Oauth2 Password Grant type in Express-Gateway - express-gateway

We are trying to implement the "Password" grant type through Express-Gateway in our Microservices. But we could not find any documentation on the Express-Gateway and the global endpoint "/oauth2/token" gives an "unauthorised" error when we try to access it through postman.
Any reference document or suggestions here will be appreciated.
Let me know if any information is required.
Amit

Try Basic auth with the user's login and secret from the OAuth credentials, and pass JSON in the body:
    {
        "grant_type": "password",
        "username": "<login>",
        "password": "<password>"
    }
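The request the answer describes, as an added example that is not part of the original thread or of Express-Gateway itself. The gateway URL, the client id/secret and the user login are assumed placeholders; the point is that the Basic credential carries the OAuth2 client's id and secret while the end user's login only travels in the JSON body, and that a 401 from /oauth2/token is the gateway rejecting the Basic client credential, not the user's password:

```python
import base64
import json
import urllib.error
import urllib.request

# Assumed values (not from the original post): the gateway's token endpoint,
# an OAuth2 client credential issued by the gateway, and an end user's login.
GATEWAY_TOKEN_URL = "http://localhost:8080/oauth2/token"


def build_token_request(client_id, client_secret, username, password):
    """Return (headers, body_bytes) for a password-grant request.

    The Basic credential identifies the OAuth2 client (the id/secret pair the
    gateway issued), not the end user; the user's login goes in the JSON body.
    """
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {cred}",
        "Content-Type": "application/json",
    }
    body = json.dumps({
        "grant_type": "password",
        "username": username,
        "password": password,
    }).encode()
    return headers, body


def classify_response(status, body_text):
    """Map the token endpoint's reply to a short diagnosis.

    401: the Basic client credential was rejected before the grant was looked at.
    400: the grant itself was rejected; the OAuth2 error object says why
         (e.g. invalid_grant for a wrong user password).
    """
    if status == 401:
        return "client credentials rejected (check Basic auth id/secret)"
    if status == 400:
        try:
            err = json.loads(body_text).get("error", "unknown")
        except ValueError:
            err = "unknown"
        return f"grant rejected: {err}"
    if status == 200:
        tok = json.loads(body_text)
        return f"ok: token_type={tok.get('token_type')} expires_in={tok.get('expires_in')}"
    return f"unexpected status {status}"


def request_token(client_id, client_secret, username, password, url=GATEWAY_TOKEN_URL):
    """POST the password grant and return the diagnosis string."""
    headers, body = build_token_request(client_id, client_secret, username, password)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return classify_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.read().decode())
```

In Postman the same thing is the "Basic Auth" tab filled with the client id and secret, plus a raw JSON body; a 401 there means the id/secret pair is wrong or was created for a different consumer, not that the user's password is wrong.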

Related

Cloud Endpoints Authentication

I am using App Engine Standard with the Python 2 runtime and Endpoints Frameworks.
When making a request, the app just returns "Successful" if the request was completed. I am trying to implement authentication so unauthenticated users are not able to complete the request. I've done the following:
Modified my main.py decorator to include issuers and audiences:
    issuers={'serviceAccount': endpoints.Issuer('[MYSERVICEACCOUNT]', 'https://www.googleapis.com/robot/v1/metadata/x509/[MYSERVICEACCOUNT]')},
    audiences={'serviceAccount': ['[MYSERVICENAME]-dot-[MYPROJECT].appspot.com']}
Modified my main.py method to check for a valid user:
    user = endpoints.get_current_user()
    if user is None:
        raise endpoints.UnauthorizedException('You must authenticate first.')
Regenerated and redeployed my openAPI document. It now has security and securityDefinitions sections.
Updated my app.yaml to reference that Endpoints version.
Redeployed my app
To make an authorized request to my app, I have done the following:
I gave the service account the Service Consumer role on my Endpoints service.
Generated a signed JWT using the generate_jwt function from Google's documentation. I am passing in credentials using the service account's JSON key file.
    payload = json.dumps({
        "iat": now,
        "exp": now + 3600,
        "iss": "[MYSERVICEACCOUNT]",
        "sub": "[MYSERVICEACCOUNT]",
        "aud": "[MYSERVICENAME]-dot-[MYPROJECT].appspot.com"
    })
Made the request using the make_jwt_request function from Google's documentation.
    headers = {
        'Authorization': 'Bearer {}'.format(signed_jwt),
        'content-type': 'application/json'}
I am getting a "401 Client Error: Unauthorized for url" error. Am I missing something?
Your audiences don't match; in your code, you are requiring an audience of [MYSERVICEACCOUNT], but when generating the JWT, your audience is [MYSERVICENAME]-dot-[MYPROJECT].appspot.com. These need to match.
There are a few details which might be worth checking:
The list of allowed audiences should contain the value of the aud claim of the client-generated JWT. This is what Rose has pointed out.
All of the JWT claims presented in the sample client documentation should be present. Your code is missing the email claim in the JWT payload dictionary.
The method you're accessing should require no specific OAuth scopes. The scopes are set as the scopes field of the @endpoints.method decorator.
After opening a support ticket with Google, it turns out Google's documentation was incorrect. The main.py function needs to check for an authenticated user in the manner below:
    providers = [{
        'issuer': '[YOUR-SERVICE-ACCOUNT]',
        'cert_uri': 'https://www.googleapis.com/service_accounts/v1/metadata/raw/[YOUR-SERVICE-ACCOUNT]',
    }]
    audiences = ['[YOUR-SERVICE-NAME]-dot-[YOUR-PROJECT-NAME].appspot.com']
    user = endpoints.get_verified_jwt(providers, audiences, request=request)
    if not user:
        raise endpoints.UnauthorizedException
After making that change, I got the following error when trying to make an authenticated request:
    Encountered unexpected error from ProtoRPC method implementation: AttributeError ('unicode' object has no attribute 'get')
This was caused by how I was generating the payload with json.dumps(). I generated it without json.dumps(), like below:
    payload = {
        "iat": now,
        "exp": now + 3600,
        "iss": "[MYSERVICEACCOUNT]",
        "sub": "[MYSERVICEACCOUNT]",
        "aud": "[MYSERVICENAME]-dot-[MYPROJECT].appspot.com"
    }
These two changes fixed my issue.
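The two failure modes in this thread (an aud claim that is not in the allowed list, and a payload handed to the signer as a json.dumps() string instead of a dict) reproduced in an added example. This is not code from the poster or from the Endpoints Frameworks; the service-account name and audience are assumed values, and signing is deliberately left out (a real token is RS256-signed with the service-account key, e.g. via google.auth.jwt.encode) so that only the claim checks a verifier performs after the signature is validated are shown:

```python
import base64
import json
import time

# Assumed values (not from the original post): the calling service account
# and the audience the Endpoints decorator was configured with.
SERVICE_ACCOUNT = "caller@my-project.iam.gserviceaccount.com"
ALLOWED_AUDIENCES = ["my-service-dot-my-project.appspot.com"]


def build_payload(issuer, audience, now=None, lifetime=3600):
    """Claims dict for a self-signed service-account JWT.

    Returned as a dict, not a json.dumps() string: the signer serialises it
    itself, and handing it a string is what produces the
    "'unicode' object has no attribute 'get'" error from the thread.
    """
    now = int(time.time()) if now is None else now
    return {
        "iat": now,
        "exp": now + lifetime,
        "iss": issuer,
        "sub": issuer,
        "email": issuer,  # the claim Google's sample client sends and the question omitted
        "aud": audience,
    }


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def encode_unsigned(payload):
    """header.payload.<empty signature>; rejects a pre-serialised payload the way a signer would."""
    if not isinstance(payload, dict):
        raise TypeError("payload must be a dict, not %s" % type(payload).__name__)
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def check_claims(token, expected_issuer, allowed_audiences, now=None):
    """The claim checks a verifier runs once the signature has been verified. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    try:
        seg = token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except (IndexError, ValueError) as e:
        return False, "malformed token: %s" % e
    if claims.get("iss") != expected_issuer:
        return False, "issuer %r not trusted" % claims.get("iss")
    if claims.get("aud") not in allowed_audiences:
        return False, "audience %r not in allowed list" % claims.get("aud")
    if not claims.get("exp") or claims["exp"] <= now:
        return False, "token expired"
    if claims.get("iat", 0) > now + 60:
        return False, "issued in the future"
    if "email" not in claims:
        return False, "missing email claim"
    return True, "ok"
```

The audience check is the one that turned the poster's request into a 401: the verifier matches the token's aud against the configured list as an exact string, so the value the client signs and the value in the decorator have to be identical.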

Creating cognito Facebook identity provider?

I'm using boto3 on a Lambda to create a Facebook Identity Provider using:
    import boto3

    client = boto3.client('cognito-idp')  # region as configured for the Lambda
    response = client.create_identity_provider(
        UserPoolId='us-east-2_asqweo3',
        ProviderName='MyAppProviderName',
        ProviderType='Facebook',
        ProviderDetails={
            'app_id': 'xxxxxxxx',
            'app_secret': 'xxxxxxxx'
        }
    )
...but I'm getting an error saying
Identity provider cannot be of type 'Facebook'
What am I doing wrong?
ProviderName and ProviderType must have the same value, i.e. 'Facebook'.
Also, ProviderDetails for Facebook should look like
    "ProviderDetails": {
        "client_id": "xxxxxxxx",
        "client_secret": "xxxxxxxx",
        "authorize_scopes": "public_profile, email"
    }
I know it's a late reply, but posting anyway for anyone who is facing this issue.

Aws setup Twitter as Identity Provider for User Pool

I tried to add Twitter as an Identity Provider for a User Pool. I tried to add Twitter as OpenID Connect with the information below:
    {
        "client_id": "Consumer Key",
        "client_secret": "Consumer Secret",
        "authorize_scopes": "openid email profile",
        "attributes_request_method": "POST",
        "oidc_issuer": "https://api.twitter.com/",
        "authorize_url": "https://api.twitter.com/oauth/authorize",
        "token_url": "https://api.twitter.com/oauth/request_token",
        "attributes_url": "https://api.twitter.com",
        "jwks_uri": "https://api.twitter.com"
    }
The message below is displayed.
Is there any missed setting? If you have any information, please let me know.
Thanks.
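A pre-flight check for create_identity_provider() arguments, as an added example covering both the Facebook question above (ProviderName must equal ProviderType, and the details keys are client_id/client_secret/authorize_scopes rather than app_id/app_secret) and the OIDC configuration from the Twitter question (the keys are the ones listed in that post; every URL-valued key must be an https URL, and a value pasted with typographic quotes such as “POST” will never match the literal "POST"). This is not code from AWS or from either poster; the social-provider rule is applied to Facebook, Google and LoginWithAmazon only, since Sign in with Apple uses a key rather than a client secret and is left out:

```python
# Social providers whose ProviderName must equal ProviderType and whose details
# are client_id / client_secret / authorize_scopes. SignInWithApple is omitted
# on purpose (different detail keys).
SOCIAL_PROVIDERS = {"Facebook", "Google", "LoginWithAmazon"}
SOCIAL_REQUIRED = {"client_id", "client_secret", "authorize_scopes"}

# OIDC keys as listed in the Twitter question: the first set is required by
# Cognito, the second can be omitted when discovery from oidc_issuer works.
OIDC_REQUIRED = {"client_id", "client_secret", "authorize_scopes",
                 "attributes_request_method", "oidc_issuer"}
OIDC_OPTIONAL = {"authorize_url", "token_url", "attributes_url", "jwks_uri"}
OIDC_URL_KEYS = {"oidc_issuer", "authorize_url", "token_url", "attributes_url", "jwks_uri"}


def validate_identity_provider(provider_name, provider_type, details):
    """Return a list of problems with the arguments; an empty list means they are well-formed."""
    problems = []
    if provider_type in SOCIAL_PROVIDERS:
        if provider_name != provider_type:
            problems.append("ProviderName must be %r for ProviderType %r, got %r"
                            % (provider_type, provider_type, provider_name))
        missing = SOCIAL_REQUIRED - set(details)
        if missing:
            problems.append("ProviderDetails missing %s" % sorted(missing))
        unknown = set(details) - SOCIAL_REQUIRED
        if unknown:
            problems.append("ProviderDetails has unexpected keys %s" % sorted(unknown))
    elif provider_type == "OIDC":
        missing = OIDC_REQUIRED - set(details)
        if missing:
            problems.append("ProviderDetails missing %s" % sorted(missing))
        unknown = set(details) - OIDC_REQUIRED - OIDC_OPTIONAL
        if unknown:
            problems.append("ProviderDetails has unexpected keys %s" % sorted(unknown))
        if details.get("attributes_request_method") not in ("GET", "POST"):
            problems.append("attributes_request_method must be exactly GET or POST")
        for key in OIDC_URL_KEYS & set(details):
            if not details[key].startswith("https://"):
                problems.append("%s must be an https URL" % key)
    else:
        problems.append("ProviderType %r is not covered by this check" % provider_type)

    # Typographic quotes survive a copy-paste from a document and end up inside
    # the value, so "POST" becomes “POST” and matches nothing.
    for key, value in details.items():
        if any(ch in value for ch in "\u201c\u201d\u2018\u2019"):
            problems.append("%s contains typographic quotes: %r" % (key, value))
    return problems


def facebook_provider_args(user_pool_id, app_id, app_secret, scopes="public_profile, email"):
    """Keyword arguments for cognito-idp create_identity_provider() for Facebook."""
    return {
        "UserPoolId": user_pool_id,
        "ProviderName": "Facebook",
        "ProviderType": "Facebook",
        "ProviderDetails": {
            "client_id": app_id,
            "client_secret": app_secret,
            "authorize_scopes": scopes,
        },
    }
```

Running validate_identity_provider over the original boto3 call reports both the name mismatch and the wrong detail keys before the API is ever hit; the dict from facebook_provider_args() can be passed straight to client.create_identity_provider(**args).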

How to set the password of a cognito user as the admin?

Via the Cognito admin API, how do I set a user's password? When a user is created I can set a temporary password; I need to be able to do this for an existing user.
The newest version of the Cognito API adds an action, AdminSetUserPassword, which has a request syntax like the following
    {
        "Password": "string",
        "Permanent": boolean,
        "Username": "string",
        "UserPoolId": "string"
    }
and will allow you to set a permanent or temporary password for a given user.
EDIT-2: The newest version of the Cognito API now supports AdminSetUserPassword.
You can't set a user's password; the only thing you can do is use AdminResetUserPassword.
EDIT: You can call ForgotPassword too. But as the name suggests, this is supposed to be called by a user, not an admin.
The latest Cognito API gives us AdminSetUserPassword, which has a body of this kind
    {
        "Password": "string",
        "Permanent": boolean,
        "Username": "string",
        "UserPoolId": "string"
    }
Using this you can set a password for a user as an admin. You can get the UserPoolId from the Cognito user pools home page.
The headers go as follows:
    X-Amz-Target: AWSCognitoIdentityProviderService.AdminSetUserPassword
    Content-Type: application/x-amz-json-1.1
If you face any errors, kindly refer to this page for available headers: Making API Requests
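The raw request the last answer sketches, built end to end as an added example: the JSON 1.1 body, the X-Amz-Target and Content-Type headers, and the SigV4 Authorization header that the "Making API Requests" page requires on top of them. This is not code from AWS or from any poster; boto3's admin_set_user_password() does all of it for you, and the hand-rolled form is only to show which headers are signed. The pool id, username, password and access keys are assumed placeholders, and the region is derived from the pool id prefix:

```python
import datetime
import hashlib
import hmac
import json

# Assumed values (not from the original thread): a pool in the region encoded in
# its id, and the long-term access keys of a principal allowed to call
# cognito-idp:AdminSetUserPassword.
SERVICE = "cognito-idp"
TARGET = "AWSCognitoIdentityProviderService.AdminSetUserPassword"


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region, service):
    """SigV4 derived key: HMAC chain over date, region, service and the fixed suffix."""
    k = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def admin_set_user_password_request(user_pool_id, username, password, permanent,
                                    access_key, secret_key, now=None):
    """Return (url, headers, body) for a signed AdminSetUserPassword call."""
    region = user_pool_id.split("_")[0]  # pool ids are <region>_<suffix>
    host = "%s.%s.amazonaws.com" % (SERVICE, region)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")

    # Permanent=True sets a usable password; False puts the user back into the
    # FORCE_CHANGE_PASSWORD state, like the temporary password at creation.
    body = json.dumps({"UserPoolId": user_pool_id, "Username": username,
                       "Password": password, "Permanent": bool(permanent)})

    # Header names are lowercased for the canonical form; all of them are signed.
    headers = {
        "content-type": "application/x-amz-json-1.1",
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-target": TARGET,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_request = "\n".join([
        "POST", "/", "",                                   # method, path, empty query string
        "".join("%s:%s\n" % (k, headers[k]) for k in sorted(headers)),
        signed_headers,
        hashlib.sha256(body.encode()).hexdigest(),
    ])
    scope = "%s/%s/%s/aws4_request" % (date_stamp, region, SERVICE)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, SERVICE),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        "AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s"
        % (access_key, scope, signed_headers, signature))
    return "https://%s/" % host, headers, body
```

The signature covers the body hash, so a request body altered in transit (for example a Permanent flag flipped) fails with an InvalidSignatureException rather than being applied; that is also why the body must be serialised once and the same bytes sent.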

AWS Cognito InitiateAuth: Missing required parameter UserName

When initializing an authentication to AWS Cognito, the API is rejecting my request:
InvalidParameterException: Missing required parameter UserName
status code: 400,
Here is the content of the request (yes, I tried putting it everywhere, with no success).
    params := &cognitoidentityprovider.InitiateAuthInput{
        AuthFlow: aws.String("USER_SRP_AUTH"),      // Required
        ClientId: aws.String("xxxxxxxxxxxxxxxx"), // Required
        AuthParameters: map[string]*string{
            "username": aws.String("myUser"), // Required
            "UserName": aws.String("myUser"), // Required
        },
        ClientMetadata: map[string]*string{
            "username": aws.String("myUser"), // Required
            "UserName": aws.String("myUser"), // Required
        },
    }
Any idea about what would be the problem please?
According to the doc (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-dg-pdf.pdf), username should be in AuthParameters along with srpA. Would it be possible that the problem comes from srpA? If so, what is this? It looks like it is the password.
It should be in AuthParameters, not ClientMetadata.
I believe the expected values are USERNAME and SRP_A.
SRP_A is a large integer as defined by the Secure Remote Password protocol. Are you trying to do SRP, or just authenticate with username and password? For username/password authentication you should use the AdminInitiateAuth operation.
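The AuthParameters map the answers describe, built for each flow, as an added example that is not from the original post or from the AWS SDK. The key names are the upper-case ones Cognito expects (USERNAME, SRP_A, PASSWORD), ClientMetadata is left out because it only reaches Lambda triggers and is not read by the auth flow, and the SECRET_HASH value that app clients created with a secret additionally require is computed here since its omission produces a similar "missing parameter" rejection. The app client id and secret are assumed placeholders; SRP_A is the client's public ephemeral from the SRP exchange and is supplied by the caller rather than generated:

```python
import base64
import hashlib
import hmac

# Assumed values (not from the original post): an app client id and, optionally,
# the client secret it was created with.


def secret_hash(username, client_id, client_secret):
    """Cognito's SECRET_HASH: base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).

    Required in AuthParameters whenever the app client has a secret; the
    message is the username followed directly by the client id, no separator.
    """
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def auth_parameters(flow, username, client_id, password=None, srp_a=None, client_secret=None):
    """Return (AuthFlow, AuthParameters) for InitiateAuth / AdminInitiateAuth.

    USER_SRP_AUTH            -> InitiateAuth, needs SRP_A (hex of A = g^a mod N)
    USER_PASSWORD_AUTH       -> InitiateAuth, needs PASSWORD (flow must be enabled on the client)
    ADMIN_USER_PASSWORD_AUTH -> AdminInitiateAuth, needs PASSWORD plus UserPoolId on the call
    """
    if flow == "USER_SRP_AUTH":
        if not srp_a:
            raise ValueError("USER_SRP_AUTH needs SRP_A, the client's SRP public value")
        params = {"USERNAME": username, "SRP_A": srp_a}
    elif flow in ("USER_PASSWORD_AUTH", "ADMIN_USER_PASSWORD_AUTH"):
        if password is None:
            raise ValueError("%s needs PASSWORD" % flow)
        params = {"USERNAME": username, "PASSWORD": password}
    else:
        raise ValueError("unsupported AuthFlow %r" % flow)
    if client_secret:
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return flow, params


def initiate_auth_kwargs(flow, username, client_id, **kw):
    """Keyword arguments for boto3's cognito-idp initiate_auth(); the admin flow
    additionally needs UserPoolId and goes to admin_initiate_auth()."""
    auth_flow, params = auth_parameters(flow, username, client_id, **kw)
    return {"AuthFlow": auth_flow, "ClientId": client_id, "AuthParameters": params}
```

For the poster's case the choice is between supplying a real SRP_A (which means implementing the SRP client side, including the PASSWORD_VERIFIER challenge response) and switching to a password flow; the map above is the same shape for Go's InitiateAuthInput.AuthParameters, with the values wrapped in aws.String.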