I need get user's profile in wso2 api manager, how could i do that?
Until now, i've done get access token, refresh token and revoke token:
https://localhost:9443/oauth2/token --> access and refresh token
https://localhost:9443/oauth2/revoke --> revoke token
Thanks for help me.
if you define openid as one of the scope, then you would be able to use userinfo endpoint to get the user related info.
Generate token with scope openid
curl -k -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Authorization: Basic NzhfQURZNGdBMWJ6djd0ZVc0Zk11VkpMM0xVYTpQWE55RmZ1ZjlmbkVhUW9NYksyaUxjTFE1dndh" https://localhost:9443/oauth2/token
use that token to request userinfo
curl -k -H "Authorization: Bearer 14e78b764c91a1f18b5566ddbd88c5ff" https://localhost:9443/oauth2/userinfo?schema=openid
by default, response would only contain the sub value.
{"sub":"admin#carbon.super"}
You can define which parameters you should send by configuring the claims in the service provide application in API Manager
for that log in to carbon management console and select the service provider application
under the claim configuration you can set email, lastname, and any other claims you need as 'Requested claims'
ex: http://wso2.org/claims/emailaddress for email
once configured, you would get following kind of response for previous request
{"sub":"admin#carbon.super","family_name":"adhikarinayake","email":"chamilaa#wso2.com"}
Related
I am trying to consume the Flagsmith APIs as documented here .
It seems some APIs like -- /flags/ need "x-environment-key" header, which is working.
But for others like /environments/ "x-environment-key" does not work. I have tried a bearer token authorisation by obtaining the API key ( Authorization: Bearer <> ). But that doesn't work either. There is no clear documentation on the authentication mechanism ( or I have missed it ).
Can someone throw some pointers ?
x-environment-key is for the SDK endpoints, where as /environments is an admin endpoint used in the dashboard to list a project's environments.
Those endpoints are protected via an API token, so you'd need to send
authorization: Token $API_TOKEN
You can find your API token in your account settings under keys
I'm trying to throttle the number of requests a client can make to my translator service which uses Azure Translation API.
The following link from Microsoft describes how to limit requests, but it's not clear where in the request this throttling information should be added. I assume the request headers?
https://learn.microsoft.com/en-us/azure/api-management/api-management-sample-flexible-throttling
Here is the curl. Note the rate limiting headers at the end. Is this the way to do it?
// Pass secret key and region using headers to a custom endpoint
curl -X POST " my-ch-n.cognitiveservices.azure.com/translator/text/v3.0/translate?to=fr" \
-H "Ocp-Apim-Subscription-Key: xxx" \
-H "Ocp-Apim-Subscription-Region: switzerlandnorth" \
-H "Content-Type: application/json" \
-H "rate-limit-by-key: calls=10 renewal-period=60 counter-key=1.1.1.1" \
-d "[{'Text':'Hello'}]" -v
The link you've shared is from API Management, a managed API Gateway available on Azure. The idea is to generate "products" and let your users to subscribe to them. This way, you'll be able to track the requests and perform the throttle using a rate limit policy (the link you've shared).
if needed, please watch this quick video showing this functionality in use:
https://www.youtube.com/watch?v=dbF7uVkGOw0
I need to send access_token to my REST server...
How to send access token to server with GET request?
Is it safe to make request like: https://localhost:8443/docs/1?access_token=12345 ? I am using HTTPS.
As per the OAuth 2.0 standards, it is recommended to pass the Access Token as a bearer header.
Please check RFC 6759 for more information.
I'm trying to get information about videos hosted by Vimeo (from my client's channel, so no rights issues). I'm using Javascript, specifically d3.js.
The request works fine when using the old API, with this type of url :
http://vimeo.com/api/v2/video/video_id.output
For instance, this works in d3.js :
d3.json("http://vimeo.com/api/v2/video/123456789.json", function(error,data){
console.log(data);
}):
But I can't get the new API to work as easily in a simple request, using this type of url for instance :
https://api.vimeo.com/videos?links=https://vimeo.com/123456789
What do I need to do ? Authenticate ? If so, how ? I'd be grateful to get examples in either jQuery of d3.
Vimeo's API documentation is not the best, so you have to dig a little around to actually get the information you need. In your case, you do not need to go through the whole OAuth2 loop if you are simply requesting data from endpoints that do not require user authentication, such as retrieving metadata of videos, as per your use case.
First, you will need to create a new app, by going to https://developer.vimeo.com/apps:
You can simply generate a Personal access token from your Vimeo app page under the section that says Generate an Access Token:
Remember that this token will only be visible once (so copy it when it is generated): and you have to keep it secure! The access token should be part of the Authorization header's bearer token. If you are using cURL, it will look like this:
curl -H "Authorization: Bearer <YourPersonalAccessToken>" https://api.vimeo.com/videos/123456789
Therefore, while you can do the following on your page to retrieve video metadata on the clientside, note that you are actually exposing your private token to the world:
d3.json("https://api.vimeo.com/videos/123456789/")
.header("Authorization", "Bearer <YourPersonalAccessToken>")
.get(function(error, data) {
console.log(data);
});
However, I strongly recommend that you proxy this request through your own server, i.e. create a custom endpoint on your server, say /getVimeoVideoMetadata. This API endpoint will receive the video ID, and will add the secretly stored access token you have on your server before making the request. This will mask your access token from your website visitors.
I am new to the concept of authentication and JWTs. I modified my Sails app to generate JWTs with the help of jsonwebtoken. I sign the JWTs like this: jwt.sign(payload, secret, { expiresInMinutes: 120 });
Doesn't this mean a client having access to the token can access the protected resources?
How should the payload be used? Should I save the user-agent string in the payload and verify it on the client?
Yes, anyone in possession of the token can call your API. That's why everything should go over SSL, and expiration should be in line with the sensitivity of what it is doing.
The JWT will typically be sent on the Authorization header:
Authorization: Bearer {your token here}
BTW, you can test contents/signatures here: http://jwt.io