Created a container with Postgrest (REST API to Postgres tables/views). Postgrest uses JWT authentication to derive user name to connect to the database. Basically a header with "Authorization: Bearer ". The container is deployed inside Kubernetes. To protect from unauthorized access is used Ambassador. Ambassador has basic authentication and requests user and password when trying to access the container.
Trying to access this configuration with Postman or curl can't make it work with both authentications active. So that Ambassador asks for user and password and after authenticating user the request proceeds with the JWT token used by Postgrest. Is there at all a way to do that?
Tried to put both authentications together as header "Authorization: Basic <username:password in base64>, Bearer ". Does not work.
Tried using Poorman's Bearer Authentication from here: API key auth for Ambassador . Also does not work.
Ended up using bypass_auth: true in the Ambassador mapping for the Postgrest container. Considering to try JWT filter in the Ambassador mapping (https://www.getambassador.io/docs/edge-stack/latest/topics/using/filters/jwt).
Related
There are two levels of authentication in my API
Basic auth for the API domain (API hosted website is secured through a basic auth)
Basic auth for the specific API call.
I used the following call and domain level basic auth is working. But API call level basic auth isn't working.
curl https://example.com/test.json
-u "abc:abcd1234" // domain level authentication
-k -H 'Authorization: Basic erwf234werwrefdsf234245wewrwer==' // API call level authentication
-d 'data={}'
I do not believe you can it if both services require the same header for authorization.
Both methods (-u and -H) end up putting the information in the same header field (more detail is provided here: cUrls's option "-u" )
Additionally, here is a discussion about the use of multiple headers with the same name, as well as the option for some headers (but not Authorization) to accept multiple values as a list:
Multiple authentication schemes for HTTP 'Authorization' Header
I have been using drf since a couple of months . For authentication I decided to use djoser package and use JWT token for better authentication. However whenever i try to use postman to send requests i can only send the three jwt requests. I'm wondering if i can use the Base endpoints as well such as re-setting the password and finding the user-
Base Endpoints - https://djoser.readthedocs.io/en/latest/base_endpoints.html
Not able to send requests. the error on postman always comes as "detail": "Authentication credentials were not provided."
even if i apply the Bearer Token type in postman.
can someone tell me how to use Base endpoints along with jwt ?
To use JWT with Djoser, send a Get request to
http://127.0.0.1:8000/auth/users/me
Instead of Bearer or Token, Set your Authorization header pass JWT as follows:
Authorization: JWT your-JWT-access-token
Here's a sample request using insomnia
> GET /auth/users/me/ HTTP/1.1
> Host: 127.0.0.1:8000
> Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNTk1MDYyNTcxLCJqdGkiOiI2NmZkODFkNDVlNmY0OTdlYWZiMGExZWE2YmRmZmM0MyIsInVzZXJfaWQiOjF9.uXZadgc_hYcS79tuZWet_4eDqNQlduKpcmD1a2JvfjY
if you had set up your urls correctly it will return your username, email and user-ID
I'm developing a solution that has: an Authorization Server (AS), a Resource Server and two clients. The two clients are: a web app with Angular 2 and a mobile app with Angular 2 + Ionic 2. I have started to develop the Authorization Server following this sample https://github.com/Baeldung/spring-security-oauth
For both the clients, I have decided to use the "Password Code Grant" because the client are trusted by the AS.
But now I have a problem storing the "client secret code" on the apps. Because the API (.../oauth/token) is secured by Basic Authentication so every time that I ask a token to the AS I need to send something like that:
curl.exe -v -u client_id:client_secret http://localhost:8080/backend/oauth/token -d grant_type=password -d client_id=client_id -d username=admin -d password=admin
So, the questions are:
Where I can store safely the client secret code on the apps?
Is it safe to remove the Basic Authentication from the oauth API?
Have I use another code grant type?
Thank you,
Paolo
Applications running in a browser (Angular) are not able to keep their secrets safe, so I would choose the OAuth2 Implicit flow. The implicit flow requires the use of HTTPS for communication with your Authorization Server, since the tokens are transferred over the network.
You should not remove the authentication from the token endpoint - it would compromise other flow types. For example the authorization grant flow doesn't require the client to be served by HTTPS and the auth code can be visible to anyone, so the token endpoint secret is important there (the Resource Server must ask for the tokens using HTTPS).
Using the implicit flow, you will have to check the validity time of the access token and request a new one before the current one expires. For example using the prompt=none auth request parameter.
I am developing an app to access its own resources via Rest endpoints.
Users are required to acquire access token via email/password. After completed Authentication server configuration, I had this observation:
With:
curl client:secret#localhost:9999/uaa/oauth/token -d grant_type=password -d username=user -d password=password
I am getting the correct response:
{"access_token":"7541a4f6-e841-41a0-8a54-abf8e0666ed1","token_type":"bearer","refresh_token":"d3fdd7e3-53eb-4e7b-aa45-b524a9e7b316","expires_in":43199,"scope":"openid"}
However With:
curl http://localhost:9999/uaa/oauth/token -d grant_type=password -d username=user -d password=password -d client_id=client -d client_secret=secret
I am getting the following error:
DEBUG 4123 --- [nio-9999-exec-7] o.s.s.w.a.ExceptionTranslationFilter
: Access is denied (user is anonymous); redirecting to authentication
entry point
org.springframework.security.access.AccessDeniedException: Access is
denied at
org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
It looks like the client_id & client_secret are not being recognized when send as parameters. Is this a configuration issue or to do with the version of OAuth2 I am using (spring-security-oauth2, 2.0.5.RELEASE)
A lot of example I come across on the Internet suggest approach one should work with OAuth2.
Thanks :)
There's no method of authenticating the Client against the Authorization Server that is mandatory to implement by spec. Two methods that have been specified that MAY be supported are the HTTP Basic Authentication pattern and the HTTP POST parameter pattern that you've used in your examples. Apparently Spring supports only the first, which seems to be supported by the docs at: http://projects.spring.io/spring-security-oauth/docs/oauth2.html
Yes, lots of examples show the client credentials being passed as form parameters, but it turns out that approach is not recommended, while passing the credentials using "Basic" authentication via the HTTP Authorization header is standard.
Section 2.3.1 of RFC 6749 says
The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.
And further says
Alternatively, the authorization server MAY support including the
client credentials in the request-body using the following
parameters:
client_id ...
client_secret ...
Including the client credentials in the request-body using the two
parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
to directly utilize the HTTP Basic authentication scheme (or other
password-based HTTP authentication schemes).
In my experience, however, there are some servers that, in violation of the RFC, will not accept HTTP Basic authentication and will only accept form parameters in the body.
The documentation for the Heroku platform API states that it can be accessed with basic HTTP authentication using the API token, as follows:
HTTP basic authentication must be constructed from email address and
api token as {email-address}:{token}, base64 encoded and passed as the
Authorization header for each request, for example Authorization:
Basic 0123456789ABCDEF=.
We have tried this but keep on getting an "Invalid credentials provided" error.
However, if we substitute our Heroku account password for the token, authentication works:
e.g. {email-address}:{password}, base64 encoded.
However, we don't want to have to use our password for API authentication. How do we get this working using the API token as described?
Look again at the same documentation you linked to (it has changed in the meantime).
You should use Authorization: Bearer HEROKU_TOKEN, not Authorization: Basic HEROKU_TOKEN as you are doing.