Keycloak Admin API - logout-all endpoint not working

When calling the /{realm}/logout-all endpoint, the request always results in a "500 - Internal Server Error" and "error": "unknown_error" in the body. All other endpoints work as they should.
I made sure to call the endpoint with a new token and the Authorization-key in the header of the request. All calls are made from postman for testing.
Did I miss something?
Edit 1:
Keycloak Version: 12.0.2
The call: (generated the token with the admin-cli client and the admin user, so privileges shouldn't be a problem (?))
The log:

For future reference and anyone who has the same problem with Keycloak:
In some of the requests (e.g. logout-all) you have to provide an Accept: application/json header, otherwise Keycloak defaults back to application/octet-stream, for which Keycloak is missing the necessary classes.

Related

Authorizing API Requests to 3rd Party Services in Mongodb Realm

I'm building a React app that allows users to login with Google and then connects to a webhook/3rd Party service in Realm. The service should only return data that the users own.
I've set up the OAuth 2 with Google and can get back access_token for a user and I then pass it in the header (I've also tried the URL params) to the webhook. But I get an error back saying:
400 "no authentication methods were specified" - "Invalid Parameter".
After much testing, I've identified that it must be a Realm issue - but I can't figure out what.
I've tried authenticating with Google in Postman and sending a request from there like this:
GET <incoming_webhook URL>
Request Headers
Authorization: Bearer <access_token>
User-Agent: PostmanRuntime/7.26.10
Accept: */*
Host: us-east-1.aws.webhooks.mongodb-realm.com
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
But I get the same error.
In Realm I have "Google" enabled as an authentication provider (and the authentication works, just not the authorization through the webhook).
Per https://docs.mongodb.com/realm/services/configure/service-webhooks/#configure-user-authentication, you can choose email/password, an API key, or a custom JWT token. I don't know whether you can use google login directly to a webhook, but you're probably better off making a realm function instead.
Regarding the error no authentication methods were specified, you can specify the type of authentication method (using a custom JWT as an example) by either:
putting it in the header:
Header: jwtTokenString, Value: eyJhbGci.....
OR
by including it as part of the webhook body:
{
"jwtTokenString":"eyJhbGci...",
"mydata": "my data value"
}
If you try to use both methods, you get a multiple authentication methods used error. HTTP Bearer tokens in the header, etc, are useless here.
For an API Key, instead of jwtTokenString, use api-key; or email`password` for email\password authentication.
I found these methods of providing authentication information really unintuitive and the documentation very unclear.

Fetching bearer token for OroCommerce returning error 405 Method Not Allowed

I'm attempting to fetch the bearer token for OroCommerce, via POSTMAN and am encountering a 405 error, for the following request:
URL: http://<OroCommerce DNS>/oauth2-token
Header: Content-Type: application/json
Body:
{
"grant_type": "client_credentials",
"client_id": "XXXX",
"client_secret": "XXXX"
}
I have generated the public and private keys and added them to the /var directory of the application. Per this issue, I have tried "Enabled Guest Access" checked and unchecked. Both result in the same 405 error w/ HTML in the response (see image below). The back-end is up, when attempting these requests. Any suggestions on where to look (configurations, etc), in order to successfully fetch the bearer token, via the REST API?
Response HTML
First of all, make sure an API is enabled: https://doc.oroinc.com/api/enabling-api-feature/.
Then, make sure you are using the POST HTTP method to submit the request.
If that doesn't help, make sure the maintenance mode is fully disabled. It's step 13 in the upgrade guide: https://doc.oroinc.com/backend/setup/upgrade-to-new-version/#id1
Check the application log at var/logs/prod.log for errors. Usually, the error message explains what is wrong, or at least, you can use it to google the issue.
If nothing works, you can try to access the same endpoint using the dev environment. There should be a more explicit error message with the stack trace. Or enable an xdebug extension and check it step by step.

how to skip Preflight Request in vue with content-type:application/json

Error: "405 not allowed Method" in a POST call made with the request command in Vue.
I need to call an API function with content-type: application/json and the POST method using the request command in Vue, but the browser adds a preflight request with the OPTIONS method and it causes this error: "405 not allowed Method"
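var request = require("request");

var options = {
    method: "POST",
    url: "http://api.sample.com/login",
    headers: {
        // Access-Control-Request-Method is a preflight header; the browser sets it on its own OPTIONS request
        "Access-Control-Request-Method": "POST",
        "cache-control": "no-cache",
        "content-type": "application/json"
    },
    // Serialize the payload so the body is valid JSON
    body: JSON.stringify({ Username: "demo", Password: "demo", Domain: "test" })
};
request(options, function (error, response, body) {
    if (error) throw new Error(error);
    body.data;
    alert("ok");
});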
The OPTIONS call is done whenever you do a cross-origin request. This means the domain your application is running on is different from the domain where the api is. A pre-flight request is mandatory for these requests, because the browser needs to figure out if you are allowed to do these requests. A 405 error means that the server thinks you are not allowed to make that request.
To solve this problem you can move your api to the same domain as your frontend. Please note that it cannot be on a subdomain.
A different way of solving this, is by sending back the correct headers. In your case you seem to at least miss the Access-Control-Allow-Methods response header. Make sure to send this header and either dynamically figure out which methods are allowed, or do something like the following. That would allow the most common methods to work.
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
In the comments you said that you do not have control over the api, and as such cannot change the response header. In that case your best bet is to contact whoever maintains the api and ask how to best use their api.
In the comments you said that this worked fine when you did the same thing in ASP.NET. ASP.NET is a server-side language, which means that requests in that context do not have a concept of "cross-origin". Cross-origin only comes into play in the browser, where the application runs on an actual domain.
Assuming you can set up a proxy on your application domain, you can also create a proxy that proxies all requests to the api you actually want to communicate with. You would deploy your domain on https://example.com and do your requests to https://example.com/api/endpoint. Your proxy will listen for requests that begin with https://example.com/api and proxy it to https://whatever.the.api.is/ with the appropriate endpoint and data.
Please keep in mind that while some APIs might just be configured incorrectly, a lack of cross-origin response headers might just mean that the api is not meant to be consumed through the browser. Part of this could be that the request contains a secret that should not be exposed to users that use your application, but should instead only be on the server. Using a proxy in that case would set you up for impersonation attacks, because you would expose the secret to your application, but defeat the cross-origin headers by making it appear to the application that the api is on the same domain.
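The "send back the correct headers" fix from the answer above, as an added example that is not part of the original answer: a server-side decision function that answers the OPTIONS preflight and echoes only allowlisted origins instead of opening the API to every site. The origin `https://app.example.com`, the header allowlist and the function names are assumptions made for illustration.

```javascript
// Added example: answering a CORS preflight with an explicit allowlist.
// Origins, header names and function names below are assumptions, not from the page.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "cache-control"];

// Returns { status, headers }. status === null means "pass on to the real handler".
// `headers` is a map of lower-cased request header names, as Node's http module provides.
function corsDecision(method, headers) {
  const origin = headers["origin"];
  if (!origin) return { status: null, headers: {} };   // not a cross-origin browser request
  const deny = { "Vary": "Origin" };                    // keep caches from mixing origins
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: send no Allow-* headers, so the browser blocks the call.
    return { status: method === "OPTIONS" ? 403 : null, headers: deny };
  }
  const allow = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  const wantedMethod = headers["access-control-request-method"];
  if (method !== "OPTIONS" || !wantedMethod) {
    return { status: null, headers: allow };            // the actual (non-preflight) request
  }
  // Preflight: check what the browser says the real request will use.
  const wantedHeaders = (headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantedMethod) &&
             wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return { status: 403, headers: deny };
  allow["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  allow["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  allow["Access-Control-Max-Age"] = "600";              // let the browser cache the answer
  return { status: 204, headers: allow };
}

// Wiring for a Node http-style (req, res) handler; `next` runs the real endpoint.
function corsMiddleware(req, res, next) {
  const decision = corsDecision(req.method, req.headers);
  for (const [name, value] of Object.entries(decision.headers)) res.setHeader(name, value);
  if (decision.status !== null) { res.statusCode = decision.status; return res.end(); }
  next();
}

// Constructed sample: the preflight a browser sends for the POST in the question.
const samplePreflight = {
  "origin": "https://app.example.com",
  "access-control-request-method": "POST",
  "access-control-request-headers": "content-type,cache-control",
};
```

A 204 with these headers lets the browser send the real POST; a request from an origin outside the allowlist gets no `Access-Control-Allow-*` headers and stays blocked in the browser.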

AWS: Amazon API Gateway Unknown Endpoint Error upon Testing Deployed API

We have an API that we would like to try connecting with the Amazon API Gateway. I've been trying some very basic calls, but to no avail. For example, if we don't pass any authentication data in the query strings during the GET call using Postman:
GET https://<host>/<resource>
Then I correctly receive an error message:
{
"error": "Invalid authentication key",
"errorcode": 0
}
In the Gateway I have the following settings for the method:
Method Request
No Authorization, API Key not required
Some query string parameters which are not being set in either Postman or the API Gateway call
No request headers
no request models
Integration Request
HTTP Proxy Integration type, GET
Endpoint URL is the same URL I call using Postman above
No parameter, header or body mappings
Integration Response
Single 200 OK passthrough
Method response
Various HTTP Statuses
Response model as per our API's Swagger definition
All other methods have mock integration. Calling the method via Postman at our backend domain works as intended (i.e. gives the error message above).
Calling the deployed API Gateway method, however, results in:
"message": "Unknown endpoint error." if done using the Method Test in the API Gateway
"message": "Internal server error", if called from the browser or Postman.
Has anyone experienced this issue before?
EDIT: I just noticed that one of the response headers that are set when using Postman or Browser is:
X-Cache: Error from cloudfront
The docs say that this error is set if the origin server returns an expired certificate, an invalid certificate or a self-signed certificate, or if the origin server returns the certificate chain in the wrong order, but our certificate is valid and I cannot note any problems with the certificate chain...

PUT/POST request in SOAPUI giving 403 forbidden, while same request working fine in rest client Postman

There is no authentication on the server side, so authentication should not be an issue.
URL format: PUT
https://localhost/api/v1/protections?integrationKey=111&userKey=1111&group=111&category=foo
Payload:
{"action":"BLOCK"}
This is working fine in Postman.
In SOAP UI, I am giving the input as follows:
EndPoint: https://localhost
Resource: /api/v1/protections
Parameters:?integrationKey=111&userKey=1111&group=111&category=foo
in Media type, I am selecting "application/json"
and entering {"action": "BLOCK"} but getting "Wed Jan 20 16:25:27 PST 2016:DEBUG:Receiving response: HTTP/1.1 403 Forbidden"
Is there any suggestion to get the output in SOAP UI?
Depending on the server where the REST service is exposed, it generates an HTTP 403; you should verify which server it is, and thus find the fastest answer.
Also try making a GET request from the browser to see if it answers correctly, because the problem may be that the server blocks your machine.
As it is HTTPS, it may be that you lack some certificate setting in SoapUI; possibly the Postman you use already has it configured. Try to check this setting.
In my case, I missed the headers "User-Agent" and "accept". I put them in SoapUI and it works.
In Postman, these headers are added automatically.