Unable to get Access Token Via Fiddler IdentityServer3 - claims-based-identity

I can successfully call my Api via a web browser. Using IdentityModel works fine.
But when I try to call the Api via Fiddler I get invalid_client. My client information comes from a database based on the MembershipReboot Client tables.
I tried passing data via the Post Body and via Authentication basic. Both fail.
When calling with Basic Authentication encoded parameters I have the following:
User-Agent: Fiddler
Host: qaquasaridentity
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
Authorization: Basic dGVzdC5hcGk6c2VjcmV0
The actual encoded value in Fiddler shows:
No Proxy-Authorization Header is present.
Authorization Header is present: Basic dGVzdC5hcGk6c2VjcmV0
Decoded Username:Password= test.api:secret
When I call using the Post Body for parameters the data passed is:
client_id=test.api
&client_secret=secret
&grant_type=client_credentials
&scope=testapi
The server log says:
2017-01-20 12:06:13.968 -06:00 [Debug] Start client validation
2017-01-20 12:06:13.971 -06:00 [Debug] Start parsing Basic Authentication secret
2017-01-20 12:06:13.973 -06:00 [Debug] Start parsing for secret in post body
2017-01-20 12:06:13.973 -06:00 [Debug] No secret in post body found
2017-01-20 12:06:13.976 -06:00 [Debug] Start parsing for X.509 certificate
2017-01-20 12:06:13.976 -06:00 [Debug] client_id is not found in post body
w3wp.exe Information: 0 : 2017-01-20 12:06:13.976 -06:00 [Information] Parser found no secret
w3wp.exe Information: 0 : 2017-01-20 12:06:13.981 -06:00 [Information] No client secret found
w3wp.exe Information: 0 : 2017-01-20 12:06:13.983 -06:00 [Information] End token request
w3wp.exe Information: 0 : 2017-01-20 12:06:13.988 -06:00 [Information] Returning error: invalid_client
I have the client_id and client_secret but the error log says otherwise.
Can anyone explain what I am doing wrong? I can get my access_token via .NET on the backend but not via Fiddler.

The token endpoint does not take JSON, but form-data.
POST /connect/token
grant_type=client_credentials&client_id=test.api&client_secret=secret&scope=api
http://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
https://identityserver.github.io/Documentation/docsv2/endpoints/token.html
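As an added illustration (not code from the question, the answer or IdentityServer3) of the two request shapes discussed above: a client_credentials request with the client secret in a Basic header versus in the form body, and a server-side credential lookup that follows the same order the page's log shows (Basic header first, then post body). The path /connect/token and the test.api:secret pair are the page's own values; everything else is constructed.

```python
import base64
from urllib.parse import parse_qs, urlencode

TOKEN_PATH = "/connect/token"  # IdentityServer3 token endpoint, as on the page


def build_basic_auth_request(client_id, client_secret, scope):
    """Client credentials in the Authorization header; grant_type and scope still go in the form body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
        "Authorization": f"Basic {creds}",
    }
    return "POST", TOKEN_PATH, headers, body


def build_post_body_request(client_id, client_secret, scope):
    """Client credentials as client_id/client_secret form fields; no Authorization header at all."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": scope,
    })
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
    }
    return "POST", TOKEN_PATH, headers, body


def extract_client_credentials(headers, body):
    """Server side, in the order the page's log shows: Basic header first, then the post body.
    Returns (client_id, client_secret), or None when neither carries a usable credential
    (the server then answers invalid_client)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            client_id, sep, secret = base64.b64decode(auth[6:], validate=True).decode().partition(":")
            if sep and client_id and secret:
                return client_id, secret
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            pass
    # A form body is only parsed when it is sent as form data, not JSON (the point of the answer)
    if headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body, keep_blank_values=True)
        client_id = form.get("client_id", [""])[0]
        secret = form.get("client_secret", [""])[0]
        if client_id and secret:
            return client_id, secret
    return None
```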

Related

Kong Api Gateway - HMAC Signature does not Match

I am trying to implement HMAC authentication with Kong, but I am getting the error "HMAC Signature does not match".
I am making the HTTP request using the Postman REST client.
Can someone verify my request parameters below?
Credential of Consumer:
Username: "test"
Secret: "test123#"
Http Request Detail:
Date:Thu, 05 Sep 2019 09:56:28 GMT
host:172.17.0.3
Authorization: hmac username="test",algorithm="hmac-sha1",headers="date",signature="YTg5NmQwMjhmMzVmYWNhZmQyZTQwNmY5ZTVkMmUzNDM4NDAxNmY3MA=="
Http Response:
Http Code:401
Response Body:
{
message:"HMAC Signature does not match"
}
I generated the signature for the signing string "Date: Thu, 05 Sep 2019 09:56:28 GMT". Yes, you need a space after date.
The signature should be MduuZsP0dKRPKGoMSTft/fT+Qmc= for hmac-sha1 when the secret is "test123#".
I made this document for anyone who might need it (relating to Kong HMAC).
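An added example (not the question's or the answer's code, and not Kong's own implementation) of the hmac-auth exchange discussed above: the client builds the signing string and the Authorization header, and a gateway-side check validates the consumer, the Date clock skew and the signature. It uses the question's username, secret and Date header as sample input; it assumes the signing string is built from each header name exactly as listed in the headers= parameter, so "date" and "Date" sign differently, and that 300 seconds is Kong's default clock_skew.

```python
import base64
import hmac
from datetime import timedelta
from email.utils import parsedate_to_datetime

USERNAME, SECRET = "test", "test123#"  # consumer credentials from the question (sample input)
DATE_HEADER = "Thu, 05 Sep 2019 09:56:28 GMT"
CLOCK_SKEW = 300  # seconds; Kong's default for hmac-auth config.clock_skew

def signing_string(headers, signed_names):
    """One '<name>: <value>' line per listed name, joined by '\n'; lookup is case-insensitive, name echoed as listed."""
    values = {k.lower(): v for k, v in headers.items()}
    return "\n".join(f"{name}: {values.get(name.lower(), '')}" for name in signed_names)

def sign(secret, headers, signed_names, algorithm="hmac-sha1"):
    digestmod = algorithm.replace("hmac-", "")  # hmac-sha1 -> sha1, hmac-sha256 -> sha256
    mac = hmac.new(secret.encode(), signing_string(headers, signed_names).encode(), digestmod)
    return base64.b64encode(mac.digest()).decode()

def authorization_header(username, secret, headers, signed_names, algorithm="hmac-sha1"):
    sig = sign(secret, headers, signed_names, algorithm)
    return (f'hmac username="{username}",algorithm="{algorithm}",'
            f'headers="{" ".join(signed_names)}",signature="{sig}"')

def parse_authorization(value):
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "hmac":
        return {}
    pairs = (p.strip().partition("=") for p in params.split(","))  # split on first '=' only
    return {k: v.strip('"') for k, _, v in pairs}

def verify(headers, consumers, now, clock_skew=CLOCK_SKEW):
    """Gateway side: known consumer, Date within clock skew, constant-time signature compare."""
    params = parse_authorization(headers.get("Authorization", ""))
    secret = consumers.get(params.get("username"))
    if secret is None or "Date" not in headers:
        return False, "consumer or Date header missing"
    if abs((now - parsedate_to_datetime(headers["Date"])).total_seconds()) > clock_skew:
        return False, "Date outside allowed clock skew"
    expected = sign(secret, headers, params["headers"].split(), params["algorithm"])
    if not hmac.compare_digest(expected, params["signature"]):
        return False, "HMAC signature does not match"
    return True, "ok"

def demo():
    hdrs = {"Date": DATE_HEADER, "Host": "172.17.0.3"}
    req = dict(hdrs, Authorization=authorization_header(USERNAME, SECRET, hdrs, ["date"]))
    now = parsedate_to_datetime(DATE_HEADER) + timedelta(seconds=10)  # request seen 10 s after signing
    return {
        "ok": verify(req, {USERNAME: SECRET}, now),
        "replayed_an_hour_later": verify(req, {USERNAME: SECRET}, now + timedelta(hours=1)),
        "date_changed_after_signing": verify(dict(req, Date="Thu, 05 Sep 2019 09:57:28 GMT"), {USERNAME: SECRET}, now),
        "name_case_changes_signature": sign(SECRET, hdrs, ["date"]) != sign(SECRET, hdrs, ["Date"]),
    }
```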

Kestrel HTTPS redirect results in no response with debug log "the application completed without reading the entire request body."

I'm just running the API as a console app. If I have
app.UseHsts();
app.UseHttpsRedirection();
in my code, when I try to authenticate using Postman I get no response. In Postman I don't have the SSL certificate verification turned on.
The Kestrel output:
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 POST http://localhost:5000/connect/token application/x-www-form-urlencoded 74
dbug: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[1]
Redirecting to 'https://localhost/connect/token'.
dbug: Microsoft.AspNetCore.Server.Kestrel[9]
Connection id "0HLJ4UL9EORCS" completed keep alive response.
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 0.1439ms 307
dbug: Microsoft.AspNetCore.Server.Kestrel[25]
Connection id "0HLJ4UL9EORCS", Request id "0HLJ4UL9EORCS:00000001": started reading request body.
dbug: Microsoft.AspNetCore.Server.Kestrel[26]
Connection id "0HLJ4UL9EORCS", Request id "0HLJ4UL9EORCS:00000001": done reading request body.
info: Microsoft.AspNetCore.Server.Kestrel[32]
Connection id "0HLJ4UL9EORCS", Request id "0HLJ4UL9EORCS:00000001": the application completed without reading the entire request body.
dbug: Microsoft.AspNetCore.Server.Kestrel[1]
Connection id "0HLJ4UL9EORCT" started.
dbug: Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets[6]
Connection id "0HLJ4UL9EORCT" received FIN.
dbug: Microsoft.AspNetCore.Server.Kestrel[10]
Connection id "0HLJ4UL9EORCT" disconnecting.
dbug: Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets[7]
Connection id "0HLJ4UL9EORCT" sending FIN.
dbug: Microsoft.AspNetCore.Server.Kestrel[2]
Connection id "0HLJ4UL9EORCT" stopped.
What does it mean that it doesn't read the entire request body?
If I run my app without HTTP redirection, it works fine. What is going on, how can I fix this?

ASOS - Token validation is not working when having separate authorization server and the resource server

I'm trying to implement an OpenID Connect server (resource owner password credentials grant) with ASOS, following this post.
Everything works fine when I have both the authorization server and the resource server in one app. But when I split them into two apps (still on one machine), the resource server fails to validate the token and returns The access token is not valid.
I downloaded the source code of AspNet.Security.OAuth.Validation to investigate the issue, and it returns null here.
Here are some logs from Authorization Server:
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 POST http://localhost:5000/connect/token application/x-www-form-urlencoded; charset=UTF-8 77
info: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
The token request was successfully extracted from the HTTP request: {
"grant_type": "password",
"username": "UserLogin",
"password": "[removed for security reasons]",
"scope": "offline_access"
}.
info: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
The token request was successfully validated.
trce: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
A sign-in operation was triggered: sub: 123, username: UserLogin ; [.scopes, ["email","profile","offline_access"]], [.resources, ["resource_server"]].
dbug: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[37]
Reading data from file 'C:\Users\User1\AppData\Local\ASP.NET\DataProtection-Keys\key-********-****-****-****-64bb57db1c3b.xml'.
dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[18]
Found key {********-****-****-****-64bb57db1c3b}.
dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[13]
Considering key {********-****-****-****-64bb57db1c3b} with expiration date 2017-09-27 16:44:49Z as default key.
dbug: Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlDecryptor[51]
Decrypting secret element using Windows DPAPI.
dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[4]
Opening CNG algorithm 'AES' from provider '(null)' with chaining mode CBC.
dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[3]
Opening CNG algorithm 'SHA256' from provider '(null)' with HMAC.
dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider[2]
Using key {********-****-****-****-64bb57db1c3b} as the default key.
trce: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector[31]
Performing protect operation to key {********-****-****-****-64bb57db1c3b} with purposes ('C:\Users\User1\documents\visual studio 2017\Projects\OpenIdDictSample\Aka.OpenIdConnectServer', 'OpenIdConnectServerHandler', 'AccessTokenFormat', 'ASOS').
trce: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
A new access token was successfully generated using the specified data format: CfDJ8NSKICBGwihOm75ku1fbHDtG4usEbfF-mLGaJcGGFEPQJLb36rfHqCTJ3Clu_SCBRHlaZ_B7s3pxNfUqS9fPfjtjjEH1KKmkiV6gvakRYf0Iof32BVddUUPgd7sEDrB0fET91pIDJT9WwsPx653viw5tFyvrztsSD5CYAOQZjm1werRcVPuvwRhXUQb_9Vbba52tqj8y7WbOjk78Hl17knbwSz4C70vwlRU5pL_Bp41R4vEEKwtm_VMQ_u1kSBKM5KjOh6OKdbDJ9jOhyh4RpNbvGN25ZskzByi8ndKRW3dmajWYyf-0cj6-4MEE5Hocd47te8C-haYIxEUb7tcQ-JTItknIiE1sk6W7zHlhLg3nprE2Ct4mvKi11G7Kvd1W4u-UmEvL1NesjVFNKpNJVdEaK2I8mcNzJLU69ZnM4poRrLqEqD__cHa8nCFgPtE9L0Jyo6IyFwc7NZ2sXz7y7lPfJ9Q3Pu1W_t0lOGBte5uKHfJZpiOYaqKrAwdJSpULLK52iKoCNhRYxOSdq__DNJs ; sub: 123, username: UserLogin ; [.scopes, ["email","profile","offline_access"]], [.resources, ["resource_server"]], [.issued, Fri, 30 Jun 2017 09:13:29 GMT], [.expires, Fri, 30 Jun 2017 10:13:29 GMT], [.token_id, e27cbb46-d1ea-4576-8803-dddc001b3fc8], [.audiences, ["resource_server"]].
trce: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector[31]
Performing protect operation to key {********-****-****-****-64bb57db1c3b} with purposes ('C:\Users\User1\documents\visual studio 2017\Projects\OpenIdDictSample\Aka.OpenIdConnectServer', 'OpenIdConnectServerHandler', 'RefreshTokenFormat', 'ASOS').
trce: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
A new refresh token was successfully generated using the specified data format: CfDJ8NSKICBGwihOm75ku1fbHDtcKlYz_IbJiNmiW_tfu19E7p5BIO9xE0b2qu8mYWw-zD7wCWB1F5Fx548L4FARrsJwlJls1AkK2GrqXjV0krH6me_btsSAxM9trrFCUL2ZrXkm2sStZ6DUcbf_cSNFh-YxXft-gbLGV11THAINTb8K9-v_fkeXq7aN8Qgu7zJfhON1ehflLwZ-DXZwW_S9assqx8f7oe-n5gTzOO6PjEyO5g0YMJ1SY7X-sMO1MKjn03vZxPB0ecT0l8NXB89vGhW7kZnoEaL1NwmSTiEOYMatwrkURPBgb2YLnpiu7sYAD04HxsicoLaQTDbc8ZJyWUJ7guLl6Mp2HLhZG_wLQM9REC_QeZX8eDn8aqSOiGKZeLF4G7A5y369VIZ0RPASdTpEsAHSE8ws0RB18jap-75bM_aAi3w3-PlfnY7ySnDYm3xkF1ImyBcph2XF6R8-imdAXhQG-tTAYd2FKw4msaWCPcnX5CxYlo-alVYpd878haDvo43fCvbd2_Dc2O1wI98 ; sub: 123, username: UserLogin ; [.scopes, ["email","profile","offline_access"]], [.resources, ["resource_server"]], [.issued, Fri, 30 Jun 2017 09:13:29 GMT], [.expires, Fri, 14 Jul 2017 09:13:29 GMT], [.token_id, c0cf40ad-cd47-4c82-9e37-6943cda95ffc].
info: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
The token response was successfully returned: {
"resource": "resource_server",
"scope": "email profile offline_access",
"token_type": "Bearer",
"access_token": "[removed for security reasons]",
"expires_in": 3600,
"refresh_token": "[removed for security reasons]"
}.
Here are some logs from Resource Server:
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET http://localhost:5001/api/values
trce: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector[5]
Performing unprotect operation to key {********-****-****-****-64bb57db1c3b} with purposes ('C:\Users\User1\documents\visual studio 2017\Projects\OpenIdDictSample\Aka.WebApi', 'OpenIdConnectServerHandler', 'AccessTokenFormat', 'ASOS').
dbug: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[37]
Reading data from file 'C:\Users\User1\AppData\Local\ASP.NET\DataProtection-Keys\key-********-****-****-****-64bb57db1c3b.xml'.
dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[18]
Found key {********-****-****-****-64bb57db1c3b}.
dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[13]
Considering key {********-****-****-****-64bb57db1c3b} with expiration date 2017-09-27 16:44:49Z as default key.
dbug: Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlDecryptor[51]
Decrypting secret element using Windows DPAPI.
dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[4]
Opening CNG algorithm 'AES' from provider '(null)' with chaining mode CBC.
dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[3]
Opening CNG algorithm 'SHA256' from provider '(null)' with HMAC.
dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider[2]
Using key {********-****-****-****-64bb57db1c3b} as the default key.
info: AspNet.Security.OAuth.Validation.OAuthValidationMiddleware[7]
Bearer was not authenticated. Failure message: Authentication failed because the access token was invalid.
1) What is wrong with my resource server?
2) How to configure the resource server on different machine (especially token signing/checking and encryption/decryption)?
How to configure the resource server on different machine (especially token signing/checking and encryption/decryption)?
You need to make sure the key ring (containing the master keys that are derived by ASP.NET Core Data Protection to create encryption and validation keys) is correctly synchronized and shared by both your authorization server and your resource server(s). The procedure is described here: https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview.
Here's an example of how it could be done using a shared folder:
public void ConfigureServices(IServiceCollection services)
{
    // Both apps must point at the same key ring location
    services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"));
}
You'll also need to configure the two applications to use the same "application discriminator":
public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"))
        // Same discriminator in both apps, otherwise the purposes (and derived keys) differ
        .SetApplicationName("Your application name");
}
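An added illustration (not ASOS or ASP.NET Core code, and a simplified model rather than the real key derivation or payload format) of why the two apps' purposes in the logs above matter: the first purpose is the application discriminator, which defaults to each app's content root path, and any difference in the purpose chain yields an unrelated derived key, so a token protected by one app cannot be unprotected by the other even though both read the same key-ring file. The placeholder content roots and the claims payload are constructed.

```python
import hashlib
import hmac
import os

def purposes_for(app_discriminator):
    """Purpose chain as it appears in the page's logs; the first element is the application
    discriminator, which by default is the app's content root path."""
    return (app_discriminator, "OpenIdConnectServerHandler", "AccessTokenFormat", "ASOS")

def derive_key(master_key, purposes):
    """Simplified model of purpose chaining: each purpose feeds one HMAC-SHA256 step,
    so any difference anywhere in the chain yields an unrelated key."""
    key = master_key
    for purpose in purposes:
        key = hmac.new(key, purpose.encode("utf-8"), hashlib.sha256).digest()
    return key

def protect(master_key, purposes, payload):
    """Model of Protect: payload plus an HMAC tag under the purpose-derived key (no encryption here)."""
    tag = hmac.new(derive_key(master_key, purposes), payload, hashlib.sha256).digest()
    return payload + tag

def unprotect(master_key, purposes, token):
    """Model of Unprotect: the payload, or None when the tag does not verify
    (the resource server's 'the access token was invalid')."""
    payload, tag = token[:-32], token[-32:]
    expected = hmac.new(derive_key(master_key, purposes), payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, tag) else None

def demo(master_key=None):
    master_key = master_key or os.urandom(32)  # the one key-ring key both apps read in the logs
    claims = b"sub=123;aud=resource_server"  # constructed stand-in for the token contents
    # Default discriminators: each app uses its own content root (placeholders, not real paths)
    issued = protect(master_key, purposes_for("<auth-server-content-root>"), claims)
    shared = purposes_for("Your application name")  # both apps call SetApplicationName(...)
    return {
        "different_content_roots": unprotect(master_key, purposes_for("<resource-server-content-root>"), issued),
        "same_application_name": unprotect(master_key, shared, protect(master_key, shared, claims)),
    }
```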

Ejabberd OAuth / REST 401 Unauthorized

I'm trying to request the Ejabberd REST web services with the /api/connected_users endpoint, but the request always returns 401 Unauthorized HTTP errors.
Here is my OAuth configuration.
-
  port: 5280
  module: ejabberd_http
  request_handlers:
    "/websocket": ejabberd_http_ws
    # OAuth Support
    "/oauth": ejabberd_oauth
    # ReST API:
    "/api": mod_http_api
  web_admin: true
  http_bind: true
  register: true
  captcha: false
...
commands_admin_access: configure
commands:
  - add_commands: user
oauth_expire: 3600
oauth_access: all
As explained in the documentation I use the following URL to generate an OAuth 2 Access Token for the admin user.
http://localhost:5280/oauth/authorization_token?response_type=token&client_id=myclient&redirect_uri=http://localhost:5280&scope=sasl_auth
It returns my OAuth token.
http://localhost:5280/?access_token=oLn8Hebh051l2PdCM15tSvHrEI25CpBs&token_type=bearer&expires_in=3600&scope=sasl_auth&state=
Finally to request the api/connected_users endpoint I do the following.
curl -v -X GET -H "X-Admin: true" -H "Authorization: Bearer oLn8Hebh051l2PdCM15tSvHrEI25CpBs" http://localhost:5280/api/connected_users
But it always returns 401 Unauthorized errors.
In my ejabberd.log file I have this.
2016-02-09 09:47:12.177 [info] <0.497.0>#ejabberd_listener:accept:333 (#Port<0.16419>) Accepted connection 127.0.0.1:62395 -> 127.0.0.1:5280
2016-02-09 09:47:12.177 [debug] <0.546.0>#ejabberd_http:init:154 S: [{[<<"websocket">>],ejabberd_http_ws},{[<<"oauth">>],ejabberd_oauth},{[<<"api">>],mod_http_api},{[<<"register">>],mod_register_web},{[<<"admin">>],ejabberd_web_admin},{[<<"http-bind">>],mod_http_bind}]
2016-02-09 09:47:12.177 [info] <0.546.0>#ejabberd_http:init:158 started: {gen_tcp,#Port<0.16419>}
2016-02-09 09:47:12.177 [debug] <0.546.0>#ejabberd_http:process_header:281 (#Port<0.16419>) http query: 'GET' <<"/api/connected_users">>
2016-02-09 09:47:12.177 [debug] <0.546.0>#ejabberd_http:process:353 [<<"api">>,<<"connected_users">>] matches [<<"api">>]
2016-02-09 09:47:12.178 [info] <0.546.0>#mod_http_api:log:388 Admin call connected_users [] from 127.0.0.1:62395
So how do I configure Ejabberd to allow the admin user to request all the Ejabberd REST web services?
My users are stored in MySQL; as the OAuth tokens are stored in Mnesia, could that be the problem?
Thanks,
Baptiste
Be sure you are using the @host when entering the username if it's specified that way in ejabberd.yml. I wasn't receiving any response from REST requests because I was using just admin for the user, when it should be admin@somehost in the user name.
Please let me know if this doesn't help.
Make sure you enter the correct User (jid): user@hostname.
It worked for me.

FIWARE CEP (Proton) REST output authentication error

I'm trying to send an output event from FIWARE CEP (Proton), using the REST consumer, to an ActiveMQ queue. The credentials for accessing the ActiveMQ queue are included in the URL, as http://user:passwrd@X.X.X.X:xxxx/api/message/myqueue, but I get the following error:
com.ibm.hrl.proton.webapp.resources.EventResource submitNewEvent
INFO: events sent to proton runtime...
org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme
INFO: basic authentication scheme selected
org.apache.commons.httpclient.HttpMethodDirector processWWWAuthChallenge
INFO: No credentials available for BASIC 'ActiveMQRealm'@X.X.X.X
com.ibm.hrl.proton.server.executorServices.SimpleThreadFactory$ProtonExceptionHandler uncaughtException
SEVERE: Uncaught exception in thread: Thread[4,5,main],exception: com.ibm.hrl.proton.adapters.rest.client.RESTException: com.ibm.hrl.proton.adapters.rest.client.RESTException: Could not perform POST of event instance: ...
with request headers:
Content-Type: text/plain
User-Agent: Jakarta Commons-HttpClient/3.0
Host: X.X.X.X:xxxx
Content-Length: 389
to consumer http://user:passwrd@X.X.X.X:xxx/api/message/myqueue, responce result: 401
It seems that Proton doesn't extract the credentials from the URL.
Anyone else had the same problem?
You can add an AuthToken parameter to the CEP REST consumer definition.
From the CEP user guide (can be found here):
AuthToken – an optional parameter. When set, it is added as an X-Auth-Token
HTTP header of the request.