I am trying to access an API by only using a Web address. The documentation says:
Is there any way this would be achievable through the use of only the Web address?
I don't need to know this, but I am just curious.
I am sorry if this question is very basic; I'm just learning how to use apis.
As the text explain, this API uses an HTTP Header named Authorization to receive a Bearer token. It's impossible to access it directly on browser, you will need to use curl for example to access it directly.
There are a few visual tools to allow you debugging some api that you will be able to do this request, like Postman and Insomnia.
Related
I have a Lambda function which triggered by API Gateway service, however this API is accessed by front-end application, this application not requiring the users to login or sign up to use it.
However I would like to secure my API to allow only from my front-end application.
After my research I found that I can use custom authorization in API Gateway, this custom authorization will check the authorization header of the incoming request and validate it.
the question is, can I use Amazon Cognito for something like this(implicit grant type)?
if not what is the thing that the front-end application will send to me to be validated and how can I keep it always changeable, so no one can guess it?
Thank You.
You could check the headers, but if they're always the same, someone can send an HTTP request with those headers - from any client - and trick your Lambda into thinking it's coming from your UI.
Even if you generate a unique token every time your UI is loaded and include it in the headers, someone could take that token and send requests from another client as well.
You could build fancy JavaScript tricks to make headers more dynamic, but it would only make it harder to use your API from another client, not impossible.
I'm trying to pass a request with AWS API but I get this error
AWS was not able to validate the provided access credentials
My request is:
https://ec2.amazonaws.com/?Action=RunInstances&ImageId=ami-6df1e514&KeyName=key1&InstanceType=t2.micro&Placement.AvailabilityZone=us-west-2&AWSSecretAccessKey=**********************&AWSAccessKeyId=******************
My access credentials are right, there is no doubt about that.
I found that the problem could be caused by clock delay but My PC's clock is correct.
Could someone help me, I did not find a solution.
You never send your secret access key to AWS when making an API call. Instead, you sign your request with the access/secret keys (as described here). You can read more about signing here.
Ideally, use the JavaScript SDK rather than manually generating query requests.
You should also rotate the credentials that you were using because you have exposed the secret key.
Where did you find this way of authentication by passing access-key and secret-key as parameters?
AWS SDK like java-sdk or boto3 provide easy to use APIs to make such calls so I would recommend using them.
Also look at authentication mechanism required by AWS API calls:
http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
I'm trying to create some SSRS reports that will get data from our web api.
I understand how you can set up a datasource from a particular endpoint of a web service, however connection to our api requires header values being added to the request such as the bearer token for authentication and some other values that we use along with the content type that I need back from the api.
I don't know how or if you can make changes to the request header to allow successful connection to use this as a datasource. I've come up empty from extensive googling!
Does anyone know how to do this or any articles that describe how to do this?
I think that solution for you is to implement your own data-processing extension, which will be able to connect to your web service endpoint and provide required headers.
See more info on MSDN.
I'm planning an API and I haven't found any information about where the access token should be placed in the response. I'm interested in the case where I'm providing the access token. What is the best practice to send the token to the clients (from the backend service)?
Should it be sent to clients in the Header or in the Body of the answer?
You should look at examples and see what others do. For example, Facebook, Twitter, Google, Amazon... and all those popular PaaS services exposing a REST API all use OAuth2 as authentication mechanism:
In OAuth2 you'll see the specification requires to send the generated token to the client in the body of a json response: https://www.rfc-editor.org/rfc/rfc6749#section-5 . But you can also see how Google and other vendors extend this mechanism so it can be sent as a callback url param, for example (Check out https://developers.google.com/identity/protocols/OAuth2UserAgent).
Once you get the authorization token you put it on the Authorization: HTTP header you send on your requests for accessing protected resources. They have to support this way of doing it, because it is how the OAuth2 standard specifies it https://www.rfc-editor.org/rfc/rfc6749#section-7
If you want to tinker a little bit more with oauth, check out https://developers.google.com/oauthplayground
(OAuth is pretty much the same thing.)
They usually also extend the Authorization header mechanism to allow the token to be provided as a GET/POST parameter in the url or the body of the response, respectively (For example, Facebook's Graph API also supports passing an access_token= parameter on your HTTP POST request body or GET URI). There is no way to manipulate or even read HTTP headers on a javascript browser application (see the modern fetch API and other proposals on Accessing the web page's HTTP Headers in JavaScript), so providing this functionality makes life easier for many app developers.
Another popular authentication scheme is SOAP authentication. It doesn't support tokens but it supports digest authentication, which is a similar thing. The interesting part of it is that it is not HTTP/Web based (although it is primarily used that way), so you can use it over other application protocols. It's a little more cumbersome, but you can find ready to use implementations for both server and client.
You can also use digest authentication over HTTP without SOAP. It is also based on Authorization: headers and every browser supports it. Check out https://en.wikipedia.org/wiki/Digest_access_authentication to see how the authorization headers are formed in different ways depending on the level of security you want to reach.
Some services, like redmine, allow you to use an API token (API key) instead of a session token. Then you can make basic http auth on your requests like https://whatever:yourapikey#example.com/protectedMethod, although passing of auth data on URLs is currently deprecated in favor of basic auth header, and plain passwords / static API keys should only be sent over secured SSL connections. In this case the client can have the server generate an api key using a web interface or a rest api (so the generated key will be passed as a JSON response). This method may not be such a good idea, though: Check http://talks.codegram.com/http-authentication-methods#/intro if you want to know why, and also this question discussing where to put them: Where should I place API keys in REST API calls?
I am Java developer and my customer wants to make web application using CKAN.
But he wants too many functions more over CKAN offers or not corresponds with CKAN's architecture.
So I decided to write Java program which has functions that customer wants and calls CKAN's RESTful API using Apache HttpComponent
But I encountered authorization issue.
Because my To-Be system will works without login to CKAN, I have to know users API-KEY when I call some apis need authorization.
But I can't get API-KEY unless login CKAN site(right?) and I think that getting someone's API-KEY by another way is nonsense.
If you don't think so, could you tell me how to get users API-KEY?
I also considered another way making all objects need authorization public.
But some apis send authorization error when I don't put API-KEY in Http header whether the object I intend to handle is public or private
Because of these reasons, development is been delaying.
Could you give me some advice?
The only way to get a user's API key is for the user herself to login to the CKAN web interface and go to their profile page.
If you're writing an API client, the way a client would normally work is to ask the user to enter their username and API key, either in a configuration file or into a GUI.