Hi @dbd5. This repository was last updated over 4 years ago now, and there are better, more robust solutions now. If you're looking for a couple, I'd recommend (in no particular order):
Mutual TLS
Ncryptf (https://github.com/ncryptf/), if you like this style of authentication but need additional encryption on top of TLS 1.3
Hello,
I am trying to play with the refresh endpoint so I can get a general understanding of how things work.
After a successful login / authentication I use the static HMAC::generate() to generate the HMAC authorisation header (V1 - set version = 1 in the call to Authorization) as follows:
```php
// Log the generated Authorization header value so it can be copied into Postman
Yii::warning(\common\yrc\tests_support\HMAC::generate(
    '/v1/user/refresh',
    [
        "access_token" => "PAX4R4CJPW56UGDOC65EGHH6GQAVWGQ6PD6VERHF6W2XS5EC555Q",
        "refresh_token" => "IG36HCPXTNYFIBOHDT7IXAV3QEDYMGPIVSSE6XXW3Z5TD6YEGXZR3XZIYNK2BBGLXFY3XX5IDL2FDLRKY736VFB4B7V3A44WT4WCE6I",
        "ikm" => "4rUgb3f0hJVhUcyrw5495VcBC+sCS1biBxL5hoq+WZU=",
        "expires_at" => 1716902878,
        "secret_sign_kp" => "gVpGYJkATcwgMUbWtZL604VbNB7X6dw6GnSxEaCTqZahM99vqrwMSQWyEwseOsap1rHugbwxXUqn2gX0NnDKqQ==",
    ],
    'post',
    new DateTime(),
    ["refresh_token" => "IG36HCPXTNYFIBOHDT7IXAV3QEDYMGPIVSSE6XXW3Z5TD6YEGXZR3XZIYNK2BBGLXFY3XX5IDL2FDLRKY736VFB4B7V3A44WT4WCE6I",],
));
```
I then set this as the Authorization header in Postman and also set the X-Date header.
When I make a Postman call to https://api.localhost/v1/user/refresh with the payload "refresh_token" => "IG36HCPXTNYFIBOHDT7IXAV3QEDYMGPIVSSE6XXW3Z5TD6YEGXZR3XZIYNK2BBGLXFY3XX5IDL2FDLRKY736VFB4B7V3A44WT4WCE6I", I always get "Your request was made with invalid credentials."
In debugging this, I have set the driftAllowance to an unreasonably high number just to isolate timing in Authorization->verify().
It appears that the $hmac never matches $auth->getHMAC() in the lines:
```php
// Constant-time comparison of the recomputed HMAC against the one presented in the header
if (\sodium_memcmp($hmac, $auth->getHMAC()) === 0) {
    return true;
}
```
I'd appreciate your insights on what I could be doing wrong.
Thanks
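A round trip of the kind the post describes (the client signs the method, path, X-Date and body; the server recomputes the MAC over the request it received and compares in constant time, as the sodium_memcmp line does), written as an added example that is not code from the original post or from the yrc library. The header layout `HMAC v1 <access_token> <base64 mac>`, the canonical string, keying HMAC-SHA256 directly with the decoded ikm, the server-side credential lookup and every token and key value are assumptions constructed for this example; the library's actual format differs. What it shows is the failure mode left over once the credentials and the drift allowance are ruled out: the bytes hashed when signing are not the bytes the HTTP client sent, so the same JSON payload re-serialised with whitespace, or sent form-encoded, produces a MAC mismatch that is indistinguishable from bad credentials at the compare.

```python
import base64
import hashlib
import hmac
import json
import time
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Optional, Tuple

# Constructed sample credentials: placeholders, not the tokens from the issue.
ACCESS_TOKEN = "EXAMPLE-ACCESS-TOKEN"
IKM_B64 = base64.b64encode(bytes(range(32))).decode()  # 32 bytes of key material
DRIFT_ALLOWANCE = 90  # seconds of X-Date skew the server tolerates (assumed)

# Hypothetical server-side store: access_token -> base64 initial key material
CREDENTIALS = {ACCESS_TOKEN: IKM_B64}


def canonical_string(method: str, path: str, date: str, body: bytes) -> bytes:
    """The bytes that get MACed. Method, path, X-Date and a hash of the exact
    body bytes all go in, so any byte-level difference changes the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, date, body_hash]).encode()


def sign(access_token: str, ikm_b64: str, method: str, path: str,
         body: bytes, date: Optional[str] = None) -> dict:
    """Client side: produce the Authorization and X-Date headers for one request."""
    if date is None:
        date = format_datetime(datetime.now(timezone.utc), usegmt=True)
    key = base64.b64decode(ikm_b64)
    mac = hmac.new(key, canonical_string(method, path, date, body), hashlib.sha256).digest()
    return {
        "Authorization": f"HMAC v1 {access_token} {base64.b64encode(mac).decode()}",
        "X-Date": date,
    }


def verify(headers: dict, method: str, path: str, body: bytes,
           now: Optional[float] = None) -> Tuple[bool, str]:
    """Server side: recompute the MAC over the request as received and compare in
    constant time (hmac.compare_digest plays the role of sodium_memcmp)."""
    parts = headers.get("Authorization", "").split(" ")
    if len(parts) != 4 or parts[0] != "HMAC" or parts[1] != "v1":
        return False, "malformed Authorization header"
    _, _, token, mac_b64 = parts
    ikm_b64 = CREDENTIALS.get(token)
    if ikm_b64 is None:
        return False, "unknown access token"
    date = headers.get("X-Date")
    if not date:
        return False, "missing X-Date"
    try:
        sent = parsedate_to_datetime(date)
    except (TypeError, ValueError):
        return False, "unparseable X-Date"
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    now = time.time() if now is None else now
    if abs(now - sent.timestamp()) > DRIFT_ALLOWANCE:
        return False, "clock drift"
    try:
        presented = base64.b64decode(mac_b64, validate=True)
    except ValueError:
        return False, "malformed MAC"
    expected = hmac.new(base64.b64decode(ikm_b64),
                        canonical_string(method, path, date, body), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return False, "hmac mismatch"
    return True, "ok"


def demo() -> dict:
    """Correct credentials every time; only the body bytes, clock or key vary."""
    path = "/v1/user/refresh"
    payload = {"refresh_token": "EXAMPLE-REFRESH-TOKEN"}
    # Bytes the signing step hashed: compact JSON, as a json_encode-style client emits
    signed_body = json.dumps(payload, separators=(",", ":")).encode()
    headers = sign(ACCESS_TOKEN, IKM_B64, "post", path, signed_body)
    results = {}
    # Body byte-identical to what was signed: verifies
    results["exact_bytes"] = verify(headers, "POST", path, signed_body)
    # Same JSON object, re-serialised with whitespace by the HTTP client: mismatch
    pretty_body = json.dumps(payload, indent=2).encode()
    results["pretty_printed"] = verify(headers, "POST", path, pretty_body)
    # Same field, sent form-encoded instead of JSON: mismatch
    results["form_encoded"] = verify(headers, "POST", path, b"refresh_token=EXAMPLE-REFRESH-TOKEN")
    # Right bytes, but the header replayed an hour later: rejected by the drift check
    results["stale"] = verify(headers, "POST", path, signed_body, now=time.time() + 3600)
    # Signed with a key other than the one the server holds for this token: mismatch
    wrong_key = base64.b64encode(bytes(32)).decode()
    results["wrong_key"] = verify(sign(ACCESS_TOKEN, wrong_key, "post", path, signed_body),
                                  "POST", path, signed_body)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14} {'OK  ' if ok else 'FAIL'} {reason}")
```

The checks this suggests for a Postman setup: send the body as raw bytes identical to what the signing call hashed (compact JSON, no trailing newline, same key order), send the X-Date string that the signing call actually used rather than a fresh timestamp, and log the canonical string on both sides just before the compare, since two identical canonical strings with a mismatching MAC point at the key, while differing canonical strings point at serialisation.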