It is said that "To define cookie authentication, use API keys instead." in the official documentation
https://swagger.io/docs/specification/describing-parameters/#cookie-parameters
The fact is we tried with
components:
securitySchemes:
cookieAuth:
type: apiKey
in: cookie
name: sessionId
...
security:
- cookieAuth: []
Using the above code, in Swagger UI we are able to click on the padlock to set the value of the sessionId. But when we execute the method, the value of the cookie is NULL and we don't see the cookie sent in the Headers (Chrome Developer tool)
I tried also to put that in cookie parameter like this:
parameters:
- in: cookie
name: sessionId
required: true
schema:
type: string
But there again, same result (arrive null, and nothing in the debugger tool.
We use Swagger with openApi 3.0, other parameters, requestBody is working well, but not this cookie transmission.
Thx for anything that can have an idea.
Swagger UI and Swagger Editor currently do not support sending cookies in "try it out" requests:
https://github.com/swagger-api/swagger-js/issues/1163
As the developers explain, the issue is that it's almost impossible to send arbitrary cookie data to a different origin from within the browser.
SwaggerHub supports cookie auth and cookie parameters though. SwaggerHub sends "try it out" requests from its servers rather than from your browser, which makes it possible to send requests with a user-defined Cookie header.
Disclosure: I work for the company that makes SwaggerHub.
Related
I need to perform one app that is signed in via login.microsoftonline.com, but I get this error "We can`t sign you in your browser is currently set to block cookies. you need to allow cookies to use this service." maybe someone else has experienced something similar.
I tried changing HTTP Cookie Manager type from standart to others, also I used CookieManager.save.cookies with true and false but nothing worked.
HTTP Cookie Manager
request
error
You're not supposed to have the request to login.microsoftonline.com as the very first request in your JMeter script.
My expectation is that you're trying to test an application which uses Microsoft Identity Platform as authentication provider so depending on your application auth flow you need to pass some parameters to this login.microsoftonline.com page and the parameters need to be extracted from the previous request.
So try starting with your application login page and I believe you should be redirected to the login.microsoftonline.com with valid cookies and appropriate parameters
Following this procedure:
https://learn.microsoft.com/en-us/graph/auth-v2-user
I'm trying to get a refresh token from this microsoft end point:
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize
Using PostAsync method from System.Net.Http.HttpClient class from nuget (asp.net core 2.2) library, I'm able to get a response back with this error: "AADSTS90102: 'redirect_uri' value must be a valid absolute Uri.":
I tried to set some redirect url in the Azure Portal including:
https://automation.legroupeti.com/Configurations/GetRefreshToken/
https://automation.legroupeti.com/Configurations/GetRefreshToken
https://automation.legroupeti.com/
https://automation.legroupeti.com
The post request is the following (Using PostAsync method from System.Net.Http.HttpClient class from nuget (asp.net core 2.2)):
Here are the configured redirect urls form the registred application in the Azure Portal:
I expect a valid response from the endpoint.
How do I configure the redirect_uri to be valid?
EDIT 1
I fixed the redirect_uri parameter.
From the screenshot, it appears that the URLEncoding is incorrect. The '/' character in the path should be encoded to %2F, while your code has %2. (After '.com' and before 'Configurations'.)
Also, have you considered the Authorization Provider from the SDK?
https://learn.microsoft.com/en-us/graph/sdks/choose-authentication-providers?tabs=CS#AuthCodeProvider
I was getting this error and for me the issue was that I was encoding the redirect_uri value in the post request to the /oauth2/v2.0/token endpoint. Notice how redirect_uri is not encoded in this request.
POST /{Tenant ID}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
Cookie: {cookie}
Content-Length: 941
client_id={Application (client) ID}
&scope=https://graph.microsoft.com/mail.read
&redirect_uri=http://localhost/myapp/
&grant_type=authorization_code
&client_secret={secret}
&code={code}
I used the Postman sample provided by Microsoft to find the root cause.
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-access-token
You seem to be mixing the authorize and token endpoints.
If you want the user to authenticate, you have to redirect the user to that URL, not send a POST request to it.
After the user returns to your app, you need to exchange the authorisation code for tokens.
Documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-overview
If you want a token just for your app without user authentication, you need to call the token endpoint.
Documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-overview
I also faced the same problem:
AADSTS90102: 'redirect_uri' value must be a valid absolute Uri.
I tried few URL variants (with encoding, without, etc.) in Chrome, but was getting different exceptions about a wrong URL. Then I used the Safari browser and voila, I got a response code.
In the final result, I just copied the URL from the documentation, pasted tenant and client_id values from the registered application into the return_url parameter, and instead of the /myapp/ prefix I pasted %3A8080, where %3A it's the : symbol. The redirect_utl param has to be the same as URL in the registered application.
GET /imfpush/v1/apps HTTP/1.1
Host: mobilefoundation-3b-mf-server.mybluemix.net
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImp....
Content-Type: application/json
another type of invocation
curl -X GET -H "Authorization: Bearer eyJhbGciOiJSUzI1N...." "https://mobilefoundation-3b-mf-server.mybluemix.net/imfpush/v1/apps"
Error 502: Failed to make token request, reason: Unsuccessful request to Authorization Server, server responded with status code: 400 and body : {"errorCode":"invalid_client"}, check the Authorization URL: http://localhost:8080/mfp/api/az/v1/token
TL;DR: right now looks like there is a bug in the /imfpush/v1/apps endpoint where it does not filter the applications by the vendor (APNS, GCM, WNS), so you can only get a list of all applications instead...
Note however that it all depends on your end goal. You can accomplish this by code or by using tools such as curl or Postman, Swagger etc... it all depends on what you want to achieve.
Here are 3 ways:
In the local development server - not available in Mobile Foundation service on Bluemix, you can use this URL to see the REST endpoints exposed in Swagger. You can then view push-enabled applications with this one: http://localhost:9080/doc/?url=/imfpush/v1/swagger.json#!/Applications/getAllApplications
First, in MobileFirst Operations Console > Runtime Settings > Confidential clients:
Add (just an example, choose your own) a new user client (id: user, secret: user)
Add the apps.read and push.application.* scopes
Be sure to click on the knob and add the apps.read and push.applications.* scopes.
You will also be asked to authorize. Use the username and password for the user confidential client that you previously created.
Using the /imfpush service, as described below.
Using the mfpadmin service, as described below.
In my examples I will use Postman.
In MobileFirst Operations Console > Runtime Settings > Confidential clients:
Added (just an example, choose your own) a new user client (id: user, secret: user)
Added the apps.read and push.application.* scopes
Obtained an access token by making a POST request to http://localhost:9080/mfp/api/az/v1/token with:
Authorization tab:
Type: Basic Auth
user: user
password: user
Body tab:
x-www—form-urlencoded
grant_code: client_credentials
scope: apps.read push.application.*
Obtained the list of applications by making a GET request to http://localhost:9080/imfpush/v1/apps with:
Headers tab:
Authorization: Bearer the-access-token-from-step-2
To filter the list by platform, the URL should change to the following, like the example in the API documentation: http://localhost:9080/imfpush/v1/apps/?expand=true&filter=platform==A&offset=0&size=10 But since this does not work right now... use: http://localhost:9080/imfpush/v1/apps/
Of course, you need to change localhost to your server's host.
To only obtain a list of all applications, it'd be faster to use the mfpadmin service applications endpoint. Using Postman:
Created a new GET request to http://localhost:9080/mfpadmin/management-apis/2.0/runtimes/mfp/applications
You can change the domain to yours.
In the Authorization tab, I have set the following:
Type: Basic Auth
Username and Password: your username and password (to the console)
In return I have received a list of registered applications.
I have internal web application, which I have to test using Jmeter.
The application has secure protections as a username, password and auth token.
Auth token is changing with every new session. I'm unable to path through secure token. Token is include in URL, which look like
http://mytraining.application.net/(S(vj1ckr0nqyvjq3blehcl2jwl))/ApplDefault.aspx?tabid=1. Cookies has look like
Cookie: AUTH_TOK_vj1ckr0nqyvjq3blehcl2jwl=vj1ckr0nqyvjq3blehcl2jwl; AUTH_TOK_syq3r1yu4equ515xzunjobhb=syq3r1yu4equ515xzunjobhb;
So, my Jmeter able to successfully run only when I submit current token in URL.
Please let me know if you have any idea, how to avoid submitting token in all places (35) every time.
[![enter image description here][1]][1]
My AUTH_TOKEN
Regular Expression
It seems you can figure you your Auth_TOK value from the cookies
Add the next line to user.properties file (located in JMeter's "bin" folder
CookieManager.save.cookies=true
Restart JMeter to pick the property up
Add HTTP Cookie Manager to your Test Plan
Now you should be able to see Cookies stored as JMeter Variables using Debug Sampler and View Results Tree listener combination and use cookies values as part of your URL
I would also recommend checking out ASP.NET Login Testing with JMeter as my expectation is that you will have to deal with few other dynamic parameters.
First try with HTTP Cookie Manager as mentioned by Dmitri. This would work if auth token is used in Headers, like Cookie header. Jmeter automatically fetches from Set-Cookie Header, set by server, (when you add HTTP Cookie Manager) for each thread and store it locally, so that it can use in subsequent requests.
If Auth token is used in other places (but not headers) such as part of Url, request body etc, then we should explicitly capture it using Regular Expression Extractor (post processor) and
Regular Expressions Jmeter to correlate the dynamic values. Once you capture the value into a local_variable, we replace the actual values by local_variable (Reference name field in Regular Expression Extractor) wherever we observe the dynamic value in subsequent requests, here auth token, using syntax ${local_variable}.
I have set up a servicestack service with basic authentication using the first example, here:
https://github.com/ServiceStack/ServiceStack/wiki/Authentication-and-authorization
This automatically sets up a route: /auth/basic
However, I cannot find any information or examples on how to format a request to this URL (Variables/GET/POST/Auth Header, etc.).
I am able to access a simple service using the basic authentication credentials, so they are active and correct.
I have no custom authentication plugged in, just basic authentication.
I have tried:
Using a JsonServiceClient to send UserName and Password variables by GET or Json POST to /auth/basic, with and without an Auth header also containing the user & pass.
Using a browser to send GET requests with URL parameters of the user/pass, or as http://user:pass#localhost:123/auth/basic
I always just get "HTTP/1.1 401 Invalid BasicAuth credentials".
The only examples I can find involve some kind of custom authentication, and then /auth/credentials is accessed, but I want to use /auth/basic
I have looked at the code and it looks like it reads an Auth header, but the service does not accept one.
I am actually trying to get this working so I can then disable it and verify it is disabled (I want to require basic authentication for every request).
Questions are:
What is the correct way to call the /auth/basic service? I will take a servicestack client API example, specifications or even a raw http request!
How do you disable the /auth services altogether?
Many thanks.
What is the correct way to call the /auth/basic service? I will take a servicestack client API example, specifications or even a raw http request!
var client = new JsonServiceClient("http://localhost:56006/api");
var resp = client.Post(new Auth() { UserName = "TestUser", Password = "Password" });
This assumes you have also registered an ICacheClient and IAuthUserRepository (and added a user account)
The JSON format looks like this if you call into /auth/basic?format=json
{
"UserName": "admin",
"Password": "test"
"RememberMe": true
}
How do you disable the /auth services altogether?
Don't add the AuthFeature plugin to configuration.
You can also remove plugins
Plugins.RemoveAll(x => x is AuthFeature);
Putting the following in apphost config seems to do the trick.
//Disable most things, including SOAP support, /auth and /metadata routes
SetConfig(new EndpointHostConfig()
{
EnableFeatures = Feature.Json | Feature.Xml
});
I am a little suspicious about what this does to /auth however, because it returns an empty response, while most routes return 404.
So, would this truly disable the /auth functionality? As in, if someone formed a correct request to /auth/credentials, will it still return an empty response?