The documentation for the Heroku platform API states that it can be accessed with basic HTTP authentication using the API token, as follows:
HTTP basic authentication must be constructed from email address and
api token as {email-address}:{token}, base64 encoded and passed as the
Authorization header for each request, for example Authorization:
Basic 0123456789ABCDEF=.
We have tried this but keep on getting an "Invalid credentials provided" error.
However, if we substitute our Heroku account password for the token, authentication works:
e.g. {email-address}:{password}, base64 encoded.
However, we don't want to have to use our password for API authentication. How do we get this working using the API token as described?
Look again at the same documentation you linked to (it has changed in the meantime).
You should use Authorization: Bearer HEROKU_TOKEN, not Authorization: Basic HEROKU_TOKEN as you are doing.
Related
I have been using drf since a couple of months . For authentication I decided to use djoser package and use JWT token for better authentication. However whenever i try to use postman to send requests i can only send the three jwt requests. I'm wondering if i can use the Base endpoints as well such as re-setting the password and finding the user-
Base Endpoints - https://djoser.readthedocs.io/en/latest/base_endpoints.html
Not able to send requests. the error on postman always comes as "detail": "Authentication credentials were not provided."
even if i apply the Bearer Token type in postman.
can someone tell me how to use Base endpoints along with jwt ?
To use JWT with Djoser, send a Get request to
http://127.0.0.1:8000/auth/users/me
Instead of Bearer or Token, Set your Authorization header pass JWT as follows:
Authorization: JWT your-JWT-access-token
Here's a sample request using insomnia
> GET /auth/users/me/ HTTP/1.1
> Host: 127.0.0.1:8000
> Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNTk1MDYyNTcxLCJqdGkiOiI2NmZkODFkNDVlNmY0OTdlYWZiMGExZWE2YmRmZmM0MyIsInVzZXJfaWQiOjF9.uXZadgc_hYcS79tuZWet_4eDqNQlduKpcmD1a2JvfjY
if you had set up your urls correctly it will return your username, email and user-ID
I'm trying to write a script to update metadata on various datasets, using an authorized app. Using OAuth seems like the wrong approach (it's not a web-facing application for other users to use as themselves), and passing my own user name and password seems...icky.
The SODA API authentication documentation is pretty confusing:
All HTTP-basic-authenticated requests must be performed over a secure (https) connection, and should include an application token, which is obtained when you register your application. However, authentication [sic, should be "application"?] tokens are not strictly required when a request is authenticated. Authenticated requests made over an insecure connection will be denied.
Here is a sample HTTP session that uses HTTP Basic Authentication:
POST /resource/4tka-6guv.json HTTP/1.1
Host: soda.demo.socrata.com
Accept: */*
Authorization: Basic [REDACTED]
Content-Length: 253
Content-Type: application/json
X-App-Token: [REDACTED]
So:
Can you even use app token + secret token to authenticate with HTTP basic?
Which of the two "[REDACTED]" is the app token, and which is the secret token?
My guess (based on some testing) is that the answers are:
No
The first "[REDACTED]" is the Base64 version of username+password, the second one is the application token, which is not relevant to authentication.
Application tokens and secret tokens aren't actually tied to any sort of pre-baked user authentication. They're tied to your application, and are then used in OAuth to ensure that your app is what it claims to be when the user is passed through the OAuth workflow. Once the user authenticates, the app can retrieve an authentication token that is used to actually authenticate their requests.
What you're really looking for is a way to retrieve a "bearer token", which some API providers allow you to generate. This would allow you to basically "pre-OAuth" and get an authentication token without going through the full workflow. Unfortunately we're not one of them (yet) so you'll need to authenticate with plain old HTTP Basic and your username and password.
If you want a slightly-less-icky way to do that, I recommend registering a "bot" account that you grant only the necessary permissions on the necessary datasets. Then at least you're not baking your regular user credentials into your config. But keep in mind that even if we had bearer tokens, you'd be putting those into your config somewhere.
To answer your more specific questions:
No, because then one of them would have to be a bearer token, which they are not.
The Authorization header is the Base64 encoded username:password, while the X-App-Token is your application token. In this case the latter is just an extra header that would identify that request as having come from your app.
Thanks for your feedback on the docs - I'll clean them up and try to be more straightforward, and I'll definitely fix that typo.
I'm using ember-simple-auth and torii to handle client-side OAuth2 authentication against Facebook and Google in an Ember app I'm building. I receive an authorization code from that process.
I want to send that code from the client to my REST API and exchange them for access tokens to get their user ID so I can figure out what information they should have access to.
Then, I want to put the user ID into a JSON web token that the client can send me in subsequent requests for data from the BE app.
My Problem: All examples I've found of using Passport for OAuth2 authentication rely on redirecting the user on the server side and using callbacks rather than just exchanging an already-provided authorization code.
What am I missing? This seems like something many apps would need to do.
Assuming a compliant OAuth 2.0 implementation, exchanging an authorization code for an access token is accomplished by performing a POST request to the token endpoint URL and providing the following parameters using the application/x-www-form-urlencoded format:
grant_type - Must be set to authorization_code.
code - Will contain the value of the code you have.
redirect_uri - Must be included and the value match, if it was also included in the request to obtain the authorization code.
Additionally, depending on the client you'll have to either provide the client_id parameter if the client was not issued credentials or if the client has credentials you need to perform client authentication, which can be done by passing an HTTP Basic authentication header containing the identifier and the secret.
An example, using unirest, but easily adapted to other HTTP clients:
unirest.post(tokenEndpointUrl)
.headers({
'Accept': 'application/json',
'Content-type': 'application/x-www-form-urlencoded'
})
.auth({
user: clientId,
pass: clientSecret
})
.send(`redirect_uri=${redirectUrl}`)
.send(`code=${code}`)
.send('grant_type=authorization_code')
.end(function (response) {
// Handle response
});
Although the fundamentals will probably not change, check each provider documentation, because they may have extensions put in place or be more flexible in how you can provide the info. For example Auth0 and I think Google is the same will also allow you pass the parameters in a JSON encoded body instead of just in application/x-www-form-urlencoded format.
Update:
Specific authentication providers may implement additional libraries that simplify things for developers integrating with them. For example, Auth0 provides you with passport-auth0 that abstracts and simplifies the way you can integrate Auth0 authentication into your application.
I want to use the Azure Management rest API to start and stop some Virtual Machines.
In the HTTP header I need a Authentication token as described here: Common parameters and headers.
I create a new app in the AD Section of Azure portal and added the auth token to the http header in this format:
Authorization : Basic clientID:token
where clientID:token is base64 encoded, but I am getting this error:
{"error":{"code":"AuthenticationFailedInvalidHeader","message":"Authentication failed. The 'Authorization' header is provided in an invalid format."}}
REST API - Start a virtual machine
After you get the access_token, you should set HTTP Authenticate header like this:
Authorization: Bearer ACCESS_TOKEN
Basically it would look like a:
GET /subscriptions HTTP/1.1
Host: management.core.windows.net
x-ms-version: 2016-04-21
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciO.....o-ZeMSUbOlC4YEw
And you can refer to Microsoft Azure REST API + OAuth 2.0 for more help. Hope it do help.
I am looking for an easy way to add bearer tokens to PostMan. I have imported my API into PostMan from a swagger definition, and am wondering if authorization can be added automatically to all requests in some easy way, such that I do not have to change the Authorization header for each endpoint whenever the token changes.
I am currently requesting a token at /token for my API by sending an x-www-form-urlencoded request containing the parameters username, password and grant_type with a password value.
The returned access_token is then appended to the Authorization header in the format "Bearer token-received-from-token-endpoint" for each request to the API.
The backend is implemented with AspNet Identity Framework and AspNet Web API 2.
Good approach here is chaining request
When you get a token, assign it to an environment variable and use that variable in your subsequent requests.
This way you will have a fresh token every time and your other requests can use that on runtime