Authorization Oauth2.0 Add Additional Body Parameter - postman

I’m trying to migrate an authorization request into the authorization at the Postman collection level. The request body has an additional parameter for account_id that needs to be passed.
I’m unable to find a way to pass this additional parameter when using Oauth 2.0 client credentials flow. Is there a way to include this?

You're trying to add a new header. I don't think this is supported on the collection level, but a workaround is to use a pre-request script on the collection level:
const Header = require('postman-collection').Header
pm.request.headers.add(new Header(`account_id:${pm.environment.get('et_mid')}`))
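For the original question (an extra body parameter on the client credentials token request), another option is to fetch the token in the collection-level pre-request script. This is an added example, not part of the answer above. The variable names token_url, client_id, client_secret, access_token and access_token_expires_at, the form-encoded body and the expires_in response field are assumptions; et_mid is the variable from the answer. The collection's Authorization would then be set to Bearer Token with {{access_token}}.

```javascript
// Build the options object for pm.sendRequest from environment values.
// account_id is sent in the token request body next to the client credentials.
function buildTokenRequest(env) {
  return {
    url: env.token_url, // assumed variable name
    method: 'POST',
    header: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: {
      mode: 'urlencoded',
      urlencoded: [
        { key: 'grant_type', value: 'client_credentials' },
        { key: 'client_id', value: env.client_id },
        { key: 'client_secret', value: env.client_secret },
        { key: 'account_id', value: String(env.et_mid) },
      ],
    },
  };
}

// A cached token is reused until 30 seconds before its recorded expiry.
function tokenIsFresh(env, nowMs) {
  return Boolean(env.access_token) && Number(env.access_token_expires_at) - 30000 > nowMs;
}

// Runs only inside Postman, where the pm object exists.
if (typeof pm !== 'undefined') {
  const env = pm.environment.toObject();
  if (!tokenIsFresh(env, Date.now())) {
    pm.sendRequest(buildTokenRequest(env), (err, res) => {
      if (err || res.code !== 200) throw new Error('token request failed');
      const data = res.json();
      pm.environment.set('access_token', data.access_token);
      pm.environment.set('access_token_expires_at', Date.now() + data.expires_in * 1000);
    });
  }
}
```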

Related

How to add additional request parameters in wso2 retrying?

I need to add one parameter to redirect. When authentication fails WSO2 redirects to login page with &authFailure=true&authFailureMsg=login.fail.message request parameters.
I could not add some additional parameter to it by changing org.wso2.carbon.identity.application.authenticator.basicauth.BasicAuthenticator class messages.
Are there any ways of doing it?
Also, in a very easy way, you can modify the login.jsp file located at:
<WSO2_APIM_HOME>/repository/deployment/server/webapps/authenticationendpoint/login.jsp
and you can do it without building any custom authenticator or redeploying. It is hot deployed.
It is also important to modify this file carefully, as it is used by all login flows on the platform.
I could not change BasicAuthenticator.class. Added additional parameters by registering my LocalBasicAuthenticator where functions are the same as BasicAuthenticator but you can add query params and modify it. Then replace jar in components/dropins and change local authentication in your Service Provider.

AWS Custom Authorizer - Get token from cookie

I'm currently building a web application whose backend is purely built in API Gateway/Lambda. I built a custom JSON Web Token (JWT) authorizer to authorize the users. At the moment I'm passing the token in a header field.
Unfortunately, I'm only able to define a header field in which the token is sent to API Gateway. My application stores the token in a cookie.
Is there any option to access the cookie directly so that it can authenticate using Lambda?
For example:
Now I'm passing:-
method.request.header.Authorizer
But I need something like this :-
methods.request.header.Cookie
Any workaround? Thanks!
Now you should be able to access all the headers including Cookie header, using Custom Authorizers of the REQUEST type. Recently AWS introduced this feature to allow access to more than Token Header.
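A sketch of what such a REQUEST-type authorizer can look like when the JWT arrives in a cookie. This is an added example, not code from the question or the answer; the cookie name token, HS256 signing and the JWT_SECRET environment variable are assumptions.

```javascript
const nodeCrypto = require('crypto');

const COOKIE_NAME = 'token'; // assumption: name of the cookie that carries the JWT

// Find one cookie in the Cookie header; header-name casing varies, so match case-insensitively.
function getCookie(headers, name) {
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === 'cookie');
  if (!key) return null;
  for (const part of String(headers[key]).split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0 && part.slice(0, idx).trim() === name) return part.slice(idx + 1).trim();
  }
  return null;
}

// Verify an HS256 JWT (assumed algorithm). Returns the claims, or null on any failure.
function verifyJwt(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    if (header.alg !== 'HS256') return null; // pin the algorithm; rejects "none"
    const expected = nodeCrypto.createHmac('sha256', secret).update(`${parts[0]}.${parts[1]}`).digest();
    const given = Buffer.from(parts[2], 'base64url');
    if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
    return typeof claims.exp === 'number' && claims.exp > now ? claims : null;
  } catch (e) {
    return null; // malformed base64/JSON is treated as an invalid token
  }
}

function policy(principalId, effect, resource) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }],
    },
  };
}

// Deny by default: no secret configured, no cookie, or a bad token all end in Deny.
function authorize(event, secret = process.env.JWT_SECRET) {
  const claims = secret ? verifyJwt(getCookie(event.headers, COOKIE_NAME), secret) : null;
  return claims ? policy(String(claims.sub), 'Allow', event.methodArn) : policy('anonymous', 'Deny', event.methodArn);
}

exports.handler = async (event) => authorize(event);
```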

WSO2 - Api Manager - Passing Post Body Params as URL query strings to Moodle

We're implementing WSO2-AM to handle access to some internal APIs from our Moodle LMS we wish to expose to the internet.
I am configuring the access to this LMS via WSO2 but I've run into an issue I can't resolve.
I realise WSO2 documentation is extensive, but I've not been able to actually find a specific instance of this configuration.
Background: Moodle itself has implemented its APIs in a very non-standard manner. They call them REST, but they are not truly RESTful. Some of the parameters, such as a user's token, are passed in the URL query string rather than using headers in the body of the query itself.
To start with, I have two APIs configured in WSO2, one to request a user token from Moodle (Moodle requires this to permit access to the API for a specific user) and another to get the user's enrolled course list.
The first request to get the user token from Moodle via WSO2 proceeds as expected. I pass in the username/password/service parameters via the header as you would expect (so that they are encrypted over HTTPS) to WSO2, which it pushes to Moodle, as a POST. The response from Moodle via WSO2 is as expected, a JSON payload containing a token which my client then parses to use in subsequent requests.
The next request is then calling a more useful service in Moodle, to get a user's enrolled courses. There are two issues noted here which I'm unsure how to resolve.
The problems: Moodle expects GET or POST parameters for the call to the web-service. When I'm using GET, which is handy for testing, the parameters passed from the client to WSO2 are either wrong (in the case of the 'userid') or missing (in the case of the wstoken field, which is in the post body).
In API publisher I have the API in WSO2 configured for POST with a URL pattern of {version}/courses/{userid}
The API definition is configured as below:
API Endpoint configuration is:
URL: http://(moodleurl)/webservice/rest/server.php?wstoken={uri.var.wstoken}&wsfunction=core_enrol_get_users_courses&moodlewsrestformat=json&userid={uri.var.userid}
GET URL as received by Apache hosting Moodle is:
xx.xx.xx.xx - - [09/Aug/2016:10:36:03 +0930] "POST /webservice/rest/server.php?wstoken=&wsfunction=core_enrol_get_users_courses&moodlewsrestformat=json&userid=6/6 HTTP/1.1" 200 270
So, the two issues are the missing 'wstoken' parameter (which is in the post body provided to WSO2), and the 'userid' being doubled up with a slash between the items.
I have run the client via a proxy and the data appears to be sent correctly to WSO2:
So I'm wondering what I can do about these problems:
Is there a different URL parameter I can use to correctly include a posted body param in the URL out to the service API address?
Is there some specific configuration problem I've made that's causing the userid parameter to break in this manner?
The posted parameters from the client do appear to be included in the post to Moodle by WSO2; so it is likely they can be stripped from the URL and simply included in the post body to Moodle by WSO2, meaning that it's likely only the issue with the userid parameter that needs to be resolved to allow this to work - unfortunately I'm not sure how to place a proxy between WSO2 and Moodle itself to validate the parameters that are posted to the API, short of using Wireshark.
The 'userid' is being doubled up with a slash between the items because the URI template of the API's resource is automatically appended to the end of the HTTP endpoint at runtime. For example, in your case you defined the endpoint URL as:
http://(moodleurl)/webservice/rest/server.php?wstoken={uri.var.wstoken}&wsfunction=core_enrol_get_users_courses&moodlewsrestformat=json&userid={uri.var.userid}
Then the URL pattern (/{userid}) is appended to the endpoint URL by default. To overcome this issue you can use the following mediator setting to remove the URL postfix from the backend endpoint:
<property name="REST_URL_POSTFIX" scope="axis2" action="remove"/>
For more on this please refer to the link given in [1].
You can read the variables in the resources (URLs) during mediation runtime using property values with the "uri.var." prefix. For example, in your case the HTTP endpoint gets the wstoken and userid as the URI variables. But wstoken is contained in the body section of the request. Therefore you cannot add it by introducing wstoken={uri.var.wstoken} as a query parameter to the endpoint. One way that you can overcome this issue is by defining wstoken as a query parameter by changing the parameter Type to query. The other way is to define it in the header of the incoming request.
[1]. https://docs.wso2.com/display/AM190/Map+the+Parameters+of+your+Backend+URLs+with+the+API+Publisher+URLs

When using Amazon API Gateway, how do I get the API key used in the request from a Django backend?

Pretty self explanatory title. I'm using API Gateway in AWS, requiring an API key to access a backend written in Django (not using lambda). I need to know how to access the API key used in the request to keep track of who did what at the app level.
You can use mapping templates and get the API Key from the $context variable, it’s the apiKey property inside the identity object: http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#context-variable-reference
Create a mapping template for your requests and include the property in it. For example, if you wanted to include the entire request body + the API Key you would do this:
{
"body": $input.json('$'),
"apiKey": "$context.identity.apiKey"
}
Depending on how your backend application is built, you could send the API key to your application in an HTTP parameter (path, query string, or header) or in the request body. Please have a read through the docs on how to move data between the two systems.
Thanks,
Ryan
Here is how I finally made it work. At the top or bottom of the template, include this line.
#set($context.requestOverride.header.x-api-key = $context.identity.apiKey)
When your backend receives this request, the api key will be in the header x-api-key.
Here is a basic mapping template that just forwards the (json) body and the header.
$input.json("$")
#set($context.requestOverride.header.x-api-key = $context.identity.apiKey)
API Gateway uses the X-API-Key header, so I like for my backend to also use that. That way I can use the same testing commands with only the URL being different.

Emberjs and Simple Auth for any $.ajax

I am doing an $.ajax post command and I currently have an authenticated session on the client side. I am trying to figure out how to add the token to the ajax call (as on the server I check the token to see if it matches in my local database). How is it possible to use that same auth token in a generic ajax call?
Thanks
You add the token as a request header in your authorizer.
To do this, either use one of the included solutions (if you're using the corresponding backend), or implement your own custom authorizer.
If you have to write your own, you can look at the devise authorizer's authorize method for an example of how to add the header.