I have created a REST API server using go-swagger and added bearer token security to a few endpoints. As per docs, the token verification method should have a signature like func(string) (interface{}, error).
The token verification method returns an error if the passed bearer token is not valid. This results in 500 responses to the requestor with JSON response body:
{
"code": 500,
"message": "Token is expired"
}
However, as standers how can I make this response with code 401.
Note: A similar discussion like this for Java can be found at https://stackoverflow.com/a/60738107/16087692 , Is there any way to achieve this Go?
I've no experience with go-swagger but just stumbled upon this question.
The answer is in the examples:
https://github.com/go-swagger/go-swagger/tree/master/examples/authentication
The example shows that the function returns an:
errors.New(401, "incorrect api key auth")
This is an error from the package: "github.com/go-openapi/errors" where you can pass in a http status code.
Related
I used files from "https://github.com/Omkar0231/Django-Login-API" with as is. The login request from Postman is resulting in error, "detail": "JSON parse error - Expecting value: line 1 column 1 (char 0)", while the terminal shows "Bad request...".
The developer of the source code in above git has also explained it in a video, "https://www.youtube.com/watch?v=6d0fiPj0dsA", however, in video everything seems to be working as expected.
Whatever I understood from Googling, I thought that a bearer token is to be included in the login request as header. But I don't know where to find the bearer token in my Django app. However, in the video, the original author/developer did not include any such header token for the login request from Postman.
Please help me figure out the issue.
Been searching a lot but nothing seems to be working for me,
I'm trying without success to obtain the CSRF Token from a springboot application.
Postman is the chosen APP to try the API Rest.
I am performing a HTTP:POST method invoking a REST API from the application but i am getting this error message:
{
"timestamp": 1956618364439256,
"status": 403,
"error": "Forbidden",
"message": "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.",
"path": "/api/rest/taxes"
}
This is my URl:
http://serverser45.swbc.local:9080/api/rest/orders/taxes
Do note that only the HTTP: POST is allowed to be used
I cannot perfom a HTTP: GET method and obtain the CSRF Token within a cookie or something like that. Nothing seems to be working for me.
How can i do that?
I was working on asp.net web api and used OpenIdDict as a way to add authorization. I got some problems, which I quickly resolved, but got stuck on one. Whenever I call the Exchange from the controller, it returns 400 and a response body:
{
"error": "invalid_request",
"error_description": "The mandatory 'Content-Type' header is missing.",
"error_uri": "https://documentation.openiddict.com/errors/ID2081"
}
I have experimented and searched more and found out, that the 1 part causing the problem is this:
[HttpPost("~/connect/token")]
[Produces("application/json", "application/vnd.my.v1+json")]
the post runs as intended, but the 'produces' can't define the content-type for the request and that's why I get an error. Even know all this, I don't know how to resolve the error. I have even re-tested an already working project and the same error occurred.
This is what i did when i tried to test my api to authorize using postman.
In the body choose data type as
x-www-form-urlencoded
and set content type in the headers to
application/x-www-form-urlencoded
We're having an issue in generating access token using OAuth2 Service Account for Google Apps marketplace users. The token generated here would be used in accessing Google APIs(Contacts, Calendar, Mail, Admin SDK APIs) and thus all the Google Integrations within our Services are failing. This has started failing abruptly from March 9th 8AM PST. Can you please consider this as high priority and let us know the reason for the issue or if we have missed something here. We are getting API response as
{ "error": "invalid_request" }
Please find the below sample request with all the headers and params for 2 sample requests for "https://www.googleapis.com/oauth2/v4/token"(as in documentation) and "https://accounts.google.com/o/oauth2/token" endpoints. Both result in a error message with responses { "error": "internal_failure", "error_description": "Invalid Value"} and { "error": "invalid_request" } respectively.
P.S: The service email address,private key files used for generating the below signature in the sample requests works if we use respective Google Client libraries. But we are making use of Google's REST APIs. We've created a sample application in Google APIs console for testing with new service account details and this results in the same exception.
URL:
https://www.googleapis.com/oauth2/v4/token
Headers:
Content-Type:application/x-www-form-urlencoded
BODY:
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9vYXV0aDIvdjQvdG9rZW4iLCJzdWIi
OiJqYWdzQHNvbHV0aW9udGVzdC5jb20iLCJzY29wZSI6Imh0dHBzOi8vbWFpbC5nb29nbGUuY29t
LyIsImlzcyI6IjQ2OTU3MTY1OTAxNUBkZXZlbG9wZXIuZ3NlcnZpY2VhY2NvdW50LmNvbSIsImV4
cCI6MTQ1NzU5NTkwMCwiaWF0IjoxNDU3NTkyMzAwfQ==.VrsqS0nYSUVZn_SwMi7UJEYLDqRcWLzPrF9o6av-t1IYZbRkTybEdcnwWeUfnYXl_F88gFTllmRg
LSTBahM5gqpZrEAaWrRiDEVTo6rcN3hWm7MHcmZbwgdJB8B0ObV0Ivp5aTdLC5HcqsOumJvYpDCF
SyGU8StSg9pDujERzOo=
Response:
code:400
{
"error": "internal_failure",
"error_description": "Invalid Value"
}
URL:
https://accounts.google.com/o/oauth2/token
Headers:
Content-Type:application/x-www-form-urlencoded
BODY:
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9vYXV0aDIvdjQvdG9rZW4iLCJzdWIi
OiJqYWdzQHNvbHV0aW9udGVzdC5jb20iLCJzY29wZSI6Imh0dHBzOi8vbWFpbC5nb29nbGUuY29t
LyIsImlzcyI6IjQ2OTU3MTY1OTAxNUBkZXZlbG9wZXIuZ3NlcnZpY2VhY2NvdW50LmNvbSIsImV4
cCI6MTQ1NzU5NTkwMCwiaWF0IjoxNDU3NTkyMzAwfQ==.VrsqS0nYSUVZn_SwMi7UJEYLDqRcWLzPrF9o6av-t1IYZbRkTybEdcnwWeUfnYXl_F88gFTllmRg
LSTBahM5gqpZrEAaWrRiDEVTo6rcN3hWm7MHcmZbwgdJB8B0ObV0Ivp5aTdLC5HcqsOumJvYpDCF
SyGU8StSg9pDujERzOo=
Response:
code:400
{
"error": "invalid_request"
}
EDIT:Sample request as in the documentation. This code was working for us for the past 2 years and suddenly it stopped working yesterday.
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI3NjEzMjY3OTgwNjktcjVtbGpsbG4xcmQ0bHJiaGc3NWVmZ2lncDM2bTc4ajVAZGV2ZWxvcGVyLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvcHJlZGljdGlvbiIsImF1ZCI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi90b2tlbiIsImV4cCI6MTMyODU3MzM4MSwiaWF0IjoxMzI4NTY5NzgxfQ.ixOUGehweEVX_UKXv5BbbwVEdcz6AYS-6uQV6fGorGKrHf3LIJnyREw9evE-gs2bmMaQI5_UbabvI4k-mQE4kBqtmSpTzxYBL1TCd7Kv5nTZoUC1CmwmWCFqT9RE6D7XSgPUh_jF1qskLa2w0rxMSjwruNKbysgRNctZPln7cqQ
It worked after changing the sun.misc.BASE64Encoder encoding part in my code for generating jwt token.
byte[] encode = BASE64Encoder.encode(data).replaceAll("\n", "").getBytes();
(or)
Change your BASE64Encoder encoding part while generating jwt token from sun.misc.BASE64Encoder to org.apache.commons.codec.binary.Base64 as
Base64 encoder = new Base64();
byte[] encode = encoder.encodeBase64(data);
Add comments if you anyone need any clarifications.
This solution was provided by Google.
I have a web app that uses form based authentication. When an AJAX request fails due to session timeout, I need to send an appropriate notification. It looks like I could send:
403 Forbidden, but that implies "authorization will not help", which is false.
401 Unauthorized, but responses "MUST include a WWW-Authenticate header field" and the information on what exactly the value should be when using form based authentication is limited.
When an AJAX request fails because the user is not authenticated, what then is the appropriate response?
I tend to interpret 403 as "HTTP authorization will not help", and use it instead of 401 when not using HTTP authentication.