While trying to use encryption/decryption feature of spring cloud config server with Pivotal Cloud Foundry's p-config-server service which is configured with a symmetric key for encryption, I am getting a 403 forbidden response which calling /decrypt on config server .
I am able to call the /encrypt endpoint successfully for encrypting values using below sample curl -
curl --location --request POST 'https://config-xxxx.apps.xxx.com/encrypt' \
--header 'Authorization: bearer <cf oauth_token here>' \
--header 'Content-Type: text/plain' \
--data-raw 'sample data'
But when trying to decrypt those values using /decrypt, I am getting 403 Forbidden error -
{
"error": "access_denied",
"error_description": "invalid issuer"
}
Sample curl for decryption -
curl --location --request POST 'https://config-xxxx.apps.xxx.com/decrypt' \
--header 'Authorization: bearer <cf oauth_token here>' \
--header 'Content-Type: text/plain' \
--data-raw '<encrypted value from previous step>'
In pivotal's config server documentation though there are reference to /encrypt but nothing related to /decrypt pivotal config server
Any pointers ?
In the Pivotal/Tanzu Spring Cloud Services (commercial product), the /encrypt API is exposed to anyone with the admin scope or to anyone that is a Space Developer in the space of the service.
The /decrypt endpoint is not exposed specifically, so you're not allowed to access with the same credentials, hence why you're seeing a 403.
My quick read of the code is that you'd need a token with scope config_server_<guide>.read to access that endpoint. Where <guid> is the config server's service guide (run cf service --guid <name> to obtain the guide).
To make that work, you'd need to get a token from the bound service or a service key, the latter is easier:
Run cf create-service-key <service_instance> decrypt-key
Run cf service-key <service_instance> decrypt-key
Run export TOKEN=$(curl -vv <access_token_uri> -d 'grant_type=client_credentials' -d 'client_id=<client_id>' -d 'client_secret=<client_secret>' | jq -r .access_token) where the values in <...> are from the output of #2.
Run curl -vv '<uri>/decrypt' -H "Authorization: bearer $TOKEN" -H 'Content-type: text/plain' -d '<encrypted-value>'
These depend on a Bash shell. You can do them on Windows, but the commands will vary. It also uses jq to make extracting the token easier. You could split the command in step #3 into two steps, fetching with curl and manually exporting TOKEN.
Related
How I can set user attribute value using Keycloak Rest API?
Update: The /auth path was removed starting with Keycloak 17 Quarkus distribution. So you might need to remove the /auth from the endpoint calls presented on this answer.
To set a user attribute using the Keycloak Admin REST API; you use the endpoint:
PUT <KEYCLOAK_HOST>/auth/admin/realms/<YOUR_REALM>/users/<USER_ID>
with the payload
{"attributes":{"<ATTRIBUTE_NAME>":["<ATTRIBUTE_VALUE>"]}}
the <USER_ID> you can get it using the endpoint:
GET <YOUR_KEYCLOAK_DOMAIN>/auth/admin/realms/<YOUR_REALM>/users/?username=<THE_USERNAME>
from the JSON response, extract the field id.
Step-by-Step:
You can get that information using the Keycloak Admin REST API; to call that API, you need an access token from a user with the proper permissions. For now, I will be using the admin user from the master realm:
curl https://${KEYCLOAK_HOST}/auth/realms/master/protocol/openid-connect/token \
-d "client_id=admin-cli" \
-d "username=$ADMIN_NAME" \
-d "password=$ADMIN_PASSWORD" \
-d "grant_type=password"
You will get a JSON response with the admin's token. Extract the value of property access_token from that response. Let us save it in the variable $ACCESS_TOKEN for later reference.
To get the user id from your realm $REALM_NAME:
curl -X GET https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/users/?username=${USERNAME}&exact=true \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN"
From the response extract the user id for example as follows
jq -r .[].id
Or even cleaner is to passed to the
To set the user attribute:
curl -X PUT https://${KEYCLOAK_HOST}/auth/admin/realms/${REALM_NAME}/users/${USER_ID} \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN" \
-d '{"attributes":{"<ATTRIBUTE_NAME>":["<ATTRIBUTE_VALUE>"]}}'
You can also have a look at setUser script on my GitHub repo.
I've built an Action on Google using the Actions SDK. I want to be able to update the actions.json programmatically on my server. I don't want to have to use the Assistant CLI. Is there a REST API or some other way of updating that file?
I was able to sniff the communication between Google and the actions cli.
Updating the action
Here is the curl request which you can use. Don't forget to add your Bearer (authorization) and after --data-binary you will include your actions.json. The last thing is, to change the endpoint URL at the end with your action id (replace testskill).
curl
-H 'Host: actions.googleapis.com'
-H 'content-type: application/json'
-H 'authorization: Bearer AuthorisationKeyAsRandomStrings'
-H 'user-agent: Gactions-CLI/2.2.4 (darwin; amd64; dev/NsZwRCulTKhlPxMfp)'
--data-binary '{"localizedActionPackages":{"de":{"actions":[{"description":"Default welcome intent","fulfillment":{"conversationName":"testskill"},"intent":{"name":"actions.intent.MAIN","trigger":{"queryPatterns":["sprechen mit test skill"]}},"name":"MAIN"},{"description":"test intent","fulfillment":{"conversationName":"testskill"},"intent":{"name":"test_intent","parameters":[{"name":"color","type":"org.schema.type.Color"}],"trigger":{"queryPatterns":["suchen ein $org.schema.type.Color:color schuhe","kaufen ein $org.schema.type.Color:color shuhe","kaufen"]}},"name":"Test"},{"description":"ciao","fulfillment":{"conversationName":"testskill"},"intent":{"name":"ciao_intent","trigger":{"queryPatterns":["ciao","bye","pa"]}},"name":"Ciao"}],"conversations":{"testskill":{"name":"testskill","url":"https://ae8e6xx.ngrok.io/testskill"}},"locale":"de"}},"name":"agents/testskill"}'
--compressed 'https://actions.googleapis.com/v2/agents/testskill:batchUpdateAllDraftActionPackages'
But there is no guarantee, that this will work in the future because Google can change the endpoint without notifying anybody. So I recommend to stick with actions cli.
Obtaining token without gactions CLI
You need to visit this url:
https://accounts.google.com/signin/oauth/oauthchooseaccount?access_type=offline&client_id=237807841406-o6vu1tjkq8oqjub8jilj6vuc396e2d0c.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Factions.builder&state=state&o2v=1&as=ZmeGyvTUA3FLgRPS1_rd1A&flowName=GeneralOAuthFlow
After authorization you will get the token. This needs to be send with another curl request. You need to replace PlaceYourUrlEncodedTokenHere with your token, but it needs to be url encoded.
curl
-H 'Host: accounts.google.com'
-H 'content-type: application/x-www-form-urlencoded'
-H 'authorization: Basic MjM3ODA3ODQxNDA2LW82dnUxdGprcThvcWp1YjhqaWxqNnZ1YzM5NmUyZDBjLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tOjZ1TlVQakZvd3pVRThTbGlWWlg2a2VZMA=='
-H 'user-agent: Go-http-client/2.0'
--data-binary "code=PlaceYourUrlEncodedTokenHere&grant_type=authorization_code&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob"
--compressed 'https://accounts.google.com/o/oauth2/token'
After that you will receive json response from google which conatins access_token. This you will add to your request as Bearer.
Since yesterday i'm having a problem with actions cli, when i try to update my actions.json i have this error with oauth
Error 401: disabled_client
The OAuth client was disabled.
enter image description here
I have to use thingsboard by rest API as it is showed on the guide https://thingsboard.io/docs/reference/rest-api/
In particular, I have a live-demo server and a custom user with administration permission.
I can authenticate it with the username/password on the thingsboard interface
Unfortunately, when I try the following command
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{"username":, "password":}' 'https://THINGSBOARD_URL/api/auth/login'
I receive the following output:
{"status":401,"message":"Authentication failed","errorCode":10,"timestamp":"..."}
Anybody can help me?
I will glad,
Gianluca
Solved
It was certifciate problem,
I bypass it by the following command:
tokenAuthResp = requests.post(url, headers=headers, json=loginJSON, verify=False).json()
I have a bitbucket cloud account. Under: https://id.atlassian.com/manage/api-tokens I have generated an API Token which I am trying to use in a REST call to upload
a public SSH key to my account. Based on:
https://docs.atlassian.com/bitbucket-server/rest/5.6.2/bitbucket-ssh-rest.html?utm_source=%2Fstatic%2Frest%2Fbitbucket-server%2F5.6.2%2Fbitbucket-ssh-rest.html&utm_medium=301#idm45427244388592
https://community.atlassian.com/t5/Answers-Developer-Questions/Bitbucket-REST-API-POST-using-token-instead-of-basic-auth/qaq-p/474823
I have tried:
curl -X POST -d '{"text":"ssh-rsa AAAAB3... me#127.0.0.1"}' -H "Authorization: Bearer ADasdaEeasAsd..." https://bitbucket.org/[my-account]]/rest/ssh/latest/keys
But when I run that I get:
{"type": "error", "error": {"message": "Access token expired. Use your refresh token to obtain a new access token."}}
I have tried to re-create the token and re-run the above command again - with the new token - but I get the same error.
Any suggestions?
Based on below answer and link I have now tried:
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer wxdrtblabla..." \
-d '{"key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqP3Cr632C2dNhhgKVcon4ldUSAeKiku2yP9O9/bDtY myuser#bitbucket.org/myuser"}' \
https://api.bitbucket.org/2.0/users/myuser/ssh-keys
But I get the exact same error:
{"type": "error", "error": {"message": "Access token expired. Use your refresh token to obtain a new access token."}}
So still no luck. Also if I access:
https://api.bitbucket.org/2.0/users/[myuser]/ssh-keys
directly in a browser I get:
type "error"
error
message "This API is only accessible with the following authentication types: session, password, apppassword"
EDIT/ANSWERED: Based on the updated answer below I have no tried to create an app password and grant it account: read/write in bitbucket and it works. I run it with:
curl -v -u myuser:my-generated-app-password -X POST \
-H "Content-Type: application/json" \
-d '{"key": "ssh-rsa AAA....ro"}' \
https://api.bitbucket.org/2.0/users/myuser/ssh-keys
You're looking at Bitbucket Server documentation but using Bitbucket Cloud. (The giveaways: the "bitbucket-server" part of the doc path, and the "bitbucket.org" in the path where you're pushing your key.)
Check out https://developer.atlassian.com/bitbucket/api/2/reference/resource/users/%7Busername%7D/ssh-keys#post instead - that's the Bitbucket Cloud documentation to do what you're trying to do. Your URL will be more like https://api.bitbucket.org/2.0/users/[your-account]/ssh-keys.
EDIT: The error you received indicates the problem: you either need to make that call from within an existing session (i.e. from the GUI), use your password, or use an app password. I'd recommend the app password, since it's scoped, meant to be disposable, and won't let you log onto the GUI. Your curl call then becomes something like curl -u myuser:myapppassword -X POST -H "Content-Type: application/json" -d '{"key": "key content goes here"}' https://api.bitbucket.org/2.0/users/myuser/ssh-keys.
I am writing an application to fetch query logs from google cloud sql using stack driver monitoring. I am able to retrieve the logs using API explorer. I will be using a curl call to download the logs.
curl --header "Authorization: Bearer ACCESS_TOKEN" --header
'Content-Type: application/json' --header 'x-referer:
https://developers.google.com' -X POST --data
'{"resourceNames":["projectname"],"filter":"logName=logname"}'
"https://content-logging.googleapis.com/v2/entries:list?fields=entries(jsonPayload%2ClogName%2Coperation%2CreceiveTimestamp%2CtextPayload%2Ctimestamp)&key=APIkey"
API key is available in the interface. I have downloaded the json with client details. But I am not able to find any documentation on how to generate ACCESS_TOKEN in this case. Can someone please help me on this?
You can try:
curl -H "Authorization: Bearer "$(gcloud auth application-default
print-access-token) ...
or set:
ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
and then:
curl --header "Authorization: Bearer ${ACCESS_TOKEN}" ...