It has always been haunting me but i can't find the answer.
When sending bearer token, why does one send the "Bearer" string also usually (i.e: Bearer abcd1234), isnt it enough with just the token only?
The Authorization header can be used with different authorize schemes like Basic or Digest. The Bearer scheme indicates that you are using a bearer token.
The HTTP authorization scheme can be extended with custom schemes.
See https://www.rfc-editor.org/rfc/rfc2617 for more information
Related
I have an api and i have gained access to the bearer token by sending username and password . I need to use the token to then send send another request using Oauth2 gem(ruby). H I have the endpoint
below is an example of something i think it may look like. I don't know the syntax or how to send this token to the url
it would be great if someone could give me an example of how to set up the method. Where to plug in the bearer token that i have saved to an instance variable, etc.
req = Net::HTTP::Get.new(url.to_s)
You need to add Authorization to the header, where the value is the bearer token. A header can be set like so req["header_name"] = header
You seem fairly new to this, I suggest you use RestClient instead https://github.com/rest-client/rest-client. Much more user friendly and the documentation is easier to read.
I'm in the context of an embedded devices that uses an HTTPS client to request an access token on behalf of a user (delegated permission needed for the app).
I'm currently using OAuth 2.0 ROPC (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc) to get my token and everything works fine.
But since this authentication is deprecated I'd like to change to a more secure solution that works in hybrid identity federation scenarios.
I see that many other solutions exists, but I can't find one that doesn't need to interpret an HTML/JS response.
Here a CURL example to explain my point:
ROPC request:
curl -X POST "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token" --data "grant_type=password&scope=EWS.AccessAsUser.All&username=<username>&password=<password>&client_id=<client_id>&client_secret=<client_secret>" -H "Content-Type: application/x-www-form-urlencoded"
Response:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0eX....1234"}
Here I can extract the token directly from the response.
But using other ways to get delegated permission token such as OAuth 2.0 Implicit Grant flow (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow), responses are always an HTML that I can't interpret.
So here I am wondering if there is a solution to this situation.
Thanks in advance,
Aloïs KYROU
You cannot use the implicit flow to obtain the token in the tool, you can only run the request url in the browser. Because using the implicit flow requires you to log in. Please note that before this, you must enable id token and access token.
Request the id token and access token in the browser.
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client id}
&response_type=id_token token
&redirect_uri={redirect_uri}
&scope=openid EWS.AccessAsUser.All
&response_mode=fragment
&state=12345
&nonce=678910
In order to use Discord's API I need a token, and to get it I open a link such as
https://discordapp.com/api/oauth2/authorize?client_id=<client_id>&redirect_uri=<redirect_url>&response_type=token&scope=identify
Then I set the token as authorization (in format Bearer <token>) header of requests that are issued to the Discord's API.
Let's say I want to "logout", so that a certain token can't be used anymore to do such requests. In this case I have to revoke that token, right?
So after reading Discord's documentation and making some adjustments I decided that I have to make a POST request to a URL such as
https://discordapp.com/api/oauth2/token/revoke, and content-type header of this request should be set to x-www-form-urlencoded.
When I do it I'm getting an error message from discord's server with message saying {error: "invalid_client"}
What do I do wrong?
If you come by this question and are wondering what is the full API call to revoke the token, here it is:
POST https://discord.com/api/oauth2/token/revoke
Content-Type: application/x-www-form-urlencoded
data:
client_id: <client_id>
client_secret: <client_secret>
token: <access_token>
So the problem was in actual format of the data I was sending. I was sending JSON data because I thought that setting specific headers would automatically turn the data into the right format, but it turns out I had to use FormData object to create the data in the right format, and after that I also removed the lines where I'm setting the header explicitly, after these steps everything worked fine.
I'm making a swagger-UI using swagger 2.0 generated in the integrated Apigee portal.
I'm trying to get the oauth2 client credentials(in swagger 2.0 called application) flow to work in the "try it out" part of the UI.
Note that the input from the user is the clientid and secret, and not the token.
When I try to authorize a get operation and send requests, I can see in the curl representation of the UI that the Authorization header is expressed "Authorization: BearerToken {token}". The token is replaced in the curl string as expected.
Apigee does not support the "BearerToken" prefix, only "Bearer".
Is there a way to force swaggerUI to use the prefix "Bearer" instead of "BearerToken"?
My securitydefinition:
securityDefinitions:
OAuth2:
type: oauth2
flow: application
tokenUrl: 'https://{org-environment}/token'
scopes:
read: Grants read access
My security definition in the path:
paths:
/resources:
get:
security:
- OAuth2: [read]
The name of the token is set from the response the oauth access token generation proxy.
I changed the token.type from "BearerToken" to "Bearer" and this solved my problem.
Currently my app is accepting Cookies ("idsrv.session") to authenticate the user, however when i try to add the "bearer" token in the hearder of a request it just says unauthorized.
However if i change the configuration of the IdServer but adding ".AddJwtBearer" it accepts now a request with an header containing the "bearer" token but no longer accepts requests containing cookies.
Is it possible to implement both approaches, to accept cookies or in case no cookie is received, to check if the header contains a "bearer" token?
Thanks in advance! =)