authlib: some client_kwargs in config are not used - authlib

Love authlib overall. Question about client_kwargs described in
https://docs.authlib.org/en/latest/client/frameworks.html
and https://docs.authlib.org/en/latest/client/django.html
Problem statement: I tried to pass "scope" and "audience" key/value pairs in the client_kwargs dict, but only "scope" key/value is used for generating URI for authorization.
I need to pass "audience" for Atlassian OAuth2.0 https://developer.atlassian.com/cloud/jira/platform/oauth-2-authorization-code-grants-3lo-for-apps/
Workaround found after some tinkering by passing "audience"="api.atlassian.com" to oauth.atlassian.authorize_redirect.
Question: Is client_kwargs in oauth.register/AUTHLIB_OAUTH_CLIENTS intended only for certain keyword arguments? If so, would be great to share it in the documentation; otherwise it would be convenient to set it in config together with everything else.
This behavior was found in 0.12.1 and 0.13.dev0.
Thanks!

Because OAuth 1.0 and OAuth 2.0 are different, these client_kwargs are designed to pass extra parameters to either OAuth1Client/OAuth1Session or OAuth2Client/OAuth2Session.
For your case, there is an authorize_params. You can put audience in your authorize_params:
    oauth.register(
        ....
        authorize_params={'audience': '...'},
        ....
    )

Related

Exposing verificationToken in built-in user model - Loopback 3

Subject says it all really. Just trying to figure out how to expose the verificationToken property of the default built-in user model in Loopback 3.
I've tried adding it to the "scope" definition in users.json, it works for other fields but not for verificationToken. I've also made sure to remove it from the "hidden" array in users.json.
I've read the very limited information provided on white-listing here (https://loopback.io/doc/en/lb3/Model-definition-JSON-file.html) and it talks about overwriting the toJSON method of the model, but I'm not seeing much info on how to do that, particularly for a built-in model.
Anybody ever dealt with this before? Thanks in advance for any tips you might provide!
To access the verification token: if you are using User.json, by default it hides the password and verificationToken from access in the REST API.
By default:
    "hidden": ["password", "verificationToken"],
Change it to:
    "hidden": ["password"],

nginx: rewrite a LOT (2000+) of urls with parameters

I have to migrate a lot of URLs with params, which look like that:
/somepath/somearticle.html?p1=v1&p2=v2 --> /some-other-path-a
and also the same URL without params:
/somepath/somearticle.html --> /some-other-path-b
The tricky part is that the two destination URLs are totally different pages in the new system, whereas in the old system the params just indicated which tab to open by default.
I tried different rewrite rules, but came to the conclusion that parameters are not considered by nginx rewrites. I found a way using location directives, but having 2000+ location directives just feels wrong.
Does anybody know an elegant way to get this done? It may be worth noting that beside those 2000+ redirects, I have another 200.000(!) redirects. They already work, because they're rather simple. So what I want to emphasize is that performance should be key!
You cannot match the query string (anything from the ? onwards) in location and rewrite expressions, as it is not part of the normalized URI. See this document for details.
The entire URI is available in the $request_uri parameter. Using $request_uri may be problematic if the parameters are not sent in a consistent order.
To process many URIs, use a map directive, for example:
    map $request_uri $redirect {
        default 0;
        /somepath/somearticle.html?p1=v1&p2=v2 /some-other-path-a;
        /somepath/somearticle.html /some-other-path-b;
    }
    server {
        ...
        if ($redirect) {
            return 301 $redirect;
        }
        ...
    }
You can also use regular expressions in the map, for example, if the URIs also contain optional unmatched parameters. See this document for more.
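The answer above hand-writes two map entries; with 2000+ pairs the realistic approach is to generate the map file from the migration list, and the parameter-order problem it mentions can be solved in the generator by emitting a PCRE key per parameterised URI. The script below is an added example (not from the question or answer): it takes (old URI, new path) pairs, emits exact keys for plain paths and regex keys (map's `~` prefix) that require every parameter as a whole `name=value` token in any position, and includes a small lookup() that replays nginx's exact-then-regex matching with Python's re so the generated keys can be checked offline. The REDIRECTS list is constructed sample input; the nginx directive names are real, the generated regex shape is this example's own choice.

```python
"""Generate an nginx `map` block from a list of (old URI, new path) pairs."""
import re
from urllib.parse import urlsplit

# Constructed sample input; in practice load the 2000+ pairs from a CSV export.
REDIRECTS = [
    ("/somepath/somearticle.html?p1=v1&p2=v2", "/some-other-path-a"),
    ("/somepath/somearticle.html", "/some-other-path-b"),
]


def map_key(old_uri):
    """Build the nginx map key for one old URI.

    A URI without parameters becomes a plain (exact-match) key. A URI with
    parameters becomes a PCRE key ('~' prefix): the path and '?' are anchored,
    then one lookahead per parameter requires that raw name=value token to be
    present somewhere in the query string, so the order the browser sends the
    parameters in does not matter and extra parameters are tolerated.
    Query tokens are kept raw (not percent-decoded) because $request_uri is raw.
    """
    parts = urlsplit(old_uri)
    if not parts.query:
        return parts.path
    tokens = [t for t in parts.query.split("&") if t]
    lookaheads = "".join(
        r"(?=(?:.*&)?" + re.escape(token) + r"(?:&|$))" for token in tokens
    )
    return "~^" + re.escape(parts.path) + r"\?" + lookaheads


def render_map(redirects, source="$request_uri", target="$redirect"):
    """Render the full map block; exact keys first, then regex keys.

    Keys are emitted unquoted, which is safe for request URIs (no spaces,
    quotes, ';' or braces); nginx tests exact keys first and regexes in order.
    """
    lines = [f"map {source} {target} {{", "    default 0;"]
    for old, new in sorted(redirects, key=lambda pair: "?" in pair[0]):
        lines.append(f"    {map_key(old)} {new};")
    lines.append("}")
    return "\n".join(lines)


def lookup(redirects, request_uri):
    """Replay nginx's map choice for a request URI using Python's re.

    Exact keys win; otherwise the first regex key that matches wins.
    Returns the new path, or None when no redirect applies.
    """
    exact = {map_key(old): new for old, new in redirects if "?" not in old}
    if request_uri in exact:
        return exact[request_uri]
    for old, new in redirects:
        key = map_key(old)
        if key.startswith("~") and re.match(key[1:], request_uri):
            return new
    return None


if __name__ == "__main__":
    print(render_map(REDIRECTS))
    for uri in ("/somepath/somearticle.html?p2=v2&p1=v1",
                "/somepath/somearticle.html",
                "/somepath/somearticle.html?p1=v1"):
        print(uri, "->", lookup(REDIRECTS, uri))
```

Write the rendered block to its own file and pull it into the http context with `include`; the `if ($redirect) { return 301 $redirect; }` part stays in the server block exactly as in the answer. Because the map is hashed, the exact keys cost nothing per request; only the parameterised entries are regexes, and they are tried in file order, so keep that list as short as the migration allows.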

Linkedin API oAuth 2.0 REST Query parameters

I'm running into a problem with adding a query to the callback URL. I'm getting an invalid URI scheme error attempting to authorize the following string:
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=75df1ocpxohk88&scope=rw_groups%20w_messages%20r_basicprofile%20r_contactinfo%20r_network&state=7a6c697d357e4921aeb1ba3793d7af5a&redirect_uri=http://marktest.clubexpress.com/basic_modules/club_admin/website/auth_callback.aspx?type=linkedin
I've read some conflicting information in forum posts here. Some say that it's possible to add query strings to callbacks, and others say that it results in error.
If I remove ?type=linkedin, I can authorize just fine and receive the token. It would make my life so much easier if I could use a query string on the callback url, as I need to do some additional processing in the callback.
In short, can I append a query string to the end of the callback url?
For fun, I tried encoding the callback url in the request (obviously this is a no-no according to their documentation):
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=75df1ocpxohk88&scope=rw_groups%20w_messages%20r_basicprofile%20r_contactinfo%20r_network&state=5cabef71d89149d48df523558bd12121&redirect_uri=http%3a%2f%2fmarktest.clubexpress.com%2fbasic_modules%2fclub_admin%2fwebsite%2fauth_callback.aspx%3ftype%3dlinkedin
This also resulted in an error but was worth a shot.
The documentation here: https://developer.linkedin.com/forum/oauth-20-redirect-url-faq-invalid-redirecturi-error indicates that you CAN use query parameters. And in the first request, it appears that I'm doing it correctly. Post #25 on this page - https://developer.linkedin.com/forum/error-while-getting-access-token - indicates that you have to remove the query parameters to make it work.
Anyone have experience with successfully passing additional query parameters in the callback url for the LinkedIn API using OAuth 2.0? If so, what am I doing wrong?
I couldn't wait around for the LinkedIn reps to respond. After much experimentation, I can only surmise that the use of additional query parameters in the callback is not allowed (thanks for making my application more complicated). As it's been suggested in post #25 from the question, I've tucked away the things I need in the "state=" parameter of the request so that it's returned to my callback.
In my situation, I'm processing multiple APIs from my callback and requests from multiple users, so I need to know the type and user number. As a solution, I'm attaching a random string to a prefix, so that I can extract the query parameter in my callback and process it. Each state= will therefore be unique as well as giving me a unique key to cache/get the object from cache.
so state="Linkedin-5hnx5322d3-543"
so, on my callback page (for you C# folks)
    // state has the shape "Linkedin-<random>-<userId>", so split on '-'
    _stateString = Request["state"];
    _receivedUserId = _stateString.Split('-')[2];
    _receivedCacheKeyPrefix = _stateString.Split('-')[0];
    if (_receivedCacheKeyPrefix == "Linkedin") {
        getUserDomain(_receivedUserId);            // populates _userDomain
        oLinkedIn.AccessTOkenGet(Request["code"], _userDomain);
        if (oLinkedIn.Token.Length > 0) {
            _linkedinToken = oLinkedIn.Token;
            // now cache token using the entire _stateString and user id (removed for brevity)
        }
    }
You are not allowed to do that.
Refer to the doc: https://developer.linkedin.com/docs/oauth2
Please note that:
We strongly recommend using HTTPS whenever possible
URLs must be absolute (e.g. "https://example.com/auth/callback", not "/auth/callback")
URL arguments are ignored (i.e. https://example.com/?id=1 is the same as https://example.com/)
URLs cannot include #'s (i.e. "https://example.com/auth/callback#linkedin" is invalid)
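Two threads on this page end up at the same place: the authlib question needs a provider-specific extra parameter (audience) on the authorization request, and the LinkedIn thread ends up carrying application data (API type, user number) through the state parameter because the provider ignores query strings on the redirect URI. The snippet below is an added, standard-library-only example (it is not authlib's, LinkedIn's, or the poster's code) that does both: it composes the authorization URL with an `extra` dict playing the role of authlib's authorize_params, and it builds the state as a signed, time-limited token so that the user id a callback reads back out of it cannot be swapped for someone else's and a stale value cannot be replayed. The endpoint, client id, secret and ids are constructed placeholders.

```python
"""OAuth 2.0 authorization request with extra params and an HMAC-signed state."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values: a real app keeps the secret server-side and rotates it.
STATE_SECRET = b"constructed-server-side-secret"
STATE_TTL = 600  # seconds the authorization round-trip is allowed to take


def make_state(provider, user_id, secret=STATE_SECRET, now=None):
    """Encode provider|user_id|issued_at|nonce and append an HMAC-SHA256 tag.

    The nonce keeps every state unique (it doubles as a cache key, as the
    LinkedIn poster wanted); the tag lets the callback reject tampering.
    provider and user_id must not contain '|'.
    """
    now = int(time.time()) if now is None else now
    payload = f"{provider}|{user_id}|{now}|{secrets.token_hex(8)}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def parse_state(state, secret=STATE_SECRET, now=None, ttl=STATE_TTL):
    """Verify tag and age, then return (provider, user_id).

    Raises ValueError for a malformed, forged or expired state, so the callback
    never acts on a user id it did not issue itself.
    """
    fields = state.split("|")
    if len(fields) != 5:
        raise ValueError("malformed state")
    provider, user_id, issued, nonce, tag = fields
    payload = f"{provider}|{user_id}|{issued}|{nonce}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("state signature mismatch")
    now = int(time.time()) if now is None else now
    if now - int(issued) > ttl:
        raise ValueError("state expired")
    return provider, user_id


def state_is_valid(state, secret=STATE_SECRET, now=None, ttl=STATE_TTL):
    """Boolean convenience wrapper around parse_state()."""
    try:
        parse_state(state, secret, now, ttl)
        return True
    except ValueError:
        return False


def authorization_url(endpoint, client_id, redirect_uri, scope, state, **extra):
    """Compose the authorization request URL.

    `extra` is where provider-specific parameters such as audience go (the job
    authlib gives to authorize_params). redirect_uri is passed without a query
    string of its own, since providers like LinkedIn ignore or reject one.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    params.update(extra)
    return f"{endpoint}?{urlencode(params)}"


def query_params(url):
    """Flatten the query string of a URL (used for the callback's code/state)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    st = make_state("atlassian", "543")
    url = authorization_url("https://provider.example/authorize", "constructed-client-id",
                            "https://app.example/auth/callback", "read:jira-work", st,
                            audience="api.atlassian.com")
    print(url)
    # The provider redirects back with ?code=...&state=<st>; the callback then does:
    print(parse_state(query_params(url)["state"]))
```

The state still has to be checked against the user's session on the callback for CSRF protection; the signature only guarantees that the data inside it came from this server unchanged, which is the property the "Linkedin-<random>-<userId>" scheme above does not have on its own.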

How to configure Custom Attributes in SP metadata

I came to know that in any SSO solution, if the SP needs any additional attributes it can publish them in its metadata using the AttributeConsumingService argument. The required attributes can then be added as below:
    <md:AttributeConsumingService index="0"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <md:ServiceName xml:lang="en">ABC</md:ServiceName>
        <md:ServiceDescription xml:lang="en">ABC</md:ServiceDescription>
        <md:RequestedAttribute isRequired="true"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            Name="urn:oid:2.5.4.42"
            FriendlyName="FirstName"/>
    </md:AttributeConsumingService>
Now, if I want to add a custom attribute in my SP metadata, let's say "Role" of a user, how should I add it in the metadata? I mean, what would be its Name (this is what I'm unable to find!), NameFormat (is it urn:oasis:names:tc:SAML:2.0:attrname-format:uri?) and FriendlyName (can I give it as "Role" here?). I've not found anything related to this in the SAML2Core document.
Any suggestions please!
Thanks,
Abhilash
There is no universal answer as it depends on which IDP/federation you use and what is supported by it.
Generally, the friendly name is just a human-readable identifier for the attribute and the value can be freely defined.
The NameFormat and Name are defined based on Attribute Profile used by your IDP (e.g. Basic profile, X.500/LDAP Profile, ...). The expected values can be found in SAML 2.0 profiles document chapter 8.
You can find an example of how this is employed in practice for e.g. inCommon federation in their documentation.
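As the answer says, the Name and NameFormat of a custom attribute are whatever the IdP or federation agrees to support; what the SP controls is publishing them correctly. The script below is an added example (not from the question, the answer, or any SAML library) that builds the AttributeConsumingService element from a list of requested attributes with Python's standard xml.etree and reads it back, so the generated metadata fragment can be checked before it is exchanged with an IdP. The two NameFormat URNs are the real SAML 2.0 values; using NameFormat basic with Name="Role" for the custom attribute is this example's assumption, not a rule, and the X.500/LDAP-profile alternative is to register an OID and use the uri format exactly as the FirstName attribute does.

```python
"""Build and read back an SP AttributeConsumingService (SAML 2.0 metadata)."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XML_NS = "http://www.w3.org/XML/1998/namespace"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"      # X.500/LDAP profile
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"  # Basic profile
ET.register_namespace("md", MD)


def attribute_consuming_service(service_name, attributes, index=0, lang="en"):
    """Return the md:AttributeConsumingService element as a string.

    attributes: iterable of (Name, NameFormat, FriendlyName, is_required).
    """
    acs = ET.Element(f"{{{MD}}}AttributeConsumingService", {"index": str(index)})
    name = ET.SubElement(acs, f"{{{MD}}}ServiceName", {f"{{{XML_NS}}}lang": lang})
    name.text = service_name
    desc = ET.SubElement(acs, f"{{{MD}}}ServiceDescription", {f"{{{XML_NS}}}lang": lang})
    desc.text = service_name
    for attr_name, name_format, friendly, required in attributes:
        ET.SubElement(acs, f"{{{MD}}}RequestedAttribute", {
            "Name": attr_name,
            "NameFormat": name_format,
            "FriendlyName": friendly,
            "isRequired": "true" if required else "false",
        })
    return ET.tostring(acs, encoding="unicode")


def requested_attributes(xml_text):
    """Parse a metadata fragment and list (Name, NameFormat, FriendlyName, required)."""
    root = ET.fromstring(xml_text)
    return [
        (e.get("Name"), e.get("NameFormat"), e.get("FriendlyName"), e.get("isRequired") == "true")
        for e in root.iter(f"{{{MD}}}RequestedAttribute")
    ]


# Constructed request list: the FirstName entry mirrors the question's metadata;
# the Role entry assumes the IdP serves custom attributes under the Basic profile.
REQUESTED = [
    ("urn:oid:2.5.4.42", URI_FORMAT, "FirstName", True),
    ("Role", BASIC_FORMAT, "Role", True),
]

if __name__ == "__main__":
    fragment = attribute_consuming_service("ABC", REQUESTED)
    print(fragment)
    for entry in requested_attributes(fragment):
        print(entry)
```

The fragment slots into the SPSSODescriptor of the SP's EntityDescriptor; once the IdP has confirmed which Name/NameFormat pair it releases "Role" under, change only the REQUESTED entry, and the parser side can double as a check that the IdP's released attribute matches what was requested.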

Cannot use REST comments in Swagger

I have downloaded swagger ui and am experimenting with it locally. It works fine in scenarios like "path", "body", and "query". But most of my use cases use rest comments.
i.e. /resourcePath/;tags
URI to retrieve the tags of a specific resource.
When I try this, the UI gets jumbled when adding the semicolon and malforms the sorted UI, and I cannot go beyond this.
So is this a known limitation? Is there a workaround to accomplish this target?
Appreciate any input to this..
Swagger is expecting you to specify path params in curly-brackets like {tags} and query params as comma-delimited, such as id=1,2,3,4. Some frameworks use semi-colons as delimiters but swagger likes commas.
Can you describe more what you're looking to do, with a more concrete example? Per design, comments on the api belong in the description and notes fields for operations, please see swagger-core wiki for details.
The Swagger codegen project has a validator which can be used to verify that your spec is properly formatted.