I use this shell:
(1)curl -X POST http://localhost:5000/v2.0/tokens -d '{"auth":{"passwordCredentials":{"username": "changzhi", "password":"dddddd"}}}' -H "Content-type: application/json"
And in http.log I find a instance:
(2)url -i -X GET http://10.0.3.139:35357/v3/projects -H "User-Agent: python-keystoneclient" -H "Forwarded: for=10.0.3.139;by=python-keystoneclient" -H "X-Auth-Token: 04ef789a010c6f252a9f572347cac345
Q:In (1), I can get a long json string. It include token.id . But I don not know what the difference between X-auth-token in (2) and token.id . Could someone tell me the difference ?Thank you !
Since the first query is against the endpoint for port 5000, it is handing back a user token.
The second query is against the endpoint for port 35357, typically set up as the management endpoint for Keystone. So that token will be different, plus the call is against /projects not /tokens.
You can pass X-auth-token as a header for subsequent http requests, but realize that admin tokens and user tokens offer differing access to resources.
Keystone services are provided by 2 endpoints, one having port 5000 and other being 35357.
35357 port offers admin related operations whereas port 5000 offers general API functionality.
Tokens can be Scoped (for specific Project/Domain) or Unscoped (generated just with username/password).
When you request a Token using v2 api , you receive tokenId in the response whereas in v3 api the tokenId is in response header for key : X-Subject-Token.
You need to provide X-Auth-Token in every API request . You can also use super user in X-Auth-Token header. Super user token is present in keystone.conf (admin_token key)
Related
I'm trying to use the Linkedin standardized data APIs. But its not clear how to permission myself to this via the Developer Portal.
https://learn.microsoft.com/en-us/linkedin/shared/references/v2/standardized-data/titles#get_all
curl -X GET https://api.linkedin.com/v2/titles -H 'Authorization: Bearer BEARER_TOKEN'
Returns:
{"serviceErrorCode":100,"message":"Not enough permissions to access: GET /titles","status":403}
Whereas
curl -X GET https://api.linkedin.com/v2/me -H 'Authorization: Bearer BEARER_TOKEN'
Returns
HTTP/1.1 200 OK
With Payload
Looks like LinkedIn needs to enable the client_credentials flow but not obvious where to request this: linkedin "this application is not allowed to create application tokens" ?
I have created an application in the developer portal in WSO2 and am trying to generate a token using this curl command:
curl -v -X POST -H "Authorization: Basic <base64encoded clientId:clientSecrect>" -k -d "grant_type=password&username=alex&password=alex123&scope=somescope" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
But I get the below response:
180{"error_description":"A valid OAuth client could not be found for client_id: ClientId","error":"invalid_client"}
I have tried also the following command :
curl -v -X POST -H "Authorization: Basic <base64encoded clientId:clientSecrect>" -k -d "grant_type=client_credentials&client_id=&client_secret=" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
But with no success, I can generate the token from the devportal no problem but while executing it does not recognize the client for some reason. Could someone tell me what might be the problem for this.
You are missing the client id and secret in the Authorization header. You need to base64 encode client id and secret.
curl -k -X POST https://localhost:9443/oauth2/token -d "grant_type=password&username=Username&password=Password" -H "Authorization: Basic Base64(clientid:client_secret)"
curl -k -X POST https://localhost:9443/oauth2/token -d "grant_type=password&username=admin&password=admin" -H "Authorization: Basic VjhZRVdfUldISURZb0hJSU5yOTczVEhqYnBnYTpyVGg4N1VhUERPdGFlN25GUFFLc1pCR2FJdm9h"
So I kinda half solved it because it is still not giving me the desired behavior. In carbon port 9444 I added a user and assigned it roles to the application that I want the token and when executed the curl i got the token did the same thing for carbon but with port 9443 and it still displays as
180{"error_description":"A valid OAuth client could not be found for client_id: ClientId","error":"invalid_client"}
Is there a reason for this?
The following are the complete steps on registering an application in devportal, generating the client credentials, generating the access token, and using the access token to invoke the API calls. Please note that all these steps are achieved via the wso2am-3.2.0 devportal REST API calls.
WSO2 REST APIs are protected using OAuth2 and access control is achieved through scopes. Before you start invoking the API, you need to obtain an access token with the required scopes. This guide will walk you through the steps that you will need to follow to obtain an access token. First, you need to obtain the consumer key/secret key pair by calling the dynamic client registration (DCR) endpoint. You can add your preferred grant types to the payload. A Sample payload is shown below.
{
"callbackUrl":"www.google.lk",
"clientName":"rest_api_devportal",
"owner":"admin",
"grantType":"client_credentials password refresh_token",
"saasApp":true
}
Create a file (payload.json) with the above sample payload, and use the cURL shown below to invoke the DCR endpoint. The authorization header of this should contain the base64 encoded admin username and password. Format of the request
curl -X POST -H "Authorization: Basic Base64(admin_username:admin_password)" -H "Content-Type: application/json" -d #payload.json https://<host>:<servlet_port>/client-registration/v0.17/register
Following is a sample response after invoking the above curl.
{
"clientId": "fOCi4vNJ59PpHucC2CAYfYuADdMa",
"clientName": "rest_api_store",
"callBackURL": "www.google.lk",
"clientSecret": "a4FwHlq0iCIKVs2MPIIDnepZnYMa",
"isSaasApplication": true,
"appOwner": "admin",
"jsonString": "{\"grant_types\":\"client_credentials password refresh_token\",\"redirect_uris\":\"www.google.lk\",\"client_name\":\"rest_api_devportal\"}",
"jsonAppAttribute": "{}",
"tokenType": null
}
Next, you must use the above client id and the secret to obtain the access token. We will be using the password grant type for this, you can use any grant type you desire. You also need to add the proper scope when getting the access token. All possible scopes for devportal REST API can be viewed in the OAuth2 Security section of this document and the scope for each resource is given in the authorization section of resource documentation. Following is the format of the request if you are using the password grant type.
curl -k -d "grant_type=password&username=<admin_username>&password=<admin_password>&scope=<scopes separated by space>" -H "Authorization: Basic base64(cliet_id:client_secret)" https://<host>:<gateway_port>/token
Shown below is a sample response to the above request.
{
"access_token": "e79bda48-3406-3178-acce-f6e4dbdcbb12",
"refresh_token": "a757795d-e69f-38b8-bd85-9aded677a97c",
"scope": "apim:subscribe apim:api_key",
"token_type": "Bearer",
"expires_in": 3600
}
Now you have a valid access token, which you can use to invoke an API. Navigate through the API descriptions to find the required API, obtain an access token as described above and invoke the API with the authentication header. If you use a different authentication mechanism, this process may change.
For further details please refer https://apim.docs.wso2.com/en/3.2.0/develop/product-apis/devportal-apis/devportal-v1/devportal-v1/#section/Authentication
Using the plugin, dropbox media importer in a wordpress app. I add the client key and secret after creating a personal dropbox app with full dropbox permission, I attempt to authorize the request but it returns an error that says invalided client_id or secret. When I try to do the curl request with the client_id & secret I get the same response.
Request:
curl -X POST https://api.dropboxapi.com/2/auth/token/from_oauth1 \
--header "Authorization: Basic <REDACTED>" \
--header "Content-Type: application/json" \
--data "{\"oauth1_token\": \"qievr8hamyg6ndck\",\"oauth1_token_secret\": \"qomoftv0472git7\"}"
Response:
{"error_summary": "invalid_oauth1_token_info/", "error": {".tag": "invalid_oauth1_token_info"}
The /2/auth/token/from_oauth1 endpoint you're attempting to use is only for exchanging existing OAuth 1 access tokens (e.g., as previously retrieved for use with the now-retired Dropbox API v1) for OAuth 2 access tokens.
If you're just integrating now, you wouldn't have any OAuth 1 access tokens, and so shouldn't be using this endpoint. (Accordingly, it's indicating that the oauth1_token and oauth1_token_secret values you're supplying are incorrect; the ones you're using are just copied from the documentation, but you would need to supply your real values.)
Instead, you should implement the Dropbox OAuth 2 app authorization flow. You can find more information in the documentation and guide.
I configured a REST webservice (a Spring Boot webapplication) on WSO2 AM and used the default /* mapping for resources. My webservice takes an assignee (text) and file parameters.
When I perform the calls, I've noticed that request parameters are not forwarded (HTTP Headers are) to the backed services. For example:
curl -i -X POST -H "Content-Type: multipart/form-data" -H "X-PD20-BillingSubscriptionId: e87d4400-b05f-4f40-9c39-06ae4d28cf4d" -H "Authorization: Bearer rrxRV5F6jdkSBcEPXv7I1yFl2x8a" -F "documentFile=#src/test/resources/sample-files/test-fea-1firma.pdf" -F "assignee=bla.bla#gmail.com" http://api.linksmt.it:8280/fea/1.0.0/signRequest
As you can see, It's a form that posts 2 fields, one of them being a file and another a simple text field.
The call is succesfully forwarded to the backed service but without the actual fields values (the headers instead are correctly passed, though their keys are lower-cased, that is "X-PD20-BillingSubscriptionId" is passed as "x-pd20-billingsubscriptionid").
Any hint on why is this happening?
Thanks
Ok, the problem was the same as described in multipart form data file upload using WSO2 API manger ? and I had to uncomment the declarations for
within the $WSO2_AM/repository/conf/axis2/axis2.xml file (and restart the server).
I am working on integrating OAuth2 to a REST API and I would like to know how am I supposed to send the access_token parameter for the requests.
Example:
My server accepts two routes:
POST /write
GET /read
For /write, am I supposed to put the access_token in the POST?
curl http://api.localhost/write -d 'access_token=[ACCESS_TOKEN]'
For /read, am I supposed to put it in the GET?
curl http://api.localhost/read?access_token=[ACCESS_TOKEN]
Or in both cases, is it supposed to be sent through POST?
Thanks,
Gasim
With OAuth, the token is generally passed in the request headers. You may wish to try something similar to the following, for both POST or GET:
POST: curl http://api.localhost/write -H 'Authorization: Bearer ACCESS_TOKEN'
GET: curl http://api.localhost/read -H 'Authorization: Bearer ACCESS_TOKEN'
The value part of the Authorization key/value pair can vary by REST service provider. With Github, for instance, the header key/value pair looks like this:
curl -H "Authorization: token your_token" https://api.github.com/repos/user/repo
You may need to consult the webservice provider docs for details.