Sharing a single JWT token between multiple projects to authenticate - laravel-7

I have two API projects. The main project is a Lumen project and the JWT authentication is written there. The other project is a Laravel project which has APIs. Both projects have tymon/jwt-auth installed and set up, and both use the same secret key generated by JWT in the .env file.
My requirement is to validate the token from both sides (between these two projects).
But it gives me a "message": "Unauthenticated." response. Please help me to solve this problem.
Thank you in advance.

https://laravelquestions.com/2021/07/01/how-to-build-jwt-authentication-between-multiple-projects-in-laravel/
This is the very first time I am working with JWT tokens. I have two API projects. Our main project is a Laravel project and the JWT authentication is written there. The other project is a Lumen project which has some service APIs. Both projects have tymon/jwt-auth installed and set up, and both use the same secret key generated by JWT in the .env file.
My requirement is to validate, in the Lumen service project, the token received from the main Laravel project which has the authentication. The two projects use different databases and the Lumen project does not have the users table.
So far, what I've done in the Lumen project is create and register a middleware to validate the received token, and protect the routes using that middleware. The routes do hit the middleware.
Then I installed tymon/jwt-auth as below:
composer require tymon/jwt-auth
Added the created middleware inside bootstrap/app.php as below:
$app->routeMiddleware([
    'auth' => App\Http\Middleware\AuthMiddleware::class
]);
Uncommented the line below in bootstrap/app.php under the providers section:
$app->register(App\Providers\AuthServiceProvider::class);
Added the line below to the providers in bootstrap/app.php:
$app->register(Tymon\JWTAuth\Providers\LumenServiceProvider::class);
Pasted the JWT_SECRET generated by the main Laravel project into the .env file of the Lumen project.
Now for testing purposes, I wanted to create a token using the JWT_SECRET and validate the token using the same key in the Lumen project.

Related

CORS error appears after adding react build to wwwroot folder

Here is the problem.
I have an .net core web-api application with azure-ad authentication.
When I added the necessary AzureAD section to my appsettings.json file and the redirect URLs to the app registration, my backend worked fine.
But later I added the build of the react project to the wwwroot folder and now, when I try to call a backend method with the authorize attribute, I get a CORS error from Loginmicrosoftonline.
First of all, a web API project should be a daemon application, so it doesn't have a sign-in page as normal, nor a redirect URL for AAD. And we can integrate AAD to protect our API, but the API shouldn't ask users to sign in first.
In your scenario, it looks like you want to let users sign in in your react frontend app, then generate an access token to call the protected web API. I think you need to refer to this sample to integrate the MSAL library in your react app (this sample contains an API written in nodejs; you can ignore the API part since you have an asp.net core API), and this sample for protecting your web API. You may also take a look at this answer.
And going back to your CORS issue, it appeared because you didn't use MSAL.js in your react app but went directly to the login URL. Microsoft identity platform requires developers to use the library. I used to use an ajax request to send a GET request to the login url, and I got a CORS issue as well.

Generate Google JWT from nodejs

I'm trying to create a micro-service on Node to send requests to the Google Compute API via POST (for example, here). This micro-service will be hosted on an App Engine application.
If I understand the documentation, I need to generate a JWT token first (with the google-auth-library) and send that token with the request.
I set up the env variable GOOGLE_APPLICATION_CREDENTIALS with the JSON file path of the Service Account used by the App Engine application on my debugger (to get the same authorization in my dev env).
But I can't reproduce the sample hosted on Github given by the Google Documentation. I get the error UnhandledPromiseRejectionWarning: ReferenceError: require is not defined because I'm using Node 14 with "type": "module" in the package.json.
I searched but found no solution for this. Do you have any hints? Maybe I need to use different code to generate the JWT token or to authenticate these POST requests?
Thank you

keycloak.getAccount() is working while keycloak.protect() is not working

I have an app on the MERN stack in which the react app runs on port 3000 while the nodejs app runs on 3001 in the development environment.
I want to integrate Keycloak in the app. I started a Keycloak instance and created a Realm named MERN in which I created two clients: one is react, which is a public client, and the other is node, which is a bearer-only client.
I created one user also.
I integrated keycloak on react with the react keycloak client configuration, got an access token and passed it as Authorization Bearer to the backend.
I configured the NodeJs app with the node keycloak client.
keycloak provides the method keycloak.protect() to protect APIs, which is not working; it always gives Access Denied.
There is another method in keycloak, getAccount, which takes a bearer token parameter and returns the account in a promise object.
I extracted the token from the Authorization header and passed it to getAccount, which returned the account.
For the keycloak configuration I downloaded it from the installation tab in the client and haven't done any tweaks, just copy-pasted code from the keycloak nodeJS docs.
So I am not feeling any need to write code or configuration here.
For testing you can generate an app from express-cli and create-react-app.
For reactJs I used the library called keycloak-js and for nodeJs I used keycloak-connect.
Question is why keycloak.protect() is not working??
If anyone knows the answer please tell me.

azure nodejs website/webapp supported crypto algorithms for JWT token generation and verification

I am developing a nodejs app deployed as an azure website. I am using JWT tokens for authentication using jws. This uses the node crypto module underneath.
I created a self-signed RSA256 certificate and have uploaded these files with my app. The app creates the jwt token using the private key without a problem. But when it validates a jwt token from a client request, it fails, throwing the following exception:
Exception Details:
System.IdentityModel.SignatureVerificationFailedException: IDX10503:
Signature validation failed. Keys tried:
'System.IdentityModel.Tokens.X509AsymmetricSecurityKey
System.IdentityModel.Tokens.X509AsymmetricSecurityKey
Azure uses iisnode for iis-node integration. When I run this locally on a windows 2008 R2 server, my application verifies the token without any issues.
I ran a test javascript file via command-line node, through the visual studio online editor, to test token creation and verification. This test worked fine, which indicates the actual host is capable of handling the decryption.
My questions:
1) Has anyone used JWT on an azure node JS app?
2) Have you come across this exception?
Thanks in advance.
Finally solved this. I had to do two things to solve this.
Disable the azure AD authentication I had on for the site.
Remove the password protection from the RSA private key. The certificate is used only in the backend, so this is fine.

Securing a nodejs / sailsjs API with OAuth2

I have developed a REST API with sailsjs and I'd like to add OAuth2 authorization to secure this API. I'm quite new to OAuth and I'm not sure where to start.
I found several modules that could be used for this purpose, for instance oauth2orize and an example of its usage https://github.com/aaron524/sails-oauth2-provider-example, but I do not fully understand how this works internally.
Basically, I'll have several clients consuming the API I'm developing:
- clients that I trust and that I'd like to use with the "Resource Owner Credential Authorization"
- clients that I do not trust and that will connect using the Authorization Code flow
I was thinking of adding a trusted property to the Client model within the sails application, and then when a user logs onto an application:
- he will have direct access to his resources (case of the trusted application)
- he will be asked to approve or deny the application's access to his resources (case of the untrusted application)
Is this a good approach? Any pointers on how to select the corresponding strategy based on the client's trust level?
UPDATE
I've set up the following project on GitHub, using several tutorials and projects I found.
https://github.com/lucj/sails-oauth2-api
This project is not functional yet.
I'm still not clear on how to select the correct grant type (authorization code vs resource owner's password) when the user consumes the API through an application. How do I integrate this check in the policies?
I do not manage to create the link between the OAuth endpoints (/oauth/authorize, /oauth/token) and the call to oauth2orize. Any idea?
I finally struggled through Oauth2orize, sails and passport and managed to integrate OAuth2 security for my API in the project: https://github.com/lucj/sails-oauth2-api
