WebSphere Docker OAuth - oauth

I need to implement OAuth against an IBM WebSphere server. For that purpose I built a Docker environment, https://github.com/hhoechtl/websphere-oauth, according to http://www.ibm.com/developerworks/websphere/techjournal/1305_odonnell2/1305_odonnell2.html
But if I try to get a token with
curl -X POST -H "Accept-Charset: UTF-8" -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=password&client_id=LibertyRocks&client_secret=AndMakesConfigurationEasy&username=admin&password=admin' "https://192.168.99.100:9443/oauth2/endpoint/DemoProvider/token"
I get the error:
{
"error_description": "CWWKS1406E: The token request had an invalid client credential. The request URI was /oauth2/endpoint/DemoProvider/token.",
"error": "invalid_client"
}
But according to my server.xml that should be correct. What am I missing?

Would you be able to turn on and provide the server trace for that invocation? The message indicates that either credentials weren't found in the request, or credentials were found but were invalid for that client. It would be useful to know which is the case here.
You can enable trace by adding this snippet to your server.xml:
<logging traceSpecification="*=info=enabled:com.ibm.ws.security.*=all=enabled:com.ibm.oauth.*=all=enabled" />
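The answer distinguishes two causes behind the same CWWKS1406E / invalid_client response: no client credential was found in the request, or one was found but did not match the registered client. The following is an added example, not IBM's or Liberty's code, that models how an OAuth 2.0 token endpoint makes that distinction (RFC 6749 section 2.3.1 allows the client secret either in an HTTP Basic header or in the form body). The client registry is constructed from the demo client id and secret in the question; the helper names are my own.

```python
import base64
import hmac
from urllib.parse import parse_qs

# Constructed registry of one client; the values are the demo ones from the
# question's server.xml, not real secrets.
REGISTERED_CLIENTS = {"LibertyRocks": "AndMakesConfigurationEasy"}
FORM = "application/x-www-form-urlencoded"


def basic_auth_header(client_id, client_secret):
    """Build the client_secret_basic Authorization value (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def extract_client_credentials(headers, body):
    """Return (client_id, client_secret) from a token request, or (None, None).

    The client may authenticate with HTTP Basic (client_secret_basic) or with
    client_id/client_secret fields in the form body (client_secret_post). The
    body is only parsed as a form when the Content-Type says so, which is why
    the curl command in the question has to set that header.
    """
    auth = _header(headers, "Authorization") or ""
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):]).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None, None
        client_id, sep, client_secret = decoded.partition(":")
        return (client_id, client_secret) if sep else (None, None)
    content_type = _header(headers, "Content-Type") or ""
    if content_type.split(";")[0].strip().lower() != FORM:
        return None, None
    params = parse_qs(body, keep_blank_values=True)
    return params.get("client_id", [None])[0], params.get("client_secret", [None])[0]


def check_client(headers, body, registry=REGISTERED_CLIENTS):
    """Classify a token request as 'missing', 'invalid' or 'ok' client credentials.

    'missing' and 'invalid' are the two cases the answer asks the trace to
    separate; a real server reports both as invalid_client to the caller.
    """
    client_id, client_secret = extract_client_credentials(headers, body)
    if not client_id or client_secret is None:
        return "missing"
    expected = registry.get(client_id)
    if expected is None or not hmac.compare_digest(
        expected.encode("utf-8"), client_secret.encode("utf-8")
    ):
        return "invalid"
    return "ok"
```

The constant-time comparison in check_client is the one detail worth copying into any real token endpoint: comparing secrets with `==` leaks timing information about how many leading bytes match.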

The next day it just worked, no idea why.

Related

Webpush::Unauthorized: host: fcm.googleapis.com, #<Net::HTTPForbidden 403 Forbidden readbody=true>

I am trying to integrate Web Push Notifications into the web application I am maintaining. I am using this GitHub repo, https://github.com/zaru/webpush, as my guide.
After following what is included in that guide, I ran this command in my terminal:
Webpush.payload_send(message: "Test", endpoint: n.endpoint, p256dh: n.p256dh_key, auth: n.auth_key, vapid: {private_key: "gAdLtJoNQHDXsd1iYxrvttW3YybuJX4GkN8LDMbSIuw=", public_key: "BHByXuCTQs7UuoqBN2MeLjL_gUHfsuhxKkV_QOdhm9mw9Ohl3giAoxdwtwuoXqYnIbaa7UaTC1BvwS8yv_pNOAU="} )
Suddenly, I encountered this error. Has someone here encountered the same error as I did? How did you resolve it? Thank you in advance.
Webpush::Unauthorized: host: fcm.googleapis.com, #<Net::HTTPForbidden 403 Forbidden readbody=true>
body:
the key in the authorization header does not correspond to the sender ID used to subscribe this user. Please ensure you are using the correct sender ID and server Key from the Firebase console.

Keycloak token exchange fails with "invalid_token" error

I have two Keycloak instances running locally. They are connected via OIDC. Everything works so far: I can log in via either of the Keycloak instances.
Now I am trying to set up token exchange and it fails with an "invalid_token" error. I want to do "external to internal" token exchange. The following Keycloak logs show Keycloak sending an HTTP GET request with the token I provided to the other Keycloak instance to get user info:
08:14:36,523 DEBUG http-outgoing-19 >> "GET /auth/realms/master/protocol/openid-connect/userinfo HTTP/1.1[\r][\n]"
08:14:36,523 DEBUG http-outgoing-19 >> "Authorization: Bearer eyJhbGciOiJSU...[\r][\n]"
and the response is 401:
08:14:36,530 DEBUG http-outgoing-19 << "HTTP/1.1 401 Unauthorized[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "X-XSS-Protection: 1; mode=block[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "X-Frame-Options: SAMEORIGIN[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "Referrer-Policy: no-referrer[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "Date: Tue, 24 Nov 2020 08:14:36 GMT[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "Connection: keep-alive[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "WWW-Authenticate: Bearer realm="master", error="invalid_token", error_description="Token verification failed"[\r][\n]"
The weird part is this: when I send the same request with curl, using the same token that does not work in Keycloak, it works:
curl -X GET 'http://localhost:8050/auth/realms/master/protocol/openid-connect/userinfo' \
-H 'Authorization: Bearer eyJhbGciOiJSUzI1N...'
{"name":"r o","sub":"fff41a6f-6910-4419-8d46-7630b57ed420","email_verified":true,"preferred_username":"ttt","given_name":"r","family_name":"o"}
All permissions for token exchange are set up (otherwise it does not send the request at all and fails with a different error).
What am I missing here? Any help is highly appreciated.
I figured it out. It worked using curl because I was using localhost, and it did not work in Keycloak because Keycloak used the local IP address (192.168.X.X). The core reason is in the token that has to be exchanged. The iss field must match the IP/host that is sending the request. In other words, in the token that I used to test token exchange, iss was equal to http://localhost..., and I also used localhost in the curl request. After using a token that had been issued from 192.168.XX, token exchange started to work.
Actually, from a security perspective it totally makes sense. Only the issuer of the token should be able to use it to get user info.
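The diagnosis above comes down to comparing the token's iss claim with the realm URL the userinfo request is actually sent to. The following is an added example, not Keycloak's code, that does exactly that check so the mismatch can be seen before the 401 comes back. The token is constructed and unsigned (a real Keycloak access token is RS256-signed); the payload is decoded without signature verification, which is fine for diagnosing a mismatch but must never be used to make an authorization decision. The 192.168.1.20 address and the helper names are assumptions for the demonstration.

```python
import base64
import json

USERINFO_SUFFIX = "/protocol/openid-connect/userinfo"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_token(claims):
    """Constructed, unsigned JWT-shaped token for the demonstration only.

    The signature segment is an empty placeholder because only the payload
    matters for the issuer check below.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def peek_claims(token):
    """Decode the payload WITHOUT verifying the signature.

    Diagnosis only: anything read this way is attacker-controlled until the
    signature has been checked against the issuer's published keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def expected_issuer(userinfo_url):
    """Derive the realm issuer that a Keycloak userinfo URL implies.

    Keycloak's realm issuer is scheme://host[:port]/auth/realms/<realm>, and
    the userinfo endpoint hangs off it, so stripping the suffix gives the
    issuer the server will compare the token's iss against.
    """
    if not userinfo_url.endswith(USERINFO_SUFFIX):
        raise ValueError("not a Keycloak userinfo URL")
    return userinfo_url[: -len(USERINFO_SUFFIX)]


def issuer_matches(token, userinfo_url):
    return peek_claims(token).get("iss") == expected_issuer(userinfo_url)


def diagnose(token, userinfo_url):
    """Return an explanation of an issuer mismatch, or None when it matches."""
    iss = peek_claims(token).get("iss")
    want = expected_issuer(userinfo_url)
    if iss == want:
        return None
    return (
        f"token iss {iss!r} does not match realm {want!r}: the token was issued "
        f"under a different host name, so this realm rejects it as invalid_token"
    )
```

In the question's setup the same realm is reachable as both localhost and 192.168.X.X, and a token carries whichever one it was issued under; the fix is to make Keycloak address its peer by the same host name the peer's tokens are issued with.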

No valid crumb was included in the request - Jenkins 403

My Crumb.sh file is:
crumb=$(curl -u "jenkins:pwd" -s 'http://yuvi_jenkins:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
echo $crumb
curl -u "jenkins:pwd" -H "$crumb" -X POST http://yuvi_jenkins:8080/job/ansible-project/build?delay=0sec
The output I get is:
Jenkins-Crumb:d3950e9f61bc9dd88fba532c17dba1ce220be11b92d78e720464afd38021a3fb
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 No valid crumb was included in the request</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /job/ansible-project/build. Reason:
<pre> No valid crumb was included in the request</pre></p><hr>Powered by Jetty:// 9.4.z-SNAPSHOT<hr/>
</body>
</html>
Solutions that I have tried:
1) Probably you are accessing Jenkins through a proxy server, so do the following:
Go to "Global Security Settings"
Check "Enables the Compatibility Mode for proxies"
Restart
2) To resolve this issue I unchecked "Prevent Cross Site Request Forgery exploits" in the jenkins.com/configureSecurity section.
I have tried the above solutions but I am still getting the same error.
According to the Jenkins documentation here, crumbs are now only valid for the web session in which they were created. To get around this you can store your cookies when making the crumb request, and then use those stored cookies when making subsequent API calls. So your script would become:
crumb=$(curl --cookie-jar ./cookie -u "jenkins:pwd" -s 'http://yuvi_jenkins:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
curl --cookie ./cookie -u "jenkins:pwd" -H "$crumb" -X POST http://yuvi_jenkins:8080/job/ansible-project/build?delay=0sec
Alternatively, the documentation I linked suggests setting the system property hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID to true, or using the Strict Crumb Issuer Plugin to change crumb validation to use something like time rather than the session ID.
Thanks to https://github.com/spinnaker/spinnaker/issues/2067#issuecomment-544993648 for helping me solve the same problem
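To see why the first script fails and the cookie-jar version succeeds, here is an added example that models a session-bound crumb issuer. It is hypothetical and simplified, not Jenkins' DefaultCrumbIssuer or the Strict Crumb Issuer Plugin's code: it only reproduces the property the answer relies on, that the crumb is a keyed digest over the user and (unless excluded) the web session id, so a crumb fetched in one session fails when the next curl call, lacking the session cookie, lands in a fresh session. The timed variant sketches the session-independent, expiring crumb the Strict Crumb Issuer option is described as providing. Session ids, the key and all names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


class CrumbIssuer:
    """Hypothetical model of a session-bound CSRF crumb (not Jenkins' code)."""

    def __init__(self, secret=None, exclude_session_id=False):
        # Server-side key; a crumb is only as unforgeable as this key is secret.
        self._secret = secret or secrets.token_bytes(32)
        self.exclude_session_id = exclude_session_id

    def _digest(self, *parts):
        material = ";".join(parts).encode("utf-8")
        return hmac.new(self._secret, material, hashlib.sha256).hexdigest()

    def issue(self, user, session_id):
        # Mirrors the EXCLUDE_SESSION_ID switch: when set, the crumb no longer
        # depends on which session presents it.
        if self.exclude_session_id:
            return self._digest(user)
        return self._digest(user, session_id)

    def validate(self, crumb, user, session_id):
        return hmac.compare_digest(crumb, self.issue(user, session_id))

    def issue_timed(self, user, issued_at):
        """Session-independent crumb that carries its own issue time."""
        return f"{issued_at}:{self._digest(user, str(issued_at))}"

    def validate_timed(self, crumb, user, now, ttl_seconds=300):
        try:
            issued_at_text, mac = crumb.split(":", 1)
            issued_at = int(issued_at_text)
        except ValueError:
            return False
        if not 0 <= now - issued_at <= ttl_seconds:
            return False
        return hmac.compare_digest(mac, self._digest(user, str(issued_at)))


def simulate_script(issuer, keep_cookie_jar):
    """Model the two curl invocations from the question.

    Without --cookie-jar/--cookie the second request carries no session
    cookie, so the server starts a fresh session (session-B here); with the
    jar both requests share session-A.
    """
    crumb = issuer.issue("jenkins", "session-A")
    second_session = "session-A" if keep_cookie_jar else "session-B"
    return issuer.validate(crumb, "jenkins", second_session)
```

Of the two workarounds the answer mentions, the cookie jar keeps the stronger binding; excluding the session id (or the timed variant) trades some CSRF protection for scriptability, which is acceptable only when the credential that fetched the crumb is itself a per-user API token rather than a shared password.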

How to handle RingCentral OAuth 2.0 "Invalid application" TokenInvalid error

When using an OAuth 2.0 Bearer token with the following cURL command and receiving the following error, what does the TokenInvalid "Invalid application" error mean, and how should it be handled? The application is valid in the Developer Portal, and the same token is working for other API calls in a running app.
cURL Request
curl -XGET https://platform.ringcentral.com/restapi/v1.0/account/~ \
-H 'Authorization: Bearer <my_token>'
Response
401 Unauthorized
{
"errorCode" : "TokenInvalid",
"message" : "Invalid application",
"errors" : [ {
"errorCode" : "OAU-127",
"message" : "Invalid application"
} ]
}
RingCentral operates different API environments that use different application definitions (client IDs and secrets). A token and application that are valid in one environment may not be valid in another.
A common reason for this error is that a token or application that is only valid in the sandbox environment is being used in the production environment. For example, this error will be encountered when making a request to the production environment (https://platform.ringcentral.com) with a token intended for the sandbox environment (https://platform.devtest.ringcentral.com).

Can't get header request Rails 5 API on production stage (AWS elasticbeanstalk)

I have a Rails 5 API. Tested locally, it runs perfectly. But after deploying to Elastic Beanstalk I have a problem: I can't get the authentication token which I put in the header. This is how I set the token when calling the API, and how I get/read it in my app:
Set when calling the API:
curl -H "Content-Type: application/json" -X POST http://example.com/users -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGc"
And read/get:
auth_header = request.headers['Authorization']
token = auth_header.split(' ').last
Any ideas what's going on?
I resolved it by using a dash ("-") instead of an underscore ("_") in the header.
example:
authentication-token
instead of
authentication_token
It will work 100%
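The answer gives the fix without the reason. The following is an added example, not the Rails app's or Elastic Beanstalk's code, that models why the underscore matters, assuming an nginx reverse proxy in front of the Rails process (the usual Elastic Beanstalk setup). Rack exposes every request header as an environment key built by upper-casing the name and turning "-" into "_", so `Authentication-Token` and `Authentication_Token` collapse to the same `HTTP_AUTHENTICATION_TOKEN`; because of that ambiguity nginx, with its default `underscores_in_headers off`, treats names containing underscores as invalid and drops them before the app sees them. The header names and values are constructed; `forward_headers` is a model of that nginx behaviour, not a call into nginx.

```python
def to_rack_env_name(header_name):
    """How Rack/Rails expose a request header: HTTP_ + upper case, '-' -> '_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def forward_headers(headers, underscores_in_headers=False):
    """Model of an nginx reverse proxy in front of the app.

    With the default underscores_in_headers off, any header whose name
    contains '_' is considered invalid and silently dropped; turning the
    directive on passes it through unchanged.
    """
    return {
        name: value
        for name, value in headers.items()
        if underscores_in_headers or "_" not in name
    }


def rails_sees(headers, underscores_in_headers=False):
    """Headers as request.headers would see them behind the modelled proxy."""
    forwarded = forward_headers(headers, underscores_in_headers)
    return {to_rack_env_name(name): value for name, value in forwarded.items()}


def bearer_token(rack_env, env_name="HTTP_AUTHENTICATION_TOKEN"):
    """Read the token the way the question's controller does (last space-separated part)."""
    raw = rack_env.get(env_name)
    if not raw:
        return None
    return raw.split(" ")[-1]
```

The same collapse is why the two spellings in the answer look interchangeable from inside Rails: the app cannot tell them apart, and only the proxy's filtering rule decides which one arrives.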
