Is there any REST API or Java API through which I can get a user's security schemes or security levels? I want to know to what security level or security scheme the user is added.
We have a Jenkins instance set up behind an NGinx HTTPS reverse proxy. User authentication is done via PKI user client certificates.
So I want to make RESTful API requests against Jenkins to do things like kick off builds etc. I have got this to work by using application tokens and can kick off builds with and without parameters by using Curl, specifying my client certificate and key. All good so far.
I was interested in using crumbs instead of application tokens as nothing needs to be set up beforehand (i.e. creating the application token). However all the examples I could find use basic auth style authentication in the URI and trying to use the PKI authentication as above results in Error 403 No valid crumb was included in the request. Also remember that being PKI based, users don't have passwords on the system as they are authenticated by their certificate.
Would I be right in assuming that the crumb approach can't be used with PKI authentication?
I have a command-line app that I want to authenticate against AWS Cognito using OAuth2 with access code flow and hosted login UI. For the similar case, Google Cloud docs explicitly recommend using http://localhost:N redirect URI, so that the application can handle the access code after authentication:
This authorization flow is similar to the one used for web server applications. The main difference is that installed apps must open the system browser and supply a local redirect URI to handle responses from Google's authorization server.
However, with Cognito localhost URIs are only allowed/recommended for testing purposes:
One alternative solution would be using an "out-of-browser" URI urn:ietf:wg:oauth:2.0:oob to display the access code in the browser and make the user copy-paste it to the app, but Cognito doesn't seem to support it.
Currently I am leaning towards running a custom OAuth2 callback handler that would only tell the user to copy-paste the access code, but I don't find it really friendly from the Cognito side.
So, the question:
What's the recommended way to authenticate desktop / command-line apps with Cognito with minimal user interference?
What can go wrong if I ignore the Cognito's recommendation about the localhost redirect URI?
LOOPBACK URI
In a desktop app you can use localhost HTTP URLs to receive the authorization response, and that is one valid technique.
The Cognito warning is about using localhost URLs for web app responses, which of course is only suitable for a developer PC.
You can ignore the warning when using loopback desktop apps.
OUT OF BROWSER URI
This was used a few years ago to read an authorization response from a web view and is no longer recommended in OAuth for Native Apps.
PRIVATE URI SCHEME
The second valid rechnique is the option I prefer, since it feels more integrated. It involves receiving the authorization response via a URL of the following form, and registering the scheme with the OS to point to your app:
com.mycompany.mydesktopapp:/callback
RESOURCES OF MINE
If it helps, I have a couple of desktop samples / blog posts that use Cognito. You can run the samples on your PC, to see which you prefer:
Loopback URI
Private URI Scheme
Currently the swagger UI is exposed without any security scheme.
Need to implement basic auth for the swagger UI. So that everytime its pops for username and password before displaying the UI.
I have implemented ApiKey authorization but not able to configure for BasicAuth .
Very new to spring
I do not want to accept payments from my app so I do not need the Commerce API but I am having trouble authenticating via an iOS app without being able to define custom url schemes in the "Redirect URL" field.
According to Square's API documentation, OAuth is the only authentication scheme available however it restricts the "Redirect URL" to http://localhost or https:// only.
Most OAuth implementations allow defining custom schemes yourapp://oauth-callback instead of just using https://oauth-callback to implement this sort of flow on mobile devices (at least on Apple devices).
It is not currently possible to complete the OAuth flow with a redirect URL that does not use the https:// scheme (except for http://localhost URLs).
I've submitted a feature request to the API engineering team.