I am trying to refresh a PBI Data Flow using an ADF web activity by authenticating using the data factory's Managed Identity.
Here is my input to the activity:
{
  "url": "https://api.powerbi.com/v1.0/myorg/groups/1dec5b21-ba60-409b-80cb-de61272ee504/dataflows/0e256da2-8823-498c-b779-3e7a7568137f/refreshes",
  "connectVia": {
    "referenceName": "My-AzureVM-IR",
    "type": "IntegrationRuntimeReference"
  },
  "method": "POST",
  "headers": {
    "Content-Type": "application/json",
    "User-Agent": "AzureDataFactoryV2",
    "Host": "api.powerbi.com",
    "Accept": "*/*",
    "Connection": "keep-alive"
  },
  "body": "{\"notifyOption\":\"MailOnFailure\"}",
  "disableCertValidation": true,
  "authentication": {
    "type": "MSI",
    "resource": "https://analysis.windows.net/powerbi/api"
  }
}
It generates the following error when doing a debug run:
Failure type: User configuration issue
Details: {"error":{"code":"InvalidRequest","message":"Unexpected dataflow error: "}}
I have tried this exact URL in Postman using Bearer Token Authentication and it works. Our AAD Admin group said they added our ADF's Managed Identity to the permission list for the PBI API, so I am not sure what is going on here.
Just an FYI, I was able to get the ADF Managed Identity working with data flow refreshes using the HTTP request in my original post.
The key was after having the Tenant Admins add the Managed Identity to a security group with API access, I then also had to add the Managed Identity to the PBI Workspace access list as a Member.
Then my API call worked from ADF using the MSI. No Bearer login token needed.
I'm trying to redirect to the client application login page when the user clicks on the Account Confirmation email link. The URL which I'm redirecting to is
https:///accountrecoveryendpoint/confirmregistration.do?confirmation=54166133-0e00-463a-9ecf-ce26b516190a&userstoredomain=USERS&username=user#xyz.com&tenantdomain=carbon.super&callback=http://(applicationdomain)/context/openid-connect/wso2_oauth
But actually I should be able to get the client id and state parameters in the email link, but these values are missing. Any help would be appreciated.
If you are trying to invoke account confirmation using the default identity server UIs, you won't be able to send any additional query parameters in the email because the OOTB UIs do not support sending additional request parameters. Identity server UIs are designed to cater to specific user stories. But this can be easily done using customization.
Example: If you are trying self-registering using the REST API, instead of the default self-registration page, you can do this easily by making a small change to the request. Sample API request as follows. Note here that I have added a custom param to the request.
curl -L -X POST 'https://localhost:9443/api/identity/user/v1.0/me' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/json' --data-raw '{
  "user": {
    "username": "sominda",
    "realm": "PRIMARY",
    "password": "sominda!",
    "claims": [
      {
        "uri": "http://wso2.org/claims/givenname",
        "value": "sominda"
      },
      {
        "uri": "http://wso2.org/claims/emailaddress",
        "value": "user1#gmail.com"
      },
      {
        "uri": "http://wso2.org/claims/lastname",
        "value": "gamage"
      }
    ]
  },
  "properties": [
    {
      "key": "callback",
      "value": "<url_here>"
    },
    {
      "key": "custom-param",
      "value": "templated-custom-param"
    }
  ]
}'
If you are making the above request, then you can edit the AccountConfirmation email template to have the above custom-param templated.
{{carbon.product-url}}/accountrecoveryendpoint/confirmregistration.do?confirmation={{confirmation-code}}&userstoredomain={{userstore-domain}}&username={{url:user-name}}&tenantdomain={{tenant-domain}}&callback={{callback}}&{{custom-param}}
Also, you can customize the existing self-registration page to send the above request (but I think this involves a little effort).
I am trying to follow StartContactChat & CreateParticipantConnection to initiate the chat from third party applications e.g. Postman.
I want to route the chat to an agent on a "talk to agent" message from the API; the chat should be routed to the agent in Amazon Connect.
StartChatContact's Request Syntax is given like this:
PUT /contact/chat HTTP/1.1
Content-type: application/json
{
  "Attributes": {
    "string" : "string"
  },
  "ChatDurationInMinutes": number,
  "ClientToken": "string",
  "ContactFlowId": "string",
  "InitialMessage": {
    "Content": "string",
    "ContentType": "string"
  },
  "InstanceId": "string",
  "ParticipantDetails": {
    "DisplayName": "string"
  }
}
I have done this using the URL: PUT https://connect.us-east-1.amazonaws.com/contact/chat and got the ParticipantToken, and am now trying to create the participant connection using CreateParticipantConnection - https://connect.us-east-1.amazonaws.com/participant/connection but keep facing the error:
{
"message": "Unable to determine service/operation name to be authorized"
}
I have added the participant token generated by StartContactChat in Authorization --> AWS Signature --> Session Token as well as in the header, but I am still getting the AccessDeniedException.
The CreateParticipantConnection API does not belong to the same service as the StartChatContact API. As a result, https://connect.us-east-1.amazonaws.com/participant/connection is the wrong endpoint for the latter API. Instead, it should be https://participant.connect.us-east-1.amazonaws.com/participant/connection
Issue:
I would like to steer clear of using the traditional:
authenticationType: jwt
clientEmail: <Service Account Email>
defaultProject: <Default Project Name>
tokenUri: https://oauth2.googleapis.com/token
And use a service account JSON file from GCP. Is there any way of doing this?
Environment:
OpenShift running in GCP. ServiceAccount key is mounted.
So if I understand your comments correctly, you want to create a BigQuery data source using the Grafana API.
This is the JSON body to send with your request:
{
  "orgId": YOUR_ORG_ID,
  "name": NAME_YOU_WANT_TO_GIVE,
  "type": "doitintl-bigquery-datasource",
  "access": "proxy",
  "isDefault": true,
  "version": 1,
  "readOnly": false,
  "jsonData": {
    "authenticationType": "jwt",
    "clientEmail": EMAIL_OF_YOUR_SERVICE_ACCOUNT,
    "defaultProject": YOUR_PROJECT_ID,
    "tokenUri": "https://oauth2.googleapis.com/token"
  },
  "secureJsonData": {
    "privateKey": YOUR_SERVICE_ACCOUNT_JSON_KEY_FILE
  }
}
So there is no way to avoid the code snippet you wanted to "steer clear of", however there is no need to take the JSON key file apart, just provide it to privateKey. You only have to provide the service account email additionally to clientEmail and the project id to defaultProject. Otherwise not different than using the UI.
We are using WSO2 SCIM APIs to define roles for a user and update them.
For the role update operation, we are currently adding the new user role (add user to new role group using SCIM API), and then deleting the existing user role (call users SCIM GET request under a GROUP, delete the existing user from the list and use the newly created list as body arguments to call SCIM PATCH request for the GROUP). With this approach, we were able to update roles. But as the user base increased, the above approach of PATCH operation is getting a timeout error. (The new role gets updated to the user, but the existing role persists as the 2nd API call is failing.)
Below is one solution which I tried out:
Add new role, delete the newly created role inside user details and call PATCH API with the updated roles of user. But then I realized on further investigation that roles inside user is readonly and can't be updated using patch/put operations. So I failed in getting a proper solution.
Is there a way to update a single user's role inside the GROUP without using the PATCH /Groups endpoint?
As I have mentioned in the answer https://stackoverflow.com/a/64225419/10055162, the SCIM specification doesn't allow to update the user's group attribute using PATCH /Users/{userId}.
Also, PATCH /Groups/{groupId} may cause performance issues when the group's member count is too high.
WSO2 IS has improved the performance of PATCH /Groups/{groupId} to some extent.
https://github.com/wso2/product-is/issues/6918 - available 5.10.0 onwards
https://github.com/wso2/product-is/issues/9120 - available 5.11.0 onwards
So, if you are using an older version of IS, can you please try with the latest GA release (5.11.0). It may improve the performance.
UPDATED:
You can use the SCIM POST /Bulk endpoint to update a user's groups with a single REST call, instead of having multiple PATCH /Groups/{group-id} calls.
Refer to https://anuradha-15.medium.com/scim-2-0-bulk-operation-support-in-wso2-identity-server-5-10-0-8041577a4fe3 for more details on Bulk endpoint.
Example:
To assign two groups (Group1 and Group2) to a user, execute POST https://<host>:<port>/scim2/Bulk with payload similar to the following.
{
  "Operations": [
    {
      "data": {
        "Operations": [
          {
            "op": "add",
            "value": {
              "members": [
                {
                  "display": "anuradha",
                  "value": "db15b161-a205-454d-9da1-4a2a0df0585e"
                }
              ]
            }
          }
        ]
      },
      "method": "PATCH",
      "path": "/Groups/f707b6cc-91f8-4b8a-97fb-a01c2a79515c"
    },
    {
      "data": {
        "Operations": [
          {
            "op": "add",
            "value": {
              "members": [
                {
                  "display": "anuradha",
                  "value": "db15b161-a205-454d-9da1-4a2a0df0585e"
                }
              ]
            }
          }
        ]
      },
      "method": "PATCH",
      "path": "/Groups/8c91215f-1b7a-4cdb-87d9-ae29c60d70de"
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
  ]
}
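Added example, not part of the original answer and not WSO2's code: the same Bulk payload shape, built for the role change the question describes (add the user to the new group and remove it from the old one in a single request), plus a check of the BulkResponse, since a Bulk request is not a transaction and one operation can fail while the other succeeds. It assumes the server accepts the RFC 7644 `members[value eq "..."]` remove filter inside a Bulk PATCH and reports per-operation status either as a string or as an object with a `code` field; the function names are hypothetical.

```python
import json
import uuid

BULK_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"


def _uuid(value):
    # IDs end up in a URL path and inside a SCIM filter string, so accept only
    # UUIDs and emit the canonical form; uuid.UUID raises ValueError otherwise.
    return str(uuid.UUID(value))


def _group_patch(group_id, operation):
    # Same shape as the payload in the answer: one PATCH on /Groups/{id}.
    return {"method": "PATCH", "path": f"/Groups/{_uuid(group_id)}",
            "data": {"Operations": [operation]}}


def build_move_request(user_id, display, add_to, remove_from):
    """One BulkRequest that adds the user to some groups and removes it from others."""
    uid = _uuid(user_id)
    member = {"display": display, "value": uid}
    ops = [_group_patch(g, {"op": "add", "value": {"members": [member]}})
           for g in add_to]
    # RFC 7644 section 3.5.2.2: a value filter removes one member without
    # fetching or resending the rest of the member list.
    ops += [_group_patch(g, {"op": "remove", "path": f'members[value eq "{uid}"]'})
            for g in remove_from]
    return {"schemas": [BULK_SCHEMA], "Operations": ops}


def failed_operations(bulk_response):
    """Return (method, location, code) for every operation that did not succeed."""
    failed = []
    for op in bulk_response.get("Operations", []):
        status = op.get("status", 0)  # a missing status counts as a failure
        code = int(status["code"] if isinstance(status, dict) else status)
        if not 200 <= code < 300:
            failed.append((op.get("method"), op.get("location"), code))
    return failed


if __name__ == "__main__":
    # IDs reused from the answer's payload; which group is "old" is constructed.
    USER = "db15b161-a205-454d-9da1-4a2a0df0585e"
    NEW_GROUP = "f707b6cc-91f8-4b8a-97fb-a01c2a79515c"
    OLD_GROUP = "8c91215f-1b7a-4cdb-87d9-ae29c60d70de"
    print(json.dumps(build_move_request(USER, "anuradha", [NEW_GROUP], [OLD_GROUP]), indent=2))
```

If `failed_operations` returns anything for the remove step, the user still holds the old role and the removal has to be retried.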
I have an application that communicates with WSO2AM 2.1.0 using their RESTful API.
Right now I'm working on the application subscription part. I need to create a feature that is able to refresh the accessToken; it's the keys[0].token.accessToken from the JSON below.
GET https://localhost:9443/api/am/store/v0.11/applications/896658a0-b4ee-4535-bbfa-806c894a4015
Authorization: Bearer ae4eae22-3f65-387b-a171-d37eaa366fa8
HTTP/1.1 200 OK
Content-Type: application/json
{
  "groupId": "",
  "callbackUrl": null,
  "subscriber": "admin",
  "throttlingTier": "Unlimited",
  "applicationId": "896658a0-b4ee-4535-bbfa-806c894a4015",
  "description": null,
  "status": "APPROVED",
  "name": "DefaultApplication",
  "keys": [ {
    "consumerKey": "AVoREWiB16kY_GTIzscl40GYYZQa",
    "consumerSecret": "KXQxmS8W3xDvvJH4AfR6xrhKIeIa",
    "keyState": "COMPLETED",
    "keyType": "PRODUCTION",
    "supportedGrantTypes": null,
    "token": {
      "validityTime": 3600,
      "accessToken": "3887da6d111f0429c6dff47a46e87209",
      "tokenScopes": [
        "am_application_scope",
        "default"
      ]
    }
  }]
}
I ended up reading this documentation https://docs.wso2.com/display/AM210/Token+API and I think that is not the documentation I'm searching for. The token API there is used to refresh the access token to the WSO2, not for refreshing the application subscription token.
Is there any way to do this?
Store API uses client-credential grant type to generate an access token. That is why you don't get the refresh token in the response. You can do the following.
Used the API - https://docs.wso2.com/display/AM210/apidocs/store/
Create an application in APIM Store. (/applications)
Get consumerKey and consumer secret of the application by generating the keys. (/applications/generate-keys)
Use the password grant type and generate a token. https://docs.wso2.com/display/AM210/Password+Grant