We are using UAA's Multitenancy Functionality to our customers.
As such, we required to create an identity zone for each customer to manage individual customers' information.
However, based on the documentation, I'm unable to locate how could I create an identity zone admin with the scope of zone.<zoneid>.admin and obtain this admin token.
Name Description
Authorization Access token with scim.write or uaa.admin scope required
X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.
Create User API Reference Link
Is there any guideline or guidance that we could reference?
Thank you
Here are the steps:
Target and get a token as the admin client
uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret
Update your admin client
This is to make sure it has the correct scopes, you'd only need to do this once.
uaac client update admin --authorities "uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,zones.write"
Then get a new token, which will have the scopes just added.
uaac token client get admin -s adminsecret
Create the zone and add the admin client to the zone:
uaac -t curl -X POST -H "Content-Type:application/json" -H "Accept:application/json" --data '{ "id":"testzone1", "subdomain":"testzone1", "name":"The Twiglet Zone[testzone1]", "version":0, "description":"Like the Twilight Zone but tastier[testzone1]."}' /identity-zones
uaac -t curl -H "X-Identity-Zone-Id:testzone1" -X POST -H "Content-Type:application/json" -H"Accept:application/json" --data '{ "client_id" : "admin", "client_secret" : "adminsecret", "scope" : ["uaa.none"], "resource_ids" : ["none"], "authorities" : ["uaa.admin","clients.read","clients.write","clients.secret","scim.read","scim.write","clients.admin"], "authorized_grant_types" : ["client_credentials"]}' /oauth/clients
Target the zone & get a token as the admin client in that zone:
uaac target http://testzone1.localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac token decode
Reference: https://github.com/cloudfoundry/uaa/blob/develop/docs/UAA-APIs.rst#sequential-example-of-creating-a-zone-and-creating-an-admin-client-in-that-zone
Related
Hy Everyone, I was stuck while authorizing the service provider after its successful creation. Let me explain to you I created the service provider using this API set( https://is.docs.wso2.com/en/latest/apis/application-rest-api/#/Applications/createApplication).
I added users to it. Once the successful creation of the service provider I get the clientId and secret key. After that I use that clientId and secret key to get the access and refresh token (cool so far), to get the access token and refresh token I use this curl request.
curl -u <client_id>:<secret_id> -k -d "grant_type=password&username=admin#easybazaar.co&password=admin" -H "Content-Type:application/x-www-form-urlencoded" https://<ip>/oauth2/token
once I have the access token I give it to the user (frontend team) to store it in his/her storage session. Now user wants to access some resources like the list of activities, he/she also sends that access token in the header of that request as a bearer token like;
curl -k http://localhost:8080/activities -H "Authorization: Bearer <access-token>
Now I want to authenticate that access token and check its validation and expiry. I explore the introspection API which requires the username and password, but the client doesn’t provide it in each request.
curl -k -u <USERNAME>#<TENAND_DOMAIN>:<PASSWORD> -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=<ACCESS_TOKEN>' https://<IS_HOST>:<IS_PORT>/t/<TENANT_DOMAIN>/oauth2/introspect
So How can, I achieve it, is there any set of APIs available for this task?
Any help will be appreciated.
I am not taking any username and password from the user to apply introspect APIs, should I take email in the token while creating the service Provider, so by using this email I will look into user inside my database and fetch the credentials and then hit the introspection APIs.
Seems like this is not there in older versions of IS and was introduced from IS 6.0.0 onwards. Found this migration issue.
If you are unable to migrate to IS 6.0.0, what I could recommend you is that, create a user with the permissions to introspect tokens only (this user will only be used for token introspection) and use that username and password to authenticate the introspect request.
Edit:
For IS 6.0.0 you can use the following basic config.
[[resource.access_control]]
context="(.*)/oauth2/introspect(.*)"
secure = "true"
http_method = "all"
cross_tenant = true
allowed_auth_handlers="BasicClientAuthentication"
Or you can use the advanced configurations as follows.
[[resource.access_control]]
context="(.*)/oauth2/introspect(.*)"
secure = "true"
http_method = "all"
cross_tenant = true
cross_access_allowed_tenants="carbon.super"
allowed_auth_handlers="BasicClientAuthentication"
permissions=["/permission/admin/manage/identity/applicationmgt/view"]
scopes=["internal_application_mgt_view"]
As per google's docs, I'm generating my oauth access token like this:
export TOKEN=$(~/go/bin/oauth2l fetch -jwt -json ~/.google/my-service-key.json cloud-platform)
I'm then doing requests to Google's REST API like this:
curl -v -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d (...) $URL
The response I'm getting back from Google is that I'm not providing an OAuth token, when I clearly am:
Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
Other posts suggest to use gcloud auth application-default print-access-token instead of the OAuth token, but I know this to be the incorrect approach, as Google's API responds back that it wants a service account OAuth token and not an identity.
Any idea what's happening here?
Sometimes an old (bad) token gets cached from before you rotated the service_account.json.
Delete Cache
Try this:
rm ~/.oauth2l
Token vs JWT
And try getting an API token before you sign the JWT:
oauth2l fetch cloud-platform
Scope vs Audience
Also, the API token requires a scope (shown above), whereas the JWT requires an audience aud, which is a URL:
oauth2l fetch --jwt https://www.googleapis.com/auth/cloud-platform
ENVs
You may also want to make sure that you don't have competing configuration, see if GOOGLE_APPLICATION_CREDENTIALS is set.
echo $GOOGLE_APPLICATION_CREDENTIALS
unset GOOGLE_APPLICATION_CREDENTIALS
Or potentially use it instead of --json ./service_account.json:
export GOOGLE_APPLICATION_CREDENTIALS=$HOME/.config/google/service_account.json
HTH
I have a WSO2 Identity Server with PostgreSQL, i work in node and i already use a SCIM 2.0 api for create new users, my question is, how i use SCIM to create a authentication user for my app, in my app how i know when the user have a valid token.
to create a new user i use this:
curl -v -k --user user:pass --data '{"schemas":[],"name":{"familyName":"nae","givenName":"name",},"userName":"newuser","password":"newpassword","emails":[{"primary":true,"value":"data","type":"home"},{"value":"data","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users
To get a valid token for the user you have to invoke oAuth flow.
Create SP in the IS with oAuth configurations.
Use the client id and secret to get the access token using the created user credentials.
curl -v -X POST -H "Authorization: Basic <base64 encoded client id:client secret value>" -k -d "grant_type=password&username=<username>&password=<password>" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
Refer : https://docs.wso2.com/display/IS530/Resource+Owner+Password+Credentials+Grant
Using wso2am-2.1.0 we'd like to create an API using the REST services, such as
/api/am/publisher/v0.11/apis
To use the services to search, create and publish an API the access token needs scope apim:api_view apim:api_createapim:api_publish
Seeing the publisher-api.yaml seems the full admin role is required to access these services.
We woudn't like to use the main admin user used by the services risking compromise of a user account with all privileges and mainly the admin user.
Assigning a different user to the admin role doesn't seem to work, tokens created don't hold necessary requested scopes (subsequence calls to the publisher's servicess causes 401 Unauthenticated request). Im I missing something?
It should work. I just did it and here is the output.
bhathiya#bhathiya-x1:/data/products/am/resources$ curl -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d #payload.json https://localhost:9443/client-registration/v0.11/register -k
{"clientId":"ryUqrib4UAiKtbEt8_HxadTcubYa","clientName":"admin_rest_api_publisher","callBackURL":"www.google.lk","clientSecret":"Q1sTqqd175da8fLaESY6z9h5nuca","isSaasApplication":true,"appOwner":"admin","jsonString":"{\"grant_types\":\"password refresh_token\",\"redirect_uris\":\"www.google.lk\",\"client_name\":\"admin_rest_api_publisher\"}"}
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 22:29:11
bhathiya#bhathiya-x1:/data/products/am/resources$ curl -k -d "grant_type=password&username=bhathiya&password=admins&scope=apim:api_view apim:api_create" -u ryUqrib4UAiKtbEt8_HxadTcubYa:Q1sTqqd175da8fLaESY6z9h5nuca https://localhost:8243/token
{"access_token":"1e3f7460-e186-3ded-b4d9-c093e1ceb9df","refresh_token":"be66fe42-2d34-3a34-8576-f7e24388be00","scope":"apim:api_create apim:api_view","token_type":"Bearer","expires_in":3600}
And you can also change roles in publisher-api.yaml.
Im using django-oauth2-provider to build a authorization server. When i try to get access_token by using this command:
curl -d "client_id=513204402d4b4f4d62e2&grant_type=authorization_code&response_type=code" http://127.0.0.1:8000/oauth2/access_token
i get an error: invalid_client
I have been created my client with client_type is Confidential
How can i fix it?
If your client is confidential, you must authenticate to issue an access token.
I suppose that it is a password client. You just have to add the client_secret=CLIENT_SECRET_HERE parameter in your POST request or set your client credentials in the authorization header.
Example:
curl -d "client_id=CLIENT_ID_HERE&client_secret=CLIENT_SECRET_HERE&...
or
curl --user CLIENT_ID_HERE:CLIENT_SECRET_HERE -d "...
The authorization code grant type is a two step flow.
You get an authorization code just after the resource owner allowed your client.
You get an access token using the authorization code.
You are trying to send a POST request so I suppose that if you already have an authorization code.
You get an invalid_request because you do not set the code parameter in your curl command:
curl -X POST -d "client_id=CLIENT_ID_HERE&client_secret=CLIENT_SECRET_HERE&grant_type=authorization_code&code=AUTHORIZATION_CODE_HERE&redirect_uri=REDIRECT_URI_HERE" http://127.0.0.1:8000/oauth2/access_token