Simultaneous authentication through both redirect and API

Hello everyone!

I was faced with the need to somehow authenticate users not only through the redirect mechanism, but also using the API (primarily needed for testing). Maybe you can tell me how to implement such a scheme.

Not sure how that would work? Currently, OAuth2 is the only mechanism to get access tokens.

I mean that users can authenticate by OAuth2, while testers and developers can authenticate by API (they will go through the same stages of checks, only without a redirect to the frontend with the login form).

The problem is that you need two ways of authenticating, roughly speaking, through Postman and through the web.
If I set it up so that authentication first redirects into the frontend (with the login form), that does not work for Postman.

My stack is Ory Hydra and Ory Oathkeeper. I wrote my own auth provider, implementing the login-consent flow. But the frontend page with the auth form is placed in another app, together with the main frontend. I think my flow is not working because I need to implement the login page in the auth provider, where I can understand how to authenticate; in that case I will have only the one needed redirect to OIDC =)

Maybe you can give me the best practice for this case?

You can only use OAuth2 with Hydra; it does not implement any bespoke/closed source flows. Postman does support OAuth2 iirc. You cannot disable the redirection in OAuth2!

Yes, but if the redirects are prepared in the OIDC provider which I wrote, I can create a flow for authenticating from Postman and any other programs like Postman. That doesn't mean that I break the OAuth2 redirects; I decided to do auth from Postman like this:

  1. Get the auth link from Hydra's public API with client_id, response_type and redirect_url
  2. GET request to this link (redirected into the OpenID provider, where I can get the login_challenge)
  3. POST request with the cookie oauth_… and login_challenge to the OIDC provider with credentials (process for auth)
  4. After the POST request Hydra redirects to the callback address, which can get an access token by the auth code, which I return to the requesting client. This is backend-side auth with OAuth.

Hi Kubitre,

I have a similar issue, did you find a way to solve this problem? :slight_smile:

I'm wondering how you create the cookies oauth2_consent_csrf and oauth2_authentication_csrf, because I added these cookies myself on the client side but always encounter the issue “The CSRF value from the token does not match the CSRF value from the data store”. I presume Hydra stores the cookie value somewhere, so it works fine with a browser :thinking:. Do you have any idea, or could you please share some of your experience :)? Thank you!

Hi SimonWangJY,

I solved this problem by adding some logic in my login-consent provider. If the request is made by a browser, it works by redirecting into my login-consent provider.

In my case it works for the browser like this:

  1. Hydra will REDIRECT to my login-consent provider. Additionally, Hydra sets some cookies for authentication.
  2. At this point the browser has some cookies for the authentication operation. The user enters credentials and sends them to the login-consent provider. (In my case it's a POST AJAX request, with the cookies from the cookie storage set into the request HEADERS.)
  3. The login-consent provider accepts or rejects the user in Hydra (checking that the user exists in the system). If the user exists, login-consent accepts the request in Hydra and the user is redirected to the CALLBACK URL, which is my login-consent provider.
  4. After all that, the login-consent provider gets the access token and other info from Hydra by the code in the callback request from Hydra.

Case for Postman-like authentication:

  1. The user goes to Hydra with a GET request. Hydra redirects to login-consent, and this request sets cookies (CSRF tokens) into the cookie storage.
  2. The user transmits the user credentials to login-consent. The user also transmits, in the request, the CSRF tokens from the cookie storage.
  3. Login-consent accepts or rejects the request. After that, it accepts or rejects the request in Hydra via the REST API.
  4. Hydra redirects the request to the CALLBACK, which is my login-consent.
  5. Login-consent gets the information and tokens from Hydra and responds to the client which made this request.

The solution for working with Postman and any other HTTP clients is ONLY for DEVELOP MODE. This case is not used for real production in my company.
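The browser-free developer-mode flow described above, as an added example that is not part of this thread or of Hydra's own code. It assumes Hydra 1.x endpoints (public `/oauth2/auth` and `/oauth2/token`, admin `/oauth2/auth/requests/{login,consent}/accept`), placeholder hostnames and client values, a `requests.Session`-like `http` object whose cookie jar persists between calls, and a `credentials_ok` callback standing in for the provider's own user-store check. The CSRF cookies are never set by hand: the session keeps the ones Hydra issues on the first redirect and replays them when the verifier redirects are followed.

```python
"""Developer-mode login through Hydra's login/consent flow, driven without a browser."""
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed Hydra 1.x endpoints; hostnames, client and user are placeholders.
PUBLIC = "https://hydra.example"        # Hydra public API (placeholder)
ADMIN = "https://hydra-admin.example"   # Hydra admin API (placeholder, never exposed publicly)

def build_auth_url(client_id, redirect_uri, state, scope="openid"):
    """Step 1: the authorization link a browser would normally be sent to."""
    q = {"client_id": client_id, "response_type": "code", "scope": scope,
         "redirect_uri": redirect_uri, "state": state}
    return f"{PUBLIC}/oauth2/auth?{urlencode(q)}"

def query_param(location, name):
    """Pull login_challenge / consent_challenge / code out of a redirect Location."""
    qs = parse_qs(urlparse(location).query)
    if name not in qs:
        raise ValueError(f"redirect carries no {name}: {location}")
    return qs[name][0]

def dev_mode_login(http, client_id, client_secret, redirect_uri, subject, credentials_ok):
    """`http` is a requests.Session-like object; its cookie jar must persist between
    calls because Hydra sets oauth2_authentication_csrf / oauth2_consent_csrf on the
    first redirect and checks them when the verifier URLs are followed."""
    state = "dev-state"  # constructed; a real client uses a random value
    r = http.get(build_auth_url(client_id, redirect_uri, state), allow_redirects=False)
    login_challenge = query_param(r.headers["Location"], "login_challenge")
    # Steps 2-3: the login-consent provider checks the user and accepts via the admin API.
    if not credentials_ok():
        raise PermissionError("invalid credentials; login request left unaccepted")
    r = http.put(f"{ADMIN}/oauth2/auth/requests/login/accept",
                 params={"login_challenge": login_challenge},
                 json={"subject": subject, "remember": False})
    r = http.get(r.json()["redirect_to"], allow_redirects=False)  # CSRF cookie is sent here
    consent_challenge = query_param(r.headers["Location"], "consent_challenge")
    r = http.put(f"{ADMIN}/oauth2/auth/requests/consent/accept",
                 params={"consent_challenge": consent_challenge},
                 json={"grant_scope": ["openid"]})
    # Steps 4-5: Hydra redirects to the callback with ?code=...&state=...; exchange the code.
    r = http.get(r.json()["redirect_to"], allow_redirects=False)
    callback = r.headers["Location"]
    if query_param(callback, "state") != state:
        raise ValueError("state mismatch on callback")
    tok = http.post(f"{PUBLIC}/oauth2/token", auth=(client_id, client_secret),
                    data={"grant_type": "authorization_code", "redirect_uri": redirect_uri,
                          "code": query_param(callback, "code")})
    return tok.json()
```

With a real `requests.Session()` as `http` this runs end to end against a development Hydra; the admin endpoint must stay reachable only from the provider, which is why this stays a development-mode tool.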

Thank you very much for your information; it inspires me a lot. Because in our project we wish to get the token from an API by user credentials for develop mode, this is what I did:

  1. Use one API call to get the challenge ID and the CSRF token from the cookie. If the user credentials are valid, it returns the challenge ID and the oauth2_authentication_csrf cookie.
  2. The second API accepts the login request and also adds the CSRF token into the header, so it can redirect to the consent provider and in the end get the required token.

The reason I separate the two APIs is that I cannot pass login credentials like user name and password to the login provider without opening the browser. Cheers :slight_smile: