IBM Cloud AppID: Application role doesn't return in JWT - ibm-cloud

In my backend service, I require a token that contains the "roles" claim in the client credentials flow. So I tried to set up App ID as described in the article about assigning roles to an application; unfortunately, I didn't succeed.
Steps done for setup:
Register the application with the "regular web application" type
Create a role
Assign the role to the application as described in the docs
Extend the token config with
"accessTokenClaims": [
{
"source": "roles"
}
]
Retrieve the token via Postman
Used parameters:
URL: https://eu-de.appid.cloud.ibm.com/oauth/v4/{tenantid}/token
Body: form-data and x-www-form-urlencoded (tried both)
grant_type: client_credentials
Basic auth: username: client_id; password: client_secret
I also tried the body with form-data and x-www-form-urlencoded (tried both):
grant_type: client_credentials
client_id: client_id
client_secret: client_secret
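The first thing to check in this situation is what the issued access token actually contains, rather than what the token config was meant to put there. The following is an added example, not code from the question or from IBM App ID: it builds the same client_credentials request (HTTP Basic client authentication, as in the Postman setup above), optionally sends it, and then decodes the JWT payload to report the roles claim. The region, tenant ID and the sample token are constructed placeholders; the decoder deliberately does not verify the signature, so it is for inspection only.

```python
import base64
import json
import urllib.parse
import urllib.request

# Hypothetical tenant; substitute your own region and tenant ID from the App ID service credentials.
APPID_REGION = "eu-de"
TENANT_ID = "00000000-0000-0000-0000-000000000000"
TOKEN_URL = f"https://{APPID_REGION}.appid.cloud.ibm.com/oauth/v4/{TENANT_ID}/token"


def build_token_request(client_id: str, client_secret: str):
    """Return (url, headers, body) for the client_credentials request from the question,
    with the client authenticating via HTTP Basic. Nothing is sent here."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return TOKEN_URL, headers, body


def fetch_token(client_id: str, client_secret: str) -> dict:
    """Send the request (network access) and return the parsed token response."""
    url, headers, body = build_token_request(client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS WITHOUT verifying the signature.
    Fine for inspecting what the issuer put in the token; any code that relies on the
    claims must verify the signature against the tenant's JWKS first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def roles_in_token(token: str) -> list:
    """Roles claim as a list; [] when the claim is absent, which is the symptom in the question."""
    roles = decode_jwt_payload(token).get("roles", [])
    return list(roles) if isinstance(roles, (list, tuple)) else [roles]


def make_sample_token(payload: dict) -> str:
    """Constructed, unsigned sample for offline use: real header and payload, placeholder signature."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.c2lnbmF0dXJl"   # base64url("signature"), not a real signature


if __name__ == "__main__":
    # Offline demonstration on a constructed token; swap in fetch_token(...)["access_token"]
    # to inspect a real one.
    sample = make_sample_token({"iss": TOKEN_URL.rsplit("/", 1)[0], "sub": "app-client",
                                "roles": ["reader"]})
    print("roles:", roles_in_token(sample))
```

Run it against a real token from fetch_token(): an empty list tells you the roles claim is simply not being issued for the client credentials grant, which narrows the problem to the App ID role assignment or token configuration rather than to how Postman sends the request.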

Related

How to connect to SharePoint in Postman using user id and password instead of client id and client secret?

I want to connect to SharePoint using username@company.com and a password instead of a client ID and client secret. Do I need to get any authorization for my ID? If yes, how? I know the process for fetching authorization for a client ID and client secret.
In this URL: https://{tenant}.sharepoint.com/sites/{sitename}/_layouts/15/user.aspx
I add my user ID and password with the permission level "Full control".
But in this URL: https://{tenant}.sharepoint.com/sites/{sitename}/_layouts/15/appprincipals.aspx
I can see only the client ID and client secret, not my user ID.
When I send the POST request using Postman, it gives me "error": "unsupported_grant_type".
Postman Inputs:
POST https://accounts.accesscontrol.windows.net/{tenant_id}/tokens/OAuth/2
Headers
Content-Type : application/x-www-form-urlencoded
Body (x-www-form-urlencoded)
grant_type: password
username: username@company.com
password: password
resource: 00000003-0000-0ff1-ce00-000000000000/{tenant}.sharepoint.com@{tenant_id}
The SharePoint REST API does not support the "Password Grant Flow". You can use either the "Client Credentials Flow" or the "Implicit Flow".
If you want to allow users to use their username and password, use the implicit flow.
NOTE: Users will always be required to sign in to get an access token. You cannot simply pass a username and password in a POST request.
Here is the complete guide for configuring an Azure AD app for the implicit flow: https://frankchen2016.medium.com/how-to-access-the-spo-rest-api-using-implicit-authentication-flow-40d65750554f
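For the client credentials route the answer recommends, the details that usually trip people up are the realm-qualified identifiers ACS expects. The block below is an added example, not code from the question, the answer or Microsoft: it builds the app-only token request against the same accounts.accesscontrol.windows.net endpoint used above, with the SharePoint Online principal ID from the question's resource string, and rejects a password grant locally the way ACS does. The tenant ID, tenant host and client values are constructed placeholders.

```python
import urllib.parse

# SharePoint Online's principal ID in ACS (the fixed value in the question's resource string).
SPO_PRINCIPAL_ID = "00000003-0000-0ff1-ce00-000000000000"
# Hypothetical tenant; replace with your own.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_HOST = "contoso.sharepoint.com"

# Grant types ACS accepts at this endpoint for SharePoint; "password" is not one of them.
SUPPORTED_GRANTS = {"client_credentials"}


def acs_token_url(tenant_id: str) -> str:
    return f"https://accounts.accesscontrol.windows.net/{tenant_id}/tokens/OAuth/2"


def acs_resource(tenant_host: str, tenant_id: str) -> str:
    """Resource identifier: <SPO principal id>/<tenant host>@<tenant id>."""
    return f"{SPO_PRINCIPAL_ID}/{tenant_host}@{tenant_id}"


def client_credentials_body(client_id: str, client_secret: str,
                            tenant_host: str = TENANT_HOST, tenant_id: str = TENANT_ID) -> dict:
    """Form body for an app-only token. The client_id carries the realm suffix (@tenant_id);
    the secret is the app principal's from appprincipals.aspx, never a user's password."""
    return {
        "grant_type": "client_credentials",
        "client_id": f"{client_id}@{tenant_id}",
        "client_secret": client_secret,
        "resource": acs_resource(tenant_host, tenant_id),
    }


def encode_form(body: dict) -> bytes:
    """x-www-form-urlencoded bytes for urllib/requests. Rejects locally what ACS would reject
    with {"error": "unsupported_grant_type"}, the response seen in the question."""
    if body.get("grant_type") not in SUPPORTED_GRANTS:
        raise ValueError(f"unsupported_grant_type: {body.get('grant_type')!r}")
    return urllib.parse.urlencode(body).encode()


def spo_rest_headers(access_token: str) -> dict:
    """Headers for the follow-up call to https://<tenant host>/sites/<site>/_api/..."""
    return {"Authorization": f"Bearer {access_token}",
            "Accept": "application/json;odata=verbose"}


if __name__ == "__main__":
    body = client_credentials_body("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "app-secret")
    print(acs_token_url(TENANT_ID))
    print(encode_form(body).decode())
```

The token this yields represents the app principal registered on appprincipals.aspx, not a user, which is exactly why the user ID from user.aspx never appears there.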

Keycloak - get accessToken via Password grantType - requires client_secret

As a Keycloak newbie, I am trying to configure a client with the "Password" grant type. I know this is not the preferred solution in most cases.
I created a realm 'realm2' with a client 'myclient2' and a user.
When trying to get the token with Postman, I get this error:
{
"error": "unauthorized_client",
"error_description": "Client secret not provided in request"
}
When I add the client_secret, I get the token. I tried providing a username and password and no secret.
Via the Keycloak user interface I can also log in as 'johan' in 'realm2'.
This is my request in Postman:
In Keycloak I configured the 'realm2' with no special properties set:
The client 'myclient2' is:
I can see on the Credentials tab of the client:
I configured 1 user in the realm2 with just 'password' as a password:
How can I configure my Keycloak settings so that I don't need the 'secret' but only the username and password?
You could disable authentication for the client, making it public. You can do this by turning off "Client authentication" under the Settings tab of your client.
EDIT: I just realized your Keycloak version seems different from mine. This configuration is likely under the Access Type selector in your Settings tab; change it from confidential to public.
@Haf's answer is right to the point; TL;DR: in the client's Access Type dropdown menu select public instead of confidential.
Nonetheless, I want to add a bit more information about what goes on behind the scenes, since you stated that:
As a newbie for Keycloak I try to configure a client with a "Password" grant type.
First, you should know that Keycloak implements OpenID Connect, which is a simple identity layer on top of the OAuth 2.0 protocol.
According to the OAuth 2.0 protocol, clients can be either confidential or public. The main difference relates to whether or not the application is able to hold credentials (such as a client ID and secret) securely.
Regarding confidential clients:
Because they use a trusted backend server, confidential applications can use grant types that require them to authenticate by specifying their client ID and client secret when calling the Token endpoint.
Armed with this knowledge you can easily figure out how to create a client that will not have a client secret.

Keycloak - Can you add custom claims to client credentials?

I'm using Keycloak to get access tokens, but I need those JWT tokens to have a 'policy' attribute/claim that MinIO requires.
Now, I can get those by calling the token endpoint with grant_type = password, plus username and password.
I know that the policy attribute is mapped from the user, but is there any possibility that I could get client credentials (grant_type = client_credentials) including that attribute? Or any other type of grant?
You can add a Mapper to the client:
Mapper Type: "Hardcoded claim"
Token Claim Name: <token body key>; in your case 'policy'
Claim Value: <the value>
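The same mapper can be created without the UI, which is handy when the client is provisioned by automation. The block below is an added example, not code from the answer or from Keycloak: it builds the protocol-mapper representation that corresponds to the three UI fields above (the mapper id oidc-hardcoded-claim-mapper is Keycloak's built-in "Hardcoded claim" type), posts it to the Admin REST API, and reads the claim back from a decoded token payload, including the nested form Keycloak produces for dotted claim names. The server URL, realm and client UUID are assumed placeholders.

```python
import json
import urllib.request

# Hypothetical deployment; replace with your own server, realm and client.
KEYCLOAK_BASE = "https://keycloak.example.com"
REALM = "realm2"


def hardcoded_claim_mapper(claim_name: str, claim_value: str, name: str = None) -> dict:
    """Protocol-mapper representation equivalent to the UI steps in the answer
    (Mapper Type "Hardcoded claim", Token Claim Name, Claim value). Usable as the body of
    a POST to the Admin REST API or as an entry in a realm export's protocolMappers."""
    return {
        "name": name or f"{claim_name}-hardcoded",
        "protocol": "openid-connect",
        "protocolMapper": "oidc-hardcoded-claim-mapper",
        "config": {
            "claim.name": claim_name,
            "claim.value": claim_value,
            "jsonType.label": "String",
            "access.token.claim": "true",     # MinIO reads the access token, so it must go here
            "id.token.claim": "false",
            "userinfo.token.claim": "false",
        },
    }


def register_mapper(client_uuid: str, admin_token: str, mapper: dict) -> int:
    """Attach the mapper to a client via the Admin REST API (network access).
    client_uuid is the client's internal id, not its clientId. Returns the HTTP status (201 on success)."""
    url = f"{KEYCLOAK_BASE}/admin/realms/{REALM}/clients/{client_uuid}/protocol-mappers/models"
    req = urllib.request.Request(
        url, data=json.dumps(mapper).encode(), method="POST",
        headers={"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def claim_from_payload(payload: dict, claim_name: str):
    """Read the claim back from a decoded token payload. Keycloak treats dots in a claim name
    as nesting ('minio.policy' -> {"minio": {"policy": ...}}), so walk the path."""
    node = payload
    for part in claim_name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


if __name__ == "__main__":
    mapper = hardcoded_claim_mapper("policy", "readwrite")
    print(json.dumps(mapper, indent=2))
    # Constructed payload standing in for a decoded client_credentials token after the mapper is added.
    print(claim_from_payload({"sub": "service-account-myclient", "policy": "readwrite"}, "policy"))
```

A hardcoded claim is attached to every token the client issues, for the service account and for any user who authenticates through that client, so the value should be the least-privileged MinIO policy the client actually needs, and the client should be one that is only used for that purpose.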

Passport JWT Authentication for Hyperledger Composer API

I am searching for a solution to implement the passport-jwt authentication strategy for the Hyperledger Composer REST API. I have followed this link for setting up passport authentication: https://www.codementor.io/gangachris125/passport-jwt-authentication-for-hyperledger-composer-rest-server-jqfgkoljn.
Generating the Hyperledger Composer API, creating the composer-rest-server Docker container, protecting the APIs: everything seems to be working except the access token generation. How do I retrieve that token?
I also created another Node.js application with passport-jwt and MongoDB with a few users added. I was able to successfully generate a token from that application and protect Express routes using that token.
But my sticking point is how to generate a token for the composer-rest-server API.
As explained in many articles, I have created a custom JWT strategy and environment variables as follows:
custom jwt
const passportJwt = require('passport-jwt');
const util = require('util');

// Wraps the passport-jwt Strategy so that the token is always read from the
// "Authorization: Bearer <token>" header, whatever options composer-rest-server passes in.
function CustomJwtStrategy(options, verify) {
    options.jwtFromRequest = passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken();
    passportJwt.Strategy.call(this, options, verify);
}
util.inherits(CustomJwtStrategy, passportJwt.Strategy);

// composer-rest-server loads this module via COMPOSER_PROVIDERS and expects a Strategy export.
module.exports = {
    Strategy: CustomJwtStrategy
};
Environment variables
COMPOSER_CARD=admin@tutorial-network
COMPOSER_NAMESPACES=never
COMPOSER_AUTHENTICATION=true
COMPOSER_MULTIUSER=true
COMPOSER_PROVIDERS='{
"jwt": {
"provider": "jwt",
"module": "/home/composer/node_modules/custom-jwt.js",
"secretOrKey": "admin",
"authScheme": "saml",
"successRedirect": "/",
"failureRedirect":"/"
}
}'
COMPOSER_DATASOURCES='{
"db": {
"name": "auth",
"connector": "mongodb",
"host": "mongo"
}
}'
composer rest server logs on startup
Now, from where should I generate the token, and how do I retrieve it so that I can capture it and pass it in the headers for the Hyperledger Composer business API calls?
Please help with details.
You can use the token generated by Node.js. One thing you need to take care of is that you have to use the same "secretOrKey": "admin" custom key with which you are generating the token in Node.js.
Make the request as shown in the image, since you are using options.jwtFromRequest = passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken();. It will store the access_token in a cookie. Then you can retrieve it from the cookie for further use.
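What the answer relies on is that passport-jwt validates the bearer token with nothing more than an HMAC over the token using secretOrKey, so any process that knows that secret can mint tokens the REST server will accept. The block below is an added example, not code from the question, the answer or Hyperledger Composer: it mints and verifies HS256 tokens with only the Python standard library, using the "admin" secret from the environment variables above so the result matches what composer-rest-server would check, and shows the two failure cases a verifier must handle (wrong secret, alg=none). The payload contents and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Must match "secretOrKey" in COMPOSER_PROVIDERS. "admin" is the value from the post; in practice
# use a long random secret, since anyone who knows it can mint tokens the REST server accepts.
SECRET = "admin"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(payload: dict, secret: str = SECRET) -> str:
    """HS256 compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256(...))."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    signature = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(signature)}"


def verify_token(token: str, secret: str = SECRET, now: int = None):
    """Return the payload when the signature and expiry check out, otherwise None.
    This is the check passport-jwt performs with secretOrKey before calling verify()."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(unb64url(header_b64))
        if header.get("alg") != "HS256":        # refuse alg=none and algorithm confusion
            return None
        expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig_b64)):
            return None
        payload = json.loads(unb64url(body_b64))
    except (ValueError, AttributeError, TypeError):   # bad base64/JSON, wrong segment count
        return None
    now = int(time.time()) if now is None else now
    if "exp" in payload and payload["exp"] <= now:
        return None
    return payload


def unsigned_token(payload: dict) -> str:
    """What an attacker who lacks the secret might send: alg=none with an empty signature.
    verify_token() must reject it."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}."


def bearer_header(token: str) -> dict:
    """Header for calls to the composer-rest-server endpoints; matches fromAuthHeaderAsBearerToken()."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    issued = int(time.time())
    token = mint_token({"sub": "alice", "iat": issued, "exp": issued + 3600})
    print(bearer_header(token))
    print("valid:", verify_token(token) is not None)
```

Because the REST server's trust in a token reduces to knowledge of this one string, the secret should be generated rather than chosen, and rotated if the Node.js service that mints tokens is ever compromised.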

DocuSign Service Integration Authentication using Organization Admin to grant consent on the app and impersonate everyone

I have been successfully using Service Integration Authentication to create an envelope. Here are the steps I took to authenticate the user.
Granting consent individually for Organization Admin A by redirecting them to this URL:
https://account-d.docusign.com/oauth/auth?
response_type=code&scope=signature%20impersonation&client_id=7c2b8d7e-83c3-4940-af5e-cda8a50dd73f&redirect_uri=https://client.example.com/callback
After Organization Admin A clicked "Accept", the consent was granted.
Create the JWT using the code provided in the SDK; here is the information I provided in the JWT:
{
"iss": {integrator key},
"sub": <user ID of Organization Admin A>,
"iat": <timestamp when issued>,
"exp": <expiration date>,
"aud": "account-d.docusign.com",
"scope": "signature impersonation"
}
Using this generated JWT, I made a POST request to https://account-d.docusign.com/oauth/token?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion={JWT} to exchange it for an Access Token.
Using that access token, I successfully created an envelope.
So at this stage I have confirmed that I generated the JWT correctly, created the Integrator Key correctly, and provided the right information in the JWT request.
Then I realized that for my application it would be ideal if I didn't have to do step 1 above every time. I would like to grant consent without the UI (redirect URL) and be able to impersonate everyone in the organization. So here's what I did:
Created another organization admin: Organization Admin B, since Admin A had already granted his consent and was therefore no longer suitable for my test. Both of these users are Organization Admins with Permission Set "Organization".
I then went to Applications and clicked "Authorize Application" and linked it to the correct Integrator Key, permission: "signature impersonation".
From here I created the JWT; the only information changed in the payload now is the userId, pointing to Organization Admin B:
{
"iss": {integrator key},
"sub": <user ID of Organization Admin B>,
"iat": <timestamp when issued>,
"exp": <expiration date>,
"aud": "account-d.docusign.com",
"scope": "signature impersonation"
}
With the JWT generated, I went ahead and made a POST request to https://account-d.docusign.com/oauth/token?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion={JWT} to exchange it for an Access Token, and here's what I got:
{
"error": "consent_required"
}
If I have already done "Authorize Application", how could consent be required?
I have also tried omitting the userId in the JWT request, because according to this blog post:
The user id of the principal you are requesting a token for. If omitted a token will be issued to represent the application itself instead of a user in the system.
and that is essentially what I want. But when I got the JWT generated and successfully obtained an Access Token like the one below:
{
"access_token":"",
"token_type":"Application",
"expires_in":28800
}
Notice the token_type is now "Application", not "Bearer".
I then get a "username or password is not correct" error when I try to create an envelope with that Access Token:
{
"errorCode":"USER_AUTHENTICATION_FAILED",
"message":"One or both of Username and Password are invalid. Invalid access token"
}
This is confusing, as there isn't an article showing step by step how to use the Organization Admin tool to grant consent to the app and impersonate everyone. Most articles only address individuals granting consent. Could someone please help me with this?
Thanks.
At this time, you can only grant Org Authorization to an integrator key owned by your Organization, and that consent only applies to users within a claimed domain.
So, if your Organization has claimed example.com, you can grant consent for user@example.com, but not for user@gmail.com.
To grant Organization consent, navigate to the Org Admin dashboard > Applications > Authorize Applications. From the 'Select an Application' dropdown, you'll see all integrator keys associated with accounts within your Organization. From there, you can grant org-wide consent.
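Putting the question and the answer together, a service integration has to handle three distinct outcomes from the token endpoint: consent_required (the impersonated user has not consented individually and is not covered by org-wide consent for a claimed domain), an "Application" token when sub is omitted (which the eSignature API rejects, as the question found), and a usable Bearer token. The block below is an added example, not code from the question, the answer or the DocuSign SDK: it builds the consent URL and the JWT claims from the question, prepares the jwt-bearer exchange with the parameters in the form body as RFC 7523 specifies, and classifies the response. Signing the assertion (RS256 with the integration key's private key) is left to the SDK as in the question; the integrator key and redirect URI are placeholders and the responses fed in are constructed.

```python
import time
import urllib.parse

AUTH_HOST = "account-d.docusign.com"   # developer sandbox, as in the post
SCOPES = "signature impersonation"
# Hypothetical values; replace with your own integration key and registered redirect URI.
INTEGRATOR_KEY = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://client.example.com/callback"


def consent_url(integrator_key: str, redirect_uri: str, scopes: str = SCOPES,
                host: str = AUTH_HOST) -> str:
    """Individual-consent URL from step 1 of the post (spaces in scope encoded as %20)."""
    query = urllib.parse.urlencode(
        {"response_type": "code", "scope": scopes, "client_id": integrator_key,
         "redirect_uri": redirect_uri},
        quote_via=urllib.parse.quote)
    return f"https://{host}/oauth/auth?{query}"


def jwt_claims(integrator_key: str, user_id, now: int = None, lifetime: int = 3600,
               scopes: str = SCOPES, host: str = AUTH_HOST) -> dict:
    """Claims for the assertion, as in the post. Passing user_id=None omits 'sub', which (as the
    post found) yields a token_type 'Application' token that the eSignature API does not accept."""
    now = int(time.time()) if now is None else now
    claims = {"iss": integrator_key, "iat": now, "exp": now + lifetime, "aud": host, "scope": scopes}
    if user_id:
        claims["sub"] = user_id
    return claims


def token_request(assertion: str, host: str = AUTH_HOST):
    """(url, headers, body) for the JWT-bearer exchange; parameters go in the form body."""
    body = urllib.parse.urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                                   "assertion": assertion}).encode()
    return (f"https://{host}/oauth/token",
            {"Content-Type": "application/x-www-form-urlencoded"}, body)


def handle_token_response(resp: dict, integrator_key: str, redirect_uri: str) -> dict:
    """Classify the JSON from the token endpoint:
    - consent_required: the 'sub' user has not consented; send them to the consent URL, or, for
      users in a domain your Organization has claimed, grant org-wide consent (see the answer);
    - token_type other than 'Bearer' (e.g. 'Application' when 'sub' was omitted): not a user
      token, so eSignature calls fail with USER_AUTHENTICATION_FAILED;
    - otherwise: a usable access token."""
    if resp.get("error") == "consent_required":
        return {"status": "consent_required",
                "consent_url": consent_url(integrator_key, redirect_uri)}
    if resp.get("error"):
        return {"status": "error", "error": resp["error"]}
    if resp.get("token_type") != "Bearer":
        return {"status": "unusable",
                "reason": f"token_type {resp.get('token_type')!r} is not a user token"}
    return {"status": "ok", "access_token": resp["access_token"],
            "expires_in": resp.get("expires_in")}


if __name__ == "__main__":
    print(jwt_claims(INTEGRATOR_KEY, "user-id-of-admin-b"))
    # Constructed responses mirroring the two outcomes in the post.
    print(handle_token_response({"error": "consent_required"}, INTEGRATOR_KEY, REDIRECT_URI))
    print(handle_token_response({"access_token": "", "token_type": "Application",
                                 "expires_in": 28800}, INTEGRATOR_KEY, REDIRECT_URI))
```

Treating consent_required as a routing decision rather than an error is what lets the same code serve both cases the answer describes: users in a claimed domain never hit it once org-wide consent is granted, while everyone else is sent through the individual consent URL.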