I'm trying to use the REST API for retrieving the GSuite Alert Center alerts - doc
I've been doing the calls via the Java SDK (artifact google-api-services-alertcenter, version v1beta1-rev20190725-1.30.1).
I have a GCP Service Account, to which I gave the https://www.googleapis.com/auth/apps.alerts OAuth scope, yet the API returns error 401 Unauthorized.
Are there any additional scopes that I'm missing?
How can I find which?
You can go here on the G Suite administration panel to authorize wit your client id and scopes : https://admin.google.com/AdminHome?chromeless=1#OGX:ManageOauthClients
Related
There is an API hosted in WSO2 APIM 4.1.0 and there are two different App subscribed to that API.
Before Unsubscribe:
I just unsubscribed one of App to delete the API subscription by follows wso2 doc
After Unsubscribe:
After unsubscribed , I can able to invoke WSO2 API by using unsubscribed Application token
It should now allow that unsubscribed app to invoke API. OR correct me if my understanding is wrong.
Postman :
Note: In above API Hit, I passed unsubscribed APP token as Authorization
In your case, you should not be able to invoke the API without a proper subscriptions. Although the token is valid, you should get a 403 HTTP code saying subscription validation has failed.
You can check whether the events are propagated successfully to your gateway node from the control plane node. This is basically when you have a distributed setup. If you have a HA setup, verify both nodes are working properly when it comes to event distribution.
Are you using the GA release of APIM 4.1.0? If so, this could be a bug in that was fixed later through U2 updates. When an application subscription is deleted, any API invocations done using the tokens of that application should fail due subscription validation with an error similar to the one below with a 403 HTTP code.
{"code":"900908","message":"Resource forbidden ","description":"User is NOT authorized to access the Resource. API Subscription validation failed."}
If you have a paid WSO2 subsciption, please try this scenario by taking the latest U2 updated/patched version of APIM 4.1.0 by referring this.
I tried the GA APIM 4.1.0 and this usecase worked as expected. Shall we verify the subscription delete event flow in the API gateway by enabling debug logs for gateway and keymanagement components?
Add the following configurations in the <APIM_HOME>/repository/logs/log4j2.properties
logger.gateway-component.name = org.wso2.carbon.apimgt.gateway
logger.gateway-component.level = DEBUG
logger.keymgt-component.name = org.wso2.carbon.apimgt.keymgt
logger.keymgt-component.level = DEBUG
make sure to add the newly created loggers as below.
loggers = gateway-component,keymgt-component, AUDIT_LOG, trace-messages, org-apache-coyote, ....
With these, subscribe and unsubscribe events should be displayed in the terminal. You can use them to verify the event flow.
In the AWS cognito - In sinup and sigin actions we are doing using amazon-cognito-identity-js
I've done all the sign up and sin in steps as per npm docs.
I configure open ID OIDC link and I'm trying to get the user info by passing access token through end point
https://<your-user-pool-domain>/oauth2/userInfo
Authorization: Bearer <access_token>
But it throwing an error
{
"error": "invalid_token",
"error_description": "Access token does not contain openid scope"
}
I'm not able to figure what is the issue exactly behind this error
Go into Federation -> Identity Providers. In the "Authorize scope" field, add "openid". Note that scopes are separated by spaces, for example "openid email".
Go into App Integration -> App Client settings. Find the App Client you are connecting to, in "Allowed OAuth Scopes" tick "openid".
I am currently building an Alexa skill backed by Azure Functions (.NET Core/C#) and Azure AD B2C for authentication.
For the initial setup, I used mostly used the instructions found in this arcticle. Since, the article was written a couple of years ago, I had to make a few changes. In the end, I landed on the following configuration:
Azure Active Directory B2C
As I mentioned, we are using AAD B2C for authentication. Users of a related application are able to sign-up and sign-in to a React application. The idea is to provide an alternative interface for said users through Alexa intents + utterances.
I created an application for Alexa in AAD B2C with the following settings:
Properties
Web App / Web API: Yes
Allow implicit flow: Yes
Reply URLs: I entered the values provided by the Alexa skill setup (e.g. https://pitangui.amazon.com/api/skil/link/...); there are three different ones. I also added one for my azure function app (this is something that could be incorrect. It was part of what I did while diagnosing other earlier problems); it's in the format: https://myfuncname.azurewebsites.net/.auth/login/aad/callback (Do I even need this???)
App ID URI: https://myorg.onmicrosoft.com/alexa
Include native client: No
Keys
I generated a single App Key, which I'm using as the Secret in the Account Linking section in the Alexa Developer Console.
Many of the examples online mention setting an explicit expiration date here of 1 or 2 years; however, I am not presented with any options at all (i.e. no expiration option), just the code. Could this be part of the problem???
API Access
In the Published scopes section, the Scope's name is user_impersonation. The description is "Access this app on behalf of the signed-in user". The full scope value is: https://myorgsname.onmicrosoft.com/alexa/user_impersonation.
For API Access, I have to API entries here:
One that uses the user_impersonation scope mentioned above.
The second, titled "Access the user's profile", uses:
Acquire an id_token for users (openid)
Acquire a refresh_token for users (offline_access)
AAD B2C User Flow
The user flow that I'm using allows signing up and signing in, it utilizes the following configuration:
Properties
Misc
Enable JavaScript enforcing page layout (preview): On
Token lifetime
Access & ID token lifetimes (minutes): 60
Refresh token lifetime (days): 14
Refresh token sliding window lifetime: "Bounded".
Lifetime length (days): 90
Token compatibility settings
Issuer (iss) claim: https://<domain>/<b2c-tenant-guid>
Subject (sub) claim: ObjectID
Claim representing user flow: tfp
Session behavior
Web app session lifetime (minutes): 1440
Web app session timeout: Rolling
Single sign-on configuration: Tenant
Require ID Token in logout requests: No
Azure Function Authentication Middleware
For the authentication layer within the Azure Function, I'm utilizing the method described in the article mentioned above.
Alexa Developer Console
On the Alexa side of things, I have a really simple skill setup with the following settings:
Endpoint
My endpoint uses the HTTPS option with the default region set to the fully-qualified HTTPS endpoint of my Azure Function App's handler function.
The certificate set to "My development endpoint is a sub-domain of a domain that has a wildcard ..."
Account Linking
The account linking settings are as outlined below:
Do you allow uses to create an account or link to ...: Toggled On
Allow users to enable skill without account linking: Toggled On
Allow users to link their account to your skill from within your application or website: Toggled Off
Auth Code Grant: On
Authorization URI: https://myorg.b2clogin.com/myorg.onmicrosoft.com/oauth2/v2.0/authorize?p=<sign-in-user-flow-policy-name>
Access Token URI: https://myorg.b2clogin.com/myorg.onmicrosoft.com/oauth2/v2.0/token?p=<sign-in-user-flow-policy-name>
Your Client ID: AAD B2C App GUID
Your Secret: Key generated in App settings in AAD B2C for my Alexa Skill App (mentioned in the AAD B2C setup info above).
Your Authentication Scheme: HTTP Basic
Scope: openid and https://myorg.onmicrosoft.com/alexa/user_impersonation
Domain List: login.microsoftonline.com and myorg.b2clogin.com Note: This is probably wrong as I didn't know what to put here. The article above doesn't mention this setting at all
Default Access Token Expiration Time: 3600
Note: The Alexa Redirect URLS at the bottom are what I put in AAD B2C for the Reply URL section.
The Problem
Now for the most important part, The Problem. Everything seems to work at first...I'm able to go to alexa.amazon.com and utilize Link Account (which redirects me to and from my AAD B2C-driven login screen). Once I link accounts, I'm able to successfully utilize an utterance and receive a reply.
The problems starts when I wait an hour (I believe it's an hour). Attempting to initiate the Intent after an hour yields an error on the Azure Function app side of things when it tries to validate the Auth Token.
Can anyone provide me some guidance as to what I may have setup incorrectly or at least some things that I should look into? As I mentioned at the start of this question, many of the references that I'm finding online are out-of-date and do not cover all of the settings that I'm expected to utilize. Many of them are still using microsoftonline.com authority vs. b2clogin.com.
At a glance, I would assume that the problem is that the Alexa skill is failing to refresh its token after it expires after an hour. What do I need to do to ensure that it refreshes correctly?
I think that I have enough information at this point to go ahead and answer my own question. What I found was that the offline_access scope is necessary for Token Refresh to be possible.
Per Microsoft, "The offline_access scope gives your app access to resources on behalf of the user for an extended time. On the consent page, this scope appears as the "Maintain access to data you have given it access to" permission. When a user approves the offline_access scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire.".
You can read more about it here.
To resolve the issue, I ensured that this scope was available in AAD B2C and added it as a referenced scope in the Alexa developer console.
Thanks for giving insight on offline_access. It took few hours to figure out how to implement offline_access. Interestingly offline_access works only with Azure AD, OAuth 1.0 endpoint and not with 2.0.
While trying with 2.0 it kept failing while account linking when multiple scopes were mentioned in Alexa configurations. The scopes I tried were as follows.
https://samplealexabackendapi/
https://graph.microsoft.com/offline_access
Finally I ended up working with OAuth 1.0 endpoint and using the scope https://samplealexabackendapi/.default which considers all scopes available to the app registered.
In my service broker's catalog endpoint, I have defined a dashboard_client like below.
"dashboard_client":{
"id":"test-client-id",
"secret":"test-client-secret",
"redirect_uri":"https://dashboard.cf.myorg.com"
}
In my service dashboard application I am using the client id defined above to initiate the OAuth Authorization Code Grant flow as prescribed in CF Dashboard SSO documentation.
Everything works fine (CF authorization_endpoint redirects to dashboard with auth code and dashboard gets access token from token_endpoint) if the client requests for the minimum scopes cloud_controller_service_permissions.read and openid. e.g.
https://login.cf.myorg.com/oauth/authorize?
response_type=code&
client_id=test-client-id&
scope=openid%20cloud_controller_service_permissions.read&
redirect_uri=https://dashboard.cf.myorg.com/auth
However, if the client requests for additional scopes cloud_controller.read and/or cloud_controller.write (which is also mentioned in the Dashboard SSO documentation), authorization_endpoint redirects to dashboard with an error cloud_controller.read is invalid. Please use a valid scope name in the request.
CF version 2.80.0.
Any idea what is going wrong?
It is this line in UAA which is the show stopper here:
Adding cloud_controller.read,cloud_controller.write to the authorities (must be in authorities and scope) of the client and then updating the service broker via cf update-service-broker should fix that.
When I publish an API in the WSO2 API Manager, the following error occurs:
Gateway Failures
Failed to Publish Environments
Production and Sandbox
Error while obtaining API information from gateway. Error while obtaining API information from gateway. Authentication failure
This could be due to an authentication failure. Please check whether username/password within <Environments> content element of root <APIGateway> element in api-manager.xml (<APIM_HOME>/repository/conf/api-manager.xml) is correct
I've had this issue.
When checking the logs I saw this:
URL context: /hrs/admihrsd/osb/documentWS/2.0.0 is already registered with the API: novakgo--hrs-admihrsd-osb-document-service:v2.0.0
The issue was someone was trying to publish a new API with the same context as another one. They should change the context and publish again, and the error is fixed. Context have to be unique.