Creating public action does not add to sequence - ibm-cloud

I am a new user following this tutorial provided by IBM.
I am up to this step:
For Cloudant Instance, select Input your own credentials and fill in the following fields with the credentials information captured for your cloudant service: Username, Password, Host and Database = guestbook and click Add and then Save.
After following the instruction to 'Add', I am returned to the sequence view (with the list of actions representing the sequence I'm working on).
Expected: The newly created public action w/ binding should appear in the list.
Instead: The newly created public action is not in the list. There is no evidence of it having been created at all. There is no option to 'save'.
Am I doing something wrong? This seems like an enormous bug.
Attempted solutions (unsuccessful):
Log out and back in.
Create new Cloudant service credentials.
Enter service credentials manually vs via dropdown.
Create action in a named package rather than default package.
Create new Cloudant service credentials, selecting a specific service ID.
PS
Attempted to create support ticket but needed to upgrade account by adding credit card. Filled in card information. Card rejected: "Error: Could not place order. Unable to verify the credit card. Declined due to Risk management". I use this card successfully all the time.
In actions UI, selected a sequence, added an action to the sequence, 'reset' sequence to discard changes, began to add yet another action, cancelled that new action, returned to sequence view and the previously created action that I had discarded was there. Ie seems like some backend / database propagation issues on IBM's end?

The steps have been updated in https://cloud.ibm.com/docs/tutorials?topic=solution-tutorials-serverless-api-webapp#sequence-of-actions-to-save-the-guestbook-entry.
To create the new Cloudant binding:
Set Name to binding-for-guestbook.
Set Instance to Input your own credentials.
Set Username, Password, Host and IAM API Key from the values found in the Cloudant credentials for-guestbook created earlier.
Set Database to guestbook.
Set whiskoverwriteLabel to true.
Save

Related

How to add dedicated scope to Keycloak via kcadm

I'd like to add dedicated scopes to a client so that it can access information from other clients.
Turning full access on works but grants too many permissions.
The scopes are already created with their respective clients. It is “only” a matter of assigning scope from client a to client b. I have a list of names and client ids available locally. How can I efficiently assign them via kcadm.sh?
I already tried with the network tab open but I couldn't wrap my head around what the logic behind assigning scopes is.
E.g., there is a
POST /admin/realms/master/clients/968c7b36-95dd-4121-b92b-37b324298890/scope-mappings/realm with an empty array as payload
POST /admin/realms/master/clients/968c7b36-95dd-4121-b92b-37b324298890/scope-mappings/clients/74cb7b05-34d5-4657-8fe6-bb19a7c8a07f from the APIDOC it just says client. But I don't know what that client should be.
How to reproduce on Keycloak (X) 20.0.3
Login to the Keycloak Admin Console
Click on the client tab
Click createClient
Create client id and click next.
Click save.
On the new client. Click on the upper tab 'Client scopes'.
Click on the first blue item.
Click on the upper tab 'scope' and turn off full scope allowed.
Click assign role and add one of the items.
This is what I want to achieve with the help of the kcadm.sh as clients are added dynamically. You can't even export the client from Actions->Export and Import it again from the UI. Every scope is lost when imported again.
To assign role from client A to client B at the bear minimal you need the following Rest Full API call:
POST /admin/realms/ <REALM NAME> /clients/< ID OF THE CLIENT >/scope-mappings/clients/< ID OF THE CLIENT where the role comes from>
so in your case /admin/realms/ <REALM NAME> /clients/< ID OF CLIENT B >/scope-mappings/clients/ < ID OF CLIENT A>
the payload should be [{"id":"<ID OF ROLE>","name":"<ROLE NAME>"}]
You will need the call to get the id of the client for that you can call:
GET /{realm}/clients
with clientId as query parameter.
And then you will need the call to get the ID of the role, for that you can use:
GET /{realm}/clients/{id}/roles/{role-name}
id is the id of the client.

What is the workflow for a basic Auth OIDC with Keycloak

I have keycloak on docker (v20.0.2) and as you know some versions change some or good part of the UI, so is hard to follow tutorials around the web...
I am trying to follow this particular tuto
https://developers.redhat.com/blog/2020/11/24/authentication-and-authorization-using-the-keycloak-rest-api#keycloak_sso_demo
that seems the more updated. My keycloak is actually behind traeffic and thomseddon/traeffic-fordward-auth with a docker-compose file (but the connection through traeffic is good and I have acces to admin UI)
So on step 10 of the tutorial things change for me, I have to look for that particular view inside:
Click on lateral menu Client Scope
Click on button Create client scope
Give a name to the scope, and click on Tab Mapper
All mappers are predefined... so there is no "New mapper" don't understand this bit
then just follow the tuto
With that series of steps I get an error when retriving the token...
https://keycloak:8443/realms/education/protocol/openid-connect/token
enter image description here
(this are fake local data from the realm I created for testing)
that responds with a or something similar I have also tried to change the grant_type to password, and the same happens can not query the token....
{
"error": "invalid_client",
"error_description": "Invalid client or Invalid client credentials"
}
But if I do not link a user with an scope/role as in the tuto suggest then I get the token, but of course I want to use the role or scope to limit who can see which endpoint and who can not
Any step that I'm missing from this update, do you have the same error?
Thank you in advance
I have tried to run it with different combinations of options to see if there is a toggle that actually allows me to fetch the token
Also with different types of grant_type
I will build an API in Python (I don't know Java and prefer Json instead of XML) that connect to this keycloak to allow users or not based on their scope/role/permission or something
I need to be able to block user so if user Student try to access an url from another Student he get blocked that url. So is based on the role or scope or I don't know which is prefered or easer to accomplish, the mission is to block users or not based on a factor that could be used for this in keycloak.

Preventing user from modifying their name in Keycloak

In Keycloak, by default, users are able to change their first and last name in the account manager page. However, is it possible to disable this behavior?
Removing both fields in the theme results in those values not being sent and the form failing, and a hand-crafted POST request would defeat this method anyway.
I came across a similar problem and after reading this SO post, came to know that although you can disable/hide fields in ftl, you cannot disable form validation
For e.g I hid firstname field , but still cannot submit. Same was the result with disable as well:
I am not aware about disabling a particular field in some other way. However there is a workaround in which you can disable the entire account modification flow (Password can still be changed by Forgot Password option).
Bu default, account modification is enabled, but you can disable it for a particular realm by going to Realms -> Clients -> Account.
The result of this will be, the account page will be inaccessible:
You can remove the client role 'manage_account' for client 'account'.
In Keycloak, by default, users are able to change their first and last
name in the account manager page. Is it possible to disable this
behavior?
That can be done out-of-the-box (since Keycloak 14) by using the user profile functionality. First, the preview feature declarative-user-profile has to be enabled. For that start the server with:
--features=declarative-user-profile.
for the Quarkus version, or with
-Dkeycloak.profile.feature.declarative_user_profile=enabled
for the Wildfly version.
Bear in mind that:
Declarative User Profile is Technology Preview and is not fully
supported.
After starting the server with the aforementioned option, go to the Keycloak Admin Console and:
Go to the according Realm;
Go to the tab General;
Set User Profile enabled to ON
A new tab named User Profile (top right) will show up; click on it, and a set of configurable attributes will be shown.
Click on firstName, and then go to Permissions
In that section the permissions can be changed, accordingly. For example, if one sets Can user edit? to OFF, then when the user tries to change the firstName field in the account UI, that UI throws the following warning message:
The field First name is read only.
The same configuration can also be applied to the lastName attribute.
For the new Keycloak UI the workflow is exactly the same as the one I have just described. More information about the feature can be found in the official keycloak documentation (link)
You can use readonly property to disable email you can just change the following line:
<input type="text" class="form-control" id="email" name="email" readonly autofocus value="${(account.email!'')}"/>

SuiteCommerce Advance: Unable to get the Free Shipping Rule Rate 'Insufficient permissions' for Custom Service

We tried loading shipping item data with 'nlapiLoadRecord', Currently we have two methods available Standard & Express. We tried to load data for standard method as below in Script Debugger.
​var standard = nlapiLoadRecord('shipitem',3);
We are getting all fields of standard shipitem in Script Debugger, then we are fetching shipping rule value with
var standard_amount = standard.getFieldValues('freeifordertotalisoveramount');
Then we tried to load these same data using nlapiLoadRecord in our custom SuiteScript Model, we tried to call this method in our custom ShippingDetails.Model, and tried to fetched the data on cart page but it is giving us 'Insufficient permissions' error massage. Please see below attached screenshot. nlapiLoadRecord('shipitem',3); does not allow us to load data on front end.
Basically this is not case with your code, as you are trying to load shipping rate using SuiteScript Service and model this is perfect.
​var standard = nlapiLoadRecord('shipitem',3);
var standard_amount = standard.getFieldValues('freeifordertotalisoveramount');
This is completely related with user's permission i.e Roles Under Setup-->User/Roles-->Manage Roles you are trying to fetch data of 'shippingitem' in this case you must need to check different permission
Check your Script Service is enabled, enabled for with out login in NS back end
Most Imp:
2. Check shipping item is added in permission under List i.e the role which you are using for Service, for that role you must need to set shipping item See below screen shot you will get more idea.

ServiceNow REST API with Table name for Alert

I have gone through the below link to know about Table REST API of ServiceNow:
https://express.servicenow.com/support/documentation/r_TableAPIGETRecordMethod/
My requirement is to obtain all the record from Alert table
using Table REST API i.e. 'GET /api/nowv1/table/(tableName)'.
Now my question is , what will be the name of the (tablename) for Alert in the API itself to get the alerts which are already created in the table and can be seen using via "manage the alert life cycle feature" by navigating "Event Management > Active Alerts" (See : http://wiki.servicenow.com/index.php?title=Managing_Alerts#Managing_the_Alert_Life_Cycle) ?
If you're an administrator, you can get the table name from the table label (e.g. "Alert") by going to the sys_db_object table (via "Tables" entry in the left nav).
Just search for the row with the label you want, and the table name will be the name of that row.
As any other user, you can just open any record in the table in a new tab/window (i.e. outside of the usual frameset) and look at the URL.
For your case, I opened "All Alerts", then opened an arbitrary record, which took me to this url suffix:
/em_alert.do?sys_id=df7a6f00d72321008de76ccf6e610322
This tells us that the table name for "All Alerts" is em_alert
I got the answer.
In order to work with servicenow event/alert, you need to plugin the Event Management module in your PaaS developer instance, if you are new in ServiceNow.
This link (https://developer.servicenow.com/app.do#!/home ) is for applying for new developer instance. First you need to register and then you will be getting the instance. Once you have the instance allocated, you are provissioned to add "Event Management" plugin and then your developer instance (so far free) is a place for you to learn about ServiceNow Event Management system for doing research & development on event/alert table API etc. Note : The developer instance may not support real monitoring features e.g. : (1) detect an event; (2) send an alert of an event;
The API for getting alert info will be :
GET https://.service-now.com/api/now/v1/table/em_alert with basicauth credential
regards
SK