I'm trying doing request in Anypoint Studio for this url https://{myhost}/rest/api/3/issue/{issueIdOrKey}.
I'm using only basic auth via Postman and this call doesn't work in Anypoint Studio.
I have this error:
HTTP GET on resource 'https://{myhost}:443/rest/api/3/issue/{issueIdOrKey}' failed: unauthorized (401)
When I use this url only using POSTMAN is working. But in Anypoint studio doesn't.
Could you help me?
Without more details of the configurations I'll assume that the HTTP Request is missing the Basic Authentication configuration, or that the request didn't replace the URI parameters in the URL correctly.
You can configure Basic Authentication in the HTTP Request configuration. Example:
<http:request-config name="HTTP_Request_configuration" >
<http:request-connection protocol="HTTPS" host="myhost" port="443" >
<http:authentication >
<http:basic-authentication username="myuser" password="mypassword" />
</http:authentication>
</http:request-connection>
</http:request-config>
If the URI parameter is not correctly replaced JIRA may consider that you don't have access. Be sure to configure it correctly. Example:
<http:request method="GET" config-ref="HTTP_Request_configuration" path="/rest/api/3/issue/{issueIdOrKey}">
<http:uri-params ><![CDATA[#[output application/java
---
{
"issueIdOrKey" : "1234"
}]]]></http:uri-params>
</http:request>
Related
We have the current situation:
In Azure API manager we build some APIs based on a Swagger definition.
The provider of the APIs provided us with a client id and secret.
Some of these API calls need to be authenticated with a bearer token which is generated on the provider's API infrastructure with a /token endpoint mentioned above and we want to integrate the authentication flow for these API calls in APIM (since the frontend will be authenticated in another way (CORS probably))
We tried various approaches using all kinds of variations in "OAuth2.0" service configurations in the APIM setting and apply them to the API definitions by We kept getting Unauthorized 401.
As starting point we used https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad, but most of the the explanations we found concerned using AD, which we don't need as far as we understand.
We tried to implement the following OAuth 2.0 Postman Authorization configuration into APIM (which actually works in Postman).
Is there a simple and straight forward way to tell APIM to do a call to the token URL with a given ClientId and secret and add the authorization header with a bearer token to the backend API?
Thanks to Gary for pointing me in the right direction. I'm quiet new to the topic, so my approach might be far from perfect but it works.
I ended up in modifying the inbound policies of the API call and added the following (replace xxxx's with the appropriate settings)
<policies>
<inbound>
//....
<send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
<set-url>https://xxxxxxxxxx.azurewebsites.net/connect/token</set-url>
<set-method>POST</set-method>
<set-header name="Content-Type" exists-action="override">
<value>application/x-www-form-urlencoded</value>
</set-header>
<set-header name="Accept" exists-action="override">
<value>*.*</value>
</set-header>
<set-body>
#("grant_type=client_credentials&scope=xxxxxx&client_id=xxxxxxxx&client_secret=xx")
</set-body>
</send-request>
<set-variable name="bearerToken" value="#(((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["access_token"].ToString())" />
<set-header name="Authorization" exists-action="override">
<value>#("Bearer " + (string)context.Variables["bearerToken"])</value>
</set-header>
<set-header name="Content-Type" exists-action="override">
<value>application/json</value>
</set-header>
<set-header name="Accept" exists-action="override">
<value>*/*</value>
</set-header>
</inbound>
Short explanantion
A new request is initaited which response will be stored in the variable (token state)
The method is defined as POST
Headers for the request are set (Centent-Type & Accept)
The body of the request is defined
Since the response of the token request (stored in tokenstate) is JSON formatted, the response of the request is cast to a JObject and the "access_token" is stored in the "bearerToken" variable (alternatively you could do without assigning the variable and put this line immediately in the next step.
Set the "Autorization" header with the value "Bearer " + [bearerToken]
the additional steps (Set header Content-Type & Accept) I needed to be able to debug, but in normal cases they will be added by the requesting client of the API.
Yes - you can do this and here is a Curity resource that follows a similar process:
Make an OAuth request to get a JWT based on an incoming credential
Forward it to the downstream API
Cache the result for subsequent requests with the same incoming credential
Your case is a little different but uses the same building blocks. You just need to adapt the OAuth message to use the Client Credentials flow.
I have an oAuth Provider which uses Authentication URL. In some cases, my Authentication URL returns "non-200" with meaning messages e.g. incorrect username, incorrect password, user locked etc.
I wonder how to pass the meaningful message from Authentication URL to the client who is requesting the token via API (oauth2/token)??
I have tried many ways, the API Connect always results 401 - invalid grant only.
Here is my oAuth Provider Code
x-ibm-configuration:
testable: true
enforced: true
phase: realized
oauth2:
client-type: confidential
scopes:
weather: Weather Information
openid: Enable OIDC
grants:
- password
identity-extraction:
type: basic
authentication:
x-ibm-authentication-url:
url: 'https://8hxovobj7g.execute-api.eu-west-2.amazonaws.com/Prod/auth'
authorization:
type: authenticated
access-token:
ttl: 1500
refresh-token:
count: 2048
ttl: 2682000
gateway: datapower-gateway
assembly:
execute:
...
...
when authen fail due to incorrect username, the authentication URL return
401 Unauthorized
{
"error": "incorrect username"
}
However, when I use postman to post a request to API Connect Gatwatway to the oAuth Provider (path: /oauth2/token)
if correct username password (authen URL user registry return 200-OK, I will get
{
"token_type": "bearer",
"access_token": "AAIkNTU4M2RlMzktODY1NS00ZDQ1LTgyMjctODEyMDM4MDUzMTE2m7lBYXfx73OVPONAHoLT5VNdtSVD40Hu-M3nAQPu6wdviOxcIfbsOXBwt-Iy8EAgLzuATlZB7RBME_U5Ymd5fDkRTwy05G9zGmV7mIkawaELtiOj4xdzQr7Vn-indlv-y1NFEjvRv2VrK0d3TOqZnTEj5heDdY7Q0X9BFeydV4MtS-gCpnj-9l6TU3XqyeiK5hGnBZkZRAWOIskLm4KCyf8n_mnsi42vN9GLxlxoO9EmuHAwXOxr_aocKaaVlLKK5vDMHBRws2Vguqk3eVuoh9EnkRZvjbTurmW57bCgX3nMTd6MwcEYFkAGh-cOcEDyydZR6BI_pLuwaUM9RN8Vnb7EATQjzW2d_eHKQyjShcyM0TqxzhYq3q90fLfJLo08WxDgTFaKpGHA6qoZmUpYRLeyyImhOPtyd9p1l9z87g52duHbL1cyVGErHktTVpeXsmIRtn-QTTvI4jWmjxPZnSYj_rEeR9S8QAxYpHSEPmJQQmsjISf2SIRLABwuhG9dKyrrzs3UTotVyIotxmJjc9lfEsEtDTz9Ej--yQFw97ESHCVEvOkifeyIJ9F5MyPFh7fMEoGGwyDmWEfZSYRpkLg4_ib3dbjkGAuthiwjdA0",
"metadata":
...
}
if incorrect username/ password (authen URL user registry return 401-Unauthorized with response-body (error message), I will get
401-Unauthorized
{
"error": "invalid_grant"
}
The Authentication URL is custom made. I have tried to make different returns in authentication URL (different http response code/ body/ headers) which all cannot affect the end-user's oauth's oauth/token result which always return the msg "invalid grant". what I really want to pass the authentication URL result message to the end-users to let the users know what is wrong such as incorrect username
Thanks for your kindly help
Unfortunately, it seems that in APIC v5 it is not possible to adjust OAuth error based on the response from Authentication URL call.
You can check DataPower XSLT code which handles this case (local:/isp/aaa-ldap-lib.xsl) to see more details. For any non-200 response code returned by an authentication URL, the same hardcoded error is produced. Only a response code is checked and all response information is discarded after that check - including a response code.
In the case of non-200 response code returned by authentication URL following XSLT code is executed:
<xsl:call-template name="error">
<xsl:with-param name="code" select="'401'"/>
<xsl:with-param name="reason" select="'Unauthorized'"/>
<xsl:with-param name="challenge" select="'Basic'" />
</xsl:call-template>
That means it is not possible to distinguish between errors caused by different authentication URL responses in OAuth API assembly catch. You can catch UnauthorizedError in the created assembly in OAuth API but you would have no additional information based on which you could create custom error response.
However, if you are using on-premise APIC v5 and you have access to the DataPower Gateway you could:
change mentioned xsl file to propagate status code/reason from authentication URL (possibly using gateway extensions)
info necessary, add a custom assembly to your OAuth API where you would catch UnauthorizedError and add GatewayScript code to adjust behavior
GatewayScript code to adjust behavior in case of UnauthorizedError caught would be something like:
let p = session.name('policy');
let e = p.getVariable('fw/exception');
let statusCode = e.httpCode;
let statusReason = e.httpReasonPhrase;
...
When attempting to perform an HTTP post via Swagger (using the Swagger Type Provider) I get a 401 Unauthorized.
I suspect the answer to this might be UseDefaultCredentials which isn't exposed when inheriting from the SwaggerProvider.Internal.ProvidedSwaggerBaseType. So I was thinking that an upcast :> might help but posts I've seen elsewhere indicate naïveté.
Also, updating the config for fsi.exe to include the following proved wishful:
<system.net>
<defaultProxy enabled="true" useDefaultCredentials="true">
<proxy usesystemdefault="True" />
</defaultProxy>
</system.net>
Might anyone have a simple answer?
Thanks
Schema access
SwaggerProvider assumes that Swagger schema is easy-accessible and can be downloaded using simple Http request without authentication
type PetStore = SwaggerProvider<"http://petstore.swagger.io/v2/swagger.json">
user also can add any HTTP header to schema-request like this
type PetStore = SwaggerProvider<"http://petstore.swagger.io/v2/swagger.json", "Content-Type=application/json">
It can be Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l header, but this literal string will be hard-coded in source code.
If schema-request requires more complex authentication, will be easier to download it and put it near source code
[<Literal>]
let schemaPath = __SOURCE_DIRECTORY__ + "/PetStore.Swagger.json"
type PetStore = SwaggerProvider<schemaPath>
Requests control
When schema are in place you have a full control over all HTTP request to the server using CustomizeHttpRequest parameter in provided type.
For example, if you want to use default credentials:
let store =
PetStore(
CustomizeHttpRequest=
fun (req:System.Net.HttpWebRequest) ->
req.UseDefaultCredentials <- true
req)
You are free to modify web request as you need:
Use default credentials
Specify runtime Credentials
Add headers to HTTP request
Add cookies to HTTP request
Break request ;) and etc.
CustomizeHttpRequest will be called in the run-time for each request, after SwaggerProvider built it and before call to the server. So you can change anything you want.
I am experimenting with OAuth2 on HTTP request connector. It is throwing the below exception always:
SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'oauth2:authorization-code-grant-type'. One of '{"http://www.mulesoft.org/schema/mule/core":annotations, "http://www.mulesoft.org/schema/mule/http":abstract-http-request-authentication-provider, "http://www.mulesoft.org/schema/mule/tcp":client-socket-properties, "http://www.mulesoft.org/schema/mule/tls":context, "http://www.mulesoft.org/schema/mule/http":raml-api-configuration, "http://www.mulesoft.org/schema/mule/http":proxy, "http://www.mulesoft.org/schema/mule/http":ntlm-proxy}' is expected
Here is my configuration:
<http:request-config name="SF_Authorize_Configuration" protocol="HTTPS" host="${login.host}" basePath="${oauth2.url}" port="80" doc:name="Authorize Configuration" >
<oauth2:authorization-code-grant-type clientId="my_client_id" clientSecret="my_client_secret" redirectionUrl="http://localhost:8081/oauth2callback">
<oauth2:authorization-request authorizationUrl="https://my.api.com/services/oauth2/authorize" localAuthorizationUrl="http://localhost:8082/authorization" scopes="access_user_details, read_user_files">
</oauth2:authorization-request>
<oauth2:token-request tokenUrl="https://my.api.com/services/oauth2/token"/>
</oauth2:authorization-code-grant-type>
</http:request-config>
This means that you have not provided the xml namespace for the xml tag.
If you have not used the UI to create this then please create using the design and then you can copy and paste your specific tag later by replacing it.
Edited answer,
It was similar for me for API kit. I re installed the Studio(Unzipped it again). This might work .
I have encountered the same issue. It was resolved by adding oauth2 namespace at the start mule tag, e.g.:
<mule xmlns:http="http://www.mulesoft.org/schema/mule/http"
...
xmlns:oauth2="http://www.mulesoft.org/schema/mule/oauth2"
http://www.mulesoft.org/schema/mule/oauth2
...
>
I am connecting to SFDC with mule connector by oauth, trying to authorize but getting following error message.
<flow name="sfdcFlow1" doc:name="sfdcFlow1">
<http:inbound-endpoint exchange-pattern="request-response" host="${hostname}" port="${port}" path="sfdc" doc:name="HTTP"/>
<sfdc:authorize config-ref="Salesforce__OAuth_v2_0" display="POPUP"
accessTokenUrl="https://na1.salesforce.com/services/oauth2/token"
authorizationUrl="https://na1.salesforce.com/services/oauth2/authorize"
doc:name="Salesforce"/>
</flow>
getting following error message in the browser:
error:redirect_uri_mismatch&error_description=redirect_uri must match configuration
what is redirect or callback url? Do I need to have another flow and http requests?
I made this but didnot work:
<http:inbound-endpoint exchange-pattern="request-response" host="${hostname}" port="${port}" path="callback" doc:name="HTTP"/>
<logger message="===callback====" level="INFO" doc:name="Logger"/>
</flow>
Edit:
I have an url from sfdc as: https://cs17.salesforce.com/. IS this is the url to be used for redirect?
Mules ref docs says to use
oauthcallback as path. I am using Anypoint studio with sfdc connector 6.0.1. Even after using same error message I receive it.
<sfdc:oauth-callback-config domain="localhost" localPort="8081" path="oauthcallback"/>
Mulesoft ref docs
Reference -1
Callback URL is where Salesforce will redirect after successful authentication. I have not used it with Salesforce but I have done this with other cloud connector and you can refer some of my slide share for details. Please try with those links and let me know if u still have any issue.
http://www.slideshare.net/rupeshkrsinha/integration-with-dropbox-using-mule-esb
http://www.slideshare.net/rupeshkrsinha/integrating-with-linkedin-using-mule-esb-linkedin-connector