I am having an issue in that I am able to authenticate into my instance's Looker API endpoint (:19999), but on subsequent requests to pull data I get failed auth message.
How does Looker know then that I am authenticated if I'm not passing the client/secret keys on subsequent requests?
Looker's API authentication endpoint returns an access token to use on subsequent API requests. Access tokens expire after 1 hour, at which point a new access token must be obtained.
Example:
$ curl -X POST "https://mylookerhost:19999/api/3.0/login?client_id=myclientid&client_secret=myclientsecret
{"access_token":"someaccesstoken","token_type":"Bearer","expires_in":3600}
someaccesstoken is then passed as a header on each API call:
$ curl --header "Authorization: token someaccesstoken" https://mylookerhost:19999/api/3.0/user
Or as a URL parameter:
$ curl https://mylookerhost:19999/api/3.0/user?access_token=someaccesstoken
Related
I'm trying to get info from google analitics from api but always get this error:
I've made OAuth2 and got token, but I don't know where to put it.
Can someone explain what have I done wrong?
The issue you are having is that the call has not bee authorized. To access private user data you need permission which means you need to send a properly authorized access token along with your request
This is sent as an Authorization header, something like this.
curl -X POST -H "Authorization: bearer xxxxxxxxxxxxxx" "https://analyticsreporting.googleapis.com/v4/reports:batchGet"
I am using WSO2 Identity Server 5.10 and API manger 3.2.
When I generate JWT access token, it does not contain required scopes wrt to the roles assigned to the user.
Role validation of the user is not happening during JWT token generation. All the scopes passed during token generation are been granted to the user without validating user roles.
When we generate JWT access token for a user say "operator" with only "view_role" by passing all the created scopes in the token api body like 'scope=openid,create_scope, view_scope, edit_scope'.
In token api response able to see all the scopes which are passed during token generation.
The issue is seen only on a HA setup not on single node setup.
Token Api curl:
curl --location --request POST 'https:///oauth2/token'
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'grant_type=password'
--data-urlencode 'password=xyz#123'
--data-urlencode 'username=abc#tenant.com'
--data-urlencode 'client_id=xxxxxx'
--data-urlencode 'client_secret=xxxxxx'
--data-urlencode 'scope=openid operator_access_scope admin_access_scope creater_access_scope
adaptor_admin_access_scope
Steps to reproduce:
Create different scopes associated with Roles(Ex: "create_scope" with "create" role associated, similarly edit_scope, view_scope) in publisher portal( APIM 3.2).
Assign the scopes to some resources.
Create new user with only "view" role assigned.
Generate JWT access token by passing all the scopes in the body (scope = openid, create_scope edit_scope view_scope)
Notice that all the scopes passed during token generation are granted even though user has only "view" role expected is only view_scope has to granted for the user.
My Requirement is: I need to pass all the scopes created under publisher portal to the token api but token should be granted with only those scopes which are relevant to roles assigned to the user. This behavior is working fine in one of our single node setup. Did I miss any configuration changes for HA setup. Please assist.
I'm trying to refresh the users auth token on the server in NextJS, currently I have the token set in cookies that I access like this:
export async function getServerSideProps(ctx) {
const cookies = nookies.get(ctx);
try {
const client = useClient(cookies.token);
// etc
}
}
unfortunately if the token has expired this will fail with the token has expired error.
I do have access to the refresh token but not sure how to use it, firebase.auth().currentUser is undefined in getServersideProps as well
I had similar issue using NuxtJS and the easiest way is to redirect user to a different page where you can get a new Firebase ID Token on client side and then refresh the cookie. For example, you may redirect to a page something like https://domain.tld/auth/refresh?redirect_uri=/dashboard. The query parameter redirect_uri tells where the user was and must be redirected back after refreshing the token.
If you want to avoid the redirect, you would have to store the "Refresh Token" on your server side. I am not sure how secure that will be but don't store refresh token in cookies. But just in case you are wondering how to get new Firebase ID Token using the refresh token, you can make a POST request to this URL:
https://securetoken.googleapis.com/v1/token?key=FirebasePublicAPIKey
The API key is available in your Firebase Config. The body for this POST request seems to be URL encoded and has grant_type and refresh_token fields.
Here's a cURL request for the same:
curl "https://securetoken.googleapis.com/v1/token?key=firebaseAPIKey" \
-H 'Content-Type: application/x-www-form-urlencoded' \
-X POST \
-F 'grant_type=refresh_token' \
-F 'refresh_token=firebaseRefreshToken'
I just used Chrome DevTools to check how tokens are refresh and found that.
The first method sounds safer to me and I personally use it over storing refresh tokens somewhere on server or cookies. In fact, I use custom JWT tokens from my server in cookies instead of Firebase ID Tokens themselves.
I've enabled events for my project in the Device Access Console and provided a Pub/Sub topic, but I'm not receiving them. I am able to successfully authorize accounts and list devices for the authorized user.
After events are enabled through the Device Access Console, you must initiate them using a one-time call to list devices after you receive an access token for each authorized account. This initial call finishes the authorization process and enables events to be sent to your Pub/Sub subscription.
For example, a simple cURL call like this will initiate events:
curl -X GET 'https://smartdevicemanagement.googleapis.com/v1/enterprises/[project-id]/devices' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer my-access-token'
I'm trying to test my application that uses Firebase for push notifications using postman.
I'm specifically testing the Http v1 Api, and looking how to authorize the request.
What I need to get right is getting the OAuth2 token to use in Postman, which I should be able to do on the OAuth 2.0 playground although I'm not sure how.
I have my privatkey.json file that I've downloaded from the firebase console, I just need to know how to use it to get the token that I would add as a bearer authorization header for my POST requests
I was able to send a message through the FCM v1 HTTP API by requesting the following scopes in the OAuth2 playground:
email, https://www.googleapis.com/auth/firebase.messaging
After authorizing this, I exchanged the authorization code for refresh and access tokens.
I then passed the resulting access token into the call with FCM:
curl -X POST -H "Authorization: Bearer MY_ACCESS_TOKEN" -H "Content-Type: application/json" -d '{"message":{
"notification": {
"title": "FCM Message",
"body": "This is an FCM Message",
},
"token": "MY_DEVICE_TOKEN"
}
}' https://fcm.googleapis.com/v1/projects/MY_PROJECT_ID/messages:send
In the above CURL request replace the following placeholders with the relevant values for you:
MY_PROJECT_ID is the Firebase project ID, which you can get from the project settings page in the Firebase console
MY_DEVICE_TOKEN is the registration token of the device that you want to send the message to. For a web client, see how to get the current registration token.
MY_ACCESS_TOKEN is the OAuth2 access token that you got from the OAuth2 playground using the steps outlined above.
The FCM documentation on authenticating FCM v1 requests may be confusing since it only calls out the OAuth2 token. It actually first generates a self-signed JWT (JSON Web Token) by calling new google.auth.JWT(...). This involves downloading a private key, and generating the JWT locally through a JWT library.
The self-signed JWT is then passed to jwtClient.authorize(...), which gives back tokens including an access_token. The latter is an OAuth2 access token, similar to the one we got above.
I created a small project on hithub that includes both a postman collection and environment and nodejs project that uses the downloaded service-key.json to generate an access token which solves my problem above. It's not as elagent as using only postman (which to me seems impossible), but it works well enough since the access tokens live for about an hour.