I'm going through the Ory/Hydra 5min tutorial. I am able to create a public Client that will have to login using the authorization_code flow with PKCE like this:
hydra clients create \
--endpoint http://127.0.0.1:4445 \
--id public-client \
--grant-types authorization_code,refresh_token \
--response-types code \
--scope offline \
--token-endpoint-auth-method none \
--callbacks http://127.0.0.1:5555/callback
I also configured Hydra to require public clients to use PKCE by setting env variable
OAUTH2_PKCE_ENFORCED_FOR_PUBLIC_CLIENTS=true
When I follow the tutorial and create the user application like this...
hydra token user \
--client-id public-client \
--endpoint http://127.0.0.1:4444/ \
--port 5555 \
--scope offline
...the application fails to use the PKCE flow:
invalid_request
This client must include a code_challenge when performing the authorize code flow, but it is missing.
I've looked through the CLI docs for creating the sample application for the right configuration without success. How do I start the example client application setup to use PKCE?
In short, using the hydra token user command will not work because it does not support testing with PKCE yet.
To initiate an authorization flow with PKCE, your request should look like this (just an example, not Hydra's docs):
GET /authorize?
response_type=code
& client_id=<client_id>
& state=<state>
& scope=<scope>
& redirect_uri=<callback uri>
& resource=<API identifier>
& code_challenge=<PKCE code_challenge>
& code_challenge_method=S256
So the command above is missing the last 2 arguments, code_challenge and code_challenge_method, when it initiates the authorization flow. If you want to use the PKCE flow, you need to implement it yourself.
Check out this link, it might help you out of it:
https://docs.cotter.app/sdk-reference/api-for-other-mobile-apps/api-for-mobile-apps
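The missing pieces are the code_verifier/code_challenge pair and the code_verifier sent back at the token endpoint. The following is an added example (not Hydra's code and not from the original post) showing both halves in Python: the client-side generation from RFC 7636 and the check the authorization server performs when it receives the code_verifier. It assumes Hydra's public endpoint from the question (http://127.0.0.1:4444) with the paths /oauth2/auth and /oauth2/token, and the client and callback from the hydra clients create command; only the S256 method is implemented, since that is the one the question's error message is about.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed endpoint paths on the Hydra public port used in the question.
AUTH_ENDPOINT = "http://127.0.0.1:4444/oauth2/auth"
TOKEN_ENDPOINT = "http://127.0.0.1:4444/oauth2/token"
CLIENT_ID = "public-client"
REDIRECT_URI = "http://127.0.0.1:5555/callback"


def _b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 unreserved characters.
    32 random bytes encoded base64url give exactly 43 characters."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, scope: str = "offline") -> str:
    """Step 1: the authorization request. Only the challenge leaves the client;
    the verifier stays in memory until step 2."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def build_token_request(code: str, verifier: str):
    """Step 2: the form body a public client POSTs to the token endpoint.
    There is no client secret (token-endpoint-auth-method none); the verifier
    is what proves this is the same client that started the flow."""
    form = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, urlencode(form)


def server_verify(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge from the presented verifier and compare it to the one stored with
    the authorization code. Constant-time compare, S256 only."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print("open in browser:", build_authorize_url(verifier, state))
    # after the callback delivers ?code=...&state=..., check state, then:
    print(build_token_request("<code from callback>", verifier))
```

The state value is generated with the same secret source and must be compared on the callback before the code is exchanged; PKCE binds the code to the client, state binds the callback to the session that started it, and the two are not interchangeable.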
As part of an automated tests suite I have to use OpenShift's REST APIs to send commands and get OpenShift's status. To authenticate these API calls I need to embed an authorization token in every call.
Currently, I get this token by executing the following commands with ssh on the machine where OpenShift is installed:
oc login --username=<uname> --password=<password>
oc whoami --show-token
I would like to stop using the oc tool completely and get this token using HTTP calls to the APIs but am not really able to find a document that explains how to use it. If I use the option --loglevel=10 when calling oc commands I can see the HTTP calls made by oc when logging in but it is quite difficult for me to reverse-engineer the process from these logs.
Theoretically this is not something specific to OpenShift but rather to the OAuth protocol, I have found some documentation like the one posted here but I still find it difficult to implement without specific examples.
If that helps, I am developing this tool using ruby (not rails).
P.S. I know that normally for this type of job one should use Service Account Tokens, but since this is a testing environment the OpenShift installation gets removed and reinstalled fairly often. This would force me to re-create the service account every time with the oc command line tool and again prevent me from automating the process.
I have found the answer in this GitHub issue.
Surprisingly, one curl command is enough to get the token:
curl -u joe:password -kv -H "X-CSRF-Token: xxx" 'https://master.cluster.local:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token'
The response is going to be an HTTP 302 trying to redirect to another URL. The redirection URL will contain the token, for example:
Location: https://master.cluster.local:8443/oauth/token/display#access_token=VO4dAgNGLnX5MGYu_wXau8au2Rw0QAqnwq8AtrLkMfU&expires_in=86400&token_type=bearer
You can use token or combination user/password.
To use username:password in a header, you can use Authorization: Basic. The oc client commands are doing simple authentication with your user and password in the header. Like this:
curl -H "Authorization: Basic <SOMEHASH>"
where the hash is exactly base64 encoded username:password. (try it with echo -n "username:password" | base64).
To use token, you can obtain the token here with curl:
curl -H "Authorization: Basic $(echo -n username:password | base64)" https://openshift.example.com:8443/oauth/authorize\?response_type\=token\&client_id\=openshift-challenging-client
But the token is returned in an ugly format. You can try to grep it:
... | grep -oP "access_token=\K[^&]*"
You need to use the correct url for your oauth server. In my case, I use openshift 4.7 and this is the url:
https://oauth-openshift.apps.<clustername><domain>/oauth/authorize\?response_type\=token\&client_id\=openshift-challenging-client
oc get route oauth-openshift -n openshift-authentication -o json | jq .spec.host
In case you are using OpenShift CRC:
Then the URL is: https://oauth-openshift.apps-crc.testing/oauth/authorize
Command to get the Token:
curl -v --insecure --user developer:developer --header "X-CSRF-Token: xxx" --url "https://oauth-openshift.apps-crc.testing/oauth/authorize?response_type=token&client_id=openshift-challenging-client" 2>&1 | grep -oP "access_token=\K[^&]*"
Note:
2>&1 is required, because curl writes to standard error
--insecure: because I have not set up TLS certificate
Adjust the user and password developer as needed (crc developer/developer is standard user in crc, therefore good for testing.)
Token is per default 24h valid
Export the Token to an environment Variable
export TOKEN=$(curl -v --insecure --user developer:developer --header "X-CSRF-Token: xxx" --url "https://oauth-openshift.apps-crc.testing/oauth/authorize?response_type=token&client_id=openshift-challenging-client" 2>&1 | grep -oP "access_token=\K[^&]*")
And Use the token then in, e.g., oc login:
oc login --token=$TOKEN --server=https://api.crc.testing:6443
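The curl commands above all do the same thing: send Basic credentials plus a non-empty X-CSRF-Token header to /oauth/authorize with response_type=token, then read the access token out of the 302's Location header, where it sits in the URL fragment. The following is an added example (not part of the original answers, and in Python rather than the asker's Ruby) that does this without grep: a redirect handler that stops at the 302, and a parser for the fragment. It is exercised below against the Location header quoted in the first answer; the host, user and password are placeholders.

```python
import base64
import ssl
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlparse

CLIENT_ID = "openshift-challenging-client"  # the OAuth client the oc login flow uses


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow the 302: the token is in its Location header, and following
    it would only fetch the /oauth/token/display page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError(302) for us to catch


def basic_auth_header(user: str, password: str) -> str:
    """RFC 7617 Basic credentials: base64 of 'user:password' (an encoding, not a hash)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_token_from_location(location: str) -> dict:
    """The implicit grant puts the token in the URL fragment (after '#'),
    so parse .fragment, not .query."""
    fields = parse_qs(urlparse(location).fragment)
    if "access_token" not in fields:
        raise ValueError("Location header carries no access_token: " + location)
    return {
        "access_token": fields["access_token"][0],
        "token_type": fields.get("token_type", ["bearer"])[0],
        "expires_in": int(fields.get("expires_in", ["0"])[0]),
    }


def request_token(oauth_base: str, user: str, password: str, insecure: bool = False) -> dict:
    """Replays the curl command: Basic auth + X-CSRF-Token, stop at the 302.
    oauth_base is e.g. https://oauth-openshift.apps-crc.testing (placeholder)."""
    url = f"{oauth_base}/oauth/authorize?client_id={CLIENT_ID}&response_type=token"
    req = urllib.request.Request(url, headers={
        "Authorization": basic_auth_header(user, password),
        # any non-empty value: the OAuth server refuses to issue a basic-auth
        # challenge to a client that does not send this header
        "X-CSRF-Token": "1",
    })
    ctx = ssl.create_default_context()
    if insecure:  # equivalent of curl -k / --insecure; throwaway lab clusters only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        resp = opener.open(req, timeout=10)
    except urllib.error.HTTPError as err:
        if err.code != 302:
            raise  # a 401 here means the credentials (or the CSRF header) were rejected
        return parse_token_from_location(err.headers["Location"])
    raise RuntimeError(f"expected a 302 redirect, got HTTP {resp.status}")


if __name__ == "__main__":
    # placeholders; pass insecure=True only for a cluster whose CA you cannot install
    tok = request_token("https://oauth-openshift.apps-crc.testing", "developer", "developer")
    print(tok["access_token"], "valid for", tok["expires_in"], "seconds")
```

The token returned this way is the same 24-hour user token oc whoami --show-token prints, so it carries the full rights of that user; keep it out of logs (the -v in the curl examples prints the Authorization header and the Location line to stderr).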
For learning purposes, I'm trying to use the Machine learning (ml) API.
https://cloud.google.com/ml-engine/reference/rest/v1/projects.models/list
I'm not able to identify if this request can be done with an API KEY instead of OAUTH.
I'm using npm package googleapis with this;
ml.projects.models.list({
key: GCLOUD_API,
parent: "projects/"+GCLOUD_PROJECT
});
But always receives this error:
Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential
I've tried replacing key with auth or token. Nothing works.
How can I know if it is possible or not to use an API key?
I tried also with curl
'https://ml.googleapis.com/v1/projects/myproject-123456/models?token=my_super_sekret_key'
Today I had the same doubt.
Here are GCP Services that support API Keys:
https://cloud.google.com/docs/authentication/api-keys and ML API is not included.
You should obtain the access token using OAuth2, so URL POST request will be:
https://ml.googleapis.com/v1/projects/your_project/models?access_token=your_access_token
Works great for me. Same to do predictions.
You can get the auth token using gcloud:
access_token=$(gcloud auth application-default print-access-token)
and then embed it into the header:
curl --silent \
-H "Authorization: Bearer $access_token" \
-H "Content-Type: application/json" \
-X POST \
-d "$request" \
https://ml.googleapis.com/v1/projects/myproject-123456/models
I have an installation of IBM Connections 4.5 and the SBTPlayground on my Domino Server. Anyway, I want to use it with the Playground on premise. But I can't find the right information for the custom environment. It wants OAuth2 - Consumer Key, OAuth2 - Consumer Secret and so on. I have found a lot of documentation about all of this, one of them with the WebSecurityStore, but for this I also need the actual URLs, which I have not found.
My first step is to bring a OAuth2 configuration with Greenhouse Connections.
The second step with Connections on premise.
So with these documentations it is all not working; the URLs are not working. Either I can't register an app on Greenhouse, or no URL gives the keys back.
http://heidloff.net/nh/home.nsf/article.xsp?id=12152011034545AMNHECAP.htm
http://www.xpagescheatsheet.com/cheatsheet.nsf/135E58313968CEEB8825799100478A6F/$FILE/Ni9-CS-SocialTools-8.5x11%20PDF.pdf
http://www-10.lotus.com/ldd/appdevwiki.nsf/xpAPIViewer.xsp?lookupName=API+Reference#action=openDocument&res_title=Step_2_Obtain_authorization_code_sbt&content=apicontent
http://www.openntf.org/Projects/pmt.nsf/DA2F4D351A9F15B28625792D002D1F18/%24file/SocialEnabler111006.pdf
Does anyone have an idea?
@Raphael, use these URLs from the sbt.properties file:
# Connections OAuth 2.0 Endpoint Parameters
connectionsOA2.url=https://qs.renovations.com:444
connectionsOA2.serviceName=SBTK
connectionsOA2.appId=SBTK
connectionsOA2.consumerKey=SBTK
connectionsOA2.consumerSecret=
connectionsOA2.authorizationURL=https://qs.renovations.com:444/oauth2/endpoint/connectionsProvider/authorize
connectionsOA2.accessTokenURL=https://qs.renovations.com:444/oauth2/endpoint/connectionsProvider/token
connectionsOA2.apiVersion=4.0
Register your OAuth keys using wsadmin.sh:
http://www-01.ibm.com/support/knowledgecenter/SSYGQH_4.5.0/admin/admin/r_admin_common_oauth_manage_list.html
Example is https://github.com/OpenNTF/SocialSDK/blob/0f7237b6ff22fed631bde9e4e16ed9744506694c/samples/scripts/oauthQSI.py
import sys
execfile('oauthAdmin.py')
OAuthApplicationRegistrationService.addApplication(sys.argv[0],sys.argv[1],sys.argv[2])
clientSecret = OAuthApplicationRegistrationService.getApplicationById(sys.argv[0]).get('client_secret')
print clientSecret
You can invoke it using a script:
# Parameters
USER=$1
PASSWORD=$2
CLIENTID=$3
APPID=$4
URL=$5
#Starts WSAdmin
cd /local/con/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/
/local/con/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -user $USER -password $PASSWORD -lang jython -port 8883 -f /local/qsi/bin/con/oauthQSI.py $CLIENTID $APPID $URL
I am working on a service which requires authentication.
I would like to base the authentication on my Redmine and grant access to registered users which are members in a private project.
The membership I have figured out:
curl -v -u account:secret \
https://myredmine/projects/private/memberships.json
But how to find out if a user can authenticate?
Use /users/current.json:
curl -v -u account:secret \
https://myredmine/users/current.json
It will return 401 if the user fails to login.
Add ?include=memberships to the URL to retrieve a list of associated projects.
I don't think it will work with OpenID though.
Use the built-in API. You can enable it for each user, once you get the key:
// Pseudo-code
api_key = '65454ftfg53543f34g34f23g'
url = "http://www.myredminesite.com/projects/my_project/issues.json?key=" + api_key
You can enable the API key if you log in and click on "My Account"; then on the right should be your API access key.
There were some issues with older versions, I think. I run Redmine 2.1.2.stable and that works great.
I am very new to WSO2 and am still evaluating it - mostly through Fiddler. It is my understanding that I should be able to obtain an OAuth token by calling WSO2's Login API. I have attempted various URLs (in Fiddler) along the lines of:
// Based off a blog post : http://lalajisureshika.blogspot.com/2012/11/generate-application-tokens-user-tokens.html
http://localhost:8280/login?grant_type=password&username=admin&password=admin&scope=PRODUCTION
Authorization: Basic cFNET0lab1RnMHRBODRCWmQ4bTRBbnp1c0RZYTpZREIzZzh3RXhQOV92ZTdZX1drYVhieWx5ZlVh
When I execute the above URL, I receive (403) No matching resource found in the API for the given request.
I can use the the "Access Token" (via the Bearer tag) and the APIs work. I just can't figure out how to obtain the OAuth token for actual runtime use.
Any pointers/ideas?
--- Thanks, Jeff
Setup Identity Server [domain:9443]
Create OAuth2 application, and get client id + consumer key
Get Base64 encoded of clientId:consumerKey - replace this for Authorization Basic xxxxx
Replace the REST endpoint for token generation - This you should get in oauth application on management console [in our case https://domain:9443/oauth2/token]
And below curl command should give you the response
curl -k -d "grant_type=password&username=sasikumar@domain.com&password=xxxx1234" -H "Authorization: Basic X2dhWllidkN6TDNQY2ZqSmVBQ1lsNlg2SFdRYTpSQVlSMmxOZzQ0enU5ZXVGSDRDVXdOUWRudlVh" -H "Content-Type: application/x-www-form-urlencoded" https://domain:9443/oauth2/token
You can directly access OAuth2 REST web service to access the token.Here is how you can access token using curl
curl --user ConsumerKey:ConsumerSecret -k -d "grant_type=password&username=admin&password=admin" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2endpoints/token
Below is an example using the cURL tool available in Linux by default (you can install cURL for Windows explicitly):
curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=password&username=&password=&client_id=&client_secret=" https://:9443/oauth2/token
to obtain the client_secret & client_id you have to register a app in wso2is.
There are free tools available to construct the above request or directly use the above parameters and to get the token.
Setup Identity Server [domain:9443]
Create OAuth2 application, and get client id , consumer key and url.
Process the POST request by using 'poster' with the below details:
URL :- which get from oauth application
Content Type :- application/x-www-form-urlencoded
body:- grant_type=password&username=your username&password=your password&client_id=your client id&client_secret=your client secret
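All of the answers above are the same resource-owner-password token request; they differ only in whether the client credentials travel as an Authorization: Basic header (--user, or the hand-built base64) or as client_id/client_secret form fields. The following is an added example, not WSO2's code and not from any of the answers, that builds the request both ways and parses the JSON reply, so the header and the form encoding are produced by the library instead of pasted by hand (the curl -d strings above break silently on a password containing '&' or '='). The token URL, client id and secret are placeholders; the function that actually POSTs uses urllib and is not exercised here.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlencode


def client_basic_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: client credentials as HTTP Basic, base64('id:secret')."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_password_grant(token_url, client_id, client_secret, username, password,
                         scope=None, client_in_body=False):
    """Return (url, headers, body) for a grant_type=password token request.

    client_in_body=False puts the client credentials in the Authorization header,
    as the --user / Basic curl examples do; True puts client_id and client_secret
    in the form body instead, like the 'poster' example. Use one or the other,
    never both."""
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_in_body:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        headers["Authorization"] = client_basic_header(client_id, client_secret)
    # urlencode percent-escapes '&', '=', '#', spaces etc. in the password, which a
    # hand-written -d string does not
    return token_url, headers, urlencode(form)


def parse_token_response(body: str) -> dict:
    """Pull out the fields a caller needs from the token endpoint's JSON reply,
    raising on an OAuth error object instead of returning a half-filled dict."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    return {
        "access_token": data["access_token"],
        "token_type": data.get("token_type", "bearer"),
        "expires_in": int(data.get("expires_in", 0)),
        "refresh_token": data.get("refresh_token"),
    }


def fetch_token(token_url, client_id, client_secret, username, password, insecure=False) -> dict:
    """POST the request built above. insecure=True mirrors curl -k and belongs only
    on a lab instance still using the self-signed WSO2 certificate."""
    url, headers, body = build_password_grant(token_url, client_id, client_secret, username, password)
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # placeholders for the values from the OAuth application registered in the console
    tok = fetch_token("https://localhost:9443/oauth2/token", "<client id>", "<client secret>",
                      "admin", "admin", insecure=True)
    print("Authorization: Bearer " + tok["access_token"])
```

The password grant hands the resource owner's password to the client, so it is fine for the test setup in the question but is the grant to replace first once a real client exists; the refresh_token in the reply is what lets a client keep working without asking for the password again.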