Auto Renew Token in Paw - paw-app

I have the endpoint POST /login, where I send the form-URL-encoded params email and password. The JSON response contains the token.
Then I don't know how to tell my other Paw requests to get a valid token if needed, because I'm not using GET as the Auth URL needs. I don't know if I need to create another endpoint and/or use Client ID and Client Secret. I'm missing the workflow of OAuth2, I think. Could you point me in the right direction using a specific example?

Related

Need help setting up Postman Collection Authorization with API Token and Credentials

I am learning to connect to one of our 3rd party's API, and the first step in doing so is to first get an access token to use for additional requests.
To get that access token, I send a POST request that includes an API key in the header, along with the username and password in the body (as JSON). And that successfully returns a token.
But how do I set that up in a collection? In Postman I have options of API token, Basic Auth, OAuth2, etc. But I do not see how you set up and include both the API key and user/password.
I've tried different scenarios of just the API key and OAuth2 with credentials, but am unsure how you set it up to include both.

Using HTTP GET Method with Two-factor Authentication

From a security standpoint, is it OK to pass a two-factor code via query strings on a GET request?
Let’s say I have a protected resource that I want to fetch. The user is logged in and has 2FA enabled. Since I want to only fetch a resource I would use the HTTP GET method.
But since the spec does "not allow" a request body for GET requests, how would I securely pass the 2FA token from Google Authenticator or similar? Would it be considered secure to pass the 6-digit code in the URL as a query string?
GET https://example.com/api/my-resource?code=123456
Or would I have to change the endpoint to POST just for the sake of 2FA?

How are authorization tokens stored / recreated by the browser?

I am looking at the network activity of this page: https://helm.csod.com/ux/ats/careersite/4/home?c=helm&lang=de-DE.
Specifically at the POST request with the name "search". It's using an authorization token.
tl;dr: How is the following authorization token stored on the client side?
Goal:
I would like to understand how the browser (client side) stores this authorization token. I don't need to get the data or know how to scrape with Selenium or something. I would just be interested in the mechanics behind it.
What I tried:
I find the token in the page source: view-source:https://helm.csod.com/ux/ats/careersite/4/home?c=helm&lang=de-DE.
It seems like there is an object csod created in /player-career-site/1.15.4/pages/home.js.
Then the key is stored in csod.context.
Finally, csod.player.initialize(csod.context) is called.
Unfortunately, I failed at digging into the code and finding these functions, as there were too many matches for initialize and my JS skills are too bad.
As storage I am only aware of cookies. It might be transformed / encrypted and stored in the cookies? But how is it then restored to the "original" token before being added to the request header?
This seems to be a CSRF prevention method.
The token is created with a key in the back end, which stores the original key in a session and sends the token to the client side.
When the client sends a request, the token is posted as a header or with the data; then the back end gets the stored key from the session, generates the token with the same method and compares it with the posted token. If they are equal there is no problem, access granted.
It is not necessary to restore it, as you can't decrypt that, depending on the algorithm (sha256, md5, etc.).
And the browser doesn't do that; as it can be manipulated, there is no sense in doing so.
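The server-side check described in the answer above, as an added example that is not part of the original answer or of the site in question. The in-memory `SESSIONS` store, the function names and the use of HMAC-SHA256 as the "same method" are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory session store: session id -> per-session secret key.
# The key never leaves the server; only the derived token is sent to the client.
SESSIONS = {}


def _derive(key: bytes, session_id: str) -> str:
    # HMAC-SHA256 is one-way: the client cannot recover the key from the token,
    # which is why nothing has to be "restored" or decrypted in the browser.
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Create a fresh key for the session, store it, return the token for the page."""
    key = secrets.token_bytes(32)
    SESSIONS[session_id] = key
    return _derive(key, session_id)


def verify_token(session_id: str, presented) -> bool:
    """Regenerate the token from the stored key and compare it with the posted one."""
    key = SESSIONS.get(session_id)
    if key is None or not isinstance(presented, str):
        return False
    expected = _derive(key, session_id)
    # Constant-time comparison: does not reveal how many leading characters matched.
    return hmac.compare_digest(expected.encode(), presented.encode())
```
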
The token sent here is a JWT (JSON Web Token). This is a widely used standard authentication mechanism.
You can create your own token in any language like JS, Java, PHP, Python, etc.
I am adding a basic authentication flow:
Let's say a user comes to a form and enters his email & password.
Now an HTTP request is sent to the server with the credentials. The backend server checks the details and, if successful, returns a response containing the authentication token.
Most of the time this token is stored in localStorage and sometimes in cookies.
Now for every request the token is picked from the stored location and sent in the header.
On the backend, it is checked whether the request header has the details or not, and the server then responds accordingly.
At last, whenever someone logs out, that token is removed from the front end.
I hope it helps! Let me know if you have any queries.

Get access token via Paw

Using the Paw app I would like to use the OAuth 2 "Get Access Token" functionality to automatically get or refresh token. I have no problem configuring it with the username and password and getting the proper response. However, the response is a JSON object, not just the access code, so Paw doesn't know what to do with it.
{"accessToken":"JWT content..."}
Error OAuth 2 Response 'Access Token' No access token found in the response.
Is it possible to tell Paw what property to read in the response in order to get/refresh the access token? Or does it need to be configured with two separate requests (not utilizing the handy built-in OAuth 2 dialogue)?
If you return a JSON object then Paw expects it to be in the format
{"access_token": "....", ...}
which conforms to the OAuth2 standard https://www.rfc-editor.org/rfc/rfc6749#section-4.1.4
I have been unable to find any information on how you could configure Paw to look for a different key.
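A client-side parser for the RFC 6749 token response shape the answer above refers to, as an added example (not Paw's code and not from the original posts). It shows why a body keyed `accessToken` is rejected and how `expires_in` can drive automatic renewal; the function names and the 30-second skew are assumptions.

```python
import json
import time


def parse_token_response(body: str, now=None) -> dict:
    """Parse a token endpoint response in the RFC 6749 shape.

    Returns {"access_token", "token_type", "expires_at"}; expires_at is None
    when the server did not send expires_in.
    """
    now = time.time() if now is None else now
    try:
        data = json.loads(body)
    except ValueError:
        raise ValueError("token response is not valid JSON")
    if not isinstance(data, dict):
        raise ValueError("token response is not a JSON object")

    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        # A body such as {"accessToken": "..."} ends up here: the key name
        # differs from the one the standard defines.
        raise ValueError("no access_token found in the response")

    expires_in = data.get("expires_in")
    valid_lifetime = isinstance(expires_in, (int, float)) and not isinstance(expires_in, bool)
    return {
        "access_token": token,
        "token_type": data.get("token_type"),
        "expires_at": now + expires_in if valid_lifetime else None,
    }


def needs_renewal(token: dict, now=None, skew: float = 30) -> bool:
    """True when the token is within `skew` seconds of expiry (assumed margin)."""
    now = time.time() if now is None else now
    expires_at = token["expires_at"]
    return expires_at is not None and now >= expires_at - skew
```
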

Does the redirect_uri param for the access token have to be the same as the one used for the request token

I apologize in advance for some confusion over the terminology. I get a bit confused with the whole OAUTH process.
I've noticed that I need to pass a redirect_uri to the facebook grant access token method even though I can't see how it's being used. My server is making the request and getting the response so there is no redirect going on. Plus it seems that the redirect uri in the granting access token call must be the same one used in the request access token call (I understand that it's needed in the request access token call but not in the grant access token call).
Not sure this is needed but here is the code I'm using in order to get facebook to grant the access token.
    var url = String.Format(
        "https://graph.facebook.com/oauth/access_token?client_id={0}&client_secret={1}&code={2}&redirect_uri={3}",
        this.AppId,
        this.AppSecretKey,
        code,
        System.Web.HttpContext.Current.Server.UrlEncode(this.CallbackUrl)
    );
Yes, to help Facebook verify the request to exchange the auth code for an access token, the redirect_url must be the same for both requests.
You're right in that to get the access token, no actual redirect is performed; the access token is returned in the body of the HTTP response.
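How an authorization server can enforce the matching redirect_uri described in the answer above, following RFC 6749 section 4.1.3. This is an added example of a generic server, not Facebook's implementation and not code from the original posts; the `_CODES` store and the function names are assumptions.

```python
import secrets

# Hypothetical store: authorization code -> parameters of the authorization
# request that produced it (client and the redirect_uri the code was sent to).
_CODES = {}


def issue_code(client_id: str, redirect_uri: str) -> str:
    """Called when the user approves: bind the new code to client and redirect_uri."""
    code = secrets.token_urlsafe(16)
    _CODES[code] = (client_id, redirect_uri)
    return code


def exchange_code(code: str, client_id: str, redirect_uri: str) -> dict:
    """Token endpoint: swap a code for a token, or raise ValueError('invalid_grant').

    No redirect happens here; redirect_uri is only compared with the stored value,
    so a code delivered to one callback cannot be redeemed by naming another.
    """
    # pop() makes the code single-use: it is consumed even when the checks fail.
    bound = _CODES.pop(code, None)
    if bound is None:
        raise ValueError("invalid_grant")
    bound_client, bound_uri = bound
    # Exact string comparison against the value from the authorization request.
    if client_id != bound_client or redirect_uri != bound_uri:
        raise ValueError("invalid_grant")
    # The token is returned in the response body, as the answer notes.
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}
```
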
