I authenticated to the REST server and got a token in the cookies. This token allowed access to the REST server, but I want to interact with the authentication service.
GitHub responds with this message:
{
"message": "Bad credentials",
"documentation_url": "https://developer.github.com/v3"
}
GitLab returns only
401 (Unauthorized)
I'm using the token returned from the cookies as an HTTP header:
Authorization: `token`
Authorization: bearer `token`
Authorization: token `token`
I am trying to fetch the user profile picture from the Microsoft Graph API using a Keycloak access token, but I am getting the following error from the Keycloak API:
{
"errorMessage": "Invalid token."
}
API - http://localhost:8080/auth/realms/{Realm name}/broker/{identity provider}/token
Header - Authorization: Bearer {accessToken}
We are using Keycloak to handle authentication (client/secret) in our API gateway.
The Kong API service uses konnect-managed-plugin to refer to Keycloak to authenticate client credentials and return a bearer token.
Future calls to other endpoints use oauth2-introspection to verify the bearer token via Keycloak introspection.
I almost have this working; however, when I authenticate via the Kong API gateway, it returns a bearer token, but this token fails introspection.
If I authenticate straight to Keycloak, the bearer token works for introspection.
e.g.
Token from:
http://kongapigateway.domain/getOAuthToken
NOTE: We have not yet set up ssl on the kong api gateway
Returns:
{"access_token":"ey..ZiUQyw","expires_in":900,"refresh_expires_in":0,"token_type":"Bearer","not-before-policy":0,"scope":"email profile"}
Calling api endpoint in kong that uses introspection fails:
http://kongapigateway.domain/bookings
{
"error_description": "The access token is invalid or has expired",
"error": "invalid_token"
}
Direct call to keycloak introspection also fails:
https://keycloak.domain/auth/realms/{Realms}/protocol/openid-connect/token/introspect
{
"active": false
}
However if I get token direct from keycloak server:
https://keycloak.domain/auth/realms/{Realms}/protocol/openid-connect/token
{"access_token":"eyJhb...4lT8w","expires_in":900,"refresh_expires_in":0,"token_type":"Bearer","not-before-policy":0,"scope":"email profile"}
The token works for both endpoints:
http://kongapigateway.domain/bookings and https://keycloak.domain/auth/realms/{Realms}/protocol/openid-connect/token/introspect
So why doesn't introspection work for the token returned in the first scenario?
You can fix this by setting Keycloak's frontend URL to your public URL. For details please refer to my answer to another but similar question.
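The usual reason the frontend-URL setting fixes this: a Keycloak realm that has no frontend URL configured builds the `iss` claim from the host and scheme of the request that minted the token, so a token obtained through `http://kongapigateway.domain` carries a different issuer than one obtained through `https://keycloak.domain`, and introspection reports `active: false` for it. The following diagnostic is an added example, not code from the question or the answer above; the realm name, host names and token contents are constructed for illustration. It decodes the payload of a token without verifying it (acceptable only for inspecting a token you just received from your own IdP) and compares `iss` with the issuer the realm expects.

```python
import base64
import json

# Assumed values for this example; not taken from the original post.
EXPECTED_ISSUER = "https://keycloak.domain/auth/realms/myrealm"
GATEWAY_ISSUER = "http://kongapigateway.domain/auth/realms/myrealm"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a throwaway signature (constructed test data only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.not-a-real-signature"


def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature.

    Good enough for looking at what your own IdP just issued; never a substitute
    for signature verification or introspection on the resource-server side.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def explain_introspection_failure(token: str, expected_issuer: str) -> str:
    """Compare the token's iss claim with the issuer the realm will check against."""
    iss = jwt_claims(token).get("iss")
    if iss == expected_issuer:
        return "issuer matches; look elsewhere (clock skew, wrong realm, revoked session)"
    return f"issuer mismatch: token says {iss!r}, realm expects {expected_issuer!r}"


if __name__ == "__main__":
    via_gateway = make_unsigned_jwt({"iss": GATEWAY_ISSUER, "sub": "user-1"})
    direct = make_unsigned_jwt({"iss": EXPECTED_ISSUER, "sub": "user-1"})
    print(explain_introspection_failure(via_gateway, EXPECTED_ISSUER))
    print(explain_introspection_failure(direct, EXPECTED_ISSUER))
```

Once the realm's Frontend URL is set to the public `https://keycloak.domain/auth` base, both tokens carry the same `iss` and introspection from either path succeeds. Note that the gateway in the question is plain HTTP, so the issuer differs in scheme as well as host; that is a second reason to put TLS in front of Kong before going further.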
I want to use HTTP basic authentication to password-protect the status callback endpoint for Programmable SMS. On the initial request from Twilio, which does not have an Authorization header, I send back a status code of 401 with the WWW-Authenticate header set to "Basic realm='some realm'". However, I do not receive a following request from Twilio with an Authorization header.
Reference: https://www.twilio.com/docs/usage/security#http-authentication
// Send an SMS with a status callback. The callback URL carries the credentials
// in userinfo form (user:pass@host), as the Twilio docs describe.
const details = await client.messages
.create({
body: 'This is the ship that made the Kessel Run in fourteen parsecs?',
from: 'TEST',
to: '......',
statusCallback: `https://user123:pass123@foo.com/status`
})
// Lambda response headers from logs
Method response headers: {WWW-Authenticate=Basic realm='Validate twilio request', Content-Type=application/xml}
Note: the reason basic authentication is needed is to validate the authenticity of the request using the provided username and password. I am not using the X-Twilio-Signature HTTP header because I do not have access to the auth token to validate the request; I am using API keys to make requests.
I tested with ngrok (with authentication enabled) and Twilio statusCallback basic authentication configured, and it works. Try modifying your response headers to see if that changes anything.
ngrok returns the response headers below:
HTTP/1.1 401 Unauthorized
Content-Length: 20
Content-Type: text/plain
Www-Authenticate: Basic realm="ngrok"
Alan's answer led me to investigate further the headers returned by API Gateway. The WWW-Authenticate header that the Lambda returned had been remapped by API Gateway (learn more here: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-known-issues.html)
The solution was to implement a Lambda authorizer to intercept the request and do the necessary authentication, i.e. check for the Authorization header. The Lambda authorizer then allows or denies the request from passing on to the Lambda method.
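What such a REQUEST-type Lambda authorizer looks like, as an added example rather than the poster's own code: it parses the Basic credential out of the Authorization header (looking for both the REST API and the lowercase HTTP API header casing), compares it in constant time against an expected pair, and returns an IAM policy that allows or denies `execute-api:Invoke`. The credential values, the method ARN and the `lambda_handler` name are assumptions for illustration; real deployments read the secret from a secret store, not a module constant.

```python
import base64
import binascii
import hmac

# Assumed credentials for this example; not values from the original post.
EXPECTED_USER = "user123"
EXPECTED_PASS = "pass123"


def basic_header(user, password):
    """Client side: build 'Basic <base64(user:password)>' (what Twilio would send)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_auth(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' header, or None."""
    if not header_value:
        return None
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def credentials_ok(user, password):
    # Compare both fields in constant time; do not short-circuit on the username
    # so the check does not reveal which of the two was wrong.
    user_ok = hmac.compare_digest(user.encode("utf-8"), EXPECTED_USER.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), EXPECTED_PASS.encode("utf-8"))
    return user_ok and pass_ok


def build_policy(principal_id, effect, method_arn):
    """IAM policy document in the shape API Gateway expects from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
    }


def authorize(event):
    headers = event.get("headers") or {}
    # REST APIs pass header names as sent; HTTP APIs lowercase them. Accept both.
    auth_header = headers.get("Authorization") or headers.get("authorization")
    method_arn = event.get("methodArn", "*")
    creds = parse_basic_auth(auth_header)
    if creds is None:
        # Raising with exactly this message makes API Gateway answer 401 rather than 403.
        raise Exception("Unauthorized")
    user, password = creds
    if not credentials_ok(user, password):
        return build_policy(user, "Deny", method_arn)
    return build_policy(user, "Allow", method_arn)


def lambda_handler(event, context):
    return authorize(event)
```

Because the 401 now comes from API Gateway itself, the header remapping described in the linked known-issues page no longer matters for the challenge; the Lambda behind the authorizer only ever sees requests that carried a valid credential.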
I'm getting error 500 from the token endpoint.
I'm using Google SSO with the hosted login UI.
The login URL is https://sso.auth.ap-northeast-1.amazoncognito.com/login?response_type=code&client_id=asd123&redirect_uri=https://dev.test.com:5000/dev.html
I'm using the 'Authorization code grant' flow. After a successful login it returns to the URL with the authorization code: callback_url?code=c015030f-d7bc-48e4-b046-0431b1b66ac7
Then I need to get access_token and refresh_token from the 'token endpoint'.
url: https://sso.auth.ap-northeast-1.amazoncognito.com/oauth2/token
using application/x-www-form-urlencoded
Authorization: Basic base64(client_id:client_secret)
fields
grant_type=authorization_code
scope=email openid profile
redirect_uri=https://dev.test.com:5000/dev.html
code=the code that I got in the callback URL
I'm doing all as described in https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
All I get is error 500 and json
{"error": "Internal Error"}
I found the problem. I had a double space in the Authorization header between Basic and the hash. Anyway, there is also a problem in error handling on Amazon's side; we shouldn't get a 500.
I'm using the OAuth Authorization Code flow to authenticate the user and authorize my application against the WSO2 Identity Server. I'm using a simple node/express server, with Passport.js, to get the Access Token, and Postman to use that Access Token to make a few test requests to the SOAP APIs.
When using the Bearer Token method to authorize my application, I get the following error in the IS logs: 0 active authenticators registered in the system. The system should have at least 1 active authenticator service registered. I get the following error in Postman: 500 Internal Server Error, with the following response body: <faultstring>Authentication failure</faultstring>.
Here is what it looks like in Postman:
The same Access Token works with a REST API request, like "https://localhost:9443/scim2/Me".
Can anyone tell me what I'm missing here?
SOAP APIs in WSO2 Identity Server cannot be authenticated with Bearer tokens; they can be authenticated with Basic authentication and cookies. That's the reason for getting Authentication failure in the response.
But REST APIs in the Identity Server can be authenticated with Bearer tokens, so /scim2/Me authenticates successfully with the access token.
Try to get the access token manually from the authorize service and use it.
Step 1: Get the authorization code
https://<is_server_url>:9443/oauth2/authorize?client_id=<id>&redirect_uri=<callback_url>&response_type=code&scope=openid
You will get an authorization code on the callback URL.
Step 2: Call the token service to get the access token
POST https://<is_server_url>:9443/oauth2/token
Content-Type:application/x-www-form-urlencoded
Authorization:Basic <base64encoded "<client_id>:<client_secret>">
grant_type:authorization_code
scope:openid
code:<code_from_step_1>
redirect_uri:<callback_url>
Example:
client_id=abcdefgh12345678
client_secret=xyzsecretkey
callback_url=http://localhost/callback
scope=openid
server: localhost
base64encode(client_id:client_secret) = base64encode(abcdefgh12345678:xyzsecretkey) => YWJjZGVmZ2gxMjM0NTY3ODp4eXpzZWNyZXRrZXk=
GET https://localhost:9443/oauth2/authorize?client_id=abcdefgh12345678&redirect_uri=http://localhost/callback&response_type=code&scope=openid
It will make a request back to the callback URL with a parameter code; let's say code=this01is02your03code. Check your browser address bar.
POST https://localhost:9443/oauth2/token
HEADERS
Content-Type:application/x-www-form-urlencoded
Authorization:Basic YWJjZGVmZ2gxMjM0NTY3ODp4eXpzZWNyZXRrZXk=
BODY
grant_type:authorization_code
scope:openid
code:this01is02your03code
redirect_uri:http://localhost/callback
This will return an access token; let's say the token returned by the server is 12345678ASDFGH.
Now you can use this token to call any RESTful or SOAP service:
Authorization: Bearer 12345678ASDFGH
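The authorization-code exchange in the WSO2 steps above and the Cognito token-endpoint call earlier on this page have the same shape: a browser redirect that yields `code`, then a form-encoded POST to the token endpoint authenticated with `Authorization: Basic base64(client_id:client_secret)`. The following helper is an added example written for this page, not code from either answer; it takes its sample client ID, secret and callback from the WSO2 example and assumes the `/oauth2/authorize` path of that server (Cognito's hosted UI uses `/login` for the first step, and its token endpoint is `/oauth2/token` as in the Cognito post). Alongside building the request it rejects the malformed header from the Cognito post, a `Basic` credential with two spaces, before it ever reaches the server.

```python
import base64
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Sample values from the WSO2 answer above; treat them as placeholders.
CLIENT_ID = "abcdefgh12345678"
CLIENT_SECRET = "xyzsecretkey"
REDIRECT_URI = "http://localhost/callback"


def authorize_url(base, client_id, redirect_uri, scope="openid", state=None):
    """Step 1: URL the browser is sent to. Real clients should always pass a random state."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": scope}
    if state:
        params["state"] = state
    return f"{base}/oauth2/authorize?{urlencode(params)}"


def code_from_callback(callback_url):
    """Pull the authorization code out of the redirect the IdP sent the browser to."""
    qs = parse_qs(urlparse(callback_url).query)
    if "code" not in qs:
        raise ValueError(f"no code in callback: {qs.get('error', ['unknown error'])[0]}")
    return qs["code"][0]


def basic_auth_header(client_id, client_secret):
    """Exactly one space between the scheme and the credential."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_basic_header(value):
    """Catch the kind of defect that produced the Cognito 500: stray whitespace in the header."""
    scheme, sep, cred = value.partition(" ")
    if scheme != "Basic" or not sep or cred == "" or cred != cred.strip() or " " in cred:
        raise ValueError(f"malformed Authorization header: {value!r}")
    return True


def token_request(token_url, client_id, client_secret, code, redirect_uri, scope="openid"):
    """Step 2: (url, headers, body) for the token endpoint; body is x-www-form-urlencoded."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    check_basic_header(headers["Authorization"])
    body = urlencode({
        "grant_type": "authorization_code",
        "scope": scope,
        "code": code,
        "redirect_uri": redirect_uri,  # must match the value used in step 1 byte for byte
    })
    return token_url, headers, body


def fetch_token(token_url, headers, body):
    """POST the prepared request and parse the JSON token response (needs network)."""
    req = urllib.request.Request(token_url, data=body.encode("ascii"), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(authorize_url("https://localhost:9443", CLIENT_ID, REDIRECT_URI, state="n0nce"))
    code = code_from_callback("http://localhost/callback?code=this01is02your03code")
    url, headers, body = token_request("https://localhost:9443/oauth2/token",
                                       CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    print(url, headers, body, sep="\n")
```

The `redirect_uri` sent in step 2 must be identical to the one used in step 1; most servers reject the exchange otherwise, which is the other common cause of an opaque error from the token endpoint.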