I am having trouble being able to validate a users token with OpenAM. Particularly what type of Agent I should create. Is there anyone that can recommend a solution?
Essentially the REST API will read the users OpenAM tokenid and validate the token with OpenAM which then will return data which contains a username. That username can be used in the REST API method to identify who is accessing the method.
Even more simplified is how can I use a OpenAM token to get the OpenAM user info.
Thanks!
You can use the following endpoints:
Authenticate user:
curl --request POST --header "X-OpenAM-Username: demo" \
--header "X-OpenAM-Password: changeit" \
--header "Content-Type: application/json"
"http://openam.example.com:8080/sso/json/authenticate"
{"tokenId":"AQIC5wM2LY4SfcyTReB5nbrLt3QaH-7GhPuU2-uK2k5tJsA.*AAJTSQACMDEAAlNLABMyOTUxODgxODAwOTE0MTA4NDE3*","successUrl":"/sso/console"}
Validate token:
curl --request POST \
--header "Content-Type: application/json" \
"http://openam.example.com:8080/sso/json/sessions/AQIC5wM2LY4SfczadxSebQWi9UEyd2ZDnz_io0Pe6NDgMhY.*AAJTSQACMDEAAlNLABM3MTMzMTYwMzM1NjE4NTE4NTMx*?_action=validate"
{"valid":true,"uid":"demo","realm":"/"}
Get profile attributes:
curl --request GET \
--header "iPlanetDirectoryPro: AQIC5wM2LY4SfczadxSebQWi9UEyd2ZDnz_io0Pe6NDgMhY.*AAJTSQACMDEAAlNLABM3MTMzMTYwMzM1NjE4NTE4NTMx*" \
"http://openam.example.com:8080/sso/json/users/demo"
{"username":"demo","realm":"/","uid":["demo"],"userPassword":["{SSHA}cIgTNGHWd4t4Ff3SHa6a9pjMyn/Z3e3EOp5mrA=="],"sn":["demo"],"createTimestamp":["20160406210602Z"],"cn":["demo"],"givenName":["demo"],"inetUserStatus":["Active"],"dn":["uid=demo,ou=people,dc=example,dc=com"],"objectClass":["devicePrintProfilesContainer","person","sunIdentityServerLibertyPPService","inetorgperson","sunFederationManagerDataStore","iPlanetPreferences","iplanet-am-auth-configuration-service","organizationalperson","sunFMSAML2NameIdentifier","oathUser","inetuser","forgerock-am-dashboard-service","iplanet-am-managed-person","iplanet-am-user-service","sunAMAuthAccountLockout","top"],"universalid":["id=demo,ou=user,dc=openamcfg,dc=example,dc=com"]}
I ended up going with with idFromSession:
curl --request POST \
--header "iplanetdirectorypro: AQIC5wM2LY4SfczUFNs-TJwFrCVAKgR0NulIAyNaIkQmjis.*AAJTSQACMDEA
AlNLABQtNTQ3NDE2Njc5ODk4MjYzMzA2MQ..*" \
--header "Content-Type: application/json"
http://openam.example.com:8080/openam/json/users?_action=idFromSession
Then in my java REST API method I used:
String httpsURL = "https://openam.example.com:8080/openam/json/users?_action=idFromSession";
URL url = new URL(httpsURL);
HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
//add request headers
con.setRequestMethod("POST");
con.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0");
con.setRequestProperty("Accept-Language", "en-US,en;q=0.5");
con.setRequestProperty("Content-Type", "application/json");
// Add session token as header
con.setRequestProperty("iplanetdirectorypro", "AQIC5wM2LY4SfczUFNs-TJwFrCVAKgR0NulIAyNaIkQmjis.*AAJTSQACMDEA
AlNLABQtNTQ3NDE2Njc5ODk4MjYzMzA2MQ..*");
// Send post request
con.setDoOutput(true);
// Read output
BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
Based the HTTP POST off of: https://www.mkyong.com/java/how-to-send-http-request-getpost-in-java/
don't you need cookies to be set ..
Response fieldResponse = given().auth().oauth2( oAuthLogin.getToken())
.config(new RestAssuredConfig().
decoderConfig(
new DecoderConfig("UTF-8")
).encoderConfig(
new EncoderConfig("UTF-8", "UTF-8")
))
.header("iplanetDirectoryPro", oAuthLogin.getToken())
.header("Content-Type", "application/json")
// .contentType("application/json")
.body(myRequest).with()
.when()
.post(dataPostUrl)
.then()
.assertThat()
.log().ifError()
.statusCode(200)
.extract().response();
is failing as bad request 400.Same content header is working in postman.
Only difference i see is cookie.enter image description here
Working as per postman
Not working one which used restassured framework enter image description here
Related
I'm trying to make a multipart request using restassured. The request fails with the tested API telling me that the "information" part of the request is not an object. Here is my code:
RequestSpecification request;
Options options = Options.builder()
.printMultiliner()
.build();
RestAssuredConfig config = CurlLoggingRestAssuredConfigFactory.createConfig(options).multiPartConfig(MultiPartConfig.multiPartConfig().defaultCharset(StandardCharsets.UTF_8));
request = given()
.relaxedHTTPSValidation()
.config(config)
.header("Authorization", "Bearer " + LoginSteps.accessToken)
.queryParam("memberId", memberId)
.queryParam("policyId", policyId)
.contentType(String.valueOf(ContentType.MULTIPART_FORM_DATA))
.multiPart("information", "{\"description\":\"info\"}")
.multiPart("documents", new File(filePath), contentType)
.log().everything();
return request.post(baseUrl + endpoint);
and now here is the weird part. The standard restassured log looks like this:
Request method: POST
Request URI: myUri/?param1=149479812¶m2=19281999
Proxy: <none>
Request params: <none>
Query params: param1=149479812
param2=19281999
Form params: <none>
Path params: <none>
Headers: Authorization=Bearer aToken
Accept=*/*
Content-Type=multipart/form-data; charset=ISO-8859-1
Cookies: <none>
Multiparts: ------------
Content-Disposition: form-data; charset=ISO-8859-1; name = information; filename = file
Content-Type: text/plain
{"description":"info"}
------------
Content-Disposition: form-data; charset=ISO-8859-1; name = documents; filename = testFile.jpg
Content-Type: image/jpg
src\test\resources\testData\testFile.jpg
Body: <none>
Being a bit desperate to determine the cause of the issue, I also turned on curl logging and here's what I saw:
13:58:05.312 [main] DEBUG curl - curl "myUri/?param1=149479812¶m2=19281999" ^
--request POST ^
--header "Authorization: Bearer aToken ^
--header "Accept: */*" ^
--header "Host: theHost" ^
--header "Connection: Keep-Alive" ^
--header "User-Agent: Apache-HttpClient/4.5.13 (Java/11)" ^
--form "information={""description"":""info""};type=text/plain; charset=US-ASCII" ^
--form "documents=#testFile.jpg;type=image/jpg" ^
--compressed ^
--insecure ^
--verbose
As you can see, the content of "information" here has duplicated quotation marks. Which seems to be the cause of why this is failing. I also copy-pasted everything into Postman and it passes, and returns a 201 as expected. Log and screenshot below:
POST myUri/?param1=149479812¶m2=19281999 {
"Request Headers": {
"authorization": "Bearer aToken"
"user-agent": "PostmanRuntime/7.29.0",
"accept": "*/*",
"postman-token": "bb25e9db-87c0-4fdd-959a-e4229ed36e7a",
"host": "host",
"accept-encoding": "gzip, deflate, br",
"connection": "keep-alive",
"content-type": "multipart/form-data; boundary=--------------------------115811667537577795637808",
"content-length": "28196"
},
"Request Body": {
"information": "{\"description\":\"info\"}",
"documents": ""
}
I have honestly no idea what I'm doing wrong here. When I remove the quotation marks, I get no quotation marks. when I insert one I get two in the curl log. I don't think the API is at fault, as the same request works using postman. Can anyone help, please?
After configuring the service to show logs of what requests are arriving, I found out that the quotation marks are not duplicated. It turns out the curl logger was responsible for that. And the request did not pas due to a bug in the API
I have api using curl
curl -X PUT "http://localhost:8080/kie-server/services/rest/server/containers/containerid/tasks/210/expiration" -H "accept: application/json" -H "content-type: application/json" -d "{ \"java.util.Date\" : 1540025263987}"
Now I want to call this api using java code :
I am using javax.ws.rs.PUT class for api calling and HttpConnection class.
I have set the requestMethod(POST) and request property.
This is url i am using :
http://localhost:8080/kie-server/services/rest/server/containers/"+containerId+"/tasks/"+taskId+"/expiration
url = new URL( http://localhost:8080/kie-server/services/rest/server/containers/"+containerId+"/tasks/"+taskId+"/expiration);
conn.setRequestMethod(PUT);
conn.setRequestProperty("Accept", "application/json");
conn.setRequestProperty("Content-Type", "application/json");
I want to pass this parameter to api but not sure which method to use ?
{java.util.Date:1534343434"};
This parameter is passed in body.
Can anyone suggest how do I pass this parameter in java rest api ??
I am new to Oauth, I have application with Spring Oauth2 with xml
configuration. Have taken reference from
http://www.beingjavaguys.com/2014/10/spring-security-oauth2-integration.html
So the URL below to get the token is
http://localhost:8080/SpringRestSecurityOauth/oauth/token?grant_type=password&client_id=restapp&client_secret=restapp&username=beingjavaguys&password=spring#java
It gives the token reseponse.
So here in request url the client_id is hardcoded inside xml file.And I want to send the clientId,grantType at run time.
What things need to be taken care of here.
Normally you would send the client_id/client_secret in a header.
OAuth2 is only secure if https is used as there are secret data transmitted.
Here an example (angularjs):
auth = 'Basic ' + window.btoa(client_id + ':' + client_secret);
$http.defaults.headers.common.Authorization = auth;
$http.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
grantparam= 'grant_type=password&username='+loginData.username + '&password=' + loginData.password;
$http.post('https://localhost:8123/oauth/token?'+grantparam)
here in curl from postman:
curl -X POST -H "Accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic 111111111111111" -H "Cache-Control: no-cache" -H "Postman-Token: 11111111-111111111111111" "https://localhost:8443/sf/api/oauth/token?grant_type=password&username=11111111111&password=**********"
I have a Curl request like:
curl -u "key:value" -H "headers" https://example.com
So, when I try to create a Rest client using this curl request in Java I am confused where to send the -u data in my request. Do we need to send it in Header or as URL parameter. Can somebody help me and tell me how can I send this -u in my Java code?
This is the code I am using:
URL url = new URL("https://example.com");
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setDoOutput(true);
conn.setRequestMethod("POST");
conn.setRequestProperty("Content-Type", "application/json");
conn.setRequestProperty("Headers", "Value");
***conn.setRequestProperty("u", "key:Value");***
The header Authorization: Basic base64encoded(user:pass) works for this question.
I can't find the way to reproduce the following curl oAuth authentication call in Java:
curl 'https://id.herokuapp.com/oauth/token' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Accept: application/json' -H 'Authorization: Basic AUTH_VALUE' -H 'Connection: keep-alive' --data 'username=_USERNAME&password=_PASSWORD&grant_type=password&scope=read%20write&client_secret=_SECRET&client_id=_CLIENT_ID' --compressed
I don't know how to pass the --data value to the call.
If you're using standard java.net.URL it can be done but the syntax is rather cumbersome, I suggest that you try using HTTP Components library. You should end up with something like this:
final HttpUriRequest request = RequestBuilder.get()
.setUri("https://id.herokuapp.com/oauth/token")
.setHeader("Content-Type", "application/x-www-form-urlencoded")
.setHeader("Accept", "application/json")
.setHeader("Authorization", "Basic AUTH_VALUE")
.addParameter("username", "_USERNAME")
.addParameter("password", "_PASSWORD")
.addParameter("grant_type", "password")
.addParameter("scope", "read write")
.addParameter("client_secret", "_SECRET")
.addParameter("client_id", "_CLIENT_ID")
.build();
final HttpClient client = HttpClientBuilder.create().build();
final HttpResponse response = client.execute(request);
final HttpEntity entity = response.getEntity();
System.out.println(EntityUtils.toString(entity)); // or whatever processing you need
GZip/deflate and keep alive handling is provided out of the box if the HttpClient is created using HttpClientBuilder.