I am in the process of authenticating my application users using djangosaml2.
Using NAMEID_FORMAT_TRANSIENT in my SAML_CONFIG dict like this:
'service': {
# My SP SP
'sp': {
'name': 'My local SP',
'name_id_format': NAMEID_FORMAT_TRANSIENT,
'endpoints': { ... }
The user is authenticated, but the user name is received encrypted. This is a requirement from the SP. I see in the documentation for pysaml(https://github.com/onelogin/python-saml) that there is a "security" set of settings and one of the parameters there is
"nameIdEncrypted": False
My question:
How to include the "security" parameters in the SAML_CONFIG dictionary in settings.py?
The following does not seem to work:
'service': {
'sp': { ... }
}
'metadata': {
....
}
'security': {
# The nameID of the <saml:logoutRequest> sent by the SP will be encrypted
"nameIdEncrypted": True,
# Indicates whether the <samlp:AuthnRequest> messages sent by this SP
# will be signed. [Metadata of the SP will offer this info]
"authnRequestsSigned": False
}
Edit: Correcting myself: Working with my SP i have made sure that metadata and certificates are correct and my user can authenticate if security is turned off on the SP side. However, when they correctly activate security for my site I see the following in my logs when the initial SAML request goes over:
INFO 2015-10-13 10:00:43,478 response status_ok 3188 Not successful operation:
Signature required
ERROR 2015-10-13 10:00:43,478 client_base parse_authn_request_response 3188 SAML status error: Signature required from urn:oasis:names:tc:SAML:2.0:status:Requester
Still the problem remains how to pass the security settings in the SAML_CONFIG dictionary. I have tried to put them at root level, or under 'sp' to no avail. Another way could be putting them in a separate json file and have djangosaml2 use that file somehow, but I do not see how to do that either.
Take a look on this specific django-saml-extension(https://github.com/KristianOellegaard/django-saml-service-provider).
But at python-saml you can find a django-demo that show you how handle that settings:
https://github.com/onelogin/python-saml/tree/master/demo-django
You can see how settings are read from the saml folder.
nameIdEncrypted false means that the NameID sent from the SP is not sent encrypted.
If you want to throw an exception if a NameID received is from IdP is not encrypted you may set wantNameIdEncrypted to true.
Please read the documentation:
https://github.com/onelogin/python-saml#settings
And if you find any issue, please report it at github :)
as smartin
mentioned, you are looking at the wrong package documentation.
pySAML2 documentation here.
To answer your question:
"service": {
"sp": {
"authn_assertions_signed": "true",
}
}
You need to set authn_assertions_signed to true/false so the IDP knows this sp preference.
Related
I am using App Engine Standard with the Python 2 runtime and Endpoints Frameworks.
When making a request, the app just returns "Successful" if the request was completed. I am trying to implement authentication so unauthenticated users are not able to complete the request. I've done the following:
Modified my main.py decorator to include issuers and audience:
issuers={'serviceAccount': endpoints.Issuer('[MYSERVICEACCOUNT]', 'https://www.googleapis.com/robot/v1/metadata/x509/[MYSERVICEACCOUNT]')},
audiences={'serviceAccount': ['[MYSERVICENAME]-dot-[MYPROJECT].appspot.com']}
Modifed my main.py method to check for a valid user:
user = endpoints.get_current_user()
if user is None:
raise endpoints.UnauthorizedException('You must authenticate first.')
Regenerated and redeployed my openAPI document. It now has security and securityDefinitions sections.
Updated my app.yaml to reference that Endpoints version.
Redeployed my app
To make an authorized request to my app, I have done the following:
I gave the service account the Service Consumer role on my Endpoints service.
Generate a signed jwt using the generate_jwt function from Google's documentation. I am passing in credentials using the service account's json key file.
payload = json.dumps({
"iat": now,
"exp": now + 3600,
"iss": [MYSERVICEACCOUNT],
"sub": [MYSERVICEACCOUNT],
"aud": [MYSERVICENAME]-dot-[MYPROJECT].appspot.com
})
Make the request using make_jwt_request function from Google's documentation.
headers = {
'Authorization': 'Bearer {}'.format(signed_jwt),
'content-type': 'application/json'}
I am getting 401 Client Error: Unauthorized for url error. Am I missing something?
Your audiences don't match; in your code, you are requiring an audience of [MYSERVICEACCOUNT], but when generating the JWT, your audience is [MYSERVICENAME]-dot-[MYPROJECT].appspot.com. These need to match.
There are few details, which might be worth checking:
The list of allowed audiences should contain the value of aud claim of a client-generated JWT token. This is what Rose has pointed out.
All of the JWT claims presented in sample client documentation are present. Your code is missing the email claim in the JWT payload dictionary.
The method you're accessing requires no specific OAuth scopes. The scopes are set as the scopes field of #endpoints.method decorator.
After opening a support ticket with Google, it turns out Google's documentation was incorrect. The main.py function needs to check for an authenticated user in the below manner:
providers=[{
'issuer': '[YOUR-SERVICE-ACCOUNT]',
'cert_uri': 'https://www.googleapis.com/service_accounts/v1/metadata/raw/[YOUR-SERVICE-ACCOUNT]',
}]
audiences = ['[YOUR-SERVICE-NAME]-dot-[YOUR-PROJECT-NAME].appspot.com']
user = endpoints.get_verified_jwt(providers, audiences, request=request)
if not user:
raise endpoints.UnauthorizedException
After making that change, I got the following error when trying to make an authenticated request:
Encountered unexpected error from ProtoRPC method implementation: AttributeError ('unicode' object has no attribute 'get')
This was caused by how I was generating the payload with json.dumps(). I generated without json.dumps() like below:
payload = {
"iat": now,
"exp": now + 3600,
"iss": [MYSERVICEACCOUNT],
"sub": [MYSERVICEACCOUNT],
"aud": [MYSERVICENAME]-dot-[MYPROJECT].appspot.com
}
These two changes fixed my issue.
I have been successful in creating a new Account User from following this tutorial: https://forge.autodesk.com/en/docs/bim360/v1/reference/http/users-POST/#example, and have used the PATCH method to set their status to active on Postman.
I would like to set their role and access_level but I am having trouble doing so. I have followed the link below to try and perform this function, but it requires the user to already be a BIM 360 Project Admin for it to work.
https://forge.autodesk.com/en/docs/bim360/v1/reference/http/projects-project_id-users-user_id-PATCH/
I also tried following the next link below to add a User to a project, but I am getting errors that I am unsure how to fix.
https://forge.autodesk.com/en/docs/bim360/v1/reference/http/projects-project_id-users-import-POST/
URI: https://developer.api.autodesk.com/hq/v2/accounts/:account_id/projects/:project_id/users/import
Method: PATCH
Authorization: *******************************************
Content-Type: application/json
x-user-id: {{user_id}}
Body:
{
"email": "john.smith#mail.com",
"services": {
"document_management": {
"access_level": "account_admin"
}
},
"company_id": ************************************,
"industry_roles": [
************************************
]
}
(The id for industry_role is IT).
Error:
{
"code": 1004,
"message": "this user doesn't exist."
}
I am unsure how I am getting this error since the User Id used for x-user-id is the same user_id associated with the email given in the request body. Is there a way to fix this or another method I can use?
The x-user-id header is not for specifying the user to import but rather:
x-user-id
string
In a two-legged authentication context, the app has access to all users specified by the administrator in the SaaS integrations UI. By providing this header, the API call will be limited to act on behalf of only the user specified.
Remove this field if that's not what you intended.
Verify the user id and email match each other via /GET users and /GET users:userid.
And be sure to provide either the user's email or the user ID and don't provide them both:
Note that you need to specify either an email, or a user_id. However, you cannot specify both.
See doc here
I am trying to setup emails with my own website. Let's say the domain name is example.com.
The name server in use is digital ocean and I also have a gmail account linked to the same (say using contact#example.com).
While setting up things with mailgun, I used mg.example.com (as they said it would also let me email using the root domain). The verification step is done and I can send email using contact#mg.example.com.
However, trying to use the root domain (contact#example.com) gives the following error:
AnymailRequestsAPIError: Sending a message to me#gmail.com from contact#example.com
ESP API response 404:
{
"message": "Domain not found: example.com"
}
How do I resolve this issue?
I got the same error when I copy-pasted the curl example from Mailgun help page.
My domain was set to EU region, and I had to set the api domain to api.eu.mailgun.net instead of api.mailgun.net.
Boom! Working! :)
I am using the EU region with Mailgun and have run into this problem myself. My implementation is a Node.js application with the mailgun-js NPM package.
EU Region Implementation:
const mailgun = require("mailgun-js");
const API_KEY = "MY_API_KEY"; // Add your API key here
const DOMAIN = "my-domain.example"; // Add your domain here
const mg = mailgun({
apiKey: API_KEY,
domain: DOMAIN,
host: "api.eu.mailgun.net" // -> Add this line for EU region domains
});
const data = {
from: "Support <support#my-domain.example>",
to: "recipient#example.com",
subject: "Hello",
text: "Testing some Mailgun awesomness!"
};
mg.messages().send(data, function(error, body) {
if (error) {
console.log(error);
} else {
console.log(body);
}
});
Further options for the mailgun() constructor can be found here.
Thought I'd share a full answer for anybody that's still confused. Additionally, Mailgun Support was kind enough to supply the following table as a reference guide:
IF:
your domain is an EU domain AND
you're using django-anymail as in Rob's answer above
THEN the ANYMAIL setting (in your Django project settings) should specify the API_URL to be the EU one, example:
ANYMAIL = {
'MAILGUN_API_KEY': '<MAILGUN_API_KEY>',
'MAILGUN_SENDER_DOMAIN': 'example.eu',
'MAILGUN_API_URL': 'https://api.eu.mailgun.net/v3' # this line saved me!
}
Before adding the MAILGUN_API_URL I was getting this error:
AnymailRequestsAPIError: Sending a message to xxx#example.com from noreply#example.eu <noreply#example.eu>
Mailgun API response 404 (NOT FOUND):
{
"message": "Domain not found: mailgun.example.eu"
}
Update 8/22/16:
Anymail has been updated to take a new MAILGUN_SENDER_DOMAIN in settings.py. See version .5+ docs.
--
Original Answer
You did not post your code for how you're sending your email, but you are probably trying to send using the simple send_mail() function:
from django.core.mail import send_mail
send_mail("Subject", "text body", "contact#abc.example",
["to#example.com"],)
When you use this method, Anymail pulls the domain out of your From address and tries to use this with Mailgun. Since your From address (abc.example) doesn't include the subdomain mg., Mailgun is confused.
Instead, you need to send the email using the EmailMultiAlternatives object and specify the Email Sender Domain like so:
from django.core.mail import EmailMultiAlternatives
msg = EmailMultiAlternatives("Subject", "text body",
"contact#abc.example", ["to#example.com"])
msg.esp_extra = {"sender_domain": "mg.abc.example"}
msg.send()
Don't forget the brackets in your To field, as this needs to be a tuple or list even if you're only sending it to one recipient.
For more information, see Anymail docs on esp_extra.
Struggled for days with correct DNS settings and finally found as #wiktor said, i needed to add "eu" to api endpoint to make it work. Its actually also documented here: https://documentation.mailgun.com/en/latest/api-intro.html#mailgun-regions
Sorry for replying as an answer, dont have enough rep to add comment :(
I had the same problem: 404 error, domain not found.
The cause
The EU region selection for the domain on Mailgun
The solution
Change the region from EU back to the default of US.
Since I had not used the domain at all up to this point, I simply deleted it, re-added it, then changed my TXT, MX and CNAME records (for example, mailgun.org instead of eu.mailgun.org) at the domain registrar (which was GoDaddy in my case).
I found my fix with this change:
ANYMAIL = {
...
'MAILGUN_SENDER_DOMAIN': 'example.com', # Using the sending domain in Mailgun
}
I am creating web service using silex micro framework. This is first time i am using it and I dont have prior knowledge on symfony. I could be able to understand how silex works and how to write controller providers , service providers etc ..
I couldnt work out authentication for my webservice.
I want to use JWT authentication and I found this cnam/security-jwt-service-provider extending firebase/php-jwt.
I set it up right and I get this output when I access protected resource
{"message":"A Token was not found in the TokenStorage."}
which is correct.
Question: I want to post the username , password to application and get token back. ( username=admin , password=foo )
I am using postman chrome extension ( also used Advanced rest client ) to post values to url ( http://silex.dev/api/login)
Post data I am sending
Key=> username Value=> admin
Key=> password Value=> foo
I also tried
Key=> _username Value=> admin
Key=> _password Value=> foo
Aldo tried key vaule pairs in basic auth headers.
response I get id
{
"success": false,
"error": "Invalid credentials"
}
When I debug the Application I see no post data at all.
$vars = json_decode($request->getContent(), true);
I get null $var.
PS: I know I will get a valid token back if I get these values posted correctly because I edited values from empty to correct values in breakpoint.
Apparently I should send data in json format and should set content-type appication/json
eg:
{
"_username":"admin",
"_password":"foo"
}
and response will something be like
{
success: true
token: "eyJ0eXAiOisKV1diLCJfbGgiOhJIjzI1NiJ9.eyJuYW1lIjoiYWRtaW4iLCJleHAiOjE0Mzk5MDUxMjh9.DMdXAv2Ay16iI1UQbHZABLCU_gsD_j9-gEU2M2L2MFQ"
}
I'm trying to use loopback angular SDK to login but instead I'm getting back a 401 unauthorized response.
User.login({ rememberMe: true }, {email: $scope.user.email, password: $scope.user.password})
.$promise
.then(function() {
var next = $location.nextAfterLogin || '/';
$location.nextAfterLogin = null;
$location.path(next);
})
.catch(function(x) {
$scope.authError = 'Wrong Credentials';
});
};
Also i can see the user with the given credentials in the datasource that I've defined for the User model.
So basically, I have a boot script that creates a default user
User.create([{
username: 'admin',
email: 'xxxx#gmail.com',
password: 'admin'
}], on_usersCreated);
And I also have created a custom User model that extends the built-in User model.
Why am I getting a 401 unauthorized response when trying to login? I have even tried to login via the explorer, but with no success.
Update:
I debugged the build-in User model and the login method; and it seems that it cannot find the user with the given email. I can see it though in the mongodb database.
Inspect the ACL records of User model, starting you app in debug mode and viewing console: DEBUG=loopback:security:acl slc run.
I don't see anything wrong with your code. Are you sure the values you're passing into the function are correct? Try logging $scope.user.email and $scope.user.password before calling User.login.
See my new example here: https://github.com/strongloop/loopback-getting-started-intermediate/blob/master/client/js/services/auth.js#L6-L15
The tutorial part is not complete, you can look around the source code to get an idea of what you're doing different.