Is it okay if the server returns the API Key and Shared Secret Key when a client tries to log in to the API using Basic Authentication? For example, if a user enters this link http://api.example.com/authorize?auth=some_encoded_Base64_string, the response will be:
Content-Type: application/xml
Date: Fri, 10 Nov 2006 20:04:45 GMT
Transfer-Encoding: chunked
Authorization: apiKey;secretKey
Will I have issues using this method? I wanted it to be like this since the API core methods will only accept APIKey hashes, and in order to obtain those they need to use Basic Authentication as their first step. I'm not gonna use OAuth here for now.
I'm trying out the new ASP.NET Web API for this project.
HTTP does not define an Authorization header in the response so if you need to define a custom header, use X- prefix.
Also from the design point, HTTP headers are to pass data which is orthogonal to the call. You seem to be trying to pass a piece of data which needs to be in the payload so I would refrain from using the headers.
I would pass this data in the payload.
If you use SSL and pass data in the URL, HTTP headers or payload it will be secure.
I am working on a .NET application. I can see that whenever the HTTP status code is 401, a www-authenticate header is appended with the value Bearer.
I want to change it so that it contains the authorization uri as follows
WWW-Authenticate: Bearer authorization_uri="example.com/login"
I have spent lots of time but I am not able to figure out how this token is auto appended in the response when the status code is 401. I can only see that after the call to onsending headers, the www-authenticate header is appended.
I tried to add new www-authenticate header, but I am getting following
WWW-Authenticate: Bearer authorization_uri="example.com/login", Bearer
So I am not able to figure out how the value is auto appended.
Thanks
I figured it out. WindowsAzureActiveDirectoryBearerAuthenticationOptions class is responsible for setting it. We can add options in it like realm.
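Added example, not code from the question or the self-answer: a Web API message handler that emits the Bearer challenge with the authorization_uri parameter on 401 responses produced inside the Web API pipeline, replacing the existing value rather than adding to it so the duplicated `, Bearer` seen above does not occur. The class name BearerChallengeHandler and the login URL are assumptions. The challenge that the OWIN AAD middleware named in the answer adds during OnSendingHeaders is governed by that middleware's options, not by this handler.

```csharp
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Hypothetical handler: wraps every Web API request and rewrites the challenge on 401.
public class BearerChallengeHandler : DelegatingHandler
{
    private readonly string _authorizationUri;

    public BearerChallengeHandler(string authorizationUri)
    {
        _authorizationUri = authorizationUri;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            // Clear first: Add() on the collection appends a second value, which is what
            // produced 'Bearer authorization_uri="...", Bearer' in the question.
            response.Headers.WwwAuthenticate.Clear();
            response.Headers.WwwAuthenticate.Add(
                new AuthenticationHeaderValue("Bearer", "authorization_uri=\"" + _authorizationUri + "\""));
        }
        return response;
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Registered once at startup; the login URL is a placeholder for this example.
        config.MessageHandlers.Add(new BearerChallengeHandler("https://example.com/login"));
        config.MapHttpAttributeRoutes();
    }
}
```

The parameter is quoted because RFC 6750 challenge parameters are quoted-string values; a client parsing the header will otherwise stop at the first unescaped character it does not expect.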
I have encoded my video in azure media services and I want to request the url into my controller (C#).
I check the microsoft site to get the url from https://learn.microsoft.com/en-us/rest/api/media/operations/locator#list_locators
And here is the code:
GET https://<accountname>.restv2.<location>.media.azure.net/api/Locators('nb:lid:UUID:627cbafb-3d81-4623-97c2-2194282b6d16') HTTP/1.1
Content-Type: application/json;odata=verbose
Accept: application/json;odata=verbose
DataServiceVersion: 3.0
MaxDataServiceVersion: 3.0
x-ms-version: 2.11
Authorization: Bearer http%3a%2f%2fschemas.xmlsoap.~~~~
Host: media.windows.net
Does anyone know how to use this request in my C# controller so I can return the video's url?
Couple issues I noticed:
1) your Authorization: Bearer token looks like the old ACS version - make sure that you are using AAD authentication and JWT tokens. See the docs for AAD authentication support in the REST API.
2) To get a Locator, It may be handy to look at the REST API Postman Collection that I created up here - https://learn.microsoft.com/en-us/azure/media-services/postman-collection
That should show you how to create and Get a locator for Streaming.
There is also an article that covers basic Streaming with the REST API here -https://learn.microsoft.com/en-us/azure/media-services/media-services-rest-deliver-streaming-content
NOTE: That documentation page still has the older style Authorization header. Don't copy that header. You will need to use an Auth Header like this:
Authorization: Bearer {{ENCODED JWT TOKEN}}
Full walkthrough on how to get that JWT Token for AAD is here: https://learn.microsoft.com/en-us/azure/media-services/media-services-rest-connect-with-aad but you can also use my Postman collection as a nice quickstart.
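Added example, not from the question, the answer or Microsoft's own samples: a Web API controller action that issues the Locator GET shown in the question from C# with HttpClient, sends the JWT Bearer header form the answer describes, and returns the locator's Path to the caller. The account host, the GetJwtAsync hook (the token itself comes from the AAD walkthrough linked above), the query parameter name and the odata=verbose response shape with a top-level "d" object are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using System.Web.Http;
using Newtonsoft.Json.Linq;

public class LocatorController : ApiController
{
    // Placeholder endpoint: substitute the account name and location for your account.
    private const string ApiBase = "https://<accountname>.restv2.<location>.media.azure.net/api/";

    // Hypothetical hook set at startup, e.g. LocatorController.GetJwtAsync = () => AadTokenHelper.AcquireAsync();
    // It must return the AAD-issued JWT, not the old ACS token shown in the question.
    public static Func<Task<string>> GetJwtAsync;

    private static readonly HttpClient Http = new HttpClient();

    // GET api/locator?locatorId=nb:lid:UUID:...
    [HttpGet]
    public async Task<IHttpActionResult> GetPath(string locatorId)
    {
        // The OData key contains colons, so it is percent-encoded inside the quotes.
        string url = ApiBase + "Locators('" + Uri.EscapeDataString(locatorId) + "')";

        using (var request = new HttpRequestMessage(HttpMethod.Get, url))
        {
            // Same headers as the request in the question; Host is set by HttpClient from the URL.
            request.Headers.Accept.Add(MediaTypeWithQualityHeaderValue.Parse("application/json;odata=verbose"));
            request.Headers.Add("DataServiceVersion", "3.0");
            request.Headers.Add("MaxDataServiceVersion", "3.0");
            request.Headers.Add("x-ms-version", "2.11");
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetJwtAsync());

            using (HttpResponseMessage response = await Http.SendAsync(request))
            {
                string body = await response.Content.ReadAsStringAsync();
                if (response.StatusCode == HttpStatusCode.NotFound)
                    return NotFound();
                if (!response.IsSuccessStatusCode)
                    return StatusCode(response.StatusCode); // log the upstream body server-side; do not echo it

                // Assumed shape for odata=verbose: { "d": { "Id": "nb:lid:UUID:...", "Path": "https://..." } }
                JObject locator = (JObject)JObject.Parse(body)["d"];
                string path = (string)locator["Path"];
                if (string.IsNullOrEmpty(path))
                    return NotFound();

                return Ok(new { locatorId = (string)locator["Id"], url = path });
            }
        }
    }
}
```

The JWT never reaches the browser: the controller holds it server-side and only hands back the streaming URL, which is what the question asks for.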
I'm interested in interfacing with Discord using the Discord API. I would describe their documentation as "sparse," but maybe I'm just not looking in the right places. Most of my information comes from this page:
https://discordapp.com/developers/docs/topics/oauth2
I've already set up my Discord guild and application (and even a bot, which may be unnecessary). My specific plan to is to allow users to give my site permission to add them to a private Discord guild/server. I have a hyperlink on one of my site's pages that references this URL:
https://discordapp.com/api/oauth2/authorize?client_id=[ClientID]&scope=guilds.join&response_type=code&redirect_uri=[RedirectURI]
This part seems to work well. The user approves the request. The user is then sent back to my site with a "code" key-value pair in the query string. I think this code is what is called an "authorization code." So how can I use this authorization code to add the user to my guild? I found this page on the Discord site:
https://discordapp.com/developers/docs/resources/guild#add-guild-member
From that page I can see I need to initiate a PUT to this URL:
https://discordapp.com/api/guilds/{guild.id}/members/{user.id}
But I don't know the {user.id}. I only have an authorization code.
It also says, "... provided you have a valid oauth2 access token for the user with the guilds.join scope." I don't have an access token. Again, I only have an authorization code.
So it seems to me I need to somehow exchange this authorization code for an access token and a user ID. Can someone tell me how to do that? I've been experimenting with the following URL, but I don't know what method (GET, POST, etc.) or what parameters to send it:
https://discordapp.com/api/oauth2/token
Because I'd like to understand the intricacies of how this works, I'd prefer to know how to do this with ordinary Web requests (such as HttpWebRequest and WebClient, as opposed to using some OAuth library).
Update
I decided to read (selectively) this RFC:
https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3
I have linked the section that I think is the most appropriate. It seems the correct procedure is to send a POST request to the following URL and parameters:
https://discordapp.com/api/oauth2/token
grant_type=authorization_code&code=[AuthorizationCode]&redirect_uri=[RedirectURI]&client_id=[ClientID]
This also seems to be in accordance with Peter G's answer. Unfortunately, this request fails with a 401 (Unauthorized) error. So I figured this was a dead end. I've tried it several times, but hopefully there's a solution. I received this response body:
{"error": "invalid_client"}
And I received these headers:
Connection: close
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Alt-Svc: clear
CF-RAY: [RedactedJustInCase]
Content-Length: 27
Cache-Control: no-store
Content-Type: application/json
Date: Fri, 07 Apr 2017 01:12:19 GMT
Set-Cookie: __cfduid=[RedactedJustInCase]; expires=Sat, 07-Apr-18 01:12:19 GMT; path=/; domain=.discordapp.com; HttpOnly
Server: cloudflare-nginx
Via: 1.1 google
You're almost there as far as getting the OAuth token is concerned. You just need to use the other URL listed on the documentation you linked, https://discordapp.com/api/oauth2/token. POST to it with the following parameters: https://discordapp.com/api/oauth2/token?client_id=[ClientID]&grant_type=authorization_code&code=[AuthorizationCode]&redirect_uri=[RedirectURI]&client_secret=[Secret] where the AuthorizationCode is the return from the first URL and the Secret is the client secret you got when first registering your app.
That should get you the client token back (as well as how long it will take for the token to expire) in the response body. As for getting the User object, you need to add scope identify to the first request so you can use the token to call https://discordapp.com/developers/docs/resources/user#get-current-user (in case the link breaks, it's GET users/#me). That API will return the User object in JSON form.
Finally, you can add the user by PUT-ing to https://discordapp.com/api/guilds/[guild.id]/members/[user.id] using the user object you just got.
When using the APIs after getting the client token (the ones to get the user object and put the user in the guild), you need to put the token in the HTTP request under the authorization header using the Bearer auth scheme. Basically, that means the header should be set to "Bearer TOKEN_HERE". You should also use content-type "application/x-www-form-urlencoded" if you weren't already using it.
If there's anything you don't understand here, I strongly suggest reading about oauth from the source RFC (don't worry, these two sections are short): getting an auth code, getting a token, authenticating with Bearer scheme. Them's the breaks when you don't use a library.
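The full sequence the answer describes, as an added example that is not part of the question or the answer, written against HttpClient rather than an OAuth library as the asker preferred. The token request carries client_secret in a form-encoded body, which is what the 401 invalid_client attempt in the update was missing. The class name and every id, secret and token value are placeholders to be read from protected configuration. One detail the answer leaves implicit, taken from Discord's endpoint documentation as I know it: the add-guild-member PUT is authenticated with the application's bot token (the Bot scheme) and carries the user's access token in a JSON body, so the bot the asker created is not unnecessary.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public static class DiscordOAuth
{
    private const string ApiBase = "https://discordapp.com/api";

    // Step 1 (RFC 6749 section 4.1.3): exchange the authorization code for an access token.
    public static async Task<string> ExchangeCodeAsync(HttpClient http, string clientId, string clientSecret,
                                                       string code, string redirectUri)
    {
        // Sent as application/x-www-form-urlencoded in the body, as the RFC specifies.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "authorization_code" },
            { "code", code },
            { "redirect_uri", redirectUri },   // must match the redirect_uri used in the authorize link
            { "client_id", clientId },
            { "client_secret", clientSecret }  // omitting this is what yields {"error": "invalid_client"}
        });

        using (HttpResponseMessage response = await http.PostAsync(ApiBase + "/oauth2/token", form))
        {
            JObject body = JObject.Parse(await response.Content.ReadAsStringAsync());
            if (!response.IsSuccessStatusCode)
                throw new InvalidOperationException("token exchange failed: " + (string)body["error"]);
            return (string)body["access_token"];
        }
    }

    // Step 2: with the identify scope in the authorize link, GET /users/@me returns the user's id.
    public static async Task<string> GetCurrentUserIdAsync(HttpClient http, string accessToken)
    {
        using (var request = new HttpRequestMessage(HttpMethod.Get, ApiBase + "/users/@me"))
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            using (HttpResponseMessage response = await http.SendAsync(request))
            {
                response.EnsureSuccessStatusCode();
                return (string)JObject.Parse(await response.Content.ReadAsStringAsync())["id"];
            }
        }
    }

    // Step 3: PUT /guilds/{guild.id}/members/{user.id}, authenticated as the bot; the user's
    // guilds.join token travels in the JSON body as "access_token".
    public static async Task<bool> AddGuildMemberAsync(HttpClient http, string botToken, string guildId,
                                                       string userId, string accessToken)
    {
        string url = ApiBase + "/guilds/" + Uri.EscapeDataString(guildId)
                   + "/members/" + Uri.EscapeDataString(userId);
        using (var request = new HttpRequestMessage(HttpMethod.Put, url))
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bot", botToken);
            var json = new JObject { { "access_token", accessToken } };
            request.Content = new StringContent(json.ToString(), Encoding.UTF8, "application/json");
            using (HttpResponseMessage response = await http.SendAsync(request))
            {
                // 201 Created when the user was added, 204 No Content when already a member.
                return response.IsSuccessStatusCode;
            }
        }
    }

    // Ties the three steps together once the redirect has delivered ?code=... back to the site.
    public static async Task<bool> JoinUserToGuildAsync(string code)
    {
        // Placeholders; the real values belong in protected configuration, never in source control.
        const string clientId = "[ClientID]", clientSecret = "[Secret]", redirectUri = "[RedirectURI]";
        const string botToken = "[BotToken]", guildId = "[GuildID]";

        using (var http = new HttpClient())
        {
            string accessToken = await ExchangeCodeAsync(http, clientId, clientSecret, code, redirectUri);
            string userId = await GetCurrentUserIdAsync(http, accessToken);
            return await AddGuildMemberAsync(http, botToken, guildId, userId, accessToken);
        }
    }
}
```

A state parameter on the authorize link, checked when the redirect comes back, is the usual addition to this flow so that a code delivered to your redirect_uri is one your site actually requested.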
I'm new to web api and I need to create a server for a client. I have no control over the client - can't change a thing.
The client sends in an html encapsulated json request in a POST body. However, the content-type can vary. What do I need to do to allow my ApiController to process different content-types?
Under the hood, Web Api supports Content Negotiation mechanism to automatically opt the correct formatter based on the header Content-Type in HTTP request.
By default content negotiation supports three formatters: json, xml and form-urlencoded data. If no formatter is found, the client receives HTTP error 406 (Not Acceptable).
See more:
https://learn.microsoft.com/en-us/aspnet/web-api/overview/formats-and-model-binding/content-negotiation
If you need to allow Web Api support another Content-Type, you can write your own custom formatter:
https://learn.microsoft.com/en-us/aspnet/web-api/overview/formats-and-model-binding/media-formatters
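Added example, not from the question or the answer: a custom MediaTypeFormatter that lets the ApiController accept JSON bodies sent under media types the built-in JSON formatter does not claim, plus its registration and a controller that consumes it. The class name, the two media types and the OrderRequest model are assumptions. The formatter only reads, never writes, and fixes TypeNameHandling to None so a "$type" property in an untrusted body cannot choose which CLR type gets instantiated.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Net.Http.Formatting;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using System.Web.Http;
using Newtonsoft.Json;

// Hypothetical formatter: parses the request body as JSON for media types the client
// actually sends but the default JsonMediaTypeFormatter does not handle.
public class LenientJsonFormatter : MediaTypeFormatter
{
    private static readonly JsonSerializerSettings Settings = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.None   // body content must never select the target type
    };

    public LenientJsonFormatter()
    {
        // Assumed media types; add whatever the uncontrollable client really sends.
        SupportedMediaTypes.Add(new MediaTypeHeaderValue("text/html"));
        SupportedMediaTypes.Add(new MediaTypeHeaderValue("text/plain"));
        SupportedEncodings.Add(new UTF8Encoding(encoderShouldEmitUTF8Identifier: false));
    }

    public override bool CanReadType(Type type) { return true; }

    public override bool CanWriteType(Type type) { return false; } // responses keep using the defaults

    public override async Task<object> ReadFromStreamAsync(Type type, Stream readStream, HttpContent content,
                                                           IFormatterLogger formatterLogger)
    {
        using (var reader = new StreamReader(readStream, SelectCharacterEncoding(content.Headers)))
        {
            string text = await reader.ReadToEndAsync();
            try
            {
                return JsonConvert.DeserializeObject(text, type, Settings);
            }
            catch (JsonException ex)
            {
                // Recorded in ModelState so the action can answer 400 instead of failing with 500.
                if (formatterLogger != null) formatterLogger.LogError(string.Empty, ex);
                return GetDefaultValueForType(type);
            }
        }
    }
}

// Constructed model and controller showing the formatter in use.
public class OrderRequest
{
    public string Sku { get; set; }
    public int Quantity { get; set; }
}

public class OrdersController : ApiController
{
    [HttpPost]
    public IHttpActionResult Post(OrderRequest order)
    {
        if (order == null || !ModelState.IsValid)
            return BadRequest("body was not valid JSON for OrderRequest");
        return Ok(new { received = order.Sku, order.Quantity });
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.Formatters.Add(new LenientJsonFormatter());
        config.MapHttpAttributeRoutes();
    }
}
```

Registering the formatter after the defaults means requests with application/json still go through the stock formatter; only the media types listed here reach the lenient one.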
Where do I find the basic HTTP authentication credentials (username and password) in the incoming request to my server?
Is it somewhere in the Request object, or is there some other way to get them?
Running: IIS 7 - ASP.NET - .NET Framework 4 - C#
Basic authentication details will be in the Request.Headers, with the key: "Authorization"
It's a base64 encoded string, which you'll need to decode. Check out this post, there's a code sample in there that demonstrates picking that header apart.
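Serving both the first question on this page (returning the API key and shared secret after Basic authentication) and this last one (where the credentials sit in the request): an added example, not code from any of the posts, that reads the Authorization request header, decodes the Basic credentials with the edge cases a parser should survive, and returns the keys in the JSON body over TLS rather than in a custom response header, as the first answer recommends. The controller, the in-memory credential table and the key values are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Web.Http;

public sealed class BasicCredentials
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public static class BasicAuthHeader
{
    // Returns null for: no header, a non-Basic scheme, invalid base64, or no ':' separator.
    public static BasicCredentials Parse(AuthenticationHeaderValue header)
    {
        if (header == null || string.IsNullOrEmpty(header.Parameter)
            || !string.Equals(header.Scheme, "Basic", StringComparison.OrdinalIgnoreCase))
            return null;

        byte[] raw;
        try { raw = Convert.FromBase64String(header.Parameter); }
        catch (FormatException) { return null; }

        string decoded = Encoding.UTF8.GetString(raw);
        // Split on the FIRST colon: user-ids cannot contain ':' but passwords may (RFC 7617).
        int colon = decoded.IndexOf(':');
        if (colon < 0) return null;

        return new BasicCredentials
        {
            UserName = decoded.Substring(0, colon),
            Password = decoded.Substring(colon + 1)
        };
    }
}

public class AuthorizeController : ApiController
{
    // Constructed sample table (password, apiKey, secretKey); a real service verifies a salted hash.
    private static readonly Dictionary<string, Tuple<string, string, string>> Users =
        new Dictionary<string, Tuple<string, string, string>>
        {
            { "alice", Tuple.Create("correct horse battery staple", "key-ABC123", "secret-XYZ789") }
        };

    // GET /api/authorize with a standard Authorization: Basic header, not ?auth=... in the URL,
    // which would land in server, proxy and browser-history logs. Keys go back in the body over HTTPS.
    [HttpGet]
    public IHttpActionResult Get()
    {
        BasicCredentials creds = BasicAuthHeader.Parse(Request.Headers.Authorization);
        Tuple<string, string, string> entry;
        if (creds == null || !Users.TryGetValue(creds.UserName, out entry)
            || !FixedTimeEquals(entry.Item1, creds.Password))
        {
            var challenge = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            challenge.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api.example.com\""));
            return ResponseMessage(challenge);
        }
        return Ok(new { apiKey = entry.Item2, secretKey = entry.Item3 });
    }

    // Compares without stopping at the first mismatched byte, so timing does not leak the prefix.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

The post the answer refers to is not on this page; the parser above is the part it describes, picking the header apart, with the failure cases returning null so the action can issue a proper Basic challenge instead of throwing.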