I'm currently building a web application whose backend is purely build in API Gateway/Lambda. I build a custom JSON Web Token (JWT) authorizer to authorize the users. At the moment I'm passing token in header field.
Unfortunately, I'm only able to define a header field in which the token is send to API Gateway.My applications stores the token in a cookie.
Is there any option to access the cookie directly so that it can authenticate using lambda.
For example:
Now I'm passing:-
method.request.header.Authorizer
But I need somehting like this :-
methods.request.header.Cookie
Any workaround ? Thanks!
Now you should be able to access all the headers including Cookie header, using Custom Authorizers of the REQUEST type. Recently AWS introduced this feature to allow access to more than Token Header.
Related
I've deployed a Django API powered with Django Rest Framework with some open endpoints and some Authenticated endpoints using Token authentication.
Which is the best way to protect the entry API allowing only to send request from the app frontend team?
I was thinking to use an Nginx basic auth, but then the Authorization header is duplicated, so Token auth is not working.
You could filter the access in your API by filtering the IP address in case that the frontend team uses a static one (e.g. ALLOWED HOSTS).
Moreover, you could add the users of the frontend team in a specific group or provided the same role and filter the access by implementing a reusable custom DRF permission.
An other option could be the usage of a custom HTTP header or an API key (e.g. X-API-KEY header).
There are two separate django projects, So I want both are generating tokens with the same user_id, secret key and same HS256 algorithm and then once Project B sends request along with token, the token should be decrypted and the required response should be send back from Project A. How do I go forward and implement it. Should i use JWT?
You can write a custom authentication.
It can work like this:
Check header for a token and if there is not any then the user is not authenticated.
If there is a token, then send a request to project A with the token and ask if the token is valid and if it is, what is the user.
Then set get the data in project B and do what ever you want.
It's like how frontend frameworks like react and ... works.
You can use any external resources to check if a token is valid or ...
Check here for custom authentication
I have done something similar with an oauth2 provider and 2 django apps.
Take a look here:
https://github.com/DimitrisBovasianos/CustomOauth2Authorization
You have to create a custom authentication backend and a custom middleware to handle the refresh token in case you want to use token based authentication.
I'm trying to make a request from my reactjs app existing on "localhost:3000" to my django living in "localhost:8000"
I was expecting some authentication token in header to passed along with the request, but it's not the case. The request seems to be stripped and the token is nowhere to be found. Unless I pass the token in the url as a parameter (which exposes the token that can be decoded. I don't like it), I can't seem to be able to get the token in any way.
so my questions:
is this CORS issue? My understanding is that CORS usually deals with javascripts only, and Django already has the middleware to deal with this.
I'm currently using a GET as method. Does using a POST help in this case? How would the reactjs script be written? Currently it's just a href attached to a NavItem
and ultimately:
How do I pass the token from reactjs to django?
We can perform the implicit grant on the front-end and then configure the Django API in Auth0 and specify its identifier in the audience parameter. This would grant you an access token which you could then use against your API. Your API would then verify the token and check the audience is correct. (This has a good overview of the process https://auth0.com/docs/api-auth/grant/implicit and then with the API https://auth0.com/docs/architecture-scenarios/spa-api)
Basically what we can do is when Auth0 authenticates the user it redirects the user to the app with an access token, and optionally an id token, in the hash fragment of the URI. We can extract that and use the token to call the API on behalf of the user.
So, after we have [created the API in Auth0][3, [defined the endpoints]3, and secured the endpoints we can call the API (by sending the access token in an Authorization header using the Bearer scheme).
If you have any Auth0 specific question please feel free to join over in community.auth0.com you may have better luck finding help/solutions.
The 403 error is telling you that the request is not being processed because something is stopping from process that request 403: The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated
As you said probably because the CORS, try to follow the guide bellow of how to install Django-cors
https://github.com/mbrochh/django-graphql-apollo-react-demo#add-jwt-authentication-to-django
I need to pass Authorization Header from API Manager (WSO2) to my Service Bus Aplication (Oracle).
I saw in another post that I cant do that, because API will validate the token against the key manager and drop that token before calling the back end. (How to pass authorization header in WSO2 OAuth2 and its backend API server Oauth2?)
There's any alternative to pass the token from API Manager to my service bus application?
There's some additional settings for that?
In conf/api-manager.xml, change value of "RemoveOAuthHeadersFromOutMessage" to false. Authorization header will not be removed and you can access it in your sequence, then you can set it to the request header to you backend. Not sure whether this is what you want or not.
One option would be to send same oauth token in another custom header and then by adding a custom mediation sequence in the api manager, set that custom header to Authorization header and then send it to backend server.
https://docs.wso2.com/display/AM1100/Pass+a+Custom+Authorization+Token+to+the+Backend.
We are trying to use the API Manager (1.10) to call an existing API (POST) that already uses an Authorization header token. I several things including using mediation according to an article entitled "Pass a Custom Authorization Token to the Backend" and that didn't seem to work.
I finally tried setting the "Auth Type" to "None" which according to documentation should just pass the API call directly to the backend (including the authorization header). This didn't work either. The call gets to the backend service but seems to lose the Authorization header so it throws an 400 error (the same error I get when I leave out the header and call the backend api directly using SoapUI).
Any help would be appreciated!
If you followed the instructions here, it should work.
I have implemented this for several projects and I can attest it did work.
You may turn on wire logs via configuring log4j.properties, inspect the wire log and see what happens.
If you want to have authorization (oauth token validation) at the API gateway as well as want to pass the custom authorization header to back end, you will need to follow the setup described in the documentation[1].
If you want to disable authorization at the API gateway level by setting the authorization type[2] to "none" and want to pass the Authorization header (custom) from client to the back end through the API gateway, you need to do the following steps.
By default, the API gateway will drop the "Authorization" header without sending it to the backend[3]. To send the Authorization header to the backend through the API gateway, uncomment the following property and set its value as "false" in <wso2am-home>/repository/conf/api-manager.xml and
<RemoveOAuthHeadersFromOutMessage>false</RemoveOAuthHeadersFromOutMessage>
[1] https://docs.wso2.com/display/AM1100/Pass+a+Custom+Authorization+Token+to+the+Backend
[2] https://docs.wso2.com/display/AM1100/Key+Concepts#KeyConcepts-HTTPmethods
[3] https://docs.wso2.com/display/AM1100/FAQ#FAQ-HowcanIremovetheauthenticationheadersfromthemessagegoingoutoftheAPIGatewaytothebackend