Apiadmin rest API

mho · May 4, 2021, 5:27pm

Hello,
i want to know how to use this token:
this command create token (jwt):
manage-api createtoken -r admin -u apiadmin
Auth-Token: b’eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ…’
valid 365 days

i create apiadmin:
pi-manage admin add apiadmin

but how to use it:
GET /user
Host: example.com
Accept: application/json
Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ…¨
but not works

when i use apiadmin with /auth i have a token but for 1 hour , i would like to have a authentication token for service account.
i thinked the token create with manage-api createtoken -r admin -u apiadmin could be used for that.

how to use this token?Auth-Token: b’eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ…’

Thanks for your help

cornelinux · May 5, 2021, 5:05am

Which version are you running?

Is this:

All output you get?

Take a look at the Audit log, when your call to GET /userfails.
(Note: it should also be GET /user/ to avoid a 301)

mho · May 5, 2021, 7:37am

Thanks for your help.
i have this message “Authentication failure. Error during decoding your token: Signature verification failed”"
i use authorization header and token without b’
like that
Accept: application/json
Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ…W2k4
GET /user/
any idea thanks for your help

cornelinux · May 5, 2021, 7:54am

You are probably running the creattoken as another user then the server.
=> You are using different secrets to encrypt the jwt.

mho · May 5, 2021, 9:54am

Thanks,
i don’t understand.
I am logged with root account i launched:
-manage-api createtoken -r admin -u apiadmin
-pi-manage admin add apiadmin
i have:
Username: apiadmin
Realm: API
Role: admin
Validity: 365 days
Auth-Token: b’eyJ0eXAiOiJKV1QiLCJhbGciOiJI…k’

and logged with root i launch:
curl -s -H “Accept: application/json” -H “Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJI…k” -k -X GET https://mfa.domain.com/user/

where is wrong?
Thanks

cornelinux · May 5, 2021, 9:56am

You running the pi-manage command might use another pi.cfg file than the privacyIDEA server!
Thus you would get different encryption keys.

Also: Obviously there is not relam “API”.

Use the parameter

-R ''

to specify an empty realm.

mho · May 5, 2021, 10:09am

Thanks,
how to dump the default pi.cfg ?