Current Workflow:
I develop an API backend and whenever I change or add a route, I want to update my Postman collection accordingly. Therefore I've setup a Swagger endpoint. I run the app, get the swagger.json and import it into Postman overriding the already existing collection (from a previous iteration).
My API uses Bearer Token authorization. So I create a token, and edit the collection's authorization. I navigate to the request I want to test, edit its authorization to "Inherit auth from parent" and hit send.
Pain point:
I have to edit every request's authorization manually, every time I re-import the collection. Because unfortunately there authorization for imported requests defaults to "No auth" (as opposed to created requests, which default to "Inherit auth from parent").
Question:
Is there a way to set the authorization for all requests to "Inherit auth from parent" more easily?
Research:
The best thing I found was this thread:
https://community.postman.com/t/batch-edit-authorization-type/8327/6
The idea is to export the Collection as json, edit the auth via find and replace and then re-import it again. This is better than manually doing it for all requests, but still quite a pain.
Related
I'm having problems with Get New Access Token for Postman and SmartSheet.
All URLS are prefixed with https:// but StackOverflow would not allow that.
Callback URL: www.getpostman.com/oauth2/callback]
Token Name: Test
Auth URL: app.smartsheet.com
Access Token URL: app.smartsheet.com/token
Client ID: used the one provided when registering my app with SmartSheet
Client Secret: used the one provided when registering my app with SmartSheet
Scope: blank
Grant Type: [Authorization Code]
When I click Request Token it takes me to the SmartSheet Login. After I login and close the SmartSheet browser I get Could not complete OAuth 2.0 Login.
Looking at your example the Auth URL is incorrect. That should be
https://app.smartsheet.com/b/authorize
Also, the Access Token URL should be
https://api.smartsheet.com/2.0/token
The Smartsheet OAuth2 flow also requires a Scope, so it can't be left blank in spite of what Postman says.
More information on all of this can be found in the documentation:
http://smartsheet-platform.github.io/api-docs/#oauth-flow
It is important to note that with all of this set correctly setting this up in Postman still won't work. This is due to the fact that the Smartsheet process of obtaining and refreshing the token Smartsheet requires clients to hash the authorization code (with a pipe and the app secret, using SHA256) rather than sending it in clear text. This is arguably non-standard, but is still within the OAuth2 spec. More information on this process is at the documentation I referenced above.
Unfortunately, it does not look like Postman supports these types of deviations from "vanilla" OAuth2. Depending on what you are trying to accomplish, you will either have to go though the steps of the process manually, or stand up a third-party app in a hosting environment. If you are simply looking to generate a token, this approach http://smartsheet-platform.github.io/api-docs/#direct-api-access may work for you instead.
If you are trying to test in Postman the Direct API approach works. http://smartsheet-platform.github.io/api-docs/#direct-api-access
Step 1) Go to your actual smartsheet "https":"//app.smartsheet.com/b/home" and under Account>Personal Settings>API Access -- Generate a token (copy it you wont be able to copy after you close)
Step 2) Get the url for your sheet. Right click on the sheet name tab and select Properties. Copy the the Sheet ID (ie 123456). Add it to the end of the url: "https":"//api.smartsheet.com/2.0/sheets/123456"
Step 3)The most confusing one in my opinion. In Postman select No Authorization. Then go and update the header with "Bearer 0da6cf0d848266b4cd32a6151b1". You have to have the word Bearer and the randomly generated string of numbers is from Step 1.
Then send the get request and you get your sheet back in json format.
I want to send a http request to a webservice ,which I implemented earlier, that need the user to be login. Now, I implemented a form page that do this for me and I need to change it for every different request.
As far as I know, Django need "csrftoken" and "sessionid" to allow requests. Unfortunately, I can not figure out how to add this two field to Postman client and interact with my Django services.
Postman receives cookies from chrome and you can retrieve them using the Postman interception plugin.
See here
Now after installing the plugin :
Create a new environment so environment variables can be stored
Create a method with a test to store the XSRF cookie value in an environment variable, in the test tab post this code
var token = postman.getResponseCookie("XSRF");
postman.setEnvironmentVariable("xsrf-token", token .value);
Now you will have an environment variable with xsrf-token in it.
Save your method
Create the new post and add XSRF-Token-Header Key in the header.
Access the token value with {{xsrf-token}}
Now before running your new request make sure you run the method, so that it can store the environment variable, and then when you run the actual request it will append its value in the header.
You can also refer this post.
Just in case : For ajax requests you can refer to the django docs
I am trying to develop an application that should eventually replace an existing (non-Ember) one and provide additional functionality.
For a start, for anything not yet implemented in the new app, I want to redirect users to the existing one, using the latter's single-sign-on capability. The workflow I imagined is this:
User logged in to new (Ember) app clicks link or button there
New app makes an API call to an endpoint that returns an SSO token
New app generated link including SSO token, opens it (in new or same window)
I use ember-simple-auth to authenticate the user for API calls that return user-specific information, using a JSON web token that contains the user id.
For step 2 above I would need to include that token in the API call, but I am at loss how, and even where to implement the call. Do I need an Ember.Route for this (where I could throw in the AuthenticatedRouteMixin)? I would not consider the SSO token to be part of my model, so that does not seem right. Can I get the session's token somehow and include it in a direct ajax call? Should I?
ember-simple-auth provides the SessionService where you can access that information.
My recommendation is to use ember-ajax to make the actual request, and override the ajax service to call the session services authorize method.
Then you need to implement your authorizer to authorize that request.
The detail implementation depends on your authorizer and how you want to include the token in your request. As header, query param, or in the body.
I want to implement a custom code for token generation or you can think of removing OAuth2 from the WSO2 implementation and incorporating my specific APIs for token management. Is this possible? If yes, then please guide me how to achieve the same.
If you need to customize it fully, It means that you need to completely remove the OAuth2. There there is no worth of it. But; if you just need to customize some behaviors of the OAuth2, It can be done easily. There are several extension points for it. One main extension is that customization of OAuth2 grant types. You can find details from here and some sample for it. It may helps to do some major customization of the OAuth2 flow. Hope it would help for you.
When you send an API request to the backend, you pass a token in the Authorization header of the request. The API Gateway uses this token to authorize access, and then drops it from the outgoing message. If you wish to use a different (or a custom generated) authorization token than the application generated access token, you can use it as a token exchange mechanism in mediation logic of the API. In this tutorial, we explain how to pass a custom authorization token that is different to the authorization token generated for the application.
Add the following sequence content in to a file and save it as XML file.
Log in to the API Publisher, create a new REST API
Navigate to the Runtime Configurations tab, enable the Message Mediation in Request flow. Engage the In sequence that you created earlier and click Save .
If the API is not in PUBLISHED state, go to Lifecycle tab, click REDPLOY to re-publish the API.
Go Developer Portal, subscribe and obtain a token to invoke the published API.
Install any REST client in your machine. We use cURL here.
Go to the command line, and invoke the API using the following cURL command.
In this command, you pass the token that the backend expects, i.e., 1234, in the Custom header with the authorization token that the system generates in the Authorization header.
curl -H "Authorization: Bearer " -H "Custom: Bearer 1234"
NOTE
is the token that you got in step 20.
appears on the API's Overview page in the API Developer Portal. Copy the HTTP endpoint. If you select the HTTPs endpoint, be sure to run the cURL command with the -k option.
Note the response that you get in the command line. According to the sample backend used in this tutorial, you get the response as "Request Received."
FOR MORE EXPLANATION, PLEASE VISIT THIS LINK
[LINK] : https://medium.com/#PrakhashS/passing-access-token-to-oauth2-protected-backends-wso2-api-manager-7d0671a0afca
I have an Ember app using Ember Simple Auth. I need to revoke tokens on the server side, which I can do easy enough by setting the revoked_at column, in the oauth_access_tokens table, to a timestamp.
This causes the server to respond to Ember with a 401, which is great. However, Ember Simple Auth does not seem to fire the authorizationFailed action in the application route. I put a simple debugger in the action to test if it's getting hit.
What I want to happen is trigger any kind of authorization error to hit this action, which would allow me to manually run invalidate() if it hasn't done so yet, and redirect them to a login page.
Thanks.