How can i attach a client certificate in a http request in java-me?
In c# i would simply do this as
request.ClientCertificates.Add(new X509Certificate());
where request is an instance of HttpWebRequest.
Related
Does the authorization server directly sends the auth code to the Redirect URI that the client specified or else Is there an Intermediate to whom the auth code will be sent first? If the auth code will be sent to the redirect URL ,then that redirect URL is an endpoint of the client's backend server?
Yes, the authorization code is sent from the authorization server to the web-backend-server via the browser redirect URL
Why via the browser:
Because it's the application the user used to consent/login
Why auth code not token:
Because URLS are visible in browser and network appliances
The step after that is the web-backend-server will exchange the auth code with a token from the auth server
I'm using the OAuth Authorization Code flow to authenticate the user and authorize my application against the WSO2 Identity Server. I'm using a simple node/express server, with Passport.js, to get the Access Token, and Postman to use that Access Token to make a few test requests to the SOAP APIs.
When using a Bearer Token method to authorize my application, I get the following error in the IS logs: 0 active authenticators registered in the system. The system should have at least 1 active authenticator service registered. I get the following error in Postman: 500 Internal Server Error, with the following response body, <faultstring>Authentication failure</faultstring>.
Here is what it looks like in Postman:
The same Access Token works with a REST API request, like "https://localhost:9443/scim2/Me".
Can anyone tell me what I'm missing here?
SOAP APIs in WSO2 Identity Server cannot be authenticated with Bearer tokens. They can be authenticated with Basic authentication and cookies. That's the reason for getting Authentication failure in the response.
But REST APIs in the Identity Server can be authenticated with Bearer tokens. So /scim2/Me authenticate successfully with access token.
Try to get the Access token manually from Authorize service and use it
Step 1: Get authorization code
https://<is_server_url>:9443/oauth2/authorize?client_id=<id>&redirect_uri=<callback_url>&response_type=code&scope=openid
You will get an authorization code on the callback URL
Step 2: Call token service to get access token
Post https://<is_server_url>:9443/oauth2/token
Content-Type:application/x-www-form-urlencoded
Authorization:Basic <base64encoded "<client_id>:<client_secret>">
grant_type:authorization_code
scope:openid
code:<code_from_step_1>
redirect_uri:<callback_url>
exp:
client_id=**abcdefgh12345678**
client_secret=**xyzsecretkey**
callback_url=**http://locahost/callback**
scope=openid
server: localhost
base64encode(client_id:client_secret)= base64encode(abcdefgh12345678:xyzsecretkey) => YWJjZGVmZ2gxMjM0NTY3ODp4eXpzZWNyZXRrZXk=
GET https://localhost:9443/oauth2/authorize?client_id=**abcdefgh12345678**&redirect_uri=**http://locahost/callback**&response_type=code&scope=openid
it will make a request back to the callback url with a parameter code, lets say code=this01is02your03code, please check your browser address bar
POST https://localhost:9443/oauth2/token
HEADERS
Content-Type:application/x-www-form-urlencoded
Authorization:Basic **YWJjZGVmZ2gxMjM0NTY3ODp4eXpzZWNyZXRrZXk=**
BODY
grant_type:authorization_code
scope:openid
code:this01is02your03code
redirect_uri:http://locahost/callback
this will return an access token, let say token returned by the server is 12345678ASDFGH
Now you could use this token to call any RestFull or SOAP service
Authorization: Bearer 12345678ASDFGH
I'm writing a Go application which has to authenticate using auth0. This is done similar to how Google do it, by creating a HTTP server and setting the callback url to localhost
https://developers.google.com/identity/protocols/OAuth2InstalledApp
Instead of sending the access_token in the HTTP body, it stored the token in the URL which could be cached by the browser/proxy.
http://127.0.0.1:36572/auth0/authenticate/#access_token=eyJ0...truncated...SVYsfTThUhssJSh2C9FSvSGFusdw&expires_in=7200&token_type=Bearer&state=QuSsUxSZkYtFi7QPJkpxB9VI23lO3x4W
How do I configure auth0 to make the callback request to http://127.0.0.1:36572/auth0/authenticate, and store the sensitive tokens in the HTTP response body?
Thanks
EDIT: https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce
I have a web api and MVC project,
The web api is deployed at api.domain.com
The MVC app is deployed at domain.com
I recently secured certain methods on the API, it requires authentication (grant type: password).
I want to have the token passed around in the code behind of the MVC app and not javascript, to keep it secure and away from someone sniffing angular js traffic.
I did some research and I should use the HttpClient class. If this is the case how does this client handle refresh tokens? Right now the token expires after 8 hours, I know a refresh token is also issued but does the HttpClient automatically handle this or do I have to write my own logic to check if a request was denied due to an expired token.
Thank you!
I did some research and I should use the HttpClient class. If this is
the case how does this client handle refresh tokens?
The HttpClient class is, as its name suggest, an HTTP protocol client. It knows strictly nothing about OAuth 2.0 and in this respect nothing about refresh tokens. So you should write this logic yourself. Basically the flow you should follow is something along those lines:
Send an HTTP request t othe target endpoint using the HttpClient and including your existing OAuth Bearer token in the Authorization header field.
If the request succeeds then you are good to go. If the request fails with 401, then you should use your refresh token in order to renew your access token and then repeat step 1 with your new access token.
I think using a HttpMessageHandler can help you.
The way this is wired up to an HttpClient is by using the HttpClient constructor that takes a HttpMessagHandler:
1: // Create client and insert an OAuth message handler in the message path that
2: // inserts an OAuth authentication header in the request
3: HttpClient client = new HttpClient(new OAuthMessageHandler(new HttpClientHandler()));
The HttpClientHandler is the default “network” handler provided by HttpClient that actually sends the request and received the response from the network.
Refer this for complete detail: https://blogs.msdn.microsoft.com/henrikn/2012/02/16/extending-httpclient-with-oauth-to-access-twitter/
I can call the HTTP web service but when the same service is HTTPS it throws error that it cannot be called. I am invoking it from iOS application. Do I need to pass some additional header fields related to HTTPS.
UPDATE (SOLUTION):
Seems like it just needed the HOST header parameter.
if you are not passing any authorization parameters in any way to the service and it is just a url: "https://www.xxxxxx.com/dev/tools/search=?" the issue is from server side authentication certificate. they need to allow the request to be taken in from server's end by configuring server authentication certificate.