I have generated OAuth 1.0 header separately by using OAuth 1.0 custom header generator including following details.
oauth_consumer_key
oauth_token
oauth_signature_method
oauth_timestamp
oauth_nonce
oauth_version
oauth_signature
My requirement is to trigger an GET request including OAuth 1.0
Is it the correct way to send GET request with Authorization header? header sample is below.
Authorization : OAuth oauth_consumer_key="XXXX",oauth_token="XXXX",oauth_signature_method="HMAC-SHA256",oauth_timestamp="1632196528",oauth_nonce="XXXX",oauth_version="1.0",oauth_signature="XXXX"
Yes,
Once you generate a OAuth 1 header successfully, it can be used as a header under Authorization like following.
Authorization : OAuth oauth_consumer_key="XXXX",oauth_token="XXXX",oauth_signature_method="HMAC-SHA256",oauth_timestamp="1632196528",oauth_nonce="XXXX",oauth_version="1.0",oauth_signature="XXXX"
Related
I am trying to call Azure Copy Blob API from postman. I have passed below headers and hit the request but I am getting "AuthenticationFailed" error.
I am sure, I might have given wrong header values or missed some required headers. Can some please help me what am I missing.
Here is the request:
Method: PUT
URL: https://accountname.blob.core.windows.net/containername/SAMPLE_FILE.CSV
Headers:
Authorization = SHARED ACCESS SIGNATURE:?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacupitfx&se=2023-05-30T06:52:46Z&st=2022-05-31T22:52:46Z&spr=https,http&sig=lP1fdHkWabckHlMFOrUsAWyVu6zxxJwNX4l%2B6a0WAmE%3D
x-ms-version = 2015-04-05
x-ms-copy-source = https://accountname.blob.core.windows.net/containername/SAMPLE_FILE.CSV
x-ms-date = 2022-06-13T18:51:28.5001104Z
Response Received:
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:aa820193-601e-0037-5959-7f7a5b000000
The reason you are getting this error is because you are using incorrect authorization header.
When you use SAS token, you would need to use SAS URL as the base URL for your copy operation and do not include authorization header as SAS token already contains the authorization information.
Do try with the following PUT URL and you will not get the authorization failed error (assuming your SAS token is valid):
Method: PUT URL:
https://accountname.blob.core.windows.net/containername/SAMPLE_FILE.CSV?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacupitfx&se=2023-05-30T06:52:46Z&st=2022-05-31T22:52:46Z&spr=https,http&sig=lP1fdHkWabckHlMFOrUsAWyVu6zxxJwNX4l%2B6a0WAmE%3D
I authenticate using OAuth 2.0 authorization code workflow successfully and get redirected back to Postman. Here is more information on the Azure DevOps REST API I am trying to do.
In the console, I get an error: request URL is empty
I do not see the authorization code in the response for me to parse, but if I expand the error message and look in the Request Body > code, my authorization code is there!
I am able to use the authorization code to successfully obtain an Access Token as well.
Steps to reproduce error:
I set all of the values in the OAuth 2.0 form
I click Get New Access Token
I get redirected to my browser to accept
I get a successful authentication & get redirected back to Postman
I get the Authorization code in the request body of a console error (I also get the auth code in the URL after authenticating)
On step #5, I expect to get redirected back to Postman successfully with the authorization code in the body of the message.
EDIT: The solution below works for the Azure API with a scope of https://graph.microsoft.com. If the scope is https://app.vssps.visualstudio.com (which is what I'm using), the solution will not work oddly enough.
Please try my steps to get access token with OAuth 2.0 in Postman.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Callback URL: the Redirect URI in Application > Authentication. It is required. Don't select Authorize using browser.
Auth URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
For more information, you could refer to the blog which uses oauth2 v1.0.
Should a OAuth 2.0 Client send his client_id and client_secret only at his initial request for authorization?
Or at every request he sends to the Authorization/Resource-Server?
Thanks in advance!
#Edit 1: We try to implement the 'Resource Owner Password Credentials'-Flow.
#Edit 2: My guess is that you dont need to send it after you aquired the Access Token. Cause when you already have the access token, the client sends his request directly to the Resource Server. But if you need a refresh token and request one from the Authorization Server, then you need to send client_id and client_secret too. Or am i mistaken?
It all depends on what you want to do with oauth (the flow you use).
You should refer to the flows described here :
https://www.rfc-editor.org/rfc/rfc6749
The client_id is required when you redirect to the authorization endpoint of the authorization server. The secret is used when you exchange an authorization code with the authorization server.
Then you should send your access token at every request of your client with your resource server (api) using the header "authorization"
We have our development website password protected with htaccess and htpasswd. We have REST API on our dev website and we are able to bypass the password protection when we are not using any authorization header by passing the username and password as Basic Auth Type. Please check the below screenshot
Postman Authorization Type
However, we are having few other APIs as well where we need to pass the bearer(token) as authorization header. In this case we are not able to pass multiple authorization header for both htaccess password and token.
Is there a way we can pass both the htaccess authorization header as well as the API authorization header? Or can we bypass password protection only for API calls and not for the website?
For additional information, we are using Apache/2.4.28.
Thanks
Super old question, but I just ran into this issue and figured out you can combine the Basic Auth and the Bearer Token into 1 Authorization call.
This is how I did it with Postman:
Create the Basic Auth to get past your htaccess pw:
Go to the Headers section and copy the Hashed Basic Auth Value:
Still in Headers add a new Authorization Key. For the Value add your copied Basic Auth Hash and then your Bearer token. Should look like this:
Basic dGVhbToxxxXXXxxxXx== Bearer 2|XDIrp...wqhKCzvOpK
Now go back to the Authorization Tab (Step 1) and Change the Basic Auth back to Inherit Auth from parent
The final Header should look like this:
Now you can get through the htaccess and authenticate your Api route with the bearer token.
If you use postman basic authentication with username add password it will bypass the htaccess.
If you using through code, encode your "username:password" using base64 and pass it in the headers as,
'Authorization': "Basic BASE64ENCODE"
While implementing OAuth Server in NodeJS with https://github.com/thomseddon/node-oauth2-server
I'm trying to understand flow of OAuth 2.0
Somehow i'm successful with this npm package implementation, But I doubt, Something is going wrong.
I'll explain how i'm successful.
1st REQUEST:
POST: http://localhost:3000/oauth/token
grant_type=password
client_id=1011
client_secret=somesecret
username=admin
password=admin
1st RESPONSE:
{
token_type: "bearer"
access_token: "7f5261011fb0f84a4e193889fff4b7478f2a4cb2"
expires_in: 3600
refresh_token: "da83de41966979ced65b3841e1758335a811c0c2"
}
after getting access token, I'm sending another http call
2nd REQUEST:
GET http://localhost:3000/secret
Authorization: Bearer 7f5261011fb0f84a4e193889fff4b7478f2a4cb2
2nd RESPONSE:
{"data":"Secret area accessible"}
But here i'm fully confused about
Question 1. Authorization_code part is missing
Question 2. In first call I need to send client_secret and user_password - If I sending both means oauth client is exposing secret to user(Browser) or User is providing password to OAuth Client.
Please share me if any request/response pattern of whole OAuth 2.0 like below
a. browser -> oauth server POST /oauth/authorize?client_id,username,password
b. USER GRANTS PERMISSION
c. browser -> oauth server RESPONSE auth_code
d. browser -> oauth client POST auth_code
e. oauth_client -> oauth server POST auth_code
e. oauth server -> oauth_client RESPONSE access_token
f. oauth_client -> resource_server POST /resource?access_token (Question 3. But here how resource server validates access token is valid or not )
OAuth 2.0 defines several ways of obtaining an access token through so-called "grants". Your requests show that you're currently using the Resource Owner Password Credentials grant, see: https://www.rfc-editor.org/rfc/rfc6749#section-1.3.3. That grant is indeed exposing the username/password to the Client which is why it defeats most of the purpose of OAuth 2.0 and is for migration purposes only, see: https://www.rfc-editor.org/rfc/rfc6749#section-10.7
The Authorization Code grant is a separate grant type by which a user is redirected with a browser to an authorization endpoint so that the Client stays out of the user authentication process. You seem to refer to that in the flow described in a.-f. Since that is a different grant type, you won't see the "authorization code" as part of the resource owner password credentials grant.
In a correct Authorization Code grant flow, a. would be a redirect instead of a POST as in: a. browser -> oauth server Redirect /oauth/authorize?client_id,response_type=code