I'm trying to use Micronaut GraphQL using keycloak JWT. I was able to get things working with Basic Auth, trying to move over to bearer token instead, and I'm missing something, as I always get a 401 Unauthorized, but I'm not seeing any useful error messages in the log, even with the logging set to TRACE
Using Micronaut 3.0.0.
My application.yml looks like this:
micronaut:
application:
name: myapp
server:
cors:
enabled: true
port: 8080
security:
authentication: bearer
intercept-url-map:
- pattern: /graphiql
access:
- isAnonymous()
- pattern: /graphql
access:
- isAuthenticated()
endpoints:
login:
enabled: false
token:
jwt:
enabled: true
signatures:
jwks:
keycloak:
url: http://xx.xx.xx.xx:8090/auth/realms/myrealm/protocol/openid-connect/certs
oauth2.clients.keycloak:
grant-type: password
client-id: myapp-backend
client-secret: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
authorization:
url: http://xx.xx.xx.xx:8090/auth/realms/myrealm/protocol/openid-connect/auth
custom:
keycloak:
url: http://xx.xx.xx.xx:8090
graphql:
enabled: true
path: /graphql
graphiql:
enabled: true
path: /graphiql
here is what I'm posting to test:
curl --location --request POST 'localhost:8080/graphql' \
--header 'Authorization: Bearer {exceptionally long jwt token}' \
--header 'Content-Type: application/json' \
--data-raw '{"query":"query test { scenarios { id } }","operationName":"test"}'
I'm not sure what else would be useful to provide. Any thoughts?
I don't know much about Micronaut but isn't this missing an openid configuration like this:
micronaut:
security:
oauth2.clients.keycloak.openid:
issuer: http://xx.xx.xx.xx:8090/auth/realms/myrealm
After more searching and stepping through in the debugger, I was able to finally determine that I had mistyped my realm name.
However, for posterity, here is the minimal configuration that I needed to run:
micronaut:
application:
name: myapplication
server:
cors:
enabled: true
port: 8080
security:
enabled: true
authentication: bearer
intercept-url-map:
- pattern: /graphiql
access:
- isAnonymous()
- pattern: /graphql
access:
- isAuthenticated()
endpoints:
login:
enabled: false
token:
jwt:
enabled: true
signatures:
jwks:
keycloak:
url: http://xx.xx.xx.xx:8090/auth/realms/MyRealm/protocol/openid-connect/certs
oauth2.clients.keycloak:
grant-type: password
client-id: myapp-backend
client-secret: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
authorization:
url: http://xx.xx.xx.xx:8090/auth/realms/MyRealm/protocol/openid-connect/auth
custom:
keycloak:
url: http://xx.xx.xx.xx:8090/auth/realms/MyRealm
graphql:
enabled: true
graphiql.enabled: true
graphql-ws.enabled: true
Related
I created AWS sam application. It has a REST API customers. Presently I'm able to add only one http method type either GET or POST.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: ""
Globals:
Function:
Timeout: 59
Resources:
HealthFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: src/
Handler: index.handler
Runtime: nodejs14.x
Architectures:
- x86_64
Events:
Health:
Type: Api
Properties:
Path: /health
Method: get
Customers:
Type: Api
Properties:
Path: /customers
Method: get
Outputs:
HealthApi:
Description: "API Gateway endpoint URL for Prod for Health function"
Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/health"
CustomersApi:
Description: "API Gateway endpoint URL for Prod for Health function"
Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/customers"
How can I declare customers API http methods both GET and POST?
You can define multiple events for the same path.
CustomersGetEvent:
Type: Api
Properties:
Path: /customers
Method: GET
CustomersPostEvent:
Type: Api
Properties:
Path: /customers
Method: POST
As an alternative you can also use Method: ANY.
I am using Ansible's URI module to call a simple GET endpoint but I am getting a 401 error message as shown below.
Here is the playbook configuration
- name: Elasticsearch Cluster health Check
uri:
url: https://elastichost:9200/_cluster/health?&pretty
url_password : xxxxxxx
url_username : xxxxxx
validate_certs : no
method: GET
body_format: json
force_basic_auth: yes
return_content: yes
headers:
Content-Type: "application/json"
register: showhealth
tags: NonProd
- name: Show Elasticsearch Health
debug: var=showhealth
tags: NonProd
Any inputs on how to resolve
specific issue with elastic. elastic is secure, you need token or certificate to connect to api.
And ofc, your's user need correct right.
exemple
- name: Create update_user
uri:
url: 'uri'
method: POST
user: elasticuser
body_format: json
headers:
Content-Type: application/json
body: '{{ item.body }}'
client_cert: 'certificate.crt'
client_key: 'certificate.key'
password: '{{ elastic_password }}'
validate_certs: false
return_content: true
Questions:
IntegrationResponse to Sam template ? Is it possible without OpenApi?
Way to add headers to GatewayResponses in SAM template?
What im trying to achive:
Define gateway responses and integration responses inside a SAM
CloudFront template.
What i checked so far:
SAM github link
SAM issue
I was checking SAM github but for me it wasnt clear how to do it based on the above link.
Also i didnt found any answer on stackoverflow which would explain why the headers are bad in my gatewayresponse snippet
Every Help is appreciated
Some examples:
Globals:
Api:
GatewayResponses:
MISSING_AUTHENTICATION_TOKEN:
ResponseParameters:
# gatewayresponse.header.Cache-Control: "no-cache"
ResponseTemplates:
"application/json" : '{"errors": [{errorKey: "error Value"}]}'
StatusCode: '404'
#defaultResponse: true
Expected function level integrationResponse:
Function:
Type: AWS::Serverless::Function
Properties:
Handler: Function.handler
Timeout: 20
CodeUri: "src/Function"
Role: .......
Events:
FunctionGet:
Type: Api
Properties:
Path: /Function
Method: get
IntegrationResponse:
SOME_ERROR_CODE
ResponseTemplates
integrationresponse.header
So long story short half of my question is stupid. in proxy integration API GW is by defult returning the response from server to client no need further declaration in SAM template.
As for the headers the following way is the correct:
Globals:
Api:
GatewayResponses:
MISSING_AUTHENTICATION_TOKEN:
ResponseParameters:
Headers:
Access-Control-Allow-Origin: "'*'"
Access-Control-Allow-Headers: "'*'"
Cache-Control: "'no-cache'"
Content-Type: "'application/json'"
ResponseTemplates:
"application/json" : '{"errors": [{errorKey: "error Value"}]}'
StatusCode: '404'
#defaultResponse: true
security:
oauth2:
client:
registration:
google:
clientId: #############################
clientSecret: #############################
redirectUriTemplate: "{baseUrl}/oauth2/callback/{registrationId}"
scope:
- email
- profile
facebook:
clientId: ##################
clientSecret: ###############################
redirectUriTemplate: "{baseUrl}/oauth2/callback/{registrationId}"
scope:
- email
- public_profile
github:
clientId: #######################
clientSecret: ###########################
redirectUriTemplate: "{baseUrl}/oauth2/callback/{registrationId}"
scope:
- user:email
- read:user
linkedin:
client:
clientId: ##############
clientSecret: ##################
redirectUriTemplate: "{baseUrl}/oauth2/callback/{registrationId}"
scope: r_liteprofile r_emailaddress
clientAuthenticatioMethod: POST
provider:
facebook:
authorizationUri: https://www.facebook.com/v3.0/dialog/oauth
tokenUri: https://graph.facebook.com/v3.0/oauth/access_token
userInfoUri: https://graph.facebook.com/v3.0/me?fields=id,first_name,middle_name,last_name,name,email,verified,is_verified,picture.width(250).height(250)
This is my application.yml page. I Have used code from this Link for integrating linkedIn like facebook and google.
but it is showing error
Authorization Request failed: java.lang.IllegalArgumentException: Invalid Client Registration with Id: linkedin
Kindly help me out in this.Thanks in advance
Properties you provided seem to be incorrect in following line:
linkedin:
client: <--- this is unwanted
clientId: ##############
clientSecret: ##################
redirectUriTemplate: "{baseUrl}/oauth2/callback/{registrationId}"
scope: r_liteprofile r_emailaddress
clientAuthenticatioMethod: POST
You should remove line with "client" and keep like this:
linkedin:
clientId: ##############
clientSecret: ##################
redirectUriTemplate: "{baseUrl}/oauth2/callback/{registrationId}"
scope: r_liteprofile r_emailaddress
clientAuthenticatioMethod: POST
Like the above ones. I suppose you should also include provider for linkedin to make OAuth working.
How to pass the pathParameter user_id to the first function in a Step Function?
PS: I'm using API Gateway to invoke the step function.
stepFunctions:
stateMachines:
hellostepfunc:
name: HelloStep
events:
- http:
path: users/list/{user_id}
method: GET
cors: true
authorizer: aws_iam
You can try something like below, hope it helps.
serverless.yml
events:
— http:
path: users/list/{user_id}
method: get
cors: true
request:
parameters:
paths:
user_id: true