Am trying to get access-token from keycloak using postman application. The flow which I am using is Auth Code flow. The Auth URI am giving is
http://localhost:8080/auth/realms/realm_name/openid-connect/token
Even in keycloak I made some changes of valid redirect URI to http://localhost:8080/* in the Security-admin-console under clients but still am receiving a web page stating we are sorry instead of login page when am hitting the get request token button in postman application
can someone help me with this issue
Getting accessToken in Postman:
POST http://localhost:8080/auth/realms/realm-name/protocol/openid-connect/token
Headers:
Content-Type: application/x-www-form-urlencoded
Body x-www-form-urlencoded:
client_id: your-client
username: user-you-are-using
password: password-for-user
grant_type: password
client_secret: 11112222-3333-4444-5555-666666666666 (client secret is required if client "Access Type"="confidential")
Getting refreshToken in Postman:
POST http://localhost:8080/auth/realms/realm-name/protocol/openid-connect/token
Headers:
Content-Type: application/x-www-form-urlencoded
Body x-www-form-urlencoded:
client_id: your-client
grant_type: refresh_token
refresh_token: refresh-token-from-previous-request
client_secret: 11112222-3333-4444-5555-666666666666 (client secret is required if client "Access Type"="confidential")
Related
As stated in the title, I would like to add a custom parameter to the /authorize URL to which Cognito redirects when working with a OIDC User Pool Identity Provider (in my case https://example.xx.auth0.com/authorize).
I found out you can specify an authorize URL through cloudformation but it cannot contain query parameters.
More details:
Cognito is configured through Serverless (which uses Cloudformation under the hood):
Auth0IdentityProvider:
Type: AWS::Cognito::UserPoolIdentityProvider
Properties:
UserPoolId:
Ref: CognitoUserPool
ProviderType: "OIDC"
ProviderName: "Auth0"
ProviderDetails:
client_id: "xxxx"
client_secret: "xxxx"
attributes_request_method: "GET"
oidc_issuer: "https://xxxx.xx.auth0.com"
authorize_scopes: "openid profile email"
AttributeMapping:
email: "email"
When navigating to the Cognito hosted UI and selecting the Auth0 provider it redirects to the /authorize Cognito endpoint which in turn redirects to the /authorize Auth0 endpoint.
I need to add the connection parameter to Auth0's /authorize in order to bypass its UI and go straight to the social login but I haven't been able to find a way to do so.
Turns out that when configuring your Auth0 client you can specify the connection parameter and Auth0 will skip its UI for you, but it will only do that if the configured redirect_uri does not point to localhost.
auth0 = await createAuth0Client({
redirect_uri: window.location.origin,
scope: "openid profile email offline_access",
connection: "linkedin",
});
I have created project in google console
Enable the Dialogflow API
Created OAuth v2 credential
Using this credentials i called access token api to generate token
https://accounts.google.com/o/oauth2/v2/auth?
scope=https://www.googleapis.com/auth/dialogflow&
access_type=offline&
include_granted_scopes=true&
response_type=code&
state=state_parameter_passthrough_value&
redirect_uri=http://localhost&
client_id= **i placed client id here**
I received access token and passed it to Dialog flow API
https://dialogflow.googleapis.com/v2/projects/**PROJECT-ID**/agent/sessions/123456:detectIntent
Header
Content-Type : application/json; charset=utf-8
Authorization : Bearer **ACCESS_TOKEN**
Body
{
"query_input": {
"text": {
"text": "I know french",
"language_code": "en-US"
}
}
}
Still i am getting this error
"error":{"code": 401, "message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",…}
i am not able to identify where i went wrong
Please help thanks in advance
The code that i was passing in api was the OAuth Code(Thanks John Hanley)
API to generate Access token from OAuth Code
Post : https://oauth2.googleapis.com/token
Content-Type: application/x-www-form-urlencoded
{
"code":"OAuth Code",
"client_id":"Client ID",
"client_secret":"Client Secret",
"redirect_uri":"http://localhost",
"grant_type":"authorization_code"
}
In response you receive this
Response
{
"access_token": "Token",
"expires_in": 3599,
"refresh_token": "Refresh Token",
"scope": "https://www.googleapis.com/auth/dialogflow",
"token_type": "Bearer"
}
Pass this access token in header of google API
I have a Vue.js PWA with a Django Rest Framework backend which works correctly locally on my laptop (using a browser). When I deploy it to production it continues to work correctly when I log in using a browser, however it fails to login when opened as a PWA (ie: on a phone or a PWA saved in a browser).
Here's my login code:
axios
.post("/api/get-token/", user)
.then(res => {
localStorage.setItem('user-token', res.data.token);
axios.defaults.headers.common['Authorization'] = res.data.token;
commit(AUTH_SUCCESS, res.data);
resolve(res);
})
.catch(err => {
commit(AUTH_ERROR, err);
reject(err);
});
As mentioned, everything works locally and in production when logging in via a browser. The problem comes when trying to log in using the PWA.
When trying to login to the PWA, I get the following:
POST https://www.example.com/api/get-token/ 401 (Unauthorized)
Doing a console log of the error received from the server I get:
{
detail: "Invalid token header. No credentials provided."
__proto__: Object
status: 401
statusText: "Unauthorized"
headers: {allow: "POST, OPTIONS", connection: "keep-alive", content-length: "59", content-type: "application/json", date: "Thu, 06 Feb 2020 15:00:11 GMT", …}
config:
url: "/api/get-token/"
method: "post"
data: "{"username":"test#example.com","password":"password"}"
headers:
Accept: "application/json, text/plain, */*"
Authorization: "Token "
Content-Type: "application/json;charset=utf-8"
__proto__: Object
transformRequest: [ƒ]
transformResponse: [ƒ]
timeout: 0
adapter: ƒ (t)
xsrfCookieName: "csrftoken"
xsrfHeaderName: "X-CSRFToken"
maxContentLength: -1
validateStatus: ƒ (t)
}
In production, the following works:
Log into the site using a browser on my laptop or on a phone.
Then open the PWA. This works correctly and I can continue using the PWA.
The only issue comes when trying to log in using the PWA.
Can you log in on a phone locally? I had this problem too once, the problem was that the frontend and backend were not running on the same host. This solved my problem:
devServer: {
proxy: {
'/api': {
target: 'http://localhost:5000'
}
}
}
I eventually figured out the issue. For some reason the following was being POSTed in the header: Authorization: "Token ".
This is really strange because when logging in using the /api/get-token/ there is no token required since this is the login route. Also, it works perfectly from a browser. The only issue is when trying from a PWA.
Anyway, changing the header to explicitly have no value for Authorization fixed the issue as follows: Authorization: ""
I have two services (APIs) deployed on GCP Cloud Run. Call them service-one.myDomain.com and service-two.myDomain.com. I would like service-one to be authenticated in calling service-two independently of what any user is doing.
I've read and implemented the instructions from GCP Cloud Run docs on Authenticating service-to-service (https://cloud.google.com/run/docs/authenticating/service-to-service) but service-one.myDomain.com is unsuccessful in calling service-two.myDomain.com receiving a 401:Unauthorized response.
Any thoughts on how to get service-one to successfully call service-two?
Here's my setup:
IAM and service accounts:
On google IAM, I created two service accounts and granted them both the "Cloud Run Invoker" (roles/run.invoker) role:
service-one#myproject.iam.gserviceaccount.com
service-two#myproject.iam.gserviceaccount.com
Inside Cloud Run I changed the service account from the "Default compute service account" to the service accounts I created. I assigned service-one#myproject.iam.gserviceaccount.com for service-one.myDomain.com and service-two#myproject.iam.gserviceaccount.com for service-two.myDomain.com
OIDC Auth token:
In service-one.myDomain.com I make a call to the metadata server to get a token (jwt) from the following url:
http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=https://service-two.myDomain.com with a request header set as {'Metadata-Flavor': 'Google'} The request is successful and the token I receive is decoded to have the following payload:
{
"alg": "RS256",
"kid": "9cef5340642b157fa8a4f0d874fe7543872d82db",
"typ": "JWT"
}
{
"aud": "https://service-two.mydomain.com",
"azp": "100959068407876085761",
"email": "service-one#myproject.iam.gserviceaccount.com",
"email_verified": true,
"exp": 1572806540,
"iat": 1572802940,
"iss": "https://accounts.google.com",
"sub": "100953168404568085761"
}
Http request:
Using the token I make a request from service-one.myDomain.com to an http endpoint on service-two.myDomain.com. I set the request header with {'Authorization': 'Bearer {token}'} ({token} is value of token).
Http Response:
The response is a 401 Unauthorized and my logs show the response headers to include:
{'WWW-Authenticate': 'Bearer error="invalid_token" error_description="The access token could not be verified"'}
With a content of:
"
<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>401 Unauthorized</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Unauthorized</h1>
<h2>Your client does not have permission to the requested URL <code>/health</code>.</h2>
<h2></h2>
</body></html>
"
I'm stumped.... any ideas on what I'm missing to get service-one to authenticate to service-two?
The answer was to use the gcp cloud run generated Url as the audience in the OIDC token request. And relatedly the "aud" field in the jwt.
My discovery was that Service-to-Service authentication in cloud run does not support custom domains (myDomain.com). I was using my custom domain.
(I feel like a bonehead) thanks #guillaumeblaquiere
I'm using Laravel 5.1 with Lucadegasperi's OAuth 2. My API Server is on AWS ElasticBeanstalk, with an SSL cert, and is delivered through AWS Cloudfront distribution.
Cloudfront made it easier to get the https cert on there and save money, as to add the cert directly to the EC2, you'd need expensive Load Balancing.
Anyway, I'm getting the following error through DHC when making a request with an OAuth2 access token to my production server, but having no issues on my localhost:
"error": "invalid_request",
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"access token\" parameter."
For prod/local, I first make a request to get the access token (changing the URL accordingly):
POST: http://myapp-api.localhost/1.0/oauth/access_token
HEADERS: Content-Type: application/json
BODY: {
"username" : "my#myemail.com",
"password" : "password",
"client_id" : "myclientid",
"client_secret" : "myclientsecret",
"grant_type" : "password",
"refresh_grant" : "refresh_token"
}
This gets the access token, which I then use to get a quest successfully:
GET: http://myapp-api.localhost/1.0/quests/1
HEADERS: Authorization: Bearer aTNk...
Both getting the access token and requesting an OAuth2 protected route, /quests/1, on localhost work fine.
But on AWS server, making the same request below results in error above:
GET: https://api.myapp.com/1.0/quests/1
HEADERS: Authorization: Bearer zYrA...