I'm trying to request the Ejabberd REST Web Services with the /api/connected_users endpoint but the request always returns me 401 Unauthorized HTTP errors.
Here is my OAuth configuration.
-
port: 5280
module: ejabberd_http
request_handlers:
"/websocket": ejabberd_http_ws
# OAuth Support
"/oauth": ejabberd_oauth
# ReST API:
"/api": mod_http_api
web_admin: true
http_bind: true
register: true
captcha: false
...
commands_admin_access: configure
commands:
- add_commands: user
oauth_expire: 3600
oauth_access: all
As explained in the documentation I use the following URL to generate an OAuth 2 Access Token for the admin user.
http://localhost:5280/oauth/authorization_token?response_type=token&client_id=myclient&redirect_uri=http://localhost:5280&scope=sasl_auth
It returns me my OAuth Token.
http://localhost:5280/?access_token=oLn8Hebh051l2PdCM15tSvHrEI25CpBs&token_type=bearer&expires_in=3600&scope=sasl_auth&state=
Finally to request the api/connected_users endpoint I do the following.
curl -v -X GET -H "X-Admin: true" -H "Authorization: Bearer oLn8Hebh051l2PdCM15tSvHrEI25CpBs" http://localhost:5280/api/connected_users
But it always returns me 401 Unauthorized errors.
In my ejabberd.log file I have this.
2016-02-09 09:47:12.177 [info] <0.497.0>#ejabberd_listener:accept:333 (#Port<0.16419>) Accepted connection 127.0.0.1:62395 -> 127.0.0.1:5280
2016-02-09 09:47:12.177 [debug] <0.546.0>#ejabberd_http:init:154 S: [{[<<"websocket">>],ejabberd_http_ws},{[<<"oauth">>],ejabberd_oauth},{[<<"api">>],mod_http_api},{[<<"register">>],mod_register_web},{[<<"admin">>],ejabberd_web_admin},{[<<"http-bind">>],mod_http_bind}]
2016-02-09 09:47:12.177 [info] <0.546.0>#ejabberd_http:init:158 started: {gen_tcp,#Port<0.16419>}
2016-02-09 09:47:12.177 [debug] <0.546.0>#ejabberd_http:process_header:281 (#Port<0.16419>) http query: 'GET' <<"/api/connected_users">>
2016-02-09 09:47:12.177 [debug] <0.546.0>#ejabberd_http:process:353 [<<"api">>,<<"connected_users">>] matches [<<"api">>]
2016-02-09 09:47:12.178 [info] <0.546.0>#mod_http_api:log:388 Admin call connected_users [] from 127.0.0.1:62395
So how to configure Ejabberd to allow the admin user to request all the Ejabberd REST Web Services ?
My users are stored in Mysql, as OAuth Tokens are stored in Mnesia could it be the problem ?
Thanks,
Baptiste
Be sure you are using the #host when entering username if it's specified in that way in ejabberd.yml. I wasn't receiving any response from REST requests because I was using just admin for user, when should be admin#somehost in user name.
Please let me know if this doesn't help.
make sure you enter correct User(jid): ( User (jid): user#hostname)
it worked for me.
Related
In the Keycloak server, we created a client that has an Access Type of confidential.
By calling /protocol/openid-connect/token endpoint with the client_id and the client_secret, we got the access_token, which was supposed to authenticate the application (client) in question in the follow-up requests.
Even though the token is valid (which I double-checked by calling the introspect endpoint), I am getting a 500 Error from the server for any request that has this access_token
So in short:
Calling this endpoint <base_url>/auth/realms/<realm>/protocol/openid-connect/token gives an access_token
Provided data: client_id,client_secret, grant_type: "client_credentials"
Calling <base_url>/auth/realms/<realm>/protocol/openid-connect/userinfo gives 500Internal Server Error
{
"error": "unknown_error"
}
Any insights on what the issue could be?
This should be fixed in Keycloak 13.0.0.
See this commit: https://github.com/keycloak/keycloak/commit/056b52fbbe5af06aab957d37405215f1f4ed6ecd
It is not quite clear from the question how you are sending the token to the userInfo endpoint, Provided that the access token you have received is valid make sure that you are sending the token in the request header. Try the below curl command:-
curl
-X GET
-H "Authorization: Bearer <Access Token>"
-H "Content-type: application/json"
http://{hostname}/auth/realms/{realm_name}/protocol/openid-connect/userinfo
I have a problem using keycloak gatekeeper for authorizing requests in a kubernetes cluster. A resource request is forwarded to login via keycloak, after login it is shown that access is forbidden using the gatekeepers forbidden page. The gatekeeper log looks like this:
{"level":"info","ts":1608128659.3984604,"msg":"keycloak proxy service starting","interface":":3000"}
{"level":"error","ts":1608128667.3914142,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1608128667.3915262,"msg":"client request","latency":0.002089839,"status":307,"bytes":95,"client_ip":"192.168.42.129:48724","method":"GET","path":"/auth/"}
{"level":"info","ts":1608128667.4082289,"msg":"client request","latency":0.000065187,"status":307,"bytes":317,"client_ip":"192.168.42.129:48724","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1608128671.970435,"msg":"unable to exchange code for access token","error":"unknown_error"}
{"level":"info","ts":1608128671.9705727,"msg":"client request","latency":0.203322612,"status":403,"bytes":2174,"client_ip":"192.168.42.129:48724","method":"GET","path":"/oauth/callback"}
I used a configuration similar to https://gist.github.com/carlosedp/80ea54104cc6303f04b3755033f9c4fe.
Is my redirect address maybe wrong, or is about the resource part in the configuration file?
The config file looks like this:
discovery-url: http://keycloak.192.168.42.129.nip.io/auth/realms/local/.well-known/openid-configuration
skip-openid-provider-tls-verify: true
client-id: gatekeeper
client-secret: XXX
listen: :3000
enable-refresh-tokens: true
tls-cert:
tls-private-key:
redirection-url: http://sb.192.168.42.129.nip.io
secure-cookie: false
encryption-key: XXX
upstream-url: http://127.0.0.1:5000/
forbidden-page: /html/access-forbidden.html
upstream-keepalives: true
skip-upstream-tls-verify: true
enable-logging: true
enable-json-logging: true
enable-encrypted-token: false
resources:
- uri: /*
I'm training to send an output event from FIWARE CEP (Proton), using the REST consumer, to an ActiveMQ queue. The credential for access the ActiveMQ queue are included in the URL, as http://user:passwrd#X.X.X.X:xxxx/api/message/myqueue, but I have the following error:
com.ibm.hrl.proton.webapp.resources.EventResource submitNewEvent
INFO: events sent to proton runtime...
org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme
INFO: basic authentication scheme selected
org.apache.commons.httpclient.HttpMethodDirector processWWWAuthChallenge
INFO: No credentials available for BASIC 'ActiveMQRealm'#X.X.X.X
com.ibm.hrl.proton.server.executorServices.SimpleThreadFactory$ProtonExceptionHandler uncaughtException
SEVERE: Uncaught exception in thread: Thread[4,5,main],exception: com.ibm.hrl.proton.adapters.rest.client.RESTException: com.ibm.hrl.proton.adapters.rest.client.RESTException: Could not perform POST of event instance: ...
with request headers:
Content-Type: text/plain
User-Agent: Jakarta Commons-HttpClient/3.0
Host: X.X.X.X:xxxx
Content-Length: 389
to consumer http://user:passwrd#X.X.X.X:xxx/api/message/myqueue, responce result: 401
Seems like that Proton doesn't extract the credential from the URL.
Anyone else had the same problem?
You can add to the CEP REST consumer definition an AuthToken parameter.
From the CEP user guide (can be found here):
AuthToken – an optional parameter. When set, it is added as an X-Auth-Token
HTTP header of the request.
I'm having a problem with triggering builds in Jenkins with authentication enabled and wondering if anyone has ideas.
I have Global Security configured to use LDAP with "Project-based Matrix Authorization Strategy" enabled. The "Anonymous" user has the "Job > Build" privilege, and no other privileges (in particular, the "Anonymous" user does NOT have "Overall > Read" privilege, since I don't want everyone to be able to view the list of jobs and other general information).
I want an automated script to be able to trigger a build using the "Trigger Builds Remotely" feature, where I specify a ?token=[token] value in the URL and the standard authentication should be bypassed, as long as the [token] value matches the one I set in the job's Configure page. The goal is to NOT need to provide a regular username/password in the request but simply provide the token for this specific job.
The documentation seems to indicate this should work:
https://wiki.jenkins-ci.org/display/JENKINS/Quick+and+Simple+Security
So specifically, I am expecting this HTTP request to work:
curl -i https://jenkinsHost/job/ProjectName/build?token=test
But I get:
[~]$ curl -i https://jenkinsHost/job/ProjectName/build?token=test
HTTP/1.1 403 Forbidden
Date: Sat, 27 Apr 2013 23:17:03 GMT
Server: Winstone Servlet Engine v0.9.10
Content-Type: text/html;charset=UTF-8
Content-Length: 629
X-Powered-By: Servlet/2.5 (Winstone/0.9.10)
Set-Cookie: JSESSIONID.e9bc4765=e1f0a30b9f04b3740bae527a7822b2d5; Path=/; HttpOnly
Connection: close
<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2Fjob%2FProjectName%2Fbuild%3Ftoken%3Dtest'/>
<script>
window.location.replace('/login?from=%2Fjob%2FProjectName%2Fbuild%3Ftoken%3Dtest');</script>
</head>
<body style='background-color:white; color:white;'>
Authentication required
</body></html>
When I DO use API authentication, the request works:
curl --username "test_user:API_KEY" https://hostname/job/ProjectName/build?token=test
But again, according to the documentation I think it is supposed to bypass the global authentication if ?token is present and matches the project token I configure. Why is this not working? What other information/logs can I provide?
There's a new plugin that allows you to do that even when Jenkins prohibits anonymous read access:
Build Token Root Plugin
Use:
$ curl 'http://jenkins/buildByToken/build?job=jobname&token=mytoken'
Scheduled.
Likewise with buildWithParameters.
Example for using the "Build Authorization Token Root" plugin with POST:
wget --post-data="job=MyJob&token=SECRET&MyParameter=hello" http://servername/jenkins/buildByToken/buildWithParameters
note that "Trigger Builds Remotely" must be activated for this job (with authorization token "SECRET")
I'm currently trying to implement Devise with LDAP Authentication on RAILS3. I've got it setup and it appears to connect and try to auth, but appears to fail. I don't seem to get any sort of real error messages to work with so its very difficult to take it any further.
Log of login session:
Started POST "/users/sign_in" for 192.168.160.1 at Tue Dec 06 05:20:16 +0000 2011
Processing by Devise::SessionsController#create as HTML
Parameters: {"commit"=>"Sign in", "authenticity_token"=>"G2tEq9gPpJiN0RhanTd8HMWno62F+1oLWbU4xdX78bg=", "utf8"=>"\342\234\223", "user"=>{"remember_me"=>"0", "password"=>"[FILTERED]", "login"=>"richmond#email.com"}}
User Load (0.1ms) SELECT `users`.* FROM `users` WHERE `users`.`login` = 'richmond#email.com' LIMIT 1
LDAP: LDAP dn lookup: mail=richmond#email.com
LDAP: LDAP search for login: mail=richmond#email.com
LDAP: Authorizing user mail=richmond#email.com,ou=groupxx,o=company.com
LDAP: LDAP dn lookup: mail=richmond#email.com
LDAP: LDAP search for login: mail=richmond#email.com
Completed 401 Unauthorized in 7147ms
Processing by Devise::SessionsController#new as HTML
Parameters: {"commit"=>"Sign in", "authenticity_token"=>"G2tEq9gPpJiN0RhanTd8HMWno62F+1oLWbU4xdX78bg=", "utf8"=>"\342\234\223", "user"=>{"remember_me"=>"0", "password"=>"[FILTERED]", "login"=>"richmond#email.com"}}
Rendered devise/shared/_links.erb (0.1ms)
Rendered devise/sessions/new.html.erb within layouts/application (5.0ms)
Completed 200 OK in 23ms (Views: 21.4ms | ActiveRecord: 0.0ms)
Started GET "/assets/defaults.js" for 192.168.160.1 at Tue Dec 06 05:20:23 +0000 2011
Served asset /defaults.js - 404 Not Found (3ms)
ActionController::RoutingError (No route matches [GET] "/assets/defaults.js"):
Rendered /usr/local/lib/ruby/gems/1.8/gems/actionpack-3.1.0/lib/action_dispatch/middleware/templates/rescues/routing_error.erb within rescues/layout (0.5ms)
ldap config:
development:
host: ldap.company.com
port: 636
attribute: mail
base: ou=groupxx,o=company.com
#admin_user: cn=admin,dc=test,dc=com
#admin_password: admin_password
ssl: true
# <<: *AUTHORIZATIONS
I don't have access to the LDAP server so I cannot confirm anything from that end. The main issue I have is that I cannot get any error messages out of the login process - Is it not able to find the user? Does it find the user but fail login? Why does it do 2 LDAP searches?
same issue here. Did a ldapsearch, which works however. Company is running an ActiveDirectory server here:
ldapsearch -Z -h ldap.company.com -p 389 -s sub -D
"cn=somebody,ou=my_ou,dc=ldap,dc=company,dc=com" -W -b
"dc=ldap,dc=company,dc=com" "(&(cn=somebody))" mail
Solution:
I have found the solution: In config/initializers/devise.rb I missed to activate config.ldap_use_admin_to_bind = true. Only with this flag, devise_ldap_authenticatable really uses the BindDN (i.e. admin_user, admin_password which both have to be uncommented) defined at config/ldap.yml.
I found out the problem I had was that the LDAP server my company (IBM) uses was using a different protocol standard to the ones officially supported by NET-LDAP.
You simply need to change the PagedResults Control Type to a slightly different standard:
#PagedResults = "1.2.840.113556.1.4.319" # Microsoft evil from RFC 2696
PagedResults = "2.16.840.1.113730.3.4.2" # IBM Bluepages compatible ControlType
Full code change details here.
I forked it and fixed it over here on GitHub.
I did encounter the same problem on my ActiveDirectory. I tried using the bind user but it didn´t help either. I changed devise according to screencast 210 to use the username field. Here´s my ldap.yml
development:
host: dcburda0
port: 636
attribute: cn
base: OU=Organisation,DC=mydomain,DC=com
admin_user: CN=username,OU=Support Center Muenchen,OU=name GmbH,OU=Organisation,DC=mydomain,DC=com
admin_password: password
ssl: true