There are two levels of authentication in my API
Basic auth for the API domain (API hosted website is secured through a basic auth)
Basic auth for the specific API call.
I used the following call and domain level basic auth is working. But API call level basic auth isn't working.
curl https://example.com/test.json
-u "abc:abcd1234" // domain level authentication
-k -H 'Authorization: Basic erwf234werwrefdsf234245wewrwer==' // API call level authentication
-d 'data={}'
I do not believe you can it if both services require the same header for authorization.
Both methods (-u and -H) end up putting the information in the same header field (more detail is provided here: cUrls's option "-u" )
Additionally, here is a discussion about the use of multiple headers with the same name, as well as the option for some headers (but not Authorization) to accept multiple values as a list:
Multiple authentication schemes for HTTP 'Authorization' Header
Related
Created a container with Postgrest (REST API to Postgres tables/views). Postgrest uses JWT authentication to derive user name to connect to the database. Basically a header with "Authorization: Bearer ". The container is deployed inside Kubernetes. To protect from unauthorized access is used Ambassador. Ambassador has basic authentication and requests user and password when trying to access the container.
Trying to access this configuration with Postman or curl can't make it work with both authentications active. So that Ambassador asks for user and password and after authenticating user the request proceeds with the JWT token used by Postgrest. Is there at all a way to do that?
Tried to put both authentications together as header "Authorization: Basic <username:password in base64>, Bearer ". Does not work.
Tried using Poorman's Bearer Authentication from here: API key auth for Ambassador . Also does not work.
Ended up using bypass_auth: true in the Ambassador mapping for the Postgrest container. Considering to try JWT filter in the Ambassador mapping (https://www.getambassador.io/docs/edge-stack/latest/topics/using/filters/jwt).
I'm developing a solution that has: an Authorization Server (AS), a Resource Server and two clients. The two clients are: a web app with Angular 2 and a mobile app with Angular 2 + Ionic 2. I have started to develop the Authorization Server following this sample https://github.com/Baeldung/spring-security-oauth
For both the clients, I have decided to use the "Password Code Grant" because the client are trusted by the AS.
But now I have a problem storing the "client secret code" on the apps. Because the API (.../oauth/token) is secured by Basic Authentication so every time that I ask a token to the AS I need to send something like that:
curl.exe -v -u client_id:client_secret http://localhost:8080/backend/oauth/token -d grant_type=password -d client_id=client_id -d username=admin -d password=admin
So, the questions are:
Where I can store safely the client secret code on the apps?
Is it safe to remove the Basic Authentication from the oauth API?
Have I use another code grant type?
Thank you,
Paolo
Applications running in a browser (Angular) are not able to keep their secrets safe, so I would choose the OAuth2 Implicit flow. The implicit flow requires the use of HTTPS for communication with your Authorization Server, since the tokens are transferred over the network.
You should not remove the authentication from the token endpoint - it would compromise other flow types. For example the authorization grant flow doesn't require the client to be served by HTTPS and the auth code can be visible to anyone, so the token endpoint secret is important there (the Resource Server must ask for the tokens using HTTPS).
Using the implicit flow, you will have to check the validity time of the access token and request a new one before the current one expires. For example using the prompt=none auth request parameter.
I am developing an app to access its own resources via Rest endpoints.
Users are required to acquire access token via email/password. After completed Authentication server configuration, I had this observation:
With:
curl client:secret#localhost:9999/uaa/oauth/token -d grant_type=password -d username=user -d password=password
I am getting the correct response:
{"access_token":"7541a4f6-e841-41a0-8a54-abf8e0666ed1","token_type":"bearer","refresh_token":"d3fdd7e3-53eb-4e7b-aa45-b524a9e7b316","expires_in":43199,"scope":"openid"}
However With:
curl http://localhost:9999/uaa/oauth/token -d grant_type=password -d username=user -d password=password -d client_id=client -d client_secret=secret
I am getting the following error:
DEBUG 4123 --- [nio-9999-exec-7] o.s.s.w.a.ExceptionTranslationFilter
: Access is denied (user is anonymous); redirecting to authentication
entry point
org.springframework.security.access.AccessDeniedException: Access is
denied at
org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
It looks like the client_id & client_secret are not being recognized when send as parameters. Is this a configuration issue or to do with the version of OAuth2 I am using (spring-security-oauth2, 2.0.5.RELEASE)
A lot of example I come across on the Internet suggest approach one should work with OAuth2.
Thanks :)
There's no method of authenticating the Client against the Authorization Server that is mandatory to implement by spec. Two methods that have been specified that MAY be supported are the HTTP Basic Authentication pattern and the HTTP POST parameter pattern that you've used in your examples. Apparently Spring supports only the first, which seems to be supported by the docs at: http://projects.spring.io/spring-security-oauth/docs/oauth2.html
Yes, lots of examples show the client credentials being passed as form parameters, but it turns out that approach is not recommended, while passing the credentials using "Basic" authentication via the HTTP Authorization header is standard.
Section 2.3.1 of RFC 6749 says
The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.
And further says
Alternatively, the authorization server MAY support including the
client credentials in the request-body using the following
parameters:
client_id ...
client_secret ...
Including the client credentials in the request-body using the two
parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
to directly utilize the HTTP Basic authentication scheme (or other
password-based HTTP authentication schemes).
In my experience, however, there are some servers that, in violation of the RFC, will not accept HTTP Basic authentication and will only accept form parameters in the body.
I'm working on writing API for web-project. For identifying API users basic authentication is used. And in order to test API call I can use curl command line tool and write something like this:
curl -H "Authorization: Basic Tm9TY1hETjRGNjIwZ1FwcTZOMENjMHczSjJDTjFlcnM6VmhWM21kUHF1MkIyMjFDaWRKVE4odyYmbyRpTEBsM0U=" http://example.com/api/function
On the test server we have HTTP authentication. I've uploaded scripts with API functionality and now I don't understand how I can make call to the API function on the test server. How I can provide username and password for HTTP authentication and after provide username and password for API?
Basically, you are trying to perform two authentications in a row, with the same method. This is not a scenario covered by [this authentication protocol][1]---so in short, you cannot with standard settings.
The reason why the protocol cannot cater with this scenario is a header clash: The first challenge will use the WWW-Authenticate / Authorization header pair, as well as the second in a single request.
One way to allow for a double authentication requires changes (that you may not be allowed to do):
You could have the first authentication process accept two pairs of headers, authenticate against the first one, and then rewrite the headers for the second authentication process. This should be fine for a test environment, provided the environment contains no security-sensitive data, e.g. customer data. Absolutely a bad idea otherwise.
You could replace the first authentication process by a different protocol. For example, you could deactivate the process and require an SSH / VPN tunnel to access the machine. Then, all HTTP requests could be tunneled and they would just need to authenticate against the second process.
One final thing. I did not know this would not work:
curl --user "test:password" http://stan:uberflow#myserver.com
Both --user and the credentials in the URL use basic authentication, so they step on each other. It may depend on the implementation; in my environment --user has precedence.
[1]: I carefully avoided to say security protocol, as HTTP Basic Authentication is not "very" secure, and it offers poor protection over HTTPS.
The documentation for the Heroku platform API states that it can be accessed with basic HTTP authentication using the API token, as follows:
HTTP basic authentication must be constructed from email address and
api token as {email-address}:{token}, base64 encoded and passed as the
Authorization header for each request, for example Authorization:
Basic 0123456789ABCDEF=.
We have tried this but keep on getting an "Invalid credentials provided" error.
However, if we substitute our Heroku account password for the token, authentication works:
e.g. {email-address}:{password}, base64 encoded.
However, we don't want to have to use our password for API authentication. How do we get this working using the API token as described?
Look again at the same documentation you linked to (it has changed in the meantime).
You should use Authorization: Bearer HEROKU_TOKEN, not Authorization: Basic HEROKU_TOKEN as you are doing.