Google Recaptcha compatible on iframes with about:blank? - recaptcha-enterprise

I'm dealing with Google Enterprise reCAPTCHA v3 in invisible mode inside an iframe whose src is "about:blank".
The iframe is created empty, then the content is injected through our JavaScript library.
It works perfectly outside an iframe, but inside we're getting a very low score when sending the token to the API; the response is this:
{
  "name": "[hidden]",
  "event": {
    "token": "[hidden]",
    "siteKey": "[hidden]",
    "userAgent": "Mozilla/5.0 ([hidden]) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36",
    "userIpAddress": "[hidden]",
    "expectedAction": "[hidden]"
  },
  "score": 0,
  "tokenProperties": {
    "valid": false,
    "invalidReason": "BROWSER_ERROR",
    "hostname": "",
    "action": ""
  },
  "reasons": []
}
The API docs explain that BROWSER_ERROR is related to an internet failure or an attacker, but that is not our case.
Does anyone know what can be happening? Is it a bug, or am I doing something stupid?

Related

How to use/call amazon connect API StartChatContact & StartContactChat to initiate the chat channel?

I am trying to follow StartContactChat & CreateParticipantConnection to initiate the chat from third-party applications, e.g. Postman.
I want to route the chat to an agent on a "talk to agent" message from the API; the chat should be routed to the agent in Amazon Connect.
StartChatContact's request syntax is given like this:
PUT /contact/chat HTTP/1.1
Content-type: application/json

{
  "Attributes": {
    "string" : "string"
  },
  "ChatDurationInMinutes": number,
  "ClientToken": "string",
  "ContactFlowId": "string",
  "InitialMessage": {
    "Content": "string",
    "ContentType": "string"
  },
  "InstanceId": "string",
  "ParticipantDetails": {
    "DisplayName": "string"
  }
}
I have done this using the URL PUT https://connect.us-east-1.amazonaws.com/contact/chat and got the ParticipantToken, and am now trying to create the participant connection using CreateParticipantConnection at https://connect.us-east-1.amazonaws.com/participant/connection, but keep facing the error:
{
  "message": "Unable to determine service/operation name to be authorized"
}
I have added the participant token generated by StartContactChat in Authorization --> AWS Signature --> Session Token as well as in the header, but am still getting the AccessDeniedException.
The CreateParticipantConnection API does not belong to the same service as the StartChatContact API. As a result, https://connect.us-east-1.amazonaws.com/participant/connection is the wrong endpoint for the latter API. Instead, it should be https://participant.connect.us-east-1.amazonaws.com/participant/connection

AWS Api Gateway JWT Authorization - Getting 'Signing method HS256 is invalid' Error

I have set up an API Gateway with a JWT authorizer (the built-in one), but I cannot get it to accept tokens generated by Twitch. These are my JWS auth settings in AWS: https://i.stack.imgur.com/WR6Vi.png
I'm a bit confused about what 'audience' means, but I figured that has to be my Twitch extension secret since that's what the token is signed with in the first place.
I tried verifying it on https://jwt.io/ against the secret and it says the token is valid after ticking the "secret base64 encoded" box.
The problem is that every time I try to pass it in the header to the API, I get error="invalid_token" error_description="signing method HS256 is invalid".
This is the payload AWS receives:
{
  version: '2.0',
  routeKey: '$default',
  rawPath: '/',
  rawQueryString: '',
  headers: {
    accept: '*/*',
    'accept-encoding': 'deflate, gzip',
    'authorization': 'Bearer <MYTOKEN>',
    'content-length': '0',
    host: '<SOMETHING>.us-west-2.amazonaws.com',
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36',
    'x-amzn-trace-id': '<SOME ID>',
    'x-forwarded-for': '<SOME IP>',
    'x-forwarded-port': '443',
    'x-forwarded-proto': 'https',
    'x-real-ip': '<SOME IP>'
  },
  requestContext: {
    accountId: '<ID>',
    apiId: '<APP ID>',
    domainName: '<SOMETHING>.us-west-2.amazonaws.com',
    domainPrefix: '<SOMETHING>',
    http: {
      method: 'GET',
      path: '/',
      protocol: 'HTTP/1.1',
      sourceIp: '<SOME IP>',
      userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36'
    },
    requestId: '<SOME ID>',
    routeKey: '$default',
    stage: '$default',
    time: '26/Feb/2021:17:48:04 +0000',
    timeEpoch: 1614361684261
  },
  isBase64Encoded: false
}
As you can see, it receives the header and token just fine.
One thing I noticed is that when I decode the token, there is no issuer. How does AWS know that Twitch is the issuer?
{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "exp": 1614341073,
  "opaque_user_id": "U<SOME ID>",
  "user_id": "<SOME ID>",
  "channel_id": "<SOME ID>",
  "role": "broadcaster",
  "is_unlinked": false,
  "pubsub_perms": {
    "listen": [
      "broadcast",
      "whisper-<SOME ID>",
      "global"
    ],
    "send": [
      "broadcast",
      "whisper-*"
    ]
  }
}
As per the exception error="invalid_token" error_description="signing method HS256 is invalid", it is clear that either AWS services do not support the HS256 algorithm, or you have to change the configuration to inform the AWS services about the type of algorithm they should use in order to validate the token.
Two ways to proceed on this:
Let the AWS services know about the algorithm being used during token creation so that the AWS auth services use the same one to verify/validate the token.
Change the algorithm on the token issuer service side if the service allows you to do so.
Usually a token issuer uses one of the following algorithms when creating a JWT token:
HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, EdDSA
Audience Claim in Token
aud (audience): Recipient for which the JWT is intended.
How does AWS know that Twitch is the issuer?
You've already mentioned the JWS auth settings in AWS.

Random string returned from API gateway?

I am trying to retrieve the request body from an API Gateway proxy request. When I pass a body, I am getting a random string. The request works fine in Tests in API Gateway but not in the actual API.
The request I got was:
{
  "path": "/movie",
  "headers": {
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "none",
    "accept-language": "en-US,en;q=0.9",
    "postman-token": "e9f9216f-850d-1037-a2c9-d6a554f55813",
    "origin": "chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36",
    "X-Forwarded-Proto": "https",
    "Host": "8cfsbr5d62.execute-api.us-east-1.amazonaws.com",
    "X-Forwarded-Port": "443",
    "X-Amzn-Trace-Id": "Root=1-5ed9e7b8-94f205f0fed74580d6bb5bf0",
    "accept": "*/*",
    "X-Forwarded-For": "49.206.4.254",
    "content-type": "application/json",
    "cache-control": "no-cache",
    "accept-encoding": "gzip, deflate, br",
    "sec-fetch-dest": "empty"
  },
  "resource": "/movie",
  "queryStringParameters": {
    "movie": "ddk"
  },
  "httpMethod": "POST",
  "body": "ewoJIm1vdmllIjoiZ3BwIgp9"
}
It is base64 encoded:
base64 -d <<< ewoJIm1vdmllIjoiZ3BwIgp9
{
"movie":"gpp"
}
Thus you have to decode it in your lambda.
You can find more info about API Gateway base64 encoding/decoding here:
Content type conversions in API Gateway
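As an added example (not from the answer above or from AWS), a Lambda handler that decodes the base64-wrapped body that a '*/*' Binary Media Type setting produces, using the body string from the question in a constructed event. The content-type check and the size limit are assumptions of the example, not API Gateway behaviour.

```python
import base64
import json

# Constructed sample event, shaped like the proxy event quoted in the question;
# API Gateway sets isBase64Encoded when a matching Binary Media Type is configured.
SAMPLE_EVENT = {
    "path": "/movie",
    "httpMethod": "POST",
    "headers": {"content-type": "application/json"},
    "isBase64Encoded": True,
    "body": "ewoJIm1vdmllIjoiZ3BwIgp9",
}

MAX_BODY_BYTES = 64 * 1024  # assumed limit for this example; size-check before parsing


def json_body(event: dict) -> dict:
    """Return the parsed JSON body of a proxy event, whether API Gateway passed it
    as plain text or wrapped it in base64 because of a '*/*' BinaryMediaTypes setting."""
    raw = event.get("body")
    if not raw:
        raise ValueError("empty body")
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        raise ValueError(f"unsupported content-type {ctype!r}")
    if event.get("isBase64Encoded"):
        # validate=True rejects non-base64 junk instead of silently decoding it
        data = base64.b64decode(raw, validate=True)
    else:
        data = raw.encode("utf-8")
    if len(data) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    parsed = json.loads(data)
    if not isinstance(parsed, dict):
        raise ValueError("expected a JSON object")
    return parsed


def lambda_handler(event, context=None):
    try:
        body = json_body(event)
    except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueErrors too
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    return {"statusCode": 200, "body": json.dumps({"movie": body.get("movie")})}
```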
The problem was that I had the Binary Media Types configuration set to '*/*' since one of the APIs had an image payload. But that configuration affected JSON payloads as well, and the API started encoding any request body into an encoded string. In my case the string was not actually a random one; it was a Base64 encoded string.
Two options:
1) If you want to keep a generic Binary Media Type, then decode the Base64 string in Lambda
2) Keep a specific Binary Media Type in the API Gateway settings, e.g. image/*
I did accidentally deploy API Gateway with:
BinaryMediaTypes:
  - '*~1*'
...and noticed the request body to be base64. In the API I was working with it was unnecessary and I removed it.
However, it stayed in the AWS console: the POST request body was still base64 even after I removed BinaryMediaTypes in the AWS console.
I had to remove and re-deploy the whole stack to get rid of this.

WSO2AM REST API: refresh application subscribtion accessToken

I have an application that communicates with WSO2AM 2.1.0 using its RESTful API.
Right now I'm working on the application subscription part. I need to create a feature that is able to refresh the accessToken; it's the keys[0].token.accessToken from the JSON below.
GET https://localhost:9443/api/am/store/v0.11/applications/896658a0-b4ee-4535-bbfa-806c894a4015
Authorization: Bearer ae4eae22-3f65-387b-a171-d37eaa366fa8

HTTP/1.1 200 OK
Content-Type: application/json

{
  "groupId": "",
  "callbackUrl": null,
  "subscriber": "admin",
  "throttlingTier": "Unlimited",
  "applicationId": "896658a0-b4ee-4535-bbfa-806c894a4015",
  "description": null,
  "status": "APPROVED",
  "name": "DefaultApplication",
  "keys": [ {
    "consumerKey": "AVoREWiB16kY_GTIzscl40GYYZQa",
    "consumerSecret": "KXQxmS8W3xDvvJH4AfR6xrhKIeIa",
    "keyState": "COMPLETED",
    "keyType": "PRODUCTION",
    "supportedGrantTypes": null,
    "token": {
      "validityTime": 3600,
      "accessToken": "3887da6d111f0429c6dff47a46e87209",
      "tokenScopes": [
        "am_application_scope",
        "default"
      ]
    }
  }]
}
I ended up reading this documentation https://docs.wso2.com/display/AM210/Token+API and I think that is not the documentation I'm searching for. The token API there is used to refresh the access token to WSO2, not for refreshing the application subscription token.
Is there any way to do this?
The Store API uses the client-credentials grant type to generate an access token. That is why you don't get the refresh token in the response. You can do the following.
Use the API: https://docs.wso2.com/display/AM210/apidocs/store/
Create an application in the APIM Store. (/applications)
Get the consumerKey and consumerSecret of the application by generating the keys. (/applications/generate-keys)
Use the password grant type and generate a token. https://docs.wso2.com/display/AM210/Password+Grant

Actionable Message post to Azure Functions or Azure Logic Apps

If I want my Actionable Message to send an HttpPOST to an Azure Function or Azure Logic App, how do I get this working?
I have tried the following two scenarios without any luck:
Azure Function with Azure Active Directory authentication. When I call it, I get the following response:
{
  "innerErrorCode":"ProviderException",
  "innerErrorMessage":null,
  "authenticationUrl":null,
  "displayMessage":"The action could not be completed."
}
This target URL is registered in the Actionable Email Developer Dashboard.
The function is not even triggered, so the error is coming from the /actions/userid/messages/.../executeAction call.
Azure Function with no authentication; I get the following response:
{
  "innerErrorCode":"InvalidTargetUrlException",
  "innerErrorMessage":null,
  "authenticationUrl":null,
  "displayMessage":"Target URL 'https://mysite.azurewebsites.net/api/ActionableMessage' is not allowed."
}
Thanks
Can you share the actionable message JSON which you are using to send the mail?
You need to have an entry in potential action as an input along with the action that follows it, e.g. a multi-select of options represented as:
{
  "@type": "ActionCard",
  "name": "SelectResource",
  "inputs": [
    {
      "@type": "MultichoiceInput",
      "id": "<id_which_will_be_used_for_fetching_value>",
      "isRequired": true,
      "title": "Pick an option",
      "style": "expanded",
      "choices": "<choices_array>"
    }
  ],
  "actions": [
    {
      "@type": "HttpPOST",
      "name": "Select one of the resource for booking",
      "target": "your_azure_function_url",
      "body": "{{<id_of_the_input>.value}}" //will be received in function
    }
  ]
}