I'm in the process of applying swagger to a project of mine.
In terms of Authorization, the user can log in with email and password and they'll get an authorization token.
They're then supposed to send this token along with every call, in the header.
So it would be like: MyAuthorization: authKey
Looking at the swagger documentation, it seems that it is only set up to handle OAuth. Is there a way to have swagger handle the authentication my way? I mean in the generated code. I can generate code for the project, it just only has "Basic: ..." as an option.
I'm running swagger 1.3.6, can't upgrade due to dependencies.
From the Swagger 1.2 specs
You can define an authorization object which specifies you are using
a type of "apiKey"
a passAs of "header", to indicate the key is passed in the request header
a keyname of "MyAuthorization", or whatever your header is
Related
In my dataflow configured in Apache Nifi, I have an API that requires Authorization header (bearer token) to invoke with a GET request.
I'm trying to configure the InvokeHTTP processor for this, but it doesn't support Authorization headers by default.
How can I add the Authorization header (maybe as an Attribute) into the GET request using Nifi's InvokeHttp processor?
You can add as many "dynamic properties" to the processor config as you like and they will be passed as HTTP headers on the request. You can populate the token via parameter or general Expression Language in the property value, but be aware that if using variables/parameters, you won't be able to use sensitive parameters because those must be referenced exactly rather than combined, and in this case you'll need to prepend the value with Bearer . There is an open ticket to make authorization header usage (OAuth2 specifically) easier with this processor.
I am trying to do a request my Netsuite RESTlet using Alamofire (SWIFT) but I meet several difficulties:
In the documentation it's specify the different parameters needed (see below).
DOCUMENTATION:
An OAuth 1.0 RESTlet authorization header requires the data described in the following table. Some of these values can be obtained from the NetSuite UI. Other values must be calculated. Typically, your integration should include logic to identify these values and generate the finished header. Follow the OAuth 1.0 protocol to create the authorization header.
However in postman I am using extra parameters (consumer Secret and the Token Secret) and it's works if I remove them it doesn't works
To finish when i check the Authorization header generated by postman, I see only the specify parameters in the documentation :
OAuth realm="my realm",oauth_consumer_key="myConsumerKey",oauth_token="myAccessToken",
oauth_signature_method="HMAC-SHA1",oauth_timestamp="1543488570",
oauth_nonce="ERxdLbUfkeh",oauth_version="1.0",oauth_signature="UeqmxAyeUqtPoICLo%2FARsQE8B1E%3D"
If someone can explain me this, I could implement TBA authentification in my Application but for now I need to understand better this authentification.
I also spend a few hours trying to make it work. In my case I wasn't adding the account ID to the realm param. Here a picture of what I ended with:
Here where you can get the account ID:
I hope it helps
The explanation of why the consumer secret and the token secret are needed by Postman to generate the token is shown in SuiteAnswer 42019 - as referenced in the Notes section beside oauth_signature in your screenshot above. From that page:
Sign the result string from step 5 using the consumer secret and token secret concatenated using '&' (For this case, HMAC-SHA1 or HMAC-256).
In other words, Postman uses the secrets to generate the output which authenticates your credentials - you cannot generate the oauth_signature correctly without them.
I ran into a lot of issues with NetSuite broken RESTlet/TBA connections as well. I did build this out in our software to help out customers. You can see the methods I used in the article below.
Using NetSuite TBA by Calling a RESTlet from an HTTP Source or Target
I want to use thymeleaf instead of angular JS. I can use templates with out security and i can add httpsecurity for that URL, My question is that how to authorize the URL? currently I am using JWT token mechanism.
Thanks
The 401 error is expected, it means you did not provide a valid token.
When using Thymeleaf templates, JWT is not the best choice because it means you will have to write some javascript to handle it as a HTTP header which seems to goes against what you wanted to achieve (not using angular).
I'd recommend that you use cookies and so select session auth type.
Please note that you could also modify JHipster JWT code so that it uses a cookie rather than a HTTP header but this is more work than simply using session auth type?
I am adding JWT Auth for a completely new frontend to a legacy Rails backend.
Upon HTTP request, it seems most sources suggest I send the token back to the server via Bearer Header.
Why? What is the additional value of sending via header (bearer or basic). What can't I simply pass the JWT back to the server via .json and authenticate the token from there.
What benefit does an Authorization header give me, and moreso, what does a Bearer Authorization header give me?
I can of course simply follow everyone's example, but want to understand why. The bearer docs are verbose and hard to understand what I'm gaining over simple sending the JWT as part of the data in the request.
Thank you.
You can technically send a json body on each request with the JTW but that would be non standard behaviour (for instance, GET requests should not have a body via the spec).
A more standard way would be to provide an Authorization HTTP header.
The Authorization header is not specific to JWTs and its role is to specify an auth scheme between the client and the server.
Another way would be to include the JWT inside a cookie but that would make the behaviour browser specific while the HTTP header can be sent by virtually any HTTP client.
P.S
Bear in mind that contrary to Auth cookies which are sent by the browser automatically the Authorization header needs to be set by the client explicitly.
When an OAuth signed request is made to a Rails 3 app, I can see the OAuth consumer key in amongst the other values in request.headers["HTTP_AUTHORIZATION"]. What is a better way to access it? I'm using the OAuth gem.
According to this section in the OAuth specification, the Authorization header is the preferred way of sending OAuth protocol parameters. The specification does make allowances for sending protocol parameters in a form encoded body or in the request URI, if the request meets certain requirements.
To answer your question: parsing the Authorization header is a must for any OAuth provider. But you may also look for it (and other protocol parameters) amongst "normal" parameters, you will never find them in more than one place,