I have a problem with Keycloak and OAuth2 identification.
I use the client_credentials grant type to request an access_token:
curl --location --request POST 'https://XXX/realms/YYY/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=CCC' \
--data-urlencode 'client_secret=6yqR3IEE...' \
--data-urlencode 'grant_type=client_credentials'
{
"access_token": "eyJhbGciOiJS.....",
"expires_in": 300,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0,
"scope": "profile good-service email groups"
}
Seems ok, and verification on jwt.io confirms it.
{
"exp": 1673290210,
"iat": 1673289910,
"jti": "b948569a-9597-4e1d-aab8-b95a24550965",
"iss": "https://XXX/realms/YYY",
"aud": "account",
"sub": "f8b0676d-9b28-4eb6-82a2-12e21b77c8e3",
"typ": "Bearer",
"azp": "CCC",
"acr": "1",
"allowed-origins": [
"*"
],
"realm_access": {
"roles": [
"default-roles-YYY",
"offline_access",
"uma_authorization"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "profile good-service email groups",
"email_verified": false,
"clientId": "caravan",
"clientHost": "XX.XX.XX.XX",
"preferred_username": "service-account-caravan",
"clientAddress": "XX.XX.XX.XX"
}
But when I try to verify access with this API:
curl --location --request POST 'https://XXX/realms/YYY/protocol/openid-connect/token/introspect' \
--header 'Authorization: Bearer eyJhbGciOiJS.....' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=eyJhbGciOiJS.....'
it returns error 401:
{
"error": "invalid_request",
"error_description": "Authentication failed."
}
How can my access token not work?? Am I misunderstanding something?
You missed two items in the body of the introspect API call.
You need to add the client_id and client_secret.
Demo, using Keycloak v20.0.2 with curl from the terminal,
and using jq to extract a child field's value or to pretty-print.
#1 set configuration in environment variables.
CLIENT_ID=my-client
CLIENT_SECRET=d2IrqYfIcbjQuCqnzM8AoqFz0s9DBaJ0
REALM_NAME=my-realm
PORT=8180
#2 Get client token
CLIENT_TOKEN=$(curl --location --request POST 'http://localhost:'$PORT'/realms/'$REALM_NAME'/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=openid' \
--data-urlencode 'client_id=my-client' \
--data-urlencode 'client_secret='$CLIENT_SECRET | jq -r '.access_token')
echo $CLIENT_TOKEN
Results
$ CLIENT_TOKEN=$(curl --location --request POST 'http://localhost:'$PORT'/realms/'$REALM_NAME'/protocol/openid-connect/token' \
> --header 'Content-Type: application/x-www-form-urlencoded' \
> --data-urlencode 'grant_type=client_credentials' \
> --data-urlencode 'scope=openid' \
> --data-urlencode 'client_id=my-client' \
> --data-urlencode 'client_secret='$CLIENT_SECRET | jq -r '.access_token')
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2588 100 2479 100 109 268k 12111 --:--:-- --:--:-- --:--:-- 280k
$ echo $CLIENT_TOKEN
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ3YW9QMDlKcXZMX2hCX1pleEh5M2hPVXFNZ2UzVnlGc3g4Tm9Na2N4RVM0In0......CSOlC4wmGRs95q71Gr-IjavtjUaq8mykSjcg6sXOLn_VQH2i_rlYb7eBOthyHSloZrrHbzLVWgOZ2Ah2jJmgqJ5CKXcfi4gSSbyOMll5dI5AGK8QMhVoHWIs_CD8KCfXR5ca8kfeZLdbabqusLl_D6Cqcg2tavPb8SLDEfVLnbija1ZaeBjI0jSuEIkf0sxCaYl-vrnHkvgExN3i5AgZzJ4uoOAAWuBPHjVdDX5pa_s6adi_PGKM2YQlVvWbirwSznWmAFnVhBRFW8ZuKum9BmUTcknT1K65DVMAthNp5zuBzkuMaCmWFuIzwpYtRzfIy66THFKdppDnXEyoo99_Jg
#3 Introspect that token
curl --location --request POST 'http://localhost:'$PORT'/realms/'$REALM_NAME'/protocol/openid-connect/token/introspect' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id='$CLIENT_ID \
--data-urlencode 'client_secret='$CLIENT_SECRET \
--data-urlencode 'token='$CLIENT_TOKEN | jq -r
Results
$ curl --location --request POST 'http://localhost:'$PORT'/realms/'$REALM_NAME'/protocol/openid-connect/token/introspect' \
> --header 'Content-Type: application/x-www-form-urlencoded' \
> --data-urlencode 'client_id='$CLIENT_ID \
> --data-urlencode 'client_secret='$CLIENT_SECRET \
> --data-urlencode 'token='$CLIENT_TOKEN | jq -r
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2094 100 715 100 1379 174k 336k --:--:-- --:--:-- --:--:-- 511k
{
"exp": 1673296269,
"iat": 1673295969,
"jti": "f634d751-7def-41f7-bdf4-29224c9621ad",
"iss": "http://localhost:8180/realms/my-realm",
"aud": "account",
"sub": "249d4b48-70db-4360-80e2-739bef53bd6e",
"typ": "Bearer",
"azp": "my-client",
"preferred_username": "service-account-my-client",
"email_verified": false,
"acr": "1",
"realm_access": {
"roles": [
"offline_access",
"uma_authorization",
"default-roles-my-realm"
]
},
"resource_access": {
"my-client": {
"roles": [
"uma_protection"
]
},
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "openid profile email",
"clientHost": "172.17.0.1",
"clientId": "my-client",
"clientAddress": "172.17.0.1",
"client_id": "my-client",
"username": "service-account-my-client",
"active": true
}
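As an added example (not code from the answer above and not Keycloak's own code), the script below does the same two steps with plain sh and curl and adds the check a caller should make before trusting a token. It decodes the JWT payload locally so exp, azp and aud can be read without jq, authenticates to the introspection endpoint with HTTP Basic (curl -u), which RFC 7662 allows as an alternative to client_id/client_secret form fields, and reduces the introspection response to the one fact that matters, "active": true. The base URL, realm name, client id and secret are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original answer or from Keycloak.
# Assumed placeholders (override in the environment): KC_BASE, REALM_NAME,
# CLIENT_ID, CLIENT_SECRET.
KC_BASE="${KC_BASE:-http://localhost:8180}"
REALM_NAME="${REALM_NAME:-my-realm}"
CLIENT_ID="${CLIENT_ID:-my-client}"
CLIENT_SECRET="${CLIENT_SECRET:-change-me}"

# base64url (RFC 4648 section 5, unpadded) -> bytes.
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Claims of a JWT.  This only decodes the middle segment; the signature is
# not checked, so the result tells you what the token says, not whether
# to trust it.  Trust comes from introspection (below) or from verifying
# the signature against the realm's JWKS.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# One scalar claim (number or string without spaces), e.g. exp, azp, iss.
jwt_claim() {
    jwt_payload "$1" | tr -d ' \n' |
        sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# Is exp still in the future?  $2 = clock-skew allowance in seconds.
jwt_not_expired() {
    exp=$(jwt_claim "$1" exp)
    now=$(date +%s)
    if [ -n "$exp" ] && [ "$exp" -gt $(( now - ${2:-0} )) ]; then
        return 0
    fi
    return 1
}

# Introspection is a protected endpoint (RFC 7662 section 2.1): the caller
# authenticates as an OAuth client.  The token under inspection goes in the
# body only; carrying it in an Authorization: Bearer header is not client
# authentication, which is why Keycloak answers 401 "Authentication failed."
# HTTP Basic (-u) is equivalent to client_id/client_secret form fields.
introspect_token() {
    curl -sS -u "$CLIENT_ID:$CLIENT_SECRET" \
        --data-urlencode "token=$1" \
        --data-urlencode 'token_type_hint=access_token' \
        "$KC_BASE/realms/$REALM_NAME/protocol/openid-connect/token/introspect"
}

# The only answer that means "the server vouches for this token" is
# "active": true.  Inactive, malformed and error responses all reject.
introspection_active() {
    if printf '%s' "$1" | tr -d ' \n' | grep -q '"active":true'; then
        return 0
    fi
    return 1
}

demo() {
    tok=$(curl -sS -u "$CLIENT_ID:$CLIENT_SECRET" -d grant_type=client_credentials \
        "$KC_BASE/realms/$REALM_NAME/protocol/openid-connect/token" |
        tr -d ' \n' | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
    echo "azp=$(jwt_claim "$tok" azp) exp=$(jwt_claim "$tok" exp)"
    if introspection_active "$(introspect_token "$tok")"; then
        echo "token is active"
    else
        echo "token rejected"
    fi
}
if [ "${1:-}" = demo ]; then demo; fi
```

Decoding is not verification: anyone can craft a payload with exp far in the future, so the local claims are for diagnostics only. Either the introspection answer or a signature check against the realm's certs endpoint (.../protocol/openid-connect/certs) is what a resource server should act on. Run the script with the single argument demo against a real realm to see both steps end to end.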
Is it possible to set an assignee and apply a transition (change status) in a single call to the Jira Cloud REST API? The example from the documentation here seems to imply that you can, but it does not work when I tested it.
Here are some examples (with curl):
setting an assignee works
curl --request PUT \
--url "https://mysite.atlassian.net/rest/api/2/issue/project-123" \
--user "johnsmith@example.com:abcdef1234567890abcdef00" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '{
"fields": {
"assignee": { "accountId": "987654321fedcba987654321" }
}
}'
applying a transition works too
curl --request POST \
--url "https://mysite.atlassian.net/rest/api/2/issue/project-123/transitions" \
--user "johnsmith@example.com:abcdef1234567890abcdef00" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '{
"transition": { "id": 1 }
}'
error saying that assignee cannot be set
curl --request POST \
--url "https://mysite.atlassian.net/rest/api/2/issue/project-123/transitions" \
--user "johnsmith@example.com:abcdef1234567890abcdef00" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '{
"fields": {
"assignee": {
"accountId": "987654321fedcba987654321"
}
},
"transition": {
"id": 1
}
}'
sets assignee, but doesn't apply transition
curl --request PUT \
--url "https://mysite.atlassian.net/rest/api/2/issue/project-123" \
--user "johnsmith@example.com:abcdef1234567890abcdef00" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '{
"fields": {
"assignee": {
"accountId": "987654321fedcba987654321"
}
},
"transition": {
"id": 1
}
}'
You cannot do that in one request because you're sending them to two different URLs.
On JIRA Server 8.7.1, I was able to successfully transition using the name property (instead of accountId).
curl --request POST \
--url "https://mysite.atlassian.net/rest/api/2/issue/project-123/transitions" \
--user "johnsmith@example.com:abcdef1234567890abcdef00" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '{
"fields": {
"assignee": {
"name": "will"
}
},
"transition": {
"id": 1
}
}'
Otherwise I got the following error:
{
"errorMessages": [],
"errors": {
"assignee": "expected Object containing a 'name' property"
}
}
I'm using a groovy file with Jenkins to send a curl PUT request. I need to hide the --data in the request, but every time I run the pipeline it shows the data. I've tried with --silent and --output /dev/null, but the data still shows in the Jenkins Console Output.
Curl Request
String data = """{
"name": "$secretName",
"Description": "$secretName",
"value": "$secretValue"
}"""
sh """
curl --request PUT \
--silent \
--output /dev/null \
--insecure \
--location \
--url $host \
--header 'accept: application/json' \
--header "Authorization: Basic $API_KEY" \
--header 'content-type: application/json' \
--data '${data}'
"""
}
}
What I see in Jenkins console is:
curl --request PUT --silent --output /dev/null --insecure --location --url hostname --header accept: application/json --header Authorization: Basic **** --header content-type: application/json --data {
"name": "MY_ACTUAL_VALUE",
"Description": "MY_ACTUAL_VALUE",
"value": "MY_ACTUAL_VALUE" }
How can I hide this part:
--data {
"name": "MY_ACTUAL_VALUE",
"Description": "MY_ACTUAL_VALUE",
"value": "MY_ACTUAL_VALUE" }
If you store $secretName as a credential, Jenkins will automatically hide it in the console output.
Best regards.
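An added illustration (not from the question or the answer above, and not Jenkins code) of why the body appears and of the shell half of the fix. The sh step runs its script with tracing on, so every command line is echoed with a + prefix, and because """...""" is a Groovy GString, $secretValue is substituted before the shell runs, so the secret is part of the script text itself and therefore part of the traced command. The fix is to keep the secret out of the command words: pass it in the environment (a withCredentials binding does this, and is what lets Jenkins mask it as the answer says), reference it from a single-quoted Groovy string so the shell expands $SECRET_VALUE at run time, and hand the body to curl on stdin (--data @-) from a here-document. Below, http_put stands in for curl so the script runs offline; SECRET_NAME and SECRET_VALUE are assumed to arrive in the environment.

```shell
#!/bin/sh
# Added example, not code from the original question or from Jenkins.
# http_put stands in for the curl call so this runs offline; SECRET_NAME and
# SECRET_VALUE are assumed to be in the environment (in a Jenkinsfile they
# would come from a withCredentials(...) binding).
http_put() {
    # Real version: curl --request PUT --silent ... --header "..." "$@"
    if [ "${1:-}" = --data ] && [ "${2:-}" = @- ]; then
        cat >/dev/null          # body arrives on stdin
    fi
    return 0
}

# What the question's pipeline does, minus Groovy: the secret is baked into
# the command line.  Jenkins runs sh steps with tracing (-x), so the shell
# prints "+ http_put --data {...secret...}" to the console, and the body is
# also visible to anyone who can run ps on the agent.
leaky_send() {
    body="{\"name\":\"$SECRET_NAME\",\"value\":\"$SECRET_VALUE\"}"
    http_put --data "$body"
}

# Hardened: the body reaches the command on stdin via a here-document.
# Tracing prints the command words ("+ http_put --data @-") but never the
# here-document contents, and stdin does not show up in ps.  Put `set +x`
# in front as well if you want no trace line at all for this step.
safe_send() {
    http_put --data @- <<EOF
{"name":"$SECRET_NAME","value":"$SECRET_VALUE"}
EOF
}

# Run a function the way Jenkins would (tracing on) and return only the
# trace, i.e. what would end up in the build console.
trace_of() {
    ( set -x; "$1" ) 2>&1 >/dev/null
}

# Does the console output of $1 contain the secret?
leaks_secret() {
    case "$(trace_of "$1")" in
        *"$SECRET_VALUE"*) return 0 ;;
    esac
    return 1
}

if [ "${1:-}" = demo ]; then
    SECRET_NAME=demo-key SECRET_VALUE=hunter2-do-not-print
    for f in leaky_send safe_send; do
        if leaks_secret "$f"; then echo "$f: secret in console"; else echo "$f: clean"; fi
    done
fi
```

In the Jenkinsfile the hardened step is written with a single-quoted Groovy string, sh '''curl ... --data @- <<EOF ... EOF''', inside a withCredentials block, so that $SECRET_VALUE reaches the shell unexpanded and Jenkins can mask it; --silent and --output only affect curl's own output, which was never the problem.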
I am trying to get current_user, but the user is not authenticated by the headers on the API request.
The headers include access-token, client and uid, but it doesn't authenticate and shows the following errors:
For reference please check this repo
Filter chain halted as :authenticate_user! rendered or redirected
Completed 401 Unauthorized in 398625ms (Views: 0.3ms | ActiveRecord: 2.6ms | Allocations: 1598457)
Response:
{
"errors": [
"You need to sign in or sign up before continuing."
]
}
Header Response on sign_in:
Request for profile, demo endpoint
curl --location --request GET 'http://localhost:3000/tweets' \
--header 'client: TeS-DWwybwxqh9l3ZMn__A' \
--header 'uid: sahsantoshh@gmail.com' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer e1tO5DawJq0iISdsgOk-fg'
The request was missing the access-token and expiry headers.
The actual request is:
curl --location --request GET 'http://localhost:3000/tweets' \
--header 'Content-Type: application/json' \
--header 'client: TeS-DWwybwxqh9l3ZMn__A' \
--header 'uid: sahsantoshh@gmail.com' \
--header 'expiry: 1616149988' \
--header 'access-token: sjdinlkiijklnlaosihda'
Trying to use the reminders.app to post reminders via curl.
Getting the following error:
{"ok":false,"error":"internal_error","warning":"missing_charset","response_metadata":{"warnings":["missing_charset"]}}
curl -X POST -H 'Authorization: Bearer secretsxxxxxxxxxxxxx' -H 'Content-type: application/json' --data \
'{
"ok": true,
"reminder": {
"text": "eat a banana",
"recurring": false,
"time": 1602288000
}
}' https://slack.com/api/reminders.add
You need to change the following line https://slack.com/api/reminders.add to https://slack.com/api/reminders.add?. Include the question mark at the end.
So your code should be:
curl -X POST -H 'Authorization: Bearer secretsxxxxxxxxxxxxx' \
-H "Content-type: application/json" \
--data '{"text": "I hope you eat your banana","time":1581447960}' \
https://slack.com/api/reminders.add
Below is the token request.
curl -X POST \
https://172.17.0.1:9443/oauth2/token \
-H 'Authorization: Basic dXF0c0hnVUp2dnU5X1BDdVEyTjI5dDRqRjA0YTozb1IzYllmN2gxOVBMYmZiTElnR25xNllkQjBh' \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Postman-Token: f7ffb7f5-c78d-4931-81e1-a3266da68578' \
-d grant_type=client_credentials
I'm not getting the refresh token in the response:
{
"access_token": "867ab2c1-5afa-39f3-a897-5ff4b8a3232b",
"scope": "am_application_scope default",
"token_type": "Bearer",
"expires_in": 305
}
Wso2am version 2.1.0
In the client credentials grant type, the refresh token is not included. It's mentioned in the spec [1] as follows:
A refresh token SHOULD NOT be included.
If you need a refresh token, you should use a different grant type.
[1] https://www.rfc-editor.org/rfc/rfc6749#section-4.4.3
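As an added example (not from the answer above and not WSO2 code), this is what a client-credentials client normally does instead of refreshing: cache the access token together with the time it expires and re-run the token request when that time is near. fetch_token_response is the same request as in the question, with curl -u building the Basic header; the token URL, client credentials and cache path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original answer or from WSO2.
# Assumed placeholders: TOKEN_URL, CLIENT_ID, CLIENT_SECRET, TOKEN_CACHE.
TOKEN_URL="${TOKEN_URL:-https://172.17.0.1:9443/oauth2/token}"
CLIENT_ID="${CLIENT_ID:-change-me}"
CLIENT_SECRET="${CLIENT_SECRET:-change-me}"
TOKEN_CACHE="${TOKEN_CACHE:-${TMPDIR:-/tmp}/cc-token.$$}"
SKEW=30   # renew this many seconds before expires_in runs out

# Authenticate to the token endpoint and get a fresh token.  -u sends the
# same Authorization: Basic <client_id:secret> header the question builds
# by hand.
fetch_token_response() {
    curl -sS -u "$CLIENT_ID:$CLIENT_SECRET" \
        -d grant_type=client_credentials "$TOKEN_URL"
}

# One scalar field (no spaces) out of a flat JSON object such as the token
# response.
json_field() {
    printf '%s' "$1" | tr -d ' \n' |
        sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# Print a usable access token.  A client-credentials client has no
# refresh_token and does not need one: "refreshing" is just authenticating
# again with the client credentials, which is done only when the cached
# token is within SKEW seconds of its expiry.
get_access_token() {
    now=$(date +%s)
    cached_exp=0 cached_tok=
    if [ -r "$TOKEN_CACHE" ]; then
        read -r cached_exp cached_tok < "$TOKEN_CACHE" || cached_exp=0
    fi
    if [ "$cached_exp" -gt $(( now + SKEW )) ]; then
        printf '%s\n' "$cached_tok"
        return 0
    fi
    resp=$(fetch_token_response) || return 1
    tok=$(json_field "$resp" access_token)
    ttl=$(json_field "$resp" expires_in)
    if [ -z "$tok" ] || [ -z "$ttl" ]; then
        return 1
    fi
    # The cache holds a bearer token: create it readable by this user only.
    ( umask 077; printf '%s %s\n' "$(( now + ttl ))" "$tok" > "$TOKEN_CACHE" )
    printf '%s\n' "$tok"
}

if [ "${1:-}" = demo ]; then
    get_access_token
fi
```

Treat the cache file like the client secret: whoever can read it can use the token until expires_in runs out, which is also why the expiry is stored next to it rather than trusting the file's age.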