The Basic authentication information that I currently set in the Http Request Module of Anypoint Studio is as shown in the attached image.
(The username and password information is described as it is in the property file.)
enter image description here
What I want to achieve is an image in which the value of the Authorization header is base64-encoded with username: password as the basic authentication setting value.
I would like to realize the following image with the HTTP Request module. Is it possible?
If it is possible, please teach me the detailed implementation method.
Authoraization: Basic [base64 encoded username:password]
The HTTP Requester supports using HTTP Basic Authorization directly, without needing to manually encode the values.
Example:
<http:request-config name="HTTP_Request_configuration" >
<http:request-connection protocol="HTTP" host="myhost.com" port="80" >
<http:authentication >
<http:basic-authentication username="secretuser" password="12345678" />
</http:authentication>
</http:request-connection>
</http:request-config>
See the documentation for details.
Related
I am creating an ASP.NET Core 6.0 Web API.
This is my controller
public virtual IActionResult GetStatus([FromHeader][Required()] string authorization, [FromRoute][Required] string requestId)
{ }
Problem is the request header is not accepting a parameter with name authorization. If I change name to something else it works fine. But when I change name to authorization, it is not working. I added a middleware and see that the request header does not have authorization in header.
My organization specification wants the name to be authorization only so I can not have any other name here.
Is there any way a Web API endpoint can accept a parameter named "authorization".
I tried creating a custom AuthenticationHandler, it does not solve the problem.
Is there any way a Web API endpoint can accept a parameter named
"authorization"
Reason: 1
Well, your issue is pretty obvious. You may hear about reserved keyword. Like in C# there are some compiler-reserve key for example static, class public and so on. We cannot set variable name as reserve key word.
If you navigate to System.Net.Http.Headers namespace and then move to below details, you would see Authorization is a reserve key word for HttpClientb request and its not wise to manipulate that system reserve word at all.
client.DefaultRequestHeaders.Authorization
Reason: 2
Likewise, if you use or attached Swagger in your program.cs so no longer you cannot use authorization, Content-Type, Accept as your self defined parameter, even if you use it will be skipped. However, Postman can allow you to do that. You can check swagger official reference here.
You can see the example below:
Swagger Request:
Postman Request:
Note:
Apparently, you can ommit swagger then it might work. Nonetheless, if you are using Authorization and Authentication within your application, then you might face unexpected issues if you still stick to use authorization as your custom parameter.
i am trying to generate access token to collect linkedin data. I followed the instructions provided in the linkedin API documentaion. I created an app in developers page and got the following:
Application Details
• Company:
Fresher
• Application Name:
xxxxxxxxxx
• API Key:
75pcum6zb2cael
• Secret Key:
xxxxxxxxxxxxxxxx
• OAuth User Token:
xxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
• OAuth User Secret:
xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx
Using the API Key i generated the authorization_code with the URL:
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=75pcum6zb2cael&state=DCEEFWF45453sdffef424&redirect_uri=https://www.google.com
but when i finally tried to generate the access token using the below URL, i got an error response :
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=https://www.google.com&client_id=75pcum6zb2cael&client_secret=xxxxxxxxxxxxxxxx
{"error_description":"missing required parameters, includes an invalid
parameter value, parameter more than once. : Unable to retrieve access
token : appId or redirect uri does not match authorization code or
authorization code expired","error":"invalid_request"}
Even after multilple validations, the same error messages appears.
please help. thanks.
finally, i got the access token. The authorization code expires in 20 seconds, so the access token URL must be called immediately after generating the authorization code.
Well, I went through the same problem and here is the process which i went through to fix it.
STEP#1: Authentication:
Firstly, the authentication API is to be hit to fetch the authentication token.
For this, a URL with Encoded parameters is to be hit as a GET request.
Example: https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=[your_client_id]&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flinkedin%2Fcallback&scope=r_emailaddress
Please note that here, the parameters are to be encoded programatically.
My non-encoded callback URL is: http://localhost:8080/linkedin/callback
Therefore, my encoded URL is: http%3A%2F%2Flocalhost%3A8080%2Flinkedin%2Fcallback
Once you hit this as a GET request, you will receive a callback with a code and an optional state parameter.
STEP#2: Getting Access Token:
There are three pre-requisites to this call:
The call must be POST
It must have a header Content-Type with value application/x-www-form-urlencoded
The data must be sent in request body.
The value of redirect_url MUST BE SAME as in the previous call.
In my case, it was: http://localhost:8080/linkedin/callback
Now the trick here is, that the call in (STEP#1 Authentication) was a GET request. Therefore, the redirect_url had to be programatically encoded.
Since the second call for is POST and is also application/x-www-form-urlencoded encoded, therefore the request body parameters do not have to be explicitly encoded. So, in this case, the redirect_uri would be sent as-is (http://localhost:8080/linkedin/callback)
Here is a snapshot of my Access Token API via postman:
My problem was in redirect_uri which contained url with query parameters (like redirect_uri=encodeURIComponent(http://example.com/callback?query=string)).
If redirect url is completely different linkedin will show you an error before showing you login form, but if redirect_url matches what you specified in linkedin app and contains extra query parameters, you'll not get an error, so once login form is submitted you'll get an invalid code and as a result error as above.
This error may be scopes related.
On the details of your application when selecting scopes there is this message:
Selecting both r_basicprofile and r_fullprofile is redundant.
r_basicprofile will be selected if neither r_basicprofile nor
r_fullprofile is checked.
If you are selecting both r_basicprofile and r_fullprofile just uncheck r_basicprofile or remove it from your Authorization Code Request.
I had the same problem, in my case I was using different redirect_uri for authorization and for access token. I had "proxy": "localhost:3001" in my package.json, and it overriden my request_uri.
So my suggestion: make sure the hosts and redirect_uri are all the same for two requests (both backend and server side).
I want to redirect my users browser using HTTP code 303 to a GET URL that I secure using HMAC. Because the request will come from the users browser, I will not have fore-knowledge of the request headers. So I am generating the HMAC hash using the values of the HTTP method and URL only. For example, the URL I want the browser to do to might be:
GET /download
?name=report.pdf
&include=http://url1
&include=http://url2
This create report.pdf for me, containing the contents of all the urls specified using the include query param.
My HMAC code will change this URL to be
GET /download
?name=report.pdf
&include=http://url1
&include=http://url2
&hmac-algorithm=simple-hmac
&hmac-signature=idhihhoaiDOICNK
I can issue HTTP 303 to the user using this URL, and the user will get their report.pdf.
As I am not including the request headers in the signature, I am wondering two things:
1) Can a would-be attacker take advantage of the fact that I am not signing the request headers?
2) Is there a better way to achieve what I am trying to do?
When I realised that what I am talking about here is a signed URL, I checked the Amazon Docs and found "REST Authentication Example 3: Query String Authentication Example" in this document: http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html.
This example is about a signed URL for use through a browser. About signing the headers, the document says:
You know that when the browser makes the GET request, it won't provide a Content-Md5 or a Content-Type header, nor will it set any x-amz- headers, so those parts are all kept empty.
In other words, Amazon leave the headers out of the signature.
Amazon make no mention of potential security holes, so until I hear otherwise (or get hacked :) ), I will assume my approach above is fine.
I have a web service REST API on a secure ASP.NET website which requires a login to work. What is the most secure way to request the username/password programatically? (just adding a ?username=me&password=mysecret to the URL doesn't seem all that secure to me (even though this is a HTTPS connection).
There are several ways to achieve what you need:
[WRONG WAY] One could pass the username and password along with the query string. In theory there is nothing wrong with this practice, but such a URL (http://example.com?username=me&password=mysecret) is usually cached by browsers, proxies, etc and thus leverage a potential risk that someone else can access to your protected data by using these stored data.
[GOOD WAY] In order to remove "almost all" risks related to caching abilities of browsers, proxies, etc. and moreover in order to use standard features of the HTTP protocol, you have to deal with the special HTTP Authorization header.
The HTTP Authorization header :
If you are using HTTP S connections, then you can use the Basic Access Authentication method.
The Authorization header is constructed as follows:
Username and password are combined into a string "username:password".
The resulting string literal is then encoded using Base64.
The authorization method and a space i.e. "Basic " is then put before the encoded string.
For example, if the user agent uses 'Aladdin' as the username and 'open sesame' as the password then the header is formed as follows:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
If you are using HTTP connections, then you should use the Digest Access Authentication method. Because it's more complicated and useless with HTTPS connections, I let you read more about it if you want (here maybe).
In the data model behind my RESTful API there are several entities with the CreatedBy/ModifiedBy fields. The only access to this data is through my API, and as such, the fields should be populated with the user id of the user making the request to my API.
I have considered either adding these fields to the models exposed by my API or expecting a request header containing the user id on all PUT/POST/DELETE requests. I would be interested in any opinions as to which approach is best, or any other approach.
I like the idea of providing it in the header since it is necessary for every request and I am wondering if there is a standard request header to contain the information, or a common x-header.
I have seen the from request header; however, it seems to be defined as the email address of the user making the request and I need to pass the user id.
In our current implementation, we use the authorization header to authenticate the calling application with the API, and not for a specific user.
Which header would you use to pass information to identify the user making a request?
You can extend the Authorization header to add your own parameters. Both the Digest and OAuth authorization schemes support parameters. The Basic scheme already have the user credentials readable. Something like:
Authorization: OAuth realm="Photos",
oauth_consumer_key="dpf43f3p2l4k3l03",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131200",
oauth_nonce="wIjqoS",
oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D",
xoauth_user_guid="alganet"
Yahoo! does something similar with their OAuth implementation, but in another context.
http://developer.yahoo.com/oauth/guide/oauth-accesstoken.html.
However, if these fields are shown or exposed somehow in your public API, they belong to RESTful resources and should be represented always in the body, not the headers. If you GET the username in the message body, you should POST the username using the message body as well.
Assuming you can use HttpClient
HttpClient client = HttpClientManager.getNewClient();
HttpMethod get = new GetMethod(...);
get.addRequestHeader("x-newHeader", "value");
more here
OR using URLConnection using setRequestParameter