What's wrong with this Graph API call - facebook-graph-api

https://graph.facebook.com/me/feed?access_token=dsjsdchsdch&message=test
I used it with the real access token. It's throwing 403.
And oh, I did POST it.

See if the content of the HTTP 403 has an actual API error associated with it.

Related

Missing Authentication Token while accessing API Gateway when tested in chrome but working in postman

I created an AWS Lambda function which invokes the endpoint of the ML model I created in SageMaker. I tested it and it's working fine. Next I created a REST API that calls this Lambda function. I set the authentication type as NONE, so anyone with the URL can access it. I created it following this AWS blog. I tested my URL in Postman. It's working fine in Postman, but when I entered the URL in Chrome, it's throwing a {"message":"Missing Authentication Token"} error. Can someone please tell me how I get rid of that error while testing my URL in Chrome?
The error is misleading. It's got absolutely nothing to do with tokens. What is actually happening is that the URL you are trying to access is invalid.
API Gateway's URL looks like this: https://xxxxxxx.execute-api.some-region.amazonaws.com/your-stage but it's very likely that you created an endpoint on API Gateway, which would then be accessible via https://xxxxxxx.execute-api.some-region.amazonaws.com/your-stage/YOUR_ENDPOINT
If you hit the base URL or a path which does not exist, you will get that weird, misleading Missing Authentication Token message.
So, long story short, hit a valid path for your API and it should work just fine.
Tip: maybe you are doing a POST request via Postman but whenever you try with the browser it issues a GET request, which would also result in an invalid path and therefore the Missing Authentication Token message.
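The two answers above both come down to the same first step: read the body of the 4xx response before guessing. Graph API wraps its errors in an `error` object, while API Gateway's default gateway responses are a bare `{"message": ...}`, and its "Missing Authentication Token" text means an unmatched route or method rather than a credential problem. The triage helper below is an added example, not code from either thread; the sample bodies are constructed, and the URL layout (`/stage/resource`) is assumed from the answer.

```python
import json
from typing import Optional
from urllib.parse import urlparse

# Constructed sample bodies, shaped like the two services' error formats.
GRAPH_403_BODY = json.dumps({
    "error": {"message": "Invalid OAuth access token.",
              "type": "OAuthException", "code": 190}
})
APIGW_403_BODY = json.dumps({"message": "Missing Authentication Token"})


def parse_api_error(body: str) -> Optional[dict]:
    """Return the structured error inside a JSON error body, or None.

    Graph API: {"error": {"message", "type", "code"}}.
    API Gateway default gateway responses: {"message": "..."}.
    Anything that is not JSON (an HTML error page, an empty body) yields None.
    """
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict):
        return None
    if isinstance(data.get("error"), dict):
        return data["error"]
    if "message" in data:
        return {"message": data["message"]}
    return None


def triage(status: int, body: str, method: str, url: str, has_auth: bool) -> str:
    """Turn a 401/403 into an actionable diagnosis for the caller."""
    err = parse_api_error(body)
    message = (err or {}).get("message", "")
    path = urlparse(url).path
    if status == 403 and message == "Missing Authentication Token":
        # API Gateway returns this for an unknown route or method, not for auth.
        parts = [p for p in path.split("/") if p]
        if len(parts) <= 1:  # assumed layout: /<stage>/<resource>
            return "route-not-found: base URL hit; append the resource path"
        return f"route-not-found: no {method} route at {path}"
    if status == 401 and not has_auth:
        return "missing-credentials: add the Authorization header"
    if err and err.get("type") == "OAuthException":
        return f"oauth-error code={err.get('code')}: {message}"
    if err:
        return f"api-error: {message}"
    return f"http-{status}: no structured error in body"


if __name__ == "__main__":
    print(triage(403, GRAPH_403_BODY, "POST", "https://graph.facebook.com/me/feed", True))
    print(triage(403, APIGW_403_BODY, "GET",
                 "https://xxxxxxx.execute-api.some-region.amazonaws.com/your-stage", False))
```

The point of keeping `parse_api_error` separate is that a 403 with a non-JSON body (a proxy's HTML page, an empty body) is itself a finding: it tells you the request never reached the API's own error handling.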

Not able to get Access Token from postman tool

I was trying to fetch the access token from my Identity Server hosted locally/remotely. It is showing an error saying the request body should have a client secret/client assertion.
Here's a full tutorial I wrote. Hope this helps.
https://medium.com/#rotter.axel/automatically-sign-in-to-identity-server-4-with-postman-and-test-net-core-controller-methods-bc5d8feb199e

Postman 401 Unauthorized using Ocelot

I am implementing an Ocelot gateway. When I make the API call using my browser to http://localhost:5009/api/values, I get a valid JSON response back. However, when I make the same request through Postman I get a 401 Unauthorized response. Any ideas if there is a setting in Postman I need to change, or something else?
That is, the client must authenticate itself to get the requested response.
Most likely you have forgotten to put your token in the header in Postman, so that the server can authenticate you and return a response.

Amazon API Gateway - Gateway Responses Ordering

I have set up my API at Amazon API Gateway, and the Gateway Responses part seems to be a bit confusing.
There are a lot of default responses defined here along with the HTTP Return Code:
Access Denied (403)
Invalid API Key (403)
Invalid Signature (403)
Missing Authentication Token (403)
Unauthorized (401)
Is there any logic of which response is returned upon which condition? I have done my tests and I wasn't able to find a pattern.
No API Key + Valid URL: Invalid API Key
No API Key + Invalid URL: Missing Authentication Token
Good API Key + Invalid URL: Missing Authentication Token
Is there any specific pattern here?
Thanks,
Guven.
As noted in comments, for security reasons, API Gateway can give you the impression that it is really pretty obsessive about these mysterious authentication token thingies, whatever exactly they may be.
But this was apparently done because it should be difficult for a malicious user to determine a specific reason why the request is forbidden... and, as you have discovered, this message is as potentially uninformative as it is potentially misleading. (Not necessarily a criticism, here... that's what it's for.)
What you'll probably find helpful is to go in and customize your error responses and change the default wording of each message to match its actual meaning. There are several where you'll find Missing Authentication Token in the text of the template.

What status code should I use when session token is invalid?

When creating a web service (RESTful), what status code should I use when session token is invalid?
Currently the one in my company sends me a 404, not found, but I think this is not correct, because the resource exists.
Maybe I should use 401 Unauthorized.
What do you think? What status code do you recommend me to use in this scenario? Thanks.
401 Unauthorized.
Your existing session token doesn't authorize you any more, so you are unauthorized.
Don't forget that a session token is just a short-cut to avoid having to provide credentials for every request.
Sending 404 is incorrect because, as you observe, the resource does exist. You just don't currently have authorization to see it.
NB Don't use 403 Forbidden; the HTTP specification defines it as follows: "The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated." That doesn't apply in this case as authorization WILL help.
Looking through the HttpStatusCode enum, I think Unauthorized is probably the closest to what you're looking for.
Take a look at the list there, and read the descriptions for each one.
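The answer above fixes the status codes (401 when the session no longer authenticates you, 403 only when re-authenticating will not help, 404 only when the resource really is absent), and the API Gateway answer earlier on this page makes the complementary point that the body sent to the client should not explain exactly why it was refused. The handler below is an added example, not code from either thread: it picks the code in that order, keeps the response body generic, and records the specific reason server-side. The session store, revocation list and ACL are constructed in-memory stand-ins.

```python
import logging
from dataclasses import dataclass, field
from typing import Optional

log = logging.getLogger("auth")

# Constructed stand-ins for the real session DB, revocation list and ACL.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}
REVOKED = {"tok-bob"}
RESOURCES = {"/reports/42": {"owners": {"alice"}}}


@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


def authorize(path: str, session_token: Optional[str]) -> Response:
    """Return 401, 403, 404 or 200 for a session-token request.

    401: no usable session (missing, unknown or revoked token); new
         credentials will help, so RFC 7235 requires a WWW-Authenticate header.
    404: the resource does not exist (checked only after authentication so an
         anonymous caller cannot probe which paths exist).
    403: authenticated, but this user is not permitted; re-auth will not help.
    The client body is generic in every refusal; the detail goes to the log.
    """
    user = SESSIONS.get(session_token) if session_token else None
    if user is None or session_token in REVOKED:
        if not session_token:
            reason = "no token"
        elif session_token in REVOKED:
            reason = "revoked token"
        else:
            reason = "unknown token"
        log.info("401 path=%s reason=%s", path, reason)
        return Response(401, {"message": "Authentication required"},
                        {"WWW-Authenticate": 'Bearer realm="api"'})
    acl = RESOURCES.get(path)
    if acl is None:
        log.info("404 path=%s user=%s", path, user)
        return Response(404, {"message": "Not found"})
    if user not in acl["owners"]:
        log.info("403 path=%s user=%s reason=not-owner", path, user)
        return Response(403, {"message": "Forbidden"})
    return Response(200, {"path": path, "owner": user})


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for tok in (None, "tok-stale", "tok-bob", "tok-carol", "tok-alice"):
        print(tok, authorize("/reports/42", tok).status)
```

Note that a revoked token and a never-issued token produce byte-identical responses; the only place they differ is the log line, which is where an incident responder, not the caller, needs the distinction.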