I intend to implement a simple login app with Spring Boot REST API, JWT(Auth0 -java-jwt), and Angular 8. After login, I am receiving a Cookie from the REST API as follows:
Cookie cookie= new Cookie("token",token);
cookie.setPath("/");
cookie.setDomain("localhost");
cookie.setHttpOnly(true);
cookie.setMaxAge(60 * 60 * 24 * 365 * 10);
//cookie.setSecure(true); - for deployment
httpServletResponse.addCookie(cookie);
In the browser(Dev tools, Response headers), I can see the Cookie received, with the correct token. However, I can't see it in chrome://settings/siteData?search, I tried Chrome, Chromium, and Firefox, all showing the same results.
Now, this is how I am sending my request from the Angular client:
const h = new HttpHeaders().append("Authorization", "Bearer ");
this.http.get("http://localhost:8080/api/users", {headers:h, withCredentials: true })
In the request headers, I am not seeing this cookie, and for that reason, I suppose, the request does not get authorized.
What is it that I am missing? Also, I appreciate any articles that demonstrate a simple login with Spring Boot (REST API only, not with Thymleaf or something), Angular and JWT (java-jwt). Thank you.
In my opinion here the problem is that you are sending an Authorzation header without the JWT, in fact you are writing in your code const h = new HttpHeaders().append("Authorization", "Bearer ");.
I had solved a similar problem with fetch in a react application, but I guess that it should be the same for you, without setting Authorization header but setting like you withCredentials: true.
at the end m suggestion is try to remove the header due to with your configuration you does not sending the JWT token
TIPs if in your question you have written a blank token but in your actual production code you are inserting it properly perhaps you should check if your resource server works fine with I do not know... postman curl or something like that
or you should check that your token is a valid token and not an expired token
p.s. in your backend server implementation I saw a very low level details I suggest you to use Spring Security oauth2 module if you are useing a spring boot 2.x or Spring Cloud Security OAuth2 if you are using a Spring Boot 1.5.x version
Related
I'm writing a spring boot backend in java which endpoints are secured by okta.
The application uses the okta api service app integration since only the frontend and never a user is retreiving data from it.
To get a valid access token from the okta api I followed these steps: https://developer.okta.com/docs/guides/implement-grant-type/clientcreds/main/#request-for-token
Sadly all my attempts result in an error.
My postman configuration:
Okta api endpoint:
https://dev-61814681.okta.com/oauth2/default/v1/token
Authentication method:
Basic auth with client id as username and client secret as password
Headers:
accept = application/json
cache-control = no-cache
content-type = application/x-www-form-urlencoded
Body:
grant-type = client_credentials
scope = MyDefault
The response:
400 bad request
It would be nice if someone could push me in the right direction with this one.
It should be grant-type instead of what you wrote (grand-type).
Also, make sure you have defined the "MyDefault" scope in your Okta API app and that it has the necessary permissions for your client to access the endpoints it requires.
Hopefully the typo fixes the issue in this case.
I was able to solve my problem by doing the following:
I took the cURL pictured at https://developer.okta.com/docs/guides/implement-grant-type/clientcreds/main/#request-for-token
After that I inserted my Okta domain, added my authorization (client id and client secret written in the same line seperated by ':' and encoded as base64) and updated the scope from customScope to my own custom scope.
I imported all of that into postman by pressing the import button and inserting the raw text.
Now everithing works fine.
So I am using AWS Cognito as the IDP provider. I have the integration with AWS Cognito working, at least it feels that way.
I have an end-point (http://localhost/api/v1/test-me) which when I open in the browser takes me to the AWS Cognito login window, and upon successful returns the return value of the end-point ({"result": "success"}, HTTP Response Code 200) in this case.
Now, I want to test this end-point in Postman. I followed the solution from this post to configure Postman, and I can successful create an access token. However, when testing the endpoint, with GET http://localhost/api/v1/test-me, I get the sign-in HTML page back in Postman. It shows Status: 200 OK, but it is clearly not letting the call go through to my end-point. I am ensuring that the token is being used with the "Bearer" header prefix.
Not sure what to do here ...
I am practicing an azure sample named OAuth 2.0 Sample for Azure AD Spring Boot Starter Resource Server library for Java.I followed the steps but blocked in Check the authentication and authorization.I have got the access_token successfully, but I don't know how to use it in postman or any other ways. Is there any doc or advice? Thanks very much!
Okay, I added the Authorization in request header, but I got 401 and an error message. And this is way where I got the access_token.
Is there something wrong?
You could do something like below :
You can add the necessary URL and HTTP verb at the top.
You will have to add Authorization Headers in the postman and add the oauth token bearer like below
Authorization : Bearer <Oauth Token>
Update :
I used BlazeMeter's chrome extension to build a .jmx file for testing our login page in JMeter. Most of our application is written in node js. We are using Auth0 for our login and the /login/callback is giving me a 400. I am not sure why. My goal is to test our applications with about 200 users. Any help would be great!
The HTTP 400 Bad Request response status code indicates that the server could not understand the request due to invalid syntax.
Most probably you are getting this error due to malformed request body or missing header, most probably you need to add a HTTP Header Manager and configure it to send Content-Type header with the value of application/json
Also be aware that OAuth authorization flow isn't something you will be able to record and replay, it is all about obtaining an Authorization Bearer token and sending it along with the requests requiring authorization via the aforementined HTTP Header Manager.
There are several ways of obtaining an OAuth token, check out How to Run Performance Tests on OAuth Secured Apps with JMeter guide for more details on bypassing OAuth login challenge in JMeter tests.
I'm going to rewrite my previous question.
Glassfish redirects after form login to the last accessed resource, how do I go about to turn this off?
Our problem is that we get 415 in FF and IE because if I have a JSESSION cookie Glassfish will redirect to the last resource I tried to access but does not switch content type from (x-form-urlencoded).
Pseudo example (requests are the browsers' XMLHttpRequest):
GET /secure/resouce1 (json) -> Response "you're not logged in."
GET /login.xhtml
POST /j_secure (x-form-urlencoded) -> New location /secure/resource1 (x-form-urlencoded)
GET /secure/resource1 (x-form-urlencoded) <- HTTP ERROR 415 content type not JSON.
You will probably need to write a Filter to check for and catch that case. I like this tutorial (hoping the translation to English is understandable).
In my opinion it is better to use Basic or Digest authentication over SSL for RESTful services. Other options are including the credentials as part of the payload or creating a dedicated login service, which accepts credentials and returns a token. There are various reasons why form based authentication is less suitable for RESTful service: it requires a session, it does not use the existing HTTP Authorization and more.
If you need to call your RESTful service using AJAX then using a cookie for authentication can be a valid solution. They should only affect if the user can make a call, but not how the server responds.
If you would like to keep using form based authentication for your application I would suggest adding an additional JAAS authentication provider which will handle the RESTful services authentication. You can read more about it here.
Another option, which should be easier than JAAS, would be using Spring Security or Apache Shiro instead of the container based authentication.
Here is an example of configuring form based authentication with Spring Security. This post shows an example of how to secure RESTful services using Spring Security.
in your login page
reset the JSESSIONID cookie to prevent redirect last page
// login_form.jsp
Cookie jsess = new Cookie("JSESSIONID", null);
jsess.setMaxAge(0);
jsess.setPath(pageContext.getServletContext().getContextPath());
response.addCookie(jsess);