I have a requirement to authenticate a user who wants to access an API with his credentials (un/pwd) with basic authentication or digest auth
Also pass the required credentials(un/pwd) in the request to authenticate the access to backend service
My synapse extracted config looks like this:
<filter source="$ctx:AM_KEY_TYPE" regex="PRODUCTION">
<then>
<property name="api.ut.backendRequestTime"
expression="get-property('SYSTEM_TIME')"/>
<property name="password"
expression="wso2:vault-lookup('PayAdmin-- ZenoAPI51.0')"/>
<property name="unpw"
expression="fn:concat('user',':',get-property('password'))"/>
<property name="Authorization"
expression="fn:concat('Basic ', base64Encode(get-property('unpw')))"
scope="transport"/>
<send>
<endpoint name="PayAdmin--ZenoAPI5_APIproductionEndpoint_0">
<http uri-template="http://localhost:8080/payment/{uri.var.name}"/>
</endpoint>
</send>
</then>
What i want to know is:
curl -X POST --header "Content-Type: application/json" --header "Accept: application/json" --header "Authorization: Bearer 2e13c9b3c8717f43d093cfc7c63994bb" -d "{}" http://<IP address of APIM Server>:8280/Zeno1/1.0.0/payment/name
This curl can only take bearer token but how to pass user/pwd for API and user/pwd for backend in the curl
Regarding your second question:
For Basic Authentication towards the backend you can configure a general Password in the Publisher in step Implement -> Show More Options -> Endpoint Security Scheme: set to Secured and provide Credentials
(see: https://docs.wso2.com/display/AM1100/Basic+Auth)
If user specific credentials have to be provided the user should set the "Authentication: Basic base64(username:password)" in the HTTP header, the header will get passed to the backend.
curl -X POST --header "Content-Type: application/json" --header "Accept: application/json" --header "Authorization: **Basic** **[base64encode(username:password)]**" -d "{}" http://<IP address of APIM Server>:8280/Zeno1/1.0.0/payment/name
[base64encode(username:password)] replace this with base64 encode string of
"username:password"
Related
If I try to provide authentication credentials in my request as a generated ID token stored in an Authorization header:
curl -m 550 -X POST https://origin-project.cloudfunctions.net/myfunction \
-H "Authorization: bearer $(gcloud auth print-identity-token)" \
-H "Content-Type: application/json" -d '{}'
I get 401 Unauthorized:
<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>401 Unauthorized</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Unauthorized</h1>
<h2>Your client does not have permission to the requested URL <code>/myfunction</code>.</h2>
<h2></h2>
</body></html>
But if I manually insert the ID token like below, it works:
curl -m 550 -X POST https://origin-project.cloudfunctions.net/myfunction \
-H "Authorization: bearer eyM5NjBJ0eXAiOiJKV1QifQ.eyJpc3MiOztszEgUX4oH.YI80RjsZdxSFIcFshmA" \
-H "Content-Type: application/json" -d '{}'
Response:
Request payload is empty: None
Does anyone know why this is so?
Note: I'm executing commands locally via Google Cloud CLI.
We have on premise WSO2 stack for managing the api subscription where there are client applications created in the wso2 store URL for generating access tokens. One of the development team in our organization is trying to generate the access token from the client id and secret by the means of javascript. The tokens are not getting generated and resulting into CORS issue. I have checked the documentations for similar issues and I have made change in the TokenAPI.xml file located under the <API_M>/repository/deployment/server/synapse-configs/default/api directory by adding the outsequence property. Unfortunately this did not solve the issue. I have read a few documentations and verified the cors configuration in the api manager.xml file it looked fine to me.
const token =
"Base64(consumer-key:consumer-secret)";
const url = "https://<gateway_Url>/token";
const res = axios({
method: "post",
url: url,
data: "grant_type=client_credentials",
headers: {
"Authorization": `Basic ${token}`,
"Content-Type": "application/x-www-form-urlencoded",
Accept: "application/json"
},
});
cat /data/wso2/wso2am-2.6.0/repository/deployment/server/synapse-configs/default/api/_TokenAPI_.xml
<api xmlns="http://ws.apache.org/ns/synapse" name="_WSO2AMTokenAPI_" context="/token">
<resource methods="POST" url-mapping="/*" faultSequence="_token_fault_">
<inSequence>
<property name="uri.var.portnum" expression="get-property('keyManager.port')"/>
<property name="uri.var.hostname" expression="get-property('keyManager.hostname')"/>
<send>
<endpoint>
<http uri-template="https://{uri.var.hostname}:{uri.var.portnum}/oauth2/token">
<timeout>
<duration>60000</duration>
<responseAction>fault</responseAction>
</timeout>
</http>
</endpoint>
</send>
</inSequence>
<outSequence>
<property name="Access-Control-Allow-Headers" scope="transport" value="authorization,Access-Control-Allow-Origin,Content-Type,Action"></property>
<send/>
</outSequence>
</resource>
<handlers>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerCacheExtensionHandler"/>
<handler class="org.wso2.carbon.apimgt.gateway.handlers.common.SynapsePropertiesHandler"/>
</handlers>
</api>
Error - Access to XMLHttpRequest at 'https://api-uat.ucl.ac.uk/token' from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
You might have to add the CORS handler to the token API under handlers.
<handler class= "org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler">
<property name="apiImplementationType" value="ENDPOINT"/>
</handler>
I have generated the presigned url for get request using the same algoritthm mentioned in the documentation of AWS.
This is working.
But when I Post/Put the data the signature mismatch error is present.
Below is a sample curl :-
curl --location --request POST 'https://<bucket_name>.s3.ap-south-1.amazonaws.com/testFolder/testing1.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=<access_key_id>%2F20211006%2Fap-south-1%2Fs3%2Faws4_request&X-Amz-Date=20211006T113405Z&X-Amz-Expires=3000&X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-content-sha256%3Bx-amz-date&X-Amz-Signature='
--header 'x-amz-content-sha256: UNSIGNED-PAYLOAD'
--header 'x-amz-date: 20211006T113405Z'
--header 'Content-Type: text/plain'
I am using WSO2 Identity server and using email as username from following documentation-
https://is.docs.wso2.com/en/5.9.0/learn/using-email-address-as-the-username/
Then while performing a sign-up ie create users using SCIM2 APIs with email more than 30 characters i was getting the following error-
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:Error"
],
"scimType": "invalidValue",
"detail": "31301 - Username test1233.admin#motioneducation.com is not valid. User name must be a non null string with following format, ^[\\S]{3,30}$",
"status": "400"
}
Then to fix this i added this regex expression in deployment.toml file in user store-
[user_store]
username_java_script_regex = '^[a-zA-Z0-9.-]+#[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$'
username_java_regex='^[a-zA-Z0-9.-]+#[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}'
This change fixed my sign-up problem but the token generated by performing login using wso2 /oauth2/token API is giving 401 unauthorized in /oauth2/introspect API?
Please Help........?
Since you have enabled email as username, then you need to use the email username in the authorization header also. A sample curl command is given below.
curl --location --request POST
'https://{host_name}:{port}/oauth2/introspect'
--header 'Content-Type: application/x-www-form-urlencoded'
--header 'Authorization: Basic {base64encode(emailusername:password)}'
--data-urlencode 'token={access_token}'
Sample request
curl --location --request POST
'https://localhost:9443/oauth2/introspect'
--header 'Content-Type: application/x-www-form-urlencoded'
--header 'Authorization: Basic YWRtaW5Ad3NvMi5jb206YWRtaW4='
--data-urlencode 'token=47f65812-c5fb-3f90-b5c0-3bbc3603578f'
401 unauthorized error comes only if you are sending invalid credentials. So please check whether you are sending valid emailusername and valid password in authorization header
I sent this message:
curl -X POST http://192.168.0.179:8280/esb/api/CreateAddressID -H "content-
type: application/json" --data #evCaptureJSONPropertiesInvalid.json
I was trying to capture the header "content-type: application/json" .
This was my configuration in my API Resource:
<!-- Capture the payload values START-->
<property name="contentType" expression="$trp:Content-Type" scope="default" type="STRING" value="value"/>
and then I tried to retrieve it in the log mediator as shown below:
<log description="Request Log" level="custom">
<property name="Content-Type" expression="$ctx:contentType"/>
</log>
Yet when I saw the output in the console it did not appear what I saw instead was:
[2018-12-05 15:15:07,933] [EI-Core] INFO - LogMediator content-Type = value
Could someone kindly assist? Also thank you in advance.
Both
<property expression="get-property('transport', 'Content-Type')" name="contenttype"/>
<property expression="$trp:Content-Type" name="contenttype"/>
Should work. I suspect the header is case sensitive and it will work when you use `-H "Content-Type: application/json"