I'm using Tymon\JWTAuth with laravel
and I'm sending the requests like this
www.example.com/test?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjUzNywiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0Ojg4ODhcL3YyXC9zZWxmXC9hdXRoZW50aWNhdGUiLCJpYXQiOjE0NzE0MzI0ODMsImV4cCI6MTQ3MTQ3NTY4MywibmJmIjoxNDcxNDMyNDgzLCJqdGkiOiI4ZDVlZGE4MmE2MTZlMzM5NjgwMmFmZTk5NWI3N2Q1MCJ9.-t0El5nJj_pgNzpgtLy8EVLUsf9dp8RTLhWA3cK_Vmw
I want to move this token to header is that possible ?
Yes. You can send the token with header.
From the documentation:
To make authenticated requests via http using the built in methods, you will need to set an authorization header as follows:
Authorization: Bearer {yourtokenhere}
Related
I need to pass the token generated in one request into another request.
In second request,
I cannot pass the Authorization as the header because the API is not designed in a way to pass the token as header, nor Authorization manager is working as I need to pass the body and in Authorization manager I am not able to locate where to pass the body.
Is there any other way apart from Authorization manager or Header manager?
HTTP Authorization Manager generates and sends the relevant Authorization header, the header value differs depending on the protocol which is being used for the authentication/authorization from basic access control to NTLM and Kerberos
HTTP Header Manager allows you to send arbitrary HTTP headers including the aforementioned Authorization one
Unfortunately we cannot suggest how exactly you can pass the token, you need to
check the API contract or documentation, some API implementations have special documentation endpoints
contact the people who "designed" the "API"
capture the request from the real browser using browser developer tools or if it's another application use a sniffer tool like Wireshark or Fiddler
I'm doing load testing my REST API - to hit the API request header should contain a valid token. I'm dynamically generating my request body - the same way I would like to generate header token dynamically using JMeter - what is the best approach to do that?
In order to access the resource which requires full authorization you need to provide so called "Bearer Token" via HTTP Header Manager, you need to add Authorization header with the value of Bearer ${followed by the dynamic token}
The process of obtaining the token depends on OAuth Grant Type used in your application, you need to figure out which authentication/authorization flow is being used and implement it in JMeter using HTTP Request samplers and suitable Post-Processors for correlating the dynamic values.
I am having problems in submitting POST request to secured Laravel API routes via Postman. My GET requests work fine, but my POST cant go through the security even though I have provided an api token.
So my question is: How properly to send POST request to secured Laravel API routes from Postman?
Add this is the request header.
[enter image description here][1]accept: application/json
content-type: application/json
authorization: "your_token"
Found the solution:
Set your Authorization to API Key:
Next, in headers section you need to add X-Requested-With field:
I want to customise OAuth Endpoint URI's.
I want to sent parameters in post body instead of query params.
now my request is like -
example.com/oauth/token?grant_type=password&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&username={USERNAME}&password={PASSWORD}
But I want it like this.
example.com/oauth/token
Request body -
{
grant_type=password,
client_id={CLIENT_ID},
client_secret={CLIENT_SECRET},
username={USERNAME},
password={PASSWORD}
}
How should I do it?
The token endpoint of a properly-implemented authorization server does NOT accept GET requests because RFC 6749, "3.2. Token Endpoint" says as follows:
The client MUST use the HTTP "POST" method when making access token requests.
So, your authorization server's token endpoint should reject GET requests.
RFC 6749, "4.3. Resource Owner Password Credentials Grant" says that request parameters of a token request using Resource Owner Password Credentials flow should be embedded in the request body in the format of "application/x-www-form-urlencoded". The following is an excerpt from "4.3.2. Access Token Request".
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=johndoe&password=A3ddj3w
Therefore, you don't have to customize your authorization server. If the server is implemented correctly, its token endpoint accepts POST requests.
The token endpoint created by spring-oauth2 already deals with POST as well.
It would be hard to customize it to accept a JSON request body, because the TokenEndpoint class expects all the params as #RequestParam params.
However, if your concern is about security (as HTTPs does not secure query parameters) you indeed can send the request parameters through post. It is just a matter of sending the request in the form "form-data" or "x-www-form-urlencoded". These are 2 ways of sending arbitrary key-value parameters in the request body, in a way that appears to the server as they are regular request parameters. So it is a matter of making your client using this.
Also, note that in spring-oauth2 it is possible to disable the GET endpoint, this way forcing your clients to use POST with one of the ways above.
I have an ASP.NET Web API 2 which is using OAuth 2.0 for authorization. And let's imagine I have a simple Web API method, like:
GET: http://host/api/profiles/user123 (requires OAuth 2.0 token)
So, with Postman, it is easy to test this Web API. I get an OAuth token for user123 from the Web API OAuthAuthorization method and then I use that token in the header of the HTTP request:
GET /api/profiles/user123 HTTP/1.1
Host: {host}
Authorization: Bearer {Token}
Content-Type: application/json
Cache-Control: no-cache
However, if I save my test and run it later (either by Postman itself or by Newman), the token will be expired at that time and it won't work.
How can I make Newman to get a new token automatically for user123 and use it in the HTTP request?
Note: I know how to use Postman's Authentication helpers to ask for a new token. But this scenario doesn't fit the test-automation. In test-automation, I want to remove any human interaction.
It's simple, get your access token at run time and save it into environment variable. Then use it in your next Get request.
In Get Token request, do this in Tests sections:
var body = JSON.parse(responseBody);
pm.environment.set('AccessToken', body.access_token);
In your main Get request, you can use the environment variable in Authorization header:
Authorization: Bearer {{AccessToken}}
Hope this helps.