We have a Grails 3 project where we are using Oauth2 for authentication, we followed a tutorial
https://github.com/bobbywarner/grails3-oauth2-api
QUERY :-
curl -X POST -u demo-client:123456 http://localhost:8080/oauth/token -H "Accept: application/json" -d "password=xyz&username=bobbywarner&grant_type=password&scope=read%20write"
OUTPUT:-
{
"access_token": "ff16372e-38a7-4e29-88c2-1fb92897f558",
"token_type": "bearer",
"refresh_token": "f554d386-0b0a-461b-bdb2-292831cecd57",
"expires_in": 43199,
"scope": "read write"
}
if we use this command, it is generating a token for the user, token expires in 43 mins.
When we are running this application on embedded tomcat it is working fine, but when we create a WAR file and deploy on tomcat, its start behaving weirdly.
1) If deployed on embedded tomcat, the token generated for the user "bobby" is same within 5 sec gap, it is giving same token and an entry is made to "Oauth_access_token". If we use this token for subsequent APIs it works fine.
2) If deployed on tomcat after creating a WAR file, it is creating a new token for each request , even we hit the URL with in 1 secs. After this is use this token for subsequent APIs it gives us the message "token not valid" and delete that token from "Oauth_access_token".
Anybody faced issue like this for Grails 3 application, Please help me to out this.
Related
I am having some issue with having Keycloak 20.0.2 working for my web application.
I have my keycloak URL accessible at:
https://example.com/white-graduation/keycloak/auth
This is designed for backend application to work with keycloak. It fundamentally usse haproxy as a reverse proxy to connect the https address to my internal keycloak.
So far, all frontend login has been working, without any issue. I can also have access to the keycloak control console UI.
The internal keycloak address is at:
http://loginservice:8080/white-graudation/keycloak/auth
This is designed for backend application to work with keycloak.
However, the backend login is facing a 401 issue.
By experimenting with different curl call in the container that's running the backend, I found that:
curl -I -X GET https://example.com/white-graduation/keycloak/auth/realms/shirasaki-academy/protocol/openid-connect/userinfo -H "Authorization: Bearer Example-Bearer-Token"
This API call gives 200, but
curl -I -X GET https://loginservice:8080/white-graduation/keycloak/auth/realms/shirasaki-academy/protocol/openid-connect/userinfo -H "Authorization: Bearer Example-Bearer-Token"
This gives 401. i.e. back-channel didn't work.
I did an expansion of Example-Bearer-Token, it does show that the iss is indeed only https://example.com/white-graduation/keycloak/auth/realms/shirasaki-academy, because the backend still uses frontend to login. But it should still work.
My Keycloak 20.0.2's setting:
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=whatever
KC_HTTP_RELATIVE_PATH=/white-graduation/keycloak/auth
KC_HOSTNAME_ADMIN_URL=https://example.com/white-graduation/keycloak/auth
KC_HOSTNAME_STRICT=false
KC_HTTP_ENABLED=true
KC_HTTP_PORT=8080
KC_HOSTNAME_STRICT_HTTPS=false
KC_PROXY=edge
The Keycloak 20.0.2's Quarkus is run through:
/opt/keycloak/bin/kc.sh start-dev --import-realm --log-level=org.keycloak.events:debug --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
Note that I did not set KC_HOSTNAME_STRICT_BACKCHANNEL but this is by default already false, which under such case should allow back-channel connection to work.
Note that this isn't the recommended setting for production environment. But this isn't a production environment after all.
Problem solved by setting:
KC_HOSTNAME_URL=https://example.com/white-graduation/keycloak/auth
which means, KC_HOSTNAME_URL == KC_HOSTNAME_ADMIN_URL
After such, the internal API point starts working.
Not really sure why...but at least this solves my problem.
I have created a job of JDBC to BigQuery using the web interface and it worked just fine.
Now I want to create the same job from the REST API of GCP so I took the rest equivalent of the request from the site and tried to send it from Postman.
I'm sending POST request for the following URL:
https://dataflow.googleapis.com/v1b3/projects/test-data-308414/templates:launch?gcsPath=gs://dataflow-templates/latest/Jdbc_to_BigQuery
which I got from the example in the GCP documentation.
I also pass the JSON that the GCP gave me in the body.
And the API key as get parameter in the next format "?key=[API_KEY]"
I'm getting 401 response from the server with the following message:
Request is missing required authentication credential. Expected OAuth
2 access token, login cookie or other valid authentication credential.
See
https://developers.google.com/identity/sign-in/web/devconsole-project.
With a status of:
UNAUTHENTICATED
I looked up at the link and found a tutorial on how to create google authentication on the front end
witch is not helpful to me.
I'm pretty sure that I'm passing the API key in the wrong format and that the reason it failed to authenticate.
But I couldn't find any documentation that says how to do it correctly.
PS> I have also tried passing it at the headers as I saw in one place
in the next format
Authorization : [API_KEY]
but it failed with the same message
Few days back I was trying to integrate GCP into MechCloud and struggling to figure out how to invoke a microservice ( which is acting as a proxy to GCP) with credentials for different projects which will be passed to this microservice on the fly. I was surprised that in spite of spending good amount of time I could not figure out how to achieve it because GCP documentation is focused on working with one project credentials at a time using application default credentials. Another frustrating thing is that API explorer shows both OAuth 2.0 and API Key by default for all the APIs when the fact is that API Key is hardly supported for any API. Finally I found the solution for this problem here.
Here are the steps to invoke a GCP rest api -
Create a service account for your project and download the json file associated with it.
Note down values of client_email, private_key_id and private_key attribues from service account json file.
Define following environment variables using above values -
GCP_SERVICE_ACCOUNT_CLIENT_EMAIL=<client_email>
GCP_SERVICE_ACCOUNT_PRIVATE_KEY_ID=<private_key_id>
GCP_SERVICE_ACCOUNT_PRIVATE_KEY=<private_key>
Execute following python code to generate jwt_token -
import time, jwt, os
iat = time.time()
exp = iat + 3600
client_email = os.getenv('GCP_SERVICE_ACCOUNT_CLIENT_EMAIL')
private_key_id = os.getenv('GCP_SERVICE_ACCOUNT_PRIVATE_KEY_ID')
private_key = os.getenv('GCP_SERVICE_ACCOUNT_PRIVATE_KEY')
payload = {
'iss': client_email,
'sub': client_email,
'aud': 'https://compute.googleapis.com/',
'iat': iat,
'exp': exp
}
private_key1 = private_key.replace('\\n', '\n')
# print(private_key1)
additional_headers = {'kid': private_key_id}
signed_jwt = jwt.encode(
payload,
private_key1,
headers=additional_headers,
algorithm='RS256'
)
print(signed_jwt)
Use generated jwt token from previous step and use it as a bearer token to invoke any GCP rest api. E.g.
curl -X GET --header 'Authorization: Bearer <jwt_token>' 'https://compute.googleapis.com/compute/v1/projects/{project}/global/networks'
The best practice to authenticate a request is to use your application credentials. Just make sure you installed the google cloud SDK.
curl -X POST \
-H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d #request.json \
https://dataflow.googleapis.com/v1b3/projects/PROJECT_ID/templates:launch?gcsPath=gs://dataflow-templates/latest/Jdbc_to_BigQuery
I've got some code (a script on a server) that tries to send an OAuth2 request to get a token from an API. I have a client id, and client secret from the "OAuth 2.0 Client Ids" section of the "Credentials" tab in the Google Cloud Platform > APIs and Services. I also have a refresh token that I originally obtained somehow.
The URL I am POSTing to is:
https://www.googleapis.com/oauth2/v4/token
I'm sending the header
Content-Type: application/x-www-form-urlencoded
In the body of my post I have the following information:
grant_type=refresh_token&client_id=${encodeURIComponent(client_id)}&client_secret=${encodeURIComponent(client_secret)}&refresh_token=${encodeURIComponent(refresh_token)}
However, it has been a long time since I last ran this code and now it returns an error "bad grant". On this page it says that a refresh token will stop working if it has not been used for six months, which explains why I am getting the error. However, it does not say how to get another refresh token using the client id and client secret similar to how I am now creating a post to get an access token. How do I do this?
I believe your goal and your current situation as follows.
You want to retrieve new refresh token from the current client ID and client secret.
Your client ID and client secret are the valid values.
In this case, in order to retrieve new refresh token, it is required to use the additinal 2 parameters of scope and redirect_uri. These parameters can be confirmed at your created client ID of "OAuth 2.0 Client IDs" of "Credensials" tab in the Google Cloud Platform. When the parameters including client_id, client_secret, scope and redirect_uri are used, new refresh token can be retrieved. The flow for this is as follows.
1. Retrieve authorization code.
Please create the following endpoint using client_id, redirect_uri and scope.
https://accounts.google.com/o/oauth2/auth?client_id={your client ID}&redirect_uri={your redirect uri}&scope={your scopes}&response_type=code&approval_prompt=force&access_type=offline
When you created above endpoint, please access it to your browser. By this, the login screen is opened. When you logged in to Google account, the authorization screen is opened. When you permit the scopes, the authorization code can be retrieved.
When your credential is for the web application, you can retrieve the code at the URL on the browser like http://{your redirect uri}/?code={the authorization code}&scope={your scopes}.
Please copy the code.
2. Retrieve refresh token.
Using the retrieved authorization code, you can retrieve new refresh token. The sample curl command for this is as follows.
curl \
-d "client_id={your client ID}" \
-d "client_secret={your client secret}" \
-d "redirect_uri={your redirect uri}" \
-d "grant_type=authorization_code" \
-d "code={retrieved your authorization code}" \
"https://www.googleapis.com/oauth2/v4/token"
When above curl command is run, the following result is obtained.
{
"access_token": "###",
"expires_in": 3600,
"refresh_token": "###",
"scope": "{your scopes}",
"token_type": "Bearer"
}
Reference:
Using OAuth 2.0 to Access Google APIs
I have a jenkins server using the Github OAuth plugin and authorized in the "Authorized applications" section of github, it works fine from my browser, i can access to the jenkins server as long as i'm authenticated with github.
Is there a way to access to the jenkins server api using oauth credentials/token from CURL or a ruby client?
I've generated a token in https://github.com/settings/applications -> Personal access tokens -> Generate new token (there is no option to scope it to a third party application)
that token works fine to access github :
curl -H "Authorization: token cfbcff42e6a8a52a1076dd9fcxxxxxxxxxxxxxxx" https://api.github.com/user
however, that token is not valid for jenkins-server:
curl -H "Authorization: token cfbcff42e6a8a52a1076dd9fcxxxxxxxxxxxxxxx" https://jenkins-server/user/restebanez/api/json/\?pretty\=true
It generates this error:
<html><head><meta http-equiv='refresh' content='1;url=/securityRealm/commenceLogin?from=%2Fuser%2Frestebanez%2Fapi%2Fjson%2F%3Fpretty%3Dtrue'/><script>window.location.replace('/securityRealm/commenceLogin?from=%2Fuser%2Frestebanez%2Fapi%2Fjson%2F%3Fpretty%3Dtrue');</script></head><body style='background-color:white; color:white;'>
Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
Permission you need to have (but didn't): hudson.model.Hudson.Read
... which is implied by: hudson.security.Permission.GenericRead
... which is implied by: hudson.model.Hudson.Administer
-->
</body></html>
```
the jenkins server has installed GitHub API Plugin 1.58 and Github Authentication plugin 0.19
I'm probably missing some fundamentals of oauth b/c i have googled this for a while and i haven't found anything
I'm not sure if you ever got to the bottom of this, but after trying several routes I finally got a scripted build using Github OAuth on Jenkins. The trick is that the API token is not one for GitHub but rather one from Jenkins.
For my setup I have a machine user on github, I logged in normally via the web with that user, then clicked on the username in the upper right corner. From there I clicked "Configure" on the left-hand menu, and finally "Show API Token" in the main content area.
Once I had that I could run:
curl --user <username>:<api_token> https://jenkins-server/user/<username>/api/json/?pretty=true
More information.
You should just use a Jenkins API token. This is configurable per user. See $JENKINS_URL/me
This will allow your scripted client to access Jenkins regardless of whatever authentication strategy is being used.
You should use "Basic" rather than "token"
For example:
curl -H "Authorization: Basic cfbcff42e6a8a52a1076dd9fcxx"
https://jenkins-server/user/restebanez/api/json
This worked for me (using getting commit statuses as an example):
url=https://api.github.com/repos/myowner/myrepo/commits/f40ddce88593482919761f74910f42f4b84c004b/statuses
curl -X GET -u :${GITHUB_TOKEN} ${url}
I'm trying to fork a repo using the GitHub V3 API via REST, however, I am having issues making a POST request as per the docs (https://developer.github.com/v3/repos/forks/#create-a-fork).
Basically, what I have so far:
A logged-in user with an OAuth Token
A POST request setup to the API (URL: https://api.github.com/repos/carmichaelalonso/infiniteflight/forks/) - I am testing this with hurl.it to begin with.
Headers in the request: one has the name Authorization with the value 'token ...', the other specifies Content-Type with the value application/json
A body with the following JSON: {"organization" : "shortlisthome"} (shortlisthome is the account I am trying to fork the repo to.
I am not intending to fork this to an organization, instead of a standard user account, which is where I am getting confused. When I run the request, I do not get any authentication errors or 404 errors (I previously had but I had been entering incorrect values by mistake, causing such errors).
When I run this request though, I get the following result (a 422 unprocessable request):
{
"message": "Validation Failed",
"documentation_url": "---url-to-docs---",
"errors": [
{
"resource": "Fork",
"code": "invalid",
"field": "organization"
}
]
}
I am unsure whether or not I am able to fork this to a standard user, or if it is an error with my request. Please let me know if I can provide any more info (first post here so a bit unfamiliar with the convention).
Thanks!
In order for shortlisthome to fork the repository you need to authenticate as them. The repository you're trying to fork is public, so all you need to do is obtain a OAuth token for shortlisthome and then make a similar request to the one you're making now. The only difference will be that you do not need to provide the JSON body of {"organization": "shortlisthome"}.
For what it is worth, the optional JSON body is intended for you to use when you are a member of an organization with proper permissions and you want to fork the repository to that organization. You cannot fork a repository to someone else's account unless you are authenticated as them.
I've so far avoided OAuth2, and do not know hurl. Yet, perhaps this can help.
This post shows how it can be done using cURL's -u username flag:
curl -u 'myusername' https://api.github.com/repos/carmichaelalonso/infiniteflight/forks/ -d ''
The -d (or alternatively --data) flag turns it into a POST request.
Without that flag cURL defaults to a GET request, which is not what you want.
Since, the data is part of the URI for this request, send an empty string for the data that must follow the -d param, as such: -d ''.
Of course, using -u will require you to also supply a password..
Here is what GitHub shows using OAuth2 with their API:
OAuth2 Token (sent in a header):
curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com
OAuth2 Token (sent as a parameter):
curl https://api.github.com/?access_token=OAUTH-TOKEN
Read more about OAuth2. Note that OAuth2 tokens can be acquired programmatically, for applications that are not websites.
OAuth2 Key/Secret
curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy'
I suspect that adding -d '' (or some equivalent in hurl),
plus one of the formats above for sending OAuth2 info might get you most of the way there.
I used this command to fork on github enterprise
curl -vX POST https://git.redacted.com/api/v3/repos/<org-to-fork-from>/<repo-to-fork>/forks?access_token=<api-token> -d #gh-fork.json --header "Content-Type: application/json"
gh-fork.json is just
{
"organization": "org-to-fork-to",
"description": "",
"homepage": "https://git.redacted.com",
"private": false
}