Is it possible to use Google Header Auth with an API_KEY?
At the moment we are downloading files using:
https://www.googleapis.com/drive/v3/files/{fileId}?alt=media&key={our API key}
We want to migrate to using HTTP Header auth like this:
GET https://www.googleapis.com/drive/v3/files/[FILEID] HTTP/1.1
Authorization: Bearer [YOUR_ACCESS_TOKEN]
Accept: application/json
The first method uses our own API_KEY from Google Cloud Console.
The second method uses an ACCESS_TOKEN created by the user authenticating with the app with oAuth.
Is it possible to use our API_KEY for HTTP Auth? Or do we have to use the users ACCESS_TOKEN?
API key grants you access to public data only.
An access token is an authorized token which gives an application access to user data.
They are two different things.
The authorization header is used for sending authorization bearer tokens, access tokens to the server to authorize a request.
No you can not send an api key as a authorization header as it is not a bearer token. You need to authenticate your users using Oauth2 in order to get access to their data, which will give you an access token and the ability to add that as a authorization header and request access to download the users file.
Related
We are trying to use auth0 for spring-boot application authentication.
Created Regular Web Application and Machine to Machine Applications in auth0.com and added users under User Management.
Intention is to have a login API to authenticate users and get the access-token after the successful authentication. Use access token (as bearer token) to access other APIs of the spring-boot application.
We provided proper login and callback urls under the Machine To Machine application configuration in auth0.com.
While generating bearer token, apart from client_id, client_secret we have provided grant_type (as client_credentials), audience as https://<>/api/v2 and scope with (openid profile my_scope email roles).
We are getting 401 error while accessing the other APIs using bearer token generated using client_id, client_secret, grant_type and audience.
Wherein, we are getting 403 error while accessing the other APIs using bearer token generated using client_id, client_secret, grant_type, audience and scope.
403 error stack is as below
Client is not authorized to access <<application-domain-in-auth0>>/api/v2/. You need to create a client-grant associated to this API.
We referred to the udemy session (https://www.udemy.com/course/build-secure-apis-with-auth0-and-postman/learn/lecture/12716335#overview)
Any inputs on the overall approach and where we are going wrong.
Thanks
Venkata Madhu
not sure if it can help, but found this more relevant to the problem statement.
https://community.auth0.com/t/how-to-generate-a-management-api-token-automatically/6376
There are a few things you need to do/check:
Create a non-interactive client in Auth0, which will be used to represent your service.
Authorize the non-interactive client to call the Auth0 Management API:
Dashboard > APIs > Auth0 Management API > Non Interactive Clients > Authorize your client
Ensure that the parameters used in the call to /oauth/token are for your non interactive client:
{
grant_type: 'client_credentials',
client_id: 'NON-INTERACTIVE-CLIENT-ID',
client_secret: 'NON-INTERACTIVE-CLIENT-SECRET',
audience: 'https://yourdomain.auth0.com/api/v2/" }
Make sure the access token you receive is passed in the Authorization header for every request made to the Management API. Authorization: Bearer <access_token>
I get now the Access Token from Lumen-API-JWT (Backend) but the question is how can i work with that in the laravel-8-Client (frontend) project
Any Idea ?
In generally when we working with HTTP API or call need to authentication the user, Server will return the Access Token (JWT or whatever). Every API Request you need to bind that access token along with the header. Ex. Authorization: Bearer {{access_token}}.
When you fail to bind the access token server will return unauthenticated HTTP status code with the relevant message.
Please refer below links,
https://www.loginradius.com/blog/async/everything-you-want-to-know-about-authorization-headers
I understand that a resource server will make a call to the authentication server with a token to confirm that it is valid.
However is this token the same Cookie: JSESSIONID?
Oauth 2.0 Bearer tokens are of two types - General tokens(e.g like java uuid string) and JWT tokens.
General tokens will be stored in the authorization server token store along with their scopes, expiry, client ID, UserId and other related information. When client sends request to resource server, Resource server need to reach out authorization server(Spring oauth 2.0) for bearer token validation.
JWT tokens contains information about its expiry along other user information and self sufficient to work in stateless sessions, Here we don't need to validate oauth 2.0 JWT tokens from authorization server.
JSESSIONID Cookie is created by spring security by default, its not related to Bearer token authorization.
Well the standard solution is an introspection request, as in step 14 of this post: https://authguidance.com/2017/09/26/basicspa-oauthworkflow/
Not all solutions are standards based though - and I always recommend capturing the HTTP traffic
I am developing web API 2 services with authentication as bearer Token using oauth 2. I am not able to understand how authorization server create Token and revalidate that Token for subsequent request with that token. I also want to know that if I request token for same user name and password from different machine how server manage the token generation .
Regards
I am developing an API using Codeigniter and Oauth2 (Alex Bilbies library).
The API is being used by my iPhone app. For every request I need to send along the access token as a parameter in the URL. Is there a way to send the token in a header instead? To avoid it getting "exposed"?
Thankful for all input!
OAuth 2.0 bearer tokens allow you to insert them in an HTTP Authorization header as follows:
POST /my/api HTTP/1.1
Host: rs.company.com
Authorization: Bearer abcdef123456
Where abcdef123456 is your Access Token (see: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-bearer-16#section-2.1). In fact the spec says you SHOULD do that in lieu of request parameters if it is possible.
The spec also describes many security considerations when using OAuth 2.0 bearer tokens (see: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-bearer-16#section-4)
Sending an access token over GET is just as insecure as sending it in a header.
OAuth 1 used to get around this with all sorts of encryption, secured passwords, hell you could even turn certifications on. This was all a massive ball-ache, so now in OAuth 2 you just have to use HTTPS which does all of this for you.