I've been able to setup JHipster successfully using both Token and OAuth2 authentication. With both I can login using the default admin/admin account. However, in both cases, I get 401 errors when I want to access any API endpoint, i.e: http://127.0.0.1:8080/api/users
It renders a page with the following message:
Your request cannot be processed
Sorry, an error has occurred.
Status: Unauthorized (Unauthorized)
Message: Access Denied
Am I missing anything obvious?
Are you seeing any the spring security errors in the logs? Your angular session should be passing your recently acquired auth token for the admin user as part of the request to the api. If you want to access the api again outside of angular eg curl/Java client you'll need to request a new token for the user eg https://github.com/reddit/reddit/wiki/OAuth2-Quick-Start-Example
Related
I have created a Gitlab application (under User Settings / Applications).
I have the client Id and secret and am successfully fetching a token using:
POST https://gitlab.com/oauth/token?grant_type=client_credentials&client_id=<id>&client_secret=<secret> .
When using the token I receive on any API call I try, the response is {"message": "401 Unauthorized"} . (I have given the application permissions on everything, when testing).
The same API calls work with personal access tokens.
What am I doing wrong?
I have created ADB2C tenant and registered application. When I try to get access token using 'Auth code with PKCE' flow from postman using steps mentioned here I am getting below error.
Registered application:
Scope:
Permission granted:
UPDATE:
Issue was resolved just by restarting postman tool. Could be related to some cache or cookies.
• I also followed the same link that you have posted in your question and entered the values as below to get the access token and the refresh token for the Authorization code with PKCE request through Postman and it was successful as it returned me the refresh token as well as the access token. I also gave the scope of the application created the admin consent for accessing the application’s API further which I also stopped getting any issues in Postman. Also, you can clear the cookies any time whenever you use the Postman for getting any new tokens through the Authorization code with PKCE method. Though, it was good for you that when you restarted the Postman application, it successfully worked. It might be because your Postman application was pending for a restart post background application updates.
I have set up an instance of Azure FHIR with an Azure FHIR proxy using this tutorial:
https://github.com/microsoft/health-architectures/tree/master/FHIR/FHIRProxy##configuration
I am unable to call the proxy without getting the following error message:
You do not have permission to view this directory or page.
I have created a token successfully using the following tutorial:
https://learn.microsoft.com/en-us/azure/healthcare-apis/access-fhir-postman-tutorial
I have created an app service principal in Azure with the permissions to access the FHIR proxy:
https://func-fhir-proxy-2.azurewebsites.net
I am generating the token using the following in postman:
Auth URL: https://login.microsoftonline.com/e34c8e67-182a-4085-9dc0-39a38dddea12/oauth2/authorize/?resource=https://func-fhir-proxy-2.azurewebsites.net
Access Token URL: https://login.microsoftonline.com/e34c8e67-182a-4085-9dc0-39a38dddea12/oauth2/token
Client ID: 4d138742-44c0-42cb-9878-8647a1d2ef17
Client Secret: Well..that's a secret!
Scope: openid profile
State: 12345
Postman returns 3 tokens: Access_token, Refresh_token, Id_token.
I have tried each token and all return the same 401 error.
ID token JWT looks like this:
I have tried calling the FHIR proxy API's, due to the tutorial I am not 100% which are the correct URLs:
https://func-fhir-proxy-2.azurewebsites.net/api/fhirproxy/Patient
https://fhir-test-apis.azurehealthcareapis.com/Patient/
None of this works, I just keep getting the same error. Does anyone know what I am doing wrong? Should I be calling the FHIR proxy API using the token? If so, why is the API not letting me in?
I managed to fix the issue. I found that the resource ID was needed in the auth URL:
This can be obtained from Enterprise Applications:
Also, creating two separate app registrations:
The link ending with ".../api/fhirproxy/Patient" is correct for the proxy deployment.
I'd suggest that you do a quick test that you can access the FHIR API without the proxy. You can use the existing deployment and follow instructions at https://learn.microsoft.com/en-us/azure/healthcare-apis/access-fhir-postman-tutorial.
Once you get that working, test the FHIR API with the proxy. You can start with the proxy that has the its security disabled (The FHIR api still requires security and you cannot disable it). Once you get that working, you can enable the proxy's security.
Since the proxy is a web app acting as a proxy, you will need two sets of credentials, one set for the FHIR api itself, which you specify in the proxy app, and one set for the proxy web app, which you specify in your client app, e.g. Postman or curl.
The reason for the error is actually very simple, you are using the wrong scope.
Usually the 401 error means that the audience of your token does not match your api. When you use the token to call the api, you will receive a 401 unauthorized error. The access token is issued based on the audience, so you must Make sure to set the scope to your api when you request the token. Of course you can also parse the token, check the aud claim, and make sure it is the api you want to call.
Therefore, according to your requirements, try to change the scope to: https://func-fhir-proxy-2.azurewebsites.net/.default
By the way, if you want to call api, you should use access token instead of refresh token and id token.
I have react app, which can login user via Azure AD. After that, I created from react app request into my .net core mvc app with header Authorize. But when I added [Authorize] attr into my controller, I get error:
Bearer error="invalid_token", error_description="The signature is invalid"
All I need that my backend app only check scope or role from JWT token and allow to get some data. I know that JWT is correct and react app login user without any problems.
Similar issue to this one:
https://forum.ionicframework.com/t/validating-token-signatures-in-asp-net-core/108226
I summarize the comments and post it as an answer:
Usually the 401 error means that the audience of your token does not match your api. When you use the token to call the api, you will receive a 401 unauthorized error. The access token is issued based on the audience, so you must Make sure to set the scope to your api when you request the token. Of course you can also parse the token, check the aud claim, and make sure it is the api you want to call.
When you expose an api protected by Azure, then you need to set the scope to your custom api, usually api://{api app client id}/scope name, and then you need to add the client application to the api application.
I am developing a skype Api to show user presence using ucwa with the help of steps outlined at Authentication using Azure AD.
I got the bearer token, but when I Perform a GET on the root resource with the bearer token, it always returns 404, Reason Phrase: not found. If I do not include token, it will return un-authorized. So, seems it authorized, but can not find the resource. what could cause this?