I found an extension for generating JWT in Paw, but nothing so far about decoding the tokens and using the payload as dynamic vars.
You can use our JWT Decode extension: https://luckymarmot.com/paw/extensions/?extension_type=dynamic_value&q=jwt
Insert it in the field where you need the decoded value
Paste your JWT in the input filed or extract JWT from a previous response/request with a dynamic value (see screenshot)
Filter the value out of payload by keypath
Related
I have already implemented my own IPersistedGrantStore called PostgresPersistedGrantStore that stores grant in my postgresql database and it works really great.
Now i want to move really forward and i want to get the refresh token from the key that is stored in my postgresql table. But from what i read it is not a proper refreshtoken but a hash to protect the refreshtoken. Is there a way to decrypt, read the refresh token from the key property, using maybe a fuction from the identityserver api?
I am trying to implement my own impersonation workflow, so it would be easy to login as any user using the latest refresh token that exists persisted in my db
A long time has passed since the question had been asked, but I think I'm sharing a relevant information.
Here is the method which is implemented at IdentityServer4.Stores.DefaultGrantStore<T> and actually creates the key for the refresh token.
protected virtual string GetHashedKey(string value)
{
return (value + KeySeparator + GrantType).Sha256();
}
Where
value is the actual value of the refresh token,
KeySeparator is a
constant string field defined at the same class, the
value is ":",
GrantType is 'refresh_token' in this particular case.
This method is being used while creating/validating the refresh token.
I think this information clearly states that there is no way to get the refresh token value by using the key.
Reference:
https://github.com/IdentityServer/IdentityServer4/blob/main/src/IdentityServer4/src/Stores/Default/DefaultGrantStore.cs#L77
Identity Server 4 has a build-in endpoint for this - <server_url>/Connect/Token.
You need to send a POST request to this endpoint, with x-www-form-urlencoded body type, which contains:
refresh_token: current refresh_token
client_id: the client that you are refreshing the token for
client_secret: the secret of the client
grant_type: refresh_token
It will give you back a "refreshed" access_token along with a new refresh_token.
The initial refresh_token you should have received once you have logged in. Have in mind - once refresh_token is used (to get a new access_token) it gets invalidated. This is why you are receiving a new with every request to the endpoint.
Here is some more info about the refresh_token itself.
And here - about the token endpoint.
I have the endpoint POST /login where I send the params Form-Url encoded params email and password. The JSON Response contains the token.
Then I don't know how to tell my other Paw request, to get a valid token if needed. Because I'm not using GET as the Auth URL needs. I don't know if I need to create another endpoint and/or use ClientID and Client Secret. I'm missing the workflow of OAuth2 I think. Could you point to the right direction using a specific example?
Using the Paw app I would like to use the OAuth 2 "Get Access Token" functionality to automatically get or refresh token. I have no problem configuring it with the username and password and getting the proper response. However, the response is a JSON object, not just the access code, so Paw doesn't know what to do with it.
{"accessToken":"JWT content..."}
Error OAuth 2 Response 'Access Token' No access token found in the
response.
Is it possible to tell Paw what property to read in the response in order to get/refresh the access token? Or does it need to be configured with two separate requests (not utilizing the handy built-in OAuth 2 dialogue)?
If you return a JSON object then Paw expects it to be in the format
{"access_token": "....", ...}
which conforms to the OAuth2 standard https://www.rfc-editor.org/rfc/rfc6749#section-4.1.4
I have been unable to find any information on how you could configure Paw to look for a different key.
I'm working on javascript based extension for Paw REST Client - OAuth2 authorization with grant_type:password.
So I send the username and password and receive access_token and refresh_token. Here I want to store somewhere the tokens (with ttl 60m) using only javascript (and this method must be allowed by Paw's engine).
Are there any ways to do this and which of them is best?
I have implemented basic aunthentation from url http://www.asp.net/web-api/overview/security/basic-authentication. Now I have a question that how i send the basic aunthentation to user on login or on register action that is inside controller.
in short how i create a token and integrated in responsed header.
Kindly help me i have spent more then 4 hours on it.
Thanks
The token is created manually from the credentials users provide.
This means that you have to show a login form in your ios application, gather the username and password and then append the authentication header to each request.
The name of the header is Authorization.
The value is computed as follows. You take the username + ':' + password and encode such string to a byte array. Then you get base64 out of the array.
The value of the header is basic [base64ofusernamepassword] where the [base64ofusernameandpassword] is replaced by the base64 of the username and password you just computed previously.
The exact way of appending custom headers to requests can vary depending on the client technology but it should be easy, no matter which technology is used.