Spring security OAuth2 request as object instead of query parameters - spring

I want to customise OAuth Endpoint URI's.
I want to sent parameters in post body instead of query params.
now my request is like -
example.com/oauth/token?grant_type=password&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&username={USERNAME}&password={PASSWORD}
But I want it like this.
example.com/oauth/token
Request body -
{
grant_type=password,
client_id={CLIENT_ID},
client_secret={CLIENT_SECRET},
username={USERNAME},
password={PASSWORD}
}
How should I do it?

The token endpoint of a properly-implemented authorization server does NOT accept GET requests because RFC 6749, "3.2. Token Endpoint" says as follows:
The client MUST use the HTTP "POST" method when making access token requests.
So, your authorization server's token endpoint should reject GET requests.
RFC 6749, "4.3. Resource Owner Password Credentials Grant" says that request parameters of a token request using Resource Owner Password Credentials flow should be embedded in the request body in the format of "application/x-www-form-urlencoded". The following is an excerpt from "4.3.2. Access Token Request".
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=johndoe&password=A3ddj3w
Therefore, you don't have to customize your authorization server. If the server is implemented correctly, its token endpoint accepts POST requests.

The token endpoint created by spring-oauth2 already deals with POST as well.
It would be hard to customize it to accept a JSON request body, because the TokenEndpoint class expects all the params as #RequestParam params.
However, if your concern is about security (as HTTPs does not secure query parameters) you indeed can send the request parameters through post. It is just a matter of sending the request in the form "form-data" or "x-www-form-urlencoded". These are 2 ways of sending arbitrary key-value parameters in the request body, in a way that appears to the server as they are regular request parameters. So it is a matter of making your client using this.
Also, note that in spring-oauth2 it is possible to disable the GET endpoint, this way forcing your clients to use POST with one of the ways above.

Related

Authentication with 'Authorization: Negotiate' in the initial request with WCF

I'm trying to figure out if it is and how possible to initiate a connection with Authorization that avoids getting a 401 back from the server on the initial call.
According to the RFC (https://www.ietf.org/rfc/rfc4559.txt, end of section 4.2), the client should be able to send, with the initial request, an Authorization header containing a token, but for me that doesn't work. I've tried sending the same token (seems to be always the same) that is usually sent as a response to the first 401, but no luck.
Is there something in the configuration that needs to be changed to allow such behavior or do I need a different token?

How to pass bearer token in a request apart from Authorization manager and Header manager

I need to pass the token generated in one request into another request.
In second request,
I cannot pass the Authorization as the header because the API is not designed in a way to pass the token as header, nor Authorization manager is working as I need to pass the body and in Authorization manager I am not able to locate where to pass the body.
Is there any other way apart from Authorization manager or Header manager?
HTTP Authorization Manager generates and sends the relevant Authorization header, the header value differs depending on the protocol which is being used for the authentication/authorization from basic access control to NTLM and Kerberos
HTTP Header Manager allows you to send arbitrary HTTP headers including the aforementioned Authorization one
Unfortunately we cannot suggest how exactly you can pass the token, you need to
check the API contract or documentation, some API implementations have special documentation endpoints
contact the people who "designed" the "API"
capture the request from the real browser using browser developer tools or if it's another application use a sniffer tool like Wireshark or Fiddler

quay.io OAuth2 Proxy: Setting Bearer token to Authorization Header

What I want to do
Calling an URL which is proxied by the oauth2 proxy. The oauth2 proxy should perform an authorization code flow in case no authentication is available. In case there is already an authentication available, the access token should be set to the Authorization Header in the request which is forwarded to the upstream.
What I tried
According to the documentation I'd expect that, when setting --pass-authorization-header the token which is requested should be added to the authorization header.
I also experimented with --pass-access-token which should set an X-Forwarded-Access-Token header.
I couldn't see this header at my service either.
Could someone explain to me what I'm doing wrong?
I found the solution.
This post on a github issue lead me to my mistake.
I did misunderstand what the request is and what the response is and how to handle them using nginx ingresses.
If you are using OAuth2-Proxy with a Kubernetes ingress using nginx subrequests (https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/) the data that comes back to nginx is actually an HTTP response, so you will need to use HTTP Response headers (the --pass-* options configure request headers to the upstream).
Try --set-authorization-header and then you need to use this annotation to have the Kubernetes take the subrequest response header and add it to the proxied request header: nginx.ingress.kubernetes.io/auth-response-headers
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#external-authentication

Is it possible to convert Token from request string to Header in jwt authentication?

I'm using Tymon\JWTAuth with laravel
and I'm sending the requests like this
www.example.com/test?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjUzNywiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0Ojg4ODhcL3YyXC9zZWxmXC9hdXRoZW50aWNhdGUiLCJpYXQiOjE0NzE0MzI0ODMsImV4cCI6MTQ3MTQ3NTY4MywibmJmIjoxNDcxNDMyNDgzLCJqdGkiOiI4ZDVlZGE4MmE2MTZlMzM5NjgwMmFmZTk5NWI3N2Q1MCJ9.-t0El5nJj_pgNzpgtLy8EVLUsf9dp8RTLhWA3cK_Vmw
I want to move this token to header is that possible ?
Yes. You can send the token with header.
From the documentation:
To make authenticated requests via http using the built in methods, you will need to set an authorization header as follows:
Authorization: Bearer {yourtokenhere}

Appropriate unauthorized response when using form based authentication

I have a web app that uses form based authentication. When an AJAX request fails due to session timeout, I need to send an appropriate notification. It looks like I could send:
403 Forbidden, but that implies "authorization will not help", which is false.
401 Unauthorized, but responses "MUST include a WWW-Authenticate header field" and the information on what exactly the value should be when using form based authentication is limited.
When an AJAX request fails because the user is not authenticated, what then is the appropriate response?
I tend to interpret 403 as "HTTP authorization will not help", and use it instead of 401 when not using HTTP authentication.

Resources