I am running keycloak using docker with an intention to authenticate user via rest api.
Currently, my configuration includes using grant_type=password along with client-id and client-secret to authenticate a client.
curl --location --request POST 'http://localhost:8079/auth/realms/demo/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'client_secret=234k23jk42j23i4u23iwerwlekrjwl'
--data-urlencode 'username=thor' \
--data-urlencode 'password=thor' \
--data-urlencode 'grant_type=password'
I have set to use signed jwt for my client for which I have a PEM file.
How do I supply PEM file in REST API to get access_token for the user ?
Related
I have created a GraphQL API with NestJS. Some endpoints are guarded by an access token. I use Auth0 to authenticate the user and get the access token.
I get the access token by running this command:
curl --request POST \
--url 'https://dev-9fo2g1ve.us.auth0.com/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=password \
--data username=test2#test.com \
--data password=123456789Test \
--data audience=MY_AUDIENCE \
--data scope=read:sample \
--data 'client_id=MY_CLIENT_ID' \
--data client_secret=MY_CLIENT_SECRET-
When I pass the bearer token's access_token value in the HTTP header, and call a guarded endpoint, it works fine when the API is running on localhost. However, when I deploy the API, it returns an Unauthorized 401 error.
Thanks for your help!
I am still receiving access_denied error even I have setup the required configuration I have found on Auth0 documentation https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-authorization-code-flow#authorize-user
I have already enabled Implicit, Authorization Code, Refresh Token, Client Credentials on my application grant_types and enabled Refresh Token Rotation too.
I have tried researching more about this but I can't find anything on google as I am probably the first one encountering this? Or probably I am missing something out here.
here's the sample curl request I have
curl --location --request POST 'https://{MY_AUTH0_DOMAIN}/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--header 'Cookie: did=s%3Av0%3A6b3f22c0-ac00-11ec-b070-
0b6e59231b0a.LT0c0bBGB4EukRqKLcGtHtt9t%2B3YtiQ1nQ07bfKCkyU;
did_compat=s%3Av0%3A6b3f22c0-ac00-11ec-b070-
0b6e59231b0a.LT0c0bBGB4EukRqKLcGtHtt9t%2B3YtiQ1nQ07bfKCkyU' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'client_id={MY_CLIENT_ID}' \
--data-urlencode 'refresh_token=v1.MemAxcxZBez46BV3cDnUo97zIY_lfNDi15XTCDJr5tQKbrEvnZzBjiVNvtOfrny3A0QD1AsoUDLJETl3rFkzLMM'
I found the issue, in their documentation https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-authorization-code-flow#authorize-user it doesn't require you to pass client_secret but it is needed when you do request for a refresh_token. Found it here https://community.auth0.com/t/use-refresh-tokens-in-node-js-and-axios-receiving-401-error-access-denied-unauthorized/79615
How to get jwt token in single step(api call) from aws cognito oauth2/token endpoint passing username and password
curl --location --request POST 'https://xxx.auth.us-east-2.amazoncognito.com/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic a......k' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=t34...nu'
--Authorization base64ecoded username:password
Response- "error": "invalid_client"
App client settings :
Allowed OAuth Flows : Authorization code grant, Implicit Grant
Allowed OAuth scope : email , openid
App clients : ALLOW_USER_PASSWORD_AUTH
I tried oauth2/authorize too but getting html page in response
There's no need to add the Authorization header. Instead, use the code you see in the URL. This worked for me.
curl --location --request POST 'https://xxx.auth.us-east-2.amazoncognito.com/oauth2/token'
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'grant_type=client_credentials'
--data-urlencode 'client_id=t34...nu'
--data-urlencode 'code=afa78ac6-..-b8dd-5b'
--data-urlencode 'redirect_uri=path'
The client credentials flow to the token endpoint is to receive an access token for machine to machine communication. It is not based on a given user so no user name and password is required.
See 'Exchanging Client Credentials for an Access Token'
https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
To sign in with the oauth endpoints it is intended to do this via the HostedUI or an external IDP. However, you can do it pro-grammatically but will require a call to authorize and login endpoint.. You can see an example in python here:
https://github.com/starkshaw/aws-cognito-user-pool-custom-scope
This is a late answer, but following worked for me nicely with a client_credentials workflow.
curl --request POST \
--url 'https://XYZ.auth.us-west-2.amazoncognito.com/oauth2/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data client_id=7*******e \
--data client_secret=2*****5pjk9valn
Here is the response I got:
{"access_token":"eyJra*****eA","expires_in":3600,"token_type":"Bearer"}
I am attempting to connect to the Rundeck API using CURL but I am getting a 401 Unauthorized error:
curl --insecure --location --request GET 'https://rundeck.example.com' --header 'Accept: application/json' --header 'X-Rundeck-Auth-Token: xyz'
401 Authorization Required
Authorization Required This server could not verify that
you are authorized to access the document requested. Either you
supplied the wrong credentials (e.g., bad password), or your browser
doesn't understand how to supply the credentials required.
Apache/2.2.15 (Oracle) Server at rundeck.example.com Port
80
If I try it using my username, it works.
curl --insecure --location -u 123456789 -p password --request GET 'https://rundeck.example.com' --header 'Accept: application/json' --header 'X-Rundeck-Auth-Token: xyz'
I created the auth token on Rundeck using my personal user that has admin privileges.
Please note that I have set up LDAP at web server level (httpd.conf) and control user access from there.
To access API you need to specify some action (for example: run a job, get metrics, etc.)
For example, get the instance metrics:
curl --location --request GET "http://yourhost:4440/api/34/metrics/metrics" --header "Accept: application/json" --header "X-Rundeck-Auth-Token: C8nVU5AhdzpQ8ucBeMG1ITFvSfaKCw6u"
Here you have a lot of examples.
Im trying to make a basic call to the ONELOGIN API. After generating the cliend ID and secret with MANAGE ALL permissions, im still unable to connect
Generated correctly the ID and secret with the right permissions as per official documentation
curl 'https://api.us.onelogin.com/auth/oauth2/v2/token' \
-X POST \
-H "Authorization: client_id:, client_secret:" \
-H "Content-Type: application/json" \
-d '{
"grant_type":"client_credentials"
}'
i expected to connect, instaead the output is
{"status":{"error":true,"code":401,"type":"Unauthorized","message":"Authentication Failure"}}