I am trying to get request with endpoint after successful login.
I achieved to be login and take the token but I could not take the list with this token. I am using postman. Whenever I click the url link i sent with token i can see the valid json with my safari.
{
"message": "Forbidden"
}
what i sent https://qo7vrra66k.execute-api.eu-west-1.amazonaws.com/products?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
How can I send and successfully take this request from postman ? Also I couldnt understand why postman don`t allow this like safari.
I tried your endpoint and got no error.
Related
I'm trying to enable account linking on my google action using oAuth2 code grant flow.
Unfortunately my linking fails in the last step. I think that I'm not returning the result of my /token endpoint correctly back to google.
I can see this response of a 400 error in my console after getting redirect to my actions page (/authorize worked fine):
Request URL: https://oauthintegrations.clients6.google.com/v1/token:getForService?key=api-key-removed-by-me&alt=json
{
"error": {
"code": 400,
"message": "\u003ceye3 title='/OpenIdConsumerService.ValidateOpenId, INVALID_ARGUMENT'/\u003e APPLICATION_ERROR;apps_auth/OpenIdConsumerService.ValidateOpenId;com.google.identity.accountlinking.error.FederatedProtocolException: \u003ceye3 title='INVALID_ARGUMENT'/\u003e OpenAuth::INPUT_ERROR: ;AppErrorCode=13;StartTimeMs=1602166359350;tcp;Deadline(sec)=59.962523136;ResFormat=UNCOMPRESSED;Originator=traffic-prod;Tag=\u0002cloud_project_number\u0003744920882961\u0002IncomingMethod\u0003/OAuthIntegrationsService.GetTokenForService\u0002cidc\u00032;ServerTimeSec=1.00669508;LogBytes=256;Non-FailFast;EffSecLevel=privacy_and_integrity;ReqFormat=UNCOMPRESSED;ReqID=2d3a46fa4ab8370e;GlobalID=c34268105821e185;Server=[2002:ab3:7310::]:4155",
"status": "INVALID_ARGUMENT"
}
}
This is the body I send back to google for /token (I guess this results in the error above):
{
"access_token":"jwt-token-here",
"expires_in":"1602162256000",
"refresh_token":"refresh-token-here",
"refresh_token_expires_in":"31535999",
"token_type":"Bearer",
"scope":"read"
}
Is the structure of the body correct? I think it's because of the jwt-token but when I decode it manualy everything looks fine.
Any help appreciated!
Thank you
Unfortunately my linking fails in the last step. I think that I'm not returning the result of my /token endpoint correctly back to google.
Just a quick note that your access/refresh tokens are opaque to Google. You are handing over these credentials for Google to pass back to you in future requests. What these tokens mean, and how they are determined to be valid, is up to your OAuth server implementation.
See the OAuth account linking guide for more details.
This is the body I send back to google for /token
The fields scope and refresh_token_expires_in are not parameters Google expects in your token exchange responses, so this is likely where the INVALID_ARGUMENT error is coming from. A basic token response to Google should looking something like this:
{
"access_token":"jwt-token-here",
"expires_in":"1602162256000",
"token_type":"Bearer",
}
The expires_in field refers to the access token and when Google should use the refresh token to request a new access token.
If you want to expire or rotate your refresh tokens, you can do that as well. However, you can't tell Google when a refresh token will "expire". To rotate refresh tokens, you have to pass back the new token the next time Google requests a new access token, such as:
{
"access_token":"jwt-token-here",
"expires_in":"1602162256000",
"refresh_token":"updated-refresh-token-here",
"token_type":"Bearer",
}
See the OAuth implementation guide for more details on the fields in the requests and responses.
I am trying to access a REST API (Shopware to be specific), which is hosted externally.
When I log in to the frontend in the browser, I first need to enter a set of credentials in the browser authentication pop up. And then the application opens and I need to enter the application credentials.
I assumed the authentication for the API would also be similar.
This is how I see this set up: (sorry for the crude image) Set up pic
So first, I use HTTP Basic auth and pass my browser credentials to the server.
I get the following response:
{
"success": false,
"message": "Invalid or missing auth"
}
But in the Response header I get
Basic realm="<Realm B>", Digest realm="<Realm B>", domain="/", nonce="<nonce>", opaque="<opaque value>", algorithm="MD5", qop="auth"
Does this response mean that both Basic and Digest are supported for Realm B and the client can use any one of these?
I tried to authenticate again with Digest Auth chosen in postman,and using the realm B, nonce, opaque and qop values provided in the previous request.
But I still get a 401 Unauthorized error.
What am I missing? How does this two factor auth work via Postman?
Thanks in advance for your help.
I am implementing an Ocelot gateway. When I make the API call using my browser to http://localhost:5009/api/values, I get a valid json response back. However when I make the same request through Postman I get a 401 Unauthorized response. Any ideas if there is a setting in Postman I need to change or something else.
That is, the client must authenticate itself to get the requested response.
Most likely you have forgotten to put your token to the Header in Postman to be authenticated for the server in order to get a response.
I'm using Amazon Cognito for authorization of my app.
I'm using the authorization code flow. I can successfully get my token on /oauth2/authorize?...
But I can't seem to successfully get access_token, id_token and refresh_token using the POST to /oauth2/token with the Content type header: application/x-www-form-urlencoded
and body:
{"key":"grant_type","value":"authorization_code"},
{"key":"client_id","value":"xyz"},
{"key":"redirect_uri","value":"redirect-url.com"},
{"key":"code","value":"code_from_previous_request"}
When I make this call I get the following error json:
{"error":"invalid_request"}
Client id is correct and client app has no secret.
Anyone has any idea what I'm doing wrong?
By taking a closer look a #MikePatrick's request I figured it out. I was sending a wrong parameter
redirect_url
instead of
redirect_uri
...
Note to self: Half of software bugs are caused by typos
I'm trying to test my web server's login with Postman. First, I send a GET request to my login url, and I get a CSRF token as a cookie. Then, I make a POST request to that login page, with my username, password, and CSRF token.
My problem is, when I do this in Postman, I get a 403 forbidden error when I try to make that POST request to login. I'm copying the CSRF token received and putting it as one of the POST parameters, and I'm using a valid username and password. Is there anything I'm overlooking here?
You need to set it as a header in the request, not in the body. X-CSRFToken is the key and the value is CSRF token from the cookie. This will work if you are using an API framework like Tastypie or Django Rest Framework.
If you are authenticating without an API layer you would need to actually attach the cookie or create one with the CSRF token. This post explains it.
Try installing the Postman Interceptor Extension on GoogleChrome. It worked for me.
Works for me :
Set in Postman Header :
KEY : Authorization
Value : Token "Your token"