Sabre getting started V3 AuthToken V3 - sabre

I am trying to access https://api-crt.cert.havail.sabre.com/v3/auth/token from the postman with valid base64 encoded Authorization header.
What is the valid value for username? Isn't it same which I used for registration. Document showing it as EPR in form 'user-group-domain'. Please help
I am getting an error.
{
"error": "invalid_client",
"error_description": "Credentials are missing or the syntax is not correct"
}

Go to: https://developer.sabre.com/user/{YOUR_USER}/applications
There you'll see YOUR_USER's application
Your user is what you have below Client ID and the password is below Client Secret. On that you have: Base64(Base64(Client ID):Base64(Client Secret)) (this is generic, to show how it should be coded.
This will only work on CERT environment.

It may be obvious what I am going to talk about, but you must have a SABER GDS authorized user to use this service.
If you do not have an authorized web user you will not be able to make the service work.
Ask Sabre or the agency that you represent this user to access, because without this credential correctly released you will not be able to make any REST / SOAP services work.
You can download the postman functionality package from the link below:
https://github.com/SabreDevStudio/postman-collections
https://developer.sabre.com/product-catalog?f%5B0%5D=product_type%3Aapi_reference

Related

How to use directus /auth/refresh correctly?

I'm using directus to grant users access to ressources required by an SPA written in Angular. To authenticate users I created an auth service and interceptor to handle sessions and attach the "Authorization" header. Those services work fine and login as intended. But here comes the problem:
Directus session times are configured with default values (15 min validity for access_token, 7d for refresh_token) but as soon as the access_token expires I cannot retrieve a new one using the refresh token. This bugs me, because the goal is to keep users logged in for the next 7d (refresh_token lifespan) or until logout if they check this option.
My attempts at achieving this:
Since i'm using graphQL, i tried the "auth_refresh" mutation from the authentication documentation. While the access token is still valid, refreshing works fine. After the access token expired there is no way to retrieve a new one via a valid refresh token.
Alternatively I tried to achieve a refresh via the POST request specified by the docs (to double check if it was some sort of config error with graphql) but I encounter exactly the same problems as with graphQL. Directus returns either "401 unauthorized : Token expired."
if i extend the lifespan of the access token for longer than the server defined lifetime,
Response: Sending a token with prolonged life
or "401 unauthorized : Invalid user credentials." if I request a new token without an
"Authorization" header.
Response: Sending no access token
The refresh token is correctly loaded and sent to the server as specified in the docs in both
cases.
Now my questions are:
Am I missing something? I haven't found any further specification in the docs and the Auth0 protocol specifies that a new access token should be retrievable with a valid refresh token.
If this feature is not intended: How could I achieve a "keep me signed in" option with directus? I would like to keep user rights management in one place and do not really want to handle user auth redundantly for my current use case.
2b. Why is the lifespan of the refresh token so much longer than the lifespan of the access token if this isn't intended?
One of my thoughts is, that it has to do with access rights of the "public" role on the "directus_sessions" table. But I can't think of a way to grant only read rights for owned/received tokens, since there are no payload variables available inside the filters. Could this be the cause? Would there be a way to achieve this?
Thx&Greetz

Calling Microsoft Graph API from AAD Authenticated .NET Core API

I currently have a web application that uses Azure AD to authenticate a user. This generates a JWT token which is then sent to my .NET Core Web API, which authenticates and authorizes successfully. The relevant parts of the JWT token that is sent across looks like this when put into jwt.ms (if you need more on this let me know and I can update this):
"aud": "api://<api-clientid>",
"appid": "<webapp-clientid>",
"hasgroups": "true",
"oid": "<userid">,
"tid": "<tenantid>"
I need to get to the groups that the user is a part of, and as the user is part of more than 6 groups, I need to make a call to the Graph API in order to return all groups for the user. This is documented in the description of the access tokens here, which states I should make a call to https://graph.microsoft.com/v1.0/users/{userID}/getMemberObjects.
I have tried using Postman to create a token to authenticate with the Graph API through the on-behalf-of flow, but I get the below error (removed irrelevant parts):
{
"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID '<api-clientId>' named '<api-displayName>'. Send an interactive authorization request for this user and resource...",
"error_codes": [
65001
],
"suberror": "consent_required",
...
}
I've tried following the web API that calls web APIs guide which seems to do exactly what I want to, using the Microsoft.Identity.Web. When I have tried this, I run into a similar issue with a MicrosoftIdentityWebChallengeUserException saying that I require more consent from the user. I tried changing the audience of the token to be for https://graph.microsoft.com/ but this then fails the authorisation to my web API, and I cannot have multiple endpoints in the audience of the JWT. I also tried using ITokenAcquisition as described here, but this did not work either, with a similar error to Postman.
Finally, I tried following this sample which also appears to do what I require, where I made sure my web API and my web client were set up in the same way that they do. The only change I had to make was a small change to the manifest of the API to include the client application Id in the "knownClientApplications", but this doesn't seem to have made any difference.
I feel like I'm missing something simple here, where either my web application needs to know that my web API might need permission to the Graph API, or I'm missing more configuration on my Azure AD. Any help would be greatly appreciated, and if more information is needed I'll provide as much as I can!
The error message says that admin has didn't consent the application.
Login to Azure AD as Global Administrator and Grant admin consent API permission via App registrations -> API Permissions -> Add a permission -> My APIs -> A -> Application permissions to fix this issue.To fix this issue.

LinkedIn V2 Profile API not properly returning email

I am attempting to use the LinkedIn V2 Profile API to aid in signups for my website.
I have properly implemented the "Sign in with LinkedIn" button on my website, set up the OAuth 2.0 callback, and my server properly swaps the OAuth 2.0 Access Code for the user's Access Token.
To do this, I am using the Python linkedin_v2 library linked here.
I am then attempting to grab the user's profile, and obtain their first name, last name, and email, to store in my database as a method of signup. I have confirmed that my application requests r_emailaddress, r_liteprofile, and r_member_social accesses.
To obtain their profile, I have attempted the following methods:
Using the Python Library linked above to create an application with the users access token and request the profile as follows:
application = linkedin.LinkedInApplication(token=accessToken)
profile = application.get_profile()
Unfortunately, this method only returns the user's first name, last name, and id, even when I include selectors=['email-address'] as a parameter to the get_profile() function, as specified by the library documentation.
Sending a GET request using the Python requests library https://api.linkedin.com/v2/people/(id:{person ID}) with headers that include Authentication: Bearer {user access token}.
Unfortunately, this method results in a 403 (forbidden) error.
I am curious of the following things:
Why do I obtain a 403 when querying the Profile API using the request library, when the same access token works to query the API through the Python linkedin_v2 library?
Does anyone know of how to use the python_linkedin_v2 library to obtain an email address with the profile?
Does anyone know of a better library to use in order to accomplish my goal of obtaining profile information regarding users whom are logging into my product using linkedin?
Do I need any additional permissions in order to access my users' emails from LinkedIn?
Thank you so much for your help, and I look forward to discussing potential solutions with all of you.
-Rob

How to get an accessToken by linkedin

A client wants me to integrate his News from LinkedIn to his TYPO3 site.
Yes, I am one of more admins of the company page on linkedin, the app is verified by the client.
I have client_id and client_secret
When i do the request to get an accessToken, something like:
https://www.linkedin.com/oauth/v2/accessToken?grant_type=client_credentials&client_id=&client_secret=
the answer is
error "access_denied"
error_description "This application is not allowed to create application tokens"
I have no clue, what the necessary permissions are and where to set them.
Neither the linkedin backend nor the developers shows up with any proper link.
I know, this question has been asked before, but its about the permissions.
Please set me on the rail...
You are trying to use the 2-legged OAuth process which is by "client credentials" unfortunately that process is not available by default to all applications which is probably why you are receiving that message.
This is mentioned in the first paragraph of the documentation of the 2-legged OAuth process.
Your application cannot access these APIs by default
https://learn.microsoft.com/en-us/linkedin/shared/authentication/client-credentials-flow?context=linkedin/context
Your application needs access to enterprise linkedin products that can perform API requests that are not member specific in order to be able to use that process.
By default the application only have access to the 3-legged process which involve a GET https://www.linkedin.com/oauth/v2/authorization before making a request to get access tokens.
More information about the 3-legged process can be found here
https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin/context
I use the .net Packages CodeHelper.API.LinkedIn
.NET
using CodeHelper.API.LinkedIn;
LinkedInHelper _helper = new() {AccessToken = "{ACCESSTOKEN}" };
string _id = await _helper.GetAuthorID();
CURL
curl -H "Authorization: Bearer "
"https://api.linkedin.com/v2/me?projection=(id)"
More Information
CodeHelper.API.LinkedIn
Nuegt Pakcage

How to read the saml response that comes to the "../adfs/ls/"?

I am new to the SSO and SAML . We have to set up Single sign on the our customer site using ADFS 2.0 and we did that successfully and when we try to access ../adfs/ls/idpinitiatedsignon.aspx and it redirects to the customer site and if we enter the user name and password and it brings back to the idpinitiatedsignon.aspx page with you are signed in label. When i check the http transactions using SAML Tracer firefox plug in , i can see the <samlp:Response> is coming to our_site_name/adfs/ls/ and when i tried to access Request["SAMLResponse"] in idpinitiatedsignon.aspxpage , it shows as nothing.
how do i read the samlp:responsethat comes to my server and not
to particular page ?
I can see in the SAML Tracer that i'm getting <EncryptedAssertion>.How can i read the assertion values?
I'm answering from SAML and not from ADFS. Regarding question 2, i would expect that you would have received a block of XML called SAML Metadata that describes your customer's IDP. In that metadata, i would expect that you would receive your customer's public key (2.4.1.1 Element KeyDescriptor). I don't think it's possible to decrypt in SAML Tracer unless there is a way to install the encryption cert in the tool. My team has used the XmlSecTool, available from https://wiki.shibboleth.net/confluence/display/SHIB2/XmlSecTool, for verifying an XML signature pulled out of SAML tracer, but i don't know if anyone has a way to decrypt at the browser. Forgive me if you are asking more specifically at the ASDF level.

Resources