Suppose that I invoke the following HTTP request:
https://accounts.example.com/oauth2/auth?
scope=openid+email&
nonce=53f2495d7b435ac571&
redirect_uri=https%3A%2F%2Foauth2demo.appspot.com%2Foauthcallback&
response_type=id_token+token&
client_id=753560681145-2ik2j3snsvbs80ijdi8.apps.googleusercontent.com
Which yields the following redirect response:
https://oauth2demo.appspot.com/oauthcallback#
access_token=ya29.AHES6ZSzX
token_type=Bearer&
expires_in=3600&
id_token=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiY...
What is the point of the callback parameter, given that the returned metadata, containing id_token, etc., is positioned after a hash fragment in the URI, and are therefore not persisted as parameters to the callback function? How can a server-side callback receive the various tokens?
The response type that is used here is a so-called "Implicit" response type which is primarily meant for in-browser (e.g. Javascript) clients, in which case the Javascript code that is served on the callback URL can access the parameters in the fragment. Web applications should do either one of:
stick to the code flow which is meant for web application clients
use the Form Post response mode (http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html) if supported by the OP
serve Javascript on the callback URL that parses out the parameters from the fragment and POSTs them to the server
Bottom line is that if you need the tokens server-side, you should most probably use the code response type.
Related
We are building a PDF report using OpenPDF which prints client logo dynamically based on the url passed by the calling client.
Scenario:
A print request is received, it also has logoURL as a parameter.
Then in one of the steps while processing the request, this url is passed to Image.getInstance(logoURL) of the OpenPDF's Image class, which either returns a proper image or an exception. If exception occurs we fall back to a locally stored standard logo.
I wanted to know if this approach is secure to let the calling api or client send a url, and then we use that internally to download an image. If this is not the right approach, what is a standard way of achieving this.
Background:
Looking at some links like these below, I noticed two unique sets of descriptions for GET versus POST.
One description states that the difference is in how the information is sent: GET sends that information through the URL whereas POST sends that information through the HTTP request body.
Another description states that the difference is in which way that
information is sent: GET sends information to the server whereas POST
requests information from the server.
I find these descriptions to be lacking for the following reasons:
What if I want to get something from the server (GET) but I am sending a large amount of data first (eg. 50MB of text) so I would need to send it in the HTTP request body (POST). Would it be OK to use POST to get something from the server?
What if I don't want sensitive information to be stored in the URL, is it OK to instead use POST everytime?
The jquery GET function has the same method signature as the jquery POST function (see documentation), specifically it can also send data as A plain object or string that is sent to the server with the request, which I interpret as being added to the HTTP request body. If data for GET can be sent via the HTTP request body, then to me, this contradicts most of these sites that claim that as one of the differentiating descriptions of POST vs GET.
Nothing's to stop me from creating API endpoints which are GET but behave like POST (or PUT, or DELETE or PATCH)
Question:
Is the lack of strict descriptions because of my poor understanding, because of the ad hoc development process for HTTP/Ajax or is it something else entirely?
Supporting Links:
HTTP Request Methods
GET vs. POST
GET vs POST: Key Difference between HTTP Methods
jQuery - AJAX get() and post() Methods
I have an API which accepts many parameters.
Passing the values of the parameters will exceed the length of the URL Header.
I am using Postman client to pass the parameters in the body but this is not working any ideas on how to make this work.
The API accepts many parameters because the backend is legacy and is exposed as an API by a service bus.
Older versions of Postman didn't allow you to send body data with get request.
Yet, if your server receives data as URL parameters you won't be able just to change the way of sending them and include them to the body (server won't accept them).
So if the length of parameters is indeed so big and the server indeed can receive the same data from body instead of from parameters then the Postman is just not the tool that you can use (maybe cURL is for you).
If your server allows to send data only as URL parameters and they are so long (more then 2000 chars What is the maximum length of a URL in different browsers?) then I think you have no chances to test this API.
UPDATE: new Version 7.20.1 now allows to send Body with GET request
Workaround:
Change the request type to POST.
Set the value of your body
Change request type to GET
Send request and the body is included
Postman is already added this feature of sending body in get
request.
But i still i recommended to go for post request (if body is present) since many projects like angular http client does't have updated protocols yet.
Latest Postman supports body object for Get request
just choose json format as shown in pic above
If you want to make a GET request in Postman then you can use Params or Body to pass parameters, but not both. Either Params only or Body only. If you specify both Params and Body, Postman will select and send only Params (in GET request of course). So if you want it to send Body, clear Params.
CONTEXT:
I have an Ember.js 1.1.0-beta.1 application that exchanges JSON data with a Rails-API server (Rails 4). JSON data exchange is accomplished with Ember-Data 1.0.0-beta.2 and Active Model Serializers 0.8.1 (AMS). I'm using the default recommended configurations for both Ember-Data and AMS, and am compliant with the JSON-API spec.
On any given RESTful call, the client passes the current authentication token to the server. The authentication token is verified and retired, and a new authentication token is generated and sent back to the client. Thus, every RESTful call accepts an authentication token in the request, and provides a new authentication token in the response that the client can cache and use for the next RESTful call.
QUESTION:
Where do I put the authentication token in each request and response?
Should it be part of each object's JSON in request and response? If so, where is the token placed in the existing object's JSON structure (which has nothing to do with authentication)?
Or should they be placed in the HTTP header for each request and response object?
What is "The Ember Way" that one might eventually expect to find in the new Ember Guides Cookbook?
MORE CONTEXT:
I'm already familiar with the following links:
#machty 2 Embercasts: http://www.embercasts.com/episodes/client-side-authentication-part-2
#wycats tweet: https://twitter.com/wycats/status/376495062709854209
#cavneb 3 blog posts: http://coderberry.me/blog/2013/07/08/authentication-with-emberjs-part-1
#simplabs blog post: http://log.simplabs.com/post/53016599611/authentication-in-ember-js
...and am looking for answers that go beyond these, and are specific to Ember-Data + AMS.
With the exception of the need to pass a new token back to the client in the response via Ember-Data, assume my client code is otherwise similar to the #machty Embercast example on GitHub: https://github.com/embercasts/authentication-part-2/blob/master/public/js/app.js
Thank you very much!
I've got a similar stack - ember, ember-data and rails-api with AMS. Right now, I'm just passing the authentication token (which I store in localStorage) in a header (though you could pass it on the query string) by modifying the RESTAdapter's ajax method.
My initial thought would be to avoid resetting the token on every request. If you're particularly concerned about the token being sniffed, it might be easier to just reset the token on the server at a regular interval (say, 10 minutes). Then, if any request from the client fails due to an old token, just fetch the new token (by passing a'reset token' that your server gives you at login) and replay the initial request.
As for where to put the token, there isn't really an "Ember Way" - I prefer passing it in a header since passing it in the query string can mess with caching and is also more likely to be logged somewhere along the way. I'd definitely avoid passing it in the request body - that would go against what ember-data expects, I'd imagine.
I have built something similar, although I do not reset the token unless the user signs out.
I would not put it in the request body itself - you are just going to pollute your models. There probably is no Ember way since this is more of a transport issue. I pass the token using a custom HTTP header and/or a cookie. The cookie is needed to authorize file downloads, which can not be done through ajax, although the cookie works for ajax calls too. In your case I would use a cookie and have the server set it to the new value each time. However, your scheme of resetting the token on each JSON request is not going to work on simultaneous requests. Is this really necessary? If you use TLS you probably don't need to worry so much. You could also timeout the token so that if there are no requests for 10 minutes a new token is generated.
i've been researching/creating a REST api, in the backbone.js to php context.
i understand the concept of HTTP verbs and when they should be used
GET - select
POST - create
PUT - update
DELETE - delete
i also understand the concept of passing an identifier as a semantic url, e.g.
GET http://api/users/123
DELETE http://api/users/123
in these cases the "123" is the id the business logic will use to get/delete a user.
but what about the POST and PUT contexts? when sending a request to
PUT http://api/users/123
the api will update user id 123 with the supplied parameters, here's where my question arises.
i would assume the input parameters to update with would be sent as PUT parameters. in php syntax this is represented as: file_get_contents('php://input') (this is the same for delete requests.)
when testing this via backbone.js it works perfectly.
but when i try and create a new element with
POST http://api/users/
i would assume the input values would sent as POST parameters/ in php syntax this is represented as $_POST. but this does not work.
after some testing, and reading up on rails style REST apis (which is what the backbone docs suggest), i realized that all request variables are sent the same way. if i change my code to use file_get_contents('php://input') to get the request parameters for every request type, backbone works perfectly.
is this standard fair for REST apis? or just "rails flavored" ones?
PUT, POST, PATCH, etc (everything but GET and DELETE*) accept request bodies. Generally data is passed as either:
A URL encoded string of name/value pairs (exactly the same as a URL querystring) that is decoded and parsed by the server into $_POST (or similar depending on your web framework of choice). This typically relies on the presence of a Content-Type header set to application/x-www-form-urlencoded (browsers do this by default when forms are submitted). If you see the data in file_get_contents('php://input') but not $_POST it's very likely this header is not present or is set to another value. If you're using Chrome, you can see what headers and body the client is sending in the Network tab of the dev tools.
The other popular request body format is to use Content-Type: application/json and then write out a JSON string to the body. This can be accessed via file_get_contents('php://input') and then parsed with a JSON parser.
* Note on DELETE: it's a little unclear whether or not using a request body with DELETE is allowed or a good practice.