I am writing one app which does authentication using keystone v2.0 APIs, now while authentication /v2.0/tokens, I get the token for all the projects which the user does have access to.
Now when a project is added using horizon how I can get the token for that project, as I am not storing userid/password for the logged in user, and to get the token for the project, I need to send the /v2.0/tokens with the below POST data,
{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "user", "password": "password"}}}
But as I am not storing the userid/password, once user is logged in, then after wards how I can get token for the new project?
Is it necessary to store the user id/password somewhere which can be used later? If yes, then usually what is the best way to store user credentials?
Regards,
-M-
After looking into the keystoneclient code of v2, I got the answer, we can get the token of a new project using existing token itself
data = {"auth": {"token": {"id": token}}}
data['auth']['tenantName'] = tenantName;
Regards,
-M-
There are various modes of authentication , it can be token , password , oauth etc.
If you have requested unscoped token previously then you can use the unscoped token to get a scoped one (for a project/tenant).
Related
I am working on project using Next JS + NextAuth package. For user authentication we are using NextAuth with Custom Credentials provider. I am making a sign in REst API request to Firebase to get the user logged in and saving all necessary bits like Firebase tokens(access and refresh) in JWT.
The flow works.
Where i am stuck: Changing user password.
Password change is pretty straight forward using firebase client SDK. But I am using Firebase API:
https://firebase.google.com/docs/reference/rest/auth#section-change-password
the flow to change password requires:
Provide latest access token in API request above.
If the latest Access token is not provided, the API would send back error like: TOKEN TOO OLD or RE AUTHENTICATE
So this to work, we need to reauthenticate the user prior to making that change password request.
What I have managed to do:
When user request password change, user needs to provide current password.
Using the current password, i would re sign in user using API end point:
https://firebase.google.com/docs/reference/rest/auth#section-sign-in-email-password
This would work but now I need to update the latest access token in the JWT using NextAuth.
At this point i am stuck:
Refreshing the JWT using Next Auth; as soon as the user is re-signed-in and again when password is changed and new access token is sent back from Firebase.
When I try to refresh the JWT with new access token (etc) token using NextAuth client side callback: https://next-auth.js.org/tutorials/refresh-token-rotation
The application breaks due to access tokens are not synced on JWT and on firebase.
Questions:
Is my flow correct changing the user password?
Is there better way of doing this?
Any help is appreciated. Thanks
i know how to use Azure API in following way.
go to app registration and create new app
get "client id", "Directory (tenant) ID" and secret.
go to "API permission" section and add what API you want to access.
OR
use app-id as SP and add it to role like "billing reader" and it will work too.
then use /oauth2/token pass client_id and client_secret and get bearer token.
then use any API by passing "Bearer {{access_token}}" in header and everything works.
But
what if i want to use API like billing or Cost Management or "Microsoft.Storage/storageAccounts" but by my ID? what will be the flow? how to get bearer token from /oauth2/token by using my ID (my AD email)?
AND
is it possible to use my privilege but without me passing my password? can i authorize some app_id to emulate as me for like an hr ?
To generate bearer token in non-interactive way, Client credentials flow is mostly recommended.
If you want to get bearer token using your ID, you can make use of OAuth 2.0 ROPC grant flow.
I tried to reproduce the same in my environment and got the below results:
I generated access token via Postman by providing parameters like below:
POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
client_id : xxxxxx-xxx-xxx-xxxx-xxxxxxxx
grant_type : password
scope : https://management.azure.com/.default
username : sri#xxxxxxxxxxxx.onmicrosoft.com
password : xxxxxxx
client_secret : xxxxxxxxxxxxxxx
Response:
Using the above token, I'm able to call API to get list of storage accounts (Microsoft.Storage/storageAccounts) successfully like below:
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Storage/storageAccounts?api-version=2021-09-01
Response:
Please note that, password parameter is mandatory for this flow.
Reference:
Resource owner password credentials grant | Microsoft Docs
I need to use the authentication service from firebase. but use my existing authorization service.
Can i use user token, sessions info from firebase.auth().onAuthStateChanged(function(user) {})
what is the best way/ways to manage these kind of use cases.
Should i also store my user details cookies, token etc?
You can implement a custom provider for Firebase Authentication. In this process:
You sign the user in to your service with their credentials as usual.
You then mint a token based on the user's profile.
The user then uses that token to sign in to Firebase.
The entire process is quite well documented on the links I included above.
In the Symfony Lexik JWT Authentication bundle, It is explained how to authenticate users using a table in the database.
In my case, My users aren't in the database but are in another application that I can access via API calls.
Also, to retrieve the users from this API, all I have to do is send a token associated with every user and get his information.
This token is well handled and is unique for each user.
How can I change the way LexikJWTAuthenticationBundle authenticate users using this API instead of the database.
And after this authentication, I want the JWT token to contain all the user information so I won't have to call this API each time a request is made to my application.
I made this diagram to explain my situation:
I tried from my side building a custom ApiUserProvider and an ApiUserAuthenticator but I am struggling to get this working.
Any help?
Here's described how to manually create JWTs for users: https://github.com/lexik/LexikJWTAuthenticationBundle/blob/2.x/Resources/doc/7-manual-token-creation.md you should be able to use that in your endpoint which authenticates the user, and return your own JWT.
After authenticating the user, I save the authorization token insidea database. Than I save his Id inside a cookie. Each time he accesses a page I check to see if the cookie is there. If it s not there, I try to get another authorization cookie and replace the old in the database, and create that cookie.
I have a deep feeling I am wrong:0 Can you tell me how should I handle this?
You should not deal directly with cookies but use a SDK that do it for you. For C#, you can use the Facebook C# SDK. Check out the API Quickstart guide if you want to have a good overview.
You should store the token in you database only if you ask the offline_access permission when you get the access token because token expires after a few hours.
If you do ask for the offline_access permission when you get the token, then you can store it in your database and make API calls with that token anytime you want (without having to check the user session or cookie).
Hope that helps !