wso2am - disable oauth consent form - wso2

Using wso2am 2.1.0, is it possible to disable / skip the OAuth authorization approval (the screen where the user confirms using the API by a specific application and scope)? I am almost sure I've seen such an option (parameter), but I cannot recall where...

OK, I've found it by myself: in identity.xml there are the options OpenIDSkipUserConsent and SkipUserConsent.

Related

aws-amplify with Auth0

We've got Auth0 and aws-amplify working separately for our React Native App. But, going the next step (even following the Auth0 and AWS docs) for getting the authentication to flow from Auth0 to Cognito/User-Pools has not been working.
Yet, we've not found a discussion on Stack Overflow, Auth0 or elsewhere with the same problem. Is it possible that we are missing something?
aws-amplify does imply that OpenID Connect and Federated Identities are working, but it's possible that the library is not yet supporting this flow.
refs: https://github.com/aws/aws-amplify/issues/58
https://auth0.com/docs/integrations/integrating-auth0-amazon-cognito-mobile-apps
https://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html
Does anyone have a working example or other docs that we could use to debug the flow? Right now it defaults to the guest/unauth route after Auth0 and aws-amplify communicate, rather than enabling authentication to flow and our policies to be applied for the user.
Hi, we have this feature request in the repo: https://github.com/aws/aws-amplify/issues/239

Adding a Password Recovery option to WSO2 sign-in

I was wondering if there is an option for users who want to use the store but have forgotten their password.
Currently the WSO2 sign-in page looks like this:
I have set the following in <APIM_HOME>/repository/conf/identity/identity-mgt.properties:
Identity.Listener.Enable=true
Notification.Sending.Enable=true
Notification.Expire.Time=3
Notification.Sending.Internally.Managed=true
UserAccount.Recovery.Enable=true
Captcha.Verification.Internally.Managed=true
I'm assuming the email settings for the same are in <APIM_HOME>/repository/conf/email/email-admin-config.xml
Anyhow, after applying the above settings and restarting the server, the sign-in page remained the same.
Is there some configuration to enable an option on the sign-in page (eg. Forgot password/Reset password)?
Also, are there any additional settings that need to be configured for it to work as expected?
API Manager Store/Publisher UIs do not support this out of the box. But you can achieve this with WSO2 Identity Server. (You can use the same Identity Server as the key manager node of the APIM setup.)
Please refer to the IS docs. A sample webapp is also available here.

Pass NTLM with Postman

Is there a way to pass Windows Authentication with postman?
I have added this in the header but still get 401 Unauthorized.
Authorization: NTLM TkFcYWRtaW46dGVzdA==
As suggested by this link, I've encrypted it as Unicode (UTF-16, little-endian), but it was of no use.
Any Ideas?
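The header value in the question is the shape a server will always reject: NTLM is a challenge-response scheme, and the payload after "NTLM " must be a binary NTLMSSP message (Type 1 negotiate, Type 2 challenge, Type 3 authenticate), not base64 of "domain\user:password" as in Basic authentication. The following added Python example (not code from the question or from Postman) checks what an Authorization header actually carries: whether the payload is a genuine NTLM message and which type, or whether it is Basic-style plaintext credentials, which a request-history or shared collection would then store in readable form. The sample NEGOTIATE message it builds is constructed for the demo; the negotiate-flag values and the NTLMSSP signature are the protocol's own.

```python
import base64

# Every real NTLM message (Type 1/2/3) starts with this 8-byte signature,
# followed by a 4-byte little-endian message type.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def encode_header(scheme: str, payload: bytes) -> str:
    """Build an Authorization header value from a scheme and a raw payload."""
    return f"{scheme} {base64.b64encode(payload).decode('ascii')}"


def classify_authorization_header(header_value: str) -> dict:
    """Report what the payload of an Authorization header actually carries.

    Distinguishes a genuine NTLM message from a payload that is merely
    base64-encoded 'user:password' text (Basic-auth style), which a server
    expecting NTLM rejects with 401 no matter what scheme name precedes it.
    """
    scheme, _, token = header_value.strip().partition(" ")
    result = {
        "scheme": scheme,
        "valid_base64": True,
        "is_ntlm_message": False,
        "message_type": None,
        "looks_like_basic_credentials": False,
    }
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        result["valid_base64"] = False
        return result

    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        result["is_ntlm_message"] = True
        result["message_type"] = int.from_bytes(raw[8:12], "little")
        return result

    # Printable ASCII containing ':' is the 'user:password' shape of Basic auth;
    # such a header exposes the credentials to anyone who can read the request.
    printable = all(32 <= b < 127 for b in raw)
    result["looks_like_basic_credentials"] = printable and b":" in raw
    return result


def sample_negotiate_message() -> bytes:
    """Constructed minimal NTLM Type 1 (NEGOTIATE) message, used only to show
    what a real NTLM payload looks like: signature, type, negotiate flags, and
    empty domain/workstation fields (each field is len, maxlen, offset)."""
    flags = 0x00000001 | 0x00000004 | 0x00000200  # UNICODE | REQUEST_TARGET | NTLM
    return (NTLMSSP_SIGNATURE
            + (1).to_bytes(4, "little")
            + flags.to_bytes(4, "little")
            + bytes(16))


if __name__ == "__main__":
    # The header value from the question above, then a constructed genuine NTLM message.
    for value in ("NTLM TkFcYWRtaW46dGVzdA==",
                  encode_header("NTLM", sample_negotiate_message())):
        info = classify_authorization_header(value)
        kind = NTLM_MESSAGE_NAMES.get(info["message_type"], "not an NTLM message")
        print(f"{value[:40]:<42} -> {kind}; basic-style credentials: "
              f"{info['looks_like_basic_credentials']}")
```

Run against the question's header, the classifier reports that the payload is not an NTLM message and has the user:password shape, which is why the server answers 401: a real client (or the Postman NTLM option discussed in the answers) sends a NEGOTIATE message first and only ever puts a challenge response, never the password itself, on the wire.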
I got this working by running Fiddler first.
Run Fiddler (I'm using 4.6.2.3)
Fiddler Menu: Rule -> Automatically Authenticate = true
Postman: Check that Authorization type = No Auth
Browse api.
You can use the NTLM authorization that exists in the Authorization tab, as in this photo.
I don't think there is a way to do that. But, you are not alone in wanting it...
https://github.com/postmanlabs/postman-app-support/issues/1137
[EDIT]
As of this edit, Postman has NTLM Authentication in beta in its most recent release.
https://www.getpostman.com/docs/v6/postman/sending_api_requests/authorization
I suggest using insomnia. It's free and you can see the documentation on how to add NTLM Auth here: https://insomnia.rest/documentation/authentication/
NTLM authentication does work with the Chrome plugin version of Postman, as the built-in Chrome NTLM authentication can be used with the plugin. However, plugins are no longer supported by Chrome, so this version can no longer be installed and used.
The current app version of Postman (both the Chrome app and native app versions) does not support NTLM authentication.
This was added to the Postman application in 5.3.0. However, this support was broken in 5.4.1 and remained broken until 7.14.0 per Postman App issue #4355. Updating the app to a newer version of Postman should therefore allow using NTLM authentication.
Note that Postman currently only supports NTLMv1 authentication but not NTLMv2 per Postman App issue #8038.
I will improve upon Hala's answer, as it is problematic due to storing credentials in the request, and these might get persisted in a shared repository if one is used.
Clear credentials once a request has been successfully issued
One way is to enter the credentials (username, password and domain), make the request and then remove them. Subsequent requests will work, probably due to using the same NTLM authentication header, as Postman will add a temporary Authorization header (blurred) with a value like the following: NTLM some_base64_content
Use environment variables (or better global ones as suggested by SSS) to store sensitive data
Define an environment to use and configure it similar to this:
Use configured environment variables in the request:
You can also change Internet Options and set Logon to:
Automatic logon with current user name and password
taken from:
https://sysadminspot.com/windows/google-chrome-and-ntlm-auto-logon-using-windows-authentication/
If the website uses HTTPS you can add it to Trusted Sites and set it there; otherwise you can add it to Local intranet sites and set it under Custom level... there.
Open Internet Options:
Click Custom level... and scroll to the bottom:
Postman now does NTLM on their desktop apps only.
If you develop your API in C#, you can use the following on your base controller:
// Require an authenticated caller in every build except Debug
#if !DEBUG
[Authorize]
#endif

How do I disable OAuth2 for a resource in WSO2's API Publisher?

I've created a simple API and I'm trying to publish it using WSO2's API Publisher (aka API Cloud). I've gone through all the steps, but it seems to require an Authorization header to access my endpoint. In older documentation, it says that I can change the "Auth Type" at the resource level.
https://docs.wso2.com/display/AM160/API+Resources
However, this option doesn't seem to be there in the current version. I tried to make it so that the Authorization header was not required. Unfortunately, I still get the following error:
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900902</ams:code>
<ams:message>Missing Credentials</ams:message>
<ams:description>Required OAuth credentials not provided</ams:description>
</ams:fault>
Is it possible to disable authentication for my API? I don't need it at this point in my project.
The document you have referred to is from APIM 1.6. From APIM 1.7, the APIM team changed the API creation process to a 3-step process: API Design, Implement and Manage. I think you have experienced this by now. In the Manage section, at the very bottom, it lists the available resources of the API, their auth type, allowed tier and the allowed scope.
The default auth type is Application & Application User. If you click on that, you will get a drop-down where you will see "None" as an option. If you set the auth type to None, you will be able to invoke the API without providing an OAuth token.
See the following screenshot where I have selected different Auth types when creating an API.
Open the configuration related to your API in ${AM_HOME}/repository/deployment/server/synapse-configs/default/api/ and remove the following part:
<handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
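Removing the handler (or setting a resource's auth type to None) leaves an API reachable by anyone who can reach the gateway, and nothing in the Publisher UI flags a definition edited by hand on disk. The following added Python example, which is not code from the answers or from WSO2, audits Synapse API definitions of the kind deployed under ${AM_HOME}/repository/deployment/server/synapse-configs/default/api/ and lists those whose handler chain no longer contains org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler. The two sample definitions are constructed for the demo (the API names and the com.example.hypothetical.LoggingHandler class are placeholders); the Synapse namespace and the handler class name are the real ones from the answer.

```python
import glob
import os
import xml.etree.ElementTree as ET

SYNAPSE_NS = "http://ws.apache.org/ns/synapse"
AUTH_HANDLER = "org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"


def _local(tag: str) -> str:
    """Strip the XML namespace so 'api' and '{synapse-ns}api' compare equal."""
    return tag.rsplit("}", 1)[-1]


def audit_api_config(xml_text: str) -> dict:
    """Inspect one Synapse <api> definition and report whether the OAuth
    authentication handler is still attached to it."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "api":
        raise ValueError("not a Synapse <api> definition")
    handlers = [h.get("class", "") for h in root.iter() if _local(h.tag) == "handler"]
    return {
        "name": root.get("name"),
        "context": root.get("context"),
        "auth_handler_present": AUTH_HANDLER in handlers,
        "handlers": handlers,
    }


def unauthenticated_apis(xml_texts) -> list:
    """Names of the APIs whose definition lacks the authentication handler."""
    reports = (audit_api_config(text) for text in xml_texts)
    return [r["name"] for r in reports if not r["auth_handler_present"]]


def audit_directory(api_dir: str) -> list:
    """Audit every *.xml in a gateway's synapse-configs api directory."""
    texts = []
    for path in sorted(glob.glob(os.path.join(api_dir, "*.xml"))):
        with open(path, encoding="utf-8") as fh:
            texts.append(fh.read())
    return unauthenticated_apis(texts)


# Constructed sample definitions (not files from a real deployment). The second
# one has had the APIAuthenticationHandler removed as the answer above describes.
SECURED_API = """<api xmlns="http://ws.apache.org/ns/synapse" name="admin--Orders"
     context="/orders/1.0.0" version="1.0.0" version-type="context">
  <resource methods="GET" url-mapping="/*">
    <inSequence><send/></inSequence>
    <outSequence><send/></outSequence>
  </resource>
  <handlers>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
    <handler class="com.example.hypothetical.LoggingHandler"/>
  </handlers>
</api>"""

OPEN_API = """<api xmlns="http://ws.apache.org/ns/synapse" name="admin--PublicCatalog"
     context="/catalog/1.0.0" version="1.0.0" version-type="context">
  <resource methods="GET" url-mapping="/*">
    <inSequence><send/></inSequence>
    <outSequence><send/></outSequence>
  </resource>
  <handlers>
    <handler class="com.example.hypothetical.LoggingHandler"/>
  </handlers>
</api>"""


if __name__ == "__main__":
    for name in unauthenticated_apis([SECURED_API, OPEN_API]):
        print(f"WARNING: API '{name}' is deployed without the OAuth authentication handler")
```

Point audit_directory at the gateway's api directory to get the same report for a live deployment; an API that is intentionally open (as in the question) should then show up on that list on purpose rather than by accident.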

Does Google Apps Email Migration API v2 support 2 legged oAuth1?

Does the Google Apps Email Migration API v2 support 2 legged oAuth1?
I've looked at this answer, but I believe it refers to the older version of the Email Migration API: Does Google Apps Email Migration API support 2 legged oAuth?
I have been able to authenticate an Email Migration API request using OAuth1 w/ tokens, but all of my 2 legged OAuth 1 attempts have failed. I have tried including xoauth_requestor_id and it has not had an effect.
There is some hinting in the docs that OAuth1 w/ tokens may be required, but I was hoping to confirm that that is the case.
For example the docs say: "If your application has certain unusual authorization requirements, such as logging in at the same time as requesting data access (hybrid) or domain-wide delegation of authority (2LO), then you cannot currently use OAuth 2.0 tokens. In such cases, you must instead use OAuth 1.0 tokens and an API key."
It seems clear there that "tokens" are referenced, however the word "token" is also used to describe the Authorization request header, so it is less clear that this means OAuth1 request tokens.
Any help is greatly appreciated. Thanks!
The section you are referring to doesn't seem up to date. You can have domain-wide delegation of authority using OAuth 2.0. It's called a Service Account. Once authenticated, you do exactly what you used to do with 2-legged OAuth 1.0.
Here are the steps you need to get started:
Go to Google Developer Console
Create a project if you don't already have one
Go to APIs & auth --> APIs and activate the Admin SDK
Go to APIs & auth --> Credentials and click CREATE NEW CLIENT ID
Select Service Account and click Create Client ID
Download the p12 private key file (and keep it safe!)
Go to your Google Apps Admin Panel
Go to Security --> Advanced Settings --> Manage OAuth Client Access (Direct URL: https://admin.google.com/AdminHome?#OGX:ManageOauthClients)
Enter the Client ID you just created along with the scopes you'll need, separated by commas (in your case, https://www.googleapis.com/auth/email.migration)
Go to your favorite language client library documentation and find how to authenticate using the private key file you downloaded earlier and also impersonate your domain users.
Hope that helps.
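What the last step delegates to the client library is the OAuth 2.0 JWT bearer grant: the service account signs a JWT naming itself as iss, the domain user to impersonate as sub and the granted scopes, and exchanges it at the token endpoint for an access token. The following added Python example (not code from the answer or from Google's client libraries) builds that assertion and the token request so the claims can be inspected before anything is sent. The service-account and user addresses are placeholders; the token endpoint, grant type and the one-hour maximum lifetime are Google's documented values. Signing is passed in as a function: rs256_signer_from_pem gives a real RS256 signer over a PEM private key via the cryptography package (the key format of a JSON key file; a p12 file as in the steps above would first need converting), while the demo run at the bottom uses a dummy signer so it executes without any key material.

```python
import base64
import json
import time
from typing import Callable, Iterable, Optional

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 3600  # Google rejects assertions valid for more than one hour


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(service_account_email: str, impersonated_user: str,
                    scopes: Iterable[str], signer: Callable[[bytes], bytes],
                    now: Optional[int] = None, lifetime: int = MAX_LIFETIME) -> str:
    """Build the signed JWT a service account exchanges for an access token.

    'sub' names the domain user being impersonated (domain-wide delegation);
    'signer' must return an RS256 signature over the JWT signing input.
    """
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("assertion lifetime must be between 1 and 3600 seconds")
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": service_account_email,
        "sub": impersonated_user,
        "scope": " ".join(scopes),
        "aud": TOKEN_ENDPOINT,
        "iat": now,
        "exp": now + lifetime,
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def decode_claims(assertion: str) -> dict:
    """Read back the (unverified) claims, e.g. to review what is about to be sent."""
    return json.loads(_b64url_decode(assertion.split(".")[1]))


def token_request_body(assertion: str) -> dict:
    """Form fields POSTed to TOKEN_ENDPOINT; the response carries the access token."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def rs256_signer_from_pem(pem: bytes) -> Callable[[bytes], bytes]:
    """RS256 signer backed by the 'cryptography' package for a PEM RSA private key."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


if __name__ == "__main__":
    # Placeholder identities and a dummy signer, so the demo runs without a key file.
    assertion = build_assertion(
        "migration@example-project.iam.gserviceaccount.com",  # placeholder service account
        "alice@example.com",                                  # placeholder user to impersonate
        ["https://www.googleapis.com/auth/email.migration"],
        signer=lambda data: b"<signature-placeholder>",
    )
    print(json.dumps(decode_claims(assertion), indent=2))
    print(token_request_body(assertion)["grant_type"])
```

Two things worth checking in the decoded claims before going live: that sub is set (without it the token acts as the service account itself, not as the domain user, and the migration call fails), and that the scope matches exactly what was authorised in the Manage OAuth Client Access step, since the token endpoint refuses an assertion asking for scopes the domain admin never granted to that client ID.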