I have configured wso2am-3.1.0 with wso2is-km-5.10.0 using the following guide.
https://apim.docs.wso2.com/en/latest/install-and-setup/setup/distributed-deployment/configuring-wso2-identity-server-as-a-key-manager/#step-1-download-prepackaged-wso2-is-as-a-key-manager-wso2-is-km
Both of them are using the same LDAP as the secondary user store and I can authenticate both of them using the LDAP user without problem.
I have assigned "Internal/subscriber" role to user called "normal" and published an API with scope "am_subscribe" which requires role "Internal/subscriber".
However, when I try to request the access from APIM using the method provided in the guide below with "scope=am_subscribe", it always returns the access token with "default" scope only.
https://www.yenlo.com/blog/a-6-step-guide-for-jwt-exchange-with-oauth2
{
"access_token": "x",
"refresh_token": "x",
"scope": "default",
"token_type": "Bearer",
"expires_in": 3600
}
Is there something missing in order to request the scope?
Related
I've set up an OAuth consent screen for my app with user type external and myself as test user. I then set up an OAuth 2.0 Client ID for a web application. When I download the resulting JSON from here, it includes the following object, but no refresh_token. Why is that?
{
"web": {
"client_id": "...",
"project_id": "...",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_secret": "...",
"redirect_uris": [
"http://localhost/"
]
}
}
I can't find it in the docs:
https://developers.google.com/google-ads/api/docs/first-call/refresh-token#python
https://developers.google.com/identity/protocols/oauth2#5.-refresh-the-access-token,-if-necessary.
https://developers.google.com/identity/protocols/oauth2#expiration
The client secrets file identifies the OAuth Identity Provider. The refresh token is generated from the user's identity during the authentication (OAuth Flow). Think of it as two types of secrets: the provider and the user.
The original question—"Why doesn't the credentials.json I download from Google Cloud Platform include a refresh_token?"—was answered in a comment in the question Jake Nelson linked:
The Refresh Token is associated with the identity that authenticated and is not part of the client secret credentials.
And my underlying problem of not having the refresh_token was solved like this:
My user type in the consent screen used to be internal, but I changed it to external following the docs
After changing that, I had to force the API to ask me for consent again by adding prompt='consent' to my flow.run_local_server call (source)
I have setup a SuperSet with a Keycloak integrated as an authentication provider. In the official API documentation, we can get the access token by calling /security/login API with corresponding credential data provided. The example of the document is using "db" as provider. In my case, I believe I should change this option. However, I have tried to search for the suitable provider name in my scenario but no luck (i.g. ido,idoc,none of them works..)...
Does anyone know what provider name should I put in this case?
POST /security/login
Request body
{
"password": "complex-password",
"provider": "db",
"refresh": true,
"username": "admin"
}
we are using WSO2 API Manager version 2.5 and Identity Server 5.6 where the IS is the key manager for the API Manager.
I enabled JWT in the IS config.
Added a custom claim dialect with userid and roles (as we do not need everything the local claim includes and it leads to errors in backend because the header is to big)
When I call an API the JWT is generated and passed on. However - the roles claim is not working in my custom dialect.
When I use the local claim dialect for JWT the roles are included in the token.
My Config:
<JWTConfiguration>
<JWTHeader>X-JWT-Assertion</JWTHeader
<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>
<ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
<ConsumerDialectURI>http://ourdomain.com/jwt</ConsumerDialectURI>
<SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
<EnableJWTGeneration>true</EnableJWTGeneration>
</JWTConfiguration>
The http://ourdomain.com/jwt dialect looks like this:
http://ourdomain.com/jwt/uid
Claim URI http://ourdomain.com/jwt/uid
Mapped Local Claim http://wso2.org/claims/our/uid
http://ourdomain.com/jwt/fullname
Claim URI http://ourdomain.com/jwt/fullname
Mapped Local Claim http://wso2.org/claims/fullname
http://ourdomain.com/jwt/accountNr
Claim URI http://ourdomain.com/jwt/accountNr
Mapped Local Claim http://wso2.org/claims/accountNr
http://ourdomain.com/jwt/role
Claim URI http://ourdomain.com/jwt/role
Mapped Local Claim http://wso2.org/claims/role
This is the resulting JWT content:
{
"http://ourdomain.com/jwt/version": "1.0.0",
"http://ourdomain.com/jwt/applicationid": "90",
"http://ourdomain.com/jwt/keytype": "SANDBOX",
"http://ourdomain.com/jwt/uid": "123",
"http://ourdomain.com/jwt/enduser": "mail.address#ourdomain.com#carbon.super",
"http://ourdomain.com/jwt/subscriber": "EXTERNAL/subscriber#ourdomain.com",
"iss": "wso2.org/products/am",
"http://ourdomain.com/jwt/fullname": "Mail Address",
"http://ourdomain.com/jwt/applicationtier": "Unlimited",
"http://ourdomain.com/jwt/applicationname": "application",
"http://ourdomain.com/jwt/enduserTenantId": "-1234",
"http://ourdomain.com/jwt/tier": "Unlimited",
"http://ourdomain.com/jwt/usertype": "APPLICATION_USER",
"http://ourdomain.com/jwt/accountNr": [
"123451",
"123452",
"123453"
],
"http://ourdomain.com/jwt/apicontext": "/heimdall/1.0.0",
"exp": 1541605849
}
Any leads where I'm mistaken? Do I have to write a custom token generator?
I am working with the Google Directory API to retrieve all of the groups that a person is part of for role based privileging in the app I'm working on.
https://developers.google.com/admin-sdk/directory/v1/guides/manage-groups#get_all_member_groups
Our Admin is able to successfully retrieve a list of groups that he is a part of, using the API Explorer, but I am not. I am getting the error below and I'm assuming it is because I am not an Admin.
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Not Authorized to access this resource/api"
}
],
"code": 403,
"message": "Not Authorized to access this resource/api"
}
}
How do we retrieve the groups a user belongs to? Is there any way to supply an Admin Credentials to retrieve the groups a user belongs to?
There's no way for regular users to programmatically retrieve their group membership. I'd recommend creating a delegated admin with priveledges to read groups via the API but nothing else. Also, when doing the OAuth 2.0 request, only the readonly groups scope is needed. Share these credentials with any users that need to get their group membership or have your app make the api call as the delegated user on their behalf.
Our organization uses SAML for SSO into Google Apps. In order to use SSO we must manage the change password functionality through APIs. Since the Provisioning API has been deprecated in favor of the Admin SDK Directory API, I am developing against this API.
The flow I am developing is that the end user will login using Google OAuth2 into my application. Then, using the users access token I am attempting to call the https://www.googleapis.com/admin/directory/v1/users/ API to put a new password, but I get an error 403 "Not Authorized to access this resource/api".
My question is, what privilege is required for the user to be able to update their own password? When calling this API with GET I am able to retrieve my user information successfully, but trying to put a new password (or any other field for that matter) fails.
Here is an example of my request and response:
Request:
PUT https://www.googleapis.com/admin/directory/v1/users/user%40domain.org?key={YOUR_API_KEY}
Content-Type: application/json
Authorization: Bearer ya29.AHES6ZT_7onp48edpClD72X-*************************
X-JavaScript-User-Agent: Google APIs Explorer
{
"password": "wlKsf.##2af"
}
Response:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Not Authorized to access this resource/api"
}
],
"code": 403,
"message": "Not Authorized to access this resource/api"
}
}
Only super admins, delegated admins and resellers can access the Admin SDK Directory API.
I suggest creating a delegated admin that only has access to update users via the API and then having your web application utilize an OAuth token created for this delegated admin.