Is there any way to validate a JSON response in Paw, manually or via automation? I was told there is a way in Postman and was asked if it's possible in the Paw Mac tool as well.
I am working on an automation tool that does not support OAuth specifically, but it supports adding URLs and payloads, and has the following authentication methods: Basic, Digest, API Keys.
Is there a way to work around OAuth where I only use the above information, without using a callback URL, so that the process is programmatic?
Not enough information is available on this, but I tried with Google mail and had no luck.
While calling my AWS APIs using Postman, we are able to configure authorization as "AWS Signature". I want to implement the same with Karate and am really stuck on this, because the Authorization header is changed dynamically by Postman internally. Any help on this would be really great.
In the previous sandbox I was able to use the flight search tool directly within my Vue.js app. I was able to do this by passing the API key in a string. Since the changeover to the self-service API I am at a complete loss on how to implement the curl command in order to generate a token to use in my app. I have read the developer guide and it is spartan, to say the least. It doesn't provide any steps on how to incorporate this into any existing app. Does anyone have any ideas on how to do this?
Did you check the authorization guide? The new version of the Amadeus API program implements the standard OAuth2 process, which is more secure than the API key in the URL.
You have a curl example in the guide and examples in different languages.
You can check the GitHub organization as well to find more examples and different SDKs.
I am trying to access an API by only using a Web address. The documentation says:
Is there any way this would be achievable through the use of only the Web address?
I don't need to know this, but I am just curious.
I am sorry if this question is very basic; I'm just learning how to use APIs.
As the text explains, this API uses an HTTP header named Authorization to receive a Bearer token. It's impossible to access it directly in a browser; you will need to use curl, for example, to access it directly.
There are a few visual tools for debugging APIs that will let you make this request, like Postman and Insomnia.
I'm planning an API and I haven't found any information about where the access token should be placed in the response. I'm interested in the case where I'm providing the access token. What is the best practice to send the token to the clients (from the backend service)?
Should it be sent to clients in the Header or in the Body of the answer?
You should look at examples and see what others do. For example, Facebook, Twitter, Google, Amazon... and all those popular PaaS services exposing a REST API use OAuth2 as their authentication mechanism:
In OAuth2 you'll see the specification requires the generated token to be sent to the client in the body of a JSON response: https://www.rfc-editor.org/rfc/rfc6749#section-5 . But you can also see how Google and other vendors extend this mechanism so it can be sent as a callback URL parameter, for example (check out https://developers.google.com/identity/protocols/OAuth2UserAgent).
Once you get the authorization token, you put it in the Authorization: HTTP header you send on your requests for accessing protected resources. They have to support this way of doing it, because it is how the OAuth2 standard specifies it: https://www.rfc-editor.org/rfc/rfc6749#section-7
If you want to tinker a little bit more with OAuth, check out https://developers.google.com/oauthplayground
(OAuth is pretty much the same thing.)
They usually also extend the Authorization header mechanism to allow the token to be provided as a GET/POST parameter in the URL or the body of the response, respectively (for example, Facebook's Graph API also supports passing an access_token= parameter on your HTTP POST request body or GET URI). There is no way to manipulate or even read HTTP headers in a JavaScript browser application (see the modern fetch API and other proposals on Accessing the web page's HTTP Headers in JavaScript), so providing this functionality makes life easier for many app developers.
Another popular authentication scheme is SOAP authentication. It doesn't support tokens but it supports digest authentication, which is a similar thing. The interesting part of it is that it is not HTTP/Web based (although it is primarily used that way), so you can use it over other application protocols. It's a little more cumbersome, but you can find ready-to-use implementations for both server and client.
You can also use digest authentication over HTTP without SOAP. It is also based on Authorization: headers and every browser supports it. Check out https://en.wikipedia.org/wiki/Digest_access_authentication to see how the authorization headers are formed in different ways depending on the level of security you want to reach.
Some services, like Redmine, allow you to use an API token (API key) instead of a session token. Then you can do basic HTTP auth on your requests, like https://whatever:yourapikey@example.com/protectedMethod, although passing auth data in URLs is currently deprecated in favor of the basic auth header, and plain passwords / static API keys should only be sent over secured SSL connections. In this case the client can have the server generate an API key using a web interface or a REST API (so the generated key will be passed as a JSON response). This method may not be such a good idea, though: check http://talks.codegram.com/http-authentication-methods#/intro if you want to know why, and also this question discussing where to put them: Where should I place API keys in REST API calls?
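The token hand-off described in the answer above, as an added example that is not part of the original answer: a loopback server returns the token in the JSON body of an uncacheable response (RFC 6749 section 5.1), and the client presents it in the Authorization header. The endpoint paths, the in-memory token store and the one-hour lifetime are assumptions; client authentication at the token endpoint is omitted, and this demo server deliberately accepts the token only in the header.

```python
import json, secrets, threading, time, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKENS = {}  # token -> expiry (epoch seconds); in-memory store, demo only

class Handler(BaseHTTPRequestHandler):
    def _send(self, status, body, extra=()):
        self.send_response(status)
        for name, value in [("Content-Type", "application/json"), *extra]:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())

    def do_POST(self):  # hypothetical token endpoint (client authentication omitted)
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        token = secrets.token_urlsafe(32)
        TOKENS[token] = time.time() + 3600
        # Token goes in the JSON body; the response is marked as not cacheable.
        self._send(200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600},
                   [("Cache-Control", "no-store"), ("Pragma", "no-cache")])

    def do_GET(self):  # hypothetical protected resource: header-only token check
        scheme, _, cred = self.headers.get("Authorization", "").partition(" ")
        if scheme.lower() == "bearer" and TOKENS.get(cred.strip(), 0) > time.time():
            self._send(200, {"data": "protected"})
        else:
            self._send(401, {"error": "invalid_token"}, [("WWW-Authenticate", "Bearer")])

    def log_message(self, *args):  # silence per-request logging
        pass

def run_exchange():
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env
    def status(url, **headers):
        try:
            with opener.open(urllib.request.Request(url, headers=headers)) as r:
                return r.status
        except urllib.error.HTTPError as e:
            return e.code
    with HTTPServer(("127.0.0.1", 0), Handler) as srv:  # loopback, ephemeral port
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{srv.server_port}"
        try:
            with opener.open(f"{base}/token", data=b"grant_type=client_credentials") as r:
                cache, tok = r.headers["Cache-Control"], json.load(r)
            in_header = status(f"{base}/resource", Authorization="Bearer " + tok["access_token"])
            in_query = status(f"{base}/resource?access_token=" + tok["access_token"])
            return tok["token_type"], cache, in_header, in_query
        finally:
            srv.shutdown()
```

Calling `run_exchange()` returns the token type, the Cache-Control value of the token response, and the status codes for the header-based and query-string-based requests.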