IBM Cloud User Management API - Invite users - Forbidden - ibm-cloud

i'm getting an error while trying to invite a user to an ibm cloud account by REST API.
The error says that the IMS account is not valid.
Does anyone know whats an IMS Account?
here is my request:
curl -X POST \
https://user-management.cloud.ibm.com/v2/accounts/&MYACCOUNT/users \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"users": [
{
"email": "myuser#ibm.com",
"account_role": "Member"
}],
"iam_policy": [
{
"roles": [
{
"id": "crn:v1:bluemix:public:iam::::role:Viewer"
}]
}]
}'
And the respsonse:
{
"trace": "558156745",
"errors": [
{
"code": 9999,
"message": "Not Authenticated.",
"more_info": "IMS account id from token is incorrect."
}
]
}
Any ideas how to handle this ?

API keys on IBM Cloud are tied to either a user or can be for a service ID, a specific service and more. The API keys for user IDs and service IDs can be used to generate an IAM (authentication) token.
When you call into a REST API and use a token, it is checked that the token is not expired, belongs to a valid user and if the required privileges are held to execute that desired function.
If you want to invite a user to an account and want to grant privileges as part of that invitation process, you would need to use a user ID with the privilege to invite to that specific account. It can be different for any account in an enterprise hierarchy, including the enterprise account. On top of that, the privileges to grant the desired roles or resource access is needed. If one is missing, it gives an error message (not always the best).

Related

Personal access tokens with Keycloak

Is there way to create user-specific (aka. personal) access tokens in Keycloak?
So, our goal would be that a user creates one or more personal access tokens (like in GitHub or GitLab) and he/she uses these tokens for authentication.
Any idea how to achieve this using Keycloak?
Keycloak have no short size of personal API key
But you can use full size of JWT.
It is getting Access Token with password grant type.
This is demo
localhost:8180 – is a host and a port number on which the Keycloak server is running,
test – is a Keycloak Realm,
admin-cli – one of default client,
user: user name
1234: password
password : grand_type
The Grant Type is a way to exchange a user’s credentials for an access token.
$ curl -v -d "client_id=admin-cli" -d "username=user" -d "password=1234" -d "grant_type=password" -X POST "http://localhost:8180/auth/realms/test/protocol/openid-connect/token" | jq '.access_token'
result in terminal
"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ6Q0hvYVhPX2hqbXFRTnNYOVlacnhkZmpUdk1sbWozUFNkSXpTWUJjMzRFIn0.eyJleHAiOjE2NjAzMzU4ODIsImlhdCI6MTY2MDMzNTU4MiwianRpIjoiYmFkMmFlNjktMWNiYS00NGMyLWEyZDctYzdhOWQ5YjQ4OGI4IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MTgwL2F1dGgvcmVhbG1zL3Rlc3QiLCJzdWIiOiIzOTRiNjcwOS0zOGEyLTRhYTAtYTg0OS1mZTRjODFlNDA2MjQiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJzZXNzaW9uX3N0YXRlIjoiZGM5YjI1YzEtOTRlMy00MTlhLTliOGQtMjYwZTVkMmY3MzcxIiwiYWNyIjoiMSIsInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsInNpZCI6ImRjOWIyNWMxLTk0ZTMtNDE5YS05YjhkLTI2MGU1ZDJmNzM3MSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6IlRvbSBDdXJpZXMiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyIiwiZ2l2ZW5fbmFtZSI6IlRvbSIsImZhbWlseV9uYW1lIjoiQ3VyaWVzIiwiZW1haWwiOiJ1c2VyQHRlc3QuY29tIn0.Gnx6WwpsUxQM990H89BBYi_Kiy3BdAQcCYFRknDJ9qpkGAZSYrAAjjEeEBA5ZXKIUzu0O2trly0iWVW1r4Lb5ihiqSva1BaR42v5WWXHL9gpeS-ttsoKP6N1x74msHXssRmjN5vZG_dwXF-gpKhhJmXI0fLW3-_uuH3LZ9Ar-4zNliVLjJGmePtzq74nn7WbwhggiWDQu2_mQFBnf9vJvcxn6jY9TX5oxppn4BNcvXrChAZyDXLt7RW32ud3p1Cs7Jn360Vg6cRo4wq7-Mams8hhnonhDEaakJtcin7gLK6jwFC7f2ND8banDYL3CEsem4HpmxSRX43UBhfyO64Z8A"
API call for getting user information with this access_token
$ curl --location --request GET 'http://localhost:8180/auth/realms/test/protocol/openid-connect/userinfo' --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ6Q0hvYVhPX2hqbXFRTnNYOVlacnhkZmpUdk1sbWozUFNkSXpTWUJjMzRFIn0.eyJleHAiOjE2NjAzMzU4MjMsImlhdCI6MTY2MDMzNTUyMywianRpIjoiYjc3MjMzY2ItYTI2Zi00ZGNiLWJkZTktNjRiNzhiMmQzZTM2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MTgwL2F1dGgvcmVhbG1zL3Rlc3QiLCJzdWIiOiIzOTRiNjcwOS0zOGEyLTRhYTAtYTg0OS1mZTRjODFlNDA2MjQiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJzZXNzaW9uX3N0YXRlIjoiNjg2Y2EyNDctMzZjYS00MTNiLWE4M2YtODUyZjJmNWY3YWVmIiwiYWNyIjoiMSIsInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsInNpZCI6IjY4NmNhMjQ3LTM2Y2EtNDEzYi1hODNmLTg1MmYyZjVmN2FlZiIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6IlRvbSBDdXJpZXMiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyIiwiZ2l2ZW5fbmFtZSI6IlRvbSIsImZhbWlseV9uYW1lIjoiQ3VyaWVzIiwiZW1haWwiOiJ1c2VyQHRlc3QuY29tIn0.KNioWAOTl7S5bYi303ZWkYRnTv4BnH9B7Q-Oe6j5nO5g_QD2RrWhMO1bUXA3uHdj5P3Y9Mk3vWYfsOlacVfYGmuYmGYhTD6LhbCILPf1r4qMBHUnAtPmWBUmLPNy1XQc-PPjVU6I0FzwW4-UoHCmrqgpDvSoarxf3PiUgwaYzPGm6IeAaHw-ndSO0vkhue2j2s8eVfiiH6TExkngq3zc8E1Y0WK3EM_LxcoDbfrRTNROYDqjK6Bi6_jIECjuRRC6E4ies1svMd8XGwS8iYuHB62hX7_rEBT4PmCwddjfE-IO6XoPy970gdWFUZfiRxbz1Orh-6SySVaeEPdskTGb2Q' | jq
result in terminal
{
"sub": "394b6709-38a2-4aa0-a849-fe4c81e40624",
"email_verified": false,
"name": "Tom Curies",
"preferred_username": "user",
"given_name": "Tom",
"family_name": "Curies",
"email": "user#test.com"
}
You can get the token end point by curl commend.
It is not necessary the access token.
curl --location --request GET 'http://localhost:8180/auth/realms/test/.well-known/openid-configuration' | jq
It will give a full list of result OIDC Discovery
{
"issuer": "http://localhost:8180/auth/realms/test",
"authorization_endpoint": "http://localhost:8180/auth/realms/test/protocol/openid-connect/auth",
"token_endpoint": "http://localhost:8180/auth/realms/test/protocol/openid-connect/token",
"introspection_endpoint": "http://localhost:8180/auth/realms/test/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://localhost:8180/auth/realms/test/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://localhost:8180/auth/realms/test/protocol/openid-connect/logout",
>>> deleted here next lines
I think you can customize the authentication flow using a custom Keycloak authentication SPI in that propagates passed personal token to the same 3-rd service that returns if the user is authenticated or not (see https://wjw465150.gitbooks.io/keycloak-documentation/content/server_development/topics/auth-spi.html for details)
Of course, you also need to create some web UI for token creation that will be then stored and verified with this custom SPI.

PayPal API returns RESOURCE_NOT_FOUND / INVALID_RESOURCE_ID but the transaction is listed in the Sandbox Business account

I have a similar issue.
Setup
PayPal Sandbox environment
Two test accounts (Personal and Business account). During the tests the personal account buys a product. The transaction goes to the Business account.
I created REST API app which is connected to the Sandbox Business account above.
I logged in to: https://www.sandbox.paypal.com/ with the credentials of the Business account to generate a PayPal button. The HTML code of the button is added to my website.
Steps
I open the website and click the PayPal button.
I log into PayPal Sandbox with the credentials of the Personal account.
I complete the payment process.
I log into the Business account and I see that the transaction (order) is listed there. I can see the Transaction ID.
Issue
In all requests to the API I use the Client ID and the Secret of the REST API app which I already created for the purposes of the tests.
After that I opened Postman and I sent the following request to PayPal API to generate an access token (Doc: https://developer.paypal.com/docs/api/get-an-access-token-curl/).
curl -v https://api.sandbox.paypal.com/v1/oauth2/token \
-H "Accept: application/json" \
-H "Accept-Language: en_US" \
-u "client_id:secret" \
-d "grant_type=client_credentials"
So far, so good. Then I send an API request to PayPal APIv1 to get more details about the order. I use the Transaction Id which according to what I read is identical to Order ID.
curl -v -X GET https://api.sandbox.paypal.com/v1/checkout/orders/TRANSACTION_ID \
-H "Content-Type: application/json" \
-H "Authorization: Bearer Access-Token"
and I get this:
{
"http_code": 404,
"body": {
"name": "INVALID_RESOURCE_ID",
"message": "INVALID_RESOURCE_ID",
"information_link": "https://developer.paypal.com/docs/api/orders/v1/#error-INVALID_RESOURCE_ID",
"debug_id": "c02871817abba"
}
}
I tried APIv2:
curl -v -X GET https://api.sandbox.paypal.com/v1/checkout/orders/ORDER_ID \
-H "Content-Type: application/json" \
-H "Authorization: Bearer Access-Token"
and I get this:
{
"http_code": 404,
"body": {
"name": "RESOURCE_NOT_FOUND",
"details": [
{
"issue": "INVALID_RESOURCE_ID",
"description": "Specified resource ID does not exist. Please check the resource ID and try again."
}
],
"message": "The specified resource does not exist.",
"debug_id": "c2c24f91a44fd",
"links": [
{
"href": "https://developer.paypal.com/docs/api/orders/v2/#error-INVALID_RESOURCE_ID",
"rel": "information_link",
"method": "GET"
}
]
}
}
Confusion
The transaction is clearly listed in the Business account but the API says that there no such transaction.
Suggestions/Solutions?
Solution
The default behaviour of the payments initiated via PayPal button (generated with the Business account) is Sale but not Order. For more details about the differences between the two, read here - https://www.paypal.com/us/smarthelp/article/what-are-the-differences-between-the-express-checkout-payment-actions-ts1501
The solution is to make a request to another PayPal API method (check: https://developer.paypal.com/docs/paypal-plus/germany/how-to/show-sale/?fbclid=IwAR30yROZMjKT2LlRgSRuVBMGrjdmN1MGbuJ50rUiUBWwW11FSpGdxk5JNpY#show-sale-details)
Here is the request returning correct data.
curl -v -X GET https://api.sandbox.paypal.com/v1/payments/sale/TRANSACTION_ID \
-H "Content-Type: application/json" \
-H "Authorization: Bearer Access-Token"
Solution
The default behaviour of the payments initiated via PayPal button (generated with the Business account) is Sale but not Order. For more details about the differences between the two, read here.
The solution is to make a request to another PayPal API method check this
Here is the request returning correct data.
curl -v -X GET https://api.sandbox.paypal.com/v1/payments/sale/TRANSACTION_ID \
-H "Content-Type: application/json" \
-H "Authorization: Bearer Access-Token"
v2/orders objects are for payment approval only, they are not transactions. Their IDs should only be persisted about a month for debugging purposes, as they serve no accounting purpose and are not referenceable in PayPal.com
A PayPal transaction on the other hand is represented by a v2/payments object, returned when you capture a v2/order. You can get a capture's details again with the appropriate GET call: https://developer.paypal.com/docs/api/payments/v2/#captures_get
It is very likely something is broken on PayPal server. It is happening quite often.
They usually fix it, some time it takes longer than reasonable.
In any way to make sure you are doing everything correctly, and to check if they have problems at the time of your experiments, you can contact paypal support
https://www.paypal-support.com/

IBM Cloud User Management API - Invite users - User status doesn't become Active

I tried to invite a user to my IBM Cloud account by the REST API.
The user is successfully registered but its status didn't become Active, so that he can't use the account in my IBM CLoud account env.
How can I make the user status Active? When I invited a user by ibmcloud cli, the user is registered and becomes Active immediately without any additional operation.
Has anyone invited a user to IBM Cloud account and succeeded?
I ran the REST API and invited a user to my IBM CLoud account.
I got the response from the REST API.
{"resources":[{"id":"xxxx","email":"myuser#ibm.com","state":"PROCESSING"}]}
I checked the user status many times over 4 hours but its status remains PENDING. it didn't become Active.
"state": "PENDING",
I checked by ibmcloud cli. Then the status remains PENDING.
$ ibmcloud account users
Getting users under account $MYACCOUNT...
OK
User ID State Role
myuser#ibm.com PENDING MEMBER
user1#jp.ibm.com ACTIVE PRIMARY_OWNER
user2#jp.ibm.com ACTIVE MEMBER
Invite a user by the REST API
curl -X POST \
https://user-management.cloud.ibm.com/v2/accounts/&MYACCOUNT/users \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"users": [
{
"email": "myuser#ibm.com",
"account_role": "Member"
}],
"iam_policy": [
{
"roles": [
{
"id": "crn:v1:bluemix:public:iam::::role:Viewer"
}]
}]
}'
CHecked the user status
{
"id": "xxxx142ad70df5fd5a1f72",
"iam_id": "BSS-xxxxad70df5fd5a1f72",
"realm": "BSS",
"user_id": "myuser#ibm.com",
"firstname": "",
"lastname": "",
"state": "PENDING",
"email": "myuser#ibm.com",
"phonenumber": "",
"altphonenumber": "",
"photo": "",
"account_id": "$MYACCOUNT"
},
When I invited a user via the ibmcloud CLI, a user becomes ACTIVE immediately. How can I do the same operation by the API?

Azure isMemberOf api gives "Insufficient privileges to complete the operation." error when trying to access from Azure Virtual Machine

So my requirement is for the application running on Azure Machine to check if a particular Azure user logged in belongs to an assigned Azure group.
I have enabled Managed Service Identity for the said virtual machine.
MSI
I get the token for the VM by making a call to the metadata service running locally using the following command for the graph resource on the VM:
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fgraph.windows.net' -H Metadata:true
Once I get the token I make a POST request to the graph API of isMemberOf with that newly acquired token:
curl -i -H "Authorization: Bearer <token-value>" -H "Content-Type: application/json" --data '{"groupId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","memberId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}' https://graph.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/isMemberOf?api-version=1.6
I get the following response
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
I have assigned the resource group the VM belongs to with IAM as a owner to the resource
Am I missing something that I should have it configured or I am doing something wrong here?
So I dug around a little bit and found that Microsoft prefers us developers using Microsoft Graph rather than the Azure AD Graph
Microsoft Graph vs Azure AD Graph
I found a similar call in Microsoft Graph API to get member of information User list member of call
This call requires the following scope:
Directory.Read.All
Directory.ReadWrite.All
And these are the steps I followed:
Application would need to fetch the token for making the Microsoft graph API call.
POST https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
HEADER
Content-type: application/x-www-form-urlencoded
BODY:
client_id=&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=&grant_type=client_credentials
RESPONSE:
{
"token_type": "Bearer",
"expires_in": 3600,
"ext_expires_in": 0,
"access_token": "<token-value>"
}
Client secret is generated at app registration time.
Application would make the call to microsoft graph API to fetch
POST https://graph.microsoft.com/v1.0/users/{user-object-id}/checkMemberGroups
HEADERS: Authorization: Bearer {token-value}
Content-Type: application/json
BODY:
{
"groupIds":["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]
}
RESPONSE:
200 OK - if user belongs to the group
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
"value": [
"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
]
}
404 Not found - if user does not exist
{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"date": "2018-05-23T02:54:47"
}
}
}
This would help application identify if the Azure user belongs to the assigned group or not.
You are calling Azure AD Graph API, not ARM API.
The IAM blade only gives access rights for the ARM API.
You'll need to assign the necessary rights to the service principal kinda manually.
I actually wrote an article on this a while back: Calling your APIs with Azure AD Managed Service Identity using application permissions.
You will need:
Your MSI service principal object id (you can see how to find this in my article)
The target service principal object id (in this case Azure AD Graph API)
Id of the app permission you want to assign (you can use e.g. https://graphexplorer.azurewebsites.net to find these, they are under appRoles on the service principal)
Once you have these, then you can run this PowerShell cmdlet (using the AAD v2 cmdlets):
Connect-AzureAD
New-AzureADServiceAppRoleAssignment -ObjectId msi-sp-id -Id app-permission-id -PrincipalId msi-sp-id -ResourceId aad-graph-sp-id
Then everything should work.

Uber GET requests 403

I am trying
curl -X GET -H "Authorization: Bearer <TOKEN>" "https://api.uber.com/v1.2/requests/<REQUEST_ID>"
and response is 403
{"message":"Forbidden","code":"forbidden"}
But the https://developer.uber.com/docs/riders/guides/scopes says that
The good news is you currently have access to these scopes when authorizing your own account or those of the developer accounts you list in your application dashboard (Limited Access). This allows you to start building an app immediately.
I've got token via OAuth using my own account
I've set param "scope=request" to https://login.uber.com/oauth/v2/authorize
And I've set "scope=request" when did https://login.uber.com/oauth/v2/token
Also I've trying to do request to https://sandbox-api.uber.com, it responds
{ "message": "cannot find trip", "code": "not_found" }
But I think it's ok, because sandbox doesn't contain my own account data, right?
Where is my fault could be?