We want to disable UI access for our build users.
They cannot use plain-text passwords for REST APIs, for security reasons.
I am trying the following to get an encrypted password without allowing build users UI access.
- I created one build user (non-admin, with UI disabled)
- Created an access token for that build user using the admin account.
When I try to use the token to fetch the encrypted password of the build user, I get the following error.
ANYBRIDGEBUCK:~ jainish.shah$ curl -H "Authorization: Bearer $TOKEN" http://jainish.artifactory.com/artifactory/api/security/encryptedPassword
{
"errors" : [ {
"status" : 404,
"message" : "User not found: token:automation"
} ]
}
Is there any other way to get the encrypted password without using a plain-text password or the UI?
The Get User Encrypted Password REST API requires that the request be authenticated using a clear-text password, i.e. when submitting the request to Artifactory, the password provided for authentication needs to be in clear text.
Related
I'm working in an instance of AppDynamics where we log in using SSO, so we just type the name of our account and enter without a user/password.
I need to create a custom event and, according to this documentation https://docs.appdynamics.com/display/PRO43/Alert+and+Respond+API#AlertandRespondAPI-CreateaCustomEvent
what I would need is to run a curl like curl -X POST --user user1@customer1:secret 'http://demo.appdynamics.com/controller/rest/applications/5/events?severity=INFO&summary=test1&eventtype=CUSTOM&customeventtype=mycustomevent&propertynames=key1&propertynames=key2&propertyvalues=value1&propertyvalues=value'
The problem is, I don't have a user/password. If I don't type them I get a 401, as expected.
I can see my username in My Preferences, but I can't find any password in the application.
Is there something I could do to find that password, or something else that would make that POST work?
The credentials for an SSO user reside with the Identity Provider (on your side) not the Service Provider (AppDynamics).
So there are two options here:
Create (or ask an admin to create) an AppDynamics user in the Controller Administration UI. Then use the username / password from this user in your requests.
Create (or ask an admin to create) an API Client configuration in the Controller Administration UI. Then use the Access Token in your requests (Docs: https://docs.appdynamics.com/appd/22.x/latest/en/extend-appdynamics/appdynamics-apis/api-clients)
I know how to use the Azure API in the following way.
go to App registrations and create a new app
get the "client id", "Directory (tenant) ID" and secret.
go to the "API permissions" section and add whatever API you want to access.
OR
use the app ID as a service principal and add it to a role like "Billing Reader"; that will work too.
then use /oauth2/token, pass client_id and client_secret, and get a bearer token.
then use any API by passing "Bearer {{access_token}}" in the header, and everything works.
But
what if I want to use an API like Billing or Cost Management or "Microsoft.Storage/storageAccounts" with my own ID? What will the flow be? How do I get a bearer token from /oauth2/token using my ID (my AD email)?
AND
is it possible to use my privileges without me passing my password? Can I authorize some app_id to act as me for, say, an hour?
To generate a bearer token in a non-interactive way, the client credentials flow is mostly recommended.
If you want to get a bearer token using your ID, you can make use of the OAuth 2.0 ROPC grant flow.
I tried to reproduce the same in my environment and got the results below:
I generated an access token via Postman by providing parameters like the below:
POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
client_id : xxxxxx-xxx-xxx-xxxx-xxxxxxxx
grant_type : password
scope : https://management.azure.com/.default
username : sri@xxxxxxxxxxxx.onmicrosoft.com
password : xxxxxxx
client_secret : xxxxxxxxxxxxxxx
Response:
Using the above token, I'm able to call API to get list of storage accounts (Microsoft.Storage/storageAccounts) successfully like below:
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Storage/storageAccounts?api-version=2021-09-01
Response:
Please note that the password parameter is mandatory for this flow.
Reference:
Resource owner password credentials grant | Microsoft Docs
I am using the AAM plugin in our WordPress instance to be able to use JWT tokens for authentication. We are currently blocked by limited permissions for user roles other than administrator to refresh their token.
In detail, when calling wp-json/aam/v2/authenticate for a user with the role administrator and the body:
{
"username": "Sampleusername",
"password": "Samplepassword",
"issueJWT": true,
"refreshableJWT": true
}
everything works fine and a refreshable token is returned, which can be used with the endpoint wp-json/aam/v2/jwt/refresh to refresh the token without the need to provide username and password again.
When using a user with any role other than administrator, and the same body parameters (obviously with the username and password of that respective user), a 400 response is returned with the message:
{
"reason": "Current user is not allowed to issue refreshable JWT token"
}
We are trying to find the respective capability to add to the user role in order to enable refreshable tokens; can anyone help?
Many thanks in advance
Dirk
I work on a Drupal 8 project and created a REST API; everything works fine until I want to add OAuth2: when I try to get a token I get an invalid grant type error.
This is the error:
{
"error": "invalid_grant",
"message": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.",
"hint": "Check the configuration to see if the grant is enabled."
}
This is the URL that I called:
http://myserver/oauth/token?grant_type=password&client_id=6db9da8d-b831-4381-b279-381bc5a57e90&scope&username=webmasterrest&password=webmasterrest&client_secret=$S$EamACyfemGWic74kmkwUvphMmr9FL132KC297mI1GEkTKhyBJyAo
I added a client, but I can't add the grant type "password" to this client. Any help please?
To add OAuth 2 authentication
Install the module using Composer: composer config repositories.drupal composer https://packages.drupal.org/8 && composer require drupal/simple_oauth:^2. You can use any other installation method, as long as you install the OAuth2 Server composer package.
Generate a pair of keys to encrypt the tokens, and store them outside of your document root for security reasons.
openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout > public.key
Save the path to your keys at: /admin/config/people/simple_oauth.
Go to REST UI and enable the oauth2 authentication in your resource.
Create a Client Application by going to: /admin/config/services/consumer/add.
Create a token with your credentials by making a POST request to /oauth/token. See the documentation about which fields your request should contain.
(Not shown) Permissions are set to only allow to view nodes via REST with the authenticated user.
Request a node via REST without authentication and watch it fail.
Request a node via REST with the header Authorization: Bearer {YOUR_TOKEN} and watch it succeed.
From this
NOTE: I use drupal/simple_oauth version 2.x because I got an exception on version 3.x.
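Both the Azure AD answer above (ROPC against /oauth2/v2.0/token, then a Bearer call to management.azure.com) and the Drupal simple_oauth answer (grant_type=password against /oauth/token, then Authorization: Bearer {YOUR_TOKEN} on a REST resource) are the same OAuth 2.0 password-grant exchange. The following is an added example, not code from either answer or from Microsoft or the simple_oauth project: a small client that builds the form-encoded token request, checks the token response, reads the expiry out of the returned JWT, and sends the Bearer request. The HTTP transport is injectable so the demo() walk-through runs offline against a constructed fake server; the tenant, client, user and subscription values in demo() are placeholders, and the error body the fake returns is modelled on the invalid_grant object in the Drupal question.

```python
"""OAuth 2.0 password-grant (ROPC) client: token request + Bearer API call.

Added example. Works against Azure AD v2.0 (pass scope=...) and against
Drupal simple_oauth's /oauth/token (no scope needed). The `post`/`get`
callables default to urllib; demo() swaps in a constructed fake server.
"""
import base64
import json
import time
import urllib.parse
import urllib.request


def _default_post(url, headers, body):
    """Real transport: form-encoded POST, returns (status, body_text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


def _default_get(url, headers):
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


def password_grant_token(token_url, client_id, client_secret, username, password,
                         scope=None, post=_default_post):
    """POST grant_type=password to token_url; return the parsed token response."""
    form = {"grant_type": "password", "client_id": client_id,
            "client_secret": client_secret, "username": username, "password": password}
    if scope:  # Azure AD v2.0 wants e.g. https://management.azure.com/.default
        form["scope"] = scope
    body = urllib.parse.urlencode(form).encode()
    status, text = post(token_url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    data = json.loads(text)
    if status != 200 or "access_token" not in data:
        # RFC 6749 error object: error plus error_description (or simple_oauth's hint)
        raise RuntimeError(f"token request failed ({status}): {data.get('error')}: "
                           f"{data.get('error_description') or data.get('hint')}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    return data


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature. Inspection only:
    use it to read exp/aud of a token you were just issued, never to trust one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def bearer_get(url, token, get=_default_get):
    """GET url with Authorization: Bearer <token>; return (status, parsed JSON)."""
    status, text = get(url, {"Authorization": f"Bearer {token}", "Accept": "application/json"})
    if status == 401:
        raise PermissionError("token rejected (401): expired, wrong audience/scope, or revoked")
    return status, json.loads(text)


def make_unsigned_jwt(claims):
    """Build an alg=none JWT for the offline demo only (any real server rejects it)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def demo():
    """Offline walk-through against a constructed fake server (placeholder names)."""
    now = int(time.time())
    token = make_unsigned_jwt({"aud": "https://management.azure.com/", "exp": now + 3600})

    def fake_post(url, headers, body):
        form = dict(urllib.parse.parse_qsl(body.decode()))
        if form.get("grant_type") != "password" or form.get("password") != "xxxxxxx":
            return 400, json.dumps({"error": "invalid_grant",
                                    "hint": "Check the configuration to see if the grant is enabled."})
        return 200, json.dumps({"token_type": "Bearer", "expires_in": 3599, "access_token": token})

    def fake_get(url, headers):
        if headers.get("Authorization") != f"Bearer {token}":
            return 401, "{}"
        return 200, json.dumps({"value": [{"name": "stexample",
                                           "type": "Microsoft.Storage/storageAccounts"}]})

    tok = password_grant_token("https://login.microsoftonline.com/tenant-id/oauth2/v2.0/token",
                               "client-id", "client-secret", "sri@example.onmicrosoft.com",
                               "xxxxxxx", scope="https://management.azure.com/.default",
                               post=fake_post)
    claims = jwt_claims(tok["access_token"])
    status, body = bearer_get("https://management.azure.com/subscriptions/sub-id/providers/"
                              "Microsoft.Storage/storageAccounts?api-version=2021-09-01",
                              tok["access_token"], get=fake_get)
    return {"aud": claims["aud"], "ttl": claims["exp"] - now, "status": status,
            "accounts": [a["name"] for a in body["value"]]}


if __name__ == "__main__":
    print(demo())
```

For the Drupal case, call password_grant_token("http://myserver/oauth/token", client_id, client_secret, username, password) with no scope and pass the returned access_token to bearer_get on the node URL. The point of checking exp and the error object in code is that a rejected password grant and an expired or wrong-audience token both come back as plain JSON bodies that curl prints but does not act on; the client above turns each into a distinct exception.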
I generated the token using this file for authentication.
After that, I generated a REST URL by reading this document.
From my terminal I hit curl "https://sampleproject-763e9.firebaseio.com/USERS.json/?auth=<my generated token from the above file>".
For the generation of my token, I used these two things:
Enter User ID: userM1
My JSON, which I got from Firebase by going into Project settings -> Service accounts -> Admin SDK and clicking "Generate new private key".
I got this error:
{ "error" : "Invalid claim 'kid' in auth header: '5e3994c7ce7839ecbe22b9c01e0cc0e1db2593b1' with iat: '1505402027'" }.
This is how my database looks:
These are the rules for my private database. My output.
This is not the way to get authentication to a Firebase secret database.
After generating the token from the JSON, you have to generate an access token by signing in.