Is there a way of getting Katalon Studio to authenticate with AWS Cognito?

I'm writing some API tests using Katalon Studio which test an AWS API Gateway secured with AWS Cognito. If I provide the JWT in the authentication header, the tests pass as expected. I'm struggling to work out how I should be requesting the JWT based on supplied credentials as part of the test. Is there an easy way I'm missing?

Related

How to generate an API Token when Jenkins is configured with SAML authentication

We are running Jenkins with SAML authentication. Now, we are trying to extract build user info from the Jenkins buildURL xml path and need to authenticate with the Jenkins server. I created an API token using my user and this is used by every build to communicate with the buildURL job.
Is there any way we can create a common API credential to authenticate with Jenkins?
Thanks

How to automate authentication flow for Firebase with Google Provider using REST API?

I have a system that is using Firebase authentication with Google provider. I have an issue with automating integration tests for API. Tests are represented by a bunch of HTTP requests (Postman collections). I need to do some steps before tests to get a token from Firebase.
Only solution I can see is to add refresh token to the tests and call Refresh token endpoint to get a new token. Not sure how long will the refresh token live. Doesn't look like a good solution. E2E frameworks like Selenium are not an option.
What I want to achieve in the ideal scenario:
The input for the test is username/password for Google account and maybe settings pointing to the correct Firebase project. I need to perform some
magic HTTP requests (without user interaction) to get Firebase token back.
Does anyone knows if that is feasible? If not - how this flows can be automated without Selenium?

How to do a login with a Google account in JMeter

I am trying to log in to an application that uses a login with Google Accounts. I tried with the script recorder but it doesn't work.
Most probably login via Google Account is implemented using the OAuth protocol and this is not something you can record and replay. Actually you don't need to load test the login process itself as it is mostly performed on Google's side.
In order to be authenticated you need to supply the correct Authorization Bearer token via JMeter's HTTP Header Manager. The token can be obtained in one of the following ways:
By recording (look for the Authorization: Bearer token in the HTTP Header Manager)
Using a real browser from the WebDriver Sampler and, once you're logged in, copying the session information from the browser into JMeter
From the Google Console if you have permissions
By performing the full authentication process using e.g. the OAuth Client Library for Java from a JSR223 Sampler
See the How to Run Performance Tests on OAuth Secured Apps with JMeter article for a more detailed explanation of each of the approaches.

Can I use OneLogin API to generate SAML assertions in a standalone app?

I want to use OneLogin to write a command-line program that takes a username/password and generates a SAML assertion that can be used to authenticate to other sites.
The problem is that calling the "Generate SAML Assertion" API itself requires an access token generated from API credentials. So to distribute my app to users would require me to bake in API credentials to make that call. That would be fine, but the only authorization profile that allows callers to POST to the SAML resource is "Manage All", which is way more permission than is safe to give.
Has anyone done something like this?
OneLogin people, can you add an API credential type for calling only the SAML Assertion APIs? Or you could just make the API open. (Note that AWS's "AssumeRoleWithSAML" API doesn't require user credentials -- the whole point of the API is that you have credentials you want to convert to another credential type.)
Do you give a developer a personal application to generate the SAML token or do you build a web service that returns a SAML token?
The former is bad (since the app has the key) the latter is infinitely more secure.
When we do lower the required rights to get a SAML assertion with a key (ID & secret) you should still look into building this as a web service, one that your command-line tool should call to get the SAML assertion.
Because contrary to popular opinion - Cloud-based means better security.
We will be publishing an update shortly to lower the type of token to "Read/Write Users," since you are simply exchanging the user's credentials for the SAML assertion. Will that suffice?
Note: I initially mistakenly wrote "Read" instead of "Read/Write"
There is now an Authentication Only API scope, which can be baked into your application.
The endpoints available in this scope include:
Verify Factor (SAML Assertion)
Generate SAML Assertion
Verify Factor (Login)
Create Session Login Token
Log User Out
Writing a web app to get the SAML assertion would be the best solution and let the CLI interact with it. Especially if you consider the "Log User Out" endpoint, which can log out any given user as long as you can guess the ID (easy).
If you trust your employees you could embed an Authentication Only scoped client ID/secret in your CLI. This is exactly what we will do as the first step with our OneLogin AWS-STS CLI tool. Of course we could have a rogue employee abusing this, but it's an edge case and really easy to revoke the client ID/secret and roll out a new version with a new client ID/secret.

Integrating AWS Cognito with API for authentication

Can we integrate AWS Cognito to authenticate API calls to our back-end? I was planning to use the Cognito access token, which would be given to a reverse proxy server to create a JWT by value for the back-end microservices. But I could not find any method to check the AWS token for validity. Any suggestions?
Thanks :)
Amazon Cognito was not designed to secure developer built APIs and I would caution you from using only the Amazon Cognito token to secure your API.
That being said, the vended Amazon Cognito token is a normal JWT signed using asymmetric encryption. This thread on the AWS forums has some example code in C# that another customer was able to use to verify the token.
Update 2015-07-09: AWS has announced Amazon API Gateway. Using API Gateway you can build a REST interface to your existing API (or to AWS Lambda functions) secured with credentials retrieved via an Amazon Cognito auth flow. See this blog post for additional announcement details.
You can retrieve the JWT tokens after authenticating users using Cognito. Pass the Access or ID token (depending on the use case) to your backend app and decode the token using any standard JWT decoder library.
Here is an article with sample code for reference explaining the process.
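The answers above say the Cognito token is an ordinary RS256-signed JWT that a backend (or the reverse proxy from the question) can check itself, but decoding alone is not verification. The following added example, which is not code from this thread or from AWS, shows the checks a backend should perform before trusting a Cognito token: pin the algorithm to RS256, select the JWKS key by `kid`, verify the PKCS#1 v1.5 signature, then check `iss`, `token_use`, the audience claim (`aud` on ID tokens, `client_id` on access tokens) and `exp`. It uses only the Python standard library; the RSA key pair is a constructed toy key built from two Mersenne primes so the example runs offline, and the issuer URL, app client id and `kid` are placeholders. In production the JWKS is fetched from the user pool's `/.well-known/jwks.json` URL and the real key is 2048-bit, but the verification logic is the same.

```python
"""Verify a Cognito-style RS256 JWT against a JWKS document (stdlib only).

Added example: the RSA key below is a constructed toy key (two Mersenne
primes), NOT a real Cognito signing key; ISSUER, CLIENT_ID and KEY_ID are
placeholders. Real deployments load the JWKS from the user pool's
https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json
"""
import base64
import hashlib
import hmac
import json
import time

# --- constructed toy key pair (only so the example runs offline) ----------
_P = (1 << 521) - 1                     # Mersenne prime M521
_Q = (1 << 607) - 1                     # Mersenne prime M607
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # private exponent, test helper only

KEY_ID = "example-kid-1"                                                   # placeholder
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"   # placeholder pool
CLIENT_ID = "example-app-client-id"                                        # placeholder

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2 note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _int_to_b64url(i: int) -> str:
    return b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))


def _b64url_to_int(text: str) -> int:
    return int.from_bytes(b64url_decode(text), "big")


# What the pool's jwks.json would look like for our toy key
JWKS = {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": KEY_ID,
                  "n": _int_to_b64url(_N), "e": _int_to_b64url(_E)}]}


def _pkcs1_v15_em(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def mint_token(claims: dict, kid: str = KEY_ID, d: int = _D, n: int = _N) -> str:
    """Test helper standing in for the user pool: sign claims with RS256."""
    header = {"alg": "RS256", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_pkcs1_v15_em(signing_input.encode(), k), "big")
    return signing_input + "." + b64url_encode(pow(m, d, n).to_bytes(k, "big"))


def verify_cognito_jwt(token: str, jwks: dict, issuer: str, client_id: str,
                       expected_use: str, now: float = None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":          # pin the algorithm; never trust alg=none/HS256
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = _b64url_to_int(key["n"]), _b64url_to_int(key["e"])
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(s_b64)
    if len(sig) != k:
        raise ValueError("bad signature length")
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    expected = _pkcs1_v15_em(f"{h_b64}.{p_b64}".encode(), k)
    if not hmac.compare_digest(recovered, expected):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(p_b64))   # only now is the payload trustworthy
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("token_use") != expected_use:
        raise ValueError("wrong token_use")
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != client_id:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_token({"sub": "user-123", "iss": ISSUER, "token_use": "access",
                      "client_id": CLIENT_ID, "iat": t0, "exp": t0 + 3600})
    print(verify_cognito_jwt(tok, JWKS, ISSUER, CLIENT_ID, "access", now=t0)["sub"])
```

The order matters: the signature is checked before any claim is read, and the algorithm is fixed rather than taken from the token, so a forged header cannot downgrade verification. Checking `token_use` keeps an ID token from being accepted where an access token is expected, and the audience claim differs between the two token kinds.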