API / Collection Authorization

[rsb-23]

Authorization

• Basic Auth
• Bearer Auth
• Digest Auth
• Cookie Auth - Auth: Cookies #968
• AWS SigV4 Auth
• OAuth 2.0 Auth: OAuth 2.0 #1003
• OAuth 1.0 Auth: OAuth 1.0  #1004
• API Key based Auth Auth: API Key based Auth #1005

If you'd like an auth method to be supported, please create a new issue

[helloanoop]

Hi @rsb-23

Supporting Auth is a huge priority, and I plan to have it developed and released within the next 10 days.
The api's I have mostly work on have api key based auth that is passed in the headers.

Planning to get a release out with these 2 Auths

1. Bearer Token Auth
2. API Key based auth (passed in headers/query params/cookies)

Is there a specific auth that you'd like us to prioritise to build ?

[rsb-23]

These two are mostly used, hence this plan is perfect.

[faolitarna]

Is OAuth 2.0 support planned? That's the only thing missing that stops us to move to Bruno.

[muser1492]

Will OAuth 1.0a and Basic Authorization be supported?

[helloanoop]

Auth is a key feature that is remaining to be implemented. I will be spending some time this week to get this completed.

[markwimpory]

Im sure many many people are looking for a Postman alternative right now. Bruno looks great to us we just need that auth stuff in particular oauth2 but im sure everyone has their favourite. I will hold on making a decision until we hear more.

[ChristianSch]

Just wanted to add my +1. We're exploring alternatives to Insomnia and oauth2 is a must for us to use our APIs properly.

[helloanoop]

I will be releasing support for these Auth's tomorrow (Fri 29 Sep)

• Basic Auth
• Bearer Auth
• OAuth2.0

[yjlcoder]

Hello. Do you have any plan to implement cookies? i.e. set-cookies, cookies management, and automatically send the cookies under the same domain

[jthln]

OAuth 1.0a support would be great, too.
Used by Magento 2, for example.
Since OAuth 2.0 is not backwards compatible to OAuth 1.0.

[helloanoop]

Got busy with reviewing and merging PR's. Will be working over the weekend to get the auth support completed.

[DJphilomath]

Will this also cover sending an auth bearer token when fetching a Graphql schema?

[helloanoop]

Hello. Do you have any plan to implement cookies? i.e. set-cookies, cookies management, and automatically send the cookies under the same domain

@yjlcoder Yes, we will support this. Its crucial.

Will this also cover sending an auth bearer token when fetching a Graphql schema?

@DJphilomath Yes, we will

OAuth 1.0a support would be great, too.

@jthln Yes, We will support it after completing Oauth2.0

[ChadDa3mon]

Just came here to say thanks a ton for this, I'm looking forward to trying it out. Seems like you're hard at work on the Auth issue, and that was my only big nag so far. I'm coming from Insomnia and I really like how they handled Authentication options via a dedicated tab. Being able to specify a username/password for basic auth, or various token options was quite helpful.

I see you make mention of it in your documentation, but I can't see any easy way to implement this in the GUI.

[helloanoop]

Support for Bearer and Basic Auth is now available in v0.18.0

Hoping to have Oauth 2.0 shipped in another 2 days time. I appreciate your patience.

[danielraab]

Thanks for this cool new feature.
Now it would be perfect if the fields would be filled on an import (from e.g. Insomnia) :)

[fuxx]

Cool! Thanks for the update @helloanoop - This will be a massive forward for bruno :)

[dahlsin]

Hi! This was exactly what we were waiting for! It seems like it doesn't work to use collection variables for the auth values though, is that right or am I doing something wrong?

[lared]

@dahlsin tracked under #329

[Finkregh]

Reading authentication from ~/.netrc would be quite helpful as it allows sharing the config as well as usage of the same credentials by i.e. curl -n.

Thanks!

[rmueller83]

Currently, the Auth credentials are stored in plain text in the bru file of the request. I do not think that this is a good idea, since projects are shared via Git.
The credentials should be encrypted or put into a separate file which can be excluded from git via .gitignore.

[helloanoop]

@rmueller83 You'll be happy to see https://docs.usebruno.com/secrets-management/overview.html !

[helloanoop]

Thank you @petoc for updating the insomnia importer to import basic and bearer auth strategies
PR: #380

[olekyd]

Hello, it would be nice to add AWS IAM auth method to the list

[helloanoop]

@bmrodgers148 took a look at your changes. Love it 🔥
Looking forward to your PR..

So glad to see you take a stab at making changes in the Bru Lang Parser.

[helloanoop]

I could not work on OAuth 2.0 auth as Ive been busy with adding Collection Level Headers, Auth, Scripts and Tests #334

Looking forward to get Oauth 2.0 done on priority in the next 2-3 days

@bmrodgers148 looking forward to your PR 😊 to add AWS IAM support.

[matbgn]

Is there any chance to see Digest Auth implemented in Bruno?

[WtfJoke]

Do you think it would make sense to split the issue? I could imagine it would be easier to track the different progress.
For example I am mainly interested in OAuth 2.0 (and the progress is quite mixed, what I can totally understand but its a bit harder to follow) :)

[premeaswaran]

Hey there @helloanoop , any update on this regarding Oauth 2.0?

[nomorsug]

What happend with the API Key based auth (passed in headers/query params/cookies) ?

[Pessiun]

When do we expect the JWT Bearer Auth to be in place?

[JoshatPNNL]

Hi! This was exactly what we were waiting for! It seems like it doesn't work to use collection variables for the auth values though, is that right or am I doing something wrong?

@dahlsin Try putting it in the body

Then in Vars write the response to a new variable and reference that in your next call

[Pessiun]

I managed to fix my JWT issue. It worked! Sometimes we need to apply try and error technique to succeed.

[markwimpory]

Do we have an oauth2 update? this is the only thing stopping us adopting Bruno right now.

[nickheniser]

Not yet, but I think it is on the horizon soon. For a workaround see this post: #385 (comment)

[palhal]

As others have mentioned, I would like to see a static API Key that can be included either as a header or in the query. I guess a screenshot from Postman will explain it:

My specific use case is the Mapbox API.

Btw, I just switched from Postman and I'm loving Bruno so far.

[gagan1393]

Hi, Right now Oauth 2.0 is not available in bruno. Any idea when it is going to available? Or is there any alternative we can pass Oauth2.0 for a time being in bruno?

Thanks!!

[mmornati]

Acutually, for the oAuth2, client_credential is possible with a simple script already shared on GitHub.
The real missing part is with other auth methods, even trying to simulate it, when you need to open a webpage to fillup the credentials, Bruno is not letting you a lot of latitude (I think it is not executing JS in the page preview, right?).

[gousse]

Hi, for OAuth2.0, if the issue is the browser interaction, the easiest way is to use the device grant.
https://www.rfc-editor.org/rfc/rfc8628
it let you use any browser in another network/technical context to interact with the human user, while the "code on bruno side = device client" is just polling the token endpoint with a simple POST request. The ascii schem on rfc illustrate this.

[gagan1393]

Acutually, for the oAuth2, client_credential is possible with a simple script already shared on GitHub. The real missing part is with other auth methods, even trying to simulate it, when you need to open a webpage to fillup the credentials, Bruno is not letting you a lot of latitude (I think it is not executing JS in the page preview, right?).

Yes.. for client_credential its working fine. I am able fetch the token. But i need it for implicit grant type. If it is possible, let me know??

[joe-gre]

@helloanoop Any update on cookie support, including signed cookies? Our team uses this for authentication so its blocking us from adopting Bruno. I got parsing the cookie and setting it in a context variable in a post script working, but its not sending the cookie correctly. I hope this feature gets added so we can migrate. I've been waiting for an API client that integrates with git in this way for a while and I love the scripting support.

[joe-gre]

I got cookie authentication working. It would be nice to have it as an out-of-the-box feature though. Here is what I did: #968 (comment)

[osminogin]

I would also like to suggest implementing an SSL/TLS client authentication method or any way to add and manage digital certificates in Bruno. This is a fairly popular way to authenticate clients to private APIs.

This functionality is also available in Postman:

[helloanoop]

I would also like to suggest implementing an SSL/TLS client authentication method or any way to add and manage digital certificates in Bruno. This is a fairly popular way to authenticate clients to private APIs.

@osminogin This is already available.

You can click on client certificates inside the collection settings (click on gear icon on top right corner once you open a collection)

[helloanoop]

@yjlcoder @nomorsug @joe-gre
Cookie support has landed in v1.2.0

If you encounter any issues or have additional feedback, please comment on #968

[helloanoop]

This thread has become unmaintainable. I have created separate issues to track each kind of Auth.

• Basic Auth
• Bearer Auth
• Digest Auth
• Cookie Auth - Auth: Cookies #968
• AWS SigV4 Auth
• OAuth 2.0 Auth: OAuth 2.0 #1003
• OAuth 1.0 Auth: OAuth 1.0  #1004
• API Key based Auth Auth: API Key based Auth #1005

Locking this thread. If you'd like an auth method to be supported, please create a new issue

PS: I appreciate the patience of folks waiting for OAuth 2.0.