Admin Oauth authentication in Ejabberd - api

I am new to Ejabberd and Erlang and I am struggling to understand why I can only use the GET method to authenticate and not the POST.
I can successfully authenticate using the GET (https://myserver/oauth/authorization_token?response_type=token&client_id=Client1&redirect_uri=http://client.uri&scope=ejabberd:admin), which opens a web form that I will put my credentials and submit and it redirects me to a url like http://client.uri/?access_token=VuzKqO55OZoCFp45lBkapLis3dsMGKB7&token_type=bearer&expires_in=31536000&scope=ejabberd:admin&state=.
The problem is, I don't want to use the webform I want to use the API directly from my application, but I'm not allowed to use the POST method directly, even though that's what Ejabberd uses behind the scenes.
I can see it in ejabberd_oauth.erl both methods.
process(_Handlers,
#request{method = 'GET', q = Q, lang = Lang,
path = [_, <<"authorization_token">>]})
and
process(_Handlers,
#request{method = 'POST', q = Q, lang = _Lang,
path = [_, <<"authorization_token">>]})
I can't figure out why the GET is accessible and the POST isn't.

I'm not allowed to use the POST method directly
Do you mean something like this?
I first followed the standard procedure, and sniffed the HTTP traffic. Then I wrote a small shell script to perform the POST directly:
concents of call.sh:
CONTENT='username=user1%40localhost&password=asd&response_type=token&client_id=Client1&redirect_uri=http%3A%2F%2Fclient.uri&scope=get_roster+sasl_auth&state=&ttl=31536000'
curl -v -k -X POST -H "Content-type: application/x-www-form-urlencoded" \
-d "${CONTENT}" "http://localhost:5280/oauth/authorization_token"
Result:
❯ ./call.sh
...
< Location: http://client.uri?access_token=4Vh9Ib9JOJYFvUILjzNouNlrkWRIsgs8&token_type=bearer&expires_in=31536000&scope=get_roster sasl_auth&state=
...
A more complex way to obtain a token, as explained in https://docs.ejabberd.im/developer/ejabberd-api/oauth/#authorization-token is to use the oauth_issue_token ejabberd command. For that you must enable ReST or ejabberd_xmlrpc, and you have to restrict permissions, as that gives access to all ejabberd.

Related

GCP REST api authentication missing

I have created a job of JDBC to BigQuery using the web interface and it worked just fine.
Now I want to create the same job from the REST API of GCP so I took the rest equivalent of the request from the site and tried to send it from Postman.
I'm sending POST request for the following URL:
https://dataflow.googleapis.com/v1b3/projects/test-data-308414/templates:launch?gcsPath=gs://dataflow-templates/latest/Jdbc_to_BigQuery
which I got from the example in the GCP documentation.
I also pass the JSON that the GCP gave me in the body.
And the API key as get parameter in the next format "?key=[API_KEY]"
I'm getting 401 response from the server with the following message:
Request is missing required authentication credential. Expected OAuth
2 access token, login cookie or other valid authentication credential.
See
https://developers.google.com/identity/sign-in/web/devconsole-project.
With a status of:
UNAUTHENTICATED
I looked up at the link and found a tutorial on how to create google authentication on the front end
witch is not helpful to me.
I'm pretty sure that I'm passing the API key in the wrong format and that the reason it failed to authenticate.
But I couldn't find any documentation that says how to do it correctly.
PS> I have also tried passing it at the headers as I saw in one place
in the next format
Authorization : [API_KEY]
but it failed with the same message
Few days back I was trying to integrate GCP into MechCloud and struggling to figure out how to invoke a microservice ( which is acting as a proxy to GCP) with credentials for different projects which will be passed to this microservice on the fly. I was surprised that in spite of spending good amount of time I could not figure out how to achieve it because GCP documentation is focused on working with one project credentials at a time using application default credentials. Another frustrating thing is that API explorer shows both OAuth 2.0 and API Key by default for all the APIs when the fact is that API Key is hardly supported for any API. Finally I found the solution for this problem here.
Here are the steps to invoke a GCP rest api -
Create a service account for your project and download the json file associated with it.
Note down values of client_email, private_key_id and private_key attribues from service account json file.
Define following environment variables using above values -
GCP_SERVICE_ACCOUNT_CLIENT_EMAIL=<client_email>
GCP_SERVICE_ACCOUNT_PRIVATE_KEY_ID=<private_key_id>
GCP_SERVICE_ACCOUNT_PRIVATE_KEY=<private_key>
Execute following python code to generate jwt_token -
import time, jwt, os
iat = time.time()
exp = iat + 3600
client_email = os.getenv('GCP_SERVICE_ACCOUNT_CLIENT_EMAIL')
private_key_id = os.getenv('GCP_SERVICE_ACCOUNT_PRIVATE_KEY_ID')
private_key = os.getenv('GCP_SERVICE_ACCOUNT_PRIVATE_KEY')
payload = {
'iss': client_email,
'sub': client_email,
'aud': 'https://compute.googleapis.com/',
'iat': iat,
'exp': exp
}
private_key1 = private_key.replace('\\n', '\n')
# print(private_key1)
additional_headers = {'kid': private_key_id}
signed_jwt = jwt.encode(
payload,
private_key1,
headers=additional_headers,
algorithm='RS256'
)
print(signed_jwt)
Use generated jwt token from previous step and use it as a bearer token to invoke any GCP rest api. E.g.
curl -X GET --header 'Authorization: Bearer <jwt_token>' 'https://compute.googleapis.com/compute/v1/projects/{project}/global/networks'
The best practice to authenticate a request is to use your application credentials. Just make sure you installed the google cloud SDK.
curl -X POST \
-H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d #request.json \
https://dataflow.googleapis.com/v1b3/projects/PROJECT_ID/templates:launch?gcsPath=gs://dataflow-templates/latest/Jdbc_to_BigQuery

How can we log into a webserver using username password csrftoken and csrfmiddlewaretoken

I am trying to log into a server using my authentication(username and password) for app development purpose with swift 4. However my server requires csfrtoken and csrfmiddlewaretoken. How can I extract the csrfmiddlewaretoken value and make a Post request to log with all the other authentication?
Keep tadmans comment in mind. If you really want to do it the way as you described it in your question you would need to make a GET request in order to parse the CSRF token of your desired login page. The token should be located inside the login form.
I have added a bash script to extract the token from stackoverflow as a reference:
fkey=`curl https://stackoverflow.com/users/login? | grep -P -o '(?<=value\=\")\w*(?=\")'`
echo $fkey # got the token
# make a post request with the freshly parsed token
curl -L -c cookies -d 'fkey='$fkey'&ssrc=head&email=MY_MAIL_ADDRESS&password=MY_PASSWORD&oauth_version=&oauth_server=&openid_username=&openid_identifier=' https://stackoverflow.com/users/login?ssrc=he$
# finally browse the site with your obtained cookies
curl -b cookies https://stackoverflow.com/users/7727583/yannic-hamann
It is convenient to set up a token-based authentication method via the Django REST framework. But this is only an option in case you are developing your own API.

How to make Twitter API call through curl in unix

I would like to pull the data from Twitter REST API. I have created the consumer key, secret and Access token, secret. I have tried with "Test OAuth", it generates a CURL command but if I change any one parameter then it is giving the below error.
Message: {"errors":[{"code":32,"message":"Could not authenticate you."}]}
Now I would like to call the twitter API using CURL in shell script for different screenNames.
I want a sample command some thing like mentioned below
curl --get 'https://api.twitter.com/1.1/statuses/user_timeline.json' --data 'count=2&screen_name=aswin' APIKEY:"xxxxxx",Acesstoken:"yyyyyyyy"
Thanks in advance.
Regards,
Aswin
I found the answer.
curl --get 'https://api.twitter.com/1.1/statuses/user_timeline.json' \
--data 'count=2&screen_name=twitterapi' \
--header 'Authorization: OAuth oauth_consumer_key="AAAAAAAAAAAAAAAAAAAA", oauth_nonce="BBBBBBBBBBBBBBBBBBBBBBB", oauth_signature="CCCCCCCCCCCCCCCCCCCCCCCCCCC", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1471672391", oauth_token="DDDDDDDDDDDDDDDDDDDDDDDDDDDDDD", oauth_version="1.0"'
Since your specific query doesn't require a user context you can use Application only authentication to make this request. The bearer token won't change per request so it should allow you to keep using curl.
https://dev.twitter.com/oauth/application-only
n.b. it won't work for all endpoints, but should for the case you listed.
Because most twitter requests require calculating the oauth signature, you should either write a client yourself or reuse an existing command line client.
https://github.com/twitter/twurl
https://github.com/sferik/t
https://github.com/yschimke/oksocial/wiki (Mac focused/cross service)
As you saw any change to the request will generally invalidate the query, and even time is one of the inputs.

OAuth2 without confirmation code using Python requests

I am trying to get a response from payever's API
I managed to get the authorization token using only my client_id and my client_secret, the problem is when I try to pass in the paramters as suggested by the documentation, I get the following error response:
u'{"error":"access_denied","error_description":"OAuth2 authentication required"}'
I assume it is because I didn't go through the whole OAuth2 flow, the problem is that to be compliant with that, I would need a confirmation code, which I never need since I can obtain the access token using only my client_id and client_secret.
Any ideas on how to do this? I have looked all around, trying to skip even some steps with the requests_oauthlib:
import requests_oauthlib
token = get_token(client_id, client_secret)
oauth = requests_oauthlib.OAuth2Session(client_id, redirect_uri=redirect_uri, scope=scope)
oauth.token = access_token
oauth.access_token = True
payments_url = 'https://mein.payever.de/api/payment'
rr = oauth.get(payments_url)
but no luck
u'{"error":"invalid_grant","error_description":"The access token provided is invalid."}'
EDIT:
I used subprocess.check_output('curl -......') and worked fine
By looking at the Payever API, I would not use requests_oauthlib, but pure requests instead. API seems to be extremely simple, so there is no need for Oauthlib.
I would start by accessing the resources with directly Curl in terminal or using pure Requests-library in Python.
API referece shows following way to get token:
curl -k https://mein.payever.de/oauth/v2/token \
-d client_id="{client_id}" \
-d client_secret="{client_secret}" \
-d grant_type="http://www.payever.de/api/payment" \
-d scope="API_CREATE_PAYMENT"
JSON response contains access_token and it can be used to access the resource with Curl command explained in the reference: Payever API reference

Authenticating to Magento Rest API via Curl and token-based authentication fails

As all I want to do is connect to my own site, I should be able to ignore oAuth and do token-baseed authentication as per:
http://devdocs.magento.com/guides/v2.0/get-started/authentication/gs-authentication-token.html
My curl request looks exactly like:
curl -X POST "https://magento.host/index.php/rest/V1/integration/admin/token" \
-H "Content-Type:application/json" \
-d '{"username":"test#example.com", "password":"123123q"}'
The response I get is a HTML page from my own site that basically says 'page not found' I'm obviously going to the correct domain, but it seems something else in the URL is incorrect. Any ideas?
Am I using the wrong URL?
In version 1.9 you need to create a Guest endpoint. Then you don't need to use oAuth. You can see how to use it here: http://devdocs.magento.com/guides/m1x/api/rest/introduction.html
An authentication system that uses REST so that you do not need to actually track or manage the users in your system. This is done by using the HTTP methods POST, GET, PUT, DELETE. We take these 4 methods and think of them in terms of database interaction as CREATE, READ, UPDATE, DELETE.
There is no direct way to use REST token based authentication on the Magento 1.x version. You need to write this functionality to you for your own. I have write this functionality by using REST API and you can also follow this article for more details.
https://www.ipragmatech.com/magento-token-base-rest-api-for-authentication-and-authorization