Paw Version 3.2 New request token not being set in headers - paw-app

In PAW I have an auth scheme created to generate 2 or 3 legged tokens and set the generated token in the Authorization header for each request.
I recently updated PAW to Version 3.2 and it seems that PAW is no longer automatically using the access token generated for my request. Manually generating the token and clicking Use Access Token is also not working. At this point the only thing that is working is to manually generate the token by navigating to the environment management section, opening up my 2 or 3 legged token generation variables, clicking Get Access token, highlighting and copying the generated token, pasting that into my header, and replacing Access Token: with Bearer.
Any direction as to how to get the automatic token generation working again would be much appreciated.

Related

Get 401 "Signature mismatch. Authorization signature or client credential is wrong." (JS)

When I call API to get token, this message shows up and I don't know why and how to fix it 1
And this is my Authorization: OAuth oauth_consumer_key="V3R6bm******DznqE-ellA", oauth_nonce="bbo8dYK6anE6JZsEIhj2RmKuEwV0****", oauth_signature="UQH1OnFWEscFbyZIx4DRn9qSOW+nvIlzCEgXrjm***=", oauth_signature_method="HMAC-SHA256", oauth_timestamp="1654152360", oauth_version="1.0"
Please refer to the below Steps to use OAuth 2.0 tokens and follow the instructions:
Step 1: Register your application
If you don't already have a HERE account, see Get a HERE account.
Sign in to developer.here.com.
Click your name, select Projects, and then your project from the list. Your project details and available application credentials are then displayed.
Select REST or HERE SDKs and click Generate App. When your application is created, its App ID is displayed.
Click Create Credentials to generate a maximum of two access keys for your application. The access key is created and displayed in a pop-up window. Download and securely store the access key secret. Also download the credentials.properties file as instructed.
Step 2: Get a token
For instructions on getting a token, see Code an OAuth 2.0 token request.
Step 3: Use the token
You have now successfully obtained an access bearer token to use in making REST requests to HERE APIs.
Include the token in the HTTP Authorization header of your REST requests as a bearer token:
Authorization: Bearer <token>
Sample REST Request
GET /maptile/2.1/maptile/newest/normal.day/13/4400/2686/256/png8
Host: 1.base.maps.ls.hereapi.com
Authorization: Bearer eyJhbGceOyJSAMPLEiIsImN0eSISAMPLEt7VTFIllwIM0cKNCjN2WCCTqlwEEmk-t3gx1BpqUFoeBSAMPLEvhj8nl-RBGcyoljY...
Cache-Control: no-cache
Note: If you are upgrading to API key and currently have old app code credentials, you can remove them by clicking Remove APP CODE credentials and use your new API key credentials in their place.
For more details refer to the following documentation link: https://developer.here.com/documentation/identity-access-management/dev_guide/topics/dev-token.html

How to use directus /auth/refresh correctly?

I'm using directus to grant users access to ressources required by an SPA written in Angular. To authenticate users I created an auth service and interceptor to handle sessions and attach the "Authorization" header. Those services work fine and login as intended. But here comes the problem:
Directus session times are configured with default values (15 min validity for access_token, 7d for refresh_token) but as soon as the access_token expires I cannot retrieve a new one using the refresh token. This bugs me, because the goal is to keep users logged in for the next 7d (refresh_token lifespan) or until logout if they check this option.
My attempts at achieving this:
Since i'm using graphQL, i tried the "auth_refresh" mutation from the authentication documentation. While the access token is still valid, refreshing works fine. After the access token expired there is no way to retrieve a new one via a valid refresh token.
Alternatively I tried to achieve a refresh via the POST request specified by the docs (to double check if it was some sort of config error with graphql) but I encounter exactly the same problems as with graphQL. Directus returns either "401 unauthorized : Token expired."
if i extend the lifespan of the access token for longer than the server defined lifetime,
Response: Sending a token with prolonged life
or "401 unauthorized : Invalid user credentials." if I request a new token without an
"Authorization" header.
Response: Sending no access token
The refresh token is correctly loaded and sent to the server as specified in the docs in both
cases.
Now my questions are:
Am I missing something? I haven't found any further specification in the docs and the Auth0 protocol specifies that a new access token should be retrievable with a valid refresh token.
If this feature is not intended: How could I achieve a "keep me signed in" option with directus? I would like to keep user rights management in one place and do not really want to handle user auth redundantly for my current use case.
2b. Why is the lifespan of the refresh token so much longer than the lifespan of the access token if this isn't intended?
One of my thoughts is, that it has to do with access rights of the "public" role on the "directus_sessions" table. But I can't think of a way to grant only read rights for owned/received tokens, since there are no payload variables available inside the filters. Could this be the cause? Would there be a way to achieve this?
Thx&Greetz

Retrieve Access Token with LinkedIn JS SDK to use in Back-end

Currently I have both Facebook and LinkedIn Oauth2 flow working fine. Because in some cases I don't want the user to redirect to another page, I use the Facebook JS SDK that works fine, retrieving the access token and sending it to the server where I retrieve user data with REST calls.
Unfortunately, I'm not having success in doing the same with the LinkedIn JS SDK. The official documentation isn't helpful at all in that regard: https://developer.linkedin.com/docs/getting-started-js-sdk.
I retrieve user data in the server because it's easy to forge fake data in the client side and send it to the server, so a client side solution for that is not an option.
If I try to use the token that I get in js in the REST API I get Invalid access token. (401)
There are several opened questions that doesn't have any response (or a helpful response) here in SO:
2015-08-03 - No response:
Javascript: Linkedin Access TOken
2016-05-29 - No response:
can I get access token through LinknedIn JS SDK?
2016-08-31 - No helpful response (data is retrieved in the front-end):
How to Get Access Token Using LinkedIn API JavaScript SDK
2017-06-30 - No helpful response:
LinkedIn OAuth token with Javascript SDK
In the below question, there is a comment that says what I'm already guessing:
[...] Honestly I think the JS API is completely useless like this
because if you can't verify/use the token server-side you basically
cannot trust any of the information.
2015-07-22 - No helpful response (data is retrieved in the front-end):
get linkedin Access Token with JavaScript SDK
There's some information about exchanging the Javascript API tokens with a REST API OAuth token, but in the references I've found the links are broken (and it would be impractical to do this, depending on the complexity, instead of using the token directly, like in the Facebook JS SDK):
http://developer.linkedin.com/documents/exchange-jsapi-tokens-rest-api-oauth-tokens
https://developer-programs.linkedin.com/documents/exchange-jsapi-tokens-rest-api-oauth-tokens
So, I would like to know if there is some way to login with LinkedIn using the JS SDK and retrieve the user data in the back-end using REST calls (like I do in the Oauth2 flow), hopefully with official docs.
I've had the same problem and the only way I found to use the JS token was to add the header oauth_token instead of an Authorization Bearer header:
POST https://api.linkedin.com/v1/people/~:(id,firstName,lastName,picture-url,email-address)?format=json
Headers {
'oauth_token': JS_TOKEN
}
The JS_TOKEN I'm reading on frontend from IN.ENV.auth.oauth_token.
I've been struggling with the same issue for some time, this is the way I solved it (not using the JS SDK):
Step 1: you send your user to the LinkedIn login page, in the redirect_uri param use an endpoint to handle all the logic related to LinkedIn.
Step 2: When the user finishes login in, Linkedin is going to send a GET request to that endpoint, this request will have an "Authorization Token", this token is just a temporal token and it won't allow you to get your user's data.
Step 3: Use the Authorization Token you just received and send a post request to Linkedin
Step 4: Linkedin will send you back an Access Token (this is the one you are looking for), now you can request all the information you want
Step 5: Redirect your user back to your web app.
The structure of the request as well of the anchor tag params are available here: https://developer.linkedin.com/docs/oauth2

Get access token via Paw

Using the Paw app I would like to use the OAuth 2 "Get Access Token" functionality to automatically get or refresh token. I have no problem configuring it with the username and password and getting the proper response. However, the response is a JSON object, not just the access code, so Paw doesn't know what to do with it.
{"accessToken":"JWT content..."}
Error OAuth 2 Response 'Access Token' No access token found in the
response.
Is it possible to tell Paw what property to read in the response in order to get/refresh the access token? Or does it need to be configured with two separate requests (not utilizing the handy built-in OAuth 2 dialogue)?
If you return a JSON object then Paw expects it to be in the format
{"access_token": "....", ...}
which conforms to the OAuth2 standard https://www.rfc-editor.org/rfc/rfc6749#section-4.1.4
I have been unable to find any information on how you could configure Paw to look for a different key.

Authorization environment variable gets replaced when executing request in Paw

I have 3 groups of variables in Paw.app for interacting with my API.
I have:
One called Global for target API (Production, Preproduction, Development).
One for Authentication (Either OAuth2 client_credentials auth or OAuth2 password auth).
One for Accounts (used only when using password Authentication)
My problem just declared and I think it didn’t do this earlier today so I don’t get what going wrong…
When executing a request containing an Header Authorization: {Authorization} which is a Dynamic variable inside my Global environment. The {Authorization} gets replaced by a standard OAuth2 dynamic value.
I made a video to illustrate the problem.
https://youtu.be/izFi9aA8kyg
It seems to happen when I change environment Authentication from Client to Password. (When it needs to request a new token)
One thing you can do to help fix this is to uncheck the box "Automatically get or refresh token" in the OAuth 2 settings. But then you'll need yourself to hit the button "Get Access Token" from your OAuth 2 settings (in your Global environment group) to get a new token when you get an invalid authorization response.
We planned to resolve this and have Paw be smarter and lookup where is the OAuth 2 settings in order to update the token there (instead of replacing the whole header). We should resolve this soon.

Resources