How to self revoke token via vault api? - hashicorp-vault

When i try to revoke a self token using api method i'm getting permission denied error
curl -H "X-Vault-Token: s.XXXXXXXXXXXXXXYYYYYYYYYYYY" -X GET $VAULT_ADDR/v1/auth/token/revoke-self
{"errors":["1 error occurred:\n\t* permission denied\n\n"]}
But if i login using same token and try via cli it is working as expected
$ vault token revoke -self
Success! Revoked token (if it existed)
Is it working as expected? or am i trying to use in a wrong way?

Use the "POST" request instead of the "GET" one:
curl -H "X-Vault-Token: s.XXXXXXXXXXXXXXYYYYYYYYYYYY" -X POST $VAULT_ADDR/v1/auth/token/revoke-self

Related

Can I check if the userid and password are valid in Keyclock?

The user sends me its id and password.
Then I want to check if it is valid on the keycloak.
I can try to log in, but the session is created in keycloak.
I even thought about to log out after logging in.
But this is very inefficient.
Is there a way to check if id and passwd are valid without creating a session?
If there was such a way, my task will be very easy.
If there is no way, I have to log in instead of my user and manage the token instead.
This is relatively more complex to implement.
As far as I know out-of-the-box there is no way to avoid creating the session.
If there is no way, I have to log in instead of my user and manage the
token instead. This is relatively more complex to implement.
Not really, since, the password and username are handed to your application, you can use the following approach:
Create in Keycloak a client (in the appropriate Realm) with direct grand access flow enabled (know as Resource Owner Password Flow in OAuth2);
Set the Access token for that client to be very short living (e.g., one minute).
Make a POST request with the username and password to the client, something as follows:
curl --request POST \
--url "http://$KEYCLOAK_HOST/auth/realms/$REALM_NAME/protocol/openid-connect/token" \
--data client_id=$CLIENT_ID \
--data username=$USERNAME \
--data password=$PASSWORD \
--data grant_type=password
If you get back as a response a token, then it means that the user credentials are valid, if not then those credentials are invalid.
In case you get back the token, you can explicitly logout the session, for instance as follows:
ACCESS_TOKEN=$(echo $TOKEN | jq -r .access_token)
SESSION_STATE=$(echo $TOKEN | jq -r .session_state)
curl -k -X DELETE "http://$KEYCLOAK_HOST/auth/admin/realms/master/sessions/$SESSION_STATE" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN"
Or since the access token is very short living, let Keycloak eventually clean up the session.

Issue of Authentication using GitHub API

I am trying to authenticate a user by GitHub API.
I've tried on two methods, Authentication via username and password and via personal access token(PAT) like this;
curl -u devmania1223 https://api.github.com/user /*via username and password*/
curl -u ghp_I60uniHdf6UKDCkyde1InP7kwRwsw2fD0wx https://api.github.com/user /*via personal access token*/
Inputted username and password, PAT correctly, but the response is not right.
{
"message": "Requires authentication",
"documentation_url": "https://docs.github.com/rest/reference/users#get-the-authenticated-user"
}
So, What's wrong with curl command?
Try and use the token as password:
curl -i -u your_username:$token https://api.github.com/users/octocat
Don't forget the other option: gh (the GitHub cli/cli), using gh auth login
# authenticate against github.com by reading the token from a file
$ gh auth login --with-token < mytoken.txt
Let's say that your personal access token is 55a6f290558d11ecbeaf787b8ab956b4. Now, make a request using the GitHub API, put the token into the "Authorization" header:
/usr/bin/curl -H "Authorization: Bearer 55a6f290558d11ecbeaf787b8ab956b4" https://api.github.com/user
Why? Well, the type of token that GitHub gives to you is called "OAuth 2.0" token, and you just have to use it this way.

Keycloak Offline Access token with 'refresh_token' grant_type

I'm trying to get an Offline Access from Keycloak, with the following request:
curl -X POST https://<domain>/auth/realms/public/protocol/openid-connect/token
-H "Content-Type: application/x-www-form-urlencoded"
-d 'grant_type=refresh_token'
-d "refresh_token=<token>"
-d 'scope=offline_access'
-d 'client_id=<id>'
-d 'client_secret=<secret>'
The scope in the response isn't offline_access as I expected, but openid, and also the number of Offline Tokens is not updated in the admin console.
{
"access_token": <access token>,
"expires_in": 3600,
"refresh_expires_in": 84884,
"refresh_token": <refresh token>,
"token_type": "bearer",
"id_token": <id token>,
"not-before-policy": 0,
"session_state": <state>,
"scope": "openid"
}
How can I get Offline Access tokens using grant_type 'refresh_token'?
Note that I'm able to get them using grant_type password, but would prefer not to use that, because:
I'm already using a refresh token in my app, but I don't have access to the password
I'm not sure how that would even work with Social Login and 2FA
Usually offline_access needs to be specified in the original authorization request - at the time of the delegation - which in some setups also involves user consent to use tokens offline.
Try getting the refresh token like this, when completing authorization:
curl -X POST https://<domain>/auth/realms/public/protocol/openid-connect/token
-H "Content-Type: application/x-www-form-urlencoded"
-d 'grant_type=authorization_code'
-d 'code=<code>'
-d "redirect_uri=<uri>'
-d 'scope=openid offline_access'
-d 'client_id=<id>'
-d 'client_secret=<secret>'
Then omit the scope parameter in the refresh token grant request that you posted. The scope parameter is not usually specified in this message. If it is then it can only be used to reduce scopes in the delegation. That is, you cannot silently get new scopes that a user did not consent to.

Upload SSH public key to bitbucket cloud using curl/REST and token

I have a bitbucket cloud account. Under: https://id.atlassian.com/manage/api-tokens I have generated an API Token which I am trying to use in a REST call to upload
a public SSH key to my account. Based on:
https://docs.atlassian.com/bitbucket-server/rest/5.6.2/bitbucket-ssh-rest.html?utm_source=%2Fstatic%2Frest%2Fbitbucket-server%2F5.6.2%2Fbitbucket-ssh-rest.html&utm_medium=301#idm45427244388592
https://community.atlassian.com/t5/Answers-Developer-Questions/Bitbucket-REST-API-POST-using-token-instead-of-basic-auth/qaq-p/474823
I have tried:
curl -X POST -d '{"text":"ssh-rsa AAAAB3... me#127.0.0.1"}' -H "Authorization: Bearer ADasdaEeasAsd..." https://bitbucket.org/[my-account]]/rest/ssh/latest/keys
But when I run that I get:
{"type": "error", "error": {"message": "Access token expired. Use your refresh token to obtain a new access token."}}
I have tried to re-create the token and re-run the above command again - with the new token - but I get the same error.
Any suggestions?
Based on below answer and link I have now tried:
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer wxdrtblabla..." \
-d '{"key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqP3Cr632C2dNhhgKVcon4ldUSAeKiku2yP9O9/bDtY myuser#bitbucket.org/myuser"}' \
https://api.bitbucket.org/2.0/users/myuser/ssh-keys
But I get the exact same error:
{"type": "error", "error": {"message": "Access token expired. Use your refresh token to obtain a new access token."}}
So still no luck. Also if I access:
https://api.bitbucket.org/2.0/users/[myuser]/ssh-keys
directly in a browser I get:
type "error"
error
message "This API is only accessible with the following authentication types: session, password, apppassword"
EDIT/ANSWERED: Based on the updated answer below I have no tried to create an app password and grant it account: read/write in bitbucket and it works. I run it with:
curl -v -u myuser:my-generated-app-password -X POST \
-H "Content-Type: application/json" \
-d '{"key": "ssh-rsa AAA....ro"}' \
https://api.bitbucket.org/2.0/users/myuser/ssh-keys
You're looking at Bitbucket Server documentation but using Bitbucket Cloud. (The giveaways: the "bitbucket-server" part of the doc path, and the "bitbucket.org" in the path where you're pushing your key.)
Check out https://developer.atlassian.com/bitbucket/api/2/reference/resource/users/%7Busername%7D/ssh-keys#post instead - that's the Bitbucket Cloud documentation to do what you're trying to do. Your URL will be more like https://api.bitbucket.org/2.0/users/[your-account]/ssh-keys.
EDIT: The error you received indicates the problem: you either need to make that call from within an existing session (i.e. from the GUI), use your password, or use an app password. I'd recommend the app password, since it's scoped, meant to be disposable, and won't let you log onto the GUI. Your curl call then becomes something like curl -u myuser:myapppassword -X POST -H "Content-Type: application/json" -d '{"key": "key content goes here"}' https://api.bitbucket.org/2.0/users/myuser/ssh-keys.

Getting a 403 - permission denied when using aws client to set the acl to public-read

I am attempting to change the asl of a file (100KB.file) I have within IBM COS: bucket: 'devtest1.ctl-internal.nasv.cos' and am receiving the following message:
An error occurred (AccessDenied) when calling the PutObjectAcl
operation: Access Denied
It seems like my AWS credentials (or call) do not have the correct permissions to allow the ACL update.
Command:
aws --endpoint-url=https://s3.us-south.objectstorage.softlayer.net
s3api put-object-acl --bucket devtest1.ctl-internal.nasv.cos --key
100KB.file --acl public-read
Return:
An error occurred (AccessDenied) when calling the PutObjectAcl
operation: Access Denied
You haven’t mentioned that you have configured hmac credentials on your bucket, so I’ll assume you haven't. I'm also assuming that operations other than PutObjectAcl do not work for you.
Try adding hmac credentials:
Then ...
Source: https://console.bluemix.net/docs/services/cloud-object-storage/hmac/credentials.html#using-hmac-credentials
I am having the same issue as well using the AWS CLI. However, you can do the same operation using cURL and providing your IBM Cloud IAM token.
curl -X "PUT" "https://{endpoint}/{bucket-name}/{object-name}?acl" \
-H "x-amz-acl: public-read" \
-H "Authorization: Bearer {token}" \
-H "Content-Type: text/plain; charset=utf-8" \