I'm trying to use DialogFlow REST API with api key auth method. For example
https://dialogflow.googleapis.com/v2/projects/projectId/agent?key=[YOUR_API_KEY]
but It desn't work. This is the result
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
Related
Keycloak:token issue
Token API:
http://localhost:8081/auth/realms/zyter-api/protocol/openid-connect/token
Response:
{
"error": "invalid_grant",
"error_description": "Invalid user credentials"
}
in Keycloak server ,identity provider is OKTA . after login in redirecting URL , user created in Keycloak. same user is used to retrieve the access token but not able to get .got below error.
{
"error": "invalid_grant",
"error_description": "Invalid user credentials"
}
I am following the documentation posted here (https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops).
I have a react-based webapp and a powershell-based function app, both in Azure. My function app is presently using a personal access token created with my work account (AAD) credentials, which is not desirable. My goal is to use OAuth2 to authorize my function app to make code changes to a GIT repository on behalf of a webapp user. When I follow the instructions above, I am able to acquire what appears to be a valid authorization code, access token, and refresh token, I receive the following error message from Azure DevOps:
TF400813: The user 'ffffffff-ffff-ffff-ffff-ffffffffffff' is not authorized to access this resource.
…
401 - Uh-oh, you do not have access.
The request requires authentication.
4/21/2021 12:04:16 AM (UTC)
ffffffff-ffff-ffff-ffff-ffffffffffff
Sign out and login with different account
I have obscured the guids in the example above, but the user GUID appears to match the GUID I find for my work account when I call the legacy identity APIs (https://learn.microsoft.com/en-us/rest/api/azure/devops/ims/identities/read%20identities?view=azure-devops-rest-6.0).
I created my application (https://app.vsaex.visualstudio.com/app/register) with the same scopes that I used to create my personal access token. I verified in my dev.azure.com profile that my application is listed as an authorized OAuth app, as expected after creating the authorization request and receiving the authorization code.
The error message above is confusing to me. It says that the user (me) is not authorized to access the resource but also says that the authentication failed. Which is it?
Is this a problem with how I am acquiring my authorization/access tokens? Am I somehow using the wrong account? Are my scopes wrong?
Reproduction of Problem
Here is the state from my registered application:
My application state:
{
"scopes": "vso.code_full vso.code_status vso.graph_manage vso.identity_manage vso.threads_full vso.tokens",
"tokenUrl": "https://app.vssps.visualstudio.com/oauth2/token",
"state": "foo",
"authCallback": "https://myapp.azurewebsites.net/oauth-callback",
"clientSecret": "S.S.S-S-S",
"authUrl": "https://app.vssps.visualstudio.com/oauth2/authorize",
"appWebsite": "https://myapp.azurewebsites.net/",
"appSecret": "S",
"appId": "FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF"
}
Step 1. Authorize the application.
I invoke the following auth URI from an in-private browser.
I authenticate my work account, and authorize the application for the requested scopes.
I can verify the app is an authorized oauth app in my dev.azure.com profile.
https://app.vssps.visualstudio.com/oauth2/authorize?client_id=FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF&response_type=Assertion&state=foo&scope=vso.code_full%20vso.code_status%20vso.graph_manage%20vso.identity_manage%20vso.threads_full%20vso.tokens&redirect_uri=https://myapp.azurewebsites.net/oauth-callback
I receive an authcode, "A.A.A-A-A-A" (shown decoded/obfuscated below):
{
"typ": "JWT",
"alg": "RS256",
"x5t": "....."
}
{
"cid": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"csi": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"nameid": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"iss": "app.vstoken.visualstudio.com",
"aud": "app.vstoken.visualstudio.com",
"nbf": 1618438026,
"exp": 1776204426
}
Step 2. Request the access token and refresh token from my powershell function app:
I make a rest api call to the token endpoint:
"Uri": "https://app.vssps.visualstudio.com/oauth2/token"
"Method": "POST"
"ContentType": "application/x-www-form-urlencoded"
"Body": "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=S.S.S-S-S&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=A.A.A-A-A-A&redirect_uri=https://myapp.azurewebsites.net/oauth-callback"
…and I get the following JSON response:
Token Response:
{
"access_token": "X.X.X-X-X-X-X-X-X",
"token_type": "jwt-bearer"
"expires_in": 3599,
"refresh_token": "R.R.R-R-R-R",
"scope": "vso.code_full vso.code_status vso.graph_manage vso.identity_manage vso.threads_full vso.tokens vso.authorization_grant"
}
Yielding the following JWT for the access token:
{
"typ": "JWT",
"alg": "RS256",
"x5t": "....."
}
{
"nameid": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"scp": "vso.code_full vso.code_status vso.graph_manage vso.identity_manage vso.threads_full vso.tokens",
"aui": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"appid": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"iss": "app.vstoken.visualstudio.com",
"aud": "app.vstoken.visualstudio.com",
"nbf": 1618963456,
"exp": 1618967056
}
Step 3. Make a DevOps REST API call.
In this case, I am requesting a list of respositories in my org/project:
"Uri": "https://dev.azure.com/myorg/myproj/_apis/git/repositories?api-version=6.0"
"Method": "GET"
"Headers": {"Authorization": "Bearer X.X.X-X-X-X-X-X-X"}
This is where things go wrong. DevOps returns a 401 error indicating that my account is not authorized.
TF400813: The user 'ffffffff-ffff-ffff-ffff-ffffffffffff' is not authorized to access this resource.
If I make the exact same http GET from Step 3, but I substitute my PAT with identical scopes as the registered application, the call succeeds. The PAT seems to be created with the exact same profile/account that is authorized in Step 1.
This behavior can be observed when the organization admins have disabled OAuth in the settings. The relevant option can be viewed by any member of the org at e.g. https://dev.azure.com/contoso/_settings/organizationPolicy
Sadly there is no better indication of this for the app or the user, as far as I can see.
Your app can still ask the user for authorization, all OAuth operations succeed, a seemingly valid access token gets returned, but then it simply does not work and returns 401 from all APIs, even if a PAT with the same scope(s) works fine.
i have created a google service account, created a keyfile (key.json) and now I want to create a googlesheet using postman
https://sheets.googleapis.com/v4/spreadsheets?scope=https://www.googleapis.com/auth/spreadsheets&private-key-file=c:\temp\key.json
But I keep getting a 401 error - missing required credential
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid
authentication credential. See
https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
what's the syntax to pass the key file in the url/header or body ?
thanks !
just goto authorization header and add the key and value as api key and select add in as "query parameter"
You can also manually add key and value as query parameter
Both does the exact same thing
I have successfully installed Documentum REST API in my environment. When I go to http://localhost:8080/dctm-rest/repositories I am able to see the repositories successfully. But when I when I try to open any cabinet URL there, it prompts for username password.
I put a password there and it works fine.
But when I send the request using Postman it shows this error
"status": 401,
"code": "E_GENERAL_AUTHENTICATION_ERROR",
"message": "Authentication failed.",
"details": "Full authentication is required to access this resource"
and when sending with Authorization in the format
Authorization : Basic (base64 value of "username:password")
it shows
"status": 400,
"code": "E_INPUT_ILLEGAL_ARGUMENTS_PARAM",
"message": "Illegal argument {0} provided with value {1}.",
"details": "Parameter conditions \"dql\" not met for actual request
parameters: "
You Have to turn on the Interceptor to make proxy-authenticated request so that it has the same request context as of browser.
I tried few links and used Basic Auth, which worked!
I am new to Google Cloud. I want to upload an image to my Bucket.
I did it successfully from the GCP Console and GCP Shell. However, I am unable to do it using REST Endpoint using API-KEY.
Here is my URL.
https://www.googleapis.com/upload/storage/v1/b/[MY_BUCKET]/o?uploadType=media&name=myhero&key=[MY_API-KEY]
I am getting the following message
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Anonymous caller does not have storage.objects.create access to [MY_BUCKET]/myhero.",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Anonymous caller does not have storage.objects.create access to [MY_BUCKET]/myhero."
}
}
This is because the bucket currently does not allow any way to allow users with the API-KEY even though the API-KEY allows the user of this key to upload an object to the bucket.
What should I do
1) if I want to go with the API-key way.
2) if I want to go with service-account way. What is the best way to generate Authorisation token? I have come till this point
{"alg":"RS256","typ":"JWT"}.
{
"iss":"761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5#developer.gserviceaccount.com",
"scope":"https://www.googleapis.com/auth/prediction",
"aud":"https://www.googleapis.com/oauth2/v4/token",
"exp":1328554385,
"iat":1328550785
}.
But I am unable to generate {Base64url encoded signature} as I am unable to figure out the private and public keys...
You are getting “anonymous caller” because you are not properly authenticated. You can authenticate using a bearer token instead of the API-KEY.
You can run the following script:
BUCKET=<BUCKET_NAME>
OBJECT=<OBJECT>
TOKEN=$(gcloud auth print-access-token)
curl "https://www.googleapis.com/upload/storage/v1/b/$BUCKET/o?uploadType=media&name=$OBJECT" -H"Authorization: Bearer $TOKEN" -H'Content-Type: image/jpg' --data-binary #$OBJECT