I am building an app on an existing private api for in house use. This api implements oAuth2 for authentication, but also expects extra custom headers to be send when requesting a token.
When working with PAW I can request a token without a problem by a custom request. But when I want to automate the oAuth token request by using the build in oAuth(thingy) then I can't find a way to send those additional headers.
Where/can I do a feature request to implement adding custom headers in oAuth request?
Example for adding custom headers
Related
I`m new to OAuth 2.0 and am trying to develop a application using a third party OAuth provider with Authorization Code grant flow as ny Authorization Server and Spring Security.
This provider gives me two endpoints /authorize and /token and those two, after the user authorizes its access, will return a access token.
So far, I have secured the "/" endpoint, so the application redirect the user to the authorization page and then, in the callback endpoint, store the token so it can be validated by a filter in each request.
But, as the application is mainly a set of REST API's, we want to be able to test it using Postman, with that said, on Postman, I am getting the token by setting the Authorization as OAuth 2.0 and requesting the token directly from the third party endpoints but, as Postman have its own callback URI, my application doesn`t store the token generated.
So, my two questions on this are:
Using /callback endpoint to store the token and validating it before each request by a filter is the common way of doing it?
To use Postman, should I create an endpoint for storing the token generated outside the application context or should I create an Authorization Server of my own as an additional layer on top of this third party AS?
Since your application is a set of REST API's, you need to make it as a Resource Server (in terms of OAuth2).
Resource Server doesn't perform authentication itself, it only validates a token from Authorization header (Resource Server in a nutshell).
You can find an example in Spring Security samples: oauth2resourceserver
I eventually come to the conclusion that I was using Postman wrong the whole time.
So, by the end, we got the Token saved on the database when the user logs in and, then, return it to the caller, whether it is the Front-end application, or Postman itself.
Then, in every call to the API's, the caller should include the token as Authorization on the header and a Filter on Spring will check the token against the Database.
The API I'm using requires that my OAuth 2.0 redirect URI be urn:ietf:wg:oauth:2.0:oob. So when I initiate the authentication flow in Paw, I am presented with this:
Where do I paste that code into Paw? Or is there a more automatic way I should be authenticating?
It seems like you're using an OAuth 2 "Authorization Code" flow, in which case the code needs to be then sent back to the server in order to get an authentication token.
Unfortunately, as your API doesn't provide the code automatically through a URL query param, Paw isn't able to retrieve the code and continue the normal flow. I'm afraid that in your case you won't be able to use Paw's automated OAuth 2 flow.
Instead, you may setup manually multiple requests in Paw:
One request to query this page (the Authorization URL)
One request to get access token using the code you've got (the Access Token URL)
We are using VB.NET and developing one Windows Form based application. Where we need to send email using gmail.
Appropriate scope has been approved by Google: scope=https://www.googleapis.com/auth/gmail.send
Using below URL via browser, we are able to retrieve code.
https://accounts.google.com/o/oauth2/v2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.send&access_type=offline&include_granted_scopes=true&state=state_parameter_passthrough_value&redirect_uri=**********&response_type=code&client_id=******************
At this point, we have client id, client secret, and code.
But we are unable to send email.
Can someone please share any sample POST request or sample code?
Lanugage used: VB.NET and first URL was called using webbrowser object.
You are using OAuth2 Authorization Code Grant flow. This flows returns you just a code that you need to exchange for an access token and a refresh token using the /token endpoint. The code is just a random identifier and cannot be used for anything else. Without an access token, you cannot access protected resources (GMail). The /token endpoint requires authentication, so you will need your client ID and secret when calling it.
The workflow, request parameters, responses and examples are covered in the OAuth2 RFC.
After having developed my first web portal (using railstutorial.org), I'm now making my way in building my first API (with some help).
Authentication for the web portal works with session as well as with a cookie (if the user wants his log in to be remembered).
For the API I understand that using session is insecure; you need to work only with a token. So, just as for the web portal, when a user logs into the API his credentials get checked, and if they are valid a token is generated of which the digest is stored to the database.
But then: I understand there are then three options what to do with the token: to store the token on the user's computer using a cookie, include the token as parameter or use the HTTP header. I read for APIs using the HTTP header is the preferred option.
If using the cookie, it is the same as the 'remember me' option for the web portal: the token is stored in the cookie and a digest of the token is stored in the database. With each API request the cookie is read and it is checked if it's token matches the digest.
Each time the API sends data to the user or the user makes a call to the API, the token is included as a parameter. I understand that this displays the token in the URL, which is not desirable.
My understanding of using the HTTP header fails.
What does it mean to use the HTTP header to send the token, instead of a cookie? What is the process/logic behind it? When to use a cookie, a parameter or the HTTP header?
Am I correct in my understanding that each time the API sends data to the user, it should include the token in the HTTP header? And each call the user makes to the API should include that same token?
I think this link is a good place to start : http://devcenter.kinvey.com/rest/guides/security
Also, reading up on some documentation of HttpAuthentication::Token should give you a basic overview of how/when you should utilize it.
http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
You should look into how a cookie works. Setting a cookie is also sending a standardized http header to the client. When client sends a request, they can send cookie along with the request.
There is also a standard for http token in rails: Link Which is also setting a specific header in the request
We are exploring the MailChimp API v3.0. There are two types of authentication methods: Basic and OAuth 2.
We are able to authenticate using both ways, but there is confusion with the Authorization Header part:
Basic Authentication (both authorization headers below work):
Authorization: Basic base64 format of username:APIkey
Authorization: Basic only APIKey
OAuth 2 Authentication (both authorization headers below work):
Authorization: OAuth access_token
Authorization: OAuth only APIKey
The API documentation refers only to the first approach of each of the above authentication methods.
Is the second approach of each valid? i.e. can we authenticate using only the API key in the place of the base64 encoded string (Basic auth), and only the API key in place of the access token (OAuth 2)?
OAuth on MailChimp is a way to retrieve an access token. You can then use that access token (or an API Key that you get from the dashboard) in the Basic Auth setup.
While it may work to pass the API key by itself in the header, I'd recommend following the actual Basic Auth methodology of the base64 encoded 'username:apikey' or 'username:access_token'. Almost all HTTP libraries will do this part for you. For example, with cURL, you can do this:
curl --user myusername:myapikey "https://dev.api.mailchimp.com/3.0/lists/"
Depending on your language and library, it will be handled different ways, but all of the ones I've worked with have made it easy to do Basic Auth.