Access Token contains incorrect scopes and does not match with the user roles - wso2-api-manager

I am using WSO2 Identity Server 5.10 and API Manager 3.2.
When I generate a JWT access token, it does not contain the required scopes with respect to the roles assigned to the user.
Role validation of the user is not happening during JWT token generation. All the scopes passed during token generation are granted to the user without validating user roles.
When we generate a JWT access token for a user, say "operator", with only the "view_role", by passing all the created scopes in the token API body like 'scope=openid,create_scope, view_scope, edit_scope', the token API response shows all the scopes which were passed during token generation.
The issue is seen only on an HA setup, not on a single-node setup.
Token API curl:
curl --location --request POST 'https:///oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'password=xyz#123' \
--data-urlencode 'username=abc@tenant.com' \
--data-urlencode 'client_id=xxxxxx' \
--data-urlencode 'client_secret=xxxxxx' \
--data-urlencode 'scope=openid operator_access_scope admin_access_scope creater_access_scope adaptor_admin_access_scope'
Steps to reproduce:
Create different scopes associated with roles (e.g. "create_scope" with the "create" role associated; similarly edit_scope, view_scope) in the Publisher portal (APIM 3.2).
Assign the scopes to some resources.
Create a new user with only the "view" role assigned.
Generate a JWT access token by passing all the scopes in the body (scope = openid, create_scope edit_scope view_scope).
Notice that all the scopes passed during token generation are granted even though the user has only the "view" role; the expected behaviour is that only view_scope is granted to the user.
My requirement is: I need to pass all the scopes created under the Publisher portal to the token API, but the token should be granted only those scopes which are relevant to the roles assigned to the user. This behaviour works fine in one of our single-node setups. Did I miss any configuration changes for the HA setup? Please assist.
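An added example (not from the question or from WSO2) of the role check the question expects, plus an audit of an issued token's scope claim against it. The scope and role names are the question's; the scope-to-role binding table and the token are constructed for the demo, and the JWT payload is decoded without signature verification because only claim inspection is shown.

```javascript
// Constructed binding: scope -> roles allowed to obtain it (what the Publisher portal defines).
const SCOPE_ROLES = {
  create_scope: ['create'],
  edit_scope: ['edit'],
  view_scope: ['view'],
};

// OIDC scopes are not bound to roles and pass through unchanged.
const UNBOUND_SCOPES = new Set(['openid']);

// Expected grant: keep a requested scope only if it is unbound or one of the user's roles is bound to it.
function expectedScopes(requested, userRoles) {
  const roles = new Set(userRoles);
  return requested.filter((scope) => {
    if (UNBOUND_SCOPES.has(scope)) return true;
    const allowed = SCOPE_ROLES[scope];
    return Array.isArray(allowed) && allowed.some((r) => roles.has(r));
  });
}

// Decode the JWT payload (base64url JSON) without verifying it; signature validation is done elsewhere.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Audit: scopes present in the token that the user's roles do not justify (empty array = correct behaviour).
function overGrantedScopes(jwt, userRoles) {
  const payload = decodePayload(jwt);
  const issued = typeof payload.scope === 'string' ? payload.scope.split(/\s+/).filter(Boolean) : [];
  const permitted = new Set(expectedScopes(issued, userRoles));
  return issued.filter((s) => !permitted.has(s));
}

// Constructed, unsigned token reproducing the reported HA behaviour: every requested scope is issued.
function constructedToken(scopes) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none' })}.${enc({ sub: 'operator', scope: scopes.join(' ') })}.`;
}
```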


use my user id to access azure APIs (non interactive)

I know how to use the Azure API in the following way.
go to App registrations and create a new app
get the "client id", "Directory (tenant) ID" and secret.
go to the "API permissions" section and add which API you want to access.
OR
use the app-id as an SP and add it to a role like "billing reader" and it will work too.
then use /oauth2/token, pass client_id and client_secret and get a bearer token.
then use any API by passing "Bearer {{access_token}}" in the header and everything works.
But
what if I want to use an API like Billing or Cost Management or "Microsoft.Storage/storageAccounts" but with my ID? What will be the flow? How do I get a bearer token from /oauth2/token using my ID (my AD email)?
AND
is it possible to use my privileges but without me passing my password? Can I authorize some app_id to act as me for, say, an hour?
To generate a bearer token in a non-interactive way, the client credentials flow is mostly recommended.
If you want to get a bearer token using your ID, you can make use of the OAuth 2.0 ROPC grant flow.
I tried to reproduce the same in my environment and got the below results:
I generated an access token via Postman by providing parameters like below:
POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
client_id : xxxxxx-xxx-xxx-xxxx-xxxxxxxx
grant_type : password
scope : https://management.azure.com/.default
username : sri@xxxxxxxxxxxx.onmicrosoft.com
password : xxxxxxx
client_secret : xxxxxxxxxxxxxxx
Response:
Using the above token, I'm able to call the API to get the list of storage accounts (Microsoft.Storage/storageAccounts) successfully like below:
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Storage/storageAccounts?api-version=2021-09-01
Response:
Please note that the password parameter is mandatory for this flow.
Reference:
Resource owner password credentials grant | Microsoft Docs

Refreshing user auth server side in NextJS?

I'm trying to refresh the user's auth token on the server in NextJS; currently I have the token set in cookies that I access like this:
import nookies from 'nookies';

export async function getServerSideProps(ctx) {
  const cookies = nookies.get(ctx);
  try {
    const client = useClient(cookies.token); // useClient is my own helper
    // etc
    return { props: {} };
  } catch (err) {
    // the "token has expired" error lands here once the ID token is stale
    throw err;
  }
}
Unfortunately, if the token has expired this will fail with the "token has expired" error.
I do have access to the refresh token but am not sure how to use it; firebase.auth().currentUser is undefined in getServerSideProps as well.
I had a similar issue using NuxtJS, and the easiest way is to redirect the user to a different page where you can get a new Firebase ID token on the client side and then refresh the cookie. For example, you may redirect to a page something like https://domain.tld/auth/refresh?redirect_uri=/dashboard. The query parameter redirect_uri tells where the user was and must be redirected back to after refreshing the token.
If you want to avoid the redirect, you would have to store the "Refresh Token" on your server side. I am not sure how secure that will be, but don't store the refresh token in cookies. But just in case you are wondering how to get a new Firebase ID token using the refresh token, you can make a POST request to this URL:
https://securetoken.googleapis.com/v1/token?key=FirebasePublicAPIKey
The API key is available in your Firebase Config. The body for this POST request seems to be URL encoded and has grant_type and refresh_token fields.
Here's a cURL request for the same:
curl "https://securetoken.googleapis.com/v1/token?key=firebaseAPIKey" \
-H 'Content-Type: application/x-www-form-urlencoded' \
-X POST \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=firebaseRefreshToken'
I just used Chrome DevTools to check how tokens are refreshed and found that.
The first method sounds safer to me and I personally use it over storing refresh tokens somewhere on server or cookies. In fact, I use custom JWT tokens from my server in cookies instead of Firebase ID Tokens themselves.
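An added example (not from the answer, and not Firebase's or Next.js's own code) of the second approach: refreshing the ID token server-side through the securetoken endpoint named above. It assumes the refresh token lives in a hypothetical server-side `sessionStore` (looked up by a session id cookie, never stored in a cookie itself), and takes an injectable `fetchImpl` so the exchange can be exercised offline.

```javascript
const FIREBASE_TOKEN_URL = 'https://securetoken.googleapis.com/v1/token';

// Read `exp` from the JWT payload without verifying the signature: this only decides whether to
// refresh; the token is still verified by the Firebase Admin SDK before anything trusts it.
function expiresWithin(idToken, seconds, nowMs = Date.now()) {
  const parts = idToken.split('.');
  if (parts.length !== 3) return true; // malformed: treat as expired
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  return typeof payload.exp !== 'number' || payload.exp * 1000 - nowMs < seconds * 1000;
}

// POST grant_type=refresh_token as a urlencoded body (not multipart), keyed with the public API key.
async function refreshIdToken(refreshToken, apiKey, fetchImpl = fetch) {
  const body = new URLSearchParams({ grant_type: 'refresh_token', refresh_token: refreshToken });
  const res = await fetchImpl(`${FIREBASE_TOKEN_URL}?key=${encodeURIComponent(apiKey)}`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
  if (!res.ok) throw new Error(`token refresh failed: HTTP ${res.status}`);
  const data = await res.json();
  // The response carries a (possibly rotated) refresh token; the caller must persist it server-side.
  return { idToken: data.id_token, refreshToken: data.refresh_token, expiresIn: Number(data.expires_in) };
}

// For getServerSideProps: use the cookie's ID token if still valid, otherwise refresh it.
// `sessionStore` is a hypothetical server-side Map of sessionId -> refreshToken.
async function resolveIdToken({ idToken, sessionId }, sessionStore, apiKey, fetchImpl = fetch) {
  if (idToken && !expiresWithin(idToken, 60)) return idToken;
  const refreshToken = sessionStore.get(sessionId);
  if (!refreshToken) return null; // nothing to refresh with: caller redirects to login
  const fresh = await refreshIdToken(refreshToken, apiKey, fetchImpl);
  sessionStore.set(sessionId, fresh.refreshToken);
  return fresh.idToken;
}
```

Set the refreshed ID token back into the cookie with nookies before rendering, and treat a `null` result as a signal to redirect to the login page.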

Can't use Artifactory access token to fetch encrypted password

We want to disable UI access for our build users.
They cannot use plain-text passwords for REST APIs for security reasons.
I am trying the following to get the encrypted password without allowing build users UI access.
- I created one build user (non-admin with UI disabled)
- Created an access token for that build user using the admin account.
When I try to use the token to fetch the encrypted password of the build user I get the following error.
ANYBRIDGEBUCK:~ jainish.shah$ curl -H "Authorization: Bearer $TOKEN" http://jainish.artifactory.com/artifactory/api/security/encryptedPassword
{
"errors" : [ {
"status" : 404,
"message" : "User not found: token:automation"
} ]
Is there any other way to get the encrypted password without using a plain-text password or via the UI?
The Get User Encrypted Password REST API requires that the request be authenticated using a clear-text password, i.e. when submitting the request to Artifactory, the password provided for authentication needs to be in clear text.

Drupal 8 OAuth2: add a grant type "password" to client

I work on a Drupal 8 project and created a REST API; everything works fine until I want to add OAuth2. When I try to get a token I get an invalid grant type error.
This is the error code:
{
"error": "invalid_grant",
"message": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.",
"hint": "Check the configuration to see if the grant is enabled."
}
This is the URL that I called:
http://myserver/oauth/token?grant_type=password&client_id=6db9da8d-b831-4381-b279-381bc5a57e90&scope&username=webmasterrest&password=webmasterrest&client_secret=$S$EamACyfemGWic74kmkwUvphMmr9FL132KC297mI1GEkTKhyBJyAo
I added a client, but I can't add the grant type "password" to this client. Any help please?
To add OAuth 2 authentication:
Install the module using Composer: composer config repositories.drupal composer https://packages.drupal.org/8 && composer require drupal/simple_oauth:^2. You can use any other installation method, as long as you install the OAuth2 Server Composer package.
Generate a pair of keys to encrypt the tokens, and store them outside of your document root for security reasons.
openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout > public.key
Save the path to your keys in: /admin/config/people/simple_oauth.
Go to REST UI and enable the oauth2 authentication in your resource.
Create a Client Application by going to: /admin/config/services/consumer/add.
Create a token with your credentials by making a POST request to /oauth/token. See the documentation about what fields your request should contain.
(Not shown) Permissions are set to only allow to view nodes via REST with the authenticated user.
Request a node via REST without authentication and watch it fail.
Request a node via REST with the header Authorization: Bearer {YOUR_TOKEN} and watch it succeed.
From this
NOTE: I used drupal/simple_oauth version 2.x because I got an exception on version 3.x

Create per-user admin key in Simperium

The HTTP API docs request that a special token be created for several operations (e.g. List Buckets, All Changes):
X-Simperium-Token — Authentication token must have been created using an API key that has admin privileges
How do I create this token?
I have tried a few things:
curl -H 'X-Simperium-Token: {my admin key}' https://api.simperium.com/1/{app_name}/buckets.
This results in the "meta" buckets {"buckets": [{"name": "exception"}, {"name": "code"}, {"name": "message"}]} which is kind of interesting.
curl -H 'X-Simperium-API-Key: {my admin key}' -d '{"username":"{valid user}", "password":"{valid password}"}' https://auth.simperium.com/1/{app_name}/authorize/.
Result: invalid app credentials
Authorize with my normal key, which works fine and gives me an access token which I can use for the other (non-admin) operations.
My thinking is that I need to pass in my admin key into 'authorize' somehow and generate an auth token blessed with admin privileges for this user (to list all of his buckets, for example).
Thanks in advance.
You should be able to use the admin key directly for the token anywhere that requires a token that was created with an API key with admin privileges. We're currently working on the UI to actually create these API keys with different options. In the meantime, you can either use the admin key from your dashboard directly, or contact us and we can create one for you.
