I recently posted a problem I was having with authentication, but didn't receive any replies so I thought of another way to ask the question without being redundant.
What I'm seeing in the applications documentation are three ways to pass the access token to authenticate and receive the information that I'm trying to get: HTTP Digest auth, HTTP Basic auth, and Bearer token auth. The distinctions between these is unclear to me, and my attempts at Bearer token auth (check out STEP 5) have not worked.
Can someone explain what these three are and hopefully point out what I'm doing wrong?
"HTTP Basic Auth" and "HTTP Digest" authenticate using username and secret. The HTTP Digest auth is more secure as it don't send username and secret as plain text.
"HTTP Bearer Auth" authenticate using access_token.
Your HTTP Bearer Auth code looks ok to me.
There is not much difference between HTTP Basic Authentication and HTTP Digest Authentication.
For basic Auth Before request with the oAuth system user name is appended with a colon and concatenated with the password. The result will than be encoded with the Base64 algorithm.
For example say username is demo and your access_token is 123 so in this case the resulting string after concatenation will be 'demo:123' and once we apply Base64 encode, it will become ZGVtbzoxMjM=
Now this encoded string is transmitted in the HTTP header and decoded by the oAuth provider.Again this is not a very strong encoding mechanism and can easily be decoded as this Auth system is not meant for very high secure system.
Again Digest also use HTTP protocol to send and recieve data but its much better than basic OAuth which send data in plaintext.Digest uses MD5 cryptographic hashing type of algorithm to encrypt your password/access_token and beside this it use nonce value to stop replay attack.
Hope this will give you some idea about the way they work.
Update
i just saw the code at Gimme bar
GET /api/v0/tags HTTP/1.1
Host: gimmebar.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us) AppleWebKit/533.6+ (KHTML, like Gecko) Version/4.0 Safari/528.16 Titanium/1.1.0
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Authorization: Digest username="funkatron", realm="GimmeBarAPI", nonce="7a3ab1f9cde605f27797cd04c4d1fcf6", uri="/api/v0/tags", response="3654f9b1b2ba9489e1f01ae792852987", opaque="94619f8a70068b2591c2eed622525b0e", algorithm="MD5", cnonce="6897ccbff3b08776ab61e69a814c05b4", nc=00000001, qop="auth"
Connection: keep-alive
and if you see while sending the request they are passing the hashing algorithm used along with nonce,username.So all they are creating them in there application and placing in the header section.All you need to find what header name we need to put.
The bearer token is generated server side when you authenticate against the server. Then for any subsequent request you supply the generated bearer token in the request header.
From a security perspective these tokens get generated using a private key, only the server authenticating the user knows this key
Look at jwt they have really good documentation on this specific topic
The gimmebar documentation is pretty clear on how to gain access
POST /api/v0/auth/reqtoken HTTP/1.1
Response Message
{"request_token":"390a9b193fc51be1a78d13bf69555212","expires":1309375411}
Related
I am trying to generate JWT from WSO2 token endpoint using password and client credentials approach but not finding difference in sub claim value. Its always pointing to user id only, shouldn't it have application id/client id in sub claim for JWT generated using client credential approach ?
ex:
Token obtained using password grant:
Request:
POST https://localhost:8243/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic
UnNOYWY5ams2MERCM2tXQ292ZGZEZnRTWklvYToxU1o0alg1bW5YV2lBT3BkYjRReFhmS09VN1lh
Host: localhost:8243
Content-Length: 53
grant_type=password&username=api3dev&password=api3dev
JWT in response
{"typ":"JWT","alg":"RS256","x5t":"NTdmZjM4ZDk3NjY0Yzc5MmZmODgwMTE3MWYwNDE5MWRlZDg4Nzc4ZA=="}
{"aud":"http://org.wso2.apimgt/gateway","sub":"api3dev#carbon.super","application":{"owner":"api2dev","tierQuotaType":"requestCount","tier":"Unlimited","name":"demoapp_oriKeymgr","id":68,"uuid":null},"scope":"default","iss":"https://localhost:9443/oauth2/token","tierInfo":{"Unlimited":{"tierQuotaType":"requestCount","stopOnQuotaReach":true,"spikeArrestLimit":0,"spikeArrestUnit":null}},"keytype":"PRODUCTION","subscribedAPIs":[{"subscriberTenantDomain":"carbon.super","name":"PizzaShackAPI","context":"/pizzashack/1.0.0","publisher":"admin","version":"1.0.0","subscriptionTier":"Unlimited"}],"consumerKey":"RsNaf9jk60DB3kWCovdfDftSZIoa","exp":1600502664,"iat":1600499064,"jti":"426d64a9-932b-4f0c-b396-202fd03dd960"}
Token obtained using client credential:
Request:
POST https://localhost:8243/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic UnNOYWY5ams2MERCM2tXQ292ZGZEZnRTWklvYToxU1o0alg1bW5YV2lBT3BkYjRReFhmS09VN1lh
Host: localhost:8243
Content-Length: 29
grant_type=client_credentials
JWT in response
{"typ":"JWT","alg":"RS256","x5t":"NTdmZjM4ZDk3NjY0Yzc5MmZmODgwMTE3MWYwNDE5MWRlZDg4Nzc4ZA=="}
{"aud":"http://org.wso2.apimgt/gateway","sub":"api2dev#carbon.super","application":{"owner":"api2dev","tierQuotaType":"requestCount","tier":"Unlimited","name":"demoapp_oriKeymgr","id":68,"uuid":null},"scope":"am_application_scope default","iss":"https://localhost:9443/oauth2/token","tierInfo":{"Unlimited":{"tierQuotaType":"requestCount","stopOnQuotaReach":true,"spikeArrestLimit":0,"spikeArrestUnit":null}},"keytype":"PRODUCTION","subscribedAPIs":[{"subscriberTenantDomain":"carbon.super","name":"PizzaShackAPI","context":"/pizzashack/1.0.0","publisher":"admin","version":"1.0.0","subscriptionTier":"Unlimited"}],"consumerKey":"RsNaf9jk60DB3kWCovdfDftSZIoa","exp":1600502788,"iat":1600499188,"jti":"8091497e-9978-4541-99b9-efca50b16868"}
In above example you can see sub claim is always having user id only.
In WSO2 API Manager when you generating an access_token with client_credentials, sub claim is populated with the owner of the application (service provider). I am not sure that in client credentials the sub claim should be populated with client_id of the Oauth2 application, thought client credentials is a machine-machine authz process without user credentials, so sub (subject) claim should be a user, in this case the owner. For me it is a correct value.
Having issue with http transformation simple post with bearer token.
So, we have a mapping that uses http transformation to SIMPLE POST JSON data into an api. The api uses bearer token authorization. So you send a user/pass and get a token back and then POST your json data with the token in the header.
But when we are trying to POST along with token, we are facing issues. Basically i am not sure how to post json data with token in the header info.
Anyone have any ideas ?
It worked with below approach for Barer token.
Flow:
SQ->exp->HTTP->exp->HTTP->TGT
HTTP connection:
Base URL : Provide the login URL for the API
Authentication : Basic
First HTTP transformation:
Give the login URL in Base URl. Pass a single row as an input for trigger of URL. This should give the generated token as an output (JSON/XML).
Pass the output to expression transf. Add a new output port and extract the token value only.
output port value : 'Bearer '||substr(ouput,2,30)
Methods - POST
Second HTTP transformation:
Add new input port and connect the above expression output as input.
Add new Header port as "Authorization".
Provide the API URL in the base url.
Methods - POST
Connect the output port to Flat file to check the received response.
Note: Do not give/select any connection details to this transformation.
Bearer token is another token-based authorization technique where if you pass user/pass to the token-generating API, it returns a token. You attach that token to API tool (postman, insomnia, or informatica) and POST your data to another API which will process the data.
Now, issue is, token can expire fast or slow. Fast expiring token need to be managed so that API call finishes before expiry. For us luckily its 24hrs.
First, get the token using HTTP trx by passing userid/pass.
Then, I pass the token as part of header column in HTTP transformation.
Methods I used - SIMPLE POST for both trx.
EDIT : Per request from an user, i am adding this edit.
The user and pass in the EXP transformation is hardcode values. And they were added to a json format that auth api can recognize.
The output of http_auth transformation is a token. If hardcode is a problem, you can read user and pass from a file from a secured location.
This token is used in the next json. This next json is created using the token as well as input data to the actual api. The api catches them, validates them against token and then write the data into api DB.
Try postman.. It will give you the code as well. It supports quite a few commonly used development languages
I am looking to create an API using the Django REST Framework which will authenticate using a separate authentication server by means of its introspection endpoint. The authorization flow should look something like the following.
The client provides either user credentials or a refresh token to the token endpoint on our authentication server.
If the provided credentials or refresh token are valid, the authentication server responds with an access token and a refresh token.
The client then sends the access token to the API when requesting a resource.
The API verifies the provided access token using the introspection endpoint on our authentication server.
The authentication server responds letting the API know if the access token is valid.
If the access token is valid, the API responds to the client with the requested resources.
Step 4 is the part I'm after, and the Django OAuth Toolkit looks like it provides an option for exactly this. In the section about setting up a separate resource server it states that it allows the application to verify access tokens by use of an introspection endpoint.
So I followed the setup for the Django OAuth Toolkit, and pointed the RESOURCE_SERVER_INTROSPECTION_URL toward the introspection endpoint on our authentication server. Then I acquired an access token from our authentication server and provided it to the API as an Authorization header, but I get the following response.
Content-Type: application/json
WWW-Authenticate: Bearer realm="api",error="invalid_token",error_description="The access token is invalid."
Vary: Accept
Allow: GET, HEAD, OPTIONS
Content-Length: 58
{
"detail": "Authentication credentials were not provided."
}
If I don't provide a token I get the same response body, but no WWW-Authenticate header. The strange part is that the introspection endpoint never receives a POST request, which it should be sending to verify the access token.
So did I misread the documentation, or am I doing something wrong? Why isn't this working as I expect?
I was trying to write an UWP App in c++ (Visual Studio) for OAuth in to Google Drive API.
I referred the notes from this project under Github -
https://github.com/googlesamples/oauth-apps-for-windows/blob/master/OAuthUniversalApp/README.md
I was able to get the Authorization code from Google. But when I used the Authorization code to request for Authorization token then it is throwing me an error 404.
My Authorization token request URI looks like this -
https://googleapis.com/oauth2/v4/token?code=XXXXXXX#&client_id=ZZZZZZ&client_secret=YYYYYY&redirect_uri=uwapp.testgoogleoauth:/oauth2redirect&grant_type=authorization_code
Going by the notes mentioned in the link, I created the client ID using iOS application type. But I didnt get the client secret key at that step. I had to explicitly generate the client secret key again for the iOS application type.
Is there any issue which you see in the request URI being sent for the Authorization token request? What should be the value of client_secret to be used if the type of client has been selected as iOS in google console?
Thanks,
/vikas
Is there any issue which you see in the request URI being sent for the Authorization token request?
In you request URI you are using https://googleapis.com/oauth2/v4/token. However to make the token request, the correct token endpoint should be:
https://www.googleapis.com/oauth2/v4/token
And this is the reason why you get 404 (Not Found) error.
What should be the value of client_secret to be used if the type of client has been selected as iOS in google console?
In Handling the response and exchanging the code, we can find that
client_secret The client secret you obtained from the API Console (not applicable for clients registered as Android, iOS or Chrome applications).
So for iOS clients, there is no need to use client_secret. And as UWP is similar to iOS, we can also ignore this field in UWP.
The complete authorization token request might look like the following:
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
code=XXXXXX&
client_id=ZZZZZZ&
redirect_uri=uwapp.testgoogleoauth:/oauth2redirect&
grant_type=authorization_code
I've been doing this Java backend for an iPhone app (Jersey REST mainly) and implemented some web services like sign up and log in. Obviously I've needed params like username and pin. Since this services change state in the DB I've made them as POST and I've used #FormParams Jersey annotation for the params. The guy who worked on client kept sending the username and pin in the headers and it took a little while to discover where's the problem.
is this the standard, to put authentication-like data in headers? How do you do it?
if you use the standard http authentication mechanisms like Basic Authentication
then the credentials are sent in the http header
Something like this
POST /private/index.html HTTP/1.1
Host: localhost
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
if you planning to expose this backend through an unsecure network, i would advise you to use https - as it encrpts your header
But if you are implementing your own authentication mechanism - then you can pass the credentials anywhere you like (header or body), that way- your backend would know where to look for the username and password.
check these links for reference
Basic authentication
http authentication