I try to generate a Javascript JDK to connect my SSO (Identity Server 4), when try to retrieve a JwtToken for client call in Post the method {{loginUrl}}/connect/token with body parameters grant_type (client_credentials), client_id, client_secret and scopes.
But when try to retrieve JwtToken for me User table in Identity Server 4 db passing username and password the system return me an error.
Is possible to suggest me an npm library to return me the token (for example authentication.login(username,passwor)).
Thank's
every vanilla javascript method or packege to use
Related
I have a dApp where you login with your Elrond wallet and you generate a signature (containing the wallet address and some more data).
While making requests to an endpoint, I pass the signature on payload and I need to verify it on the backend (so you can't change the wallet address and make requests on someone else's behalf).
I am using PHP with Laravel Framework.
How can I verify the signature on the backend and get the wallet address?
i've written a Laravel SDK for Elrond that can help you with that, or you can copy the logic from: https://github.com/Superciety/elrond-sdk-laravel
note: it's still work in progress & mostly undocumented - i'd welcome any contributions
to verify signatures coming from your dapp, you'd use it this way:
$isValid = Elrond::crypto()->verifyLogin($token, $signature, $address);
where $token is an arbitrary string unique to the user's session to avoid replay
I want to authenticate to Odoo from an express application using token. I am using odoo-xmlrpc node module to connect Odoo with
my express app. Odoo requires users of the API to be authenticated before they can use any other API. And this node module provides this function
const odoo = new Odoo({
url: config.odooUrl,//odoo url
db: config.odooDB,//odoo db path
username: "john#gmail.com",
password: "john_pass123"
});
odoo.connect(function(err, uid) {
if (err) {
errors.auth = "invalid cridentials";
return res.status(400).send(errors);
}
//execute something from/to odoo server
})
The problem is, I have to enter the user's credentials every time I want to execute an Odoo command. And if I store the user's password it would be stored as a plain text.
My question is, is their token-based authentication to Odoo that can be used through API. Or any other alternative solution to my problem
Currently in Odoo unfortunatelly there is no good solution to this. There is work in progress for support for api token access and 2-factor authentication in this pull request: https://github.com/odoo/odoo/pull/33928.
There are also multiple Odoo rest api modules in app store that support token authentication. You can find these with seach ”rest api” or ”token”. To me none of these have been perfect for my use-cases. I look forward to get native support for this in Odoo Community.
In order to get token i post following request:
http://example.com/wordpress/wp-json/jwt-auth/v1/token?username=MYLOGIN&password=MYPASSWORD and in response i get token - that's nice, but... what if i don't want to show username and login in requested URL, even a single time.
Everyone who can see my computer requests can catch my login and password easily. Can I somehow hide this sensitive data in request headers instead of url parameters? I'm using "Chrome Insomnia" App to test REST api and next to PARAMS and HEADERS there is an AUTH tab where i can type username and password - maybe that is the place i could use to send user data to get access token without beeing seen easily?
I tried to login using AUTH tab, but in response:
{
"code": "jwt_auth_bad_auth_header",
"message": "Authorization header malformed.",
"data": {
"status": 403
}
}
Please don't send me back to wp-api documentaion because i couldn't find a clear answer by reading the docs there.
Use OAuth.
It is a secure way to authorize yourself on a REST-Api without having to send your username and password as plain text.
The WP-API documentation has a section called OAuth Authentication. The API uses OAuth 1.0. Basically you have to install the OAuth-Plugin, then generate a Client which automatically gets a Key and a Secret assigned. You can use this pair for a secure authentification.
You can find more detailed information in the link I gave above, it is fairly simple to implement.
To answer your original question on how you can keep people from seeing your passwords in Insomnia, it is recommended that you put sensitive data in an environment variable and reference it in your request.
You can define your environment JSON like this...
{
"username": "MyUsername",
"password": "MyPassword"
}
And reference them in the params tab (or anywhere else) using Nunjucks template syntax like {{ username }} and {{ password }}.
Here's a link to the docs on Environment Variables inside Insomnia.
~ Gregory
Although I agree OAuth (Really OpenID Connect) is a better solution,
USE HTTPS.
Since the SSL/TLS is performed before you make the request, it will be encrypted over the network.
I am building a SPA using vue.js which has a PHP backend server (slim framework 3). These are two separate projects, leave on two different servers and the backend has no front end at all.
SPA (vue.js) makes requests to backend via ajax.
Now I want to implement Google Calendar API to create a calendar and events every time user creates a todo item. To do that I need server to server access to Google Calendar API (I might need to make changes to the event on GCAL even if user is not logged in).
What I am trying to understand, how can I get the access token (and refresh token) using Google JS library using vue.js and save this in the db so that my backend can use it to make offline requests to GCAL Api.
When I use the Oauth v.2 using the JS library, all I get is the access_token which cannot be using for server to server communications.
[UPDATE]
Ok, a little bit more information. I am following the guides from Google and my front end looks like this at the moment
jsbin
So I can successfully authorise user and access their calendar using the javascript sdk. But the token Javascript SDK returns is something like this
{
_aa: "1"
access_token: "xxxxxxx"
client_id: "yyyyyyyyyy"
cookie_policy: undefined
expires_at: "1456400189"
expires_in: "3600"
g_user_cookie_policy: undefined
issued_at: "1456396589"
response_type: "token"
scope: "https://www.googleapis.com/auth/calendar"
state: ""
status: Object
google_logged_in: false
method: "AUTO"
signed_in: true
token_type: "Bearer"
}
I send this token to my backend server and try to make a request to GCAL api as follows
$token = $request->getParam('token');
$client = new Google_Client();
$client->setApplicationName('Web');
$client->setScopes([Google_Service_Calendar::CALENDAR]);
$client->setAuthConfigFile(ROOT_DIR . '/client_secret.json');
$client->setAccessType('offline');
$client->setAccessToken(json_encode($token));
$service = new Google_Service_Calendar($client);
$calendarId = 'primary';
$optParams = array(
'maxResults' => 10,
'orderBy' => 'startTime',
'singleEvents' => TRUE,
'timeMin' => date('c'),
);
$results = $service->events->listEvents($calendarId, $optParams);
And it returns error saying the token is expired. I checked the Google Code and found out the reason it returns this error is because of these lines
public function isAccessTokenExpired()
{
if (!$this->token || !isset($this->token['created'])) {
return true;
}
// If the token is set to expire in the next 30 seconds.
$expired = ($this->token['created']
+ ($this->token['expires_in'] - 30)) < time();
return $expired;
}
As you can see the token that comes from the front end doesn't have created field as well as no refresh_token field.
Thanks for updating the question! I am thinking the issue is that using the client-side flow does not allow you to get a refresh token. From the docs:
OAuth 2.0 client-side flow (AKA Implicit flow) is used to obtain
access tokens (it does not support the issuance of refresh tokens) and
is optimized for public clients known to operate a particular
redirection URI. These clients are typically implemented in a browser
using a scripting language such as JavaScript.
The authorization server MUST NOT issue a refresh token.
see for more: How to get refresh token while using Google API JS Client
You'd need to use the server-auth flow to get a token you can refresh and use long-term. Here's a quickstart guide for PHP.
One other thing to consider is that you will only receive a refresh_token the first time someone authorizes your app. After that, auth attempts will only return an access token. So if you lose the refresh token, you will need to either disable the authorization from your google account, or use the "force re-auth" option in the API.
Can I access Google Analytics data using a service account in a client-side application? If not, are there other ways of achieving the same outcome?
Must be entirely client-side, and must not require users to authenticate (hence the desire to use a service account).
Yes you can in https://code.google.com/apis/console make sure you say that its a Service account it will give you a key file to download. With that you dont need a user to click ok to give you access.
For a service acccount to work you need to have a key file. Anyone that has access to that key file will then be able to access your Analytics data. Javascript is client sided which means you will need to send the key file. See the Problem? You are handing everyone access to your account. Even if you could get a service account to work using javascript for security reasons its probably not a very good idea.
You can use the official (and alpha) Google API for Node.js to generate the token. It's helpful if you have a service account.
On the server:
npm install -S googleapis
ES6:
import google from 'googleapis'
import googleServiceAccountKey from '/path/to/private/google-service-account-private-key.json' // see docs on how to generate a service account
const googleJWTClient = new google.auth.JWT(
googleServiceAccountKey.client_email,
null,
googleServiceAccountKey.private_key,
['https://www.googleapis.com/auth/analytics.readonly'], // You may need to specify scopes other than analytics
null,
)
googleJWTClient.authorize((error, access_token) => {
if (error) {
return console.error("Couldn't get access token", e)
}
// ... access_token ready to use to fetch data and return to client
// even serve access_token back to client for use in `gapi.analytics.auth.authorize`
})
If you went the "pass the access_token back to client" route:
gapi.analytics.auth.authorize({
'serverAuth': {
access_token // received from server, through Ajax request
}
})