I am working on an app in Ionic 2 using DRF as API service. For authentication purpose I am using JWT. I am sending auth token with each request as Authorization: jwt [token]. In Postman, API is working fine.
Now when I am testing it in the browser it is not working, and I figured out that it is probably not working because the JWT auth token is not being sent in the OPTIONS request as a pre-flight. So how do I tackle this problem?
In the latest Ionic versions, if you are using the ionic serve command then you must use Proxies to prevent Preflight and CORS Issues.
First, add the API path and URL in the ionic.config.json file like:
{
"name": "APP-NAME",
"app_id": "",
"proxies": [
{
"path": "/api",
"proxyUrl": "http://example.com/api"
}
]
}
Now, while calling your API from http, use the /api URL instead of http://example.com/api like:
....
this.http.post('/api', data, {headers:headers}).map(res=>res.json()).subscribe(data=>{
console.log(data)
}, err=>{
console.log("Error!:", err.json());
});
....
After making the above changes you must rerun the ionic serve command.
If you are still getting issues, refer to Handling CORS Issues In Ionic and https://ionicframework.com/docs/cli/configuring.html
In the CORS preflight OPTIONS response, Cross-Origin-Allow-Headers should match that of the request.
Cross-Origin-Allow-Headers: Authorization
Actually the problem was that the OPTIONS API was not readable without the Authorization token, so we added the read-only auth level for the OPTIONS and GET API.
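The two points made above (the preflight must be answered without the token, and the preflight response must list the headers the browser asked for, using the standard Access-Control-Allow-Origin / -Methods / -Headers names) as an added, self-contained example that is not code from this thread. The allowed origin, the token set and the realm value are constructed assumptions.

```python
# Added example (not from the thread): a CORS-aware request handler written as a plain
# function so the preflight rule is visible. The browser sends the OPTIONS preflight
# WITHOUT the Authorization header, so that request must be answered without consulting
# authentication; the real request that follows does carry "jwt <token>" and is checked.
from typing import Callable, Dict, Optional, Tuple

ALLOWED_ORIGINS = {"http://localhost:8100"}          # assumption: Ionic dev-server origin
ALLOWED_METHODS = ("GET", "POST", "OPTIONS")
ALLOWED_HEADERS = ("authorization", "content-type")  # compared case-insensitively

VALID_TOKENS = {"good-token"}  # constructed stand-in for real JWT signature/expiry checks

def is_valid_token(header_value: Optional[str]) -> bool:
    """Accept 'jwt <token>' (prefix case-insensitive, as DRF-JWT does) if the token is known."""
    if not header_value:
        return False
    scheme, _, token = header_value.partition(" ")
    return scheme.lower() == "jwt" and token in VALID_TOKENS

def handle_request(method: str, headers: Dict[str, str],
                   authenticate: Callable[[Optional[str]], bool] = is_valid_token
                   ) -> Tuple[int, Dict[str, str]]:
    """Return (status, response_headers) for one request."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    cors: Dict[str, str] = {}
    if origin in ALLOWED_ORIGINS:
        # Echo only an allow-listed origin, never "*", since credentials are involved.
        cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

    if method == "OPTIONS" and "access-control-request-method" in h:
        # Preflight: no token is present, so auth must not gate this branch.
        if origin not in ALLOWED_ORIGINS:
            return 403, {}
        wanted_method = h["access-control-request-method"].upper()
        wanted_headers = {x.strip().lower()
                          for x in h.get("access-control-request-headers", "").split(",")
                          if x.strip()}
        if wanted_method not in ALLOWED_METHODS or not wanted_headers.issubset(ALLOWED_HEADERS):
            return 403, cors
        cors["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        cors["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        cors["Access-Control-Max-Age"] = "600"
        return 204, cors

    # Actual request: the token is required here, and failure is a 401, not a redirect.
    if not authenticate(h.get("authorization")):
        return 401, {**cors, "WWW-Authenticate": 'JWT realm="api"'}  # realm is a constructed value
    return 200, cors
```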
I've been trying to solve this problem for a week now; after looking for a solution in almost every forum, blog and lib's GitHub issues, I realized that it's going to be easier asking here.
I have a Django app using JWT for authentication (Web and Mobile). When I change the user email, the mobile app (React Native) keeps sending the old JWT in cookies to the server, which leads to an "Invalid Signature" response (in any endpoint, including login).
Here is my djangorestframework-jwt conf:
JWT_AUTH = {
    'JWT_VERIFY_EXPIRATION': True,
    'JWT_AUTH_COOKIE': "JWT",
    'JWT_EXPIRATION_DELTA': datetime.timedelta(seconds=3000),
    'JWT_ALLOW_REFRESH': True,
}
Setting this line
'JWT_AUTH_COOKIE': "JWT",
To
'JWT_AUTH_COOKIE': None,
The server won't look for JWT cookies in the request; however, the next API calls don't find the token in the Authorization header, which leads to
Authentication credentials were not provided
Even when sending the token in the header.
In the web app there is no problem with that, so I'd like to know how I can fix it; I'm looking for a way to stop sending the JWT cookie from the mobile app.
I'm providing an external-facing REST GET API service in a kubernetes pod on AWS EKS. I had configured an ALB Ingress for this service which enforces Cognito user pool authentication. Cognito is configured with Authorization code grant with the openid OAuth scope enabled.
If I invoke my REST API from the browser, I get redirected to the Cognito login page. After a successful authentication on the form there, I can access my REST GET API just fine. This works, but this is not what I'd like to achieve.
Instead of this, I would need to use a Bearer token, after getting successfully authenticated. So first I invoke https://cognito-idp.ap-southeast-1.amazonaws.com using Postman with the request:
{
"AuthParameters" : {
"USERNAME" : "<email>",
"PASSWORD" : "<mypass>",
"SECRET_HASH" : "<correctly calculated hash>"
},
"AuthFlow" : "USER_PASSWORD_AUTH",
"ClientId" : "<cognito user pool id>"
}
and I get a successful response like:
{
"AuthenticationResult": {
"AccessToken": "...",
"ExpiresIn": 3600,
"IdToken": "...",
"RefreshToken": "...",
"TokenType": "Bearer"
},
"ChallengeParameters": {}
}
In the last step I'm trying to invoke my REST API service passing the Authorization HTTP header with the value Bearer <AccessToken>, but I still get an HTML response with the login page.
How can I configure Cognito to accept my Bearer token for this call as an authenticated identity?
Quoting AWS support on this topic: "the Bearer token can not be used instead of the session cookie because in a flow involving bearer token would lead to generating the session cookie".
So unfortunately this use case is not possible to implement as of today.
STANDARD BEHAVIOUR
I would aim for a standard solution, which works like this:
API returns data when it receives a valid access token, or a 401 if the token is missing, invalid or expired - the API never redirects the caller
UIs do their own redirects to the Authorization Server when there is no token yet or when a 401 is received from the API
If it helps, my OAuth Message Workflow blog post demonstrates the 3 legged behaviour between UI, API and Authorization Server.
API GATEWAY PATTERN
It is perfectly fine to use an API Gateway Design Pattern, where token validation is done via middleware before hitting your API.
However that middleware must return a 401 when tokens are rejected rather than redirecting the API client.
IMPACT OF APIs REDIRECTING THE CLIENT
This may just about work for web UIs, though user experience will be limited since the UI will have no opportunity to save the user's data or location before redirecting.
For mobile / desktop apps it is more problematic, since the UI must redirect using the system browser rather than a normal UI view - see the screenshots on my Quick Start Page.
CHOICES
Any of these solutions would be fine:
Possibly the middleware you are using can be configured differently to behave like a proper API Gateway?
Or perhaps you could look for alternative middleware that does token validation, such as an AWS Lambda custom authorizer?
Or do the OAuth work in the API's code, as in this Sample API of mine
MY PREFERENCE
Sometimes I prefer to write code to do the OAuth work, since it can provide better extensibility when dealing with custom claims. My API Authorization blog post has some further info on this.
I used Django OAuth2 Toolkit in my Django app. My client is an Angular web application and uses the Django API with OAuth2.
It works perfectly on my localhost and everything is OK, but when I use the application on the server, after a successful login and getting the access token, when it requests another page with authentication the 401 error occurs.
The client is client.example.com and the Django API is on api.example.com.
Please help me...
request token:
client_id:ePmICVI9Dwsb0eKCv8aMTKvq4Jnr7ewtFWFZGLEu
grant_type:password
username:mohammad
password:mz575451
client_secret:2RGeORI0eZbKFZX3gYtjGy
response:
{"expires_in": 36000, "token_type": "Bearer", "access_token": "yzKlTXuDLOZj5wGescfkNiejyYKhg2", "scope": "read write", "refresh_token": "JJp5Kxq3PcDQthwvSLxvfW2Ee5rLUE"}
I finally found the solution!!!!!!! ^___^
http://www.django-rest-framework.org/api-guide/authentication/#apache-mod_wsgi-specific-configuration
We're building a site using Ember for a frontend app which interacts with our Django Rest Framework API Backend. For Social Authentication we're using django_rest_auth coupled with django-allauth. The site is mostly all working, except we've run into problems with social authentication. Our local account authentication/registration is working fine.
I've made many projects that use django-allauth, but this is the first time using a restful authentication system. The ember application is able to go and fetch the token from google just fine. The response is something like:
{
authorizationCode: "mYtokEn12345",
provider: "google-oauth2",
redirectUri: "http://localhost:4200/dashboard"
}
I then post the access_token to my endpoint that I've set up according to the django_rest_auth docs: POST /auth/google {access_token:}, but I get an error returned from Google that says "Invalid Credentials". How can I get Invalid Credentials after already authenticating with Google and receiving my token?
After debugging through the code, I found that I was getting that response from https://www.googleapis.com/oauth2/v1/userinfo during the complete_login function in the allauth.socialaccount.providers.google.views.GoogleOAuth2Adapter class.
It's trying to run a GET https://www.googleapis.com/oauth2/v1/userinfo?access_token=mYtokEn12345&alt=json but returning Invalid Credentials.
{
error: {
errors: [
{
domain: "global",
reason: "authError",
message: "Invalid Credentials",
locationType: "header",
location: "Authorization"
}
],
code: 401,
message: "Invalid Credentials"
}
}
I'm pretty stumped on where to go from here. Anyone have some pointers on why this is happening? Any other code/errors I can give to be helpful?
It turned out that we weren't using the correct token. We were using the authorizationCode, which is used in another request to receive the token.
I'm trying to do authentication from app center for mobile devices but I get this error when I try to exchange code parameter for access token:
{
"error": {
"message": "Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request",
"type": "OAuthException",
"code": 100
}
}
The Auth Token Parameter is in Query String format because my app uses server-side authentication.
The URL I'm calling is https://graph.facebook.com/oauth/access_token and the redirect_uri parameter I'm sending is like the following one:
http://www.example.com?ref=app_directory&code=codefromfb&fb_source=appcenter_mobile&fb_appcenter=1
www.example.com is the value I've set in the Mobile Site URL field in the app settings.
Authentication from app center for web is OK.
I don't understand what is wrong in the redirect URI for mobile devices...
Could you help me?
I found this post referencing needing a trailing slash on the URI:
redirect_uri error in oauth for facebook django app
I had the same error. I couldn't solve it but found a workaround:
I ignore the code param that is sent to my mobile web app by Facebook automatically; instead I make a request for code myself, then I exchange code for access_token using the same redirect_uri I used to request for code.
To make it easier to apply the workaround, in your app > settings > permissions, you can change Auth Token Parameter from query string to URI fragment. Then Facebook won't send you code param automatically--you will have to make a request for it--that's what is needed.
Another way to solve it is to implement the client-side authentication flow using the URI fragment, or parse the URI fragment at the client side and send the access_token to the server as a param. I didn't test this approach yet.
Redirect URLs that are working for app center authentication
desktop: http://www.example.com/?fb_source=appcenter&fb_appcenter=1
mobile: http://www.example.com/?ref=app_directory
(the part fb_source=appcenter_mobile&fb_appcenter=1 should be excluded for mobile; I think it's an FB bug)
Where:
http/https - depends on the request
www.example.com - you should use exactly the same string as saved in the application settings (https://developers.facebook.com/apps/YOUR_APPLICATION_NUMBER/summary). The domain name is case sensitive for Facebook (also a bug)
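The exact-match rule from this thread (the redirect_uri in the code exchange must be byte-identical to the one used in the dialog request, so parameters the provider appended on the way back must be dropped, while scheme, host case, trailing slash and the remaining query stay untouched) as an added example, not code from the thread. Which extra parameters to strip is passed in by the caller, since the thread reports that fb_source/fb_appcenter must go for mobile but are part of the working desktop URL; app id and secret in the test are constructed placeholders.

```python
# Added example (not from the thread): recovering the exact redirect_uri for the
# code-for-token exchange from the URL the browser actually landed on.
from typing import Iterable
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Standard OAuth parameters a provider appends to the landing URL; never part of
# the registered redirect URI.
PROVIDER_APPENDED = {"code", "state"}

def original_redirect_uri(landing_url: str, extra: Iterable[str] = ()) -> str:
    """Rebuild the redirect_uri sent in the dialog request: drop only provider-appended
    query parameters (plus any names in `extra`), keep order, path and host as-is.
    Note: query values are re-encoded by urlencode; keep registered URIs plain."""
    parts = urlsplit(landing_url)
    drop = PROVIDER_APPENDED | set(extra)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k not in drop]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))

def redirect_uri_matches(registered: str, presented: str) -> bool:
    """The provider-side policy: exact string equality. No prefix or substring matching,
    host case and trailing slash are significant (the very mismatches this thread hit)."""
    return registered == presented

def token_exchange_params(app_id: str, app_secret: str, landing_url: str,
                          extra: Iterable[str] = ()) -> dict:
    """Parameters for the https://graph.facebook.com/oauth/access_token call, with
    redirect_uri derived from the landing URL rather than retyped by hand."""
    code = dict(parse_qsl(urlsplit(landing_url).query)).get("code")
    if not code:
        raise ValueError("no code parameter on landing URL")
    return {"client_id": app_id, "client_secret": app_secret,
            "redirect_uri": original_redirect_uri(landing_url, extra), "code": code}
```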