I have the following security schemes defined for a method in my swagger file:
...
get:
...
security:
- api_key: []
- firebase: []
securityDefinitions:
api_key:
in: query
name: key
type: apiKey
firebase:
authorizationUrl: ''
flow: implicit
type: oauth2
x-google-audiences: project-id
x-google-issuer: https://securetoken.google.com/project-id
x-google-jwks_uri: https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken#system.gserviceaccount.com
However, it will not work if I try to send a request using an api key, but it will if I use a firebase token (even if I do not provide the api key).
The response:
{
"code": 16,
"message": "JWT validation failed: Missing or invalid credentials",
"details": [
{
"#type": "type.googleapis.com/google.rpc.DebugInfo",
"stackEntries": [],
"detail": "auth"
}
]
}
If I remove firebase from the security definition, then it will work using the api key.
Is it a known issue that an api key security scheme will not work if there is also an oauth2 for the same method?
What happens is that "OR" security requirements are not supported when one of the alternatives is an API key. Therefore, you are experiencing the right behavior.
If you provide both alternatives the API key will be ignored, but if OAuth2 is removed and it only accepts the API key, it works.
According to the same documentation that I attached, you could require both authentication methods using an "AND" condition. Something like this:
...
security:
- api_key: []
firebase: []
....
Related
I used the following API in postman with integration key, client secret from the Admin API application but no luck.
GET: https://api-123abc.duosecurity.com/auth/v2/check
Furthermore,
I used basic auth for authorization
Integration key for username and created the password via
https://www.freeformatter.com/hmac-generator.html#ad-output (used
integration key for string and client secret from the duo UI)
I used the following headers:
Authorization:Basic
Integration-key:Secret-key
Date:Fri, 20 May 2022 02:26:39 +0000
Content-Type:application/x-www-form-urlencoded
Besides this I used the code
btoa('integration key:secret key')
to generate authentication code but it still gives the following error
{
"code": 40301,
"message": "Access forbidden",
"message_detail": "Wrong integration type for this API.",
"stat": "FAIL"
}
Add Postman PreRequest script
update/replace integration and secret keys in below script
follow docs
const cannon = [
new Date().toUTCString(),
pm.request.method,
pm.request.url.host.join('.'),
'/'+pm.request.url.path.join('/'),
];
if (pm.request.body.urlencoded){
cannon.push(pm.request.body.urlencoded);
}
function hmacSign(cannon, integrationKey, secretKey){
const message = cannon.join("\n");
console.log(message);
var hmac = CryptoJS.HmacSHA1(message, secretKey)
return btoa(`${integrationKey}:${hmac}`)
}
const sign = hmacSign(cannon, "DIWJ8X6AEYOR5OMC6TQ1", "Zh5eGmUq9zpfQnyUIu5OL9iWoMMv5ZNmk3zLJ4Ep")
pm.request.headers.add({
key: "authorization",
value: sign
});
I'm trying to set up a Vue3 SPA with a NestJS API in the back. I set up my Auth0 tenant and client to integrate with the SPA and plan to send the resulting JWTs to my API. In my SPA, I use the vue-auth0-plugin, which uses #auth0/auth0-spa-js under the hood.
I have successfully set up the Auth Code with PKCE flow, up to the point where I receive id, access and refresh tokens. However, something is wrong with the access token and I cannot understand why it is happening. The payload is invalid JSON and the token contains 2 consecutive .. When I paste the token into jwt.io, the header is decoded as follows:
{
"alg": "dir",
"enc": "A256GCM",
"iss": "https://xyz.auth0.com/"
}
I would be expecting:
{
"alg": "RS256",
"typ": "JWT",
"kid": "w1-e..."
}
I have not enabled JWT encryption as far as I know (I used the wizard to set up the SPA client), could anyone point out to me what I am missing? For the sake of completeness, this is the format of my auth request:
https://xyz.auth0.com/authorize
?client_id=REq...
&redirect_uri=http%3A%2F%2Flocalhost%3A1337
&scope=openid%20profile%20email
&response_type=code
&response_mode=query
&state=a2...
&nonce=bT...
&code_challenge=GjSw...
&code_challenge_method=S256
&auth0Client=eyJu...
Many thanks in advance.
As Gary said, the token is in JWE format. According to this Auth0 community post, the solution to the missing payload is to provide an audience parameter. You should be able to include that parameter in the query string to the /authorize endpoint.
I ended up finding this question and answer by testing the token at https://jwt.io/ which said the encoding was "A256GCM" and not "RS256" as expected.
The audience parameter fixed this, and should be passed as part of the authorizationParams object when creating the client when using "#auth0/auth0-spa-js": "^2.0.1"
auth0.createAuth0Client({
domain: "example.com",
clientId: "XXXXXXXXXX",
authorizationParams: {
redirect_uri: window.location.origin,
audience: "https://example.com/api/v1/"
}
}).then(async (auth0Client) => {
When I query GitHub's GraphQL API with the following:
query RetrievePackagesAssociatedWithRepo($repo: String!, $owner: String!) {
repository(name: $repo, owner: $owner) {
packages(packageType: NPM, first: 10) {
edges {
node {
id
name
packageType
}
}
}
}
}
I received an error stating:
{
"errors": [
{
"type": "INSUFFICIENT_SCOPES",
"locations": [
{
"line": 6,
"column": 11
}
],
"message": "Your token has not been granted the required scopes to execute this query. The 'id' field requires one of the following scopes: ['read:packages'], but your token has only been granted the: ['read:gpg_key', 'read:org', 'read:public_key', 'read:repo_hook', 'repo', 'user'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens."
},
I followed the link https://github.com/settings/tokens and added the necessary permissions.
I tried to Authorizing a personal access token for use with SAML single sign-on but, the SSO button to enable is not present.
development settings token
Documentations I Followed: Creating Personal Token! | Authorizing Personal Token!
After trying out theses methods, the same error message persists "Your token has not been granted the required scopes".
My goal, through Github's API, is to retrieve packages associated with its repository.
Is there something I'm missing.
https://firebase.google.com/docs/reference/security/database/#authtokenF
{
"rules": {
"c":{
".write":"newData.child('email').val()=== auth.token.email"
},
}
}
Always it showing "Simulated write denied"
How to solve this problem ? Is there any mistake with my firebase rule
It looks like you're not providing an email address in the authentication data.
When you select a provider, the simulator shows the exact auth.token payload that it will use. For the Google provider my Auth token payload looks like this:
The simulator takes the literal JSON that is shown in here, and uses it as auth.token.
{
"provider": "google",
"uid": "27e08474-4e33-460d-ba92-ba437c6aa962"
}
Since there is no email provided, your rules (correctly) fail.
For testing this scenario, you'll want to switch to a custom provider, so that you can specify your own auth token with an email property:
I'm creating a simple web application that will use Google authentication to return an OpenID token, and then pass that token to AWS using javascript WebIdentityCredentials.
What I have done:
Created the Google Project, and saved the OAuth ClientID
Created an IAM role using Google IDP, and OAuth ClientID as Audience field.
Include both Google API and AWS API javascript in web page configured with above.
(Client) Request the id token from Google using the google js api
Configure the id token on an WebIdentityCredentials
Retrieve the AWS credentials (using that token)
When retrieving the credentials, I get this error from STS:
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>InvalidIdentityToken</Code>
<Message>Incorrect token audience</Message>
</Error>
<RequestId>28d09368-bf98-11e5-b52f-953b4c773ebf</RequestId>
</ErrorResponse>
Here is the AWS role:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"Federated": "accounts.google.com"},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"accounts.google.com:aud": "<my-oauth-client-id>"
}
}
}
]
}
And here is the code I use to configure the token on the AWS context:
AWS.config.update({
region: 'us-east-1',
credentials: new AWS.WebIdentityCredentials({
RoleArn: 'arn:aws:iam::<my-acct>:role/lab-amp-google-idp',
WebIdentityToken : token
})
});
And here is where I test the credentials by fetching them:
AWS.config.credentials.get(function(err) {
if (err) console.log(err);
else console.log(AWS.config.credentials);
});
I have validated the id token using jwt.io and I can see it has the proper expected fields. The "aud" and "azp" properties have the OAuth Client ID. I also double checked the Trust stansza in the AWS role to confirm it also has the exact same OAuth Client ID in the Condition.
I have passed in other invalid tokens and altered the RoleArn just to see the different errors, which I do.
I cannot find anything on the web describing reasons for "Incorrect token audience" so I'm at a loss for what to try next.