Postman Authentication and Cookie Management - postman

I'm looking for any tutorials or blogs related to auth and cookie management in the Postman app. I'm new to Postman, so I need some guidance.
I'm currently testing an API that follows this workflow:
Visiting portal.site.com redirects to login.site.com, which sets an X-csrf token and cookies. The login is performed in two steps: 1) verify the email, then 2) verify the password. Once the login is validated, you're redirected back to portal.site.com.
I have created a Postman collection; it has 5 requests in total:
1) GET Visiting portal.site.com
2) POST Login Email Validation on login.site.com
3) POST Login Password Validation on login.site.com
4) GET Redirected back to portal.site.com
5) POST Get Profile Data in JSON response on portal.site.com
I need to validate the last request and get the data in its response. This can only happen when the login is done properly in the above requests and the cookies are set properly on portal.site.com via the login at login.site.com.
If you can share any options on how to do it, I'll be really thankful.

What you are describing is the authorization-code workflow of OAuth2.
https://auth0.com/docs/flows/authorization-code-flow
Postman supports it as a built-in feature.
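To see what Postman's cookie jar has to do across the two hosts in the question, here is an added example (not from the question or Postman) of a minimal jar applying the RFC 6265 domain, path and Secure rules to the five-request flow. Every cookie name and value in the walk-through is made up; the point is that a cookie set host-only by login.site.com never reaches portal.site.com, while one scoped to Domain=.site.com does.

```javascript
// Added example, not Postman's own code: a minimal cookie jar that models what
// Postman's built-in jar does across the 5 requests (RFC 6265 domain, path and
// Secure rules; expiry is ignored). Cookie names and values are constructed.
function hostMatches(reqHost, cookie) {
  if (cookie.hostOnly) return reqHost === cookie.domain;
  return reqHost === cookie.domain || reqHost.endsWith('.' + cookie.domain);
}
class CookieJar {
  constructor() { this.cookies = []; }
  // Record every Set-Cookie header of a response received from `url`.
  store(url, setCookieHeaders) {
    const host = new URL(url).hostname;
    for (const header of setCookieHeaders) {
      const [pair, ...attrs] = header.split(';').map(s => s.trim());
      const eq = pair.indexOf('=');
      const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                  domain: host, hostOnly: true, path: '/', secure: false };
      for (const a of attrs) {
        const [k, v = ''] = a.split('=');
        switch (k.toLowerCase()) {
          case 'domain': c.domain = v.replace(/^\./, '').toLowerCase(); c.hostOnly = false; break;
          case 'path': c.path = v || '/'; break;
          case 'secure': c.secure = true; break;
        }
      }
      // A later Set-Cookie with the same name/domain/path replaces the earlier one.
      this.cookies = this.cookies.filter(o => !(o.name === c.name && o.domain === c.domain && o.path === c.path));
      this.cookies.push(c);
    }
  }
  // Cookie header value for a request to `url`.
  headerFor(url) {
    const u = new URL(url);
    return this.cookies
      .filter(c => hostMatches(u.hostname, c) && u.pathname.startsWith(c.path))
      .filter(c => !c.secure || u.protocol === 'https:')
      .map(c => `${c.name}=${c.value}`).join('; ');
  }
}
// Constructed walk-through of the question's flow (responses are made up).
function runFlow() {
  const jar = new CookieJar();
  jar.store('https://portal.site.com/', ['portal_pre=p1; Path=/; Secure']);           // 1) GET portal, redirected
  jar.store('https://login.site.com/email', ['X-CSRF=c1; Path=/; Secure']);           // 2) email step, host-only cookie
  jar.store('https://login.site.com/password', ['sso=s1; Domain=.site.com; Secure']); // 3) password step, parent-domain cookie
  return { login: jar.headerFor('https://login.site.com/password'),      // "X-CSRF=c1; sso=s1"
           portal: jar.headerFor('https://portal.site.com/api/profile') }; // "portal_pre=p1; sso=s1"
}
```

If request 5 fails, compare the Cookie header Postman actually sent (console) with the Set-Cookie responses of requests 3 and 4: a session cookie scoped to login.site.com only will never be sent to portal.site.com, so request 4 must set the portal's own cookie.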

Related

Is there a way to send a request to a URL that requires "Sign in with Google" (OIDC)?

Please note: I am not trying to get an access token to be used in a subsequent request to a different API!
Use case:
I have an app running locally that requires an authenticated session. Accessing any URL for this app (e.g. http://localhost:3000/some/endpoint) will redirect to a "Sign in with Google" page. Once OIDC authentication is successful and a session has been created, requests will be handled by my app as expected.
I'd like to be able to use Postman to send requests to my app (e.g. GET http://localhost:3000/some/endpoint), but doing so redirects to Google, and the response HTML is rendered by Postman but is non-functional, so I can't authenticate to create a session.
Is this a use case that Postman supports?

Wso2 IS SMS OTP returns 401 page after login

Wso2 IS 5.10.0. I have configured basic auth and SMS OTP. I wanted to trigger basic auth using a URL like the one below without the login page (skipping the login page, with authentication at the backend using the username and password provided).
https://192.168.1.10:9448/oauth2/authorize?client_id=USER_PORTAL&code_challenge=KmuKeL_V3Gc5rRp9zEQeK0SFMrHZU25lLyrtnr8uekE&code_challenge_method=S256&commonAuthCallerPath=/oauth2/authorize&forceAuth=false&passiveAuth=false&redirect_uri=https://192.168.1.10:9448/user-portal/login&response_type=code&scope=internal_login+internal_humantask_view+openid&relyingParty=USER_PORTAL&type=oidc&sp=User+Portal&isSaaSApp=false&username=test&password=test#123
The login is successful, but after that the SMS OTP page throws a 401 error even after authentication. The same thing works if I log in via the login page (the mobile SMS OTP page is shown successfully). I don't understand what is wrong.
EDIT:
After login it is routing to sms otp page like below.
https://192.168.1.10:9448/oauth2/smsotpauthenticationendpoint/smsotp.jsp?client_id=USER_PORTAL&code_challenge=KmuKeL_V3Gc5rRp9zEQeK0SFMrHZU25lLyrtnr8uekE&code_challenge_method=S256&commonAuthCallerPath=%2Foauth2%2Fauthorize&forceAuth=false&isSaaSApp=false&passiveAuth=false&redirect_uri=https%3A%2F%2F192.168.1.10%3A9448%2Fuser-portal%2Flogin&response_type=code&scope=internal_login+internal_humantask_view+openid&sp=User+Portal&tenantDomain=carbon.super&sessionDataKey=c23b62da-3031-44fd-892c-5cff2e62db58&relyingParty=USER_PORTAL&type=oidc&sp=User+Portal&isSaaSApp=false&authenticators=SMSOTP
This invalid URL (/oauth2/smsotpauthenticationendpoint/..) is generated due to relative URLs configured for the following properties (in deployment.toml). To address it, you can update them with a slash at the beginning as below.
[authentication.authenticator.sms_otp.parameters]
SMSOTPAuthenticationEndpointURL= "/smsotpauthenticationendpoint/smsotp.jsp"
SMSOTPAuthenticationEndpointErrorPage= "/smsotpauthenticationendpoint/smsotpError.jsp"
MobileNumberRegPage = "/smsotpauthenticationendpoint/mobile.jsp"

Identity Server 3 unit testing authorization code flow

I am using Identity Server 3 for implementing OAuth2 authentication.
I want to unit test the authorization code flow.
I am able to make a GET request to the authorize endpoint and get back a signin value.
I would like to authenticate the user to get the authorization code back and then use the code to get the access token.
I need some help with authenticating the user using the login link provided in a unit test.
I'm not sure if you have the same situation as I do, but the steps I needed to do are:
GET from /connect/authorize supplying a made-up nonce and state. From the result you need to gather the signin param and fish out the anti-forgery token from the HTML. Also note that there should be a couple of cookies, sign-in and another anti-forgery token. DO NOT mess with those, keep them.
POST to /login with the signin param and form fields of username, password and anti-forgery token AND send in the cookies.
Gather the session from the resulting cookies OR check the HTML for an error message.
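The "fish out the token from the HTML" step above, as an added example that is not IdentityServer3's code: parse the login form out of the authorize response (its action URL carries the signin parameter; its hidden inputs carry the anti-forgery token), merge the credentials in, and produce the urlencoded body for the POST to /login. The sample HTML and the hidden-field name idsrv.xsrf are assumptions; take the real names from the page your server renders, and send the cookies from step 1 alongside this body.

```javascript
// Added example, not IdentityServer3's own code. Replays an HTML login form:
// every hidden input (anti-forgery token included) is carried over untouched.
function parseLoginForm(html) {
  const form = /<form\b([^>]*)>([\s\S]*?)<\/form>/i.exec(html);
  if (!form) throw new Error('no <form> in response');
  // Read a double-quoted attribute from a tag's attribute string.
  const attr = (s, name) => {
    const m = new RegExp(`\\b${name}\\s*=\\s*"([^"]*)"`, 'i').exec(s);
    return m ? m[1] : null;
  };
  const fields = {};
  for (const input of form[2].match(/<input\b[^>]*>/gi) || []) {
    const name = attr(input, 'name');
    if (name) fields[name] = attr(input, 'value') || '';
  }
  return { action: attr(form[1], 'action'), fields };
}

function buildLoginPost(html, username, password) {
  const { action, fields } = parseLoginForm(html);
  if (!action) throw new Error('form has no action');
  // Base URL only resolves a relative action; assumed host, not a real server.
  const signin = new URL(action, 'https://idsrv.example').searchParams.get('signin');
  if (!signin) throw new Error('signin parameter missing from form action');
  const body = new URLSearchParams({ ...fields, username, password }).toString();
  return { action, signin, body };
}

// Constructed sample of what GET /connect/authorize might render (made up).
const SAMPLE_HTML = `<html><body>
<form method="post" action="/login?signin=abc123">
  <input type="hidden" name="idsrv.xsrf" value="tok-XYZ" />
  <input name="username" /> <input type="password" name="password" />
</form></body></html>`;
```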

CSRF token is incorrect after login in SPA, but correct after page refresh

We are making a React SPA with django-rest-framework on the backend and use django-rest-auth for user authentication.
When the user has logged in, we show them a form for changing profile data. When the user submits this form, we take the CSRF token from the cookie in the login response and put it in the request's X-CSRFToken header. The server responds that the token is missing or incorrect.
If the user refreshes the page and repeats the same actions, the CSRF token is correct and the profile data is updated.
How to solve this problem and why it occurs?
It looks like this is happening:
The login is successful
The cookie+token is created by the CSRF API and returned to the endpoint
The ready state executes some code not executed after the API response
The certificate is validated and the cookie+token is set in the database/app config/server-side cache during a GET request and/or by the ready state callback
Since there is no GET request until the refresh, the cookie+token is not centrally stored until then. Add a request to mimic what happens during the GET, then store it where it is currently being accessed for subsequent requests.
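An added example (not from the question or django-rest-auth) of the failure mode in the question and the client-side fix. Django's login() rotates the CSRF token, so a token the SPA captured earlier and kept in memory no longer matches the csrftoken cookie the browser holds after login; reading the cookie when each mutating request is built (which is what a page refresh effectively does) keeps them in sync. Cookie and header names are Django's defaults; FakeDjango is a constructed stand-in that models only the cookie-vs-header comparison of CsrfViewMiddleware, not the token masking.

```javascript
// Added example, not Django's or django-rest-auth's code.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === name) return v.join('=');
  }
  return null;
}

// Constructed stand-in for the server: holds the current csrftoken cookie value
// and checks that the X-CSRFToken header equals it (Django's rule, unmasked).
class FakeDjango {
  constructor() { this.csrfCookie = 'tok-A'; }   // token issued with the first GET
  login() { this.csrfCookie = 'tok-B'; return 200; }   // login() calls rotate_token()
  updateProfile(headers) {
    const sent = headers['X-CSRFToken'];
    return sent && sent === this.csrfCookie ? 200 : 403; // "CSRF token missing or incorrect"
  }
  // What document.cookie shows the SPA (sessionid is HttpOnly, so it is absent).
  documentCookie() { return `csrftoken=${this.csrfCookie}`; }
}

// Wrong: the SPA reads the token once, logs in, then reuses the stale value.
function cachedTokenClient(server) {
  const cached = readCookie(server.documentCookie(), 'csrftoken');
  server.login();
  return server.updateProfile({ 'X-CSRFToken': cached });   // 403
}

// Right: build the header from document.cookie at request time.
function csrfHeaders(cookieString) {
  const token = readCookie(cookieString, 'csrftoken');
  if (!token) throw new Error('csrftoken cookie not set; load a page first');
  return { 'X-CSRFToken': token, 'Content-Type': 'application/json' };
}
function freshTokenClient(server) {
  server.login();
  return server.updateProfile(csrfHeaders(server.documentCookie()));   // 200
}
```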

Working with django rest framework to authenticate a user with new token for every login

I would like to use django-rest-framework token to authenticate users. My workflow would be:
User requests a page
If auth token is present, respond with the requested data.
If auth token is not present, redirect to the login page (with the request page).
Inside the login page, user submit their credentials
If credentials were correctly authenticated, get or create a token for that user and redirect back to the requested page with the token.
Else, respond with error.
Lastly,
When the user logs out, delete the token for that user.
So my question is, is it okay to delete and create a new token for every login if the user has already logged out? Also I assume the token will be unique, am I correct? Your help and guidance is very much appreciated. Thank you.
A REST API should be stateless, that means that there should not be a "session" hence no login and no logout, and no redirections to a login page.
If the request doesn't have a token then the API should return (probably) a 401 Unauthorized HTTP status code and not a redirection. You're making an API so there won't be human interaction. Django rest framework offers a human-friendly interface that does have sessions, login/logout, and if that's all you need then go for it, you can do whatever you want. But it'd be hard for another program to use your API.
Why not use tokens with expiration dates, or another well-known authentication method? :P
Hope this helps :)