Using bearer authorization with PostMan - asp.net-web-api2

I am looking for an easy way to add bearer tokens to PostMan. I have imported my API into PostMan from a swagger definition, and am wondering if authorization can be added automatically to all requests in some easy way, such that I do not have to change the Authorization header for each endpoint whenever the token changes.
I am currently requesting a token at /token for my API by sending an x-www-form-urlencoded request containing the parameters username, password and grant_type with a password value.
The returned access_token is then appended to the Authorization header in the format "Bearer token-received-from-token-endpoint" for each request to the API.
The backend is implemented with AspNet Identity Framework and AspNet Web API 2.

A good approach here is chaining requests.
When you get a token, assign it to an environment variable and use that variable in your subsequent requests.
This way you will have a fresh token every time and your other requests can use it at runtime.
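A Postman "Tests" script for the /token request that does the chaining the answer describes, added here as an example and not taken from the original answer: it stores the returned access_token in an environment variable, and every other request in the collection then carries the header `Authorization: Bearer {{access_token}}`. The helper functions are plain JavaScript so they also run outside Postman; the `pm` object is Postman's sandbox API, and the variable names `access_token` and `access_token_expires_at` are assumptions.

```javascript
// Added example for the chaining approach above (not code from the original answer).
// Paste into the "Tests" tab of the /token request; Postman runs it once the
// response arrives. Helpers are plain functions so they can be tested in Node.

// Pull the bearer token out of the password-grant response body
// (ASP.NET Identity's /token endpoint returns access_token, token_type, expires_in).
// Returns null if the body does not look like a valid bearer token response.
function extractAccessToken(body) {
  if (!body || typeof body !== "object") return null;
  if (body.token_type && String(body.token_type).toLowerCase() !== "bearer") return null;
  if (typeof body.access_token !== "string" || body.access_token.length === 0) return null;
  return body.access_token;
}

// Header value used by every chained request: "Bearer <token>".
function bearerHeader(token) {
  return "Bearer " + token;
}

// Absolute expiry (ms since epoch) from expires_in, so a pre-request script on
// later calls can tell the stored token is stale; null if expires_in is absent.
function expiresAtMs(body, nowMs) {
  const ttl = Number(body && body.expires_in);
  return Number.isFinite(ttl) && ttl > 0 ? nowMs + ttl * 1000 : null;
}

// Postman-only part: assumed environment variable names access_token and
// access_token_expires_at. Skipped when run outside the Postman sandbox.
if (typeof pm !== "undefined") {
  pm.test("token endpoint returned 200", () => pm.response.to.have.status(200));
  const body = pm.response.json();
  const token = extractAccessToken(body);
  pm.test("response carries a bearer access_token", () => pm.expect(token).to.not.equal(null));
  if (token) {
    pm.environment.set("access_token", token);
    const exp = expiresAtMs(body, Date.now());
    if (exp) pm.environment.set("access_token_expires_at", String(exp));
  }
}
```

The environment variable is only updated when the body actually contains a bearer access_token, so a failed login (an error response) does not silently overwrite a working token with an empty value.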

Related

Validate JWT Token from postman

A JWT token is generated in our application, and using the same token within the expiration time I can call my API from Postman as well. I need to restrict that, so how can we identify if the API call with the JWT token is coming from Postman or from a browser, and how do we authenticate it in .NET Core?

Djoser JWT endpoints Not able to use token endpoints

I have been using DRF for a couple of months. For authentication I decided to use the djoser package and use JWT tokens for better authentication. However, whenever I try to use Postman to send requests I can only send the three JWT requests. I'm wondering if I can use the Base endpoints as well, such as re-setting the password and finding the user-
Base Endpoints - https://djoser.readthedocs.io/en/latest/base_endpoints.html
I am not able to send requests; the error on Postman always comes as "detail": "Authentication credentials were not provided."
even if I apply the Bearer Token type in Postman.
Can someone tell me how to use the Base endpoints along with JWT?
To use JWT with Djoser, send a GET request to
http://127.0.0.1:8000/auth/users/me
Instead of Bearer or Token, set your Authorization header to pass JWT as follows:
Authorization: JWT your-JWT-access-token
Here's a sample request using Insomnia:
> GET /auth/users/me/ HTTP/1.1
> Host: 127.0.0.1:8000
> Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNTk1MDYyNTcxLCJqdGkiOiI2NmZkODFkNDVlNmY0OTdlYWZiMGExZWE2YmRmZmM0MyIsInVzZXJfaWQiOjF9.uXZadgc_hYcS79tuZWet_4eDqNQlduKpcmD1a2JvfjY
If you have set up your URLs correctly, it will return your username, email and user ID.

JWT handling with WSO2-AM

We plan to introduce an API management solution and we're currently setting up a proof of concept with WSO2 AM. We want to use the WSO2 API gateway to check whether a certain consumer application is allowed to use an API and to throttle the request rate.
I work on the identity workflow and I wonder how a consuming application can pass a JWT token to the backend service with WSO2-AM in between.
First, this is our current scenario:
Without API gateway
1. The consuming application gets a JWT token for its carbon user from an identity provider. The JWT contains some claims about the user, e.g. the roles he/she belongs to.
2. The app calls the service and passes the JWT token in the Authorization HTTP header like: Authorization: Bearer
3. The service validates the issuer and signature of the JWT and retrieves the claims from it.
So, this is pretty straightforward. Now we put an API gateway in between the application and the service:
With API gateway
1. The consuming application gets a JWT token for its carbon user from an identity provider.
2. The consuming application uses OAuth2 to get an access token for the following API calls. We can use the client_credentials grant type and simply pass the client ID and client secret. I haven't yet tried it, but we could possibly use the JWT grant type (see https://docs.wso2.com/display/ISCONNECTORS/Configuring+JWT+Grant+Type) and use the JWT for passing user information to the API gateway.
3. The API gateway validates the JWT against the public key of the identity provider when using the JWT grant type.
4. An access token is returned to the app.
5. The app sends an API request to the gateway and passes the access token in the Authorization HTTP header.
6. The gateway validates the access token.
7. The gateway forwards the API request to the service.
And there is my problem: How can the JWT from 1/2. be passed to the service?
There is documentation for "Passing Enduser Attributes to the Backend Using JWT" (see https://docs.wso2.com/display/AM210/Passing+Enduser+Attributes+to+the+Backend+Using+JWT), but this would introduce a new JWT, issued and signed by WSO2-AM, and I'm not sure whether this JWT contains all information from the JWT used to create the access token (or even the original JWT).
Another way I could think of is using a custom HTTP header for passing the JWT through the gateway to the service. I cannot use the Authorization header (as we do without the API gateway), because WSO2-AM expects the access token in that header.
Since I'm not happy with either solution, I want to ask the experts: How would you solve this?
Thanks,
Torsten
The only possibility I can think of is to send the JWT token in a custom Header for the backend service.

Always receive 401 when accessing api with a valid token

Starting with the following repo at https://github.com/mjrousos/IdentityServer4Authentication, I added a "ValuesController" with a single "Get" method with the [Authorize] attribute. When I login using the web front end I'm able to access this endpoint just fine - the web bits contain the standard web bits found in the IS4 Quickstarts.
However, when I request a token from the token endpoint (/connect/token) with the following body (raw) "grant_type=password&username=gvdonovan%40gmail.com&password=Pass20!7&client_id=myClient&scope=myAPIs" and then use this token in a Get request with a single Authorization header with a value of "bearer [my token]" I receive a 401 Unauthorized response.
You've got your Identity Server and your 'protected controllers' in the same project, with a single startup, which is a configuration I'm not used to.
For our use of IdSvr, we made sure that the startup for the client (a web api) used the middleware "UseIdentityServerAuthentication" in the configure method, with appropriate definitions for what the acceptable Authority and AllowedScopes are for that client.
Then the use of the Authorize header on protected API resources will auto-magically call the authority (our IdSvr) to verify the token.
Our IdSvr doesn't have controllers or "app.UseMvc", because it is just for issuing/verifying tokens.

Basic HTTP authentication with the Heroku Platform API

The documentation for the Heroku Platform API states that it can be accessed with basic HTTP authentication using the API token, as follows:
HTTP basic authentication must be constructed from email address and api token as {email-address}:{token}, base64 encoded and passed as the Authorization header for each request, for example Authorization: Basic 0123456789ABCDEF=.
We have tried this but keep on getting an "Invalid credentials provided" error.
However, if we substitute our Heroku account password for the token, authentication works:
e.g. {email-address}:{password}, base64 encoded.
However, we don't want to have to use our password for API authentication. How do we get this working using the API token as described?
Look again at the same documentation you linked to (it has changed in the meantime).
You should use Authorization: Bearer HEROKU_TOKEN, not Authorization: Basic HEROKU_TOKEN as you are doing.