i created a custom tensorflow model and deployed to google cloud AI platform
however, when i sent a post request to online prediction api (https://ml.googleapis.com/v1/projects/my-project/models/my-model/versions/my-version:predict). i got back 401 Request is missing required authentication credential. Expected OAuth 2 access token my understand that by deploying model is its API already available online, so is there away to make API public? if not how i can make api authentication through bearer token?
You can get the auth token using gcloud:
access_token=$(gcloud auth application-default print-access-token)
and then embed it into the header:
curl --silent \
-H "Authorization: Bearer $access_token" \
-H "Content-Type: application/json" \
-X POST \
etc.
Related
I am using wso2 API manager 3.1.0
I am using REST APIs for creating the subscriptions for the application. I am using the REST API
https://x.x.x.x:9443/apis/api/am/store/v1.0/subscriptions
I am using basic auth for the authentication of the API. My request body is as follows.
{
"applicationId": "6451faaa-65aa-48dc-8655-2ffb623fc441",
"apiId": "ed94f936-7e8a-4c62-92e6-92991aca4348",
"throttlingPolicy": "Unlimited"
}
When I send this request I am getting the 200 OK response but the content of the 200 OK is the management console login page. This is one issue I am facing. Another issue is a very basic one- I am trying to get the applications created in the system for that I am using below API
https://x.x.x.x:9443/api/am/store/v1.0/applications?limit=25&offset=0
again with basic authorization. for this request I am getting the 404 response. Same response I get if I change the authentication to Oauth token.
I tried these APIs with multiple tenant users credentials but for all I am getting the same response.
UPDATE:
I have obtained the access token like below:
1. curl --insecure -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d #payload.json https://localhost:9443/client-registration/v0.16/register
I got the response
{"clientId":"MPPomfxrQ_ZReRlHz0x70pU6yLca","clientName":"rest_api_store","callBackURL":"www.google.lk","clientSecret":"dQrYXtwMG8fB4Qhu7NfC1uqLAkwa","isSaasApplication":true,"appOwner":"admin","jsonString":"{\"grant_types\":\"password refresh_token\",\"redirect_uris\":\"www.google.lk\",\"client_name\":\"rest_api_store\"}","jsonAppAttribute":"{}","tokenType":null}
2. curl -k -d "grant_type=password&username=admin&password=admin&scope=apim:subscribe" -H "Authorization: Basic TVBQb21meHJRX1pSZVJsSHoweDcwcFU2eUxjYTpkUXJZWHR3TUc4ZkI0UWh1N05mQzF1cUxBa3dh" https://10.57.8.36:9443/oauth2/token
and I got the response
{"access_token":"194d3a3c-8f37-3459-a909-f1f871f096dc","refresh_token":"be7bfcb5-970d-3a8b-8f0a-d69fb7ea53fb","scope":"apim:subscribe","token_type":"Bearer","expires_in":3600}
using the obtained token if I place the API request I get still 404
I'm trying to send a request to https://{identity-server}:9443/oauth2/token. And the request is redirected to Location: https://{identity-server}:9443/carbon/admin/login.jsp. The version I'm using is IS 5.7.0 and deployed on Kubernetes as a clustered setup.
You are missing the authorization header in the request. That's why you are getting redirected to the login page.
Try to provide the authorization header like this
Authorization: Basic [Base64encode(Client-ID>:<ClientSecret>)]
Final request should be similar to this
curl -X POST \
https://localhost:9443/oauth2/token \
-H 'Authorization: Basic Zkd2ZlhiQ05VeUFmd2ltQW9HSWYycXZDakdFYTpFb1NOWDdHNFQ2NGZjcVFyZTVIX2NPR01CS2Nh' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'username=admin&password=admin&grant_type=password&scope=bearer'
I have successfully configured the API Manager, ID and IS according to the documentation: https://docs.wso2.com/display/AM260/JWT+Grant#JWTGrant-UsingtheJWTgrant.
I invoke the WSO2 token endpoint to exchange an external JWT for a WSO2 access token:
curl -i -X POST -k -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6WyJ3c28yIl0sImVudmlyb25tZW50Ijp7InByb2ZpbGVzIjpbImRldiJdfSwiYXV0aCI6eyJyb2xlcyI6WyJVU0VSIiwiQURNSU4iXX0sInVzZXJfbmFtZSI6IjAwMDAwMDk5Iiwic2NvcGUiOlsib3BlcmF0ZSJdLCJpc3MiOiJQQVMiLCJleHAiOjE1NDUzNDgyODcsImdlbmVyYXRlZEJ5IjoiUEFTIiwianRpIjoiOWQ4ZWU3ZTgtNDBlZS00MTZjLTlkYjgtYjU2NDZhYTZhN2JmIiwiY2xpZW50X2lkIjoiZnJvbnQtcG9saXphcyJ9.Ccs1OxjteRsvHTump-ZTawEsqlTrIeO0LJUzt5Ita8udvMOa_tB1rHOtI8GAa2mDCPMD_Z_jtZ2SlXPs10GvsYlF4jS_wcCVAPtHsoigzuNtg5t7CVfeCI2Bzhak721LdYBcjB9s0Jn24G9eb2jqx8NF0RPlKgmhbxwdY0b8XeigLp-kGCsFKY_fDIjFUM0oifzCWOmtaCRMtMx3CKVZOWq9dBIokheCi2foL8YkBCz57yo4vb782AYWXdiHj38TPPe4IguARuoc9FSymyiL1gWHJmyMZFvAeAJkDnHHEnnezqPmcWQweC1ylLwUYGNVLM8YSfuBDtcGBWSO0F-WKw' -H 'Content-Type: application/x-www-form-urlencoded' https://localhost:9443/oauth2/token -d 'client_id=w_paekjnDDY8zcCfCRgj_81g2eYa'
This answers successfully with an access token, a refresh token etc etc.
I have created an application in the WSO2 APIM store. In the production/sandbox tabs, the only checked Grant Type item is JWT.
The point is, I use the previously gotten access token (which is itself an JWT token) to invoke an API subscribed with the above application:
curl -k -X GET "https://192.168.179.129:8243/myapp/api/v1/customers" -H "accept: application/json;charset=UTF-8" -H "Authorization: Bearer eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6IndfcGFla2puRERZOHpjQ2ZDUmdqXzgxZzJlWWEiLCJuYmYiOjE1NDUzNDgxOTgsImF6cCI6IndfcGFla2puRERZOHpjQ2ZDUmdqXzgxZzJlWWEiLCJzY29wZSI6ImRlZmF1bHQiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJleHAiOjE1NDUzNDgyODcsImlhdCI6MTU0NTM0ODE5OCwianRpIjoiNjRlM2I5N2UtOTNlNC00YzQ2LThlNmQtMzlmZjQzOWQxM2Y0In0.UBLOsCCD3t4Wf8nXBnDkkGXxefYySelDzEcs1F_IrbshMJXohxcL92Av1nmcpdNdjin7GdC8Y305rrkBt9T1L_cMAHLYYcI5cI1J7wmAgEd1CEv9gI7IUYfAdbga2AeV4kIlNsgiV6PKnU34WnY7rEVqXD908eEHY5UvaNXc0Bz6C8d-p39-SqKUblGHPh9vdkpcCGcK0CgGKjtiU2lai_JkRALdgEgonT37R5eqmuxPxUouWNz9TCJgTuonKPA-9bYOsMvbzGlm--0m0j9gdxnv-3N1Kv_2JqSCR4pToDClhSKgFCE1L025LIICM-sLd_PDU5pwYge_iKseiIDZfA" -d 'client_id=w_paekjnDDY8zcCfCRgj_81g2eYa'
I get the following error (900908) - Resource forbidden:
<ams:fault xmlns:ams="http://wso2.org/apimanager/security"><ams:code>900908</ams:code><ams:message>Resource forbidden </ams:message>
<ams:description>Access failure for API: /myapp/api/v1, version: v1 status: (900908) - Resource forbidden </ams:description></ams:fault>%
I must be missing the final step which is how to allow those access tokens gotten in the JWT grant to be used to access an API subscribed by an application.
The error code 900908 means the API is not subscribed by the application. Please double check.
Technically Bee was right in his answer, but I would like to point specifically at what I was doing wrong in case it happens to others:
The problem was that the client_id/client_secret I was using when exchanging the JWT to get the access token were the ones from the Service Provider I had created. WRONG!
The ones was that need to be sent are those from the subscribed application. With that the resource forbidden error doesn't show up anymore.
I tried to access Google's Datastore through their REST Api. It says that they allow authentication through the API-key. However it doesn't seems that I can get it to work any where. I copied the snippet generated from their Try this API page.
curl --request POST \
'https://datastore.googleapis.com/v1/projects/PROJECT_ID:runQuery?key=[YOUR_API_KEY]' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{"query":{"filter":{"compositeFilter":{"op":"AND","filters":[{"propertyFilter":{"property":{"name":"id"},"op":"EQUAL","value":{"stringValue":"ID"}}}]}},"kind":[{"name":"NAME"}]},"partitionId":{"namespaceId":"NAMESPACE_ID","projectId":"PROJECT_ID"}}' \
--compressed
But it keeps returning me an 401 error.
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
It looks like it require me to use OAuth instead, which is not what their documentation says. Anyone experienced something similar?
You are using an API key which is incorrect.
This link details which services support API Keys. Cloud Datastore is not one of them.
Using API Keys
You want to use an Access Token which is derived from Service Account credentials.
Review this document.
Using OAuth 2.0
The steps to generate an Access Token:
Load the service account credentials json file.
Extract the client_email, private_key and private_key_id.
Create a json payload.
Call the authorization URL: https://www.googleapis.com/oauth2/v4/token
This returns a json object. Extract the access_token.
Use the access_token instead of an API Key.
There are examples on the Internet in various languages. The link will get you started. The process appears complicated, and it is, but once you understand it, generating Access Tokens is easy and they can be reused until they expire (typically 60 minutes which you control).
This document on Google Cloud Storage authentication is the same for Cloud Datastore. The key is understanding "Authorization: Bearer" which is a header you need to include with your curl request.
Authentication
I have a WSO2 Identity Server with PostgreSQL, i work in node and i already use a SCIM 2.0 api for create new users, my question is, how i use SCIM to create a authentication user for my app, in my app how i know when the user have a valid token.
to create a new user i use this:
curl -v -k --user user:pass --data '{"schemas":[],"name":{"familyName":"nae","givenName":"name",},"userName":"newuser","password":"newpassword","emails":[{"primary":true,"value":"data","type":"home"},{"value":"data","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users
To get a valid token for the user you have to invoke oAuth flow.
Create SP in the IS with oAuth configurations.
Use the client id and secret to get the access token using the created user credentials.
curl -v -X POST -H "Authorization: Basic <base64 encoded client id:client secret value>" -k -d "grant_type=password&username=<username>&password=<password>" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
Refer : https://docs.wso2.com/display/IS530/Resource+Owner+Password+Credentials+Grant