I am trying to follow the list of set of steps at https://auth0.com/docs/what-to-do-once-the-user-is-logged-in/calling-an-external-idp-api but despite my best effort am not able to get the access token as I am getting a error as follows:
POST https://r***s.eu.auth0.com/oauth/token 401 (Unauthorized)
when I try to obtain the access token.
My code is the following:
var data = {
client_id : '****',
client_secret : '****',
audience : 'https://r****.eu.auth0.com/api/v2/',
grant_type : 'client_credentials'
};
var config = {
json: true,
headers : {
'Content-Type': 'application/json;'
};
}
$http.post('https://r***.eu.auth0.com/oauth/token',data, config).then (
function(response) { console.log(response); }
);
The problem is that you're setting an incorrect Content-Type when doing your POST request.
The correct content type for a JSON request is the following: application/json
You're appending an extra ; character at the end which is causing the server to issue a 401 response.
Additionally, that code snippet seems to be from an AngularJS application. If that's the case there's two additional problems, due to CORS limitation unless the application domain is white-listed in the Allowed Origins (CORS) list in the client settings (Auth0 Dashboard), you won't be able to perform the request anyway. This is the first problem, but not the biggest one... if you solve this by adding the domain to the white-list you now have a client identifier and secret stored on a client-side application which means anyone can access it just by looking at the code. In almost all (probably 99.9%) situations this is just wrong.
Related
It's my first time using GraphQL and im trying to access the content of a given query but i can't acces this given query because of lack of permissions, in this case I have been given a username and a password to access this GraphQL api, and i'm able to get and verify the token using these credentials in GraphQL but my question is the following, how do I become authenticated in the API to be able to access the queries of the API?
My error is as follows.
"errors": [
{
"message": "You do not have permission to perform this action",
I believe this is something very basic, but I just not able to find a way to solve this issue.
Click HTTP Header and add your token as shown below:
{
"Authorization": "Bearer YOUR_TOKEN_HERE"
}
you may have to remove Bearer and only use the token, it depends on how you did authorization on the server.
This is for JWT authentication in REQUEST HEADERS on GraphiQL below:
{
"Authorization": "JWT your_jwt_access_token_here"
}
If anyone stumbles upon same issue, just sending the HTTP didn't work in my case, because I had this line in my #auth-directive:
let token = req?.cookies?.token
Which would only check token from cookies and never from request-headers where I was passing the Authorization-header.
Fixed the issue by changing it to:
let token = req?.cookies?.token ?? req?.headers?.authorization
I'm trying to interact with Keycloak via its REST API. I have the master realm and the default admin user, and a test realm. Firstly, I get an access token for the admin account and test realm:
let data = {
grant_type : 'password',
client_id : 'test-realm',
username : 'admin',
password : 'admin'
};
let headers = {
'Content-Type': 'application/x-www-form-urlencoded'
};
axios.post(
'https://someurl.com:8080/auth/realms/master/protocol/openid-connect/token',
qs.stringify(data),
headers
)
That works ok. Then I try to make a call to create a user (or do anything else) and I get a 401 unauthorized error:
headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Authorization': `Bearer ${accessToken}`
};
data = {
rep: {
email: "test#email.com",
username: "test#email.com"
},
path: 'test-realm'
};
axios.post('https://someurl.com:8080/auth/admin/realms/test-realm/users',
qs.stringify(data),
headers
)
Is that not the correct way to include the token? Is the access token the one you use for authenticating other API calls? Shouldn't the admin account's token work for authenticating calls to other clients with the master realm? Would it be some setting in the master realm that I have to change in the admin console? Any help appreciated.
I got a 401 error because I generated the offline token by using http://localhost:8080 and then I tried to request the api by using http://keycloak:8080 which is not allowed. Unfortunately the log doesn't tell you that.
To debug JWT tokens I recommend https://jwt.io/
Is that not the correct way to include the token?
This is a correct way.
You just do something incorrectly.
Please, refer for an example from keycloak-request-token Node.js module:
https://github.com/keycloak/keycloak-request-token/blob/master/index.js#L43
You use
client_id : 'test-realm'
but there is
client_id: 'admin-cli'
there.
Also, to create a user, you should use
'Content-Type': 'application/json'
You can refer for Node.js examples of Keycloak REST API here:
https://github.com/v-ladynev/keycloak-nodejs-example/blob/master/lib/adminClient.js
Examples of other useful stuff like:
custom login
storing Keycloak token in the cookies
centralized permission middleware
can be found in the same project: keycloak-nodejs-example
I fixed it by enabling the below "Service Accounts Enabled" button under Settings for admin-cli
I had this issue and solved it by making sure that there is no more than 1 minute between the first and the second API request. So, if you are doing this manually (2 curl requests), the token may expire and you may get error 401. Nevertheless, you should use admin-cli as mentioned above.
I came this issue recently and after struggling for a while i figured. using a realm name containing white spaces will trigger 401 unauthorized error when interacting with via SDKs or API.
IN SUMMARY:
change: realm name
to: realm-name
When I call ubers API from my front end, the call gets blocked with the following error: No 'Access-Control-Allow-Origin' header is present on the requested resource. However, when I call from a node js application the call goes through just fine. The code is the exact same. See below:
$.ajax({
url: "https://api.uber.com/v1/estimates/price",
headers: {
Authorization: "Token " + uberServerToken
},
success: function(result) {
};
This is due to CORS policy enforced by the browser. For cross domain requests the server must include a header Access-Control-Allow-Origin: *. This is likely on purpose as you should never include a server tonken in your client code. For the client you should be using a bearer token. Take a look at the Uber API documentation.
Since the server is at your own control you're free to make API requests to anywhere.
Attempting to sign in (and enter a session) using user credentials in an Angular app using the Backand SDK. From the Backand docs I am attempting to sign in using the Backand.signin() method (from my local) which looks to be initially sending an OPTIONS http request to the API which unfortunately is causing this cross origin error:
XMLHttpRequest cannot load https://api.backand.com/token. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:xxxx' is therefore not allowed access. The response had HTTP status code 400.
The exact response from the endpoint is: {"error":"unsupported_grant_type"}
I've combed through the documentation extensively but can't find anyone else having these errors.
This is exact code I am using:
function Login(username, password, callback) {
Backand.signin(username, password).then(function(response){
console.log(response);
}, function(error){
console.log(error);
});
}
The error is logged to the console as a null object.
It looks like the error was in fact on my end.
While attempting to set up my own Authorization service in my Angular app I inadvertently was adding an encoded Authorization token header somehow. When the requests were being made to Backand from the Backand SDK, the headers were not correctly set and thus causing issues.
I have set up a servicestack service with basic authentication using the first example, here:
https://github.com/ServiceStack/ServiceStack/wiki/Authentication-and-authorization
This automatically sets up a route: /auth/basic
However, I cannot find any information or examples on how to format a request to this URL (Variables/GET/POST/Auth Header, etc.).
I am able to access a simple service using the basic authentication credentials, so they are active and correct.
I have no custom authentication plugged in, just basic authentication.
I have tried:
Using a JsonServiceClient to send UserName and Password variables by GET or Json POST to /auth/basic, with and without an Auth header also containing the user & pass.
Using a browser to send GET requests with URL parameters of the user/pass, or as http://user:pass#localhost:123/auth/basic
I always just get "HTTP/1.1 401 Invalid BasicAuth credentials".
The only examples I can find involve some kind of custom authentication, and then /auth/credentials is accessed, but I want to use /auth/basic
I have looked at the code and it looks like it reads an Auth header, but the service does not accept one.
I am actually trying to get this working so I can then disable it and verify it is disabled (I want to require basic authentication for every request).
Questions are:
What is the correct way to call the /auth/basic service? I will take a servicestack client API example, specifications or even a raw http request!
How do you disable the /auth services altogether?
Many thanks.
What is the correct way to call the /auth/basic service? I will take a servicestack client API example, specifications or even a raw http request!
var client = new JsonServiceClient("http://localhost:56006/api");
var resp = client.Post(new Auth() { UserName = "TestUser", Password = "Password" });
This assumes you have also registered an ICacheClient and IAuthUserRepository (and added a user account)
The JSON format looks like this if you call into /auth/basic?format=json
{
"UserName": "admin",
"Password": "test"
"RememberMe": true
}
How do you disable the /auth services altogether?
Don't add the AuthFeature plugin to configuration.
You can also remove plugins
Plugins.RemoveAll(x => x is AuthFeature);
Putting the following in apphost config seems to do the trick.
//Disable most things, including SOAP support, /auth and /metadata routes
SetConfig(new EndpointHostConfig()
{
EnableFeatures = Feature.Json | Feature.Xml
});
I am a little suspicious about what this does to /auth however, because it returns an empty response, while most routes return 404.
So, would this truly disable the /auth functionality? As in, if someone formed a correct request to /auth/credentials, will it still return an empty response?