I am using Python Requests 2.7.0, and I am trying to pass a authtoken for a Session. I am able to successfully connect using session.auth(user,pass), but I am unfamiliar with how to pass a authtoken into a session.
I tried using headers for the session, but this did not work. Here is the general flow of what I have:
session = requests.Session()
session.headers.update({'Authorization': TOKEN})
...
You are correctly setting a header to be used for all requests sent with the session.
You are probably not setting the header value correctly, however. The Authorization header probably has to follow a specific pattern, as outlined in the documentation for the service you are contacting. It is typical that the value must start with a authentication scheme (like the Basic and Digest authentication schemes, so the value would be <scheme> <token>.
Related
I am using Kong oauth2 plugin to handle authentication for my dash plotly app. Dash plotly does not allow the user to set a custom header for the requests and so it very difficult to add an authentication header to my requests.
These headers work perfectly for normal web pages
"Authorization": "Bearer snakjdnjsbcksnbnddnndnsms" or
"authorization": "snakjdnjsbcksnbnddnndnsms"
However, due to the limitation of Dash Plotly not allowing to set the headers I want to try to send the authorization token in a cookie.
I tried sending a cookie with the "authorization" key and corresponding value via my flask app, however I still get an unauthorized response.
Is this method even possible ? I saw that it works in loopback.token of nodejs using signed cookies. If so how can I achieve this ? Appreciate any help in this regards.
I don’t think, this is even feasible. As per OAuth 2.0 RFC, the access token should be passed as a bearer header.
Typically, it involves
using the HTTP "Authorization" request header field [RFC2617] with an
authentication scheme defined by the specification of the access
token type used, such as [RFC6750].
Link to RFC 6749
How to get Authorization token from a webpage using python requests, i have used requests basicAuth to login, it was worked, but subsequent pages are not accpting te basicAuth, it returns "Authuser is not validated"
There is a login url where i have successfully logged in using python requests's basicAuth. then succeeding pages didn't accept basicAuth credential but it needed authorization header. after looking into browser inspect tool, found out that, this authorization header's value is generated as a part of session local storage. is there any way to get this session value without using webdriver API?
Sounds like what you need is a requests persistent session
import requests
s=requests.Session()
#then simply make the request like you already are
r=s.get(r'https://stackoverflow.com/')
#the cookies are persisted
s.cookies.get_dict()
>{'prov':......}
i can't really get more specific without more info about the site you're using.
I'm currently stopped in my work because of some authentication work on a project.
I set up a REST API, which needs to have a JWT authentication system.
Some work was already done and I overrode it. So the library used was Python's TurboGears2, and I used PyJWT to manage tokens.
My WS and the token's creation works well. The post method with auth info JSON request's body can create a token, that's sent in the response.
But after that, when I do a 'GET' request on the restricted resource, I can't retrieve the token.
What I do: send a GET request to the restricted resource, with "Authorization: Bearer <TOKEN>" in request headers.
But when I do a 'request.authorization' in my web service function, I always get 'None'.
Do I need to set up a full auth system using TurboGears to access this header?
thanks for help
Where are you trying to access the request.authorization from?
I tried with a newly quickstarted application and modified the index to print the authorization header:
#expose('testauth.templates.index')
def index(self):
"""Handle the front-page."""
print(request.authorization)
return dict(page='index')
And I sent the authorization header from Postman.
It worked fine and printed my test header
Authorization(authtype='Bearer', params='HELLO')
I also tried to disable any auth_backend so that authentication is disabled and it still works as expected.
I have an API Key for a Google API that I would like to use in all my requests to it. Some of these requests will originate from within a Google App Engine (Python 2.7) application. I had planned to use the UrlFetch library to complete the POST request, basically as follows:
headers = {'Content-Type': 'application/json'}
payload = {'longUrl': request.long_url}
result = urlfetch.fetch([API_REQUEST_URL],
method=urlfetch.POST,
payload=json.dumps(payload),
headers=headers)
json_result = json.loads(result.content)
I had set a referrer restriction on my API Key to *.[my-app].appspot.com/* with the hope that this would protect my API Key from unauthorized use and negate the need to update an IP-based key restriction (as App Engine IPs change all the time).
This approach as failed me though, because it seems that urlfetch does NOT specify a value for referrer on its own. I assume I could add my own referrer, but then so could anyone else. The approach isn't very secure.
What is the best practice? How should I restrict the key given that I'm using urlfetch from within App Engine? If I do use an HTTP Referrer restriction, which address do I use?
Many thanks.
You got like this error message?
Requests from referer <empty> are blocked.
urlfetch seems not to attach Refer automatically, so you should set Refer in your request header.
headers = {'Content-Type': 'application/json','Referer': '*.[my-app].appspot.com/*'}
As you observed the referrer header can be faked, so setting a referrer restriction on your API Key is rather useless to start with.
But you can add a check based on the X-Appengine-Inbound-Appid header, which is sanitized by the GAE infrastructure and precisely identifies the app. From Issuing a request to another App Engine app:
When issuing a request to another App Engine app, your App Engine app
must assert its identity by adding the header
X-Appengine-Inbound-Appid to the request. If you instruct the URL
Fetch service to not follow redirects, App Engine will add this header
to requests automatically.
To instruct the URL Fetch service to not follow redirects, set the
fetch follow_redirects parameter to False.
Note: If you are making requests to another App Engine application, use its appspot.com domain name rather than a custom
domain for your app.
I am struggling with Jira REST API authentication via kerberos. Basic authentication works as expected.
If I access the login page with the web browser (after I did kinit) and then use the generated JSESSIONID in my python script, I can use REST without getting 401. But I have no ide how to do that with my python script, I tried to use requests_kerberos, but when I request the login page, it simply returns the basic login form instead of automatic login.
Do you know how to use JIRA REST API with kerberos authentication?
Thanks for you answers.
After a day of struggle I finally figured it out.
First you have to send an HTTP GET request to ${jira-url}/step-auth-gss:
r = requests.get("https://example-jira.com/step-auth-gss", auth=requests_kerberos.HTTPKerberosAuth())
Then you get the JSESSIONID from the cookie header and you can REST away:
rd = requests.get(url, headers={"Cookie": "JSESSIONID=%s" % r.cookies['JSESSIONID']})
As explained by VaclavDedik, the first step is to get a valid JSESSIONID cookie (along with atlassian.xsrf.token and crowd.token_key cookies if you use Crowd for user management and SSO) upon successful Kerberos authentication on a private Jira resource / URL.
In Python, the PycURL package makes it very easy to authenticate with Kerberos. You can install it on Windows/Mac OS/Linux either with easy_install or pip. The PycURL package relies on libcurl. You will need to check that your libcurl version is >=7.38.0 as the HTTPAUTH_NEGOTIATE directive was introduced in that very version.
Then, it is as simple as:
import pycurl
curl = pycurl.Curl()
# GET JSESSIONID
curl.setopt(pycurl.COOKIEFILE, "")
curl.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_NEGOTIATE)
curl.setopt(pycurl.USERPWD, ':')
curl.setopt(pycurl.URL, <ANY_JIRA_PRIVATE_URL>)
curl.perform()
# Then REST request
curl.setopt(pycurl.URL, <YOUR_JIRA_REST_URL>)
curl.perform()
curl.close()
Please, check out the following page for detailed examples in Python, PowerShell and Groovy: https://www.cleito.com/products/iwaac/documentation/integrated-windows-authentication-for-non-browser-clients/
Though this is the official documentation of the Cleito IWAAC plugin mentioned by Xabs, this will work with any server-side Kerberos plugin for Jira