django oauth2 provider 401 after getting token - django

I used Django Oauth2 toolkit in my django app. my client is an angular web application and uses django api with oauth2.
it perfectly works in my localhost and every thing is ok but when i use application in server after success login and getting the access token when it requests another page with authentication the 401 error occures.
client is client.example.com and django api is on api.example.com.
please help me...
request token:
client_id:ePmICVI9Dwsb0eKCv8aMTKvq4Jnr7ewtFWFZGLEu
grant_type:password
username:mohammad
password:mz575451
client_secret:2RGeORI0eZbKFZX3gYtjGy
response:
{"expires_in": 36000, "token_type": "Bearer", "access_token": "yzKlTXuDLOZj5wGescfkNiejyYKhg2", "scope": "read write", "refresh_token": "JJp5Kxq3PcDQthwvSLxvfW2Ee5rLUE"}

I finally found the solution!!!!!!! ^___^
http://www.django-rest-framework.org/api-guide/authentication/#apache-mod_wsgi-specific-configuration

Related

JWT Cookie sent as Set-Cookie causing "Invalid Signature" in DRF jwt

I've been trying to solve this problem a week ago, from now on after looking for a solution in almost every forum, blog and lib's github issues I realized that it gonna be easier asking here.
I have a django app using JWT for authentication (Web and Mobile), when I change the user email the mobile app (react native) keeps sending the old jwt in cookies to server which leads to an "Invalid Signature" response (in any endpoint including login)
Here is my djangorestframework-jwt conf:
JWT_AUTH = { 'JWT_VERIFY_EXPIRATION': True, 'JWT_AUTH_COOKIE': "JWT", 'JWT_EXPIRATION_DELTA': datetime.timedelta(seconds=3000), 'JWT_ALLOW_REFRESH': True, }
Setting this line
'JWT_AUTH_COOKIE': "JWT",
To
'JWT_AUTH_COOKIE': None,
The server won't look for jwt cookies in request however the next api calls don't find token in Authorization Header which leads to
Authentication credentials were not provided
Even sending the token in Header.
At web app there is no problem with that, so I'd like to know how can I fix it, looking for a way to stop sending JWT cookie from mobile app.

Refresh Token GCP

How can I get a Refresh Token from GCP?
I already got the Client ID and Client Secret from OAuth Client ID, but I can't find any Refresh Token from the credentials?
Google provides a lot of docs around different methods of authentication including refresh tokens but this document is probably most helpful.
Basically, once the user authorises you, in the response you get an authorization code which can be exchanged for an access token and refresh token by making a call to https://oauth2.googleapis.com/token like:
POST /token HTTP/1.1
Host: oauth2.googleapis.com
Content-Type: application/x-www-form-urlencoded
code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
client_id=your_client_id&
client_secret=your_client_secret&
redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob%3Aauto&
grant_type=authorization_code
Response:
{
"access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
"expires_in": 3920,
"token_type": "Bearer",
"scope": "https://www.googleapis.com/auth/drive.metadata.readonly",
"refresh_token": "1//xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"
}
Oauth on GCP is covered in depth here.

AWS Cognito authentication with Bearer token

I'm providing an external-facing REST GET API service in a kubernetes pod on AWS EKS. I had configured an ALB Ingress for this service which enforces Cognito user pool authentication. Cognito is configured with Authorization code grant with the openid OAuth scope enabled.
If I invoke my REST API from the browser, I get redirected to the Cognito login page. After a sucessful authentication on the form here, I can access my REST GET API just fine. This works, but this is not what I'd like to achieve.
Instead of this, I would need to use a Bearer token, after getting successfully authenticated. So first I invoke https://cognito-idp.ap-southeast-1.amazonaws.com using Postman with the request:
"AuthParameters" : {
"USERNAME" : "<email>",
"PASSWORD" : "<mypass>",
"SECRET_HASH" : "<correctly calculated hash>"
},
"AuthFlow" : "USER_PASSWORD_AUTH",
"ClientId" : "<cognito user pool id>"
}
and I get a successful response like:
"AuthenticationResult": {
"AccessToken": "...",
"ExpiresIn": 3600,
"IdToken": "...",
"RefreshToken": "...",
"TokenType": "Bearer"
},
"ChallengeParameters": {}
}
In the last step I'm trying to invoke my REST API service passing the Authorization HTTP header with the value Bearer <AccessToken> but I still get a HTML response with the login page.
How can I configure Cognito to accept my Bearer token for this call as an authenticated identity?
Quoting AWS support on this topic: "the Bearer token can not be used instead of the session cookie because in a flow involving bearer token would lead to generating the session cookie".
So unfortunately this usecase is not possible to implemented as of today.
STANDARD BEHAVIOUR
I would aim for a standard solution, which works like this:
API returns data when it receives a valid access token, or a 401 if the token is missing, invalid or expired - the API never redirects the caller
UIs do their own redirects to the Authorization Server when there is no token yet or when a 401 is received from the API
If it helps, my OAuth Message Workflow blog post demonstrates the 3 legged behaviour between UI, API and Authorization Server.
API GATEWAY PATTERN
It is perfectly fine to use an API Gateway Design Pattern, where token validation is done via middleware before hitting your API.
However that middleware must return a 401 when tokens are rejected rather than redirecting the API client.
IMPACT OF APIs REDIRECTING THE CLIENT
This may just about work for web UIs, though user experience will be limited since the UI will have no opportunity to save the user's data or location before redirecting.
For mobile / desktop apps it is more problematic, since the UI must redirect using the system browser rather than a normal UI view - see the screenshots on my Quick Start Page.
CHOICES
Any of these solutions would be fine:
Possibly the middleware you are using can be configured differently to behave like a proper API Gateway?
Or perhaps you could look for alternative middleware that does token validation, such as an AWS Lambda custom authorizer?
Or do the OAuth work in the API's code, as in this Sample API of mine
MY PREFERENCE
Sometimes I prefer to write code to do the OAuth work, since it can provide better extensibility when dealing with custom claims. My API Authorization blog post has some further info on this.

token not being sent in pre-flight request Ionic2

I am working on an app in Ionic 2 using DRF as API service. For authentication purpose I am using JWT. I am sending auth token with each request as Authorization: jwt [token]. In Postman, API is working fine.
Now when I am testing it in browser it is not working and I figured out that it is probably not working because the JWT auth token is not being sent in the OPTIONS request as a pre-flight. So how do I tackle this problem.
In the Ionic latest versions if you are using ionic serve commnad then you must have to use Proxies to prevent Preflight and CORS Issues,
First add API path and URL in ionic.config.json file like
{
"name": "APP-NAME",
"app_id": "",
"proxies": [
{
"path": "/api",
"proxyUrl": "http://example.com/api"
}
]
}
Now, while calling your API from http use the /api URL instead of the http://example.com/api like,
....
this.http.post('/api', data, {headers:headers}).map(res=>res.json()).subscribe(data=>{
console.log(data)
}, err=>{
console.log("Error!:", err.json());
});
....
After making the above changes you must rerun command ionic serve.
Still, if you are getting issues then refer Handling CORS Issues In Ionic and https://ionicframework.com/docs/cli/configuring.html
In CORS preflight OPTIONS response Cross-Origin-Allow-Headers should match that of the request.
Cross-Origin-Allow-Headers: Authorization
Actually the problem was that the OPTIONS api was not readable without the Authorization token so we added the readonly Auth level for the OPTIONS and GET api.

Django Rest Framework + Ember.js + rest auth

We're building a site using Ember for a frontend app which interacts with our Django Rest Framework API Backend. For Social Authentication we're using django_rest_auth coupled with django-allauth. The site is mostly all working, except we've run into problems with social authentication. Our local account authentication/registration is working fine.
I've made many projects that use django-allauth, but this is the first time using a restful authentication system. The ember application is able to go and fetch the token from google just fine. The response is something like:
{
authorizationCode: "mYtokEn12345",
provider: "google-oauth2",
redirectUri: "http://localhost:4200/dashboard"
}
I then post the access_token to my endpoint that I've set up according to the django_rest_auth docs. POST /auth/google {access_token:} but I get an error returned from Google that says "Invalid Credentials". How can I get Invalid Credentials after already Authenticating with Google and receiving my token?
After debugging through the code, I found that I was getting that response from https://www.googleapis.com/oauth2/v1/userinfo during the complete_login function in the allauth.socialaccount.providers.google.views.GoogleOAuth2Adapter class.
It's trying to run a GET https://www.googleapis.com/oauth2/v1/userinfo?access_token=mYtokEn12345&alt=json but returning Invalid Credentials.
{
error: {
errors: [
{
domain: "global",
reason: "authError",
message: "Invalid Credentials",
locationType: "header",
location: "Authorization"
}
],
code: 401,
message: "Invalid Credentials"
}
}
I'm pretty stumped on where to go from here. Anyone have some pointers on why this is happening? Any other code/errors I can give to be helpful?
It turned out that we weren't using the correct token. We were using the authorizationCode, which is used in another request to receive the token.