Is it possible to generate a standard key from a "main" key?
I'm trying to generate dynamic keys via api and using it instead of using the account token.
// Generate the key form the main "master" key
$sid = "key sid";
$token = "key secret";
$twilio = new Twilio($sid, $token);
$new_key = $twilio->newKeys->create(["friendlyName" => "Some name"]);
/* For testing */
echo "<br>This is the new key that was generated - " . $new_key->sid;
echo "<br>This is the new key secret - " . $new_key->secret;
Basically, I'm trying to avoid using the account token to generate keys and hopefully using some sort of master key.
When I try to use the main key for authentication, I get the following error message
[HTTP 400] Unable to create record: The request body violates the API contract
It seems like I figured it out. From what I understand is, that you first have to create a sub account and then created a "Main" token and use that token instead of the root account's token.
Related
First question - is it possible to access Deputy Payroll API with only the permanent/anonymous token? If not, probably don't need to read the rest.
I have been tasked with moving data from a Deputy Payroll API to an Azure SQL DW.
I am trying to accomplish this without OAuth2.0 or Azure/Deputy Integration
According to Deputy's documentation you can connect via Permanent Token.
I have used permanent tokens before and REST but I am getting different behaviour.
When I ping the Subdomain for the base deputy URL (https://business.na.deputy.com/) it returns an object with 2 points that look like the following;
"Noshido__LK":"Ad8f......yd78y="
(128/256 key?)
When I ping the payroll api (https://business.na.deputy.com/api/v1/resource/TimesheetPayReturn) using the token it, Data Factory tells me that I 'need to use Login, OAuth2.0, or Bearer'.
I am not familiar with these type of connections, and am hoping to work within the parameters.
Thank You!
The short answer is yes. Permanent tokens is the easier way to access the data. The instructions on how to generate the permanent token is found in the GIF animation here:
https://www.deputy.com/api-doc/API/Authentication/
This is the code I use in Excel VBA to read the data
Sub Get_Data()
Dim request As New WinHttpRequest
Dim url As String, parameters As String
Dim permanentAccessToken As String
'Demo credentials
permanentAccessToken = "892******************b3e05f0df0"
url = "https://business.na.deputy.com/"
url = url & "api/v1/resource/TimesheetPayReturn"
request.Open "GET", url
request.SetRequestHeader "Authorization", "OAuth " + permanentAccessToken
request.Send
' Check the result is valid
If request.Status <> 200 Then
MsgBox "Error: " & request.ResponseText
Exit Sub
End If
End Sub
The permanent token is added to the header and that should work.
I'm trying to create a new API that allows me to automatically check session status from an external application (SSO) based on the presence of a cookie (cross-domain),
following moodle's logic (code), I found that you key session key by just calling sesskey() function (based on $_SESSION['USER'] )
but when I call this function in externallib file every time it gives me a new random session key
The problem was call sessKey() from an external lib get an empty $_SESSION['USER']
any help would be greatly appreciated
Is it possible with any secret engine to have a "single use" password?
I have a command that generates an rsa keypair for users, and would like them to retrieve their private key. I can obviously print it out, or write to file etc, but thought it would be nice if it was stored in a "single use" place in vault? Then the user could retrieve it via the UI, and know that no-one else has viewed it. If someone else viewed it they would need to regenerate.
Basically can we have a vault key that can only be read once?
You can create a policy that only has access to that secret, for example
# policy: rsa
path "secret/rsa" {
capabilities = ["read"]
}
and then create a wrapped token for that policy, for example
$ vault token create -policy=rsa -num_uses=1 -wrap-ttl=120
Key Value
--- -----
wrapping_token: s.9QFJ8mRxGJD0e7kFfFIbdpDM
wrapping_accessor: S0zKNUr2ENbnCtj0YyriO31b
wrapping_token_ttl: 2m
wrapping_token_creation_time: 2019-12-17 09:45:42.537057 -0800 PST
wrapping_token_creation_path: auth/token/create
wrapped_accessor: VmBKXoc19ZLZlHGl0nQCvV6r
This will generate a wrapped token.
You can give that to your end user and they can unwrap it with
VAULT_TOKEN="s.3Kf3Xfn58Asr3bSDkRXATHrw" vault unwrap
which will generate a token.
With that token, the user will be able to login to vault and retrieve the rsa creds only once since the token will be invalid afterwards.
You can now guarantee that the creds have only been used from the target user as the wrapped token can be unwrapped only once.
Note: you might need to adjust num_uses when you create the token if your end user goes through the UI as the UI might use the token to perform more than one actions.
more info
I am using Flutter as front end and Django for back end purpose. I am trying to integrate Google and Facebook OAuth in the app and using some flutter libraires I am able to fetch user details and access token in front end. Now the question is how do I handle users and access tokens for them and verify them through drf. I could totally depend on drf for OAuth and create users using http request in front end using OAuth toolikt for Django but is there a way that I handle incoming auth tokens in front end and verify them in drf so as to register them in backend.
#api_view(http_method_names=['POST'])
#permission_classes([AllowAny])
#psa()
def exchange_token(request, backend):
serializer = SocialSerializer(data=request.data)
if serializer.is_valid(raise_exception=True):
# This is the key line of code: with the #psa() decorator above,
# it engages the PSA machinery to perform whatever social authentication
# steps are configured in your SOCIAL_AUTH_PIPELINE. At the end, it either
# hands you a populated User model of whatever type you've configured in
# your project, or None.
user = request.backend.do_auth(serializer.validated_data['access_token'])
if user:
# if using some other token back-end than DRF's built-in TokenAuthentication,
# you'll need to customize this to get an appropriate token object
token, _ = Token.objects.get_or_create(user=user)
return Response({'token': token.key})
else:
return Response(
{'errors': {'token': 'Invalid token'}},
status=status.HTTP_400_BAD_REQUEST,
)
There’s just a little more that needs to go in your settings (full code), and then you’re all set:
AUTHENTICATION_BACKENDS = (
'social_core.backends.google.GoogleOAuth2',
'social_core.backends.facebook.FacebookOAuth2',
'django.contrib.auth.backends.ModelBackend',
)
for key in ['GOOGLE_OAUTH2_KEY',
'GOOGLE_OAUTH2_SECRET',
'FACEBOOK_KEY',
'FACEBOOK_SECRET']:
# Use exec instead of eval here because we're not just trying to evaluate a dynamic value here;
# we're setting a module attribute whose name varies.
exec("SOCIAL_AUTH_{key} = os.environ.get('{key}')".format(key=key))
SOCIAL_AUTH_PIPELINE = (
'social_core.pipeline.social_auth.social_details',
'social_core.pipeline.social_auth.social_uid',
'social_core.pipeline.social_auth.auth_allowed',
'social_core.pipeline.social_auth.social_user',
'social_core.pipeline.user.get_username',
'social_core.pipeline.social_auth.associate_by_email',
'social_core.pipeline.user.create_user',
'social_core.pipeline.social_auth.associate_user',
'social_core.pipeline.social_auth.load_extra_data',
'social_core.pipeline.user.user_details',
)
Add a mapping to this function in your urls.py, and you’re all set!
I'm trying to figure out how to create a new appRoleAssignment using the Azure AD Graph API. (It appears that the newer Microsoft Graph does NOT support creating app role assignments just yet). I want to use the default role.
var assignment = new Dictionary<string, string>();
assignment["id"] = "00000000-0000-0000-0000-000000000000";
assignment["principalId"] = "user-guid";
assignment["resourceId"] = "service-principal-guid";
var url = "https://graph.windows.net/{tenant.onmicrosoft.com}/servicePrinciapls/{service-principal-guid}/appRoleAssignments";
I also tried posting to:
var url = "https://graph.windows.net/{tenant.onmicrosoft.com}/appRoleAssignments";
I'm POSTing the data in the hopes to create the assignment but it is giving a 404 error.
The assignment dictionary gets converted to JSON and posted.
In this answer we discussed the endpoint to GET app role assignments for a user. The same endpoint is the one you would POST to to create a new app role assignment:
POST https://graph.windows.net/{tenant-id}/users/{id}/appRoleAssignments?api-version=1.6
...
{
"principalId":"{user-object-id}",
"resourceId":"{service-principal-object-id}",
"id":"00000000-0000-0000-0000-000000000000"
}
(In the example above, we use 00000000-0000-0000-0000-000000000000 as the app role ID because we want to create a default assignment (i.e. "no role"). This would correspond to the id of an AppRole in the ServicePrincipal object if we wanted to assign the user to a specific app role.)
Instead of using the servicePrincipal collection, we need to use the user entity to create the appRoleAssignment for the users. Here is an example for your reference:
POST:https://graph.windows.net/{tenant}/users/{userObjectId}/appRoleAssignments?api-version=1.6
authorization: Bearer {access_token}
Content-Type: application/json
{
"id":"00000000-0000-0000-0000-000000000000",
"resourceId":"{servicePrincipId}",
"principalId":"{userObjectId}"
}