I used Java Hipster to create my Rest API. I want to use this Rest API in my Java code (I'm developing an Android application). But I don't understand how authenticate me to use my Rest API !
As example, my api is blabla/api/getUser. With Firebug I tried to understand how call my API. I simulate a HTTP request POST with parameters ?id=x and my token in the header (token I got from the request to login from the browser). It's okay, it works, I have my information.
But now, in my java code, I can't send the same HTTP request because I don't know the token. How can I get it ? How can I log me as admin ?
I know : login for admin, password for admin and the URL of my API and parameters I have to send.
Thank's !
OAUTH2
POST
URL:
http://localhost:8080/oauth/token
in the header:
Authorization: eg. 'BASIC Y2xpZW50aWQ6Y2xpZW50c2VjcmV0'
BASE 64 encoding the client details (source: www.base64encode.org/)
Y2xpZW50aWQ6Y2xpZW50c2VjcmV0 == clientid:clientsecret
in the body:
username
password
grant_type
scope
curl -X POST -vu clientid:clientsecret http://localhost:8080/oauth/token -H "Accept: application/json" -d "username=admin&password=admin&grant_type=password&scope=read"
edit:
in android look at retrofit by square
Related
So long story short, I am creating a java application for android and i need to access the USDA's "food data central" api. It is a REST api and I am using Retrofit to make my calls to the API. I am trying to figure out their example call to their API in the documentation but I am very new to this API stuff so I am a little lost.
They have this listed as their "Example Call"
curl -H "Content-Type:application/json"
-X POST
-d '{"generalSearchInput":"Cheddar cheese"}'
https://DEMO_KEY#api.nal.usda.gov/fdc/v1/search
I know the -X means it is a post command to the API and I believe the -d contains the request parameters but I am completely lost as to what the first line means. Also do you think the last line is the header? or the header and the endpoint. Thank you so much for looking.
Here is the link to the documentation page
What you have there is a http call being made by a tool called curl. It's just a way to make http requests via the command line. The last line is the endpoint.
Here are a few resources to get you started with curl:
The doc page for curl: https://curl.haxx.se/docs/manpage.html
Curl explained in video format: https://www.youtube.com/watch?v=7XUibDYw4mc
The first line sets the header Content-Type to the value application/json.
POST is the http method.
{"generalSearchInput":"Cheddar cheese"} is the body of the request
The last line is the URL containing a placeholder for the API key.
A raw request would look like
POST /fdc/v1/search HTTP/1.1
Authorization: Basic REVNT19LRVk6
User-Agent: curl/7.29.0
Host: localhost
Accept: */*
Content-Type:application/json
Content-Length: 39
{"generalSearchInput":"Cheddar cheese"}
I have a simple nativeScript application (ng-groceries ), which I created by following up a tutorial. And Now I have also managed to get Jhipster Microservice and Jhipster Microservice Gateway App is up and running. I am trying to login from nativeScript app to Jhipster app. I have searched many places, tried to understand generated code , but not able to figure out the solution. I know this has to do something with JWT token, Can someone please point me in the correct direction, or give an approach to the solution. It will be great help.
OK.
I have tried following things:
Tried calling http://169.254.86.103:8080/FITHSERVICEMONGO/api/authenticate/" in loginService.ts. but can not see any thing on the console of Jhipster service server.
169.254.86.103 is the external IP given when I start Jhipster service app by mvnw.
FITHSERVICEMONGO is the name of my service app.I had also tried removing this from url.When I login from gateway app from UI,the request that gets is http://169.254.86.103:8080/api/authenticate.I had tried with this too. same ,nothing on service console nor on gateway app console. both are started by mvnw
To check of this IP is really accessible from my emulator . I tried accessing //169.254.86.103:8080/#/ from emulator browser. It works.
The gateway application works in browser. where as //localhost:8080/#/. was not working.
I was expecting that, when I send an authenticate request with params as username and password. I will get a JWT token in return and that token I will pass with every subsequent request.
the syntax of my code is :
http.post(
//BackendService.apiUrl + "oauth/token",
"BackendService.apiUrl" + "/FITHSERVICEMONGO/api/authenticate/",
JSON.stringify({
username: user.email,
password: user.password
}),
{ Content-Type: "application/json"}
)
To authenticate a third party front-end app with JHipster's back-end you can do the same thing as the angular front-end, calling /api/authenticate and using passing the received the jwt token in api headers. Swagger UI is your friend on order to achieve this.
Here is how to retrieve the JWT token using curl:
curl -X POST localhost:8080/api/authenticate -d '{"password":"admin","username":"admin"}' -H 'Content-Type: application/json'
Sample authenticated request:
curl -X POST localhost:8080/api/users -H 'Authorization: Bearer YOURTOKENHERE'
I have an application that use oAuth2, and I try to request an access token from terminal with this command
curl -X POST -vu clientapp:123456 http://localhost:8080/oauth/token -H "Accept: application/json" -d "password=spring&username=roy&grant_type=password&scope=read%20write&client_secret=123456&client_id=clientapp"
it works fine and I get a response like this
{"access_token":"29c4c218-1d9a-4d2d-abe3-197bc2969679","token_type":"bearer","refresh_token":"6b7ffda7-4652-4197-b8e9-c80635eb9143","expires_in":38630,"scope":"read write"}
but the problem is when I try to request an access token via postman is always get this error:
Handling error: InvalidClientException, Unauthorized grant type: client_credentials
how do get access token via postman like I get token via curl command?
check the attached image, you need to pass like below .
And in header you also need to pass Authorization header.
Authorization --> Basic Y2xpZW50OnNlY3JldA==
This will work for me , I hope this will help you .
Please see the screenshot attached.
In the body, Just select x-www-form-urlencoded and then provide the grant_type and client_credentials in the as key value pair.
I'm developing a Java application which uses GitHub API to download Zips of users' repositories, but every time I execute it, it exceeds the rate limit . How can I authorize my Java application to reach 5000 requests per hour?
I don't want to use other libraries, just pure GitHub API
I have a token I can use to authorize
from https://developer.github.com/v3/
Increasing the unauthenticated rate limit for OAuth applications
If your OAuth application needs to make unauthenticated calls with a
higher rate limit, you can pass your app's client ID and secret as
part of the query string.
curl -i
'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy'
from https://developer.github.com/v3/ there are two ways once you have OAUTH token
OAuth2 Token (sent in a header)
curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com
OAuth2 Token (sent as a parameter)
curl https://api.github.com/?access_token=OAUTH-TOKEN
e.g. curl https://api.github.com/rate_limit?access_token=xxxxxxxxxxxxx
Getting OAUTH (access) token Refer - https://developer.github.com/v3/oauth_authorizations/#create-a-new-authorization
Approach 1
Using your user id and password (as used to login on the web)
curl -X POST https://api.github.com/authorizations -d '{ "scopes": ["public_repo"],"note": "admin script"}' -u :
Approach 2
Using your application's client id and secret
curl -X POST https://api.github.com/authorizations -d '{ "scopes": ["public_repo"],"note": "admin script", "client_id": "", "client_secret": ""}'
Approach 3
curl -X PUT https://api.github.com/authorizations/clients/ -d '{ "scopes": ["public_repo"],"note": "admin script", "client_secret": ""}'
In the response of the any of the above calls you would get a value
"token": "abcdefgh12345678",
This is the OAUTH or access token. Keep a copy of this token.
You should be able to generate the token using the web as well https://github.com/blog/1509-personal-api-tokens
Since we have acquired this token with access to only the public repo, it should be safe to use it for gain in TPS.
I'm trying to understand and implement a client credentials flow between our new REST server and our existing client app. I've setup spring-security OAuth2 like this. From my understanding so far, my server should now support the following request:
$ curl -X -v -d 'client_id=the_client&client_secret=secret&grant_type=client_credentials' -X POST "http://localhost:9090/oauth/token"
but I get
InsufficientAuthenticationException: There is no client authentication
caused by the Principal being null here (spring-security code) :
#FrameworkEndpoint
#RequestMapping(value = "/oauth/token")
public class TokenEndpoint extends AbstractEndpoint {
#RequestMapping
public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal,
#RequestParam("grant_type") String grantType, #RequestParam Map<String, String> parameters) {
if (!(principal instanceof Authentication)) {
throw new InsufficientAuthenticationException(
So it seems, I need to authenticate against the server first. But that's not what I want to do. I want two of my servers to talk to each other using a shared secret. The OAuth provider server should provide an access token to the (trusted) client server on request so that the client server can then use that token to access all REST resources on the server. This should protect the REST resources from external access.
Later I want to provide selected resources to a third party and eventually implement some finer grained security for the server-to-server communication as well. But for now I need to protect the REST server from external access.
Looks like I might have some misunderstandings about the whole client credentials flow or the application of spring-security right there so any clarification would be greatly appreciated.
You are not authenticating your client to the Authorization server.
You need to do something like this:
curl --user the_client:secret --data "grant_type=client_credentials" http://localhost:9090/oauth/token
This is authenticating the client to the authorization server and then specifying grant_type and other parameters. This will return an access token of type 'bearer' with scope determined by the oauth client details. Once you have the token, you can access your protected resources by setting the Authorization header:
curl -H "Authorization: Bearer <accessToken>" <resourceUrl>