Is there a way to use oauth for GAE using postman - google-app-engine

We're using Postman to test our service APIs running on GAE. In order to authenticate, we have to add a header value 'X-Auth' and copy the OAuth authentication token used for our login (retrieved from the Google JavaScript library). We have to do this a lot because the token is rather short-lived, so it's a real pain/bottleneck for our developers.
I've been looking into using the postman oauth authentication and even got it working... sort of. I successfully configured the oauth and logged myself in, granting the permissions, etc and received a token. However postman wants to put this token into the header not as 'X-Auth' but as 'Bearer' and for whatever reason, authentication is failing. Perhaps it's because the header name is wrong, perhaps I'm also getting the wrong token value.
So: Has anyone had success using postman with oauth on GAE?
PS, here's the 'code' Postman is generating:
GET /api/XXX/ST_W HTTP/1.1
Host: admin.mycompany.com:8080
Accept-Encoding: application/json
Authorization: Bearer ya29.GmDtA-o7ahRzDFl_kMQZD8n7Y3b38TUg58u3kon6t64JifRhOWNBBd8nsuSJ5-OcZW76xC8j3l9EN39D7Z0860qm1S6IwwwdX0AAvXmQwJZg_mXKQH1r9YZOLmgA95dq9_M
Cache-Control: no-cache
Postman-Token: a2182695-9b56-1834-5312-3885f2d77426
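One way to stop hand-copying the token, as an added example (not code from the original question, from Google, or from Postman): a Postman pre-request script that takes the access token obtained by Postman's OAuth 2.0 helper and sends it in the X-Auth header the service expects instead of the Bearer Authorization header Postman generates. The header-rewrite logic is a pure function so it can be run and tested outside Postman; the environment-variable name `access_token` is an assumption, and the `pm.*` calls at the end only execute inside Postman's script sandbox. The script only moves the value; whether the service accepts an OAuth access token at all (as opposed to whatever token the Google JavaScript library hands the web login) is the separate question the poster raises.

```javascript
// Added example; not code from the original question, Google or Postman.
// Pure helpers first (they run and can be tested outside Postman), then the
// pm.* glue that only executes inside Postman's pre-request script sandbox.

const TARGET_HEADER = 'X-Auth';        // header name the poster's GAE API expects
const TOKEN_VARIABLE = 'access_token'; // assumed environment variable name; not from the question

// RFC 6750 b64token syntax: base64url-style characters plus optional trailing '='.
// Anything else (quotes, spaces, an empty value) is rejected here so a bad value
// fails in the script instead of as an unexplained 401 from the server.
function isToken68(value) {
  return typeof value === 'string' && /^[A-Za-z0-9\-._~+/]+=*$/.test(value);
}

// Pull the token out of an "Authorization: Bearer <token>" value, or return null.
function extractBearerToken(authorizationValue) {
  const m = /^Bearer\s+(\S+)\s*$/i.exec(String(authorizationValue || ''));
  return m && isToken68(m[1]) ? m[1] : null;
}

// headers: array of {key, value} (the shape Postman exposes). token: value from
// the environment, or undefined to reuse whatever Bearer token is already on
// the request. Returns a new array with the Bearer Authorization header and any
// stale X-Auth header removed and a single "X-Auth: <token>" appended.
function toXAuthHeaders(headers, token) {
  let found = isToken68(token) ? token : null;
  const out = [];
  for (const h of headers) {
    const key = String(h.key).toLowerCase();
    if (key === 'authorization') {
      const t = extractBearerToken(h.value);
      if (t !== null) {           // Postman's OAuth helper put it here: move it
        if (found === null) found = t;
        continue;
      }
    }
    if (key === TARGET_HEADER.toLowerCase()) continue; // replaced below
    out.push({ key: h.key, value: h.value });
  }
  if (found === null) throw new Error('no usable access token for ' + TARGET_HEADER);
  out.push({ key: TARGET_HEADER, value: found });
  return out;
}

// Postman glue. Set the request's auth type to "No Auth" (so Postman does not
// also send its own Authorization header), save the token the OAuth 2.0 helper
// obtains under TOKEN_VARIABLE, and paste this script into Pre-request Script.
if (typeof pm !== 'undefined') {
  const token = pm.environment.get(TOKEN_VARIABLE);
  if (!isToken68(token)) throw new Error(TOKEN_VARIABLE + ' is missing or malformed');
  pm.request.headers.remove('Authorization');
  pm.request.headers.upsert({ key: TARGET_HEADER, value: token });
}
```

Run against a header list like the one Postman printed above, `toXAuthHeaders` drops the `Authorization: Bearer ya29...` line and appends `X-Auth: ya29...`; a quoted or empty token is refused before the request leaves Postman.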

Related

Unable to access Generic Views with JWT authentication

I'm at a loss - I have a django backend and react frontend. On the frontend, I have a login page that sets a JWT token, and I use that token to query data from the django backend. This all works perfectly.
But I also have direct views to these APIs via something simple as http://localhost:8000/tables/data which will just show me a default django view of these tables (ie: a paginated "select * from data" call) ... and hooked in through a genericListAPIView.
Now, as I said, everything works fine when feeding it via a curl command (or Postman, or whatnot). I get the JWT token, set it as the Authorization header in the subsequent call to the API, get the data back and do something with it in React.
What I can't seem to figure out is how to hook in that same JWT token when trying to access the generic view. When I browse to it, I get
HTTP 401 Unauthorized
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
WWW-Authenticate: JWT realm="api"
{
"detail": "Authentication credentials were not provided."
}
Which I guess makes sense since I'm not going through any React authentication. Yet, it's the same server. Should be the same authentication (and in fact the login accounts are being managed by Django).
I've googled, and read (and tried) a bunch of different things and can't seem to wrap my head around what I am doing wrong. Any help, or any direction, would be much appreciated.
When you make a request from a browser, you can only rely on session cookies. The browser is not able to automatically add an access token to the request. In order to make a request with an access token, you have to make it using Javascript.
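What the answer means in practice, as an added example (not code from the question, the answer, or Django REST framework): typing http://localhost:8000/tables/data into the address bar sends cookies only, so a token-only view answers 401 with the WWW-Authenticate challenge shown above; from JavaScript the token is attached explicitly. The helper parses the challenge so the client sends the scheme the server actually asks for (this page shows both `JWT realm="api"` and `Bearer error="invalid_token", ...`), and turns a 401 into a readable reason. The URL and the `JWT` scheme come from the question; nothing further is assumed about the server.

```javascript
// Added example; not code from the original question or answer.
// Parses RFC 7235 challenges and attaches the token from JavaScript, which a
// plain browser navigation cannot do.

const TCHAR = /[A-Za-z0-9!#$%&'*+\-.^_`|~]+/; // RFC 7230 token characters

// Parse one challenge such as `JWT realm="api"` or
// `Bearer error="invalid_token", error_description="The token is expired"`
// into { scheme, params }. Returns null if there is no scheme at all.
function parseChallenge(wwwAuthenticate) {
  const head = new RegExp('^\\s*(' + TCHAR.source + ')\\s*(.*)$').exec(wwwAuthenticate || '');
  if (!head) return null;
  const params = {};
  // key = "quoted value" | bare-value ; quoted values may contain \" escapes
  const param = new RegExp('(' + TCHAR.source + ')\\s*=\\s*(?:"((?:[^"\\\\]|\\\\.)*)"|([^\\s,]+))', 'g');
  let m;
  while ((m = param.exec(head[2])) !== null) {
    params[m[1].toLowerCase()] = m[2] !== undefined ? m[2].replace(/\\(.)/g, '$1') : m[3];
  }
  return { scheme: head[1], params };
}

// Turn status + challenge into something a developer can act on: which scheme
// the server expects and why it refused (missing credentials vs. expired token).
function explainResponse(status, wwwAuthenticate) {
  if (status !== 401) {
    return { ok: status < 400, expectedScheme: null, reason: status < 400 ? null : 'HTTP ' + status };
  }
  const ch = parseChallenge(wwwAuthenticate);
  if (!ch) return { ok: false, expectedScheme: null, reason: '401 without a WWW-Authenticate challenge' };
  const reason = ch.params.error_description || ch.params.error
    || 'credentials missing or rejected' + (ch.params.realm ? ' for realm ' + ch.params.realm : '');
  return { ok: false, expectedScheme: ch.scheme, reason };
}

// Build the Authorization value for the scheme the server uses; refuse tokens
// that are not valid token68 strings (quotes, spaces) rather than send garbage.
function authorizationFor(scheme, token) {
  if (typeof token !== 'string' || !/^[A-Za-z0-9\-._~+/]+=*$/.test(token)) {
    throw new Error('token is not a valid token68 value');
  }
  return scheme + ' ' + token;
}

// Browser side: the request the address bar cannot make. The scheme defaults
// to the one the question's server advertises in its challenge.
async function fetchWithToken(url, token, scheme = 'JWT') {
  const res = await fetch(url, {
    headers: { Authorization: authorizationFor(scheme, token), Accept: 'application/json' },
  });
  const verdict = explainResponse(res.status, res.headers.get('WWW-Authenticate'));
  if (!verdict.ok) {
    throw new Error(url + ': ' + verdict.reason
      + (verdict.expectedScheme ? ' (server expects scheme ' + verdict.expectedScheme + ')' : ''));
  }
  return res.json();
}
// Usage from the React app, with the token it already stores:
//   fetchWithToken('http://localhost:8000/tables/data', storedToken).then(console.log)
```

The "Authentication credentials were not provided" body in the question is exactly the missing-credentials case: the challenge carries a realm but no `error`, so `explainResponse` reports the scheme (`JWT`) the client has to use.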

React.js and Odoo CORS and auth verification problem

I want to make a React.js app that can interact with Odoo and its endpoints in a secure way while allowing to have the auth flag set to user and cors enabled.
For this I've set an endpoint like this:
@http.route('/endpoint', type='json', auth="user", cors="*")
def endpoint(self, **params):
    ...
This works with no problem when I post with axios from React.js with auth set to none, but I want to keep user authentication, and if I do keep it with auth="user" I get the following.
Access to XMLHttpRequest at 'http://localhost:8069/endpoint' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
I don't understand, I have the cors flag in the endpoint and I'm sending in the headers the session_id that the authenticate method gives me.
"Content-Type": "application/json",
Accept: "application/json",
"X-Openerp-Session-Id": Cookies.get("session_id"),
I've tried many things but none has yielded a good result. Is there no way to tell Odoo through a header that I'm a real user outside a template rendered by its engine? While keeping CORS enabled (which apparently I haven't been able to do regardless of what the official documentation tells me) and an auth flag to keep the data secure?

Client Credential Grant Type Not Supported with a Custom B2C Policy

I am trying to generate an access token from our policy but I am getting this error.
AADB2C90086: The supplied grant_type [client_credentials] is not supported.
This is a sample postman request
POST /{tenant}/oauth2/token?p=B2C_1A_SignUpOrSignInWithAAD HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
grant_type=client_credentials&client_id={client_id}&resource=https%3A%2F%2F{app_url}&client_secret={client_secret}
but it works fine if I don't use our custom policy and just go direct to the B2C tenant
POST /{tenant}/oauth2/token?api-version=1.0
... same as above
Is there something missing in our custom policy?
B2C does not support the Client Credential Flow. Additional details are here. And here Daemons/server-side apps.
but it works fine if I don't use our custom policy
That's because you're getting a token from Azure AD, not B2C.

Bearer token auth 401 from angular application but not from Postman

I have an API running asp.net core using jwt bearer token authentication. The authentication scheme seems to be working perfectly when I hit the API through Postman providing the Authorization header with my requests.
When I hit the API from my angular application, I get a 200 on the pre-flight request and then a 401 on the actual request.
The WWW-Authenticate message says:
Bearer error="invalid_token", error_description="The token is expired"
However, when I copy the bearer token out from my request from the angular application, and use that same token in a request from Postman, it works fine and I get my data back.
I'm sure I'm doing something stupid. But sometimes it will work just fine from the angular app, then sometimes when I run it, it will not work at all.
Any ideas are appreciated.
I had the same problem and I solved it.
When I passed the token from Angular localStorage to the headers, it added double quotation marks, so the header was incorrect.
I changed Authorization: Bearer "token" to
Authorization: Bearer token (without the double quotation marks) and everything is fine now.
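The failure that answer describes, reproduced and fixed, as an added example (not code from the question, the answer, or Angular): a token written to localStorage with JSON.stringify comes back wrapped in quotes, so the header becomes `Authorization: Bearer "eyJ..."` and a bearer handler rejects it. The helper reads the stored value back the way it was written and refuses to build a header from anything that is not a syntactically valid bearer token. The storage key `token` and the in-memory localStorage stand-in are assumptions so the code also runs under Node.

```javascript
// Added example; not code from the original question or answer, nor from Angular.
// Reproduces the quoted-token bug and the fix.

// In-memory stand-in for window.localStorage so this also runs under Node.
const storage = typeof localStorage !== 'undefined' ? localStorage : (() => {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
})();

const B64TOKEN = /^[A-Za-z0-9\-._~+/]+=*$/; // RFC 6750 token syntax: no quotes or spaces
const KEY = 'token';                         // assumed storage key

// The buggy write: JSON-encoding a plain string adds surrounding quotes.
function saveTokenJson(token) { storage.setItem(KEY, JSON.stringify(token)); }
// The correct write for a plain string.
function saveTokenRaw(token) { storage.setItem(KEY, token); }

// Read back and normalise: decode a JSON-encoded string if one is found, so a
// token written by either routine comes back bare.
function loadToken() {
  const v = storage.getItem(KEY);
  if (v === null) return null;
  if (v.length >= 2 && v[0] === '"' && v[v.length - 1] === '"') {
    try {
      const parsed = JSON.parse(v);
      return typeof parsed === 'string' ? parsed : null;
    } catch (e) {
      return null;
    }
  }
  return v;
}

// Build the header value, refusing anything that is not a syntactically valid
// bearer token; failing here is clearer than an "invalid_token" 401 from the API.
function authorizationHeader(token) {
  if (typeof token !== 'string' || !B64TOKEN.test(token)) {
    throw new Error('refusing to build Authorization header from invalid token');
  }
  return 'Bearer ' + token;
}

// What a strict server-side bearer handler sees: scheme, one space, token.
function serverAcceptsHeader(headerValue) {
  const m = /^Bearer (\S+)$/.exec(headerValue || '');
  return Boolean(m && B64TOKEN.test(m[1]));
}
```

With the JSON write, `'Bearer ' + storage.getItem('token')` yields the quoted form the server rejects; reading through `loadToken` and building the header with `authorizationHeader` produces the bare `Bearer eyJ...` the server accepts.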

IE11 overrides Bearer authorization header in intranet environment

I'm encountering a pretty strange issue in IE11 where the browser is overriding the Authorization header in my requests even though I am setting it via AngularJS.
Basically, I have an HTTP interceptor registered for all requests that looks like this:
AuthInterceptorService.request = function (config) {
config.headers.Authorization = "Bearer " + bearerToken;
}
This works great in all browsers (even IE under certain conditions). I have my app set up in IIS as allowing anonymous authentication and I have basic/integrated authentication disabled for this subsite; however, the parent configuration has Windows authentication enabled.
What is happening occasionally is that the browser will make a request to the root URL for a static file (say, /favicon.ico). This request is denied with a 401. The browser responds with negotiated authentication and gets the favicon. At this point, all other browsers still let my code set the Authorization header, but once this integrated authentication happens in IE, the authorization header seems to get stuck - no matter what my code does, the authorization header is always using integrated authentication. This causes all requests to my API to fail because no Bearer token is present.
I was able to work around the favicon issue by specifying a more local favicon (where static files can be served anonymously), but I am wondering if there is a less hacky solution to this issue. Can I somehow convince IE to let me set the Authorization header even if Windows authentication has taken place on a previous request?
Note: I found this question which seems to be related (maybe the same underlying cause).
If you look at the Negotiate Operation Example of the RFC 4559 document, it involves a pseudo mechanism used by IE to negotiate the choice of security when authenticating with IIS.
The first time the client requests the document, no Authorization header is sent, so the server responds with
S: HTTP/1.1 401 Unauthorized
S: WWW-Authenticate: Negotiate
The client will obtain the user credentials using the SPNEGO GSSAPI mechanism type to identify generate a GSSAPI message to be sent to the server with a new request, including the following Authorization header:
C: GET dir/index.html
C: Authorization: Negotiate a87421000492aa874209af8bc028
The server will decode the gssapi-data and pass this to the SPNEGO GSSAPI mechanism in the gss_accept_security_context function. If the context is not complete, the server will respond with a 401 status code with a WWW-Authenticate header containing the gssapi-data.
S: HTTP/1.1 401 Unauthorized
S: WWW-Authenticate: Negotiate 749efa7b23409c20b92356
The client will decode the gssapi-data, pass this into Gss_Init_security_context, and return the new gssapi-data to the server.
So, I don't think it's possible for you to intermingle while the negotiation takes place, as the process is internal.
