How to configure postman when you already have a token/bearer key at hand?
Was hoping it would be somewhat similar with seting up an OAuth2.0 authentication with SoapUI that you can just input the bearer/token key.
If you have an access token, you can configure POSTman by setting up a custom Authorization header. Setup:
Authorization: Bearer <accessToken>
And if the API you are accessing supports bearer tokens, and you are providing a valid access token, then it should work.
Related
I aim to fetch purchases from googleapis by using a service account on server-side.
Method: purchases.products.get api requires an oauth2 authentication.
Therefore I create an oauth2 token -from the client-secret.json I am provided from consolce.cloud.google- inside of my server-side backend java spring application.
GoogleCredentials googleCredentials = GoogleCredentials.fromStream(new FileInputStream("src/main/resources/client_secret.json")).createScoped("https://www.googleapis.com/auth/androidpublisher");
googleCredentials.refresh();
AccessToken accessToken = googleCredentials.getAccessToken();
The token I generate is like 'ya29.c.b0AXczHcuLszNI................'
It ends with multiple dots I don't know why.
https://androidpublisher.googleapis.com/androidpublisher/v3/applications/{packageName}/purchases/products/{productId}/tokens/{token}
After I get the token I do the GET request to this URL.
I gets the following error:
"message": "Request is missing required authentication credential.
Expected OAuth 2 access token, login cookie or other valid
authentication credential. See
https://developers.google.com/identity/sign-in/web/devconsole-project.",
Why my token is not working? The way I use it, Is it wrong? And/or oauth2 token generation way is it wrong?
The access token is sent as an authorization header. The access token should be prefexed with the term bearer as it is a bearer token.
I am using Forgerock as my identity provider and am looking for something in their rest api where i can provide an access token in the form of a Authorisation Bearer Token and get the corresponding JWT token to use as a Authorisation Bearer Token in a subsequent rest api call.
Can someone help me with what endpoint I can call in Forgerock to do this? I've had a look at the userinfo endpoint, that seems to return what is in the id_token in json format, but I want the actual id_token. A "token exchange".
thanks
There is no endpoint defined by specifications to obtain and ID token for an access token. Specificaitons define about token intrsopection endpoint (RFC7662) and user info endpoint (which you have already figured out).
Other than these, best option is to obtain ID Token from token response itself. For this you need to follow OpenID Connect request format, which include scope value openid. For this, you will require end use consent (most of the time) which allows authorization server to share their claims through id token.
Google Doc says that you can specify response_type for gapi?.auth.authorize
You can use it to get id_token
I have questions.
Does WSO2 support something similar to:
https://docs.wso2.com/display/AM190/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type
using JWT instead of SAML?
Is it possible to achieve it using Facebook/Google as Federated identity provider?
And another one:
Can we use JWT token instead of OAuth2 Access Token in WSO2 Api Manager to authorize incoming requests?
Thanks
Does WSO2 support something similar to:
https://docs.wso2.com/display/AM190/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type
using JWT instead of SAML?
Yes, it does. We have the JWT Bearer Grant implementation for this. The idea behind JWT Grant is that a signed JWT valid according to [1] issued by a trusted IDP can be exchanged for an access_token. Follow [2] to try out the JWT Bearer Grant.
Facebook and Google do issue JWTs in the form of id_token. But there's a problem with using those id_token as a JWT Bearer Grant at the moment. According to the spec[1], the JWT Bearer Grant must contain some value in the 'aud' claim to let the entity that validates the bearer grant that it was intended to them. At present we cannot do this with any OpenID Connect provider ie. there is no standard way to request a OIDC provider to give us a token that we can use at 'X' identity provider.
Can we use JWT token instead of OAuth2 Access Token in WSO2 Api
Manager to authorize incoming requests?
AFAIK, this is not possible out of the box. One solution would be to use the JWT to get an access token using the JWT Bearer grant type. And then use the access_token APIM.
[1] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-12#section-3
[2] https://docs.wso2.com/display/ISCONNECTORS/JWT+Grant+Type+for+OAuth2
We want to make simple authorization for server-server HTTPS communication (we control both servers) like classic API_KEY: client has hardcoded (in a config) a key which use in every request. Server check if the key is valid.
Our colleague has implemented it like OAuth2 Bearer token (RFC6750)
Authorization: Bearer client_key
So the client has the client_key in the config, it's never refreshed. It works well, we have just a philosophical dispute in the company, if such "hardcoded" Bearer token is along with OAuth2 or not. (Disclaimer: I am not with any side of the dispute.)
The OAuth 2.0 protocol basically defines an access_token - which is a token that is bound in time and permissions - and two protocol "legs":
how to obtain and access token
how to use/present an access token
You do not use access tokens (since your tokens are not bound in any way) and you've only "syntactically" implemented part 2. In fact you don't actually implement OAuth 2.0 in that case. You may present the client_key just as well in an HTTP Basic header or in a query parameter, it has nothing to do with OAuth 2.0 except that you're borrowing (arguably: abusing...) its header name and format.
We are exploring the MailChimp API v3.0. There are two types of authentication methods: Basic and OAuth 2.
We are able to authenticate using both ways, but there is confusion with the Authorization Header part:
Basic Authentication (both authorization headers below work):
Authorization: Basic base64 format of username:APIkey
Authorization: Basic only APIKey
OAuth 2 Authentication (both authorization headers below work):
Authorization: OAuth access_token
Authorization: OAuth only APIKey
The API documentation refers only to the first approach of each of the above authentication methods.
Is the second approach of each valid? i.e. can we authenticate using only the API key in the place of the base64 encoded string (Basic auth), and only the API key in place of the access token (OAuth 2)?
OAuth on MailChimp is a way to retrieve an access token. You can then use that access token (or an API Key that you get from the dashboard) in the Basic Auth setup.
While it may work to pass the API key by itself in the header, I'd recommend following the actual Basic Auth methodology of the base64 encoded 'username:apikey' or 'username:access_token'. Almost all HTTP libraries will do this part for you. For example, with cURL, you can do this:
curl --user myusername:myapikey "https://dev.api.mailchimp.com/3.0/lists/"
Depending on your language and library, it will be handled different ways, but all of the ones I've worked with have made it easy to do Basic Auth.