I have an Appsnyc query which I would like to test via clients like Insomnia or Postman as I want to check what header parameters work when trying to access the appsync via client side code
The Appsync query has IAM authentication.
In header parameter, what should be given to execute the query. I understand ACCESS_KEY; SECRET_KEY and SESSION_KEY should be given but not sure about exact parameter key name?
Can you please help on this? Searched lot of documents but execution only using API KEY is given mostly.
For example: to test API KEY secured appsync, one has to give something like "x-api-key" under header parameter.
What works correctly for IAM secured query?
Related
I have an eco system that the gateway and federated services live. The problem is when the gateway starts it validates the services - to do this it needs to be authorised.
When a client is querying via federation gateway they supply a bearer token.
In both instances the request header authorization field is used.
I've read and reread the docs but I am unable to achieve this using different tokens for different actions.
Anyone any ideas or links to relevant docs?
Cheers
Rereading for the Xth time the solution is with the "buildService".
It is only called once for each implementing service. You can extend it and add whatever headers you need.
See here for docs + example:
enter link description here
I am trying to restrict user to just view its own data and not anyone else's. So, if a user (bob) tries to hit
/api/v1/get-device-info?username=jon
, I want API gateway to send 403, only allowing username=bob. On the Lambda side, I am getting data from RDS. To solve this, I was looking at Custom Authorizers and got blocked thinking how to establish the identity of the user making the query.
What do you mean "establish the identity of the user"? If you are using Custom Authorizers then the user should be sending a token in the request header that identifies them as your API's user.
Found myself opening a couple of functions for access to users with invalid session tokens. The only way I could find to do that is to intercept the request using a bodyParser before Parse gets the request and removing sessionToken from the request.
Now trying to do a better job managing authorization to all functions - My question are:
can I relax the requirement that if a sessionToken is included it must be valid in any other way? Is session token validation done using a default validationHandler that can be replaced or is that done elsewhere?
to control access to cloud functions, is there anything like ACL roles? does cloud function's "validationHandler" accept only param? or can I inspect the user object as well?
Yes. In parse-server you can make sure that the sessions are valid because if you will try to run any CRUD operation with invalid session you will get http 403 error that your session is not valid or expired. You can control on the "Length" of your session by changing the sessionLength property in your parse-server app. The default is 1 year
There is no control access to cloud functions but you can check if a logged in user trigger this function by checking if the request.user is not undefined. Cloud functions can get only params in key-value pairs and those params cannot be Parse Objects. if you want to send ParseObject you can send the objectId of the parse object and then query for it in cloud code to get the full object. You can always access the user context in request.user (only if cloud code was triggered by the user). If you still want to "protect" your cloud code you can check if the calling user have a Role by query the Role DB and check if the user is contained there.
I have used postman to test request with Twitter API (https://api.twitter.com/1.1/statuses/user_timeline.json), but it gives me
{"errors":[{"code":215,"message":"Bad Authentication data."}]}
My header is:
Authorization:OAuth oauth_consumer_key="MLcGSZNPmn2un5DKbtgnYi8JY",oauth_token="%20751004957898342400-YYpLg5dayAHVkaG47H9NVVkZiE7Z2bc",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1468092744",oauth_nonce="ABCDEFGHIJKLMNOPQRSTUVWXYZ123456",oauth_version="1.0",oauth_signature="fkf0NE2PmDLQZY%2BzMa7gQmA72kU%3D"
and postman auth setting is:
How can I solve this?
Remove the space in
oauth_token="%20751004957898342400-YYpLg5dayAHVkaG47H9NVVkZiE7Z2bc"
it should be
oauth_token="751004957898342400-YYpLg5dayAHVkaG47H9NVVkZiE7Z2bc"
while sending request to twitter
Make sure that you are providing the query parameters which are required.
I received the same error, 215 Bad Authentication Data when I was not providing the only required query parameter, the search string q, in the GetUsers call. But since I did not intend to search for any specific user, I resorted to the Streaming APIs.
We're developing an Oracle database based RESTful webservice and we're using OAuth2 code protocol flow to issue Bearer tokens for querying with OAuth2 Bearer Authorization.
The Authorization itself works fine, but when we perform a RESTful query, we need to know which user is currently associated with the token.
We initially tried with the "APEX_UTIL.GET_CURRENT_USER_ID", but it doesn't return a value when queried from via OAuth2 authorized RESTful query.
Do you have any ideas on how I could grab the current user in that scenario?
Thanks!
We found the solution, it's actually pretty simple:
Just use the property: ":current_user
;)