Is it possible to use basic authentication when the username and password fields do not make any restrictions on the type of characters to be used?
Example, could exist a user with the following values:
username: iamThe:User
password: My#Secure:Password
To convert to basic authentication:
concat username:password = iamThe:User:My#Secure:Password
convert to base64 and add to header Authorization: Basic aWFtVGhlOlVzZXI6TXlAU2VjdXJlOlBhc3N3b3Jk
How do I get back the username and password from the following field aWFtVGhlOlVzZXI6TXlAU2VjdXJlOlBhc3N3b3Jk? is there a solution for this?
Related
I am pulling data from a server using this API. In order to get an authToken I need to pass my username and password. The password input description says "Hashed password. May be passed as clear text, or as RSA-encrypted hash
(see above for RSA public key)."
To encrypt the password I am using the below code.
library(openssl)
aqKey <- read_pubkey("public_key.pem")
user_name <- "UserName"
password <- rsa_encrypt(charToRaw(askpass()), aqKey)
pw <- rawToChar(password)
This gives me a string with a bunch of unusable characters that produce a 400 error when used in the URL.
/GetAuthToken?user=USERNAME&encPwd=ˆ Ù\026Õ©1tÐÆ®IßÊ/ÛÅÆwéÙeµèB¾kz–V\t–ü˜ÞO«~=ñcѪÿC'p‰-zòjEü,\r¯eÑ}d‹ã\fÀ\030DR·W\026Â\022‰Å:™¶í©«cózÆlE\032Ï4$é¹Þ,ù«…s\021…–ì\026}h¯~?\nC\021ôj-†\032K}ò\026
If I use base64_encode() or URLencode() on either password or pw I get a 200 status but do not receive a token. This is equivalent to an incorrect password. When I pass the password as plaintext I get a token.
My question is, how should I be formatting the password once it has been encrypted so that the server will recognize it as an encrypted password?
I have installed Laravel Passport per the documentation and I have modified all areas of my code that is required.
I am working on setting up Password Grant Tokens so that users will be able to get an API token when logging in with their username and password for the site. I am hitting an issue though when it comes to the grant_type.
For some reason Laravel is complaining about an invalid grant type.
{
"error": "unsupported_grant_type",
"message": "The authorization grant type is not supported by the authorization server.",
"hint": "Check the `grant_type` parameter"
}
These are the fields that I am posting to /oauth/token
client_id = 4
client_secret = SMiYE7XqDNtXKQnmkYmFnXxfAaV83vRhnJ9zwCtZ
username = jcrawford#domain.com
password = **************
grant_type = password
scope = *
I have run php artisan passport:install and I have also tried running php artisan passport:client --password
Both commands worked and both created the client and secrets, however, I cannot seem to get past the error about the grant_type.
Any suggestions on what I should look at to get this solved so that Password Grant Tokens will work for me?
It appears that you must send the parameters as form data and not in the headers like I was doing... Rookie Mistake!
I'm using Postman and I have put all parameters in Params. Postman shows the following response
{
"error": "unsupported_grant_type",
"message": "The authorization grant type is not supported by the authorization server.",
"hint": "Check the `grant_type` parameter"
}
Now I put all parameters in Body and then press the Send button, It's working well.
For me the problem was that i wasnt using Request $request, i was using RegisterRequest $request which i had created.
Initial URL
https://restfulapi.test/oauth/authorize?client_id=3&redirect_url=http://restfulapi.test?response_type=code
Solution
https://restfulapi.test/oauth/authorize?client_id=3&redirect_url=http://restfulapi.test&response_type=code
I had to replace the question mark before response_type with the &
Reading the Laravel documentation saved me a lot of stress. The oauth\token is used to retrieve token using the grant type specified, the route will return a JSON response containing access_token, refresh_token, and expires_in attributes. The expires_in attribute contains the number of seconds until the access token expires (ref) You are meant to
Install passport
Publish the service providers and migrations and migrate.
Setup a route for login/register to create an account and login.
In your User model, add HasApiTokens from use Laravel\Passport\HasApiTokens;
In your response in your login method, add the token as part of the response.
Test your response on postman
Hi i am gooling but without result.
I am trying to check one field in DB while encoding password to user. How?
The service
services:
my_password_encoder:
class: TB\WelcomePageBundle\Security\Encoder\MyPasswordEncoder
<?php
namespace TB\WelcomePageBundle\Security\Encoder;
use Symfony\Component\Security\Core\Encoder\BasePasswordEncoder;
use TB\UserBundle\Entity\User;
class MyPasswordEncoder extends BasePasswordEncoder
{
public function encodePassword($raw, $salt)
{
$user = new User;
$old_or_new=$user->getOldNew();
print_r($user);
print_r($old_or_new);die();
The point:
1. withdrawn one field from DB from current logging user.
2. Depend on the value i need: encode his password MY WAY and log in + CHANGE THE PASSWORD THE SYMFONY WAY and update DB.
3. Depend on the value just use the symfony way.
There is easy condition. The problem is just how i can withdrawn this field + encode password symfony way. (how encode password my way i know). + encode the password not more via my way but symfony and update DB.
My points is to migrate low secure passwords to symfony2. Why? Because i have existing DB where the passwords are encoded my way. So i need to "update" them.
THE MAIN PART OF QUESTION:
HOW CAN I GET THE USERNAME OF USER WHO TRY LOG IN IN ENCODE PASSWORD FUNCTION??? THX!!!
I'd like to use HTTP Basic auth to do password-less authentication between trusted services in a private network. Is it acceptable to leave out the password field entirely when using Basic auth? Is there a better authentication mechanism I should research?
RFC 2617 defines them as
user-pass = userid ":" password
userid = *<TEXT excluding ":">
password = *TEXT
and * in the ABNF means "0 or more."
Meaning the userid and password can be empty, in which case : is encoded into Base64.
In HTTP Basic auth, the username and password are concatenated using a colon then encoded in base64 and the resulting header looks something like:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
The Basic part specified basic authentication and the second part is the base64 encoded token. It doesn't have to be a username/password combo, but can just be a username with a blank password, or a username alone. You just have to be aware of that when decoding the authorization header.
I'd like to e-mail all my users a link to a symfony site that I am writing, and have it so that when they follow that link they are logged in to the site (probably with a special role, like IS_AUTHENTICATED_REMEMBERED), and redirected to a certain page. How can I do this?
So the link would be something like:
http://example.com/?key=[some sort secret key with their account encoded in it]
i'd do something like this: generate the key with a hash function over the username.
Then send them a link to http://example.com/?user=username&hash=the-hash-result.
In the action that will recieve this url you can get the request parameter username and hash, apply the same hash funcion to the username you recived and compare the result to the hash key in the request parameters.
If match, just set the appropiate credentials to the user and log him in
Lets see some code, in your authentication class you should have a function to authenticate a user with the $user and $password parameters. Here or extending this class you can define a funciton like this:
function authenticate($user,$hash-key){
if(hashFunction($user) == $hash-key){
$user->setAuthFunction(true);//sort of
}
}
Hope it helped you!
Not so easy to implement I can tell you but you got to take a look to the UsernamePasswordFormAuthenticationListener::attemptAuthentication method...
Make your own service to atteptAuthentication automaticaly.
Inspired by this message and this code, I wrote a controller that gets the user from the database, verifies the secret key, then fakes a login token as follows:
$providerKey = 'secured_area'; // Name of firewall from security.yml - not sure this is correct.
$token = new UsernamePasswordToken($user, null, $providerKey, array('AUTO_LOGIN'));
$this->container->get('security.context')->setToken($token);
(you need this at the top of your file)
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
It seems to work, and the user has a role of AUTO_LOGIN so I can easily restrict them from accessing more sensitive stuff until they have logged in with a username and password as normal.