I'm using a jwt based authentication system and I'd like to ensure that google sends this token back in the header. Is there anyway to give google custom headers to send back to a server?
Not in the header, but you can use the state param to include it in the URL.
Related
I've been doing some HTTP methods and header research recently if we should use GET with basic authorization instead of POST when submitting?
HTTP Methods
The GET method requests a representation of the specified resource. Requests using GET should only retrieve data.
The POST method submits an entity to the specified resource, often causing a change in state or side effects on the server.
As we see here, the POST method normally changes the state of the server. If sending out JWTs/HTTP cookies, we are not modifying the state of the server. Nor are we creating a new resource in the server.
I understand that we should not not send the username and password as a GET parameter but should we use the authorization header instead?
Basic authentication
For "Basic" authentication the credentials are constructed by first combining the username and the password with a colon (aladdin:opensesame), and then by encoding the resulting string in base64 (YWxhZGRpbjpvcGVuc2VzYW1l).
Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l
The only advantage I see to using POST over GET is that we need no extra code in the HTML/JS on the client side to send headers via the fetch API. To send headers, we would need an onsubmit and then check if status code is 200. If 200, we will need to redirect to the page after the login screen. Then again, if using the fetch API, this means the server does not need to send a new HTML page to the client all the time either.
Should we use GET with basic auth or POST when logging in since we don't create a resource/modify the server state?
Would this change if say we enable 2FA since we would need to generate a code for that user?
Doing basic authentication in the browser and using GET is not that recommended.
To do your own login form it is better to always do it using HTTPS and POST. Do post the username/password in the body of the request and secure it with proper CSRF protection.
If you want to level up, you can always look at the OpenIDConnect approach, but that is more advanced depending on your needs.
Also, a good approach is to explore how existing site implement a login form and look at the HTTP(s) traffic in a tool like Fiddler.
I'm building a SaaS project that requires authentication (duh!) and for that I am using Auth0.
I've managed to the steps detailed here successfully.
Code from above link:
https://YOUR_DOMAIN/authorize?
response_type=code&
client_id=YOUR_CLIENT_ID&
redirect_uri=https://YOUR_APP/callback&
scope=SCOPE&
audience=API_AUDIENCE&
state=STATE
But I'm not sure what to do when I redirect to the redirect_url (here my dashboard url, e.g: dashboard.example.com). I mean I don't know how to use this code.
I get the code appended to url after redirect, so I think everything's working, but am not sure how to use it further to populate the dashboard with user details and retrieve content.
Do I use my API endpoint here instead of the dashboard url?
Hope my question is clear.
Any help would be wonderful!
Thanks in advance!
Edit:
I am using Universal Login, not using any SDK as of now.
After you receive the code you will exchange it for tokens via the POST /oauth/token endpoint.
Here is an example code exchange request from the Authentication API docs
POST https://YOUR_DOMAIN/oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
client_id=YOUR_CLIENT_ID&
code_verifier=CODE_VERIFIER&
code=AUTHORIZATION_CODE&
redirect_uri=https://YOUR_APP/callback
Then, you can use the ID token to populate your user's info, and the access token to retrieve other data from your backend API.
magento REST API, how i will get token and token secret to be fill in
Postman REST resquest. I have only consumer key and consumer secret.
Please provide me the steps to follow.
First, you want to request a valid OAuth token and secret. Do this by hitting the /oauth/initiate URL of your Magento store with a GET parameter for oauth_callback. We're going to use httpbin so that we can echo anything that is passed to our callback. Make sure you have "Auto add parameters" checked on the OAuth 1.0 settings for Postman.
That will give you an oauth_token and oauth_token_secret, which are only temporary. These are referred to as a "request token" and secret. Save these values somewhere because you will need them later.
Now, assemble a new regular HTTP request to the /admin/oauth_authorize URL of your Magento store. This will return a login form where you can accept the oauth token and authorize your app, however since we're using Postman we aren't able to interact with the form.
Instead, view the source and pull out the form_key hidden input value. Then assemble a new HTTP request to fake the submission of the authorization form. Make sure it is a POST request. Your new HTTP request should look like this.
Now, you need to actually confirm the authorization. Simply issue a GET to the /admin/oauth_authorize/confirm URL of your Magento store with the oauth_token as your parameter. When you send this request it will redirect to your oauth_callback from the first step. Now, you can see why we used httpbin as our callback in the first step.
OK. So, we're almost home. The last piece of the puzzle is to use the oauth_token, oauth_secret, and oauth_verifier all together to get a valid and persistent "access token". So, take the oauth_token_secret from the first step, and combine and assemble a new OAuth request like so.
You should get a returned token and secret. These will never expire! You can use them to query products and stuff.
Now, you can assemble your OAuth requests like this. Edit: Note, you must check the "Add params to header" checkbox in order for Magento REST calls to work properly.
I have an endpoint on API Gateway that I want to make it work with requests from Strip.com only. I have tried adding stripe.com on Access-Contril-Allo-Origin* as it shown below but does not seem to be working at all.
How do I set CORS on API Gateway?
CORS only applies to requests made from a browser. It doesn't apply if you're trying to protect, for example, a webhook URL that you want Stripe to send data to. The typical approaches here are either to include a shared secret in your webhook URL, or to configure a username & password, both of which Stripe support. Examples:
https://yourdomain.com/admin/webhook/6f637faa33a2116f410cfb12af2028a85d22fcf5
https://user:pass#yourdomain.com/admin/webhook/
The other protection here is that you can verify any event received by sending an API request to Stripe to retrieve that event:
https://stripe.com/docs/webhooks#verifying-events
I think you need to have the schema on the header, like, https://stripe.com as Access-Control-Allow-Origin
normally browser stores and adds authentication header automaticly after successfull authentication.
I have a XMLHttpRequest and added the authentication header for basic auth. No problem at all.
Then I try to send a second request to the same url that is basic http protected without adding manually the http request header to this request. Poorly it seems that the browser is not storing the authentication provided in request 1. My goal is to add the authentication handler transparently to every request that follows the first one (like a native browser do).
Any idea? Thanks.
Browser only storing authetication requested from user. So, if you send 1st request w/o authentication fields, browser will prompt user for auth this time, remember credentials and use it for next requests transparently.