AWS API Gateway: Add header if response is Unauthorized - http

I setup an API Gateway in AWS that uses custom authorizers to implement an OAuth2 flow. It works fine. When the user is not authorized they get a 401 Authorized response. That is correct as well, but I would like to add a header that gives the client the endpoint where it can get the token. Something like AuthorizeUrl: url
How can I add this header to my response?

Unfortunately this isn't possible but it's on our backlog. I know it doesn't really make sense when the client gets a 401 but you can't tell them how to authorize.
I don't have an ETA to provide but I'll add a +1 to the feature request.

AWS added this functionality last year.
Refer to this
To do it manually:
Go to 'Response Headers' in API Gateway Console.
Choose Unauthorized (401)
Below 'Response Headers' add AuthorizeUrl and url
Save and deploy API to some stage.
To add this to Cloudformation, refer to this similar answer.
You can also add this to swagger, by adding this snippet(yaml):
x-amazon-apigateway-gateway-responses:
UNAUTHORIZED:
statusCode: 401
responseParameters:
gatewayresponse.header.AuthorizeUrl:"url"
responseTemplates:
application/json: "{\"message\":$context.error.messageString}"

In the API Gateway console go to the "Method Response" interface. You can add HTTP Status 401. In "Response Headers" add your custom "AuthorizeUrl" header. Then in the "Integration Response" interface you can add the value you'd like for that header.

Related

Linked In API returning 403 (Forbidden) when a request for email-address is made

I am trying to get a user's email address from their Linked In.
I complete the whole OAuth 2.0 Authorization Code Flow and get an access token but when I make a GET request to the endpoint https://api.linkedin.com/v2/me?projection=(email-address), it returns a 403 (Forbidden) HTTP status code.
Here is what happens:
When I specify r_liteprofile r_email-address as the permission in the scope parameter when making a request for an authorization code, and when asking for data, as the fields, the parameter projection=(localizedFirstName, localizedLastName, email-address), I get a 200 HTTP Status code but in the result JSON, I get only the localizedFirstName and localizedLastName values.
If I specify just the r_emailaddress permission in the scope parameter and projection=(email-address) when asking for data, I receive a 403 (Forbidden) Status Code.
If I specify just r_emailaddress in the scope field and leave out specifying any fields, i.e. I hit the https://api.linkedin.com/v2/me endpoint without any parameters (but the access token sent appropriately in the Authorization header as a Bearer scheme token), I get a 403 (Forbidden) HTTP Status Code.
My application does have permission for r_emailaddress as that is a basic permission that is granted to all applications upon creation and does not need approval.
Am I hitting the right endpoint for getting the email address? Everything seems to be alright but I still get a 403. What's going on?
The request to retrieve the email address is:
GET https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))
You need to request the r_emailaddress scope to use this endpoint.
See https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin?context=linkedin/consumer/context for reference.

WSO2 ESB - HTTP 401 Unauthorized Error

I have been creating a Proxy service using service chaining mechanism.
1. First I make a call to an endpoint, get the result and send the result to a sequence.
2. In the sequence, I have a data mapper and then a property to specify the username and password to a secure endpoint and then send mediator to call an endpoint.
However, I have been getting the following error:
HTTPSender Unable to sendViaPost to url[endpoint Url] org.apache.axis2.AxisFault: Transport error: 401 Error: Unauthorized,
With the description as "This request requires HTTP authentication"
The solution I have tried:
1. Tried adding a property "FORCE_HTTP_1.0" to true before making a call to the endpoint.
But nothing seems to work. Any help would be appreciated.
Thanks in advance.
If your backend requires Basic authentication, set the following property before your backend call.
Mmh seems like it's not possible to paste Code from my iPhone. Hope the link works.
https://docs.wso2.com/display/ESB470/Enabling+HTTP+Basic+Authentication+through+a+Proxy+Server
Just set the property "Proxy-Authorization"

Can't get authentication token from web api 2

I am new to Web Api 2. I am trying to build a project to explore token authorization. I created a new project in VS 2013 and selected the WebApi2 template and used Fiddler to emulate http requests. I didn't change anything in the template, just ran it as it was and tried to play with it with Fiddler. I successfully created a user by issuing request to /api/account/register but I can't login by issuing a POST request to the /Token endpoint. The request is:
http://localhost:YYYY/token?grant_type=password&password=admin123456&username=admin
(i also tried to pass the parameters as a json object in the request body).
I get back this:
{"error":"unsupported_grant_type"}
From other posts such as ASP.NET WEB API 2 OWIN Authentication unsuported grant_Type I learned that I needed to enable CORS for web api and at the token endpoint, but that hasn't worked for me.
Are you sure that you are sending POST request message and not GET?
If you simply go to the URL with query string (or open connection to this URL from your code) you are sending GET message by default. It's not what WebAPI with "/token" path is listening for.
If you are calling web service from same place, CORS is not needed. The error "unsupported_grant_type" could be in the format of the data you are passing server in post action.
Try sending with Content-Type application/x-www-form-urlencoded

What http code shall I response if some parameters are not invalid?

I'm creating some restful apis. There is a "register" api, user can POST an "email" and "name" and "password" to register.
On the server side, I will check if the email has been used first. What http code shall I response if I found the email has already been used?
I response 400(bad request) for now, but I don't know if it's correct.
400 Bad Request is correct since there's no specific HTTP code for validation errors.
In a REST API, in general you only ever need to return four HTTP error codes:
401 for unauthorized access
404 for unknown resources
405 for unsupported methods (eg. GET is available but not POST)
400 for everything else

HTTP 401 Unauthorized or 403 Forbidden for a "disabled" user?

An authentication service allows user accounts be disabled (a sort of soft-delete).
If the server then receives an authentication request for a disabled user that would otherwise be valid, should the server return 401 or 403? With either status code, I would return a message indicating that the account had been disabled.
For quick reference, relevant quotes from HTTP/1.1 spec (emphasis mine):
401 Unauthorized
The request requires user authentication. The response MUST include a
WWW-Authenticate header field (section 14.47) containing a challenge
applicable to the requested resource. The client MAY repeat the
request with a suitable Authorization header field (section 14.8). If
the request already included Authorization credentials, then the 401
response indicates that authorization has been refused for those
credentials. If the 401 response contains the same challenge as the
prior response, and the user agent has already attempted
authentication at least once, then the user SHOULD be presented the
entity that was given in the response, since that entity might
include relevant diagnostic information. HTTP access authentication
is explained in "HTTP Authentication: Basic and Digest Access
Authentication" [43].
403 Forbidden
The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated.
If the request method was not HEAD and the server wishes to make
public why the request has not been fulfilled, it SHOULD describe the
reason for the refusal in the entity. If the server does not wish to
make this information available to the client, the status code 404
(Not Found) can be used instead.
Based on an email written by Roy T. Fielding, there's apparently a bug in the current HTTP spec.
The way the spec is intended to be read is as follows (using quotes from above email):
401 "Unauthenticated":
you can't do this because you haven't authenticated
403 "Unauthorized":
user agent sent valid credentials but doesn't have access
So, in the case of a disabled user, 403 is the correct response (and 404 is also an option).
I've got two different answers for what to return in this case.
Semantic choice - 401 Unauthorized. In this case, your client has provided credentials, and the request has been refused based on the specific credentials. If the client were to try again with a different set of credentials, or if the account were to be re-enabled in the future, the same request might succeed.
Security choice - 404 Not Found. Many services will simply return a 404 for any failure, in order to avoid information leakage. Github comes to my mind immediately.
From General API Information, in github's developer docs:
Unauthenticated requests will return 404 to prevent any sort of
private information leakage.
For something I was deploying as a public service, I'd probably go with using 404 to avoid giving an attacker clues about their credential attempts. If it was for internal-only consumption, or in testing, I'd probably return 401.
technically both are correct, it really comes down to how much you want to reveal.
returning a 401 says to the caller that the account isn't valid, which is correct, but if your api is then going to be called again to register a user with the same credentials that call would also fail. which might not be much use to the caller.
so, it really depends on how your api will be used and who/what the target audience is.

Resources