exchange authorization code for tokens
gives { "error_description": "Unauthorized", "error": "unauthorized_client" } in google drive playground
and drive connectivity exception in mulesoft
OAuth authorization dance not yet performed for resourceOwnerId null
Related
I have an API Gateway fronted by CloudFront. The API Gateway has a regional endpoint with api key disabled. An Authorization header must be sent to the regional endpoint or the endpoint returns "Missing Authentication Token" as expected.
Using the same request on the CloudFront endpoint returns the following 403 Forbidden error:
{
"message": "The request signature we calculated does not match the signature you
provided. Check your AWS Secret Access Key and signing method. Consult the service
documentation for details.\n\nThe Canonical String for this request should have been\n'POST
// sensitive data here...
}
The Auth token is created from an AWS signature. The signature originates from an IAM role that allows invocation on the endpoint: "Action": "execute-api:Invoke"
Any ideas on why CloudFront isn't able to use these credentials to hit the API Gateway endpoint?
In summary,
"Postman w/ Authorization header -> API Gateway endpoint" works.
"Postman w/ Authorization header -> CloudFront -> API Gateway endpoint" returns the above 403.
UPDATE: Adding information on how I obtain the signature.
IAM Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-west-2:{ACCOUNT}:{ENDPOINT}",
"Effect": "Allow"
}
]
}
AccessKey, SecretKey, Session Token are obtained in CloudShell:
$ aws sts assume-role --role-arn arn:aws:iam::{ACCOUNT}:{ROLE} --role-session-name {SESSION_NAME}
These 3 keys are then used in Postman's Authorization tab. I select "AWS Signature" type and provide the AccessKey, SecretKey, and SessionToken.
From here, I can hit the API Gateway endpoint and receive 200 response. With the same request and headers, hitting the CloudFront endpoint results in the 403.
UPDATE #2: Adding information on CloudFront configuration.
The distribution behavior for the API GW origin is using the CachingOptimized policy. Its also allowing all HTTP methods.
i am trying to hit https://playdeveloperreporting.googleapis.com/v1alpha1/apps/com.example/anrRateMetricSet.
It returns 403: permission denied
Here i am trying to capture the health metrics for my android app from Google console.
Reference:https://developers.google.com/play/developer/reporting/reference/rest/v1alpha1/vitals.anrrate/get?hl=en_GB
So i have Service account created on google console under "I AM and Admin"
I am trying to hit "https://playdeveloperreporting.googleapis.com/v1alpha1/apps/com.example/anrRateMetricSet"
By using access token created from key.JSON downloaded from linked Service account to the project.
But i am getting
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
Could n't understand what might be the issue. Since the Service account is linked to project.
Your help is highly appreciated . Thank you
I have been developing some proof of concept project using the Google Fitness API v1 but suddenly, I cannot get access token anymore with a 401 response.
{
"error_description": "Unauthorized",
"error": "unauthorized_client"
}
What are some of the reason of this? I have checked that I am not reaching the quota yet.
I try to get list filesystems and their properties in the Azure Storage account using request:
https://<account_name>.dfs.core.windows.net/?resource=account
with one header Bearer
and get response
"error": {
"code": "AuthorizationPermissionMismatch",
"message": "This request is not authorized to perform this operation using this ******"
}
But when I make request for list paths:
https://<account_name>.dfs.core.windows.net/<filesystem>?recursive=true&resource=filesystem
I get a response with correct data.
Can you give me some advice on what is wrong?
P.s. My auth params.
enter image description here
I tested the same request in my environment by getting the token using client ID and secret. I received the same error as you are getting :
As a Solution ,
I added Storage Account Contributor role to the Service Principal
which I am using to get the bearer token as below:
Then , I get the bearer token using below client_credentials method:
After the above, When I perform the same request again then it gets
successful:
I am trying to enable JWT authentication for my backend java microservice which is deployed locally and all the requests to the microservice is gated through WSO2 apim 2.6 .The JWT token provider is used as WSO2 IS 5.6 .
I have placed all required configurations both at WSO2 IS and WSO2 apim on my machine.Since both are on same machine I have configured an offset of 1 too.
I created a fresh user in apim store and used it to create application and subscribe api for the same user.The Token type configured is JWT .I used Postman as client for fetching the access token and the access token gets fetched as expected.Thereafter when I use the same token to access the required resource through api gateway it gives me back "Unclassified Authentication Failure" with code as "0" and description as "Access failure for API: /notification/1.0, version: 1.0 status: (0) - Unclassified Authentication Failure"
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>0</ams:code>
<ams:message>Unclassified Authentication Failure</ams:message>
<ams:description>Access failure for API: /notification/1.0, version: 1.0 status: (0) - Unclassified Authentication Failure</ams:description>
</ams:fault>
I am expecting the resource to get created as it is a post request via WSO2 apim to backend service.Please share any available insights on this
The token type JWT can only be used with api manager micro-gateways. You create OAuth application and try using the JWT grant type for it. You can find more information about the JWT grant type in
https://docs.wso2.com/display/AM260/JWT+Grant#JWTGrant-JWTBearerGrant