I created a users resource for my RESTAPI and now i am able to register a user.
After that i installed passport and i am getting the token.
When i tried to accesss
'/user'
I got as unauthorized.
When i pasted the token in Authorization Header, i was prompted with api_token column is missing, on which i updated my migration for api_token column with string 60.
Again when i tried to access '/user' i am still getting as unauthorized.
Followingly, let me say i got posts generated as resource. I want my moderator or admin only to have delete access not to the user. How can i achieve it? In short, how to control the authorization for resource routes.
Are you using the api middleware and auth:api? Submitting a X-CSRF-TOKEN as well? GET or POST? Need more info to help you out here.
Related
I have used lifeary service builder to build my services. some of my services require that the user is authenticated before he can use them.
how can i generate an auth token and send it in the header or in the URL?
I have tried username#host.com:password#http://localhost:8080/PortletName-portlet/api/jsonws/?serviceClassName=com.service.NameServiceUtil&serviceMethodName=getMyNames&serviceParameters=[userid]&userid=1
and it did not work!
I have made sure i have added the below line in my portal-ext.properties and restarted the server.
json.service.auth.token.enabled=true
What more should i do to be able to pass Auth Token? is there a better method that i can use?
You actually want to use AuthVerifier. This is the best way how to access the Liferay API and be authenticated. It similar to the autologin concept.
Have a look at https://dev.liferay.com/es/discover/deployment/-/knowledge_base/7-0/authentication-verifiers and check out the PortalSessionAuthVerifier class in the source code.
The concept is quite simple. Read the request object and determine who the user is. Perform your custom authentication and return the auth result with the user identification.
I got stock on how to get token. Pls do you have any tutorial on how to get refresh token? Thanks!I currently know how to show a model in a viewer, however, the token will be expire every 2 hours. It is frustrated for me to search online for how to get token. Pls could u help me on this? Thanks!
These two articles should be of help.
About Refresh Token
Landing your Forge OAuth authentication workflow
When requesting an access_token you'll also get back a refresh token that will enable you to get a new access_token without the user having to log in again.
Depending on which programming language and environment you are using you can also use our SDK's to make your life easier.
E.g. in case of Node.js you can just npm install our forge-api package that will have the necessary functions to request an access_token
The steps are:
1) Redirect the user to the Autodesk log-in page (change both the client_id and redirect_uri to match the values that is used by your registered Forge application):
https://developer.api.autodesk.com/authentication/v1/authorize?response_type=code&client_id=xxx&redirect_uri=xxx&scope=data:read
2) Implement in your application the endpoint that you specified for your Forge application's redirect_uri
3) Using the token you got back above request an access_token
https://developer.api.autodesk.com/authentication/v1/gettoken
4) When you need a new access_token you can use the refresh_token that the gettoken endpoint also returned: https://developer.api.autodesk.com/authentication/v1/refreshtoken
I am implementing spring oauth2 for securing my rest api. Basically i am limiting the use of rest api to particular users rather then limiting to every users.
I had implemented the backend and secured my api using spring oauth2.
I am following this steps:
1)Send the GET request with the five parameters.
localhost:8080/SpringRestSecurityOauth/oauth/token?grant_type=password&client_id=Awyi123nasdk89&client_secret=asdj39m32##$s&username=rahul#gmail&password=rahul#9831
2) Server validates the user with the help of spring security and return the json response with access code.
{
"access_token": "22cb0d50-5bb9-463d-8c4a-8ddd680f553f",
"token_type": "bearer",
"refresh_token": "7ac7940a-d29d-4a4c-9a47-25a2167c8c49",
"expires_in": 119
}
3)I access protected resources by passing this access token as a parameter, the request goes something like this:
localhost:8080/SpringRestSecurityOauth/api/users/?access_token=8c191a0f-ebe8-42cb-bc18-8e80f2c4238e
4) In case the token is expired, user needs to get a new token using its refreshing token that was accepted in step(2). A new access token request after expiration looks something like this:
localhost:8080/SpringRestSecurityOauth/oauth/token?grant_type=refresh_token&client_id=restapp&client_secret=restapp&refresh_token=7ac7940a-d29d-4a4c-9a47-25a2167c8c49
All the above step are working fine. Now i need to implement this on my client side. So that a particular client can access this call. I am using HTML/CSS as client side technology.
How client can get the access token? Should it be stored in the browser local storage? Or it should be generated every time the rest call is been made?
Any example would help me to proceed further.
I'm implementing my project like you. I use angularjs and get the access token from response json then store it into cookies.
This link provide sample code for you: http://www.baeldung.com/rest-api-spring-oauth2-angularjs. (See Frontend - Password Flow).
Because refresh token should keep secret and the client is html app, you should see this link http://www.baeldung.com/spring-security-oauth2-refresh-token-angular-js for handling refresh token.
For html client, after obtaining access token using refresh token when access token is expired, I use http-auth-interceptor ([http]://witoldsz.github.io/angular-http-auth/) to retry all rest requests failed because of expired access token.
I'm sorry that I have not enough reputation to post more than 2 links.
I was trying to make Box Enterprise API work using As-User. I have a admin account which i used to try to retrieve the Contents in a sub account.
I first used the admin account to retrieve the User ID of the sub account. And added the User ID as a field "As-User: ########". However, I was returned with a reply of 403.
The error message : "The request requires higher privileges than provided by the access token."
I am using the access token i had used to retrieve the user list. Do I have to get a new access token using the as the new user? or is the admin access token fine?
GET /2.0/folders/0/items HTTP/1.1\r
Host: api.box.com\r
Authorization: Bearer #######################\r
As-User: ########\r
Connection: close\r
\r
The access code is the same access code used to retrieve the user list /user
All the scopes has been checked
Your application must be manually approved by Box for As-User requests. The documentation mentions this but it's easy to miss. To start the approval process send Box a note and include your API Key.
I am unable to add a comment on this, so I would like to add (in case the support staff doesn't give you a head's up) you may have to do this after they enable the As-User header --
Go back to your - Admin Console->Business Settings->Apps
Find the Custom Applications section
Authorize or reauthorize the app you are working with
I had the same problem and found this:
https://support.box.com/hc/ja/community/posts/360049157874-Insufficent-scope-when-trying-to-make-a-call-using-As-User-header
So you should use the scope admin_on_behalf_of.
I'm using box API v2 and successfully with OAuth2. I'm successfully getting the access token back, but in order to avoid the "confused deputy problem" I need to have a way of getting the user id that a given access token relates to.
Is there a way of doing this? I'm trying to use the /tokens endpoint without luck. I read that you need to enable that but I can't find how. Even if I managed to enable it, would that help?
Thanks!
the /users/me endpoint will tell you the user id (and other info) associated with the access token that was used to authenticate the request. Documentation here.