Use my user ID to access Azure APIs (non-interactive) - azure-authentication

I know how to use the Azure API in the following way:
go to App registrations and create a new app;
get the "client id", "Directory (tenant) ID" and secret;
go to the "API permissions" section and add whatever API you want to access,
OR
use the app ID as an SP and add it to a role like "Billing Reader", and it will work too;
then use /oauth2/token, pass client_id and client_secret and get a bearer token;
then use any API by passing "Bearer {{access_token}}" in the header and everything works.
But
what if I want to use an API like Billing or Cost Management or "Microsoft.Storage/storageAccounts" but with my ID? What will be the flow? How do I get a bearer token from /oauth2/token by using my ID (my AD email)?
AND
is it possible to use my privileges but without me passing my password? Can I authorize some app_id to emulate me for, say, an hour?

To generate a bearer token in a non-interactive way, the client credentials flow is mostly recommended.
If you want to get a bearer token using your ID, you can make use of the OAuth 2.0 ROPC grant flow.
I tried to reproduce the same in my environment and got the below results:
I generated an access token via Postman by providing parameters like below:
POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
client_id : xxxxxx-xxx-xxx-xxxx-xxxxxxxx
grant_type : password
scope : https://management.azure.com/.default
username : sri#xxxxxxxxxxxx.onmicrosoft.com
password : xxxxxxx
client_secret : xxxxxxxxxxxxxxx
Response:
Using the above token, I'm able to call the API to get the list of storage accounts (Microsoft.Storage/storageAccounts) successfully, like below:
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Storage/storageAccounts?api-version=2021-09-01
Response:
Please note that the password parameter is mandatory for this flow.
Reference:
Resource owner password credentials grant | Microsoft Docs
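As an added example, not code from the question or the answer above: a Python script that builds the two v2.0 token requests discussed here (client credentials for the app's own identity, and ROPC with a user's password for the user's identity) and then decodes the claims of the returned access token so you can see which identity it carries (a user token has upn/preferred_username alongside appid; an app-only token has just appid). The tenant, client and user values are placeholders, the JWT used in the offline demo is constructed and unsigned, and decode_claims deliberately does no signature verification, so it is only for inspecting a token you just received from the token endpoint, never for a resource server deciding whether to trust one.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Added example, not code from the question or answer above. Builds the two
# kinds of v2.0 token request discussed (client credentials vs. ROPC) and
# inspects the claims of the access token that comes back. All tenant, client
# and user values used below are constructed placeholders.

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM_SCOPE = "https://management.azure.com/.default"


def build_token_request(tenant_id, client_id, client_secret, scope=ARM_SCOPE,
                        username=None, password=None):
    """Return (url, form) for a v2.0 token request.

    With a username/password the form is a ROPC request (grant_type=password),
    which yields a token for that user; without them it is a client-credentials
    request (grant_type=client_credentials), which yields a token for the app.
    """
    form = {"client_id": client_id, "client_secret": client_secret, "scope": scope}
    if username is not None:
        if not password:
            # ROPC has no other way to prove the user: no MFA, no SSO, no device code.
            raise ValueError("ROPC requires the user's password")
        form.update({"grant_type": "password", "username": username, "password": password})
    else:
        form["grant_type"] = "client_credentials"
    return TOKEN_ENDPOINT.format(tenant=tenant_id), form


def request_token(url, form):
    """POST the form to the token endpoint and return the JSON response (network call)."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _b64url(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)   # JWT segments drop the '=' padding
    return base64.urlsafe_b64decode(segment)


def decode_claims(access_token):
    """Decode a JWT's payload WITHOUT verifying its signature.

    Fine for looking at a token you just received from the token endpoint over
    TLS; a resource server must instead validate signature, issuer, audience
    and expiry before trusting any claim.
    """
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload))


def describe_identity(claims):
    """Report whose identity the token carries, using standard Azure AD claim names."""
    user = claims.get("upn") or claims.get("preferred_username")
    if user:
        return f"delegated: user {user} acting through app {claims.get('appid')}"
    return f"application: service principal of app {claims.get('appid')}"


def seconds_until_expiry(claims, now=None):
    now = int(time.time()) if now is None else now
    return claims["exp"] - now


def make_unsigned_jwt(claims):
    """Build a constructed, unsigned JWT for the offline demo (real tokens are signed)."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}."


if __name__ == "__main__":
    url, form = build_token_request("<tenant_id>", "<client_id>", "<client_secret>",
                                    username="user@contoso.example", password="<password>")
    print("would POST to", url, "with grant_type =", form["grant_type"])
    # With real values, fetch and inspect a live token like this:
    # claims = decode_claims(request_token(url, form)["access_token"])
    demo = make_unsigned_jwt({"aud": "https://management.azure.com/", "tid": "<tenant_id>",
                              "appid": "<client_id>", "upn": "user@contoso.example",
                              "oid": "<user_object_id>", "exp": int(time.time()) + 3600})
    claims = decode_claims(demo)
    print(describe_identity(claims), "- expires in", seconds_until_expiry(claims), "s")
```

The useful check for the question asked is describe_identity: a token obtained with grant_type=password names the user in upn, so ARM evaluates the user's RBAC assignments, whereas a client-credentials token names only the app, so the service principal's own role assignments (such as Billing Reader) apply.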

Related

Need help setting up Postman Collection Authorization with API Token and Credentials

I am learning to connect to one of our 3rd party's API, and the first step in doing so is to first get an access token to use for additional requests.
To get that access token, I send a POST request that includes an API key in the header, along with the username and password in the body (as JSON). And that successfully returns a token.
But how do I set that up in a collection? In Postman I have options of API token, Basic Auth, OAuth2, etc. But I do not see how you set up and include both the API key and user/password.
I've tried different scenarios of just the API key and OAuth2 with credentials, but I'm unsure how you set it up to include both.

Accessing D365 CRM API's

We are trying to access data from the D365 APIs.
We are following the flow of getting the token by using the client ID and client secret.
We are getting the token; now trying to access other app URLs, but getting the response as unauthorised.
Here the thing we are missing is that we need to validate the user. I am not getting the exact API where we can validate the user and then access the data.
This is the first API we are calling:
https://login.microsoftonline.com/<tenant ID>/oauth2/token
passing client_secret, client_id and grant_type.
For that we are getting the token.
With that token we are not able to access our D365 APIs.
But where do we need to log in the user? Any references?

Rest api authentication: how to get the token the first time

Thanks to this page, api_key_authentication, I have an authentication system which works well.
So, basically every user has his own api_key field (stored in the fos_user table); when I perform a request with any api_key from fos_user, I see in the response that the user is recognized.
The question is: what does an API user do to retrieve his api_key?
You can generate the API key and send it to the user (somehow), or make an auth API where the user sends you his login and password and then you generate and send him his API key (this is the most common way).

access token and client id/api key relationship

I generated an access token using client id (apikey)_1 and client secret_1.
Now I am using that access token generated above with a GET resource call and pass api key 2.
And it's working.
But I want to restrict this so that only api key 1, which generated the access token, can use it to access a resource.
Note: apikey1 and apikey2 are both authorized to access the resource. We want to restrict the use of anyone else's access token, however.
Please let me know how to implement it.
When you validate the access_token, Apigee will populate a variable for clientid (check the variables in the trace tool on the policy you're using to validate the token). It should also populate the product that is associated with the key.
While you can build policies around a client_id, it's better to use products. Products allow you to restrict access by resource and are tied to the client_id that generates the access_token.
See the product documentation on Apigee at http://apigee.com/docs/developer-services/content/what-api-product for more info on how to configure and use them.

keystone v2 - Get token without using userid/password

I am writing an app which does authentication using the keystone v2.0 APIs. Now, while authenticating via /v2.0/tokens, I get the token for all the projects which the user has access to.
Now when a project is added using Horizon, how can I get the token for that project, as I am not storing the userid/password for the logged-in user, and to get the token for the project I need to send /v2.0/tokens with the below POST data:
{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "user", "password": "password"}}}
But as I am not storing the userid/password, once the user is logged in, how can I get the token for the new project afterwards?
Is it necessary to store the user ID/password somewhere so it can be used later? If yes, then what is usually the best way to store user credentials?
Regards,
-M-
After looking into the keystoneclient code for v2, I got the answer: we can get the token for a new project using the existing token itself:
# token: the id of the token already issued to the logged-in user
data = {"auth": {"token": {"id": token}}}
# scope it to the new project by name
data["auth"]["tenantName"] = tenantName
Regards,
-M-
There are various modes of authentication; it can be token, password, OAuth, etc.
If you have requested an unscoped token previously, then you can use the unscoped token to get a scoped one (for a project/tenant).
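An added example, not the keystoneclient code the answer refers to: a toy in-memory model in Python of how keystone v2's POST /v2.0/tokens accepts the two request shapes seen in this thread (passwordCredentials for the initial login, token for rescoping), written to show that rescoping to a project needs only an existing token and never the stored password, while the check that the user actually holds a role in the requested tenant still applies. The users, passwords and tenant memberships are constructed demo data, and ToyKeystoneV2 is a stand-in for the real service, not its implementation.

```python
import secrets

# Added example, not the keystoneclient code from the answer above: a toy model of
# keystone v2's POST /v2.0/tokens, just enough to show that rescoping to a project
# needs only an existing token, never the stored password. All users, passwords
# and tenant memberships below are constructed demo data.

USERS = {"user": "password"}                 # real keystone stores password hashes, not this
TENANT_ROLES = {"user": {"admin", "demo"}}   # tenants in which the user holds a role


class ToyKeystoneV2:
    def __init__(self):
        self._tokens = {}   # token id -> {"user": name, "tenant": name or None}

    def _issue(self, user, tenant):
        token_id = secrets.token_hex(16)
        self._tokens[token_id] = {"user": user, "tenant": tenant}
        return {"access": {"token": {"id": token_id, "tenant": tenant},
                           "user": {"name": user}}}

    def tokens(self, body):
        """Handle a /v2.0/tokens body using either passwordCredentials or token auth."""
        auth = body["auth"]
        if "passwordCredentials" in auth:
            creds = auth["passwordCredentials"]
            expected = USERS.get(creds["username"], "")
            if not secrets.compare_digest(expected, creds["password"]):
                raise PermissionError("401: invalid credentials")
            user = creds["username"]
        elif "token" in auth:
            entry = self._tokens.get(auth["token"]["id"])
            if entry is None:
                raise PermissionError("401: unknown or expired token")
            user = entry["user"]
        else:
            raise ValueError("400: no supported auth method in body")
        # Scoping is authorized the same way whichever credential was presented.
        tenant = auth.get("tenantName")
        if tenant is not None and tenant not in TENANT_ROLES.get(user, set()):
            raise PermissionError("401: user has no role in tenant")
        return self._issue(user, tenant)


def login_unscoped(ks, username, password):
    # Initial login: the password is used exactly once, here, and need not be kept.
    body = {"auth": {"passwordCredentials": {"username": username, "password": password}}}
    return ks.tokens(body)


def rescope(ks, token_id, tenant_name):
    # Later (e.g. after a project was added in Horizon): rescope with the token only.
    data = {"auth": {"token": {"id": token_id}}}
    data["auth"]["tenantName"] = tenant_name
    return ks.tokens(data)


if __name__ == "__main__":
    ks = ToyKeystoneV2()
    unscoped = login_unscoped(ks, "user", "password")
    scoped = rescope(ks, unscoped["access"]["token"]["id"], "admin")
    print("scoped to", scoped["access"]["token"]["tenant"])
```

Keeping only the unscoped token (with its expiry) instead of the password is the point of the answer: the app can rescope on demand, a lost token is revocable and time-limited, and a tenant the user has no role in is still refused.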
