aws - How to login cognito in Postman using POST request - amazon-web-services

I am trying to log in to Cognito through Postman with a POST request, following the site below,
in order to get the ID token from the response.
https://docs.amazonaws.cn/en_us/cognito/latest/developerguide/token-endpoint.html
But it seems I am doing it the wrong way. What is the correct way to do it?

Related

How does Djoser JWT login flow works

So I've been trying to use Djoser JWT and I don't know how to log in with it. As far as I know you create a request with your login credentials to this url /jwt/create/ and get the access and refresh token and maybe get the user object from /users/me/. This is where I got stuck, where do I go from here?
You correctly understood the first step of the process. Basically, you can now:
Add the access token in the header of your next requests.
This will transparently authenticate the user thanks to the Simple JWT plugin and you will be able to access them with the usual request.user in the views.
Refresh the access token each time you get a 401 response.
The access token is supposed to be short-lived for security reasons, and a 401 response from the server indicates that the one you are using has expired. So you have to get a new one by sending the refresh token to the token/refresh/ API and then make your request again.
You can read this article if you need more detailed explanations about this process or JWT.
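The two steps of the answer above (attach the access token to every request, refresh once on a 401 and retry), as an added example that is not part of the post or of Djoser. The HTTP transport is a constructed in-memory fake so the example runs offline; the paths /jwt/create/ and /jwt/refresh/ and the "Bearer" header type (Simple JWT's default) are assumptions, as are the tokens, which are opaque strings rather than signed JWTs.

```python
# Added example, not code from the post or from Djoser / Simple JWT.
AUTH_HEADER_TYPE = "Bearer"  # assumption: Simple JWT's default AUTH_HEADER_TYPES


class FakeServer:
    """Constructed stand-in for the Django/Djoser server.

    Issues opaque access tokens with an expiry and a single refresh token;
    any other path requires a valid, unexpired access token in Authorization.
    """

    def __init__(self, lifetime_s=300):
        self.lifetime_s = lifetime_s
        self.tokens = {}            # access token -> expiry (fake clock)
        self.refresh_tokens = set()
        self.now = 1_000_000        # fake clock, advanced by the caller
        self.calls = []             # (method, path) log for inspection

    def _issue(self):
        access = f"access-{len(self.tokens)}"
        self.tokens[access] = self.now + self.lifetime_s
        return access

    def request(self, method, path, headers=None, data=None):
        self.calls.append((method, path))
        if path == "/jwt/create/":
            if data != {"username": "admin", "password": "correct horse"}:
                return 401, {"detail": "No active account found"}
            self.refresh_tokens.add("refresh-1")
            return 200, {"access": self._issue(), "refresh": "refresh-1"}
        if path == "/jwt/refresh/":
            if (data or {}).get("refresh") not in self.refresh_tokens:
                return 401, {"detail": "Token is invalid or expired"}
            return 200, {"access": self._issue()}
        # Protected resource: scheme must match and the token must be unexpired.
        scheme, _, token = (headers or {}).get("Authorization", "").partition(" ")
        exp = self.tokens.get(token)
        if scheme != AUTH_HEADER_TYPE or exp is None or exp <= self.now:
            return 401, {"detail": "Given token not valid for any token type"}
        return 200, {"path": path, "user": "admin"}


class JwtClient:
    """Client side of the flow: login, attach the header, refresh on 401."""

    def __init__(self, transport):
        self.transport = transport
        self.access = None
        self.refresh = None

    def login(self, username, password):
        status, body = self.transport.request(
            "POST", "/jwt/create/", data={"username": username, "password": password})
        if status != 200:
            raise PermissionError(body.get("detail"))
        self.access, self.refresh = body["access"], body["refresh"]

    def _refresh_access(self):
        status, body = self.transport.request(
            "POST", "/jwt/refresh/", data={"refresh": self.refresh})
        if status != 200:
            return False  # refresh token gone too: the user must log in again
        self.access = body["access"]
        return True

    def get(self, path):
        headers = {"Authorization": f"{AUTH_HEADER_TYPE} {self.access}"}
        status, body = self.transport.request("GET", path, headers=headers)
        if status == 401 and self._refresh_access():
            # Retry exactly once with the new access token; never loop.
            headers = {"Authorization": f"{AUTH_HEADER_TYPE} {self.access}"}
            status, body = self.transport.request("GET", path, headers=headers)
        return status, body


def demo():
    """Fresh token first, then an expired one that triggers refresh + retry."""
    server = FakeServer(lifetime_s=300)
    client = JwtClient(server)
    client.login("admin", "correct horse")
    first = client.get("/users/me/")   # token still valid, no refresh
    server.now += 600                  # let the access token expire
    second = client.get("/users/me/")  # 401 -> /jwt/refresh/ -> retry
    return first[0], second[0], client.access, [p for _, p in server.calls]


if __name__ == "__main__":
    print(demo())
```

The retry is deliberately bounded to one attempt: if the refresh call itself returns 401 the client surfaces the failure instead of looping, which is the point at which the user has to log in again.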

Azure B2C Postman OAuth 2.0 - Implicit Grant - invalid_request

I have Postman set up following this guide:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c-webapi?view=aspnetcore-2.2#use-postman-to-get-a-token-and-test-the-api
When I attempt to get new Access Token, Postman prompts a window with my B2C Sign in page.
I then attempt to sign in, but receive the following error in Postman: Error invalid_request
There are no other details. I feel I've followed the guide exactly.
What am I missing here?
In the request, you need to make sure the callback URL is the same as your app's reply URL and that the App ID URI of the Scope is the same as your API's in B2C.
The request is:
And the result looks like this:

Cognito user pool for single admin

I'm trying to create a personal blog using s3 and lambda. I already have the API setup but I'm trying to figure out how to make the blog post requests more secure by requiring an authorization token in order to access the API Gateway.
I believe this can be done with Cognito user pools, but they are usually used with many users, not a single admin user. However, if there's another way I should go about this then I'm all ears.
You can implement this by:
1. Creating a User Pool in Cognito.
2. If you are using the Hosted UI login pages, I recommend having the pages send a code response rather than a token response because you can call the token endpoint to get all the appropriate tokens.
3. Call your token endpoint with the code you receive in Step 2 (it'll be in the URL when you are redirected back to your site) to retrieve the ID, Access, and Refresh Tokens.
4. Once you have your cognitoUser tokens, you can wrap your blog publish function with a token check function to ensure that your token is up-to-date and send the updated token to your publish blog callback.
5. Send the user token in the headers of your API call: { Authorization: token }.
6. In API Gateway, choose the Method Request in your Blog Post API and select your Cognito User Pool name under authorizers.
As long as the token you send is valid, the Method Request is all you need to update in order to secure the ability to post.
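The "token check function" from step 4, as an added example that is not the answer's own code. It reads the ID token's claims, treats the token as stale when it is expired, not an ID token, or not issued by this pool for this app client, and refreshes before invoking the publish callback. Signature verification against the pool's JWKS is done server side by the API Gateway Cognito authorizer, so this client-side check is only about freshness. The pool issuer, app client id and the sample tokens (built with a placeholder signature) are constructed assumptions.

```python
# Added example, not code from the answer or from AWS.
import base64
import json
import time

USER_POOL_ISS = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # assumed
APP_CLIENT_ID = "example-app-client-id"                                           # assumed


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Payload of a compact JWT. Does NOT verify the signature (see lead-in)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_is_fresh(token: str, now=None, leeway_s=30) -> bool:
    """True when the ID token is unexpired, from our pool, and for our client."""
    now = time.time() if now is None else now
    try:
        c = jwt_claims(token)
    except ValueError:          # covers bad base64 (binascii.Error) and bad JSON
        return False
    return (c.get("token_use") == "id"
            and c.get("aud") == APP_CLIENT_ID
            and c.get("iss") == USER_POOL_ISS
            and c.get("exp", 0) - leeway_s > now)


def with_fresh_token(tokens: dict, refresh_fn, publish_fn, now=None):
    """Wrap publish_fn: refresh the ID token first if it is stale.

    refresh_fn(refresh_token) -> new token dict (the token endpoint with
    grant_type=refresh_token); publish_fn(headers) is the blog callback.
    """
    id_token = tokens["id_token"]
    if not token_is_fresh(id_token, now):
        tokens = refresh_fn(tokens["refresh_token"])
        id_token = tokens["id_token"]
        if not token_is_fresh(id_token, now):
            raise PermissionError("could not obtain a fresh ID token; log in again")
    return publish_fn({"Authorization": id_token})


def make_unsigned_token(claims: dict) -> str:
    """Constructed helper for this example only: real Cognito tokens are RS256-signed."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'example'})}.{enc(claims)}.placeholder-signature"


def demo(now=1_700_000_000):
    """Stale ID token -> refresh is called once -> callback gets the new token."""
    def claims(exp):
        return {"token_use": "id", "aud": APP_CLIENT_ID, "iss": USER_POOL_ISS,
                "sub": "admin", "exp": exp}
    stale = {"id_token": make_unsigned_token(claims(now - 10)), "refresh_token": "r1"}
    fresh = {"id_token": make_unsigned_token(claims(now + 3600)), "refresh_token": "r1"}
    refresh_calls = []

    def refresh_fn(refresh_token):
        refresh_calls.append(refresh_token)
        return fresh

    sent = with_fresh_token(stale, refresh_fn, lambda h: h["Authorization"], now=now)
    return sent == fresh["id_token"], refresh_calls


if __name__ == "__main__":
    print(demo())
```

The aud and token_use checks matter because a Cognito user pool issues access tokens with a client_id claim rather than aud; sending an access token where the authorizer expects an ID token is a common reason for an unexplained 401 even though "a token" was present.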

Aws Cognito no refresh token after login

I'm using Amazon Cognito for authorization of my app.
I'm using the authorization code flow. I can successfully get my code on /oauth2/authorize?...
But I can't seem to successfully get access_token, id_token and refresh_token using the POST to /oauth2/token with the Content-Type header: application/x-www-form-urlencoded
and body:
{"key":"grant_type","value":"authorization_code"},
{"key":"client_id","value":"xyz"},
{"key":"redirect_uri","value":"redirect-url.com"},
{"key":"code","value":"code_from_previous_request"}
When I make this call I get the following error json:
{"error":"invalid_request"}
The client ID is correct and the client app has no secret.
Does anyone have any idea what I'm doing wrong?
By taking a closer look at @MikePatrick's request I figured it out. I was sending a wrong parameter
redirect_url
instead of
redirect_uri
...
Note to self: Half of software bugs are caused by typos
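The POST to Cognito's /oauth2/token for the authorization-code grant, as an added example that serves both the original question at the top of the page and the thread just above; it is not code from either post or from AWS. It builds the form-encoded body and headers, runs a pre-flight check that catches the two mistakes seen above (a misspelled parameter name such as redirect_url, and a redirect_uri that is not byte-for-byte the one used on /oauth2/authorize), and parses the reply. The domain, client id, redirect URI and code are constructed placeholders; the parameter names and response fields follow the token-endpoint documentation linked in the question.

```python
# Added example, not code from the posts or from AWS.
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

REQUIRED_PARAMS = ("grant_type", "client_id", "code", "redirect_uri")


def build_token_request(domain, client_id, code, redirect_uri, client_secret=None):
    """Return (url, headers, body_bytes) for the authorization_code grant."""
    form = {"grant_type": "authorization_code", "client_id": client_id,
            "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        # A client with a secret authenticates with HTTP Basic, not a form field.
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    return f"https://{domain}/oauth2/token", headers, urllib.parse.urlencode(form).encode()


def check_form(body_bytes, authorize_redirect_uri):
    """Pre-flight check of the encoded body; returns a list of problems (empty = ok)."""
    fields = dict(urllib.parse.parse_qsl(body_bytes.decode(), keep_blank_values=True))
    problems = [f"missing parameter: {p}" for p in REQUIRED_PARAMS if p not in fields]
    problems += [f"unexpected parameter: {k}" for k in fields if k not in REQUIRED_PARAMS]
    if fields.get("redirect_uri") not in (None, authorize_redirect_uri):
        problems.append("redirect_uri differs from the one sent to /oauth2/authorize")
    return problems


def parse_token_response(status, body_bytes):
    """Pick out the tokens, or raise on an {"error": ...} reply like the one above."""
    data = json.loads(body_bytes)
    if status != 200 or "error" in data:
        raise PermissionError(f"token endpoint refused: {data.get('error', status)}")
    # A refresh_token comes back only from the token endpoint (code grant);
    # the implicit grant's token response never includes one.
    wanted = ("id_token", "access_token", "refresh_token", "expires_in")
    return {k: data[k] for k in wanted if k in data}


def send(url, headers, body):
    """Actually perform the POST (not exercised offline)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def demo():
    """Correct body passes the check; the redirect_url typo from the thread fails it."""
    redirect = "https://redirect-url.example/callback"      # constructed
    _, _, body = build_token_request("auth.example.auth.us-east-1.amazoncognito.com",
                                     "xyz", "code_from_previous_request", redirect)
    ok = check_form(body, redirect)
    typo = body.decode().replace("redirect_uri", "redirect_url").encode()
    bad = check_form(typo, redirect)
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

Cognito compares redirect_uri as an exact string against the value used in the authorize request and against the app client's registered callback URLs, so a trailing slash or http/https difference produces the same invalid_request as the misspelled parameter.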

Sending CSRF Tokens via Postman

I'm trying to test my web server's login with Postman. First, I send a GET request to my login url, and I get a CSRF token as a cookie. Then, I make a POST request to that login page, with my username, password, and CSRF token.
My problem is, when I do this in Postman, I get a 403 forbidden error when I try to make that POST request to login. I'm copying the CSRF token received and putting it as one of the POST parameters, and I'm using a valid username and password. Is there anything I'm overlooking here?
You need to set it as a header in the request, not in the body. X-CSRFToken is the key and the value is the CSRF token from the cookie. This will work if you are using an API framework like Tastypie or Django Rest Framework.
If you are authenticating without an API layer you would need to actually attach the cookie or create one with the CSRF token. This post explains it.
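A small model of the check the answer describes, as an added example that is not the answer's code nor Django's implementation: the csrftoken cookie issued on the GET must be echoed back, and the submitted token must match it, with the API layer reading it from the X-CSRFToken header (a form-encoded body field named csrfmiddlewaretoken is also accepted, but a field under any other name, or in a JSON body, is ignored). Cookie name, header name and tokens are constructed; Django's token masking is omitted.

```python
# Added example: a teaching model of a Django-style CSRF check, not Django's code.
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "csrftoken"           # Django's default cookie name
HEADER_NAME = "X-CSRFToken"         # header name from the answer above
FORM_FIELD = "csrfmiddlewaretoken"  # the only body field Django reads


def issue_csrf_cookie():
    """GET /login/: the Set-Cookie value the server sends back."""
    return f"{COOKIE_NAME}={secrets.token_urlsafe(24)}; Path=/; SameSite=Lax"


def csrf_check(headers, form=None, content_type="application/json"):
    """Return (status, reason) for a POST, given its headers and parsed body.

    The cookie must be present and the submitted token must equal it.
    The header is always consulted; the form field only for form-encoded bodies.
    """
    cookie = SimpleCookie(headers.get("Cookie", ""))
    cookie_token = cookie[COOKIE_NAME].value if COOKIE_NAME in cookie else None
    if not cookie_token:
        return 403, "CSRF cookie not set"
    submitted = headers.get(HEADER_NAME)
    if submitted is None and content_type == "application/x-www-form-urlencoded":
        submitted = (form or {}).get(FORM_FIELD)
    if submitted is None:
        return 403, "CSRF token missing or incorrect"
    if not secrets.compare_digest(submitted, cookie_token):
        return 403, "CSRF token incorrect"
    return 200, "ok"


def demo():
    """Replays the questioner's attempt and the answers' fixes; returns status codes."""
    token = SimpleCookie(issue_csrf_cookie())[COOKIE_NAME].value
    cookie_hdr = f"{COOKIE_NAME}={token}"
    cases = {
        # Questioner: token copied into the body under a name Django never reads.
        "token only in body": csrf_check({"Cookie": cookie_hdr}, {"csrf_token": token}),
        # Answer 1: header carries the cookie's value.
        "token in header": csrf_check({"Cookie": cookie_hdr, HEADER_NAME: token}),
        # Classic form post: the named field in a form-encoded body works too.
        "csrfmiddlewaretoken form field": csrf_check(
            {"Cookie": cookie_hdr}, {FORM_FIELD: token},
            content_type="application/x-www-form-urlencoded"),
        # Answer 2: without the cookie (no Interceptor), the header alone fails.
        "header but no cookie": csrf_check({HEADER_NAME: token}),
        "header mismatch": csrf_check({"Cookie": cookie_hdr, HEADER_NAME: "x" * len(token)}),
    }
    return {name: status for name, (status, _) in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status}  {name}")
```

The two 403 cases without a matching cookie are the double-submit property doing its job: a cross-site page can make the browser send the cookie, but it cannot read the cookie's value to place it in a header, so cookie and header must come from the same origin.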
Try installing the Postman Interceptor Extension on GoogleChrome. It worked for me.
Works for me:
Set in Postman header:
Key: Authorization
Value: Token "Your token"