API Authorization questions

Hi,

I’m struggling to understand how the authorization works in the API from the documentation.

It seems I have a couple of different options, whereas I feel like I have tried them all (client_id and client_secret have been generated in the console already).

POST <awx>/api/o/token
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=<username>&password=<password>&scope=write&client_id=<client_id>&client_secret=<client_secret>

Above gives me a token

{ "access_token": "<token>", "expires_in": 31536000000, "token_type": "Bearer", "scope": "write", "refresh_token": "<refresh token>" } // POST <awx>/api/o/token // HTTP/1.1 200 OK // Server: nginx // Date: Thu, 27 Feb 2020 19:40:12 GMT // Content-Type: application/json // Content-Length: 170 // Connection: keep-alive // Cache-Control: no-store // Pragma: no-cache // Vary: Accept-Language, Origin, Cookie // Content-Language: en // X-API-Total-Time: 0.280s // Strict-Transport-Security: max-age=15768000 // Content-Security-Policy: default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/ // X-Content-Security-Policy: default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/ // X-Frame-Options: DENY // Request duration: 0.357710s

Trying to now access /api/v2/job_templates for example

GET <awx>/api/v2/job_templates
Content-Type: application/json
Authorization: Bearer <token>

This still returns the following

{ "detail": "Authentication credentials were not provided. To establish a login session, visit /api/login/." } // GET <awx>/api/v2/job_templates // HTTP/1.1 401 Unauthorized // Server: nginx // Date: Thu, 27 Feb 2020 20:11:24 GMT // Content-Type: application/json // Content-Length: 107 // Connection: keep-alive // WWW-Authenticate: Bearer realm=api authorization_url=/api/o/authorize/ // Vary: Accept, Accept-Language, Origin, Cookie // Allow: GET, POST, HEAD, OPTIONS // X-API-Node: awx // X-API-Time: 0.011s // Content-Language: en // X-API-Total-Time: 0.076s // Request duration: 0.146089s

Same goes for

GET <awx>/api/v2/job_templates
Content-Type: application/json
Authorization: Basic <base64encoded credentials>

I've tried to POST and GET to /api/login, but obviously that doesn't help as it's a page and not an API endpoint.
I don't know if it's me, but the documentation seems a bit fuzzy and unclear on how to actually log in.

As a side-note, I have also tried using the to-be deprecated tower-cli

$ tower-cli login --password <password> --client-id <client_id> --client-secret <client_secret> <username>

which also returned a token

{
  "expires_in": 31536000000,
  "token_type": "Bearer",
  "scope": "write",
  "refresh_token": "",
  "token": ""
}
Configuration updated successfully.

Try POSTing a payload like:

{
    "description": "",
    "application": None,
    "scope": "write",
}

To /api/v2/tokens using basic auth to get to the page itself (don’t forget your Content-Type: application/json).

That should create a new token for you, which you can then use in an Authorization: Bearer header like you were doing before.
If you are going to do this programmatically, be sure to remove this token after you are done with it, or they will pile up.

You can see an actual example of this in the awx_collection here: https://github.com/ansible/awx/blob/devel/awx_collection/plugins/module_utils/tower_api.py#L373

A preferred option would be to generate a single token for your application within Tower and then just use that in a Bearer header (without pulling a new token every time).

-John
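The sequence John describes, written out as an added Python example (this is not code from the thread, from AWX, or from awx_collection): authenticate once with HTTP Basic to POST /api/v2/tokens/, use the returned token in an Authorization: Bearer header, then DELETE the token when finished. The request paths and the JSON payload are the ones from the post above; the hostname, the credentials, the FakeAwx stand-in server and the "id"/"token" field names in the create response are assumptions made for the example.

```python
# Added example: create a personal access token in AWX/Tower with basic auth,
# use it as a Bearer token, delete it afterwards. Not the project's own code.
import base64
import io
import json
import urllib.request


def basic_auth_header(username, password):
    """Build the RFC 7617 value for the Authorization header."""
    creds = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


class AwxClient:
    """Minimal client: basic auth only for token creation, Bearer afterwards.

    `opener` defaults to urllib.request.urlopen; it is injectable so the exact
    request sequence can be exercised offline against a fake server."""

    def __init__(self, base_url, opener=urllib.request.urlopen):
        self.base_url = base_url.rstrip("/")
        self._open = opener
        self.token = None
        self.token_id = None

    def _request(self, method, path, auth_header, body=None):
        data = None if body is None else json.dumps(body).encode("utf-8")
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")  # required by the API
        req.add_header("Authorization", auth_header)
        with self._open(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def create_token(self, username, password, description="api script"):
        # Same payload as the post above; JSON null is Python None here.
        payload = {"description": description, "application": None, "scope": "write"}
        resp = self._request("POST", "/api/v2/tokens/",
                             basic_auth_header(username, password), payload)
        # Field names "id" and "token" in the response are an assumption.
        self.token_id, self.token = resp["id"], resp["token"]
        return resp

    def get(self, path):
        return self._request("GET", path, f"Bearer {self.token}")

    def delete_token(self):
        # Remove the token when done so they do not pile up on the server.
        self._request("DELETE", f"/api/v2/tokens/{self.token_id}/", f"Bearer {self.token}")
        self.token = self.token_id = None


class FakeAwx:
    """Constructed in-memory stand-in for the token endpoints (no real server)."""
    EXPECTED_BASIC = basic_auth_header("admin", "secret")  # assumed credentials

    def __init__(self):
        self.tokens = {}      # token id -> token value
        self.next_id = 1
        self.log = []         # (method, path, Authorization value) per request

    def __call__(self, req):
        auth = req.get_header("Authorization", "")
        path = req.selector   # path portion of the URL
        self.log.append((req.get_method(), path, auth))
        if req.get_method() == "POST" and path == "/api/v2/tokens/":
            if auth != self.EXPECTED_BASIC:
                raise PermissionError("401: bad basic credentials")
            tok = f"tok{self.next_id:04d}"
            self.tokens[self.next_id] = tok
            body = {"id": self.next_id, "token": tok, "scope": "write"}
            self.next_id += 1
            return io.BytesIO(json.dumps(body).encode())
        # Every other endpoint requires a Bearer token this server issued.
        if not (auth.startswith("Bearer ") and auth[7:] in self.tokens.values()):
            raise PermissionError("401: Authentication credentials were not provided.")
        if req.get_method() == "DELETE":
            del self.tokens[int(path.rsplit("/", 2)[-2])]
            return io.BytesIO(b"")
        return io.BytesIO(json.dumps({"count": 2, "results": []}).encode())


def demo():
    """Run create -> use -> delete against the fake; returns data to inspect."""
    server = FakeAwx()
    client = AwxClient("https://awx.example.invalid", opener=server)
    created = client.create_token("admin", "secret", description="demo")
    templates = client.get("/api/v2/job_templates/")
    client.delete_token()
    return created, templates, server.log, server.tokens


if __name__ == "__main__":
    for entry in demo()[2]:
        print(entry)
```

Against a real server, drop the `opener` argument and the same three requests go over the wire. The recorded `log` is useful as a check: it shows the literal Authorization value each request carried, which is the first thing to compare against what the server is rejecting.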

Hi John,

Thanks for the reply.

Yeah, the creation of tokens does not seem to be the problem here. It's the usage of one as a bearer.
I can create tokens just fine in any of the ways stated in the original post. Using the generated tokens gives me the /api/login feedback.

Sorry if that wasn't fully clear.