How can i use Access Token in laravel project - laravel

I get now the Access Token from Lumen-API-JWT (Backend) but the question is how can i work with that in the laravel-8-Client (frontend) project
Any Idea ?

In generally when we working with HTTP API or call need to authentication the user, Server will return the Access Token (JWT or whatever). Every API Request you need to bind that access token along with the header. Ex. Authorization: Bearer {{access_token}}.
When you fail to bind the access token server will return unauthenticated HTTP status code with the relevant message.
Please refer below links,
https://www.loginradius.com/blog/async/everything-you-want-to-know-about-authorization-headers

Related

Authenticate opaque token in the spring security oauth server

Using the old authorization server, the user request an opaque token using the Client credentials grant and then use it inside an Authorization Header when calling APIs. On our resource server, we would contact the authorization server to authenticate this token and retrieve client information.
On the new server, we have no problem generating this opaque token but I don't understand how we can authenticate this token ?
When calling the introspection endpoint, we have always an Unauthorized result due to using AnonymousAuthenticationToken: obviously since the user is already logged in, we don't ask him to give his client_id and client_secret for each call.
Is it possible to allow this behavior ?
Calling the introspection endpoint and having a success with the decrypted token metadata and not a 401.

Secure Bearer token in Authorization header in Laravel

Within my Laravel 9 (Jetstream) installation, I've createad an account (admin) and also created an API token for it directly from the user interface available by default. So the API has an account and an API token for it.
I am able to login to my (Laravel) API, using that token as a Bearer token method 'Authorization: Bearer '.
Everything fine for now, I can access protected routes of the API that are only available for logged-in users.
I've implemented this approach within my frontend app (SPA), which is on a different domain.
At a certain point in my frontend app, I need to communicate with my API, so I am doing a request to it using the same approach like I did in Postman. Basically, within my (axios) request, I am configuring the route to the api, and also the required header (Authorization: Bearer xxxx) to authorize the request using the Bearer token.
axios.post(
'url',
{
"body": data
},
{
headers: {
'Authorization': 'Bearer <my token>'
}
}
)
Now, my main problem is that this request (including the token) can be seen in Chrome Developer tools for example (or other request trackings tools)
How can I secure this in a easy and strong way?
For those who know more about Laravel, this way of authorization that comes from Jetrstream is Sanctum, and comes out of the box. I know there's another method of creating tokens, by making an initial request to the API using basic auth, and in response, I'll get a token that I should use for each request. But does that mean that it's more secure? In the end, that "fresh" token will be also visible to next requests, right? Even if it will be deleted on logout. If someone sees that token, he can easily make a request to my API using it and pretend to be a logged in user.
Is JWT a solution?
There must be something that I'm missing here. Any solutions are welcome

springboot APIs to use Auth0

We are trying to use auth0 for spring-boot application authentication.
Created Regular Web Application and Machine to Machine Applications in auth0.com and added users under User Management.
Intention is to have a login API to authenticate users and get the access-token after the successful authentication. Use access token (as bearer token) to access other APIs of the spring-boot application.
We provided proper login and callback urls under the Machine To Machine application configuration in auth0.com.
While generating bearer token, apart from client_id, client_secret we have provided grant_type (as client_credentials), audience as https://<>/api/v2 and scope with (openid profile my_scope email roles).
We are getting 401 error while accessing the other APIs using bearer token generated using client_id, client_secret, grant_type and audience.
Wherein, we are getting 403 error while accessing the other APIs using bearer token generated using client_id, client_secret, grant_type, audience and scope.
403 error stack is as below
Client is not authorized to access <<application-domain-in-auth0>>/api/v2/. You need to create a client-grant associated to this API.
We referred to the udemy session (https://www.udemy.com/course/build-secure-apis-with-auth0-and-postman/learn/lecture/12716335#overview)
Any inputs on the overall approach and where we are going wrong.
Thanks
Venkata Madhu
not sure if it can help, but found this more relevant to the problem statement.
https://community.auth0.com/t/how-to-generate-a-management-api-token-automatically/6376
There are a few things you need to do/check:
Create a non-interactive client in Auth0, which will be used to represent your service.
Authorize the non-interactive client to call the Auth0 Management API:
Dashboard > APIs > Auth0 Management API > Non Interactive Clients > Authorize your client
Ensure that the parameters used in the call to /oauth/token are for your non interactive client:
{
grant_type: 'client_credentials',
client_id: 'NON-INTERACTIVE-CLIENT-ID',
client_secret: 'NON-INTERACTIVE-CLIENT-SECRET',
audience: 'https://yourdomain.auth0.com/api/v2/" }
Make sure the access token you receive is passed in the Authorization header for every request made to the Management API. Authorization: Bearer <access_token>

Google Drive Header Auth with an API_KEY instead of ACCESS_TOKEN

Is it possible to use Google Header Auth with an API_KEY?
At the moment we are downloading files using:
https://www.googleapis.com/drive/v3/files/{fileId}?alt=media&key={our API key}
We want to migrate to using HTTP Header auth like this:
GET https://www.googleapis.com/drive/v3/files/[FILEID] HTTP/1.1
Authorization: Bearer [YOUR_ACCESS_TOKEN]
Accept: application/json
The first method uses our own API_KEY from Google Cloud Console.
The second method uses an ACCESS_TOKEN created by the user authenticating with the app with oAuth.
Is it possible to use our API_KEY for HTTP Auth? Or do we have to use the users ACCESS_TOKEN?
API key grants you access to public data only.
An access token is an authorized token which gives an application access to user data.
They are two different things.
The authorization header is used for sending authorization bearer tokens, access tokens to the server to authorize a request.
No you can not send an api key as a authorization header as it is not a bearer token. You need to authenticate your users using Oauth2 in order to get access to their data, which will give you an access token and the ability to add that as a authorization header and request access to download the users file.

CORS issue while making an Ajax request for oauth2 access token

I am making an ajax call from my client to the google oauth 2 API 'https://accounts.google.com/o/oauth2/auth?redirect_uri=http://blah.com&response_type=token&client_id....' to get the access token, but i get following error:
Response to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://blah-blah.com' is therefore not allowed
access
I want the call to be ajax so that the user is not disturbed when the call is made through url or window.location.href or in other words, how can i get the access token such that the whole page does not load, and is it possible to resolve the above error???
OAuth2 auth endpoint doesn't support AJAX by design. It's an entry point to the authentication system, so you must get there by redirect. The result of the authentication is again a redirect to the URL you provide, so AJAX doesn't make much sense there.

Resources