Disallowing User Listing in SCIM API WSO2 - wso2

I'm using WSO2 IS version 5.3.0. How do I block a user from listing users, but allow retrieving the data of a single user and creating users?
An example of the list-users operation mentioned above:
curl -X GET \
https://some.domain:9443/wso2/scim/Users \
-H 'accept: application/json' \
-u <user>:<password> \
-H 'cache-control: no-cache' \
-H 'content-type: application/json'

Here is the documentation: https://docs.wso2.com/display/IS530/Authenticating+and+Authorizing+REST+APIs
But it can be a pain and can lack granularity (disable for everybody, including the Super Tenant admin, or not). Usually WSO2 Professional Services recommends using WSO2 API Manager (or any other) in front of it to manage more granular permissions.
Jeff
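A sketch of the per-operation rule a gateway in front of the Identity Server would have to enforce for this question. This is an added example, not part of the original thread and not WSO2 code; the `allow` function and the id pattern are assumptions, and the path comes from the curl call in the question.

```python
import posixpath
import re
from urllib.parse import unquote

# Path taken from the question's curl call; the id pattern is an assumption
# (UUID-style SCIM ids), adjust it to your deployment.
USERS = "/wso2/scim/Users"
USER_ID = re.compile(r"[A-Za-z0-9_-]+")


def allow(method: str, target: str) -> bool:
    """Decide whether the gateway forwards this request (hypothetical helper)."""
    # The query string never changes which resource is addressed, so a
    # filtered listing (?filter=...) is judged exactly like a plain one.
    path = unquote(target.partition("?")[0])
    if "%" in path:
        return False  # still encoded after one decode: treat as double encoding
    # Collapse "//", "." and ".." so /Users/x/.. is judged as the collection.
    path = posixpath.normpath("/" + path.lstrip("/"))
    method = method.upper()

    if path == USERS:
        return method == "POST"  # create is allowed, list (GET) is not
    if path.startswith(USERS + "/"):
        user_id = path[len(USERS) + 1:]
        return method == "GET" and USER_ID.fullmatch(user_id) is not None
    return False  # default deny for every other path and method


# Constructed sample requests (not from the original thread).
SAMPLES = [
    ("GET", "/wso2/scim/Users"),
    ("GET", "/wso2/scim/Users?filter=userNameEqbob"),
    ("GET", "/wso2/scim/Users/abc/%2e%2e"),
    ("GET", "/wso2/scim/Users/b228b59d-db19-4064-b637-d33c31209fae"),
    ("POST", "/wso2/scim/Users"),
]

if __name__ == "__main__":
    for method, target in SAMPLES:
        print("ALLOW" if allow(method, target) else "DENY ", method, target)
```

Forward the normalized path, or reject any request whose path changed during normalization, so the gateway and the Identity Server cannot disagree about which resource is being addressed.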

Related

Dynamic Client Registration OAuth2 on AWS

I was hoping to see some examples on how to implement Dynamic client registration that generates client credentials for an OAuth2 flow on AWS.
Any references?
DCR generally works like this, but can vary quite a bit depending on the client scenario. Hopefully this gives you the general flavour of things:
STEP 1: GET A DCR ACCESS TOKEN TO USE FOR REGISTRATION
Typically this involves an initial OAuth flow with a dcr scope, to get a DCR access token, needed to register:
curl -X POST https://login.example.com/oauth/v2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Authorization: some-credential" \
-d client_id=initial_client \
-d scope=dcr
STEP 2: REGISTER AND GET A UNIQUE CLIENT
This involves a POST with a JSON request and response, simplified below:
curl -X POST https://login.example.com/oauth/v2/registration \
-H "Authorization: dcr-access-token" \
-H "Content-Type: application/json" \
-d '{"grant_types": ["client_credentials"], "scope": "openid profile transactions"}'
The response then typically has quite a large payload, but in particular a unique client ID and secret are returned:
client_id: cj348034t534tu90
client_secret: h7890g723470fghfgh42rt
other-fields: ...
STEP 3: USE THE UNIQUE CLIENT
From that point onwards the client just uses the client ID and secret to get application level tokens:
curl -X POST https://login.example.com/oauth/v2/token \
-u "cj348034t534tu90:h7890g723470fghfgh42rt" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d scope='openid profile transactions'
DYNAMIC BUSINESS
DCR is quite a powerful concept and one scenario that showcases it is Open Banking, where approved merchants can automatically onboard and start calling bank APIs. In this case the initial DCR access token is retrieved based on Mutual TLS trust and other regulatory checks.
PROVIDERS
DCR features are provided by more advanced OAuth providers and I doubt it is supported by Amazon. Curity has plenty of resources on the design patterns though, so if you want more info, see these resources:
Curity Website - with a search for DCR
Introductory Video
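The three steps above as an in-memory exchange, showing the checks the server side applies at each step. This is an added example, not code from the original answer or from any OAuth provider; `AuthServer`, `basic` and `run_flow` are hypothetical names, and step 1 is reduced to issuing the dcr-scoped token without authenticating the initial client.

```python
import base64
import secrets

class AuthServer:
    """In-memory stand-in for the authorization server (hypothetical)."""
    def __init__(self):
        self.tokens = {}   # access token -> set of granted scopes
        self.clients = {}  # client_id -> (client_secret, registered scopes)

    def _issue(self, scopes):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = set(scopes)
        return token

    def initial_token(self):
        # Step 1: the pre-provisioned initial client gets a dcr-only token.
        return self._issue({"dcr"})

    def register(self, bearer, metadata):
        # Step 2: only a token carrying the dcr scope may create clients.
        if "dcr" not in self.tokens.get(bearer, set()):
            return 401, {"error": "invalid_token"}
        client_id, secret = secrets.token_hex(8), secrets.token_urlsafe(24)
        self.clients[client_id] = (secret, set(metadata["scope"].split()))
        return 201, {"client_id": client_id, "client_secret": secret, **metadata}

    def client_token(self, authorization, scope):
        # Step 3: HTTP Basic with the issued pair, limited to registered scopes.
        scheme, _, blob = authorization.partition(" ")
        client_id, _, secret = base64.b64decode(blob).decode().partition(":")
        stored, allowed = self.clients.get(client_id, ("", set()))
        if scheme != "Basic" or not stored or not secrets.compare_digest(stored, secret):
            return 401, {"error": "invalid_client"}
        if not set(scope.split()) <= allowed:
            return 400, {"error": "invalid_scope"}
        return 200, {"access_token": self._issue(scope.split()), "token_type": "bearer"}

def basic(client_id, secret):
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def run_flow(server):
    dcr_token = server.initial_token()
    meta = {"grant_types": ["client_credentials"], "scope": "openid profile transactions"}
    status, reg = server.register(dcr_token, meta)
    auth = basic(reg["client_id"], reg["client_secret"])
    ok, tok = server.client_token(auth, "openid transactions")
    # An application token has no dcr scope, so it cannot mint more clients.
    reuse, _ = server.register(tok["access_token"], meta)
    return status, ok, reuse
```

`run_flow(AuthServer())` returns the status of the registration, the application token request, and the attempt to register again with the application token.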

WSO2 Identity Server OAuth2 access token request redirects to login page

I'm trying to send a request to https://{identity-server}:9443/oauth2/token. And the request is redirected to Location: https://{identity-server}:9443/carbon/admin/login.jsp. The version I'm using is IS 5.7.0 and deployed on Kubernetes as a clustered setup.
You are missing the authorization header in the request. That's why you are getting redirected to the login page.
Try to provide the authorization header like this
Authorization: Basic [Base64encode(<Client-ID>:<ClientSecret>)]
Final request should be similar to this
curl -X POST \
https://localhost:9443/oauth2/token \
-H 'Authorization: Basic Zkd2ZlhiQ05VeUFmd2ltQW9HSWYycXZDakdFYTpFb1NOWDdHNFQ2NGZjcVFyZTVIX2NPR01CS2Nh' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'username=admin&password=admin&grant_type=password&scope=bearer'

how to use google AI platform online predictions?

I created a custom TensorFlow model and deployed it to Google Cloud AI Platform.
However, when I sent a POST request to the online prediction API (https://ml.googleapis.com/v1/projects/my-project/models/my-model/versions/my-version:predict), I got back 401 "Request is missing required authentication credential. Expected OAuth 2 access token". My understanding is that by deploying the model its API is already available online, so is there a way to make the API public? If not, how can I authenticate to the API with a bearer token?
You can get the auth token using gcloud:
access_token=$(gcloud auth application-default print-access-token)
and then embed it into the header:
curl --silent \
-H "Authorization: Bearer $access_token" \
-H "Content-Type: application/json" \
-X POST \
etc.

Google URL Shorter API returning 403 with authorized API key

We are developing an application and we are using the Google URL Shortener API to reduce very long URLs.
This was working fine until a week ago. The API started to return 403 Unauthorized.
The problem appeared when we switched API key. It was working fine when we were testing but failed in production.
We checked that the API keys are correct, and they are. We are testing requests with Postman. The credit card is also correct, but we are still under the free plan, so nothing is wrong with payment.
The API key is not restricted, and is registered for the Google Shortener API.
The dashboard is showing our requests but all are in error.
The request we made :
curl -X POST \
'https://www.googleapis.com/urlshortener/v1/url?key=TheApIKeyStaNDshEre' \
-H 'Accept: application/json' \
-H 'Accept-Encoding: gzip, deflate' \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-d '{
"longUrl": "http://example.com/foo/bar/log/url/with?params=true"
}'
Something the team hasn't seen is that the API key has been regenerated AFTER the limit.
From the Google blog post:
Starting May 30, 2018, only projects that have accessed URL Shortener APIs before today can create short links.
We missed this part when they decided to regenerate the key, and now we are locked out.
So we'll go for a hot fix to switch to Firebase.
Don't regenerate your keys or you will be locked out forever.
(sorry #Ricky, we missed the part, you were right)
Google is shutting down the service. This could be the reason if your code worked properly before.
https://developers.googleblog.com/2018/03/transitioning-google-url-shortener.html

How to get Amazon marketing services (AMS) sponsored campaign programmatically?

Greetings!!
The goal is to get Amazon Marketing Services (AMS) sponsored product campaigns through the Sponsored Products API (if possible).
And please suggest if there is a different set of APIs for AMS sponsored campaigns.
I have followed all the instructions given on this site.
https://advertising.amazon.com/API
I have followed all the instructions given in the guidelines, but with that I am not getting campaigns for AMS sponsored products.
Currently I am using "scope:cpc_advertising:campaign_management" to get campaigns, but with that I am not getting campaigns for AMS.
Do I pass a different scope to get AMS campaigns? And if yes, what should the parameters be?
Is there any way to get AMS sponsored products campaigns?
PS: I am using the login details of the AMS account only. And I am also aware of sponsored products and AMS sponsored products.
Could you please help me get some information on AMS sponsored campaigns?
Thanks,
James
Here is a curl call for downloading the campaigns report.
curl -X POST \
https://advertising-api.amazon.com/v1/campaigns/report \
-H 'Amazon-Advertising-API-Scope: REPLACE_YOUR_PROFILE_ID' \
-H 'Authorization: REPLACE_YOUR_ACCESS_TOKEN' \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-H 'Host: advertising-api.amazon.com' \
-H 'cache-control: no-cache' \
-d '{
"campaignType": "sponsoredProducts",
"reportDate": "20181205"
}'
Hope this helps to download.