Why is rate limit similar with authorized and anonymous access to GitHub API? - github-api

When I send a request with Postman and check the response headers I can see this:
When I try with an old PAT I created, or with an OAuth token after validation (I created an app and validated a user with the OAuth flow from my DB, so I used this token in Postman just to check) to call the GitHub REST API like this: https://api.github.com/repos/djordjeviclazar/rep/branches
and set access_token in the header like in the documentation, I can see in the headers that X-RateLimit-Limit is 60, and that X-RateLimit-Remaining is less than 60.
From the documentation:
For API requests using Basic Authentication or OAuth, you can make up to 5,000 requests per hour.
Authenticated requests are associated with the authenticated user, regardless of whether Basic Authentication or an OAuth token was used. This means that all OAuth applications authorized by a user share the same quota of 5,000 requests per hour when they authenticate with different tokens owned by the same user.
So I guess that means I can't make more tokens and expect more than 5000 requests per hour, but why only 60? Why does the API treat my requests as anonymous? Also I think that the Search API is more limiting. What is the right way to access the GitHub REST API?

The issue is that this call is not authenticated since you've specified:
Add To Headers
Key: access_token
Value: {{PAT}}
It will add an HTTP header with the following value: access_token: [PAT value] which is not processed by GitHub.
Check out the headers sent in the Headers tab; it should print Authorization: Token YOUR_TOKEN or Authorization: Bearer YOUR_TOKEN
The following configuration will work correctly:
Add To Headers
Key: Authorization
Value: Token {{PAT}} (also Bearer {{PAT}} works)
You can also use Authorization of Type Bearer Token which is the same as Bearer XXXX:
You can also disable Authorization (to the value No) and, in the Headers tab, just append the Authorization header:
Note that the usage of access_token in the URL query parameters has been deprecated since the end of 2019.
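A quick way to confirm that GitHub actually saw your token is to read the X-RateLimit-* headers it returns: 60 means the call was treated as anonymous, 5000 means it was attributed to the user. The example below is added here and is not code from the answer above; it builds the Authorization header GitHub processes, interprets the rate-limit headers of a response, and (only if a GITHUB_TOKEN environment variable is set, a name chosen for this example) performs a live check against the /rate_limit endpoint, which does not consume quota.

```python
"""Added example: build the header GitHub reads and interpret X-RateLimit-* headers.
Stdlib only; the live call is optional and guarded by the GITHUB_TOKEN env var."""
import os
import time
import urllib.request
from typing import Mapping, Optional

ANONYMOUS_LIMIT = 60        # per-hour limit applied to unauthenticated requests
AUTHENTICATED_LIMIT = 5000  # per-hour limit for requests carrying a valid user token


def github_headers(token: str) -> dict:
    """Headers for a REST call. GitHub takes the credential from 'Authorization';
    a header literally named 'access_token' is ignored and the call counts as anonymous."""
    return {
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "rate-limit-check",  # GitHub rejects requests without a User-Agent
    }


def rate_limit_status(headers: Mapping[str, str], now: Optional[float] = None) -> dict:
    """Interpret the X-RateLimit-* headers of a GitHub response.

    Returns the hourly limit, remaining calls, seconds until the window resets,
    and whether the limit shows the request was attributed to a user."""
    # HTTP header names are case-insensitive; normalise before lookup
    h = {k.lower(): v for k, v in headers.items()}
    limit = int(h["x-ratelimit-limit"])
    remaining = int(h["x-ratelimit-remaining"])
    reset_at = int(h["x-ratelimit-reset"])  # epoch seconds
    now = time.time() if now is None else now
    return {
        "limit": limit,
        "remaining": remaining,
        "seconds_until_reset": max(0, reset_at - int(now)),
        "authenticated": limit > ANONYMOUS_LIMIT,
    }


def fetch_rate_limit(token: str) -> dict:
    """Live check: /rate_limit returns the same X-RateLimit-* headers as other
    endpoints but does not count against the quota."""
    req = urllib.request.Request("https://api.github.com/rate_limit",
                                 headers=github_headers(token))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return rate_limit_status(resp.headers)


if __name__ == "__main__":
    # Constructed response headers mimicking the anonymous case from the question.
    anonymous_like = {"X-RateLimit-Limit": "60", "X-RateLimit-Remaining": "57",
                      "X-RateLimit-Reset": "1700000000"}
    print(rate_limit_status(anonymous_like, now=1699999400))
    pat = os.environ.get("GITHUB_TOKEN")  # set to a real PAT to run the live check
    if pat:
        print(fetch_rate_limit(pat))
```

If `authenticated` comes back False with a token you believe is valid, the token never reached GitHub: check the header name before assuming the token itself is the problem.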

Related

Karate API Test - Bearer error="invalid_token", error_description="The audience <number> is invalid"

I'm using secret keys to generate an access token that I will use to authenticate for an API that I call. The issue is that I'm getting the error:
status code was: 401, expected: 200
WWW-Authenticate: Bearer error="invalid_token", error_description="The audience value is invalid"
This is how I call the API
Given url `https://login.microsoftonline.com/tenant_id/oauth2/token`
And form field grant_type = `client_credentials`
And form field client_id = `value`
And form field client_secret = `value`
When method post
Then status 200
* match response.access_token != null
* def access_token = response.access_token
* print access_token
Given header Authorization = 'Bearer ' + access_token
Given url 'url'
And header accept = `plain/text`
And header 'X-Mimic-User' = `confidential`
When method GET
Then status 200
I'm expecting to be authenticated to the API with the generated access token.
So it appears your error may be related to the Authorization header, although the error description is hard to decipher, possibly scope related? I would list the URL first, not the header, unless you are re-using it, and want to configure the value for subsequent requests. Another way of setting the Bearer token is:
And match response.access_token == '#present'
* def oauthToken = `Bearer ${response.access_token}`
But really the most important thing is for you to check your request, including headers and compare it between Karate and Postman to see what is different.
From what I see in the error description, the first API call made towards your auth provider is returning a 200 with an access token. But the second call you are making to your application server seems to be failing to see the audience value in your access token.
I doubt you are using the same client credentials input (client_id, client_secret) in your Postman and Karate setup. Make sure they are the same.
I would also confirm if the access token received is having the aud parameter by checking it in https://jwt.io or any other tool you trust to decode your access token JWT. For the sake of experimentation do the same for the access token you got from Postman as well.
Ideally, these configurations are very internal to your application and identity team and may not be directly related to karate. The other teams mentioned should be the ones best to guide you.
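The check the second answer recommends (decode the token and look at its aud claim) can be done locally instead of pasting a live token into a web tool. The example below is added here and is not part of either answer: it decodes a compact JWT without verifying the signature (a developer diagnostic, not an authorization check), reports why an API expecting a given audience would reject it, and builds a constructed HS256 token with a demo key so it runs offline. The audience values and the key are placeholders chosen for this example.

```python
"""Added example: inspect the aud and exp claims of an OAuth access token that is a JWT.
The signature is deliberately NOT verified here; this only explains a rejection."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> dict:
    """Return header and payload claims. The signature is not checked."""
    try:
        header_b64, payload_b64, _sig = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    return {
        "header": json.loads(_b64url_decode(header_b64)),
        "payload": json.loads(_b64url_decode(payload_b64)),
    }


def audience_problems(token: str, expected_aud: str, now: Optional[float] = None) -> list:
    """List the reasons an API that expects `expected_aud` would reject this token.
    An empty list means aud and exp are consistent with that API."""
    claims = decode_jwt_unverified(token)["payload"]
    problems = []
    aud = claims.get("aud")
    # RFC 7519: aud may be a single string or an array of strings
    audiences = aud if isinstance(aud, list) else [aud] if aud is not None else []
    if not audiences:
        problems.append("token has no aud claim")
    elif expected_aud not in audiences:
        problems.append(f"aud {audiences!r} does not include {expected_aud!r}")
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token is expired")
    return problems


def make_sample_jwt(claims: dict, key: bytes = b"constructed-demo-key") -> str:
    """Constructed HS256 token for offline demonstration only; a real identity
    provider signs with its own key, which this example does not have."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    # Constructed token issued for a different resource than the API being called
    tok = make_sample_jwt({"aud": "api://other-resource", "exp": 4102444800})
    print(audience_problems(tok, "api://my-backend"))
```

When the output names a different audience than your API expects, the fix is on the token request side (the resource or scope you ask the identity provider for), not in the Karate or Postman headers.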

Is it possible to call 2 dependent api's in one scenario of cucumber feature file

I have a requirement to call 2 dependent api's in one scenario.
Below are the steps I have done.
Feature: Verify the output.

  Background: Generate the token
    Given I use the <token-endpoint> with <username> and <password>
    When I send "POST" request to get the token
    Then I should receive the token

  Scenario: 1. <Statement>
    Given I use the <token> endpoint with token
    When I send a "POST" request to the <first> api
    And I store the response in file1.json
    Given I use the <token> endpoint with token
    When I send a "POST" request to the <second> api
    And I store the response in file2.json
    Then the status should be 200.
The <first> api is able to read the token but the <second> api is not able to read the token, resulting in a "Forbidden" error.
NOTE: the <second> api is dependent on the <first> api and uses the same token.

Azure Get All Organizations in multi tenants

In this article https://learn.microsoft.com/en-us/rest/api/resources/tenants/list I can get all the Tenants in my account. Now I want to get all the Organizations in DevOps/VSTS in each tenant or directory. Currently I'm using this article https://learn.microsoft.com/en-us/rest/api/azure/devops/account/accounts/list?view=azure-devops-rest-5.0 and the token I get in the tenants is not working in getting all the organizations. Is there a way to list all the organizations in each tenant in my account? Thanks!
You can get the list via the below azure API call:
GET https://management.azure.com/tenants?api-version=2016-06-01
And for this API call to return results correctly you need to gain an access token and put it in the request header like that:
Authorization: Bearer access_token
And as shown in the documentation, you can gain the access_token from the below Identity end point as it's an Implicit flow token:
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
So the steps will be:
1- First make a call to:
https://login.microsoftonline.com/common/oauth2/authorize
With the appropriate parameters like the client_id and etc.
2- Gain access_token from the first step response.
3- Use this access_token to retrieve your tenants list:
GET https://management.azure.com/tenants?api-version=2016-06-01
Authorization: Bearer access_token
And you can test this via postman or any curl based tool for verifying.

Passing an access and refresh token in the header with IdentityServer4

It seems IdentityServer4 will only pass access tokens as a cookie in the header unless I do resourceownerpassword which will pass an access token, but no refresh token. I need the access and refresh token directly passed in the header something like this
HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "eyJz93a...k4laUWw",
  "token_type": "bearer",
  "refresh_token": "sd4rR68...",
  "expires_in": 86400
}
I've read the entire docs and scoured the internet and have found nothing. Is this possible with IdentityServer4?
Edit:
So I misunderstood what was happening with the token. Now I see it is in the body, I need this in the header.
With this specific need is it better for me to switch to nodejs oauth2?
IdentityServer4 does not pass access tokens as a cookie in the header.
If you use the authorization code, hybrid, or client credentials flow, then access tokens are returned from the token endpoint as JSON in the response body.
Refresh tokens are only supported by the authorization code, hybrid, and ROPC flows. To request one include the offline_access scope.

authentication header vs query parameter in google cloud endpoints

I have tried everything, yet I cannot access my API using Google Cloud Endpoints using an Authentication:Bearer header. According to the Cloud Endpoints docs:
When you send a request using an authentication token, for security reasons, we recommend that you put the token in the Authorization:Bearer header.
It also says:
If you cannot use the header when sending the request, you can put the authentication token in a query parameter called access_token.
I can perfectly access the API using access_token=" +idToken in my URL. However, when I try to send an HTTP request with the Authentication header like this:
const url = "https://<PROJECTNAME>.appspot.com/getbalance";
axios
  .get(url, { headers: { 'Authentication': 'Bearer ' + idToken } })
  .then(response => {
    console.log(response.data);
  })
  .catch(error => {
    console.log(error);
  });
I get this error:
JWT validation failed: Missing or invalid credentials
Is sending the token in a query parameter as safe as sending it in the header?
Your code example shows you setting an Authentication header, not an Authorization header. You should not typically use a query parameter as it will likely get logged in Cloud Console.
When using "Authorization: Bearer ", you would need to use an access token obtained through OAuth 2.0 authentication.
This can be illustrated if you use the OAuth Playground against any of the Google APIs.
Keep in mind that if you want to access your Firebase database using the Oauth Playground, you would need to configure the client ID and client Secret of your Firebase project on the gear icon at the top right of the playground screen.
Also make sure to use these scopes:
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/firebase.database
After completing all the steps, you will be able to make a REST request using the authorization header with the obtained access token.
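Both this answer and the GitHub answer at the top of the page come down to where the credential sits in the request: a header named Authentication (or access_token) is not an HTTP authentication header and is ignored, and a token in the access_token query parameter is written to request logs along the way. The example below is added here and is not code from either answer: it audits a URL and header set for those placements and rewrites them into Authorization: Bearer. The host name and token values are constructed placeholders.

```python
"""Added example: audit where a request carries its bearer credential and move it
into the Authorization header. Stdlib only; all sample values are constructed."""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit


def audit_credential_placement(url: str, headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the credential is in
    'Authorization: Bearer <token>' (or 'token <token>') and nowhere else."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    if "access_token" in parse_qs(urlsplit(url).query):
        findings.append("token sent as access_token query parameter: it will appear in server and proxy logs")

    if "authentication" in lower:
        findings.append("header is named 'Authentication'; the server reads 'Authorization'")
    if "access_token" in lower:
        findings.append("header is named 'access_token'; it is not an HTTP auth header and is ignored")

    auth = lower.get("authorization")
    if auth is None:
        if not findings:
            findings.append("no Authorization header present")
    else:
        scheme, _, credential = auth.partition(" ")
        if scheme.lower() not in ("bearer", "token") or not credential.strip():
            findings.append(f"Authorization header malformed: {auth!r}; expected 'Bearer <token>'")
    return findings


def to_authorization_header(url: str, headers: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Move a token found in the query string or in a misnamed header into
    'Authorization: Bearer <token>'; return the cleaned (url, headers)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    token = None
    if "access_token" in qs:
        token = qs.pop("access_token")[0]
    cleaned = {}
    for name, value in headers.items():
        key = name.lower()
        if key == "authentication":
            token = value.split(" ", 1)[-1]  # drop a leading 'Bearer ' if present
        elif key == "access_token":
            token = value
        else:
            cleaned[name] = value
    if token:
        cleaned["Authorization"] = f"Bearer {token}"
    return parts._replace(query=urlencode(qs, doseq=True)).geturl(), cleaned


if __name__ == "__main__":
    # Constructed request reproducing the two placements discussed on this page
    url = "https://PROJECTNAME.appspot.com/getbalance?access_token=tok123"
    hdrs = {"Authentication": "Bearer tok123", "Accept": "application/json"}
    for finding in audit_credential_placement(url, hdrs):
        print("-", finding)
    print(to_authorization_header(url, hdrs))
```

Running the audit before a request leaves your code is a cheap way to tell "the server rejected my token" apart from "the server never received my token", which is the distinction both answers are making.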
