Wso2 Identity server 5.3.0 and fido token - wso2

I am using WSO2 IS 5.3.
I integrated it with U2F.
When I use it in authentication, it gives me a blank page (https://localhost:9443/authenticationendpoint/fido-auth.jsp),
but when I use it with the previous version it works well!
What is the problem between the latest version and the FIDO token?
And why does the FIDO token work only with Google Chrome and not Firefox?

As for the first part of your question, I assume you're not supposed to be "air-dropped" straight into that page, but rather naturally directed to it after providing username and password. Also, try checking the inner system log of WSO2; you should find it under the 'Monitor' tab.
For the second part of your question, please refer to this question here.
tl;dr:
Chrome has supported FIDO by default since version 40, while Mozilla is on its way to supporting it; in the meantime you can use this extension.

Reusing existing application token of previous WSO2AM version

I am currently setting up a fresh instance of WSO2 AM 3.2.0 from scratch because upgrading and migrating from version 2.1 did not work as expected. To avoid any inconvenience for current users I would like to keep using the already existing consumer_key and consumer_secret for each application so the access_token doesn't change when transitioning from 2.1 to 3.2.
Assume the consumer_key:consumer_secret being in use in version 2.1 is: original_key:original_secret.
When creating a new application in the AM 3.2 instance I, of course, get a new secret - say new_key:new_secret. To keep using the original combination I created a dump of the AM 3.2 database and in this dump I just replaced the new consumer_key and consumer_secret with the original ones like this:
sed -i 's/new_key/original_key/g' dump.sql and sed -i 's/new_secret/original_secret/g' dump.sql
and then I replaced the existing 3.2 database with this modified dump. After restarting the AM 3.2 I can see that the application is in fact using the original consumer_key and consumer_secret but when I generate an access_token it differs from the original access_token which I actually wanted to replicate.
I know that my approach is rather dirty but I'm wondering why it didn't work, though. Is there anything I missed -- or even better -- a clean solution for my problem?
The reason for getting a different access token is that APIM 3.2.0 only supports JWT tokens by default; in 2.1.0 it only supports opaque tokens. I believe that you are getting JWT tokens with the above token calls, which are different from opaque tokens.
With the above approach, you will lose the following data from the previous 2.1.0 setup:
APIs and artifact related information.
Application attributes + existing active tokens + scopes
Users that persisted in the existing platform.
However, if you just want to replicate the applications with the client id and secret, the better approach would be as follows.
Using the Devportal REST API
Use the Dev Portal REST APIs to create the application [1]. When providing the parameters, specify the token type as OAUTH if you want to obtain an opaque token.
Map the client-id/secret pair using the map-keys resource [2].
I hope the above will be helpful to you.
[1]https://apim.docs.wso2.com/en/latest/develop/product-apis/devportal-apis/devportal-v1/devportal-v1/#tag/Applications/paths/~1applications/post
[2]https://apim.docs.wso2.com/en/latest/develop/product-apis/devportal-apis/devportal-v1/devportal-v1/#tag/Application-Keys/paths/~1applications~1{applicationId}~1map-keys/post
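The answer above turns on two things: telling a 3.2 JWT apart from a 2.1 opaque token, and recreating the application through the Devportal v1 API instead of editing a database dump with sed (which also rewrites every other row that happens to contain the key string). The following is an added example, not WSO2's code: it classifies a token by decoding (not verifying) its JWT structure, and builds the two request bodies for the endpoints linked in [1] and [2]. The host, bearer token, application id, key manager name and the sample JWT are assumptions; field names follow the Devportal v1 documentation.

```python
# Added example (not WSO2 code): distinguish an opaque APIM 2.1 token from the JWT
# that APIM 3.2 issues by default, and build the Devportal v1 payloads that recreate
# an application under its original consumer key/secret.
import base64
import json
import urllib.request


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def classify_token(token: str) -> dict:
    """Return {"type": "jwt", "header": ..., "claims": ...} or {"type": "opaque"}.

    This only decodes the token. It does NOT verify the signature, so the claims
    must never drive an authorisation decision unless the signature has been
    checked against the gateway's public key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return {"type": "opaque"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON: not a JWT
        return {"type": "opaque"}
    if not isinstance(header, dict) or "alg" not in header:
        return {"type": "opaque"}
    return {"type": "jwt", "header": header, "claims": claims}


def application_payload(name: str, throttling_policy: str = "Unlimited",
                        token_type: str = "OAUTH") -> dict:
    # Body for POST /api/am/devportal/v1/applications (link [1] above).
    # tokenType "OAUTH" requests opaque tokens; "JWT" is the 3.2 default.
    return {"name": name, "throttlingPolicy": throttling_policy,
            "description": "migrated from APIM 2.1", "tokenType": token_type}


def map_keys_payload(consumer_key: str, consumer_secret: str,
                     key_type: str = "PRODUCTION",
                     key_manager: str = "Resident Key Manager") -> dict:
    # Body for POST /api/am/devportal/v1/applications/{applicationId}/map-keys
    # (link [2] above). The key manager name is an assumption for a default install.
    return {"consumerKey": consumer_key, "consumerSecret": consumer_secret,
            "keyType": key_type, "keyManager": key_manager}


def devportal_post(base_url: str, path: str, bearer: str, body: dict) -> dict:
    """Send one Devportal call. Not exercised offline; base_url and bearer are
    assumptions (e.g. https://localhost:9443 and a token with apim:subscribe)."""
    req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                 headers={"Authorization": "Bearer " + bearer,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def unsigned_sample_jwt(header: dict, claims: dict) -> str:
    # Constructed for illustration only: a real APIM token carries an RS256 signature.
    enc = lambda o: base64.urlsafe_b64encode(
        json.dumps(o, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return enc(header) + "." + enc(claims) + ".signature-placeholder"


SAMPLE_JWT = unsigned_sample_jwt(
    {"alg": "RS256", "typ": "JWT"},
    {"iss": "https://localhost:9443/oauth2/token", "sub": "admin", "exp": 1700000000})
SAMPLE_OPAQUE = "3a4f2f5e-7c1d-4b8a-9e1f-0c2d3e4f5a6b"  # constructed, 2.1-style
```

Recreating an application is then two calls: `devportal_post(base, "/api/am/devportal/v1/applications", tok, application_payload("MigratedApp"))`, and with the returned `applicationId`, `devportal_post(base, f"/api/am/devportal/v1/applications/{app_id}/map-keys", tok, map_keys_payload("original_key", "original_secret"))`. Even with the original key pair mapped, an opaque token value itself is not recoverable from the 2.1 database by design, so clients should expect to obtain a fresh token after migration.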

Pass NTLM with Postman

Is there a way to pass Windows Authentication with postman?
I have added this in the header but still get 401 Unauthorized.
Authorization: NTLM TkFcYWRtaW46dGVzdA==
As suggested by this link, I've encrypted it as Unicode (UTF-16, little-endian) but to no avail.
Any Ideas?
I got this working by running Fiddler first.
Run Fiddler (I'm using 4.6.2.3)
Fiddler Menu: Rule -> Automatically Authenticate = true
Postman: Check that Authorization type = No Auth
Browse api.
You can use the NTLM authorization that exists in the Authorization tab, as in this photo:
I don't think there is a way to do that. But, you are not alone in wanting it...
https://github.com/postmanlabs/postman-app-support/issues/1137
[EDIT]
As of this edit, Postman has NTLM authentication in beta in their most recent release.
https://www.getpostman.com/docs/v6/postman/sending_api_requests/authorization
I suggest using insomnia. It's free and you can see the documentation on how to add NTLM Auth here: https://insomnia.rest/documentation/authentication/
NTLM authentication does work with the Chrome plugin version of Postman, as the built-in Chrome NTLM authentication can be used with the plugin. However, plugins are no longer supported by Chrome, so this version can no longer be installed and used.
The current app version of Postman (both the Chrome app and native app versions) does not support NTLM authentication.
This was added to the Postman application in 5.3.0. However, this support was broken in 5.4.1 and remained broken until 7.14.0 per Postman App issue #4355. Updating the app to a newer version of Postman should therefore allow using NTLM authentication.
Note that Postman currently only supports NTLMv1 authentication but not NTLMv2 per Postman App issue #8038.
I will improve upon Hala's answer, as it is problematic due to storing credentials in the request, which might get persisted in a shared repository if one is used.
Clear credentials once a request has been successfully issued
One way is to enter the credentials (username, password and domain), make the request and then remove them. Subsequent requests will work, probably because the same NTLM authentication header is reused, as Postman adds a temporary Authorization header (blurred) with a value like the following: NTLM some_base64_content
Use environment variables (or better global ones as suggested by SSS) to store sensitive data
Define an environment to use and configure it similar to this:
Use configured environment variables in the request:
You can also change Internet Options and set Logon to:
Automatic logon with current user name and password
taken from:
https://sysadminspot.com/windows/google-chrome-and-ntlm-auto-logon-using-windows-authentication/
If the website uses HTTPS you can add it to Trusted Sites and set it there; otherwise you can add it to Local intranet sites and set it under Custom level... there.
Open internet options:
Click Custom level... and scroll to bottom:
Postman now does NTLM on their desktop apps only.
If you develop your API in C#, you can use the following on your base controller:
#if !DEBUG
[Authorize]
#endif
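The header in the question (`NTLM` followed by base64 of `domain\user:password`) is Basic-auth style and cannot work, because the NTLM scheme carries a NEGOTIATE, CHALLENGE or AUTHENTICATE message from MS-NLMP, not credentials. The UTF-16LE step the question mentions belongs to the NT hash, and the NTLMv1/NTLMv2 difference raised in a later answer is in how that hash is used. The following is an added example, not Postman's or Microsoft's code: it builds the type 1 message Postman sends, parses a type 2 challenge, and computes the NTLMv2 proof that goes into the type 3 message. MD4 is implemented in pure Python because OpenSSL 3 builds of `hashlib` no longer expose it by default. The user, domain, password, challenges and target info are the MS-NLMP test vectors; the constructed type 2 message stands in for a real server.

```python
# Added example (not Postman or Microsoft code): what travels in an NTLM
# Authorization header and how the NTLMv2 response is derived.
import base64
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed because the NT hash is MD4(UTF-16LE(password))."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = h[:]
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = (-i) % 4  # register updated this step cycles a, d, c, b
                b, c, d = r[(a + 1) % 4], r[(a + 2) % 4], r[(a + 3) % 4]
                r[a] = rotl((r[a] + fn(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, r)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    # The "Unicode (UTF-16, little-endian)" step: the password is hashed, never sent.
    return md4(password.encode("utf-16-le"))


# NEGOTIATE_UNICODE | OEM | REQUEST_TARGET | NTLM | ALWAYS_SIGN | EXTENDED_SESSIONSECURITY | 128 | 56
NEGOTIATE_FLAGS = 0x1 | 0x2 | 0x4 | 0x200 | 0x8000 | 0x80000 | 0x20000000 | 0x80000000


def negotiate_message(flags: int = NEGOTIATE_FLAGS) -> bytes:
    """Type 1: signature, type, flags, empty domain/workstation fields (32 bytes)."""
    return b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + bytes(16)


def authorization_header(msg: bytes) -> str:
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def av_pairs(*pairs) -> bytes:
    """TargetInfo as MS-NLMP AV_PAIRs (id, UTF-16LE value), terminated by MsvAvEOL."""
    out = b""
    for av_id, value in pairs:
        v = value.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(v)) + v
    return out + struct.pack("<HH", 0, 0)


def build_challenge(server_challenge: bytes, target_info: bytes,
                    flags: int = NEGOTIATE_FLAGS) -> bytes:
    """Constructed stand-in for the server's type 2 message (no version field)."""
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)
            + struct.pack("<HHI", 0, 0, 48)                 # empty TargetName
            + struct.pack("<I", flags) + server_challenge + bytes(8)
            + struct.pack("<HHI", len(target_info), len(target_info), 48)
            + target_info)


def parse_challenge(msg: bytes) -> dict:
    """Type 2: extract the 8-byte server challenge and the TargetInfo AV pairs."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE message")
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)
    return {"flags": flags, "server_challenge": msg[24:32],
            "target_info": msg[ti_off:ti_off + ti_len]}


def ntowf_v2(user: str, domain: str, password: str) -> bytes:
    # MS-NLMP 3.3.2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain.
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"),
                    hashlib.md5).digest()


def ntlmv2_response(user, domain, password, server_challenge, client_challenge,
                    timestamp, target_info):
    """Return (NTProofStr, NtChallengeResponse) for the type 3 message."""
    temp = (b"\x01\x01" + bytes(6) + timestamp + client_challenge + bytes(4)
            + target_info + bytes(4))
    proof = hmac.new(ntowf_v2(user, domain, password), server_challenge + temp,
                     hashlib.md5).digest()
    return proof, proof + temp


SPEC_TARGET_INFO = av_pairs((2, "Domain"), (1, "Server"))  # MS-NLMP 4.2.4 vector
```

The blurred `NTLM some_base64_content` header a later answer describes is the base64 of one of these messages; note that because the type 3 proof is bound to the server challenge, it cannot be replayed against another server, which is also why pasting a fixed `Authorization` header into Postman does not work.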

When to use Facebook AccessTokenTracker Android SDK?

I am interested how to handle AccessToken expiration when using the Facebook SDK for Android.
According to the Access Tokens documentation, developers don't need to worry about token expiration: "When using iOS, Android or our JavaScript SDK, the SDK will handle making sure that tokens are refreshed before they expire."
Assumption A: I assume that the quote above implies that AccessToken.getCurrentAccessToken() always returns a non-expired access token, or is my assumption wrong?
In the Facebook Login for Android documentation they say: "If you want your app to keep up with the current access token and profile, you can implement AccessTokenTracker and ProfileTracker classes."
My question is: Why should I implement AccessTokenTracker if (according to 1) the SDK makes sure that tokens are refreshed before they expire?
If my assumption is correct, then getCurrentAccessToken() always returns a non-expired token, so there should be no reason to track the AccessToken?
Thank you for help!
EDIT
My assumption A is wrong, because according to this documentation the person has to log in again if the access token is invalid.
Typically you would use the AccessTokenTracker if you also save the access token elsewhere. Let's say that you keep the access token server side (so you can make requests offline), and the SDK updates the token with a refresh, in that case, you'll want to update the token on your server as well, this allows you to do that.
Alternatively, if your app allows people to log off, or to switch to a different user, you can use the AccessTokenTracker and ProfileTracker to alert you when the user changes.

WSO2 Identity Server cannot handle IdP initiated logout with special SP names

It seems that WSO2IS does not honor special characters in the spEntityID parameter, such as:
https://wso2is.localnet:9443/samlsso?spEntityID=http://otherhost/&RelayState=http://otherhost/logout.jsp
Do you have any idea how to sort this out? The SP cannot be set to use a different issuer. URL encoding doesn't help.
It seems that if the SP doesn't send the SessionIndex to the WSO2IS IdP in the SAML2 LogoutRequest, it fails since it cannot get it from there.
This answer was posted by OP (toma) as a separate question; I've just pasted it here to get everything in one place.
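The answer pins the failure on a LogoutRequest that lacks a SessionIndex. The following is an added example, not WSO2's code: it builds the SAML 2.0 LogoutRequest an SP should send (Issuer, NameID and SessionIndex), encodes it for the HTTP-Redirect binding that `/samlsso` accepts (raw DEFLATE, base64, URL-encode), and checks an incoming request for the element whose absence the answer describes. The issuer, NameID, session index and IdP URL are assumptions, and request signing is omitted.

```python
# Added example (not WSO2 code): SAML 2.0 LogoutRequest with SessionIndex,
# HTTP-Redirect encoding, and a check for the missing-SessionIndex failure mode.
import base64
import datetime
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)


def build_logout_request(issuer: str, name_id: str, destination: str,
                         session_index=None, now=None) -> str:
    """Serialise a LogoutRequest. session_index=None reproduces the broken SP."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    req = ET.Element(f"{{{NS_P}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"), "Destination": destination})
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS_A}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}).text = name_id
    if session_index is not None:
        # Identifies which IdP session to terminate; without it the IdP has to
        # guess, and the answer above reports that WSO2IS fails instead.
        ET.SubElement(req, f"{{{NS_P}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(idp_url: str, xml_text: str, relay_state=None) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = co.compress(xml_text.encode("utf-8")) + co.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_url + "?" + urllib.parse.urlencode(params)


def decode_redirect_request(url: str) -> str:
    """Inverse of redirect_binding_url, as the IdP side would do it."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def session_index_of(xml_text: str):
    """Return the SessionIndex value, or None when the SP omitted it.

    ElementTree does not expand external entities, but for XML from untrusted
    parties prefer defusedxml to also cap entity expansion.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_P}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    el = root.find(f"{{{NS_P}}}SessionIndex")
    return el.text if el is not None else None


IDP_URL = "https://wso2is.localnet:9443/samlsso"  # from the question
```

In production the request must be signed (a `Signature` query parameter with `SigAlg` for the Redirect binding, or an enveloped XML signature for POST) so that a logout cannot be forged for another user's session; the SessionIndex value is whatever the IdP put in the `AuthnStatement` of the original assertion.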

Does https://graph.facebook.com/debug_token only work for app developers?

The website tool at:
https://developers.facebook.com/tools/debug/
can be used by any user to check their token, but it seems that the API endpoint:
https://graph.facebook.com/debug_token
only works for app developers.
Firstly, I just wanted to confirm this is the case?
Secondly, if this is so, I was wondering if there is an API endpoint to check any token? I can't understand why this wouldn't be permitted given that there is a UI/web page feature to do this.
Are you asking if the API only works for developers? Yes. As the documentation CBRoe provided shows, you need to include a currently valid access_token from your own app in order to debug the details of another one.
That API endpoint does let you check any token from your app; you just need to specify your own token to authenticate the request.
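The answer describes the shape of the call: `debug_token` takes the token to inspect as `input_token` and your own app's token as `access_token`. The following is an added example, not Facebook's code: it builds that request, and then applies the checks a server should make on the response before trusting a user-supplied token, in particular that `app_id` is your own app (a valid token issued to some other app is not proof of anything for yours). The app id, secret, token strings and the sample response are constructed; the request parameters and the response fields (`app_id`, `is_valid`, `expires_at`, `scopes`, `user_id`) follow the Graph API.

```python
# Added example (not Facebook code): inspect a token with /debug_token and
# validate the result server-side.
import json
import time
import urllib.parse
import urllib.request

GRAPH = "https://graph.facebook.com"


def app_access_token(app_id: str, app_secret: str) -> str:
    # The app token form "<app-id>|<app-secret>"; keep the secret server-side only.
    return f"{app_id}|{app_secret}"


def debug_token_url(input_token: str, app_token: str) -> str:
    return GRAPH + "/debug_token?" + urllib.parse.urlencode(
        {"input_token": input_token, "access_token": app_token})


def fetch_debug_token(input_token: str, app_token: str) -> dict:
    """Network call; not exercised offline."""
    with urllib.request.urlopen(debug_token_url(input_token, app_token), timeout=10) as r:
        return json.load(r)


def validate_debug_response(resp: dict, expected_app_id: str,
                            required_scopes=(), now=None):
    """Return (ok, detail): detail is the user_id on success, else the reason.

    Rejects tokens issued to another app, invalidated or expired tokens, and
    tokens that lack scopes the server needs.
    """
    now = time.time() if now is None else now
    data = resp.get("data")
    if not data:
        return False, "no data object in response"
    if data.get("error"):
        return False, "graph error: " + str(data["error"].get("message"))
    if str(data.get("app_id")) != str(expected_app_id):
        return False, "token was issued for a different app"
    if not data.get("is_valid"):
        return False, "token is not valid"
    expires_at = data.get("expires_at", 0)  # 0 means a non-expiring token
    if expires_at and expires_at <= now:
        return False, "token expired"
    missing = set(required_scopes) - set(data.get("scopes", []))
    if missing:
        return False, "missing scopes: " + ",".join(sorted(missing))
    return True, str(data.get("user_id"))


# Constructed sample modelled on the documented response shape; values are fake.
SAMPLE_RESPONSE = {"data": {
    "app_id": "123456789012345", "type": "USER", "application": "Example App",
    "expires_at": 1700000000, "is_valid": True, "issued_at": 1699000000,
    "scopes": ["email", "public_profile"], "user_id": "1000000000000001"}}
```

The `app_id` comparison is the important one: the debug tool on the website accepts any token because it only displays information, whereas a server that logs a user in on the strength of a token must also confirm the token was minted for its own app.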