I looked through documentation on Event Notification (http://developers.box.com/webhooks/).
I would like to call an REST API, with basic authentication. Is there a way to do this?
like, customizing the HTTP headers (like adding Authorization:Basic ...) of the HTTP call triggered?
There currently isn't support for passing in special headers. You can, however, use HTTP Basic Auth by specifying it in the URL for event notifications to be sent to e.g.
https://username:password#www.example.com/path
Related
I have deployed a Google Cloud Function which requires authentication to be executed.
Then, I've scheduled this function using Google Cloud Scheduler, and setting authentication through OIDC token, which basically is an authentication header in the HTTP POST scheduled.
Now, I would like to provide some custom parameter to the Cloud Function as well, using the proper header in Cloud Scheduler, but seems not to work.
I'm afraid that is caused by what stated here, that is, authentication headers are overwritten.
Anyone faced the same issue?
How could be solved?
Thanks
You can use the Headers in Cloud Scheduler to add the headers that you want, except the Authorization header that is set automatically when you activate the OIDC auth.
You can also put some parameter in the body if you want, all depends where you would like to read the data (header or body.)
EDIT 1
I have a Cloud Run "logger" to simply logs the headers/body of requests. And it worked during my tests I have 2 custom headers + the authorization header automatically set. Have a look:
I've been doing some HTTP methods and header research recently if we should use GET with basic authorization instead of POST when submitting?
HTTP Methods
The GET method requests a representation of the specified resource. Requests using GET should only retrieve data.
The POST method submits an entity to the specified resource, often causing a change in state or side effects on the server.
As we see here, the POST method normally changes the state of the server. If sending out JWTs/HTTP cookies, we are not modifying the state of the server. Nor are we creating a new resource in the server.
I understand that we should not not send the username and password as a GET parameter but should we use the authorization header instead?
Basic authentication
For "Basic" authentication the credentials are constructed by first combining the username and the password with a colon (aladdin:opensesame), and then by encoding the resulting string in base64 (YWxhZGRpbjpvcGVuc2VzYW1l).
Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l
The only advantage I see to using POST over GET is that we need no extra code in the HTML/JS on the client side to send headers via the fetch API. To send headers, we would need an onsubmit and then check if status code is 200. If 200, we will need to redirect to the page after the login screen. Then again, if using the fetch API, this means the server does not need to send a new HTML page to the client all the time either.
Should we use GET with basic auth or POST when logging in since we don't create a resource/modify the server state?
Would this change if say we enable 2FA since we would need to generate a code for that user?
Doing basic authentication in the browser and using GET is not that recommended.
To do your own login form it is better to always do it using HTTPS and POST. Do post the username/password in the body of the request and secure it with proper CSRF protection.
If you want to level up, you can always look at the OpenIDConnect approach, but that is more advanced depending on your needs.
Also, a good approach is to explore how existing site implement a login form and look at the HTTP(s) traffic in a tool like Fiddler.
Trying to implement a Soap header handler I need a specific example of a Soap request that the Sonos client will make which includes the SessiondId.
Thanks
We are deprecating support for sessionid-based authentication. It will continue to work, but future integrations should be built using app linking.
In the meantime, a sessionid-container header would contain this credentials object:
<ns:credentials>
<ns:deviceId>00:00:00:00:00</ns:deviceId>
<ns:deviceProvider>Sonos</ns:deviceProvider>
<ns:sessionId>[sessionIdentifier]</ns:sessionId>
</ns:credentials>
I have an endpoint on API Gateway that I want to make it work with requests from Strip.com only. I have tried adding stripe.com on Access-Contril-Allo-Origin* as it shown below but does not seem to be working at all.
How do I set CORS on API Gateway?
CORS only applies to requests made from a browser. It doesn't apply if you're trying to protect, for example, a webhook URL that you want Stripe to send data to. The typical approaches here are either to include a shared secret in your webhook URL, or to configure a username & password, both of which Stripe support. Examples:
https://yourdomain.com/admin/webhook/6f637faa33a2116f410cfb12af2028a85d22fcf5
https://user:pass#yourdomain.com/admin/webhook/
The other protection here is that you can verify any event received by sending an API request to Stripe to retrieve that event:
https://stripe.com/docs/webhooks#verifying-events
I think you need to have the schema on the header, like, https://stripe.com as Access-Control-Allow-Origin
I'm using a jwt based authentication system and I'd like to ensure that google sends this token back in the header. Is there anyway to give google custom headers to send back to a server?
Not in the header, but you can use the state param to include it in the URL.