I'm working in a demo where I need to consume a REST API that needs an access token. Currently I'm generating this token with Postman and using it parametrically but I need to make automatic. I already have everything I need but the service to generate this token.
If someone can help me, I would be very thankful.
I tried to generate the token with Postman and use it in a variable, it works, but I need to make ir automatic.
Related
I am new to Micronaut and trying to develop a gateway that connects on the client side to a REST API. The API requires an authentication token which is obtained by first sending a POST requests with credentials in the body. The API is then responding with a valid token which needs to be refreshed from time to time. I am able to inject a bearer token in the headers to authenticate my requests but I do not understand whether I have to handle the whole authentification process myself or if the Micronaut framework can manage it on its own?
Thank you very much for your help.
You could create an HttpClientFilter to handle authentication, refresh and the header. You can find an example here which cover basic authentication.
Yours will be more complicated since you need to refresh etc.
Also doing this way, allow you to decouple your authentication code from your API.
I am trying to access an API by only using a Web address. The documentation says:
Is there any way this would be achievable through the use of only the Web address?
I don't need to know this, but I am just curious.
I am sorry if this question is very basic; I'm just learning how to use apis.
As the text explain, this API uses an HTTP Header named Authorization to receive a Bearer token. It's impossible to access it directly on browser, you will need to use curl for example to access it directly.
There are a few visual tools to allow you debugging some api that you will be able to do this request, like Postman and Insomnia.
I have a Lambda function which triggered by API Gateway service, however this API is accessed by front-end application, this application not requiring the users to login or sign up to use it.
However I would like to secure my API to allow only from my front-end application.
After my research I found that I can use custom authorization in API Gateway, this custom authorization will check the authorization header of the incoming request and validate it.
the question is, can I use Amazon Cognito for something like this(implicit grant type)?
if not what is the thing that the front-end application will send to me to be validated and how can I keep it always changeable, so no one can guess it?
Thank You.
You could check the headers, but if they're always the same, someone can send an HTTP request with those headers - from any client - and trick your Lambda into thinking it's coming from your UI.
Even if you generate a unique token every time your UI is loaded and include it in the headers, someone could take that token and send requests from another client as well.
You could build fancy JavaScript tricks to make headers more dynamic, but it would only make it harder to use your API from another client, not impossible.
How can i get auth token by token endpoint /az/v1/token from mfp8? I try to get it by Postman http "post" request with non confidential client credentails and have been getting "errorCode":"invalid_client" all the time. What do i need for validateCredentials method, on my Security Check, works? Thank you in advance!
As a first step, you need to register a confidential client for your use. Specify the scopes that you need authenticated into. Once this is done, in your Postman REST client, provide the confidential client credentials in Basic authentication, grant type and scopes in the headers.
Fire away and you should have the Bearer token for your use.
More details here.
if you want to simulate multiple clients for some test scenario, Please follow this blog https://mobilefirstplatform.ibmcloud.com/blog/2016/08/09/performance-testing-for-mobilefirst-foundation-8-0/#prerequisites
Using JMeter ,test flow that emulates multiple MobileFirst clients is described in detail with step by step instruction and scripts.
This question already has answers here:
How do I authorise an app (web or installed) without user intervention?
(2 answers)
Closed 5 years ago.
I have a client id and client secret for my Google Container Engine app obtained via Credentials and I just want to do some local testing of the JSON API endpoints.
How can I convert this into a Bearer token so that I can just get some work done? Is there a Google page where I provide these things and get a token that I can use in my app?
I don't want to have to write an entire OAuth handling mechanism at this point in time (which would use the flow described in oauthplayground). It's an app to be run only for my account, in headless mode, on a trusted machine, to manage my cluster.
NOTE: must not require any proprietary software installations (e.g. the Google SDK).
Google provides an API Client Library for Java, which itself depends on an OAuth client library.
For the project of 9Cards launcher for Android, within the back-end, we had to use this library to fetch applications usage statistics from Google Analytics. In our code, because it is a case of "server to server" authentication, we use a Service Account's credentials. The code issues a request from Google a short-lived OAuth2 Auth Token. The library may provide similar features if you use a Client-ID and Client-Secret.
Regarding the issue of licenses, the library is published under Apache License v2, so in that regard it is not too proprietary.
I have a client id and client secret for my Google Container Engine app obtained via Credentials and I just want to do some local testing of the JSON API endpoints.
Good start. I guess by "the JSON API endpoints" you mean the Google APIS. Make sure you created OAuth Client IDs and not one of the other options.
How can I convert this into a Bearer token so that I can just get some work done? Is there a Google page where I provide these things and get a token that I can use in my app?
Yes the OAuth Playground will do that for you. The detailed steps and sample code to consume the token is at How do I authorise an app (web or installed) without user intervention? (canonical ?)
I don't want to have to write an entire OAuth handling mechanism at this point in time (which would use the flow described in oauthplayground).
Follow the steps linked to above and you will see that you don't need to write any code at all. Once you have the refresh token (a one time procedure), you're all set. I exaggerate slightly, you do need one line of code to post the refresh token to the Google Oauth endpoint to fetch an access token. See the bottom of the linked answer for an example. Or you could just compose a curl to do it from the command line and put the Access Token into an environment variable.
I just wanted to avoid the whole thing and get a code printed on the screen
A bit like https://youtu.be/hfWe1gPCnzc?t=198