What are the keys of username/ password in webhook connect header response? I tried with username/ password/ X-DocuSign-Password/ X-DocuSign-UserName but is not
webhook connect response is sent from DocuSign to your web server following events that occured and based on your configuraiton.
No password is ever going to be sent from DocuSign.
You may be referring to the header that was used in the past to make API calls before OAuth 2.0 was implemented. That is an insecure way to authenticate and therefor no longer allowed for new applications that are under development.
Related
this is regarding incoming sms from a mobile phone via twilio.
when testing with postman (and I append the header with a Bearer JWT token I received from my app), everything works fine and my app can recognise the request.
but sending an sms results in a 401 error as my endpoints are not reachable. any proven ways of doing this or do I have to hack my app to bypass incoming requests from twilio and just every request that comes from that twilio number.
please help!
Twilio developer evangelist here.
Twilio will not send a bearer token JWT in requests because it doesn't know to authenticate with your application like that.
You will need to bypass the JWT check for requests from Twilio. If you're using express that should be straightforward and if you share some code we can look into how to make that happen for your app. On the up side, there are other security methods you can put in place instead.
Twilio supports HTTP authentication via basic or digest auth. If you can set the endpoint in your app to require authentication in this way instead, then it can be secured.
You can also check against the X-Twilio-Signature header that is sent with every request to validate that the request came from Twilio. There is a guide on how to validate Twilio requests in Node.js with Express.
I've successfully completed account linking on api.ai, and now I'm trying to execute a webhook. The problem here is that I need the token that was generated during the linking process to go into the authentication field. Otherwise I will always get a "403" error back. How can you change the auth token in the webhook header field dynamically for each user that issues a Google Home voice command?
For all I know that's not currently possible. I pretty much had the same issue, and I resorted to connecting to an intermediate server that handles the webhook, extracts the access token (available via the actions-on-google node.js API as getUser().access_token), and then forwards the request in the right format to the original host.
I am registering a button with gapi.signin.render
I then use gapi.client.load('oauth2', 'v2');
and gapi.client.oauth2.userinfo.get().execute();
I send the user email and name to my server to create an account for the user.
My concern is, anyone could POST that info to my server, I'm not verifying anything.
Is there a GET url that Google provides that I send the Access token to and receive the email back to ensure that the user has authorised? Figure I must be missing something :-/
It is not safe to just send the profile details via ajax. You should send the access_token to the server and have the server perform an authenticated people.get API request to get the details.
GET https://www.googleapis.com/plus/v1/people/me?access_token=xyz123
I am server side and using nodejs
I would like to check authentication of client request. I mean, I would like to check if it is valid or eligible person or not who send request to me(server).
what is the best way?
server~client authentication
I have not implemented this yet - have been working with oAuth for API validation - but will use something similar to this http://www.quietless.com/kitchen/building-a-login-system-in-node-js-and-mongodb/ for user log in/validation.
I'm working on a client- server system where the client is an iphone app that communcates with the backend via SOAP messages.
Right now the client sends the username and password in the SOAP body with each request, which isn't good of course.
The solution to this needn't (in fact: can't) be too sophisticated, I just don't want to send the username and password around too much.
Would an "okay" solution be to let the client authenticate once with username/ pw, then receive a token that is valid for say 1 hour and has to be sent with every request?
What would be the 'best practice' for this scenario? WS- Security?
Using security token valid for a certain period is pretty common practice. Sending credentials with each request is certainly not recommended.
you can refer following links for more details:
https://softwareengineering.stackexchange.com/questions/83037/best-practices-for-expiration-of-tokens-in-a-security-token-service-sts
https://developers.google.com/accounts/docs/MobileApps