On successful login to my spring security application configured with Oauth2, I received a response with Oauth2 token.
For the subsequent request I passed Oauth2 access_token in URI Query Parameter like this
http://localhost:8090/myapplication/users/user?access_token=4c520795-eb07-4c2d-a91b-474c85fb481e
It is working fine.
But instead of passing token in URI to make it more secure I wanted to send token in request headers.How to do this?
Use the usual HTTP Authorization header:
Authorization: Bearer <your-token-here>
For example
Authorization: Bearer 4c520795-eb07-4c2d-a91b-474c85fb481e
Related
Is it possible to use Google Header Auth with an API_KEY?
At the moment we are downloading files using:
https://www.googleapis.com/drive/v3/files/{fileId}?alt=media&key={our API key}
We want to migrate to using HTTP Header auth like this:
GET https://www.googleapis.com/drive/v3/files/[FILEID] HTTP/1.1
Authorization: Bearer [YOUR_ACCESS_TOKEN]
Accept: application/json
The first method uses our own API_KEY from Google Cloud Console.
The second method uses an ACCESS_TOKEN created by the user authenticating with the app with oAuth.
Is it possible to use our API_KEY for HTTP Auth? Or do we have to use the users ACCESS_TOKEN?
API key grants you access to public data only.
An access token is an authorized token which gives an application access to user data.
They are two different things.
The authorization header is used for sending authorization bearer tokens, access tokens to the server to authorize a request.
No you can not send an api key as a authorization header as it is not a bearer token. You need to authenticate your users using Oauth2 in order to get access to their data, which will give you an access token and the ability to add that as a authorization header and request access to download the users file.
I tried to search on the internet, but not found any clear. I am using spring-boot. I have the requirement for supporting either Basic Auth or Bearer (JWT Token). If the request coming with Basic Auth then, only Basic Auth configuration must execute and skip the JWT Token authentication. If Bearer authentication (JWT Token) request is coming, then only JWT Token authentication must execute and skip Basic authentication.
Any suggestions or input will helpful.
Thanks
Manoj
I understand that a resource server will make a call to the authentication server with a token to confirm that it is valid.
However is this token the same Cookie: JSESSIONID?
Oauth 2.0 Bearer tokens are of two types - General tokens(e.g like java uuid string) and JWT tokens.
General tokens will be stored in the authorization server token store along with their scopes, expiry, client ID, UserId and other related information. When client sends request to resource server, Resource server need to reach out authorization server(Spring oauth 2.0) for bearer token validation.
JWT tokens contains information about its expiry along other user information and self sufficient to work in stateless sessions, Here we don't need to validate oauth 2.0 JWT tokens from authorization server.
JSESSIONID Cookie is created by spring security by default, its not related to Bearer token authorization.
Well the standard solution is an introspection request, as in step 14 of this post: https://authguidance.com/2017/09/26/basicspa-oauthworkflow/
Not all solutions are standards based though - and I always recommend capturing the HTTP traffic
I am trying to create an oAuth policy to protect an API using an JWT access token. That token can be validated by calling an external URL.
I am using the following RAML for my Mule proxy.
#%RAML 1.0
title: Custom API
version: 1
baseUri: http://localhost:8081
securitySchemes:
oauth_2_0:
description: |
This API supports OAuth 2.0 for authenticating all API requests.
type: OAuth 2.0
describedBy:
headers:
authorization:
description: |
Used to send a valid OAuth 2 access token. Do not use with the "access_token" query
string parameter.
type: string
responses:
401:
description: |
Bad or expired token. This can happen if the user or the API revoked or expired an
access token. To fix, you should re-authenticate the user.
403:
description: |
Bad OAuth request (wrong consumer key, bad nonce, expired timestamp...). Unfortunately,
re-authenticating the user won't help here.
/hello:
get:
securedBy: [oauth_2_0]
However, mule is not able to send the Authorization header while validating against the external service.
The RAML that you posted is fine, but informative only. You have to implement the JWT oAuth token enforcement capability either as a custom policy or as part of your Mule flow. Currently, there is no out-of-the-box policy for JWT token validation.
Usually, for validating a token, an external endpoint is called providing the token as part of the internal [policy] request. That means that the policy itself will parse the incoming user request, and extract the token either from the query params or from the Authorization header (removing the bearer part). AFAIK, Authorization header is never sent to the introspection token URL.
I'm writing a REST API using Spring MVC. I'm trying to access a controller method via a POST request.
I always receive a 403error:
Invalid CSRF Token '' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
How can I deliver a CSRF token within my REST request?
I tried to use the default security password which is displayed during application startup as the value for _csrf but it wasn't successful.
How can I retrieve the CSRF token and is it correct to send the token in the _csrf parameter?
You will need to provide the correct header and CSRF token when making the request e.g.
request.setRequestHeader('${_csrf.headerName}', '${_csrf.token}');
You can also send the token as a request parameter using _csrf.parameterName.