I’ve installed Conjur OSS using Minikube and Helm and both the cli and the Java API seem to be working fine. Now I’m trying to access to the UI but I haven’t been able yet. As far as I know, I should be able to do it by adding /ui to the base URL (in my case it’s https://192.168.64.8:32479/ui but I’ve also tried with the name I have in my /etc/hosts which worked fine with the Java API) and I should be asked for the username and password. Problem is I only receive the message “Authorization missing”.
I’ve also used Postman to send a GET request with two different approaches. Firstly I tried sending the same Basic Authorization needed for the /login endpoint. The message I get in this case is the same as accessing through the browser. Then I tried to generate a new token calling to the /authenticate endpoint and using the result to call the UI with an Authorization header just like “Token token=“my generated token””. If I do this all I receive is the message “Unauthorized: Invalid token”. I have used the admin user in both cases so I don’t think it’s a problem of privileges.
I hope you can help with this.
Thanks a lot!
EDIT:
I add a screenshot to show that I can access to the Conjur Server with that URL.
And I also attach another screenshot of the error when trying to get a response from the UI (sorry the double post but I can’t send two images in one post)
Can I ask where you saw there was a /ui route for Conjur OSS? We do have a UI for DAP (our enterprise offering based on Conjur OSS), but there is no UI for Conjur open source. I would be glad if you could let me know where you saw this info to make sure our documentation is accurate.
Regarding your authentication question, did you base64-encode the token you received from the login request before passing it on to authenticate? You can see on the docs here that you should base64-encode the token using
About the authentication if I’m not mistaken the service you mean is authenticate instead of login. I’ve tried to encode the token I receive (both just the payload field and the whole response) and I always receive a “Malformed authorization token” error. But it’s ok. If it’s true that there is no UI in the open source version there is no point in trying to authenticate against that /ui endpoint. Isn’t it?
@zevesh thanks so much for sharing that you found UI-related docs in a search - we recently separated our open source and enterprise documentation, and this looks like a bug. I’m filing it as one with the docs team, and hopefully this page will be removed soon!
Rereading my comments about authenticating, I can see why they’d be a little confusing - so let me try to restate. Once you have your server up and running with a user and their API key, you can authenticate to receive a short-lived access token (valid for 8 minutes). You will use this access token in all other requests you send to the API.
Note: If your user doesn’t have an API key but you know their password, you can retrieve their API key via the /authn/{account}/login route (link to docs).
To retrieve the access token you will run (replacing the text within curly brackets with your own values):
If you’re running through the quick start, the cacert can be found at conf/tls/nginx.crt
If your user isn’t stored in the root policy branch, the username you send in the authenticate request will need to be the urlencoded version of user@policy/branch
Once you have the access token, when you send additional requests you include the token in the Authorization “Token” header. For example:
It’s a shame that I can use the UI right now. I’ll study the possibility of upgrading to the enterprise version. Right now I’m trying to use Summon to retrieve the secrets so UI was just a way for me to view the resources but I don’t really need it at the moment.
Regarding the authentication your explanation was exactly what I needed and now I can access the server with curl. Just a mistake on my side with the path to the certificate but everything’s working properly now. Thanks a lot for that! All is left is using that certificate with Summon but I think I can manage it.
@zevesh hope everything works well for you from here on! I just wanted to update that based on your feedback we were able to update the Conjur docs so that others won’t have the same confusion about the UI. And if you’re interested in us building a UI into the project, please feel free to open a GitHub issue and ask us to add this functionality!
