Can JWTs be exclusive to a client? - javascript

I am new to the concept of authentication and JWTs. I modified my Sails app to generate JWTs with the help of jsonwebtoken. I sign the JWTs like this: jwt.sign(payload, secret, { expiresInMinutes: 120 });
Doesn't this mean a client having access to the token can access the protected resources?
How should the payload be used? Should I save the user-agent string in the payload and verify it on the client?

Yes, anyone in possession of the token can call your API. That's why everything should go over SSL, and expiration should be in line with the sensitivity of what it is doing.
The JWT will typically be sent on the Authorization header:
Authorization: Bearer {your token here}
BTW, you can test contents/signatures here: http://jwt.io
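The bearer property described in this answer, as an added example (not code from the original post or from the jsonwebtoken library): an HS256 token is issued and then checked from the Authorization header using only Node's built-in crypto module. The function names, the secret and the timestamps are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Issue an HS256 token; ttlSeconds mirrors the question's 120-minute expiry.
function signToken(payload, secret, ttlSeconds, nowSeconds) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify({ ...payload, iat: nowSeconds, exp: nowSeconds + ttlSeconds }));
  const signed = `${header}.${body}`;
  return `${signed}.${hmac(signed, secret).toString('base64url')}`;
}

// Verify the value of an Authorization header. Nothing here identifies the
// caller: whoever presents a valid, unexpired token is accepted.
function verifyBearer(authorizationHeader, secret, nowSeconds) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorizationHeader || '');
  if (!m) return { ok: false, reason: 'malformed' };
  const [, header, body, sig] = m;
  try {
    // Pin the algorithm instead of trusting whatever the header asks for.
    if (JSON.parse(Buffer.from(header, 'base64url').toString()).alg !== 'HS256') {
      return { ok: false, reason: 'bad-alg' };
    }
    const expected = hmac(`${header}.${body}`, secret);
    const given = Buffer.from(sig, 'base64url');
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
      return { ok: false, reason: 'bad-signature' };
    }
    const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
    if (typeof claims.exp !== 'number' || nowSeconds >= claims.exp) {
      return { ok: false, reason: 'expired' };
    }
    return { ok: true, claims };
  } catch {
    return { ok: false, reason: 'malformed' };
  }
}

// Constructed demo values.
const SECRET = 'constructed-demo-secret';
const ISSUED_AT = 1700000000;
const token = signToken({ sub: 'user-1' }, SECRET, 120 * 60, ISSUED_AT);
console.log(verifyBearer(`Bearer ${token}`, SECRET, ISSUED_AT + 60));       // accepted
console.log(verifyBearer(`Bearer ${token}`, SECRET, ISSUED_AT + 120 * 60)); // expired
```

The payload is signed but not encrypted, so a claim copied into it (a user-agent string, for instance) is readable by anyone holding the token.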

Related

How to add Flagsmith API authentication header

I am trying to consume the Flagsmith APIs as documented here.
It seems some APIs like /flags/ need the "x-environment-key" header, which is working.
But for others like /environments/, "x-environment-key" does not work. I have tried bearer token authorisation by obtaining the API key (Authorization: Bearer <>). But that doesn't work either. There is no clear documentation on the authentication mechanism (or I have missed it).
Can someone throw some pointers?
x-environment-key is for the SDK endpoints, whereas /environments is an admin endpoint used in the dashboard to list a project's environments.
Those endpoints are protected via an API token, so you'd need to send
authorization: Token $API_TOKEN
You can find your API token in your account settings under keys.

Webdriverio: Authorization in the Report Portal using token

I want to authorize in the report portal application using chromedriver in webdriverio.
So I'm retrieving the API token via:
GET http://reportportal.io/uat/sso/me/apitoken
Get response:
{
  "access_token": "D1aexc0a-d11d-067f-xx7c-3e2e0fb96332",
  "token_type": "bearer",
  "scope": "api"
}
My next step is to use this token in my steps to bypass authorization.
I've tried to set this token as a cookie and as a CSRF token, but had no chance to receive anything successful.
I would appreciate any help or advice on how to use the token to authenticate in the application.
Sorry if something is written wrong or inadequately; I'm new to this.

How to send access token to server the most safest way with GET request?

I need to send access_token to my REST server...
How to send access token to server with GET request?
Is it safe to make request like: https://localhost:8443/docs/1?access_token=12345 ? I am using HTTPS.
As per the OAuth 2.0 standards, it is recommended to pass the Access Token as a bearer header.
Please check RFC 6759 for more information.

Access and Refresh Tokens

I am using the Caspio REST API to authenticate my users in a mobile app. Upon authenticating, I was given an access token, which I included in my AJAX call under the parameter 'Authorization' : Bearer [access token].
I understand that I can renew the token with the refresh token given to me where I can use the POST call.
My question is: prior to using the POST call for a new token, must I store the access token?
Also, the Caspio website advised this format for the POST call:
Method: POST
URL: Token Endpoint
Body: grant_type=refresh_token&refresh_token= [token value]
Header parameters:
Authorization: Basic [string "Client_ID:Client_Secret" encoded in Base64]
Content-Type: application/x-www-form-urlencoded
Should I also include the client ID and client secret in the parameters? Upon using Firefox's rest client, I'm getting a bad request (400) error.
Thank you for the help!
I have never used the Caspio REST API before. This answer is based on my OAuth experience.
My question is: prior to using the POST call for a new token, must I store the access token?
YES! OAuth 2.0 uses the access token to switch the refresh token the first time.
Should I also include the client ID and client secret in the parameters? Upon using Firefox's rest client, I'm getting a bad request (400) error.
According to the API document, you should include the client ID and client secret in your request, as most OAuth 2.0 services do.
For the bad request (400) error, you may see RFC 6749 to find further information.
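The request format quoted in the question, as an added example (not Caspio's code): one function builds the POST with the Basic header and form-encoded body, and a second recovers the fields the way a token endpoint would, showing why the token value must be percent-encoded. The endpoint URL, client ID, secret and refresh token are constructed placeholders.

```javascript
// Build the refresh request: credentials go in the Basic header,
// grant_type and refresh_token go in the form-encoded body.
function buildRefreshRequest(tokenEndpoint, clientId, clientSecret, refreshToken) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  // URLSearchParams percent-encodes '+', '/', '=' and '&' inside the token value.
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
  }).toString();
  return {
    method: 'POST',
    url: tokenEndpoint,
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body,
  };
}

// What a token endpoint would recover from such a request.
function parseRefreshRequest(req) {
  const m = /^Basic ([A-Za-z0-9+/]+=*)$/.exec(req.headers.Authorization || '');
  if (!m) throw new Error('missing Basic credentials');
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // split on the first colon only
  const form = new URLSearchParams(req.body);
  return {
    clientId: decoded.slice(0, sep),
    clientSecret: decoded.slice(sep + 1),
    grantType: form.get('grant_type'),
    refreshToken: form.get('refresh_token'),
  };
}

// For contrast: plain string concatenation leaves '+' unencoded, and a form
// parser turns it into a space, so the server sees a different token.
function naiveBody(refreshToken) {
  return 'grant_type=refresh_token&refresh_token=' + refreshToken;
}

// Constructed demo values.
const demoReq = buildRefreshRequest('https://example.invalid/oauth/token',
  'demo-client', 'p:ss', 'abc+def/ghi==');
console.log(demoReq.body);
console.log(parseRefreshRequest(demoReq));
```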

How to get user's profile in wso2 api manager?

I need to get the user's profile in WSO2 API Manager. How could I do that?
So far, I've managed to get the access token, refresh token and revoke token:
https://localhost:9443/oauth2/token --> access and refresh token
https://localhost:9443/oauth2/revoke --> revoke token
Thanks for helping me.
If you define openid as one of the scopes, then you will be able to use the userinfo endpoint to get the user-related info.
Generate a token with scope openid:
curl -k -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Authorization: Basic NzhfQURZNGdBMWJ6djd0ZVc0Zk11VkpMM0xVYTpQWE55RmZ1ZjlmbkVhUW9NYksyaUxjTFE1dndh" https://localhost:9443/oauth2/token
Use that token to request userinfo:
curl -k -H "Authorization: Bearer 14e78b764c91a1f18b5566ddbd88c5ff" "https://localhost:9443/oauth2/userinfo?schema=openid"
By default, the response will only contain the sub value.
{"sub":"admin#carbon.super"}
You can define which parameters you should send by configuring the claims in the service provider application in API Manager.
For that, log in to the Carbon management console and select the service provider application.
Under the claim configuration you can set email, lastname, and any other claims you need as 'Requested claims'.
Ex: http://wso2.org/claims/emailaddress for email
Once configured, you will get the following kind of response for the previous request:
{"sub":"admin#carbon.super","family_name":"adhikarinayake","email":"chamilaa#wso2.com"}
