GCP Cloud Run service-to-service Authentication using multiple Token - java

I want to build a Cloud Run to Cloud Run communication and use this how-to:
https://cloud.google.com/run/docs/authenticating/service-to-service
I generate an ID token and add it to the Authorization: Bearer ID_TOKEN header. My problem is that I also need to send a custom JWT token in the Authorization header.
Is there a way to pass both tokens in the Authorization header without a custom header? Or does Google Cloud have the option of an alternative header?
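The mechanism the linked how-to describes, as an added example that is not part of the question: the calling service asks the Cloud Run metadata server for an ID token whose audience is the receiving service's URL, then sends it as Authorization: Bearer. The page does not settle where the second token goes; because the Authorization field carries exactly one auth-scheme and credential (RFC 7235), the example carries the application JWT in a separately named header. The header name X-App-Token and the service URL are placeholders, and CloudRunCaller is a hypothetical class, not Google's client library.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

/** Calls a second Cloud Run service with the caller's Google-issued ID token (added example). */
public class CloudRunCaller {

    // Metadata-server endpoint that mints an ID token for the service's runtime service account.
    private static final String IDENTITY_ENDPOINT =
        "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=";

    // Hypothetical header for the application-level JWT: Authorization holds one scheme and one
    // credential, so the second token needs its own header (assumption, not from the page).
    private static final String CUSTOM_TOKEN_HEADER = "X-App-Token";

    private final HttpClient http = HttpClient.newHttpClient();

    /** Fetch an ID token whose audience is the receiving service's URL. */
    public String fetchIdToken(String receivingServiceUrl) throws IOException, InterruptedException {
        HttpRequest request = HttpRequest.newBuilder(URI.create(
                IDENTITY_ENDPOINT + URLEncoder.encode(receivingServiceUrl, StandardCharsets.UTF_8)))
            .header("Metadata-Flavor", "Google") // required by the metadata server
            .GET()
            .build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IOException("metadata server returned HTTP " + response.statusCode());
        }
        return response.body(); // the body is the raw JWT
    }

    /** Google's ID token goes in Authorization; the application JWT travels in its own header. */
    public HttpResponse<String> call(String receivingServiceUrl, String path, String customJwt)
            throws IOException, InterruptedException {
        String idToken = fetchIdToken(receivingServiceUrl);
        HttpRequest request = HttpRequest.newBuilder(URI.create(receivingServiceUrl + path))
            .header("Authorization", "Bearer " + idToken)
            .header(CUSTOM_TOKEN_HEADER, customJwt)
            .GET()
            .build();
        return http.send(request, HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: replace with the receiving service URL and the application JWT.
        String service = "https://receiving-service-PLACEHOLDER-uc.a.run.app";
        String appJwt = args.length > 0 ? args[0] : "<custom-jwt>";
        HttpResponse<String> response = new CloudRunCaller().call(service, "/api/items", appJwt);
        System.out.println("HTTP " + response.statusCode());
    }
}
```

Two checks matter on the receiving side: Cloud Run's IAM layer only accepts the ID token if its audience is that service's URL and the caller's service account holds the invoker role, and the application itself must verify the custom JWT's signature and expiry, since nothing in the platform inspects the extra header.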

Related

Not able to get an access token for my okta api service via postman

I'm writing a Spring Boot backend in Java whose endpoints are secured by Okta.
The application uses the Okta API service app integration since only the frontend, and never a user, is retrieving data from it.
To get a valid access token from the okta api I followed these steps: https://developer.okta.com/docs/guides/implement-grant-type/clientcreds/main/#request-for-token
Sadly all my attempts result in an error.
My postman configuration:
Okta api endpoint:
https://dev-61814681.okta.com/oauth2/default/v1/token
Authentication method:
Basic auth with client id as username and client secret as password
Headers:
accept = application/json
cache-control = no-cache
content-type = application/x-www-form-urlencoded
Body:
grant-type = client_credentials
scope = MyDefault
The response:
400 bad request
It would be nice if someone could push me in the right direction with this one.
It should be grant-type instead of what you wrote (grand-type).
Also, make sure you have defined the "MyDefault" scope in your Okta API app and that it has the necessary permissions for your client to access the endpoints it requires.
Hopefully the typo fixes the issue in this case.
I was able to solve my problem by doing the following:
I took the cURL pictured at https://developer.okta.com/docs/guides/implement-grant-type/clientcreds/main/#request-for-token
After that I inserted my Okta domain, added my authorization (client id and client secret written on the same line separated by ':' and encoded as base64) and updated the scope from customScope to my own custom scope.
I imported all of that into postman by pressing the import button and inserting the raw text.
Now everything works fine.

Oauth v2 Bearer token has Oauth v1 attributes

I have a Java backend app that uses Azure Active Directory. I am using an OAuth2 bearer token to log in. On the backend side I am searching for and using the OAuth2 attribute "preferred_username" and it works. However, when I send the login request from Postman/Insomnia there is an OAuth v1 token with OAuth v1 attributes: instead of "preferred_username" there is "unique_name", and the "ver" attribute is 1.0.
The token type seems to be OAuth2.
What causes this?
Please check the URLs you are currently using to send login request via Postman.
To get v2.0 OAuth2 token, you need to use v2.0 endpoints:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> Overview -> Endpoints
In addition to that, ensure you modify the Manifest file by changing the accessTokenAcceptedVersion value to 2. By default, it will be null for single tenant applications.
I tried to reproduce the same in my environment and got below results:
Initially I generated access token with v2.0 endpoints, leaving Manifest file as default like below:
When I decoded the token, I found OAuth2 v1.0 attributes like below:
In order to get v2.0 token, I changed App's Manifest file like below:
I generated the access token via Postman with parameters like below:
POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
When I decoded the above token, I got OAuth2 v2.0 attributes successfully like below:
In addition to Sridevi's answer, I realized that I needed to add the optional claim preferred_username as below from Azure Active Directory > App registrations > My App > Token Configuration.
Related documentation is https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
Both fixed my issue.

Quarkus Rest Client with Client Credentials Access Token

My quarkus backend is calling a rest web service which requires an access token. The access token is generated using client id, client secret and grant type client credentials. The token is valid for a couple of days.
This quarkus backend then propagates the data to an angular frontend.
I have a couple of questions:
Is there an out of the box implementation from Quarkus framework?
If not, please guide me if I should use httpclient or any other library for getting the access token.
How to check for refresh token?
How to save the access token, so that it can be used for other requests by other users?
Otherwise I end up generating an access token every time a user calls the rest service.
Since there is no answer, I will write here how I implemented this:
I use a java.net.http.HttpClient to call the OAuth server for getting the token with the client id and secret.
I cache the token using quarkus-cache, and when the token expires the quarkus-cache is invalidated and rebuilt with the new token.
Suggestions or better solutions are welcome.
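The client-credentials request described in the Okta thread above (Basic auth with client id and secret, a form-encoded body with grant_type and scope) and the fetch-then-cache approach described in this answer, combined into one added example that is neither poster's code. It replaces quarkus-cache with a plain in-memory expiry check, so the refresh logic is visible, and assumes Java 17+ and a jakarta.json implementation on the classpath (Quarkus provides one); ClientCredentialsTokenProvider is a hypothetical class name.

```java
import java.io.StringReader;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import jakarta.json.Json;
import jakarta.json.JsonObject;
import jakarta.json.JsonReader;

/** Fetches a client-credentials access token and reuses it until shortly before it expires (added example). */
public class ClientCredentialsTokenProvider {

    // Refresh a little early so a request never leaves with a token that expires in flight.
    private static final Duration REFRESH_MARGIN = Duration.ofSeconds(60);

    private final HttpClient http = HttpClient.newHttpClient();
    private final URI tokenEndpoint;   // e.g. https://<okta-domain>/oauth2/default/v1/token
    private final String clientId;
    private final String clientSecret;
    private final String scope;
    private CachedToken cached;        // guarded by the synchronized getter

    public ClientCredentialsTokenProvider(URI tokenEndpoint, String clientId, String clientSecret, String scope) {
        this.tokenEndpoint = tokenEndpoint;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
        this.scope = scope;
    }

    /** Returns the cached token, or fetches a fresh one when it is missing or about to expire. */
    public synchronized String getAccessToken() throws Exception {
        if (cached == null || cached.isExpiringWithin(REFRESH_MARGIN)) {
            cached = requestToken();
        }
        return cached.value();
    }

    private CachedToken requestToken() throws Exception {
        // The parameter name is grant_type with an underscore; a hyphen is rejected by the server.
        String form = "grant_type=client_credentials&scope=" + URLEncoder.encode(scope, StandardCharsets.UTF_8);
        String basic = Base64.getEncoder()
            .encodeToString((clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
        HttpRequest request = HttpRequest.newBuilder(tokenEndpoint)
            .header("Authorization", "Basic " + basic)
            .header("Content-Type", "application/x-www-form-urlencoded")
            .header("Accept", "application/json")
            .POST(HttpRequest.BodyPublishers.ofString(form))
            .build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            // Log the status only; the success body contains the token and must stay out of logs.
            throw new IllegalStateException("token endpoint returned HTTP " + response.statusCode());
        }
        try (JsonReader reader = Json.createReader(new StringReader(response.body()))) {
            JsonObject json = reader.readObject();
            long expiresIn = json.getJsonNumber("expires_in").longValue();
            return new CachedToken(json.getString("access_token"), Instant.now().plusSeconds(expiresIn));
        }
    }

    private record CachedToken(String value, Instant expiresAt) {
        boolean isExpiringWithin(Duration margin) {
            return Instant.now().plus(margin).isAfter(expiresAt);
        }
    }
}
```

In Quarkus this class can be exposed as an @ApplicationScoped bean and injected into the REST client filter. Sharing one token across users is correct here because a client-credentials token represents the backend's own identity, not a user's; the thing to keep per request is the authorization decision for the calling user, which this token does not carry.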

How to obtain 2nd access token in Java for Graph API with a oidc compliant token. OBO flow

I am using the angular-oauth2-oidc library in Angular to login via the PKCE Authorization Flow and then passing the token to my back end to secure my custom API.
The Spring boot back end is acting as the oauth2 Resource Server and securing my custom API's using the token.
SecurityConfiguration.java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and()
            .authorizeRequests().antMatchers("/home").permitAll()
            .and()
            .authorizeRequests().antMatchers("/actuator/health").permitAll()
            .and()
            .authorizeRequests().antMatchers("/**").authenticated()
            .and()
            .oauth2ResourceServer().jwt();
    }
}
By default, Azure AD returns a valid JWT token only for Graph APIs. If you want to use the Azure AD OIDC authentication for your own API, you are dealing with a non-compliant provider.
Thus I created a custom scope in the App Registration → Expose an API page. Then I added this scope in the authorization request initiated by my Angular client along with the default openid scope.
Now that I have this token, which no longer contains the 'nonce' in its JWT header (which I needed in order to secure my custom API), how do I go about using this token to get a new token and then follow the On-Behalf-Of flow to make my Graph API calls?
Is anyone able to guide me in the right direction on how to exactly get the 2nd access token?
You would need to send 2 messages in your API:
Send your access token to the token endpoint, to get a graph access token
Send the graph access token to the user info endpoint
I only have a sample in NodeJS, though the messages are quite simple, involving requests with form url encoded data, and JSON responses. So you should be able to do this fairly easily with any Java HTTP Client:
Sample Code in NodeJS
Blog Post with Screenshots
Allen's samples should demonstrate how to incorporate this into Spring Security.
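The two messages the answer lists, written out in Java as an added example (the answer's own sample is in NodeJS, and this is not that code). Message 1 posts the validated incoming access token to the tenant's v2.0 token endpoint as the assertion of an On-Behalf-Of exchange; message 2 sends the returned Graph token to the Graph user-info endpoint. It assumes Java 17+, a jakarta.json implementation, and that the Spring resource server has already verified the incoming token before it reaches this class; OnBehalfOfClient is a hypothetical class name and the tenant id is a placeholder.

```java
import java.io.StringReader;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;
import jakarta.json.Json;
import jakarta.json.JsonObject;
import jakarta.json.JsonReader;

/** API-token-in, Graph-token-out exchange followed by a user-info lookup (added example). */
public class OnBehalfOfClient {

    private static final String USERINFO_ENDPOINT = "https://graph.microsoft.com/oidc/userinfo";

    private final HttpClient http = HttpClient.newHttpClient();
    private final String tokenEndpoint; // https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
    private final String clientId;
    private final String clientSecret;

    public OnBehalfOfClient(String tokenEndpoint, String clientId, String clientSecret) {
        this.tokenEndpoint = tokenEndpoint;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    /** Message 1: exchange the caller's (already verified) token for a Graph-scoped token. */
    public String exchangeForGraphToken(String incomingAccessToken) throws Exception {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer");
        form.put("client_id", clientId);
        form.put("client_secret", clientSecret);
        form.put("assertion", incomingAccessToken);
        form.put("scope", "https://graph.microsoft.com/User.Read"); // request only what the call needs
        form.put("requested_token_use", "on_behalf_of");
        HttpRequest request = HttpRequest.newBuilder(URI.create(tokenEndpoint))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(encode(form)))
            .build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IllegalStateException("OBO exchange failed: HTTP " + response.statusCode());
        }
        return readJson(response.body()).getString("access_token");
    }

    /** Message 2: present the Graph token to the user-info endpoint. */
    public JsonObject fetchUserInfo(String graphAccessToken) throws Exception {
        HttpRequest request = HttpRequest.newBuilder(URI.create(USERINFO_ENDPOINT))
            .header("Authorization", "Bearer " + graphAccessToken)
            .GET()
            .build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IllegalStateException("userinfo call failed: HTTP " + response.statusCode());
        }
        return readJson(response.body());
    }

    private static String encode(Map<String, String> form) {
        return form.entrySet().stream()
            .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
    }

    private static JsonObject readJson(String body) {
        try (JsonReader reader = Json.createReader(new StringReader(body))) {
            return reader.readObject();
        }
    }
}
```

In the Spring controller the incoming token value is available from the authenticated principal (`@AuthenticationPrincipal Jwt jwt`, then `jwt.getTokenValue()`). The Graph token should stay inside the API: it is minted for the backend's client id and must not be handed back to the Angular client.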

How to communicate between two java servers using public private key API token

I have two Java Spring applications, one is working as client and other as server. Client is Spring RESTful service.
My requirement is:
Once a server wants to communicate with a client, it should send some token. The token will be validated by the client. If the token is valid then the client performs some task and sends a success result. Otherwise the response will be something like "not valid token" and the client does not perform any task for that request.
I think what you need is a JWT token; you can learn about JWT tokens and Java in JWT token, using the Java lib to generate and validate tokens.
The way to transfer the token is to add a custom header in the request headers, so you can just add a filter to intercept the request and validate the token.
If you want to use authorities, not just a simple token, you can use Spring Security and JWT tokens; the demo and reference can be seen in REST Security with JWT using Java and Spring Security and demo.
In my project I use Spring Security + Spring Session REST + Hazelcast; it's also a way to protect my REST API by token.
You can choose the method you need, and if you have any question you can comment under the answer.
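The public/private-key token the question asks for, as an added example that is not the answer's linked demo and uses no JWT library: the server mints an RS256-signed JWT with its private key, and the client, holding only the public key, accepts it if the signature, issuer, audience and expiry all check out. The class name Rs256Token and the issuer/audience strings are hypothetical; the tiny regex claim reader is only adequate for the flat payload minted here, and a real filter would use a JSON parser.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Minimal RS256 JWT minting and verification with the JDK only (added example, hypothetical helper). */
public final class Rs256Token {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final String HEADER = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";

    /** Server side: mint a short-lived token signed with the server's private key. */
    public static String mint(PrivateKey key, String issuer, String audience, long ttlSeconds)
            throws GeneralSecurityException {
        long now = Instant.now().getEpochSecond();
        // issuer and audience are trusted configuration values here, so no JSON escaping is applied.
        String payload = String.format("{\"iss\":\"%s\",\"aud\":\"%s\",\"iat\":%d,\"exp\":%d}",
                issuer, audience, now, now + ttlSeconds);
        String signingInput = b64(HEADER) + "." + b64(payload);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }

    /** Client side: accept only a token whose signature, issuer, audience and expiry are all valid. */
    public static boolean verify(String token, PublicKey key, String issuer, String audience) {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        try {
            // The header's "alg" is deliberately ignored: the algorithm is pinned to RS256 so a
            // token cannot downgrade verification to "none" or to an HMAC over the public key.
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(key);
            sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            if (!sig.verify(B64D.decode(parts[2]))) return false;
            String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
            long exp = Long.parseLong(claim(payload, "exp"));
            return claim(payload, "iss").equals(issuer)
                && claim(payload, "aud").equals(audience)
                && Instant.now().getEpochSecond() < exp;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed base64 or undecodable signature: treat as invalid, not as an error
        }
    }

    // Reads one string or numeric claim from the flat payload minted above.
    private static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\":\"?([^\",}]+)").matcher(json);
        return m.find() ? m.group(1) : "";
    }

    private static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair(); // in practice the client holds only pair.getPublic()

        String token = mint(pair.getPrivate(), "server-a", "client-b", 300);
        System.out.println("valid token accepted:  " + verify(token, pair.getPublic(), "server-a", "client-b"));
        System.out.println("wrong audience rejected: " + !verify(token, pair.getPublic(), "server-a", "other"));

        // Constructed tampering: same header and payload, signature replaced by zero bytes.
        String tampered = token.substring(0, token.lastIndexOf('.') + 1) + B64.encodeToString(new byte[256]);
        System.out.println("tampered token rejected: " + !verify(tampered, pair.getPublic(), "server-a", "client-b"));
    }
}
```

On the client side, the answer's filter idea maps onto a Spring OncePerRequestFilter that reads the custom header, calls verify() with the server's public key, and returns 401 without running the task when it fails; the private key never leaves the server, and a short exp limits how long a leaked token can be replayed.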
