I didn't find enough documentation and examples about prehook implementations in Oracle ORDS.
In the implementation I would like to know how to get an HTTP header param with the user code, and then do a SELECT to verify that the user is allowed access (authorization).
When there is no access, it needs to return an error with code 403 (Forbidden).
I have configured my Azure Function with the out of the box Azure AD identity provider. When an unauthenticated request is made, it is returning the WWW-Authenticate header showing the realm, but missing the authorization_uri. This makes it impossible to use the function using Organization Credentials in Power BI, which requires authorization_uri to be present.
I believe this is an issue related to the "new" built-in EasyAuth, since the "classic" EasyAuth returned much more information, including resource_id. I have an older function to demonstrate:
The only workaround I have tried is to use Microsoft.Identity.Web in my Azure function code, but this is very hacky and adds a lot of complexity to otherwise simple code. EasyAuth keeps everything very simple and would work perfectly if it included more info in the WWW-Authenticate header.
How can I get a new Azure Function with EasyAuth enabled to return the authorization_uri in the WWW-Authenticate header in a 401 response?
Check your Authentication settings -> Unauthenticated requests. If it's not "HTTP 302", then Azure will not return authorization_uri and other data.
I am new to Informatica. I am trying to create a Swagger file to call a REST API.
I have given the following information and am getting an error. When I pass the same information in Postman, I get results. I am not sure what mistake I have made. Could anyone help?
Looking at the screenshot and the highlighted error, I suggest checking the authentication.
In your screenshot, AuthenticationType is set to None; however, the error clearly states that authentication is required and is failing with a 401 (Unauthorized Access) error.
To double check, you can try connecting to the same URL in Postman, and I am sure you will get the same error.
So, set Authentication Type to the relevant one. Basic is the most common, which works on a username/password combination.
I'm trying to understand how to use accessTokens in Loopback. I'm reading Loopback docs. But there is a broken link for the document I'm keen on reading. Where can I find that document?
Here is the text:
Make subsequent API calls using the access token. Provide the access
token in the HTTP header or as a query parameter to the REST API call,
as shown in Making authenticated requests with access tokens.
Here is the link for Making authenticated requests with access tokens that leads nowhere:
https://docs.strongloop.com/display/public/LB/Managing+users#Managingusers-Makingauthenticatedrequestswithaccesstokens
Looks like the link has been malformed. The correct link is:
https://docs.strongloop.com/display/public/LB/Making+authenticated+requests#Makingauthenticatedrequests-Makingauthenticatedrequestswithaccesstokens
Hi, I'll try and keep it brief, hope one of you guys knows the answer and I'm not duplicating content.
At the moment I'm using a bucket to take the strain off my server and upload large user files to Amazon. This is then reserved to them when they want it via expiring URLs. When the URL expires the user is sent an XML response to say access is denied, and I want to show them a custom error page.
Here Create my own error page for Amazon S3
and Here http://docs.aws.amazon.com/AmazonS3/latest/dev/CustomErrorDocSupport.html
It says you must enable web hosting on the bucket for custom error pages...
So the question is: if I do this, then just grant any user permissions to access just the custom error pages, will this mess anything up with my current usage scenario?
Or is it as simple as everything else stays the same? The docs seem vague and I don't want to mess up my current system...
Sorry if this is a noob question but everyone with the same problem in my research seems happy with the 'Enable hosting' answer and I just want to be sure...
Cheers all
Ed
It's not possible to combine the two things you're trying to combine: query string authentication and custom error pages.
S3 buckets can be made accessible by two different sets of endpoints, each providing a different set of front-end behaviors.
The REST endpoints provide authentication and private content (and SSL), while the Web site endpoints provide custom error (and index) documents, but the objects must be public in order to be accessible, since the web site endpoint does not support authentication (or SSL).
The differences are explained here:
http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html#WebsiteRestEndpointDiff
In some environments, I use an intermediate reverse-proxy, hosted in EC2, acting as a front-end for S3 (which gives me the additional capability of rewriting portions of the request headers and capturing access logs in real-time) and I suspect this is the most viable mechanism for also providing "friendly" errors -- as my proxy does if the URL is completely missing elements like Signature= in the URL (since that can't possibly be anything but an error) but have not yet implemented anything to capture 403 Forbidden responses and style them up.
I did do some preliminary testing to add a Link: header to the error response (in the proxy), in an attempt to convince the browser to load an XSL stylesheet, but so far that has not proven viable.
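An added example (not code from the answer's author) of the proxy-side check described above: reject links that are missing query-string authentication elements such as Signature=, and restyle an upstream 403. It goes beyond the answer by also recognizing the X-Amz-* (Signature Version 4) parameter set and by checking the expiry time locally; the function names and sample URL are constructed, and S3 remains the only party that actually verifies the signature.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Query parameters S3 expects for query string authentication.
V2_PARAMS = ("AWSAccessKeyId", "Expires", "Signature")
V4_PARAMS = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
             "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature")

# Constructed sample link (not a real bucket, key or signature).
SAMPLE_V2 = ("https://example-bucket.s3.amazonaws.com/file.zip"
             "?AWSAccessKeyId=AKIAEXAMPLE&Expires=1700000000&Signature=abc%3D")

def precheck(url, now):
    """Decide in the proxy, before contacting S3: ('forward', None) or
    ('friendly_error', reason). `now` is epoch seconds (hypothetical API)."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    is_v4 = "X-Amz-Signature" in q or "X-Amz-Algorithm" in q
    required = V4_PARAMS if is_v4 else V2_PARAMS
    missing = [p for p in required if not q.get(p, [""])[0]]
    if missing:
        return "friendly_error", "malformed link: missing " + ", ".join(missing)
    try:
        if is_v4:
            # Expiry = signing time + lifetime in seconds.
            signed = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
            signed = signed.replace(tzinfo=timezone.utc)
            expires_at = signed.timestamp() + int(q["X-Amz-Expires"][0])
        else:
            # Expires is an absolute epoch timestamp.
            expires_at = int(q["Expires"][0])
    except ValueError:
        return "friendly_error", "malformed link: bad expiry value"
    if now >= expires_at:
        return "friendly_error", "link expired"
    return "forward", None

def render_upstream(status, body):
    """Replace S3's XML 403 body with an HTML page; pass everything else through."""
    if status == 403:
        return 403, "<h1>This download link is no longer valid</h1>"
    return status, body
```

The local expiry check only saves a round trip and gives a precise message; a link that passes it can still be rejected by S3, which is why the 403 response is restyled as well.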
Reading the API docs (https://developers.facebook.com/docs/reference/api/page/) I assumed that in order to read a public page's status updates, I would require "any valid access_token or user access_token" (quoting the docs here).
However, if I try to get the status updates for the public page, using my app access token, I receive the following response: "A user access token is required to request this resource"
GET 20531316728/statuses?access_token=myappaccesstoken
So, my question is if the docs are just plain wrong, I'm doing something wrong or whatever?
There is a clarification that needs to occur by Facebook [1]. The docs are either outdated or Facebook has changed their mind on handling these updates which is interesting seeing that
GET /PAGE_ID/feed?access_token=myappaccesstoken
Works (and holds all the statuses). I was told by someone in IRC #facebook that maybe the statuses call is more expensive (Not too bought on this idea).
My current stance is that either
any valid access_token or user access_token was supposed to imply those excluding app tokens
Facebook realizes that one can bypass the OAuth Flow by using an app token on pages when Facebook desired some form of authentication.
In the end, these are all assumptions.
I haven't been able to get a clear answer out of any Facebook employee as to whether this is indeed a bug or an intentional removal of this feature.
[1] - http://developers.facebook.com/bugs/480742545315442