In my project I need both Token and Session Authentication: the first one is for clients that are consuming my endpoints, and the second one is for staff users who needs to login in the django admin.
The order is:
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.TokenAuthentication',
'rest_framework.authentication.SessionAuthentication',
),
However, I have a problem when I try to login from the client side.
I obtain 403 error, CSRF Failed: CSRF token missing or incorrect.
If I disable SessionAuthentication, the login works.
Is it normal this behaviour? Do I have to change something?
Thanks!
Please use custom authentication, based on different request users such as staff and client.403 error is failed authentication due to permission denied. Also share detail if you have used any permissions.
Related
In our angular 13 SPA application, we have integrated the Okta SSO. After successful login via the okta singIn widget window, we are trying to fetch the authenticated user information but getting the below error:
AuthSdkError: getUserInfo requires an access token object AuthSdkError: get user info requires an access token object.
How to get resolved this error, any help/suggestion on this will be appreciated.
Do you request token in your app configuration? Or only id_token? If latter, then include token as well
I have implement my api by using personal access token with the 1 month validity by using below code.
Passport::personalAccessTokensExpireIn(now()->addMonths(1));
I can receive an unauthenticated error once the token gets expired. In this case, i have to extend the validity which mean the user should be in login state unless they do logout manually.
Is it possible to keep the user in login mode?. If it can, pls give detailed explanation.
I think Passport can refresh the token only with oauth; but don't get me wrong, probably you don't need oauth. So you should refresh it by yourself because Passport doesn't handle it. What I can suggest in case you are building a backend API for a web-app is to use Sanctum Spa-Authentication, it gives you csrf protection and is really easy to understand
https://laravel.com/docs/8.x/sanctum#spa-authentication.
Once you logged in you can call your api routes.
But if it's not a web-app even Sanctum has not a refresh token method...
im using first time Passport laravel, but i still didnt understand quite is the difference between midlewareare auth:api and client:credentials (CheckClientCredentials ), doesnt these 2 types of middlware restrict routes? What is the difference between them?
The auth:api middle-ware is used for authentication. Whenever user will call an api, the user has to provide the authentication token with it. It depends on you which api you are restricting. From that token we can recognize the user or get the user object from request. Following is the way to get the user from token.
$user = $request->user();
for more information you can read the passport documentation at here
Client Credentials Grant Tokens
The client credentials grant is suitable for machine-to-machine authentication. For example, you might use this grant in a scheduled job which is performing maintenance tasks over an API.You can go through the doc at here
I am trying to get refresh token when authorizing the user.
This is the url that is being used for authorization.
request
https://...../oauth2/authorize?response_type=token&client_id=test-client&scope=all&redirect_uri=https%3A%2F%2Flocalhost:7002%2F...%2Foauth
redirect url with token and etc :
https://localhost:7002/..../oauth#access_token=b3961289-713c-41c9-9341-253286cbcc52&token_type=bearer&expires_in=300&scope=all
but there isn't any refresh token with this. I tried this with token endpont and it has the refresh token like this
request
curl --data 'grant_type=password&username=....&password=...' --basic --user 'test-client:client-secret' 'https://....../oauth2/token'
response
{
"scope":"all",
"access_token":"5a90edb7-5ded-451a-9d9b-d3bd879ac336",
"token_type":"bearer",
"expires_in":300,
"refresh_token":"ec0c94db-5e81-4229-a815-9c2d80086995"
}
Is there anyway that I can get refresh token in authorization endpoint. ? Or
can I use existing token to get refresh token ?
This got to long for a comment
It kind of depends upon the authentication server how it works. Some servers only return a refresh token the first time the user authenticates.
To get a Refresh Token, you must include the offline_access scope when you initiate an authentication request through the authorize endpoint.
For example, if you are using Authorization Code Grant, the authentication request would look like the following:
https://__AUTH0_NAMESPACE__/authorize?
audience={API_AUDIENCE}&
scope=offline_access&
response_type=code&
client_id=__AUTH0_CLIENT_ID__&
redirect_uri=__AUTH0_CALLBACK__&
state={OPAQUE_VALUE}
This is the only way to obtain a refresh token so no you cant use another token to request get a refresh token.
Implicit client
In the implicit grant flow, the client is requesting access to a resource by way of a "User Agent", aka browser with the user sitting there. So a client wants to grab something, but needs the user to enter permissions for it. If the authentication server provided a refresh token, then the client could skip asking the user for permission in the future and grant itself access forever (essentially refreshing its token whenever it wants without user permission). This is forbidden in the flow because the "untrusted" client should only have access by way of having the user enter their credentials (thus only when the resource owner allows it).
You can't get a refresh token when using the Implicit grant.
I presume your application is a Single Page App? i.e. html/JavaScript running in a user's browser. This is the main use case for the Implicit grant nowadays.
If it's not a SPA (e.g. native, mobile or web application) you should be able to use a different grant type which will give you a refresh token. e.g. Authorisation Code Grant or Authorisation Code with PKCE Grant.
Very new to okta flow, please bear with my ignorance.
I am doing a poc to access sharepoint from my external site and sharepoint is authenticated through OKTA. I want to start getting list view data from share point and expose it on my site.
1) What is the difference of authenticating using username / password flow (vs) using token to authenticate into OKTA?
Step 1: Auth in through username / password get the session token
Step 2 : After this I tried to create a session as per docs:
http://developer.okta.com/docs/api/resources/sessions.html#create-session-with-session-token
You're probably missing a valid Okta API token (cf. Getting a Token ) when calling the /api/v1/sessions endpoint. In any event, you should use the /api/v1/authn endpoint for authentication purposes and that one usually doesn't need an api token (unless you want to authenticate it from a trusted application).
The /api/v1/sessions API with the username/password payload is deprecated so you should shy away from using it in favor of the /api/v1/authn API.
I hope this helps!