I am using azure managed identity and below code generates the required token to authenticate the api's. I am using <PackageReference Include="Azure.Identity" Version="1.4.0" />
var credential = new ManagedIdentityCredential();
var accessToken = await credential.GetTokenAsync(new Azure.Core.TokenRequestContext(new[] {"my_scope"}));
return accessToken.Token;
Now in each api call I am calling above method to get token. Question is what are the ways to cache this token and refresh automatically? Is this something inbuild available?
Latest SDK release (August 2022) mentions that caching is now enabled for both DefaultAzureCredential and ManagedIdentityCredential. No code changes required.
https://devblogs.microsoft.com/azure-sdk/azure-sdk-release-august-2022/
Unfortunately, there is no inbuilt caching within the Azure identity library for ManagedIdentityCredential available today. The caching is implemented within the other SDKs (such as Azure storage, KeyVault etc) when they call getToken.
However, you may want to evaluate if the token caching that already exists within the Managed identity endpoint on the App service/Functions/VM where your code is running is sufficient for your purpose.
It is a local endpoint, so the latency may meet your needs, even though a local cache within your code will certainly be faster. And you may also want to evaluate how often your code makes the token request, since I hear that if you have too many requests within a second, the managed identity endpoint may throttle those requests.
Related
I'm trying to generate access token to access google APIs without the google consent screen. It will enable us to implement code which can automate certain actions in GCP like stopping a VM and lots more. I prefer to use dotnet core for this implementation.
I except to generate a bearer auth token through which I can access Google rest APIs without any environment setup or Google OAuth consent screen.
I have found answer for this question and it will be useful for the community members who are working on GCP or google APIs.
First you have to download json credentials for your gcp account, please refer to this documentation Download service account keys
Please refer to this git repo gcp-auth , it's dotnet core class library which contains static method to GenerateJwt, ExchangeTokenAsync and GetAccessTokenAsync.
Let me explain each method for better clarity.
GenerateJwt - this method generates a signed JWT token from PrivateKey, PrivateKeyID, ServiceAccountEmail which are present in downloaded json from previous step and scope which will be different for different api endpoint like we have https://www.googleapis.com/auth/compute for google apis under compute.
ExchangeTokenAsync - this method need the generated JWT from previous step to generate the actual access token from google which will be valid to access google apis under that scope.
GetAccessTokenAsync - this is combination of above two methods, here you've pass parameters same as passed in GenerateJwt.
Please let me know if it requires any further explanation.
With there being rate limits should I ask for an increase when trying to get all access approval? Since my app asks the driver/ rider to sign in using their uber credentials will this help limit the calls to the API?
Thanks in advance.
Probably not, but it depends entirely on your purpose.
Calls to an API are usually done to get or update data on the home servers, in this case Uber's servers. As such, any Uber specific information you require will likely need to be accessed through their API.
Now, I've not reviewed Uber's API so if you can use the return from the login request to resolve all your needs then great. However, if you need to get data from their servers it would only reduce calls to the API if they require data returned on the login which can only otherwise be retrieved by making another call to their API.
I'm currently trying to make a website that allows users to host files, so I intend on buying a business Dropbox account for this purpose, generate an Access Token so the app don't go through OAuth authentication and internally serve and upload files to this single account.
Could it be done using a single Dropbox account? What are limits on calling from a single account. All access token logic would be hardcoded.
The Dropbox API does have a rate limiting system, but we don't have any specific numbers documented. It is only designed to prevent abuse though, and is accordingly very generous. Further, the limits operate on a per-user basis. That being the case, you generally don't need to worry about hitting it in normal use. The Dropbox API rate limiting system operates the same regardless of account type.
Also note that not all 429s or 503s indicate rate limiting, but in any case that you get a 429 or 503 the best practice is to retry the request, respecting the Retry-After header if given in the response, or using an exponential back-off, if not.
The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. However, it is technically possible to connect to just one account. The SDKs don't offer explicit support for it and we don't recommend doing so, for various technical and security reasons. Most of these concerns are allayed for server-side apps though.
So, if you did want to go this route, instead of kicking off the authorization flow, you would manually use an existing access token for your account and app, as you mentioned. (Just be careful not to revoke it, e.g. via https://www.dropbox.com/account/security .)
I'm trying to Enable/Disable a logic app on Azure using the management APIs. I always get a 403 saying the client: with object id does not have authorization to perform 'Microsoft.Logic/workflows/disable/action' ...
I do use the authentication token in my request and so far have been able to use the API to list all workflows, get trigger histories and in/out messages using the same method.
Any suggestion?
I've seen this issue a lot before if you are calling the http:// instead of https:// - we are looking into automatically redirecting, but for now you will need to make sure you are calling the https:// endpoint with the correct method (in this case a PUT)
EDIT: We discovered the issue was the account being used to perform the enable/disable didn't have contribute permissions.
I am working on a webapi project which of course is supposed to be stateless.
The point is that it requires authetication and the majority of it's services is available to logged in users.
The catch is that there are several pieces of information about that user which should be used on all subqsequent calls to the legacy backend.
Should I force the clients to send back all those parameters on each request? (doesn't seem fair)
Should I use a caching on the webapi side - this is tricky as currently there is no out-of-memory distributed cache in use in the deployment environment....
What options do you see?
You could choose to issue the user some kind of session token on the first call. The server could then use the session token to authenticate the user and remember the settings for that session on subsequent calls.
You can read more about managing sessions in a stateless environment here:
http://en.wikipedia.org/wiki/Session_management