aws cognito get jwt token in single api call - amazon-cognito

How to get jwt token in single step(api call) from aws cognito oauth2/token endpoint passing username and password
curl --location --request POST 'https://xxx.auth.us-east-2.amazoncognito.com/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic a......k' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=t34...nu'
--Authorization base64ecoded username:password
Response- "error": "invalid_client"
App client settings :
Allowed OAuth Flows : Authorization code grant, Implicit Grant
Allowed OAuth scope : email , openid
App clients : ALLOW_USER_PASSWORD_AUTH
I tried oauth2/authorize too but getting html page in response

There's no need to add the Authorization header. Instead, use the code you see in the URL. This worked for me.
curl --location --request POST 'https://xxx.auth.us-east-2.amazoncognito.com/oauth2/token'
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'grant_type=client_credentials'
--data-urlencode 'client_id=t34...nu'
--data-urlencode 'code=afa78ac6-..-b8dd-5b'
--data-urlencode 'redirect_uri=path'

The client credentials flow to the token endpoint is to receive an access token for machine to machine communication. It is not based on a given user so no user name and password is required.
See 'Exchanging Client Credentials for an Access Token'
https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
To sign in with the oauth endpoints it is intended to do this via the HostedUI or an external IDP. However, you can do it pro-grammatically but will require a call to authorize and login endpoint.. You can see an example in python here:
https://github.com/starkshaw/aws-cognito-user-pool-custom-scope

This is a late answer, but following worked for me nicely with a client_credentials workflow.
curl --request POST \
--url 'https://XYZ.auth.us-west-2.amazoncognito.com/oauth2/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data client_id=7*******e \
--data client_secret=2*****5pjk9valn
Here is the response I got:
{"access_token":"eyJra*****eA","expires_in":3600,"token_type":"Bearer"}

Related

How do I perform this type of authentication in the postman

Good afternoon, everyone! Guys I'm going through a problem with basic authentication in Postman, I'll leave below details of what's going on. I need to send a Post so I can perform authentication and the server will return me a token bearer, but I'm taking a 400 error. I'll leave attached images of the Curl request and how I'm setting up in Postman.
Auth:
enter image description here
Body:
enter image description here
Reading the documentation I'm using I realized that I needed to perform a basic authentication using client_id and client_secret for me to be returned a token bearer, the same error is returned to me when I perform a request in curl. Could you help me with this mistake? Could you tell me where I'm going wrong?
Segue requisição curl:
curl -X 'POST' \
'https://portoapicloud-hml.portoseguro.com.br/oauth/v2/access-token' \
-H 'accept: application/json' \
-H 'Authorization: Basic NjZiNWJmMWI4MDE0NDExMWE1MGYwMWMyYmUxZjFiZDY6YzIwMGEwNzZlNmFkNDBkYThkYTkwODQ2YWI4OTI3MjU=' \
-H 'Content-Type: application/json' \
-d '{
"grant_type": "client_credentials"
}'

Auth0: Unauthorized - 401 error, when I connect to a guarded endpoint with a deployed API

I have created a GraphQL API with NestJS. Some endpoints are guarded by an access token. I use Auth0 to authenticate the user and get the access token.
I get the access token by running this command:
curl --request POST \
--url 'https://dev-9fo2g1ve.us.auth0.com/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=password \
--data username=test2#test.com \
--data password=123456789Test \
--data audience=MY_AUDIENCE \
--data scope=read:sample \
--data 'client_id=MY_CLIENT_ID' \
--data client_secret=MY_CLIENT_SECRET-
When I pass the bearer token's access_token value in the HTTP header, and call a guarded endpoint, it works fine when the API is running on localhost. However, when I deploy the API, it returns an Unauthorized 401 error.
Thanks for your help!

Auth0 - Third party Application - Refreshing Token - access_denied error

I am still receiving access_denied error even I have setup the required configuration I have found on Auth0 documentation https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-authorization-code-flow#authorize-user
I have already enabled Implicit, Authorization Code, Refresh Token, Client Credentials on my application grant_types and enabled Refresh Token Rotation too.
I have tried researching more about this but I can't find anything on google as I am probably the first one encountering this? Or probably I am missing something out here.
here's the sample curl request I have
curl --location --request POST 'https://{MY_AUTH0_DOMAIN}/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--header 'Cookie: did=s%3Av0%3A6b3f22c0-ac00-11ec-b070-
0b6e59231b0a.LT0c0bBGB4EukRqKLcGtHtt9t%2B3YtiQ1nQ07bfKCkyU;
did_compat=s%3Av0%3A6b3f22c0-ac00-11ec-b070-
0b6e59231b0a.LT0c0bBGB4EukRqKLcGtHtt9t%2B3YtiQ1nQ07bfKCkyU' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'client_id={MY_CLIENT_ID}' \
--data-urlencode 'refresh_token=v1.MemAxcxZBez46BV3cDnUo97zIY_lfNDi15XTCDJr5tQKbrEvnZzBjiVNvtOfrny3A0QD1AsoUDLJETl3rFkzLMM'
I found the issue, in their documentation https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-authorization-code-flow#authorize-user it doesn't require you to pass client_secret but it is needed when you do request for a refresh_token. Found it here https://community.auth0.com/t/use-refresh-tokens-in-node-js-and-axios-receiving-401-error-access-denied-unauthorized/79615

Authenticate user with pem certificate in keycloak rest api

I am running keycloak using docker with an intention to authenticate user via rest api.
Currently, my configuration includes using grant_type=password along with client-id and client-secret to authenticate a client.
curl --location --request POST 'http://localhost:8079/auth/realms/demo/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'client_secret=234k23jk42j23i4u23iwerwlekrjwl'
--data-urlencode 'username=thor' \
--data-urlencode 'password=thor' \
--data-urlencode 'grant_type=password'
I have set to use signed jwt for my client for which I have a PEM file.
How do I supply PEM file in REST API to get access_token for the user ?

Rundeck API with LDAP Auth - 401 Authorization Required

I am attempting to connect to the Rundeck API using CURL but I am getting a 401 Unauthorized error:
curl --insecure --location --request GET 'https://rundeck.example.com' --header 'Accept: application/json' --header 'X-Rundeck-Auth-Token: xyz'
401 Authorization Required
Authorization Required This server could not verify that
you are authorized to access the document requested. Either you
supplied the wrong credentials (e.g., bad password), or your browser
doesn't understand how to supply the credentials required.
Apache/2.2.15 (Oracle) Server at rundeck.example.com Port
80
If I try it using my username, it works.
curl --insecure --location -u 123456789 -p password --request GET 'https://rundeck.example.com' --header 'Accept: application/json' --header 'X-Rundeck-Auth-Token: xyz'
I created the auth token on Rundeck using my personal user that has admin privileges.
Please note that I have set up LDAP at web server level (httpd.conf) and control user access from there.
To access API you need to specify some action (for example: run a job, get metrics, etc.)
For example, get the instance metrics:
curl --location --request GET "http://yourhost:4440/api/34/metrics/metrics" --header "Accept: application/json" --header "X-Rundeck-Auth-Token: C8nVU5AhdzpQ8ucBeMG1ITFvSfaKCw6u"
Here you have a lot of examples.