I have configured wso2am-2.6.0 using SAML with wso2is-5.7.0 following the example https://wso2.com/library/articles/2017/03/use-cases-of-utilizing-saml-with-wso2-api-manager/
Both app is installed on same server with Port Offset=3.
In the IS is added the second store from Active Directory.
I have defined an API with some scopes.
Any "scope" I would use, after going through the Authentication process the APIM returns the access_token with scope = default.
Example below:
{
"access_token": "8f1cbaf3-6858-327e-9410-5210a1413e92",
"refresh_token": "27cf0b3a-a3af-3826-94f3-9a0fd8518d33",
"scope": "default",
"token_type": "Bearer",
"expires_in": 1024
}
What can be wrong?
I found the problem.
Because I did not define any Role for the Scopes, to generate a token using my Scopes, it was necessary to add in the file <dir>/wso2am-2.6.0/repository/conf/api-manager.xml the list of Scopes in the tag ScopeWhitelist:
<OAuthConfigurations>
<ScopeWhitelist>
<Scope> news_read </ Scope>
<Scope> news_write </ Scope>
</ ScopeWhitelist>
After that, access tokens were generated for my Scopes.
Related
when I authorize myself in Swagger UI, I have to write "Bearer {then I write JWT} here"
How can I add the string "Bearer" automatically before the JWT token in swagger UI?
Here is my Swagger Settings:
SWAGGER_SETTINGS = {
"SECURITY_DEFINITIONS": {
"JWT [Bearer {JWT}]": {
"name": "Authorization",
"type": "apiKey",
"in": "header",
}
},
"USE_SESSION_AUTH": False,
}
FORCE_SCRIPT_NAME = "/"
I recommend you to migrate from drf-yasg to drf_spectacular, it already includes JWT authentication automatically and without so many complications, it even uses OpenAPI 3 (drf-yasg uses OpenAPI 2 and is becoming obsolete)
Automatic Generation
Authenticate with JWT
See this From drf-yasg to OpenAPI 3
Its only one solution simple add Bearer and space before paste the token in value field where you add token simple
I am new to WSO2 Identity Server-5.11.0 , I want to search user based on username using scim api however nothing works for me
https://localhost:9443/wso2/scim/Users?userNameEqadmin#wso2.com
https://localhost:9443/wso2/scim/Users?filter=userNameEqadmin#wso2.com
https://localhost:9443/wso2/scim/Users?filter=userName=admin#wso2.com
https://localhost:9443/wso2/scim/Users?filter=userName Eq admin#wso2.com
https://localhost:9443/wso2/scim/Users?filter=username=admin#wso2.com
https://localhost:9443/wso2/scim/Users?filter=usernameEqadmin#wso2.com
Can anyone suggest proper search criteria to use ?
Seems you have used SCIM 1.0 protocol.
It's better to use SCIM 2.0 because latest versions of IS supports SCIM 2.0
Refer: https://is.docs.wso2.com/en/latest/develop/scim2-rest-apis/
So the correct SCIM request for user filtering based on exact username match is:
https://localhost:9443/scim2/Users?filter=userName eq admin#wso2.com
Even if the above request doesn't satisfy your query,
Please verify whether you have followed all the steps in https://is.docs.wso2.com/en/latest/learn/using-email-address-as-the-username/#using-email-address-as-the-username in the same order.
Especially, if you have missed this step you won't be able to filter from username by giving the email.
Login to the management console and configure the Mapped Attribute property of the http://wso2.org/claims/username claim ID that is under Dialect dialectURI http://wso2.org/claims to mail.
You can try this with POSTMAN and I'm getting data
URL
https://{your host here}/t/{tenant domain}/scim2/Users/.search
Authorization
You can give basic Auth for now
body
You can give search variable like this
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:SearchRequest"
],
"attributes": [
"userName"
],
"filter": "userName Eq SigningOfficer",
"domain": "PRIMARY",
"startIndex": 1,
"count": 10
}
It is a POST method.
For more reference you can try this link
https://is.docs.wso2.com/en/latest/develop/scim2-rest-apis/#/Groups%20Endpoint/getGroupsByPost
As the title mentions, I would like to have a #api.response(401, 'Unauthenticated') response added to the documentation of all APIs which require authentication.
flask-resplus/restx displays a lock icon, so the user should expect a 401 if not authenticated, but I would like this response to be explicit without having to explicitly write that decorator on every method or resource.
Is this possible with some global setting?
+1 on that. I'm facing a somewhat similar challenge.
Also opened this issue on their GitHub repo with hopes to get an answer.
Would be awesome if someone could suggest a solution 🙏🏼
you don't need to have a special decorator for it.
you just need the following code in you endpoints init.py file. Swagger will automatically support authorization and will through 401 with any decorator.
from flask_restx import Api
blueprint = Blueprint("api", __name__)
authorizations = {
"Authorization": {
"description": "Inputs: Bearer \\<jwtToken\\>",
"type": "apiKey",
"in": "header",
"name": "Authorization",
}
}
api = Api(
blueprint,
title="Dummy API",
version="1.0",
authorizations=authorizations,
security="Authorization",
)
I am using App Engine Standard with the Python 2 runtime and Endpoints Frameworks.
When making a request, the app just returns "Successful" if the request was completed. I am trying to implement authentication so unauthenticated users are not able to complete the request. I've done the following:
Modified my main.py decorator to include issuers and audience:
issuers={'serviceAccount': endpoints.Issuer('[MYSERVICEACCOUNT]', 'https://www.googleapis.com/robot/v1/metadata/x509/[MYSERVICEACCOUNT]')},
audiences={'serviceAccount': ['[MYSERVICENAME]-dot-[MYPROJECT].appspot.com']}
Modifed my main.py method to check for a valid user:
user = endpoints.get_current_user()
if user is None:
raise endpoints.UnauthorizedException('You must authenticate first.')
Regenerated and redeployed my openAPI document. It now has security and securityDefinitions sections.
Updated my app.yaml to reference that Endpoints version.
Redeployed my app
To make an authorized request to my app, I have done the following:
I gave the service account the Service Consumer role on my Endpoints service.
Generate a signed jwt using the generate_jwt function from Google's documentation. I am passing in credentials using the service account's json key file.
payload = json.dumps({
"iat": now,
"exp": now + 3600,
"iss": [MYSERVICEACCOUNT],
"sub": [MYSERVICEACCOUNT],
"aud": [MYSERVICENAME]-dot-[MYPROJECT].appspot.com
})
Make the request using make_jwt_request function from Google's documentation.
headers = {
'Authorization': 'Bearer {}'.format(signed_jwt),
'content-type': 'application/json'}
I am getting 401 Client Error: Unauthorized for url error. Am I missing something?
Your audiences don't match; in your code, you are requiring an audience of [MYSERVICEACCOUNT], but when generating the JWT, your audience is [MYSERVICENAME]-dot-[MYPROJECT].appspot.com. These need to match.
There are few details, which might be worth checking:
The list of allowed audiences should contain the value of aud claim of a client-generated JWT token. This is what Rose has pointed out.
All of the JWT claims presented in sample client documentation are present. Your code is missing the email claim in the JWT payload dictionary.
The method you're accessing requires no specific OAuth scopes. The scopes are set as the scopes field of #endpoints.method decorator.
After opening a support ticket with Google, it turns out Google's documentation was incorrect. The main.py function needs to check for an authenticated user in the below manner:
providers=[{
'issuer': '[YOUR-SERVICE-ACCOUNT]',
'cert_uri': 'https://www.googleapis.com/service_accounts/v1/metadata/raw/[YOUR-SERVICE-ACCOUNT]',
}]
audiences = ['[YOUR-SERVICE-NAME]-dot-[YOUR-PROJECT-NAME].appspot.com']
user = endpoints.get_verified_jwt(providers, audiences, request=request)
if not user:
raise endpoints.UnauthorizedException
After making that change, I got the following error when trying to make an authenticated request:
Encountered unexpected error from ProtoRPC method implementation: AttributeError ('unicode' object has no attribute 'get')
This was caused by how I was generating the payload with json.dumps(). I generated without json.dumps() like below:
payload = {
"iat": now,
"exp": now + 3600,
"iss": [MYSERVICEACCOUNT],
"sub": [MYSERVICEACCOUNT],
"aud": [MYSERVICENAME]-dot-[MYPROJECT].appspot.com
}
These two changes fixed my issue.
I am using Django Rest Framework Token authentication and if i do curl http://localhost:8000/api/v1/users/?format=json -H 'Authorization: Token 0a813fdcd3f8846d6fa376f2592bbc678b0b8e85' everything works fine.
But when i try to achieve that with Postman chrome client it nothing happens. What am i doing wrong??
You are setting the header to Authorization: Token when it really should just be Authorization. The header is actually just Authorization, but the value is Token [token_string], where [token_string] is the authorization token that you have obtained.
For the new version of postman it is necessary to choose Auth 2 type authentication in the left panel, then in the right panel, specify the DRf key which is "Token" and in the value the token itself.
In addition to the above answer, make sure to enable "Follow Authorization header" under setting (See below screenshot)
After Specifying Authorization and Token value try to add the token in an environment so that every time you don't have to copy the token value.
After get access token from http://127.0.0.1:8000/accounts/login/
such this :
{
"email": "user#example.com",
"tokens": {
"refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImV4cCI6MTY2NjI2NTAxMSwiaWF0IjoxNjY2MTc4NjExLCJqdGkiOiJjZWM3MzJmNDZkMGE0MTNjOTE3ODM5ZGYxNzRiNzMxZCIsInVzZXJfaWQiOjcwfQ.5Rd25s6msp72IHyU1BxE4ym24YIEbhyFsBdUztGXz0I",
"access": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNjY2MjY1MDExLCJpYXQiOjE2NjYxNzg2MTEsImp0aSI6IjgyOWFmZGE5MWY2ODRhNDZhMDllZGMzMmI0NmY0Mzg5IiwidXNlcl9pZCI6NzB9.TYhi0INai293ljc5zBk59Hwet-m9a1Mc1CtA56BEE_8"
},
"id": 70
}
copy content of "access" key in response, then in post man in Headers add new item by key : Authorization and value such this:
Bearer eyJ0eXAi....
that eyJ0eXAi.... is value of access key.
then send the request.