I have a usage tracking library(snowplow) which needs to send data to a kinesis stream collector. We are using KrakenD in the middle for api gateway.
Inorder to secure this, I need to pass access token. Snowplow at present does not allow custom headers at the present, which prevents me from sending this data. Is there an option in KrakenD which allows it to validate a token sent in the body rather than the header?
KrakenD JWT validation expects you to send the token data in the Bearer header or inside a cookie. You cannot validate a token sent in the body.
I don't understand what is the problem of Snowplow not accepting custom headers. The validation would occur on KrakenD side and KrakenD does not send any custom header to Snowplow unless you explicitly add them in the input_headers list. If you have more information, I'd be happy to assist.
Related
I'm working with the Snapchat API to try and log into an app using their OAuth flow. Once the user is logged in via Snapchat, I'm trying to reverse engineer (since they have no documentation on this) how to obtain some sort of unique ID for the user so I can associate them with a local user in my database. This is how I have previously done this with things like Facebook. The user logs in and gets an access token via the Facebook Api, and I can extract some kind of unique ID for the user via the Facebook API.
The Snapchat API only allows you to access the user's display name and some "externalId", which I cannot guarantee won't change. So I decoded the JWT token that Snapchat issued to me and it challenged my understanding of how JWT tokens work. When I decoded the token at http://jwt.io, I saw that the payload was empty, yet the token works when calling the https://kit.snapchat.com/v1/me endpoint. How is the snapchat server able to identify who I am? I've always had the understanding that the JWT must include a claim such as sub which identifies the user. The server can then use that information to know who I am.
In this case, my JWT payload is empty, but the aforementioned endpoint still returns my user data. What is happening here? How does the server know who I am when my JWT token has an empty payload? To me they must be storing a copy of my JWT token on the server, which seems like the incorrect way to use JWT tokens. Perhaps my understanding is terribly wrong. Any thoughts?
The payload of a JWS (signed token) can be detached and transmited to the audience by other means.
This feature is described in the Appendix F of the specification.
With the JWS compact serialization mode (the most common format), a token looks like THE_HEADER.THE_PAYLOAD.THE_SIGNATURE. With a detached payload it is identical except that THE_PAYLOAD is an empty string: THE_HEADER..THE_SIGNATURE.
The verification of the signature is the same as with an attached payload. The receiver should have received the payload and must recreate the full input i.e. THE_HEADER.THE_PAYLOAD.
Regarding the identification performed by snapshat, a reference to the detached payload may be set in a header parameter of the token (first part of the token) allowing Snapchat to fully verify the token.
Currently my app is accepting Cookies ("idsrv.session") to authenticate the user, however when i try to add the "bearer" token in the hearder of a request it just says unauthorized.
However if i change the configuration of the IdServer but adding ".AddJwtBearer" it accepts now a request with an header containing the "bearer" token but no longer accepts requests containing cookies.
Is it possible to implement both approaches, to accept cookies or in case no cookie is received, to check if the header contains a "bearer" token?
Thanks in advance! =)
I'm trying to use the Postman REST Client to test the Quizlet API. Postman has a feature to do OAuth 2.0 for you. However, the Quizlet API requires a state parameter:
A random string generated by you. You send us this, and we'll send it back to you, and you verify that we send back the same thing you sent. You must send and verify this value in order to prevent CSRF attacks.
The default Postman helper does not have the ability to send more in the POST (as far as I know). Is there a known way to send the extra payload, or get around this (whether in Postman or the Quizlet API?)
Thanks in advance!
Steps:
I need to protect my API for CSRF on post and put requests.
To do that, I think the mobile device (example iOS) need to send to the API server (node.js) a token. This token must be encrypted and contain a JSON data that will be decrypted server side.
To decrypt the data, the mobile device use the same secret key that the sever know.
For example : {_csrf: 123456789} will be decrypted from the token sent via the mobile device and checked by the API if it match.
Is it the right way ? If not what is the right way ?
How I can encrypt a Jon data on iOS and decrypt it on node.js ? (JWT Token does not have library for iOS)
Can you provide me a example code to encrypt data on iOS et decrypt on node.js ?
Just use https, it encrypts everything, even any query string.
The content is encrypted with a random symmetric key and that key is encrypted with a asymmetric key from the certificate. Additionally the symmetric key has a short lifetime. Additionally you do not have to implements and encryption routines.
Also note that iOS9 will by default require https to be used for all connections, any http connections will need to be white-listed in the plist.
If you do your own encryption you immediately have a problem sharing the encryption key between the device and the server. This is not an easy problem to solve.
When accessing the API from a browser page, to protect against CSRF, you can send a token in HTTP headers, for example, X-CSRF-Token, or, use a cookie.
For example, have your server send the CSRF token in an HTTP response using the X-CSRF-Token header. You can have your page send it back in the JSON on the POST or PUT. Or have your page read it from the cookie and put it into the JSON.
(HTTPS from the browser will not protect against CSRF, since any script on any other site running in the same browser can POST to your HTTPS server freely. Your page needs to have a token that no other page in the same browser has access to.)
I am simulating an app where json requests are sent at the back. Now i have to add oauth support. I don't know how to move forward. Is the oauth token sent with the same json request?
Yes and no.. an oauth token is sent in the HTTP headers. So, ti's not in the json payload, but it is sent in the same HTTP request.
HOwever, before sending it, you have to accomplish some steps dictated by the standard, to exchange the proper token(s) (access and/or request)
Look at this good tutorial http://hueniverse.com/oauth/guide/ to understand the process more in depth. It even has an interactive part where you can dynamically change the parameters and see the headers and messages you should generate and exchange.