I am trying to follow the tailscale documentation to list all devices on my network using exposed API here
In the example it says that I need to provide tailnet name
GET /api/v2/tailnet/example.com/devices
curl 'https://api.tailscale.com/api/v2/tailnet/example.com/devices' \
-u "tskey-yourapikey123:"
when I replace example.com with my tailnet name I got from DNS tab on my admin page I am getting this error response
403 Forbidden
{
"message": "user tailnet does not match"
}
I am not sure what I am doing wrong and how shall I get my list of devices to see which of them is online/offline?
The name that's displayed on the DNS settings page is for hostnames (it's of the form something.ts.net), it is not meant for API calls.
The tailnet name for API calls is the identifier for your user (for single-person tailnets) or domain -- it't shown on the General settings page as the "Organization".
Even simpler, you can use - as a shorthand for the requesting user's default tailnet. The documentation covers some of this, but it could be made clearer.
Related
I have keycloak on docker (v20.0.2) and as you know some versions change some or good part of the UI, so is hard to follow tutorials around the web...
I am trying to follow this particular tuto
https://developers.redhat.com/blog/2020/11/24/authentication-and-authorization-using-the-keycloak-rest-api#keycloak_sso_demo
that seems the more updated. My keycloak is actually behind traeffic and thomseddon/traeffic-fordward-auth with a docker-compose file (but the connection through traeffic is good and I have acces to admin UI)
So on step 10 of the tutorial things change for me, I have to look for that particular view inside:
Click on lateral menu Client Scope
Click on button Create client scope
Give a name to the scope, and click on Tab Mapper
All mappers are predefined... so there is no "New mapper" don't understand this bit
then just follow the tuto
With that series of steps I get an error when retriving the token...
https://keycloak:8443/realms/education/protocol/openid-connect/token
enter image description here
(this are fake local data from the realm I created for testing)
that responds with a or something similar I have also tried to change the grant_type to password, and the same happens can not query the token....
{
"error": "invalid_client",
"error_description": "Invalid client or Invalid client credentials"
}
But if I do not link a user with an scope/role as in the tuto suggest then I get the token, but of course I want to use the role or scope to limit who can see which endpoint and who can not
Any step that I'm missing from this update, do you have the same error?
Thank you in advance
I have tried to run it with different combinations of options to see if there is a toggle that actually allows me to fetch the token
Also with different types of grant_type
I will build an API in Python (I don't know Java and prefer Json instead of XML) that connect to this keycloak to allow users or not based on their scope/role/permission or something
I need to be able to block user so if user Student try to access an url from another Student he get blocked that url. So is based on the role or scope or I don't know which is prefered or easer to accomplish, the mission is to block users or not based on a factor that could be used for this in keycloak.
I am using the Google GTMAppAuth with my swift project for authorisation. The thing is, I don't know what to put as a Rediret URL. I couldn't find anything on stack or anywhere else about what it is supposed to be. I am new to the google api so help would be appreciated.
After Successful creation of oauth2 credentials (https://console.developers.google.com/projectselector/apis/credentials) you will get client ID for your project.
Follow the below instructions...
kRedirectURI is reverse DNS notation form of the client ID. For example, if the client ID is YOUR_CLIENT.apps.googleusercontent.com, the reverse DNS notation would be com.googleusercontent.apps.YOUR_CLIENT. A path component is added resulting in com.googleusercontent.apps.YOUR_CLIENT:/oauthredirect.
Finally, open Info.plist and fully expand "URL types" (a.k.a. "CFBundleURLTypes") and replace com.googleusercontent.apps.YOUR_CLIENT with the reverse DNS notation form of your client id (not including the :/oauthredirect path component).
Once you have made those three changes, the sample should be ready to try with your new OAuth client.
I'm testing the REST API,
I successfully called to https://naxx.salesforce.com/services/data/v29.0/sobjects/
It returns the expected result.
When I call to https://naxx.salesforce.com/services/data/v29.0/sobjects/Account/
It returns a (404) Not Found response.
I have replaced the "Account" placeholder with the logged user's email, nickname, email , also I have tried with access_token.id value but nothing works. The answer is always 404.
What should I use as "Account" value, and where can I get that information?
I'm following this documentation:
http://www.salesforce.com/us/developer/docs/api_rest/index_Left.htm#CSHID=quickstart_oauth.htm|StartTopic=Content%2Fquickstart_oauth.htm|SkinName=webhelp
Specifically the subtitle called "Get Basic Object Information".
I have the same problem with:
https://naxx.salesforce.com/services/data/v29.0/sobjects/Account/describe/
https://naxx.salesforce.com/services/data/v29.0/query?q=SELECT+name+from+Account
I have not the problem with:
https://naxx.salesforce.com/services/data/
https://naxx.salesforce.com/services/data/v29.0/
https://naxx.salesforce.com/services/data/v29.0/sobjects/
Thank you in advance.
Account is not placeholder text it is the actual name of an SObject type. That it returns a 404 response means your user account does not have access to Account records. You should check your users profile & license settings. The services/data/v29.0/sobjects/ request will return details of all the SObject types your user has access to. (so you'll find that Account is not in this list in your case)
I had a similar issue. I was able to access the object Account in the list of objects but was not able to retrieve the metadata. Seems that the documentation misses the parameter "sobjects" in the path. The correct URL is:
https://na1.salesforce.com/services/data/v20.0/sobjects/Account/describe/ -H "Authorization: Bearer token"
This can be confirmed through by trying the url:
https://na1.salesforce.com/services/data/v20.0/sobjects/Account
which lists the uses such as records, describe, listviews, etc. It may vary based on organization and if the user has permission, it is ideal that the developer hit the second URL and then obtain the correct base url to retrieve the metadata.
Unfortunately I keep getting this error:
{
"error": {
"message": "Invalid redirect_uri: Given URL is not allowed by the Application configuration.",
"type": "OAuthException",
"code": 191
}
}
Login works however when my /etc/hosts file is set to: 127.0.0.1 [mysite].rhcloud.com, it only fails when I view the actual [mysite].rhcloud.com.
I am running the exact same application (on a different server) locally as the one I'm running on rhcloud. Specifically the local<->remote web-application directories are synced.
URL information
When attempting login remotely the URL looks like this; and fails with aforementioned error:
https://graph.facebook.com/oauth/authorize?scope=user_photos%2Cfriends_photos&redirect_uri=http%3A%2F%2F[mypublicipaddress]%2Fuser%2Flogin&response_type=code&client_id=[hidden]
Whereas attempting to login locally the URL looks like this; and works:
https://www.facebook.com/dialog/permissions.request?app_id=[hidden]&display=page&next=http%3A%2F%2F[hidden].rhcloud.com%2Fuser%2Flogin&response_type=code&perms=user_photos%2Cfriends_photos&fbconnect=1
OK, you seem to be doing this right, but there's one thing that sometimes trips people up, do both your redirect_uri and 'Website URL' field have a trailing '/'?
In particular, if the redirect_uri doesn't have the trailing '/' (or a filename, etc) after the domain name it doesn't always work
did you set your canvas URL/secure canvas URL in facebook app configuration. IF so, retry after removing them. Or try after making sure canvas URL should be correct.
Yes. The trailing / matters. Just check your these fields, and add that trailing / if it's not there.
But, to be honest, this is the first time I've seen something like this. Usually, we see Facebook logins failing on a local environment, but working just fine in production.
I was able to overcome exactly the same problem by accessing my facebook developer application account and changing the domain from localhost to the url of my application
I'm creating a webapp with this combination of tools. I'm authenticating with App Engine in the following manner:
class googleLogin(webapp.RequestHandler):
def get(self):
callbackURL = 'http://%s/googleLoginCallback' % getHost()
#Create a client service
gdClient = gdata.docs.service.DocsService()
gdata.alt.appengine.run_on_appengine(gdClient)
gdClient.SetOAuthInputParameters(gdata.auth.OAuthSignatureMethod.HMAC_SHA1,
_GoogleConsumerKey,
consumer_secret=_GoogleConsumerSecret)
#Get a Request Token
requestToken = gdClient.FetchOAuthRequestToken(scopes=_GoogleDataScope,
extra_parameters={'xoauth_displayname': APP_NAME})
#Persist token secret
self.session = Session()
self.session[TOKENSECRETKEY] = requestToken.secret
gdClient.auto_set_current_token = True
gdClient.SetOAuthToken(requestToken)
authUrl = gdClient.GenerateOAuthAuthorizationURL(callback_url=callbackURL)
self.redirect(authUrl)
I authenticated my domain with Google at https://www.google.com/accounts/ManageDomain, entering a target URL and am using the given Consumer Key/Secret. For instance, if my domain was 'juno.appspot.com', I am using http://juno.appspot.com as the target url path prefix.
The process is working; however, Google presents this message to the user in a yellow security box:
"The application that directed you
here claims to be 'xxxxxx'. We are
unable to verify this claim as the
application runs on your computer, as
opposed to a website. We recommend
that you deny access unless you trust
the application."
I don't think I should be getting this error, since my server is getting the request token and creating the authorization URL. Does anyone have any insight on how to get rid of this warning?
Google's domain registration has an option to upload a certificate, but I shouldn't need to do that because I'm using OAuth with the HMAC_SHA1 signature method.
Also, not that it should matter, but I'm doing all this through a UIWebView on the iPhone. I'm specifically trying to do all authentication server-side to avoid exposing my Consumer Key/Secret.
Thank you for any tips :)
Solved.
The culprit is this line from above:
extra_parameters={'xoauth_displayname': APP_NAME})
Setting this value for a registered application intentionally triggers a warning to users, as indicated by the Google documentation:
xoauth_displayname:
(optional) String identifying the
application. This string is displayed
to end users on Google's authorization
confirmation page. For registered
applications, the value of this
parameter overrides the name set
during registration and also triggers
a message to the user that the
identity can't be verified. For
unregistered applications, this
parameter enables them to specify an
application name, In the case of
unregistered applications, if this
parameter is not set, Google
identifies the application using the
URL value of oauth_callback; if
neither parameter is set, Google uses
the string "anonymous".
Removing this line no longer allows me to use a 'nice' name in place of the domain, but it gets rid of that annoying yellow box :)
I'm not sure exactly where the issue may be in your code, but I've got a one page oauth/appengine/gdata example which may at least set you in the right direction. Have you tried to navigate to the site directly from the iPhone/desktop browser to see what message is delivered?
Hope it helps.
Alternatively, is it possibly to do with the user agent the UIWebView sets?