Problem
I have a Django REST API with a GET end point which I want to restrict the access to admin users. This can be done by specifying
permission_classes = (IsAdminUser,)
in the view.
Now I am trying to test this end point with Postman but I have 2 problems:
It does not work, I get a message that says "Authentication credentials were not provided."
My credentials are sent visibly in the url (because this is a GET end point)
Questions
Why can't I get the expected answer from the end point when I use Postman? I am receiving what I want if I use curl <my_url> -u <user>:<password>.
How can I keep my API meaningful (i.e., not using POST when the goal of the end point is to retrieve data) while keeping critical credentials hidden?
Why do you pass auth details in the URL? You have a Basic Auth section in POSTMAN, where you can put you login credentials. POSTMAN will then set the correct headers for you.
Remember to set BasicAuthentication as your auth class in DRF view or settings.
Related
So I've been trying to use Djoser JWT and I don't know how to login in it. As far as I know you create a request with your login credentials to this url /jwt/create/ and get the access and refresh token and maybe get the user object from /users/me/. This is where I got stuck, where do I go from here?
You correctly understood the first step of the process. Basically, you can now:
Add the access token in the header of your next requests.
This will transparently authenticate the user thanks to the Simple JWT plugin and you will be able to access him with the usual request.user in the views.
Refresh the access token each time you get a 401 response.
The access token is supposed to be short-living for security concerns and a 401 response from the server indicates that the one your are using is expired. So you have to get a new one by sending the refresh token to the token/refresh/ API and, then, make your request again.
You can read this article if you need more detailed explanations about this process or JWT.
I want to make a rest call to my Keycloak server.
According to doc it should be easy: https://www.keycloak.org/docs-api/10.0/rest-api/index.html#_executeactionsemail
So before I'll start codeing I want to prepare Postman call, so my url is
http://localhost:8080/auth/admin/realms/test/users/12345/execute-actions-email
in raw body I'm providing ['UPDATE_PASSWORD']
and what I get is 401 Unauthorized and I can't get what I'm doing wrong?
Body:
Headers are default:
For accessing the Admin Rest API you need to pass on the admin token to REST CALLS:
You would have been prompted to create an admin account as soon as you would have opened {keycloak-url}/auth.
You can use this admin account to obtain the admin token as shown below.
Note that only change you have to do in below call is your keycloak server address and value of admin username and password.
You can pass the token obtain above on to the REST aPIs with Authroization header.
Please refer to my other SO post for a step by step guide to do this.
#tryingToLearn thank You so much!
I'll post what I did.
Get token for master realm admin account:
Call reset password service in test realm
I've had wrong body so correct body for this request is ["UPDATE_PASSWORD"] and You can notice 204 in the right bottom corner.
The second question is, is it possible to have special user in any realm, not master realm admin for getting a token?
I'm creating a Login/Register API with Django Rest Framework which is consumed by my frontend, using JWT to authenticate and there are some basic things I can't seem to understand and maybe someone can help me out.
I created an endpoint to register a user (a POST to /users/). At first I was getting a "Authentication credentials were not provided." if I tried sending a request using Postman (on Django API GUI it would work normally I guess because they already send the correct authentication). However, when I think about it, it comes to me that he doesn't have the credentials yet since he's not registered and logged in, so its JWT wasn't created, so I added permission_classes = (AllowAny, ) to my APIView. But then it allows anyone to use the API, therefore anyone would be able to send a PATCH request to update some info without sending the JWT in the request. Anyone have any idea on how to handle that?
I think somehow I'm lacking some kind of concept about authentication. Maybe I need one exclusively for communicating my backend and frontend that will be used to register a user and the users JWT will be used to perform the other actions?
If needed, I can provide other informations about my architecture or code.
First As per your description,
I created an endpoint to register a user (a POST to /users/). At first I was getting a "Authentication credentials were not provided." if I tried sending a request using Postman (on Django API GUI it would work normally I guess because they already send the correct authentication).
You have to understand that since the api is a user registraion api, the permission class should always be set as permission_class = (AllowAny,), but you set permission_class = (IsAuthenticated,) in your view, so django expecting a proper authentication credential(a JWT token as you are using JWT) to make sure the requested user is authenticated. Thats why you are getting a "Authentication credentials were not provided." exception in your POST /users/ api.
Second, as you said later,
However, when I think about it, it comes to me that he doesn't have the credentials yet since he's not registered and logged in, so its JWT wasn't created, so I added permission_classes = (AllowAny, ) to my APIView
its obvious when a user registering himself/herself, then he/she will not have any credentials(JWT token).
then you said,
But then it allows anyone to use the API, therefore anyone would be able to send a PATCH request to update some info without sending the JWT in the request.
From these lines it seems that you are using single api view to Create(POST) and partial update(PATCH) of user. What you have to do is to make separate api views. That is one api view for Create/Register(POST) user and set permission_classes = (AllowAny, ) and another api view to Update(PATCH) user and set permission_class = (IsAuthenticated,). I think this will solve your problem.
EDITION: Now for better understanding how permission works in django rest framework, lets check this the way permission works in django rest framework.
I have a social media-type web app and want to have some read-only access even when a user isn't logged in. For example, if the user votes on a poll, I want nothing to happen but the user should still be able to see it. I am using token authorization. I'm wondering, should I do a check on the front-end somehow to see if a user is logged in (perhaps checking for the existence of a token in local storage) and not perform a fetch if they're not? Or should I somehow, in the frontend, handle receiving a 401 response from the backend for trying to access a protected resource? Or should I handle it on the back end and send back a 200 response and let the front end handle receiving a different version of a 200 response?
I'm using Django and React
Question has tag django-rest-framework so I suppose you are using it.
Take a look at DRF permissions documentation. There is IsAuthenticatedOrReadOnly permission which allows read-only access for unauthenticated users (list, retrieve actions), but only allows create, update, delete to authenticated users.
I understand that Flask JWT gives us the /auth endpoint. Once a user successfully logs in, an access token is assigned and the logged in user can be stored in Flask JWT's current_identity. What I'm wondering is can I also return the User Json back to my client in the same /auth endpoint? Or does it have to be a separate request?
This is for a mobile rest-api, using Flask-Restful. Right now, I have a user log in. The login route (/auth) returns the access token to the client, and then I use the token to get the User Json in a separate request, but I feel like I should be able to condense this into the same request.
Any tips are appreciated :)
IDEA:
Can I create an auth resource via flask-restful and specify exactly what I want it to return? (the token for the server and the user json to the client?)
Flask-JWT has been abandoned for quiet a while now. I would suggest checking out Flask-JWT-Extended instead as an alternative that is still actively maintained (full disclosure, I'm the author of that extension).
In Flask-JWT-Extended you create your own endpoint instead of having the extension create one for you, so you can return whatever data you want there. Here is an example of this in action: http://flask-jwt-extended.readthedocs.io/en/latest/basic_usage.html