I'd like to assign multiple user assigned managed service identities to a VM Scale Set in Azure. I can do so by following the the docs.
What I have not figured out yet is how I can request a token for a specific identity.The docs for requesting a token via the IMDS endpoint do not mention any request parameters for specifying e.g. a clientId.
Any clues?
Christian,
You can request tokens for a particular managed identity, by passing in the client_id or object_id in the request. For example: curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/&object_id=<USERASSIGNED_OBJECT_ID>' -H Metadata:true -s
Our docs are being updated right now to properly include this info. Thanks for the note! :)
-Arturo
Previous answers provide the right pointer.
If you are using Azure SDKs to write your code, then you can use Azure.Identity library and the DefaultAzureCredential object as described here - https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme#specifying-a-user-assigned-managed-identity-with-the-defaultazurecredential
Related
I am trying to verify a HS256 JWT Token generated with locally ran KeyCloak Authentication Provider on https://jwt.io.
The KeyCloack instance is running on my local machine inside a docker container. I have applied almost the same steps as described in this answer (which on contrary applies the RS algorithm instead, and works as described): https://stackoverflow.com/a/55002225/1534753
My validation procedure is very simple:
1.) Request the token (with Postman) from my local docker KeyCloak instance with:
POST requesting http://localhost:8080/auth/realms/dev/protocol/openid-connect/token
2.) Copy the token contents inside the jwt.io's "Encoded" section
3.) I verify that the header and payload are as expected and correct
4.) I copy the client secret from my KeyCloak instance admin dashboard, you can see the reference on the image below:
5.) I paste the secret into the "VERIFY SIGNATURE" section on jwt.io and the "Encoded" token section changes, hence resulting with an invalid signature and a invalid (i.e. different) token.
My core question is what am I missing here? Why does the token change when I apply the expected secret!? Am I applying the right secret, the one from the client? If I understand JWT infrastructre and standard correctly then It should stay the same if the secret (with the expected algorithm applied) is valid. My reasoning is that something with JWT creation on KeyCloak is specific. I have not touched the HS256 algorithm provider on KeyCloak, everything is used as default with the docker installation guide on using KeyCloak. The settings related to the token and algorithm are setup to use HS256, and the algorithm is specified as expected in the JWT's header section correctly which can be verified after the encoded token is pasted into the jwt.io's page.
I need this to work as I am trying to apply the same JWT validation process inside a .NET Core web API application. I have encountered this whole issue in there, i.e. inside the System.IdentityModel.Tokens.JWT and the JwtSecurityTokenHandle.ValidateSignature method which results with an invalid signature and finally resulting in an exception.
On side note, I am accessing the token with Postman and its Authorize feature the configuration can be seen on the image below:
One more side note is I have a user "John" which belongs to my "Demo" realm. I use him to request an access token from KeyCloak.
To get the secret used for signing/verifying HS256 tokens, try using the following SQL:
SELECT value FROM component_config CC INNER JOIN component C ON(CC.component_id = C.id) WHERE C.realm_id = '<realm-id-here>' and provider_id = 'hmac-generated' AND CC.name = 'secret';
If you use the resulting secret to verify the tokens, the signature should match. I’m not sure if this secret is available through the UI, probably not.
Source: https://keycloak.discourse.group/t/invalid-signature-with-hs256-token/3228/3
you can try using Keycloak Gatekeeper.
If you want to verify that token in that way you need to change the Client Authenticator to "Signed JWT with client secret", otherwise you can use this "Gatekeeper" option. Here you can read more about it.
I'm trying to use the MS Academic Knowledge API. I signed up for keys here as per the docs
https://labs.cognitive.microsoft.com/en-US/sign-up
When I use the key I get errors as follows
api.labs.cognitive.microsoft.com:
Endpoint api.labs.cognitive.microsoft.com is not supported
westus.api.cognitive.microsoft.com:
'Access denied due to invalid subscription key. Make sure you are subscribed to an API you are trying to call and provide the right key.'
I'm not sure what is going on here and which endpoint I need to use
The following works for me:
https://api.labs.cognitive.microsoft.com/academic/v1.0/interpret?query=darrin%20eid&complete=1&count=10&model=latest&subscription-key=your_key
(replace "your_key" with your labs subscription key)
Additionally, you can see the URL you need to use for each different API when you use the "try it" test site
I am trying to set up my LUIS app in luis.ai (because it seems like I can't set it up in Azure directly?). Anyway, I have created a Language Understanding Intelligent Service (LUIS) (preview) resource, but when I enter one of the keys from that resource into "My Keys" in luis.ai, I get this error: "Bad Argument, Invalid Subscription Key"
Also, I just tried to publish an app with the bootstrap key and got the following errors:
{ "statusCode": 401, "message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription." }
As provided in comments, the solution is to use a correct end-point. This is not clear anywhere, but for the luis.ai portal, I have to use WestUS endpoint.
If I change to useing eu.luis.ai, I have to use the WestEU end-point.
To use european LUIS endpoint within Bot Builder C# SDK, just modify Luis Model parameters as follows:
[LuisModel("YOUR-LUIS-APP-ID", "YOUR-LUIS-EUROPEAN-KEY", domain:
"westeurope.api.cognitive.microsoft.com")]
Note that you'll need to export your LUIS app over EU.LUIS in order to access the correct endpoint.
Hope it helps.
I have been reading about creating an API which can be used to upload objects directly to S3. I have followed the guides from Amazon with little success.
I am currently getting the following error:
{"message":"Missing Authentication Token"}
My API call configuration:
The role ARN assigned is not in the image, but has been set up and assigned.
The "Missing Authentication Token" error can be interpreted as either
Enabling AWS_IAM authentication for your method and making a request to it without signing it with SigV4, or
Hitting a non-existent path in your API.
For 1, if you use the generated SDK the signing is done for you.
For 2, if you're making raw http requests make sure you're making requests to /<stage>/s3/{key}
BTW, the path override for s3 puts needs to be {bucket}/{key}, not just {key}. You may need to create a two-level hierarchy with bucket as the parent, or just hardcode the bucket name in the path override if it will always be the same. See: http://docs.aws.amazon.com/apigateway/latest/developerguide/integrating-api-with-aws-services-s3.html
for HERE REST api I have registered app_id and app_key and appended them in url but it is giving me this "error"Unauthorized","error_description":"Unauthorized. The request is not from an authorized source "
Also, the FAQs page mentions the following:
How do I generate an app_id and app_code for my application?
To generate an app_id and app_code for an application, you need to
sign in then go to https://developer.here.com/plans to select and
register for the appropriate plan.
At the final step in the registration process, an app_id and app_code
is automatically generated for your application.
Please note, it can take up to an hour for a new app_id to be whitelisted against all services.
So if you had just created your credentials when you got this error, you may want to try again.
Looking back at the error I received when I attempted to access the API, however, I got the following response:
{"details":"invalid credentials for I5zJljd5cZyOx5SyROKT","additionalData":[],"type":"PermissionError","subtype":"InvalidCredentials"}
So it may be that Jason's comment above is more appropriate but I'll leave this answer for other users who may come searching after creating new credentials.
A good way to check your credentials would be to make a valid URL call to any of the REST APIs - e.g. the Geocoder API: https://geocoder.cit.api.here.com/6.2/geocode.json?searchtext=London&app_id={YOUR_APP_ID}&app_code={YOUR_APP_CODE} - it gives an error response for an invalid pair.
As mentioned in the answer : Need separate credentials for WSE API? - you may need to request additional access for the HERE Platform extensions
selfservesupport#here.com here is the support. Describe ur problem and attach an snapshot where you get error at what request. (URL)