Keycloak invalid_grant with Authorization Grant flow - authentication

So this is what I did,
I have a Keycloak server running on localhost:8080 and I have configured a public client called myclient inside a realm myrealm.
I have added a response_url address as http://localhost:3000/*
I invoke a code request using this URL
http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/auth?client_id=myclient&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code
I am challenged for a login and then after successful login I login get a callback something like this. which obviously gives me a Not found as I don't have anything running on 3000 Port.
http://localhost:3000/?session_state=6af80f75-19b0-4c65-8d8b-89ca1cf5fd0d&code=e2082b9d-4199-4f0e-a3de-d9216ab70ac5.6af80f75-19b0-4c65-8d8b-89ca1cf5fd0d.8fa6724d-ffd2-4bb4-9ed9-7302acb432e8
I pick the code from above and then make a curl call below
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&code=e2082b9d-4199-4f0e-a3de-d9216ab70ac5.6af80f75-19b0-4c65-8d8b-89ca1cf5fd0d.8fa6724d-ffd2-4bb4-9ed9-7302acb432e8&redirect_uri=http://localhost:3000/&client_id=myclient" http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token
I get an error saying
{"error":"invalid_grant","error_description":"Code not valid"}
when I try the same thing with https://www.keycloak.org/app/ it works. What am I missing here?

Related

Snapchat API User Auth VIA Redirect

Trying to authenticate with the snapchat API through CURL and I"m not sure what I'm doing wrong. I have tried the following:
curl -X GET \
-H "client_id={}" \
-H "redirect_url={}" \
-H "response_type=code" \
-H "scope=snapchat-marketing-api" \
https://accounts.snapchat.com/login/oauth2/authorize
through my terminal and I'm getting the following error:
curl: (3) URL using bad/illegal format or missing URL
zsh: command not found: -H
I'm fairly new to this so would appreciate any guidance. I was expecting to be redirected into a browser to authenticate and would be given a temp access token or refresh token
As per Snapchat documentation, you can actually pull the code by turning the request into a URL and the code will be displayed in the browser/address bar at the end of the redirect link after you authorise the app.
take bellow URL and fill in your details as required and follow it via your browser:
# Sample URL to redirect the OAuth users to - Single Scope
https://accounts.snapchat.com/login/oauth2/authorize
?client_id=4cxxxx8-1c33-xxxx-8798-xxxxxxxx
&redirect_uri=https://test.animalfarm.com/callback
&response_type=code
&scope=snapchat-marketing-api

How to get Bearer access token in Jmeter

I have problems to get Bearer access token in Jmeter. Problem's cause most probably is in
server authentication - do not really understand how to properly setup this in Jmeter.
curl consist of several parts:
curl -X POST -v https://xxxx.xxx.xx.lv/token -u
"d123c9e3-4e91-46db-931e-37e8a52b8c8d:0e7cb8ad50fe3686de05fcf46815abc0a9d7cd095c23f75446d933ccxyxy"
-d "grant_type=password" -d "username=xxxxxxx" -d "password=xxxxxx" -d "scope=scop"
I have tried to use HTTP AuthorizationManager, HTTP Request and HTTP Header Manager without any successful results. Any advices?
Thanks!
Tatjana
I think you should do something like:
HTTP Request sampler:
these protocol and Server Name bits can be moved to HTTP Request Defaults so you won't have to specify them for each and every HTTP Request sampler
HTTP Authorization Manager:
In general since JMeter 5.1 it's possible to create a test plan from curl command line, the option lives under "Tools -> Import from cURL" main menu entry:

Modify Github profile by API but got "message not found" error

I followed this page to practice GitHub API and try to edit my profile
https://docs.github.com/en/rest/reference/users
curl -X PATCH -H "Accept: application/vnd.github.v3+json" -H "Authorization: token MyToken" https://api.github.com/user -d '{"name":"myname"}'
But got the error message:
{
"message": "Not Found",
"documentation_url": "https://docs.github.com/rest/reference/users#update-the-authenticated-user"
}
I am very new to GitHub API, any help is appreciated!
As long as you have replaced MyToken by an actual PAT (Personal Access Token), registered to your account, this should work.
It should update the authenticate user.
Check first its old name (before renaming it) does exist with curl and its write outs:
curl -w '%{response_code}' 'https://api.github.com/users/<username>'
... Unless you are part of an organization that enforces SAML SSO for authentication, : see "Authenticating for SAML SSO".
But I suspect this is not your case.
The OP ITnewbie confirms in the comments it was a scope issue
Removed and regenerate the token which includes all permission, then it's work!
iqbal was, in the comments, following the "Get your own user profile" GitHub REST API tutorial.
When I changed the url from
curl -i -u your_username:your_token api.github.com/<<your user name>> to
curl -i -u your_username:your_token api.github.com/users/<<your user name>>, it worked.

Keycloak - invalid token when using nginx proxy

I’m trying to set up Keycloak using nginx as proxy.
The idea is to log in to web app using javascript adapter and then for each API request, nginx should ask Keycloak if token is valid (session could be revoked, etc.).
I’ve set it up without nginx locally - I have keycloak on my VM and I used Keycloak Gatekeeper to proxy API requests. It worked with no issues whatsoever.
Then, I deployed Keycloak and web app that uses js adapter on cluster and in nginx I proxied URLs required for login. Next, I configured auth module to call /auth/realms/cerulean-magnolia/protocol/openid-connect/token with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket. There could be better endpoint to call but I’m always getting invalid_grant Invalid bearer token anyway.
Login works but when I try to use generated token, it becomes invalid and I can’t use it anymore.
I’ve set PROXY_ADDRESS_FORWARDING to true.
Any attempt of using this token ends up in getting:
{
"error": "invalid_grant",
"error_description": "Invalid bearer token"
}
If I would generate this token manually (via forwarded port) using password:
curl -L -X POST 'https://localhost:8141/auth/realms/cerulean-magnolia/protocol/openid-connect/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=lei' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'scope=openid' \
--data-urlencode 'username=...' \
--data-urlencode 'password=...' --insecure | jq
and then use this token to do:
http --verify=no -f https://localhost:8141/auth/realms/cerulean-magnolia/protocol/openid-connect/token grant_type=urn:ietf:params:oauth:grant-type:uma-ticket audience=lei-api response_mode=decision authorization:"Bearer ..."
It works fine. But if I use token generated via web app, I always get 401.
I’d be grateful for any help or hints.
Thanks in advance,
Patryk

CURL with 'Bearer token' works fine but same API isn't working on POSTMAP

My Below API using terminal works fine
curl -v --header "Authorization: Bearer LgiffI2nL4lEiCle" -X POST "https://<my-url>/api/source/loadAccounts/85296"
But When I'm trying the same usimng POSTMAN it's not, why ? I'm getting 403 forbidden
The token expiration time is 1 hour long, so I'm sure token isn't expired.
it is possible that postman's user-agent is not white-listed, while curl's user-agent is white-listed. (and going by the comments, this is probably the case)
another possibility could be that it's an IP block, and your terminal/curl is using an allowed IP (ssh'ed into something?), and you're running postman from a not white-listed IP.
Edit
Incase your App server blocking X-CSRF request and terminal/curl is enabled, you need to install Standalone POSTMAN and use User-Agent: curl/7.52.1