It is written in the keycloak documentation that the Token Endpoint can be used for obtaining a temporary code in the Authorization Code Flow or for obtaining tokens via the Implicit Flow, Direct Grants, or Client Grants.
But even with response_type=code , I can't get an authorization code: only a token. How can I do that?
My test request:
curl -X POST \
http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/token \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Host: localhost:8080' \
-H 'Postman-Token: e103dff9-7b25-4f8f-886b-2af73efee561,e8f92a85-1489-4d7f-b89f-76cfe85e9c68' \
-H 'User-Agent: PostmanRuntime/7.15.0' \
-H 'accept-encoding: gzip, deflate' \
-H 'cache-control: no-cache' \
-H 'content-length: 94' \
-d 'grant_type=password&username=login&password=pwd&client_id=my-app&response_type=code'
Source : https://www.keycloak.org/docs/latest/server_admin/index.html#keycloak-server-oidc-uri-endpoints
response_type can be only used in authorization request to authorization endpoint (http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/auth) and it will be ignored in this case (in token request). Authorization code can be got from authorization endpoint as follows:
http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/auth?client_id=my-ap&redirect_uri=https://...&response_type=code
See also:
https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
Related
I'm looking at the JIRA api docs. Does anyone know where I can find these credentials?
-u charlie:charlie \
For the request
curl \
-D- \
-u charlie:charlie \
-X POST \
--data {see below} \
-H "Content-Type: application/json" \
http://localhost:8080/rest/api/2/issue/
I found it. Account Settings-> Security -> Create and Manage api tokens.
We try to exchange 'Sign in with apple' between 2 teams, we proceed as follows:
The old team generates a transfer_sub for the new team, the request (https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team) here looks like this:
curl -sS --location --request POST "https://appleid.apple.com/auth/usermigrationinfo" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-d "sub=$oldUserSub&target=$newTeamId&client_id=$oldAppBundleID&client_secret=$oldSecret"
This works perfectly, the old team receives a transfer_sub and gives it to the new team.
{"transfer_sub":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"}
The new team gets the new ID with the following request (https://developer.apple.com/documentation/sign_in_with_apple/bringing_new_apps_and_users_into_your_team):
curl -sS --location --request POST "https://appleid.apple.com/auth/usermigrationinfo" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-d "transfer_sub=$transferSubFromOldTeam&client_id=$newAppBundleID&client_secret=$newSecret"
Unfortunately this does not work because there is an error return:
{"error":"invalid_request"}
Does anyone have an idea what to do to make the relegation valid?
Have you already transferred your app?
The same issue has already been resolved in the Developer Forums.
Referring to here may resolve this issue.
The answer says:
You cannot use the api "/auth/usermigrationinfo" of the URL before app transfer.
So, If you haven't transferred your app yet, you have to complete your app transfer first. Then the new team will be able to get the new ID with the following request:
curl -sS --location --request POST "https://appleid.apple.com/auth/usermigrationinfo" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-d "transfer_sub=$transferSubFromOldTeam&client_id=$newAppBundleID&client_secret=$newSecret"
How to authenticate with the V2 API is useful and works.
REPO="https://hub.docker.com/v2"
I'm able to get tokens, list (my) repos and lists their images and tags.
curl --silent \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/
curl --silent \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/${IMAGE}/tags/
I'd like to 'GET MANIFEST' but I'm struggling to get this to work:
https://docs.docker.com/registry/spec/api/#manifest:
curl --silent \
--header "Host: hub.docker.com" \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/${IMAGE}/manifests/
curl --silent \
--header "Host: hub.docker.com" \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/${USERNAME}/${IMAGE}/manifests/
curl --silent \
--header "Host: hub.docker.com" \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/${USERNAME}/${IMAGE}/manifests/${TAG}
I've tried with|without the Host header. With various values for the Host header. But, I'm clearly missing something. I tried pattern-matching against the working endpoints but no joy:
curl --silent \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/${IMAGE}/manifests/
Curiously, this page shows "GET TAGS" seemingly incorrectly as /v2/<name>/tags/list:
https://docs.docker.com/registry/spec/api/#tags
Reviewed:
https://stackoverflow.com/a/45605443/609290
Follow-up
I'm a Googler and have access to Google Container Registry (GCR).
REPO="https://gcr.io/v2/"
On a whim, I just tried 'GET MANIFEST' against GCR and the requests works:
curl --silent \
--request GET \
--user _token:$(gcloud auth print-access-token) \
${REPO}/${PROJECT}/${IMAGE}/manifests/${TAG}
It's quite confusing with all the *.docker.com|io subdomains!
I found registry.hub.docker.com and index.docker.io the most reliable ones.
You can easily query the tags from there, but for the manifests you'll need to get a token for pulling first:
REGISTRY=https://index.docker.io/v2
#REGISTRY="https://registry.hub.docker.com/v2"
#REGISTRY="https://registry.docker.io/v2"
#REGISTRY="https://registry-1.docker.io/v2"
#REGISTRY="https://hub.docker.com/v2"
REPO=library
IMAGE=debian
# Could also be a repo digest
TAG=latest
# Query tags
curl "$REGISTRY/repositories/$REPO/$IMAGE/tags/"
# Query manifest
curl -iL "$REGISTRY/$REPO/$IMAGE/manifests/$TAG"
# HTTP/1.1 401 Unauthorized
# Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/debian:pull"
TOKEN=$(curl -sSL "https://auth.docker.io/token?service=registry.docker.io&scope=repository:$REPO/$IMAGE:pull" \
| jq --raw-output .token)
curl -LH "Authorization: Bearer ${TOKEN}" "$REGISTRY/$REPO/$IMAGE/manifests/$TAG"
# Some repos seem to return V1 Schemas by default
REPO=nginxinc
IMAGE=nginx-unprivileged
TAG=1.17.2
curl -LH "Authorization: Bearer $(curl -sSL "https://auth.docker.io/token?service=registry.docker.io&scope=repository:$REPO/$IMAGE:pull" | jq --raw-output .token)" \
"$REGISTRY/$REPO/$IMAGE/manifests/$TAG"
# Solution: Set the Accept Header for V2
curl -LH "Authorization: Bearer $(curl -sSL "https://auth.docker.io/token?service=registry.docker.io&scope=repository:$REPO/$IMAGE:pull" | jq --raw-output .token)" \
-H "Accept:application/vnd.docker.distribution.manifest.v2+json" \
"$REGISTRY/$REPO/$IMAGE/manifests/$TAG"
See
this gist for another example and
this repo for a reusable script docker-image-size-curl.sh
Authorization with hub.docker.com works differently and you don't seem to get the manifests from there 🤔
Below is the token request.
curl -X POST \
https://172.17.0.1:9443/oauth2/token \
-H 'Authorization: Basic dXF0c0hnVUp2dnU5X1BDdVEyTjI5dDRqRjA0YTozb1IzYllmN2gxOVBMYmZiTElnR25xNllkQjBh' \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Postman-Token: f7ffb7f5-c78d-4931-81e1-a3266da68578' \
-d grant_type=client_credentials
I'm not getting the refresh token in the response
{
"access_token": "867ab2c1-5afa-39f3-a897-5ff4b8a3232b",
"scope": "am_application_scope default",
"token_type": "Bearer",
"expires_in": 305
}
Wso2am version 2.1.0
In client-credentials grant type, the refresh token is not included. It's mentioned in the spec[1] as follows.
A refresh token SHOULD NOT be included.
If you need a refresh token, you should use a different grant type.
[1] https://www.rfc-editor.org/rfc/rfc6749#section-4.4.3
I have a Google Cloud service account and I'm able to use its JSON key to query google cloud data store via GCP python client libraries.
I'm using the very same JSON to generate a bearer token to run the same request via curl but this fails with "insufficient_scope" error.
Steps used to generate Bearer Token:
gcloud auth activate-service-account --key-file=KEY_FILE
TOKEN=$(gcloud auth application-default print-access-token)
curl command used with bearer token:
curl 'https://datastore.googleapis.com/v1/projects/my_project:runQuery' \
-X POST \
-H "Authorization: Bearer $TOKEN" \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
--data-binary '{"gqlQuery":{"queryString":"select * from Tasktest111"}}' \
--compressed