I am working with an API that works well when consumed from Postman:
But when i try to consume it from Yii2 i get {"name":"Unauthorized","message":"Your request was made with invalid credentials.","code":0,"status":401} and i think i am sending all the headers
The authorization was made with a Bearer Token:
Don't know what i am doing wrong, thanks in advance.
I just got that i have to add my headers this way:
Was adding them the wrong way.
I am trying to integrate a third party API. I was provided with a username and password.
When I use Postman to send a post request to the login webpage; the request header contains a postman token:
Postman-Token: vvvvvvvvv-wwwww-xxxx-yyyy-zzzzzzzzzz //this is not the real value
If I supply the postman token to every request after the login request (as shown below) then everything still works as expected:
If I access the api through my webpage, then everything also works as expected. My questions are:
What is the Postman token? I have looked already here: https://stackoverflow.com/questions/36883046/what-is-the-postman-token-header-attribute-in-generated-code-from-postman#:~:text=1%20Answer&text=This%20is%20primarily%20used%20to,random%20token%20avoids%20this%20issue.
What is the alternative to the Postman token when accessing the API though a webpage. I can see no token in the request when looking at it using Fiddler. Were is the bearer token in Fiddler?
Postman Token :
So it is just a custom header to track and debug postman requests in the receiving server
It doesn't do any authorization
Why no token in fiddler:
Because you haven't added it . You can add any custom header to the request you are sending
Why it works when used as bearer token
Because in your login call your session is cached . So for subsequent requests it is using cached session
To close the session , update the Connection header from keep-alive to close
Try setting second request to no auth:
and see if the request is still successful to confirm you are using cached session
I am attempting to rewrite a client app that currently connects to Dynamics 365 using JavaScript
let URL = "https://<company-name>.operations.dynamics.com/data/FinancialDimensionValues?cross-company=true";
let body = '';
var headers = {'Content-Type':'application/json'};
let response = ai.https.authorizedRequest(URL, 'GET', body, headers);
Currently this JavaScript application works and gets back JSON data. I am attempting to rewrite this application using C#. I am first starting with Postman to make sure I have all the authentication steps in place before moving on the writing the C# code.
Using Postman I am able to successfully obtain a JWT token using the "Client Credentials" flow where I pass the Client ID and the Client Secret to the Access Token Request URL. However, when trying to access an API endpoint within Dynamics 365 I receive back an HTTP 401 even though I am passing the JWT access token properly.
Here is the Access Token Request URL:
https://login.microsoftonline.com/722b0db7-9629-4304-92a0-dfb4a1debe62/oauth2/token?resource=https://<company-domain-here>.dynamics.com
I am thinking that I must be authenticating properly or I would not get back a valid access token. Also since the JavaScript application already in place works without issue I am assuming that Dynamics 365 is provisioned properly to allow API access.
What I am trying to figure out is what I might be doing wrong within Postman that results in my receiving a 401? What could be different between the working JavaScript request and what I am sending via Postman?
Issue is finally solved.
As mentioned follow the documentation mentioned.
If you face 401 Error, here is the last trick.
In postman Under Authorization--> Add authorization data to--> select Request Headers.
Now fire the query you shall have the 200 ok.
Ref Article which helped me figure it out.
I'm testing an implementation of JWT Token based security based off the following article. I have successfully received a token from the test server. I can't figure out how to have the Chrome POSTMAN REST Client program send the token in the header.
My questions are as follows:
1) Am I using the right header name and/or POSTMAN interface?
2) Do I need to base 64 encode the token? I thought I could just send the token back.
For the request Header name just use Authorization.
Place Bearer before the Token. I just tried it out and it works for me.
Authorization: Bearer TOKEN_STRING
Each part of the JWT is a base64url encoded value.
Here is an image if it helps :)
Update:
The postman team added "Bearer token" to the "authorization tab":
I am adding to this question a little interesting tip that may help you guys testing JWT Apis.
Its is very simple actually.
When you log in, in your Api (login endpoint), you will immediately receive your token, and as #mick-cullen said you will have to use the JWT on your header as:
Authorization: Bearer TOKEN_STRING
Now if you like to automate or just make your life easier, your tests you can save the token as a global that you can call on all other endpoints as:
Authorization: Bearer {{jwt_token}}
On Postman:
Then make a Global variable in postman as jwt_token = TOKEN_STRING.
On your login endpoint:
To make it useful, add on the beginning of the Tests Tab add:
var data = JSON.parse(responseBody);
postman.clearGlobalVariable("jwt_token");
postman.setGlobalVariable("jwt_token", data.jwt_token);
I am guessing that your api is returning the token as a json on the response as:
{"jwt_token":"TOKEN_STRING"}, there may be some sort of variation.
On the first line you add the response to the data varibale.
Clean your Global
And assign the value.
So now you have your token on the global variable, what makes easy to use Authorization: Bearer {{jwt_token}} on all your endpoints.
Hope this tip helps.
EDIT
Something to read
About tests on Postman: testing examples
Command Line: Newman
CI: integrating with Jenkins
Nice blog post: master api test automation
Here is how to set token this automatically
On your login/auth request
Then for authenticated page
I had the same issue in Flask and after trying the first 2 solutions which are the same (Authorization: Bearer <token>), and getting this:
{
"description": "Unsupported authorization type",
"error": "Invalid JWT header",
"status_code": 401
}
I managed to finally solve it by using:
Authorization: jwt <token>
Thought it might save some time to people who encounter the same thing.
If you wish to use postman the right way is to use the headers as such
key: Authorization
value: jwt {token}
as simple as that.
Open postman.
go to "header" field.
there one can see "key value" blanks.
in key type "Authorization".
in value type "Bearer(space)your_access_token_value".
Done!
For people who are using wordpress plugin Advanced Access Manager to open up the JWT Authentication.
The Header field should put Authentication instead of Authorization
AAM mentioned it inside their documentation,
Note! AAM does not use standard Authorization header as it is skipped
by most Apache servers. ...
Hope it helps someone! Thanks for other answers helped me alot too!!
Everything else ie. Params, Authorization, Body, Pre-request Script, Tests is empty, just open the Headers tab and add as shown in image. Its the same for GET request as well.
I did as how moplin mentioned .But in my case service send the JWT in response headers ,as a value under the key "Authorization".
Authorization →Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpbWFsIiwiZXhwIjoxNDk4OTIwOTEyfQ.dYEbf4x5TGr_kTtwywKPI2S-xYhsp5RIIBdOa_wl9soqaFkUUKfy73kaMAv_c-6cxTAqBwtskOfr-Gm3QI0gpQ
What I did was ,make a Global variable in postman as
key->jwt
value->blahblah
in login request->Tests Tab, add
postman.clearGlobalVariable("jwt");
postman.setGlobalVariable("jwt", postman.getResponseHeader("Authorization"));
in other requests select the Headers tab and give
key->Authorization
value->{{jwt}}
Somehow postman didn't work for me.
I had to use a chrome extension called RESTED which did work.
In Postman latest version(7++) may be there is no Bearer field in Authorization
So go to Header tab
select key as Authorization and in value write JWT
x-access-token on headers works for me.
key: x-access-token
value: token
I have to migrate from Google OAuth 1.0 to OAuth 2.0.
I just have wrote a small request in Chrome Rest Client:
POST: https://accounts.google.com/o/oauth2/token
Headers: Authorization: OAuth realm="", oauth_signature="PU3W5uRL0eAyEi", oauth_nonce="1396865138306881000", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="XXXXX.apps.googleusercontent.com", oauth_token="YYYYY", oauth_timestamp="1396865138", Content-Type: application/x-www-form-urlencoded
Payload: grant_type=urn:ietf:params:oauth:grant-type:migration:oauth1&client_id=ZZZZZ.apps.googleusercontent.com&client_secret=SSSSS
For that I receive an error message:
Status: 400 Bad Request
"{
error: "invalid_request"
error_description: "Invalid authorization header."
}"
The problem could be that I try to migrate from one Project in Google Developers Console to another.
Could that really be a problem?
The reason that I moved to another project is because I cannot create OAuth 2.0 Client ID in the original Project. I receive the following error message:
"You can not create OAuth 2.0 client ID because this project already contains an Oauth 1.0 client ID."
Please suggest.
Thank you,
E
As pointed out in a similar post, when constructing the base string to sign your migration requests, please make sure that the string uses a POST method and that it contains all relevant migration parameters as per the migration documentation.
As per OAuth1 spec, a valid base string for a migration request should look like:
POST&https://accounts.google.com/o/oauth2/token&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=urn:ietf:params:oauth:grant-type:migration:oauth1&oauth_consumer_key=YOUR_CONSUMER_KEY&oauth_nonce=NONCE&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1396414006&oauth_token=THE_TOKEN_TO_MIGRATE
Note that, for readability purpose, the above is the decoded version of the base string (check out the OAuth1 spec for more examples).
Hope that helps, Miguel.
When generating the base string you will need to ensure that each individual parameter is URL encoded before constructing the base string.
As per the oAuth documentation to sign OAuth 1.0 requests the base string is made up of 3 components
The HTTP request method
The base URL the request is being sent to
A normalized string of the parameters in the request
When constructing the base string you need to do the following
Ensure HTTP request method is POST
URL encode the base URL
Ensure the three POST body parameters [client_id, client_secret, grant_type] are included in the normalized request parameters
Ensure each parameter is individually URL encoded and then URL encode the complete normalized request parameters string. So in effect, some of the paramters are double URL encoded. This double URL encoding is mentioned in Using OAuth with the Google Data APIs#Signing Requests for the oauth_token
Only after doing all these steps did I get the migration request to work and I received a valid refresh_token
Below is a sample base string
POST&https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Ftoken&client_id%3Dxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com%26client_secret%3Dxxxxxxxxxxxx%26grant_type%3Durn%253Aietf%253Aparams%253Aoauth%253Agrant-type%253Amigration%253Aoauth1%26oauth_consumer_key%3Dxxxxxxxxx%26oauth_nonce%3D4106001%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1400779530%26oauth_token%3D1%252FkklP1YPy_AULt7j_tttttt_tterwerkj_dfj45dflk