Currently, I'm working on a very light version of Docker containers orchestrator and I have to be able to get image digest from public Docker Hub registry. I want to use Docker Registry API v2 for this purposes.
I'm trying to get authorization token using following API call:
curl https://auth.docker.io/token?service=index.docker.io&scope=repository:alpine:pull
... and I get a response like following:
{"token":"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5qQTFNekV5TXpVNE5UZGFGdzB4TnpBMU16RXlNelU0TlRkYU1FWXhSREJDQmdOVkJBTVRPMUV6UzFRNlFqSkpNenBhUjFoT09qSlhXRTA2UTBWWFF6cFVNMHhPT2tvMlYxWTZNbGsyVHpwWlFWbEpPbGhQVTBRNlZFUlJTVG8wVWtwRE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVo0NkVLV3VKSXhxOThuUC9GWEU3U3VyOXlkZ3c3K2FkcndxeGlxN004VHFUa0N0dzBQZm1SS2VLdExwaXNTRFU4LzZseWZ3QUFwZWh6SHdtWmxZR2dxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3VVROTFZEcENNa2t6T2xwSFdFNDZNbGRZVFRwRFJWZERPbFF6VEU0NlNqWlhWam95V1RaUE9sbEJXVWs2V0U5VFJEcFVSRkZKT2pSU1NrTXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTzYxSWloN1FUcHNTMFFIYUNwTDFZTWNMMnZXZlNydlhHbHpSRDEwN2NRUEFpRUFtZXduelNYRHplRGxqcDc4T1NsTFFzbnROYWM5eHRyYW0xU0kxY0ZXQ2tJPSJdfQ.eyJhY2Nlc3MiOltdLCJhdWQiOiJpbmRleC5kb2NrZXIuaW8iLCJleHAiOjE0NzQ1NDcyODMsImlhdCI6MTQ3NDU0Njk4MywiaXNzIjoiYXV0aC5kb2NrZXIuaW8iLCJqdGkiOiIzVTdCazF4dm9CLVA0MGJWVF9JSiIsIm5iZiI6MTQ3NDU0Njk4Mywic3ViIjoiIn0.516fS692WGHNi5Sc44iB8OFSLairrM6n1zNvVo5KXAxlsxsP4rE7VDmW5d0YqvTYeKfZAYIi9yEptx4xJlQ6DA"}
It seems that everything is okay and I'm trying to use obtained token for my next API call:
curl -i -H "Authorization: Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5qQTFNekV5TXpVNE5UZGFGdzB4TnpBMU16RXlNelU0TlRkYU1FWXhSREJDQmdOVkJBTVRPMUV6UzFRNlFqSkpNenBhUjFoT09qSlhXRTA2UTBWWFF6cFVNMHhPT2tvMlYxWTZNbGsyVHpwWlFWbEpPbGhQVTBRNlZFUlJTVG8wVWtwRE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVo0NkVLV3VKSXhxOThuUC9GWEU3U3VyOXlkZ3c3K2FkcndxeGlxN004VHFUa0N0dzBQZm1SS2VLdExwaXNTRFU4LzZseWZ3QUFwZWh6SHdtWmxZR2dxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3VVROTFZEcENNa2t6T2xwSFdFNDZNbGRZVFRwRFJWZERPbFF6VEU0NlNqWlhWam95V1RaUE9sbEJXVWs2V0U5VFJEcFVSRkZKT2pSU1NrTXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTzYxSWloN1FUcHNTMFFIYUNwTDFZTWNMMnZXZlNydlhHbHpSRDEwN2NRUEFpRUFtZXduelNYRHplRGxqcDc4T1NsTFFzbnROYWM5eHRyYW0xU0kxY0ZXQ2tJPSJdfQ.eyJhY2Nlc3MiOltdLCJhdWQiOiJpbmRleC5kb2NrZXIuaW8iLCJleHAiOjE0NzQ1NDcyODMsImlhdCI6MTQ3NDU0Njk4MywiaXNzIjoiYXV0aC5kb2NrZXIuaW8iLCJqdGkiOiIzVTdCazF4dm9CLVA0MGJWVF9JSiIsIm5iZiI6MTQ3NDU0Njk4Mywic3ViIjoiIn0.516fS692WGHNi5Sc44iB8OFSLairrM6n1zNvVo5KXAxlsxsP4rE7VDmW5d0YqvTYeKfZAYIi9yEptx4xJlQ6DA" https://index.docker.io/v2/alpine/manifests/latest
... and here what I've got:
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:alpine:pull",error="invalid_token"
Date: Thu, 22 Sep 2016 12:27:54 GMT
Content-Length: 138
Strict-Transport-Security: max-age=31536000
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Name":"alpine","Action":"pull"}]}]}
Does anybody have ideas why token aouthentication fails for such simple flow?
The response in the Www-Authenticate header is trying to tell you what you need, although it could be more helpful.
First thing: the service you want is registry.docker.io.
Second thing: the repository name in the scope is incomplete. Official repositories only have a single-part name like alpine for the CLI, but in the registry it's properly called library/alpine.
So your token request should be:
curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/alpine:pull"
And then your image request is:
curl --header "Authorization: Bearer eyJh..." https://index.docker.io/v2/library/alpine/manifests/latest
And then you'll get the response.
Related
I want to execute an api call to a Saas platform. When I generate the api keys with my account in the platform then i get 2 things:-
api key id : 631f39f37564not/631f39f475646real/635c1192756key
Secret key : -----BEGIN RSA PRIVATE KEY----- ABCDE1234 -----END RSA PRIVATE KEY-----
I am executing the api with my following bash script
#!/bin/bash
export FIELD=90
HOST=https://example.com
PUT_BODY="{\"value\":\"${FIELD}\",\"valueObjectType\":\"String\"}"
curl -sk -X PUT "${HOST}/api/v3/xyz/endpoint" \
-H 'content-type: application/json' \
-H 'x-requested-with: XMLHttpRequest' \
-H "referer: ${HOST}/" \
-H "Authorization: apikey 631f39f37564not/631f39f475646real/635c1192756key" \
-d"${PUT_BODY}" | jq '.'
I get 401 unauthorized error
{
"error": {
"status_code": 401,
"status": "Unauthorized"
}
}
Is -H "Authorization: apikey 631f39f37564not/631f39f475646real/635c1192756key" the correct way to specify the apikey or do i need to append secret also in the request?
Edit: I cannot use bearer token, need to use api key only.
I converted your curl to PHP and changed the URL to my test site that response with the request header. Because you did not provide a link to the api documentation, I do not know if the request header is what they want.
I find the output request header is the first step in trouble shooting curl requests.
This is what my test site received:
BODY=
${PUT_BODY}
BODY urlencoded
${PUT_BODY}
Your request headers:
Content-Length: 11
Content-Type: application/json
Accept: */*
Referer: ${HOST}/
X-Requested-With: XMLHttpRequest
What is missing? The authorization not included?
So let's try another way.
When the is a key and secret they are usually posted as post data in a POST request.
Yours is a PUT request? No documentation.
When I tried your
"Authorization: apikey 631f39f37564not/631f39f475646real/635c1192756key"
curl ignored it and it was not in the request header.
Why the application/json content type header?
I would expect
Content-Type: application/x-www-form-urlencoded
And I would expect the key and secret to be posted as post data:
-d 'key=<key>&secret=<secret>'
But no documentation.
If it is supposed to be a PUT then the key and secret would be in the query string following the URL.
${HOST}/api/v3/xyz/endpoint?key=<key?&secret=<secret>"
Your api key does not look good. Again no documentation.
The secret is even not in your request. You say "need to use api key only".
If that is true, why does the secret exist?
I'd like to download an attachment from the conversation via REST API (Circuit Sandbox)
If I query the Conversation Item, I can see the attachments and within that the fileID. Then, if I am logged with a user account who is a member of the conversation, I can run the following to download the attachment or paste it in the browser where I am logged to the sandbox:
'''
start chrome https://circuitsandbox.net/rest/v2/fileapi?fileid=MyFileIdHere
'''
And that works. Is there a way to achieve the same with a Bot via REST?
A regular GET request will work.
curl https://circuitsandbox.net/rest/fileapi?fileid=<fileId> \
-H "Authorization: Bearer <ACCESS_TOKEN>"
and here is the REST notation.
GET rest/fileapi?fileid=<fileId> HTTP/1.1
Host: circuitsandbox.net
Authorization: Bearer <ACCESS_TOKEN>
The access token for a bot (client credentials grant) is obtained via OAuth 2.0:
curl https://circuitsandbox.net/oauth/token \
-d 'grant_type=client_credentials&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&scope=READ_CONVERSATIONS,WRITE_CONVERSATIONS'
REST notation:
POST /oauth/token HTTP/1.1
Host: circuitsandbox.net
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&scope=READ_CONVERSATIONS,WRITE_CONVERSATIONS'
I am using keycloak to secure my rest service and I am able to get the token , but when I am using this token for to get my rest service response, getting following error:
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, must-revalidate, private
X-Powered-By: Undertow/1
X-XSS-Protection: 1; mode=block
Server: WildFly/11
X-Frame-Options: SAMEORIGIN
Date: Wed, 30 Jan 2019 07:42:45 GMT
Connection: keep-alive
WWW-Authenticate: Bearer realm="demorealm", error="invalid_token", error_description="Didn't find publicKey for specified kid"
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=UTF-8
Content-Length: 71
<html><head><title>Error</title></head><body>Unauthorized</body></html>
I followed below links but didn't get any output to solve this problem.
keycloak bearer token error - Didn't find publicKey for specified kid
Didn't find publicKey for kid ,Keycloak?
Edit 1 -
As per the detail token is properly generating with following command
curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' -i 'https://<IP-ADDRESS>/auth/realms/apirealm/protocol/openid-connect/token' --data 'username=cwlcadmin&password=password#123&client_id=api-client-id&grant_type=password&client_secret=a682049d-587c-4c38-a594-814f08b0ca76'a#123&client_id=api-client-id
But when using this token hitting to rest-api,above declare exception is coming
curl -X GET -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJpeVlweXZtQU9Sc2RtNXlibWNqWUVSRUxJTnVFR2RNOThDeFVMSmdUTHFvIn0.eyJqdGkiOiJkZWQ4YzAzNC02NDM2LTRmNDAtYjZlNC0zYTI3MzcyNDJkODYiLCJleHAiOjE1NDg4NDUzMTQsIm5iZiI6MCwiaWF0IjoxNTQ4ODQzNTE0LCJpc3MiOiJodHRwczovLzEwLjUzLjIwMS4yMDcvYXV0aC9yZWFsbXMvYXBpcmVhbG0iLCJhdWQiOiJhcGktY2xpZW50LWlkIiwic3ViIjoiZjo4OWYzMDE0MC1kNTBjLTQ4ZjMtODIyYi02YmM1YTFkYjM3Yzg6MSIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFwaS1jbGllbnQtaWQiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiI0MWY4ZDU0MS1iZWQxLTQ4MjktOTM4ZC0xNjUxYmZlNzFkZTYiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHBzOi8vMTAuNTMuMjAxLjIwNyJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfSwiYXBpLWNsaWVudC1pZCI6eyJyb2xlcyI6WyJyZXN0Il19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoicHEvSmJRPT0gaEp6b1J5QT0iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJjd2xjYWRtaW4iLCJnaXZlbl9uYW1lIjoicHEvSmJRPT0iLCJmYW1pbHlfbmFtZSI6ImhKem9SeUE9IiwiZW1haWwiOiJ0NWZxV2c3TjF3aUVWaGIxVlEwPSJ9.mPVPVdoRpwXU5Im9E8tlLz3DMrM8NrJ-oRiRZL0hceaszU0H58ca2HKhrtncY2WzCxidcuPPxb1fIh3XNR7C-Q-ifOS4VaIbAbH3pAehmhuBqu0gq3LAfVw8vBWVClVP1iKtPOz4cGeKqGQpKRRO1f8epSihVnRe3NWk1WVaD63jexc0EqawZpY-DqH1VDf5xpz8BY4UUqAAfAq0X6kZ7kBoqoiHFofS5eZJHx1mbN-N6qiCwGSwXP-V6JucoBygmqVDkoNCS9Ebx9DyQlXHStSd_KGbCLeIgMlYVPB8vsUy55IcrZGNJWVFsWcvudqTXwW2Tg8BBq-tsFkVuABs5w' -H 'Content-Type: application/json' -i 'https://<IP-ADDRESS>/api/v2/0/zones'
FYI - Using Wildfly and Load-balancer also which is provided by Wildfly
At last after couple of days struggle we are able to resolve the issue and issue with the Subsystem added in Wildfly server ,it should be like this
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="sure-admin-web.war">
<realm>Realm_Name</realm>
<resource>CLIENT_APP</resource>
<use-resource-role-mappings>true</use-resource-role-mappings>
<auth-server-url>https://<KEYCLOAK-IP>:8666/auth/</auth-server-url>
<ssl-required>NONE</ssl-required>
<credential name="secret">7df18c0d-d4c7-47b1-b959-af972684dab0</credential>
</secure-deployment>
</subsystem>
in our case we missed <ssl-required>NONE</ssl-required> and in <auth-server-url> we added wrong load-balancer url while it should be Keycloak URL.
FYI - Load-Balancer in working on HTTPS while keycloak running on http
I had similar problem. My back end app was in spring boot.
Turns out application.properties needed keycloak.realm-key to be set.
Refer to
https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/java/java-adapter-config.adoc
I'm trying to add a user to a Github repository via their API, but I always get a 502 Bad Gateway error.
With curl I send a request like this (<...> replaced by a real owner, repo, etc.):
curl -i -H 'Authorization: token xxxxxxxxxx' -XPUT https://api.github.com/repos/<owner>/<repo>/collaborators/<username>
I also tried it with this url:
curl -i -H 'Authorization: token xxxxxxxxxx' -XPUT https://api.github.com/teams/<id>/members/<username>
As token I used a newly created Personal Access Tokens
But both times I get this back
HTTP/1.0 502 Bad Gateway
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>
A GET on each URL works fine but a DELETE doesn't work either. So maybe it has to do with curl.
Quoting the reply from GitHub's support with changes in italic:
You're just getting trolled by HTTP and curl.
When you make a PUT request with no body, curl doesn't explicitly set a Content-Length header for that request. However, PUT requests with no Content-Length confuse servers and they respond in weird ways.
Can you please try explicitly setting the Content-Lenght header to 0, or supplying an empty body when making that request (so that curl can set the header for you)? You can accomplish that adding -d "" in your command.
I am trying to publish a message to GCM. But the send call fails with 401 status.
I am passing the Authorization header.
Passing the correct API key (with allow any IP).
I have Enabled the Cloud messaging service.
I have also tried using the browser key in place of API key(with no referrer)
The curl request looks like this >
curl -v --header "Authorization:key=VALID API KEY" --header Content-Type:"application/json" https://android.googleapis.com/gcm/send -d "{\"registration_ids\":[\"r1\"]}"
POST /gcm/send HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-redhat-linux-gnu) libcurl/7.24.0 NSS/3.13.5.0 zlib/1.2.5 libidn/1.18 libssh2/1.2.2
Host: android.googleapis.com
Accept: */*
Authorization:key= VALID API KEY With allow all IP
Content-Type:application/json
Content-Length: 28
Nothing seems to work. Any idea on why this happens?