Multiple Access token for a single api endpoint - http-headers

Is it possible to send multiple access tokens via a form-encoded parameter, or multiple Authorization headers of type Bearer token, to an API?

Related

How to retrieve JWT token using postman with user role attribute

In my application, we have four different user roles. When I tried to generate the JWT token using Postman, though the token is retrieved, it does not provide the user role, so I cannot inject the retrieved token into the respective endpoints.
So how can I retrieve the right token using Postman?
get : https://login.microsoftonline.com/tenantid/oauth2/token

Should I use the Authorization header for API keys

We're going to expose a custom built API (.NET) through Azure API Management. We want to conform to well-known standards wherever possible, so we don't surprise our API consumers. The API is secured through an API key which users generate from APIM's Developer Portal.
My understanding is that the Authorization header should be used for authentication and authorization purposes.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
But strangely, API-Key is not included as an authentication scheme.
https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#authschemes
Should API consumers use an authorization header to authenticate?
E.g. Authorization: API-Key xxx-xxx
Or a custom header.
E.g. my-key:xxx-xxx
Technically, you shouldn't need any API key if you have a token in the Authorization header. I assume the API key/client and secret key are already used to generate a token. When the client sends the token via an Authorization header, the API owner validates your token and returns a response.

Djoser JWT endpoints Not able to use token endpoints

I have been using DRF for a couple of months. For authentication I decided to use the djoser package and JWT tokens for better authentication. However, whenever I try to use Postman to send requests, I can only send the three JWT requests. I'm wondering if I can use the base endpoints as well, such as resetting the password and finding the user.
Base Endpoints - https://djoser.readthedocs.io/en/latest/base_endpoints.html
Not able to send requests. The error in Postman always comes as "detail": "Authentication credentials were not provided."
even if I apply the Bearer Token type in Postman.
Can someone tell me how to use the base endpoints along with JWT?
To use JWT with Djoser, send a GET request to
http://127.0.0.1:8000/auth/users/me
Instead of Bearer or Token, set your Authorization header to pass JWT as follows:
Authorization: JWT your-JWT-access-token
Here's a sample request using Insomnia:
> GET /auth/users/me/ HTTP/1.1
> Host: 127.0.0.1:8000
> Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNTk1MDYyNTcxLCJqdGkiOiI2NmZkODFkNDVlNmY0OTdlYWZiMGExZWE2YmRmZmM0MyIsInVzZXJfaWQiOjF9.uXZadgc_hYcS79tuZWet_4eDqNQlduKpcmD1a2JvfjY
If you have set up your URLs correctly, it will return your username, email and user ID.

Simultaneous use of an api key and an access token in the OAuth2 authorization flow

I'm auditing an API whose client is a mobile application using the OAuth2 workflow, but I'm missing something. I have a first endpoint of the API, /token.oauth2, which allows me, with credentials, to get an access token needed to call the other endpoints of the API. So far OK, but on top of that I have an "x-api-key" which is transmitted along with the access token, and if both the API key and the access token are not present, the server sends me an HTTP 401 response.
I can't find any mention of a connection flow using both an "x-api-key" and an access token in the OAuth2 standard. What do you think?

Using bearer authorization with PostMan

I am looking for an easy way to add bearer tokens to Postman. I have imported my API into Postman from a Swagger definition, and am wondering if authorization can be added automatically to all requests in some easy way, so that I do not have to change the Authorization header for each endpoint whenever the token changes.
I am currently requesting a token at /token for my API by sending an x-www-form-urlencoded request containing the parameters username, password and grant_type with the value password.
The returned access_token is then appended to the Authorization header in the format "Bearer token-received-from-token-endpoint" for each request to the API.
The backend is implemented with ASP.NET Identity Framework and ASP.NET Web API 2.
A good approach here is chaining requests.
When you get a token, assign it to an environment variable and use that variable in your subsequent requests.
This way you will have a fresh token every time and your other requests can use it at runtime.