can not find fortumo "API KEYS" section - fortumo

As the Fortumo documentation says:
JWT based authentication Before using the JWT based authentication,
you will need to add a public key under "API keys" section in your
Fortumo Dashboard. Refer to Preparing SSH keys guide on how to
generate the public and private key pair.
https://merchants.fortumo.com/integration-and-testing/hosted-dcb/hdcb-security/
But I can't find it on the dashboard. In the General section there is a "Secret" field further down. Is that it? Where can I set the Fortumo public key?

As noted in Fortumo's documentation:
Hosted DCB is an on demand payment product. In order to gain access to the product, please contact your account manager.
If you don't have an account manager, you can get in touch with them here.

Related

How to Grant Access to specific API for a user in WSO2 API Manager?

I created a user with username aggr1. When I log in to the dev portal with aggr1's credentials, I can access all of the published APIs. How can I force this particular user to only see two or three APIs in the Dev Portal?
Thanks
You can manage access to APIs through roles.
When creating an API, on the first page you have a dropbox "Access" (or "Visibility" or something like that) with default value All.
You can list the roles which are required to see the API in the dev portal, and then assign (or not) the roles to the user.
By default, APIs are set to public and any user who logs into the devportal can see the APIs. You can set visibility based on role or on domain. Please refer to the documentation - https://apim.docs.wso2.com/en/latest/learn/design-api/advanced-topics/control-api-visibility-and-subscription-availability-in-developer-portal/#control-api-visibility-in-the-developer-portal

Do I need to Treat the Firebase Service Account Name as a Secret?

When I create a Firebase service account for the admin SDK, I retrieve credentials that include the service account name and private key to authenticate.
I'm managing the private key as a "secret" environment variable in my build tool, i.e. it won't be exposed to other users of the build tool.
Is it advised to also maintain the service account name as a secret or is it safe to expose it to other developers? I'm kind of comparing it to accessing an email account, where the email address is publicly known (compare: account name), but the password to the account stays secret (compare: private key), but I may be wrong here.
No, there is no need to worry about that name of the service account that you use. It's just the key that is used to help you identify the credentials, and has no meaning in securing those credentials.
If someone would be able to retrieve your full credentials based on the service account name, I'd say the problem is much bigger than just those credentials.

Is there a way to enable Firebase Auth via Email through an API/CLI?

We are transitioning to using Terraform to create our architecture on Google Compute, and part of it utilises Firebase for the front-end. So far, I have managed to get this all working fine, but have hit a snag on Firebase Auth. Essentially, I want to allow 'Email/Password' authentication on a Firebase project programmatically.
The above shows where you find the setting in the UI console, but I want to be able to do that via an API/CLI, and also set the 'Authorised Domain'.
Yes, as of November 2022, this is now possible, either using Terraform, or the gcloud CLI and a bit of scripting. Both methods make use of the REST Identity Toolkit API.
If using Terraform: Your config file needs to specify a google_identity_platform_project_default_config resource: the documentation for it is available here. By way of example – assuming you've already declared a google_project resource called my_project, you could add the google_identity_platform_project_default_config resource as follows:
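    resource "google_identity_platform_project_default_config" "myconfig" {
      # Refers to the google_project resource named my_project
      project = google_project.my_project.project_id
      sign_in {
        allow_duplicate_emails = false
        anonymous {
          enabled = false
        }
        email {
          enabled = true
          # false also permits email-link sign-in; true requires a password
          password_required = false
        }
      }
    }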
This would enable email+password authentication, disallow anonymous access, and disallow duplicate email addresses.
If using the gcloud CLI: This would be a good deal fiddlier. I haven't tested it out completely, but it is presumably equivalent to what Terraform is doing behind the scenes. You need to obtain a service account access token, then use cURL (or a similar tool/API) to amend the Identity Toolkit configuration using the PATCH method (documentation here), supplying the token in the "Authorization" header.
gcloud lets you get an access token using the command gcloud auth print-access-token, but according to this 2021 blog post [1] by #DazWilkin, the token obtained using your regular human credentials can't perform the necessary PATCH operation; you need to use a token backed by a service account that has the correct permissions.
The blog post gives further details, but roughly, the steps are:
1. Create a service account and give it the correct permissions. (Not necessary if you already have an appropriate service account; such an account can be created either using the Firebase console or Terraform's google_service_account resource.)
2. Create a JSON service account key file. (Not necessary if you already have a key created, plus a JSON file for it. These JSON files contain an object with the keys "project_id", "private_key_id", and "private_key", and are exactly the same sort of file as gets generated from the Firebase console if you go to "Project Overview" / "Project Settings" / "Service Accounts" / "Generate new private key". They can also be created programmatically using Terraform's google_service_account_key resource.)
3. Allow gcloud to perform operations using the service account's permissions, by running gcloud's "auth activate-service-account" subcommand: something like
    $ gcloud auth activate-service-account --key-file=/path/to/key-file.json EMAIL_ADDRESS_OF_SERVICE_ACCOUNT
4. Obtain an access token for the service account by running gcloud auth print-access-token EMAIL_ADDRESS_OF_SERVICE_ACCOUNT.
5. Supply that token in the header of an HTTP PATCH request using cURL.
For more details, see the blog post; it's concerned with amending the "authorized domains" list for a Firebase project, but enabling email/password authentication would be very similar.
[1] Also mentioned in this stackoverflow answer.
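The gcloud/cURL procedure described in the answer above, sketched end to end as an added example (not code from the answer or the linked blog post). It assumes the Identity Toolkit Admin v2 `projects/{project}/config` endpoint with an `updateMask`; PROJECT_ID, SA_EMAIL and KEY_FILE are placeholders, and the helper function names are made up for this example.

```bash
# Added example, not from the answer or the linked blog post.
# PROJECT_ID, SA_EMAIL and KEY_FILE are placeholders supplied by the caller.

# Identity Toolkit Admin v2 config endpoint; updateMask limits which fields change.
config_url() {          # $1 = project id, $2 = comma-separated field mask
  printf 'https://identitytoolkit.googleapis.com/admin/v2/projects/%s/config?updateMask=%s' "$1" "$2"
}

# Request body enabling the Email/Password provider.
email_signin_body() {   # $1 = true|false for passwordRequired
  printf '{"signIn":{"email":{"enabled":true,"passwordRequired":%s}}}' "$1"
}

enable_email_auth() (   # $1 = PROJECT_ID, $2 = SA_EMAIL, $3 = KEY_FILE
  gcloud auth activate-service-account "$2" --key-file="$3" || exit 1
  token=$(gcloud auth print-access-token "$2") || exit 1
  # Feed the Authorization header on stdin (curl >= 7.55) so the bearer
  # token does not show up in the process list.
  printf 'Authorization: Bearer %s\n' "$token" |
    curl -sS --fail -X PATCH -H @- -H 'Content-Type: application/json' \
      --data "$(email_signin_body true)" \
      "$(config_url "$1" 'signIn.email.enabled,signIn.email.passwordRequired')"
  status=$?
  gcloud auth revoke "$2" >/dev/null 2>&1   # drop the cached credential
  exit "$status"
)

# Run only when asked to: ./script.sh --apply PROJECT_ID SA_EMAIL KEY_FILE
if [ "${1:-}" = "--apply" ]; then
  enable_email_auth "$2" "$3" "$4"
fi
```

The key file is the real secret here: keep it out of version control and delete or rotate it once the configuration has been applied.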

mailgun Error":"exposed account credentials

I am attempting to validate an email but when I follow the mailgun docs and have code such as follows
https://documentation.mailgun.com/en/latest/user_manual.html#email-validation
    import requests

    EMAILPUBLICVALIDATIONKEY = 'my sexy key'

    def validateemail(emailaddress):
        # HTTP basic auth: user "api", password is the public validation key
        return requests.get(
            "https://api.mailgun.net/v3/address/validate",
            auth=("api", EMAILPUBLICVALIDATIONKEY),
            params={'address': emailaddress}
        )
I get the response
["{"Error":"exposed account credentials"}"]
I haven't actually gotten this error in MailGun before. But I'm assuming exposed account credentials means that your API key got exposed and they deactivated it in order to try to protect you.
Kinda unrelated, but GitHub recently released a feature where they will scan commits for API keys and tokens and notify the company that it was exposed. Doesn't look like as of posting this MailGun is on that list, but there is also a slim chance since it's in beta that list hasn't been updated. https://help.github.com/articles/about-token-scanning/
This is most likely due to exposing a Mailgun API key on Github. I had the API key in a file and commented it out but still got flagged. If you file a ticket on Mailgun, a reply will be sent with these instructions:
Due to the compromise, you will need to take a few steps to secure your Mailgun account:
- Remove the repository from Github or making the repository private. A new commit will not overwrite the previous commit history which contains the password.
- Please log in to the Mailgun Control Panel and reset your Mailgun account password. Click your email address in the top right, "Edit Account Info" -> "Password Change" section.
- Enable 2 Factor Authentication. Click your email address in the top right > Security > Two-Factor Authentication section.
- Reset your Mailgun API key. Under "Account Settings" -> "Security" click the refresh symbol to generate a new API key.
- Reset your SMTP credentials. Go to the "Domains" tab and repeat the following process for each domain listed in this view.
I don't THINK Mailgun was on that list. But they could have been added.
It is official now (May 23rd, 2019): "Token scanning"
Token scanning is now generally available in all public repositories.
Additionally, token scanning now supports detection of new token types from Alibaba Cloud, Mailgun, and Twilio.
The full list is on "About token scanning".
See more at "Token scanning".
You need to go to your Mailgun account, a banner will say that your account has been suspended, then you have to contact support to unlock it
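The Mailgun support instructions quoted above note that a new commit does not overwrite the history containing the credential. The following added example (not part of the thread) shows this on a throwaway repository: the key is gone from the working tree but still found in history, which is why the key has to be reset. The key value and function names are constructed for the example.

```bash
# Added example (not from the thread): a key deleted in a later commit is
# still readable from history. The key below is a constructed dummy value.

FAKE_KEY='key-EXAMPLE-constructed-0000'   # constructed, not a real key

# Create a throwaway repo: commit 1 adds the key, commit 2 removes it.
make_demo_repo() (   # prints the repo path
  dir=$(mktemp -d) && cd "$dir" || exit 1
  git init -q .
  g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }
  printf 'MAILGUN_KEY = "%s"\n' "$FAKE_KEY" > settings.py
  g add settings.py && g commit -q -m 'add settings'
  printf '# key removed\n' > settings.py
  g commit -q -am 'remove key'
  printf '%s\n' "$dir"
)

# Number of commits on any ref whose diff adds or removes the string.
commits_touching() (   # $1 = repo, $2 = literal string
  cd "$1" || exit 1
  git log --all --oneline -S"$2" | wc -l | tr -d ' '
)

# Exit 0 if the string is present in the tracked files of the checkout.
in_worktree() (        # $1 = repo, $2 = literal string
  cd "$1" || exit 1
  git grep -q -F -e "$2"
)
```

Running `commits_touching` over your own repository for a leaked value tells you how far back the exposure goes.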

send google oauth email and password

I'm using OAuth to authenticate with Google Calendar, but I'm trying to send the user and password to avoid opening the authentication popup.
It's like automatic authentication.
Is it possible?
Thanks.
Since you want your application to always create events in a single calendar that is under your control, here is how I would do it:
1. Create a service account in Google Cloud Console - recent instructions on how to do so can be found here: google oauth2 how to get private key for service account
2. Share your calendar with that service account: https://support.google.com/calendar/answer/37082?hl=en
3. Write your code to use the service account credentials (private key downloaded in step 1).
I didn't post any sample code, as I'm not sure what language you are using. The following has some discussion of this use-case in PHP: Access Google calendar events from with service account: { "error" : "access_denied" }. No google apps
