I am using OIDC and okta's /oauth2/v1/authorize API to get the access_token. But it just returns the HTML of the redirect_uri.
My API looks like this,
`GET /oauth2/v1/authorize?
`response_type=code,token,id_token&client_id=*******&scope=openid&redirect_uri=http://localhost:8000 HTTP/1.1
Host: xome.okta.com
Content-Type: application/json
Please let me know what is wrong here.
If you are using cURL to call the url, you should call it like below
curl -v -D https://org-name.okta.com/oauth2/v1/authorize
If you are using a REST client to call this url then yes it would return the redirect uri. Because this is implicit flow which is to be called from browser. When you call this url from browsers (JavaScript or copy paste in url and press enter) you will be redirected to redirectUri and token (id token and or access token) will be in the url of redirected app like below.
http://localhost:/redirectUri/#id_token=eyJhbGcxx....
Therefore, right way to use this is call it from JavaScript and read url in redirected app and get id/access token.
Related
I'm using a SpringBoot 2 (2.7.0) application (including Spring security 5.7.1) to secure REST endpoints with Keycloak for authentication and authorization. Everything works fine but the only thing which bothers me is when I don't set the bearer token I get a HTTP 400 response. The response itself is correct but the body of the response contains HTML (Keycloak login page).
Is there a way to avoid that the body of the response contains the login page? I would like to set a custom response body.
That is an expected default behavior. If you want to instead get relevant 4xx error instead, you can try setting the the "bearer-only" in your "keycloak.json" file so that it would not redirect API calls (i.e. AJAX calls from browser) to the login page:
{
...
"bearer-only": true
}
I use WebAPI 2 and setup Swashbuckle there.
GlobalConfiguration.Configuration
.EnableSwagger(c =>
{
c.SingleApiVersion("v1", "medEbridge2.API");
}).EnableSwaggerUi(c =>{
c.InjectJavaScript(thisAssembly, "UHG.mb2.WebApi.SwaggerExtensions.onComplete.js"); });
Then in javascript, I overwrite api_key with my bearer
window.swaggerUi.api.clientAuthorizations.add('oauth2', apiKeyAuth);
So, now when I press "Try it out!" swagger
Sends requests and received OK response (checked with Fiddler)
Redirects me to request url https://mb2-api-local.uhg.com.au/fhir/valueset/authoritytype/$expand
So now I have open empty page
I did not do Oauth, but I have overridden swagger api_key with my token. But there I used custom HTML instead of customJS. Where you can configure your keys and token.
You can get swaggerUI HTML from GitHub and modify it as required.
Can you try it using
c.CustomAsset("index", thisAssembly, "yourHTMLHere.html");
and override keys there
I want to customise OAuth Endpoint URI's.
I want to sent parameters in post body instead of query params.
now my request is like -
example.com/oauth/token?grant_type=password&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&username={USERNAME}&password={PASSWORD}
But I want it like this.
example.com/oauth/token
Request body -
{
grant_type=password,
client_id={CLIENT_ID},
client_secret={CLIENT_SECRET},
username={USERNAME},
password={PASSWORD}
}
How should I do it?
The token endpoint of a properly-implemented authorization server does NOT accept GET requests because RFC 6749, "3.2. Token Endpoint" says as follows:
The client MUST use the HTTP "POST" method when making access token requests.
So, your authorization server's token endpoint should reject GET requests.
RFC 6749, "4.3. Resource Owner Password Credentials Grant" says that request parameters of a token request using Resource Owner Password Credentials flow should be embedded in the request body in the format of "application/x-www-form-urlencoded". The following is an excerpt from "4.3.2. Access Token Request".
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=johndoe&password=A3ddj3w
Therefore, you don't have to customize your authorization server. If the server is implemented correctly, its token endpoint accepts POST requests.
The token endpoint created by spring-oauth2 already deals with POST as well.
It would be hard to customize it to accept a JSON request body, because the TokenEndpoint class expects all the params as #RequestParam params.
However, if your concern is about security (as HTTPs does not secure query parameters) you indeed can send the request parameters through post. It is just a matter of sending the request in the form "form-data" or "x-www-form-urlencoded". These are 2 ways of sending arbitrary key-value parameters in the request body, in a way that appears to the server as they are regular request parameters. So it is a matter of making your client using this.
Also, note that in spring-oauth2 it is possible to disable the GET endpoint, this way forcing your clients to use POST with one of the ways above.
I have an ASP.NET Web API 2 which is using OAuth 2.0 for authorization. And let's imagine I have a simple Web API method, like:
GET: http://host/api/profiles/user123 (requires OAuth 2.0 token)
So, with Postman, it is easy to test this Web API. I get an OAuth token for user123 from the Web API OAuthAuthorization method and then I use that token in the header of the HTTP request:
GET /api/profiles/user123 HTTP/1.1
Host: {host}
Authorization: Bearer {Token}
Content-Type: application/json
Cache-Control: no-cache
However, if I save my test and run it later (either by Postman itself or by Newman), the token will be expired at that time and it won't work.
How can I make Newman to get a new token automatically for user123 and use it in the HTTP request?
Note: I know how to use Postman's Authentication helpers to ask for a new token. But this scenario doesn't fit the test-automation. In test-automation, I want to remove any human interaction.
It's simple, get your access token at run time and save it into environment variable. Then use it in your next Get request.
In Get Token request, do this in Tests sections:
var body = JSON.parse(responseBody);
pm.environment.set('AccessToken', body.access_token);
In your main Get request, you can use the environment variable in Authorization header:
Authorization: Bearer {{AccessToken}}
Hope this helps.
I am working with Parse.com REST API where my working environment restricts me from using modified header on GET requests.
For now, the GET request using plain http is served good, and we can login to the parse using url formatted like this:
https://ParseAppID:javascript-key=ParseJSKey#api.parse.com/1/login?username=someName&password=somePass
But we can't check if current session is valid, as with GET request formatted like this:
https://ParseAppID:javascript-key=ParseJSKey#api.parse.com/1/users/me
we received invalid session response
Is there any way to put session token as additional or replacement of javascript-key? Thanks