There is an external service (lets say "https://external-service.com/service") which is secured by OAuth2. I have client ID (Lets say "123_my_client_id"), Secret ID ("324_mysecret") and the access token URL ( lets say "https://access-token.com/access-token") which returns me the token.
I want to access this service with my Mule 4 Http Request. I followed this https://docs.mulesoft.com/connectors/http/http-authentication#oauth2-client-credentials, but couldn't find any workable solution.
This can be done in Mule 3.9. but still struggling to set up this http request configuration for Mule 4. Can anyone please help to setup this request config .
In order to migrate the request authentication to Mule 4,the config now belongs in the http:request-connection component and the HTTP authentication configuration must be placed within an http:authentication component. This applies to all authentication types supported: basic, digest, NTLM and OAuth2.
From the example in the link provided:
<http:request-config name="HTTP_Request_Configuration"
host="some.api.com" port="80" basePath="/api/1.0">
<oauth:client-credentials-grant-type
clientId="your_client_id" clientSecret="your_client_secret"
tokenUrl="http://some.api.com/api/1.0/oauth/token"
scopes="access_user_details, read_user_files">
</oauth:client-credentials-grant-type>
</http:request-config>
Changes to something like:
<http:request-config name="HTTP_Request_Configuration">
<http:request-connection host="some.api.com" port="80">
<http:authentication>
<oauth:client-credentials-grant-type
clientId="your_client_id" clientSecret="your_client_secret"
tokenUrl="http://some.api.com/api/1.0/oauth/token" scopes="access_user_details, read_user_files" />
</http:authentication>
</http:request-connection>
</http:request-config>
Studio may complain about the oauth element, but it should start up fine. Just ignore it.
To anyone wondering how to do that through the user interface, it is pretty easy but the mulesoft documentation could be more clear.
I ended up finding out how to do it, here's the step-by-step process :
create your HTTP Request processor
choose the display name you want in "Display Name:"
choose the desired method in the "Method:" dropdown menu (ex. : GET)
set the path to the endpoint you wish to reach in "Path:"
then create a HTTP_Request_Configuration, by clicking the "+" on the right of "Configuration:" in the "Basic Settings" box
In the configuration window, set up the protocol (HTTP or HTTPS)
In the configuration window, set up the port (80 for HTTP and 443 for HTTPS)
In the configuration window, set up the host (ex. : www.url-to-request.com)
Scroll down to find the "Authentication:" dropdown menu
Choose "Client credentials grant type"
Set up you client-id and client-secret
Set up scopes if required by the application provider
And finally set up the "Token url" (url given by the application provider to retrieve the oauth identification token)
Click OK
After doing this, your oauth2 request should be working. As said in the mulesoft documentation, each time you run the project, a token will be automatically generated. You then can execute as many request as you want without worrying about the authentication anymore.
Related
I am pretty new into web development. Currently I am trying to do an Form Based Authentication on my Jakarta app. I managed to create a realm on Glassfish 6.0.0 and to integrate it on the web.xml descriptor. I managed to make the Basic Authentication work, but when I try it to change to Form Authentication I get an 403 status code ever time I want to login. I got the following error every time I send a POST request to j_security_check with good credentials, along with 403 status code:
***WEB9102: Web Login Failed:
com.sun.enterprise.security.auth.login.common.LoginException
: Login failed: Security Exception*** which doesn't say to much for me.
I wanted to create an Form Authentication in order to use j_security_check to login using form-data format from Postman. If I can not do this, is there a way to create a custom endpoint to send a request in order to authenticate?
I found out a method to do what I needed for the moment. I just sent parameters in URL. For now it is perfect, even though the security suffer with this method.
I need to perform one app that is signed in via login.microsoftonline.com, but I get this error "We can`t sign you in your browser is currently set to block cookies. you need to allow cookies to use this service." maybe someone else has experienced something similar.
I tried changing HTTP Cookie Manager type from standart to others, also I used CookieManager.save.cookies with true and false but nothing worked.
HTTP Cookie Manager
request
error
You're not supposed to have the request to login.microsoftonline.com as the very first request in your JMeter script.
My expectation is that you're trying to test an application which uses Microsoft Identity Platform as authentication provider so depending on your application auth flow you need to pass some parameters to this login.microsoftonline.com page and the parameters need to be extracted from the previous request.
So try starting with your application login page and I believe you should be redirected to the login.microsoftonline.com with valid cookies and appropriate parameters
I am following this guide (https://learn.microsoft.com/en-us/skype-sdk/ucwa/authenticationusingazuread) in order to access Skype for Business. Everything goes fine till the last part but let's do step by step. I am building my .net console application to do this but in order to explain you properly the problem I am having I will show you directly the http calls through Insomnia (software used to make http calls).
Step 1:
GET request towards https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root
I hit 200 and as answer I receive this:
Step 2:
I use the user link.
So I send an http request to https://webdir1e.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user and I get a 401 Unauthorized (everything still correct).
In the header of the answer it points me to the Identity Provider to ask for authorization (authorization_uri)
Step 3: I use that link to authorize my app, which has its own client_Id (that I hide in the following screenshot).
This is how I compose the call:
If I send this http request I get redirected to the page where it asks my personal login and by inserting my credentials I succesfully login and hit 404, where in the answer I receive back my access token.
Step 5: I use the access token towards the same AutodiscoverService link of step 1. This is to register my application. I hit 200 and I receive back the link to access Skype for Business.
Finally (and this is where things go wrong) I send a POST request towards the applications link with the Bearer token, and I receive a 403 Forbidden. I think I am following correctly the guide but I can't figure out why I can access the resource at the last step.
EDIT:
The permissions are granted. I hide the name since it contains the name of my company. But it is the same of the domain of my login.
So the token you generated authorizes you to access resources at https://webdir1e.online.lync.com which you've done to fetch a new set of resources including the "application" resouce which is on a DIFFERENT host: https://webpooldb41e14.infra.lync.com.
You actually have to get another OAuth token now which authorizes you for the application resource and then you can POST to that to generate your session in UCWA.
As a side note... If you've defined your own single-tenant application in Azure that has been granted rights to SkypeForBusinessOnline then I think you should be targeting authorization and authentication endpoints of the form:
https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize
https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
Also I should add, if you're trying to write a trusted secure client that users in your company will use I would suggest looking up the Resource Owner Password Credentials auth flow. It allows you to directly hit the token endpoint I mentioned above and exchange username/password credentials for an access token. Then you can manage auto-discovery and application creation easily under the hood without getting re-directed back and forth to Azure.
https://learn.microsoft.com/mt-mt/azure/active-directory/develop/v2-oauth-ropc
Shibboleth IDP and SP are talking great and the data I need is in the SAML.
What configuration is required for allowing shibboleth to return an HTTP Header with the info I need(yes I know it's a bad idea but don't have a choice).
I'm running SP 2.6 on IIS and need an HTTP Header with the username in the shibboleth3 IDP response.
Here's what I've tried for attribute-map.xml
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="netId" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
And it provides me with this data in the SAML
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="eduPersonPrincipalName"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string">me#school.edu</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
Due to the software I'm working with I need the username in the HTTP Header.
You can't have the Identity Provider release an HTTP header. That is not SAML Web Browser SSO profile.
You already have the middleware you are talking about, it's the Shibboleth Service Provider, and if your attribute-map.xml file is correct, you will be able to access the attributes from your application logic either as env variables or http headers as described here
An example for how an attribute is mapped to an HTTP header follows:
Let's say you
release the attribute with SAML name urn:oid:1.3.6.1.4.1.5923.1.1.1.6 from the IdP and that
in your SP attribute-map.xml you have an attribute decoder like:
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="netId" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
Taking into consideration that
When using headers, the main difference is that instead of using the names defined via the mapping process, the application must prefix them with "HTTP_", and in most tools upcase the rest of the name as well.
The HTTP header will eventually be HTTP_NETID
As to how you can read the header values, as described in this thread,
To iterate through all that are passed:
foreach (string key in Request.ServerVariables.AllKeys)
To reference a specific value:
value = Request.ServerVariables[key];
I am using apimanger 1.9.
I read this already : Add header with username into request to backend in wso2 apimanager.
I am able to add and forward username to backend in wso2 apimanager for specific service; but I want this for all service. I am modifying admin--<api_name>_<version>.xml for all services(50 services), which is very much manual. Something it leads to manual error.
Is there a single place configuration where I can set this (forward username to backend endpoint) for all service?
One more question - if I create and publish the APIs using "Publisher API" feature, is there a way to post something to set up the add header for each API?
Modify the velocity_template.xml which decides the template of an API. Please read my answer given to a similar requirement. You need to modify the relevant section in the velocity_template.xml.