I am getting this rather unhelpful error and it seems to occur for a large variety of things based on the SO posts. So here I am.
I went here https://apps.dev.microsoft.com, logged in and created a new App. I generated a secret and stored it for later on a post-it note... I granted "Group.ReadWrite.All" under "Delegate" as the create channel API doc says I should. I left everything else in the App as default.
I then do a token request like so:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
"https://login.microsoftonline.com/$TENANT/oauth2/v2.0/token" \
-d "client_id=$APP_ID" -d "scope=https%3A%2F%2Fgraph.microsoft.com%2F.default" \
-d "client_secret=$PASSWORD" -d "grant_type=client_credentials"
which gives me this mess:
{"token_type":"Bearer","expires_in":3600,"ext_expires_in":0,"access_token":"BIG_LONG_TOKEN"}
I then take that token and stuff it into my Authorization header and make the call to create the channel:
curl "https://graph.microsoft.com/beta/groups/$TENANT/channels" \
-H "Content-type: application/json" \
-H "Authorization: Bearer $BIG_LONG_TOKEN" \
-d '{
"displayName": "mynewchannel",
"description": "Channel Description"
}'
But this results in tears and this:
{
"error": {
"code": "",
"message": "Authorization has been denied for this request.",
"innerError": {
"request-id": "c572f6df-7537-4a53-aefc-fcc8c71e2037",
"date": "2018-04-17T23:46:50"
}
}
}
I am not sure what I'm missing, but hopefully it's obvious to someone else...
EDIT: Interestingly, if I set TOKEN to garbage, I get a more helpful answer, but this indicates my TOKEN is at least mostly ok and it is more of a authorization rather than an authentication issue
TOKEN=garbage
curl -X GET "https://graph.microsoft.com/beta/groups/$TENANT/channels" -H "Content-type: application/json" -H "Authorization: Bearer $TOKEN"
Results in
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "CompactToken parsing failed with error code: 80049217",
"innerError": {
"request-id": "166cb22b-c135-45e9-9f23-0e73bc68475d",
"date": "2018-04-18T00:20:47"
}
}
}
I went here https://apps.dev.microsoft.com, logged in and created a new App. I generated a secret and stored it for later on a post-it note...
According to Create Channel Rest API document, Application type permission is not supported. So you get the error information Authorization has been denied for this request.
Delegated permissions are used by apps that have a signed-in user present. For these apps either the user or an administrator consents to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Microsoft Graph. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent.
As Wajeed - MSFT mentioned that you could use Graph explorer with your account login to have a try.
Note: APIs under the /beta version in Microsoft Graph are in preview and are subject to change. Use of these APIs in production applications is not supported.
Related
In order to transmit HL7v2 messages over TCP/IP connections using the minimal lower layer protocol (MLLP) I'm following this guide. When I get to the part where I create an HL7v2 store configured with a Pub/Sub topic (here) I get an error.
This is what I typed in my terminal:
curl -X POST \
--data "{
'notificationConfigs': [
{
'pubsubTopic': 'projects/PROJECT_ID/topics/PUBSUB_TOPIC',
'filter': ''
}
]
}" \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
"https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/hl7V2Stores?hl7V2StoreId=HL7V2_STORE_ID"
This is the error I get:
{
"error": {
"code": 403,
"message": "Permission healthcare.hl7V2Stores.create denied on resource projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID (or it may be malformed or not exist)",
"status": "PERMISSION_DENIED"
}
}
The Dataset projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID exists, I double checked it.
So, is this somehow related to my permissions (IAM policy) ? I don't understand because I am Administer HL7v2 Stores.
How can I create my Datastore without getting this error ?
I found out that the command gcloud auth application-default print-access-token was not returning the correct token but gcloud auth print-access-token is.
So with the right auth token, the command works and I get the correct response:
{
"name": "projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/hl7V2Stores/HL7V2_STORE_ID",
"notificationConfigs": [
{
"pubsubTopic": "projects/PROJECT_ID/topics/PUBSUB_TOPIC"
}
]
}
I'm setting up Keycloak as an authentication server https://github.com/keycloak/keycloak/releases/download/12.0.0/keycloak-12.0.0.zip
Java 11
Documentation: https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/oidc-generic.adoc
I can generate the access_token via /realms/{realm-name}/protocol/openid-connect/token
but I cannot call the userinfo endpoint /realms/{realm-name}/protocol/openid-connect/userinfo using a valid access_token which I get from the first API.
POST http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/token
{
client_secret: ...,
grant_type: ...,
client_id: ...,
}
response
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxOE..."
"expires_in": 3600,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0,
"scope": "create"
}
But here is the result when I call the get user info API
GET http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/userinfo
Header: Bearer ${access_token}
Are there any suggestions?
Thank you
Post man test
Keycloak server's log is same
Keycloak bug
I think this is an issue on KC 12.0
When I use KC 11.0.3, above APIs work fine
https://github.com/keycloak/keycloak-community/issues/224
The Jira story:
https://issues.redhat.com/browse/KEYCLOAK-17217
Make sure you are calling the endpoint as follows.
First getting the token:
curl -d "client_id=$YOUR_CLIENT_ID" \
-d "client_secret=$YOUR_CLIENT_SECRET" \
-d "grant_type=client_credentials" \
http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/token)
Extract from the JSON response the access_token field (e.g., jq -r .access_token)
Then call the userinfo as follows:
curl -X GET http://127.0.0.1:8080/auth/realms/test/protocol/openid-connect/userinfo \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN"
With Postman:
For a setup with Realm Name = "test", client_id = "test", client_secret = "63b61af0-5a99-41d7-8f9b-4e3059b8b9ab" and using client_credentials grant_type.
Getting the token:
and getting the userinfo:
EDIT
The approach below works with Keycloak 10.0.x, and 11.0.x, but gets exactly the same issues as OP's for the version Keycloak 12.0.x (including the latest release Keycloak 12.0.2).
This seams to be regression added with Keycloak 12.0.0 follow this issue for update information.
I am working with Prime Trust's API and I'm unable to create a JWT token. I am following the documentation which states the following:
Getting Started with the Custody APIs - (Sandbox Specific)
You need totake the current steps to get started via the APIs
Create a new User
Authenticate with the APIs by getting a JWT.
Create an Account.
Test Mode APIs - Approve the owner of the account for CIP and AML.
Test Mode APIs - Open an Account for Funds
I was able to create a user following the documentation, but I'm stuck on the creation of the JWT Token. According to the documentation I should create the token using the below:
JSON Web Tokens (JWTs)
JSON Web Tokens or JWTs are the preferred method of authentication for all requests besides actually generating a JWT. Since JWTs are not persisted server resources, they are not created using a JSONAPI style request or response.
Creating a new JWT
A new JWT can be created by passing a user's credentials using HTTP
Basic Authorization to the following endpoint. Any special settings on
the JWT such as IP whitelisting, expiration time or TOTP MFA must be
passed in as form values during creation.
POST /auth/jwts
Here's the example call they give:
curl --location --request POST "https://sandbox.primetrust.com/auth/jwts" \
--header "Content-Type: application/x-www-form-urlencoded" \
--form "expires_at=2019-06-06T07:30:40Z" \
--form "otp=382948" \
--form "cidr[]=192.168.1.213/32" \
--form "cidr[]=127.0.0.1/32"
I've tried a combination of different calls with the details outlined below, but have the below error on all of my attempts:
401 Unauthorized
{
"errors": [
{
"status": 401,
"title": "Not authenticated."
}
]
}
Bodies
POST https://sandbox.primetrust.com/auth/jwts
POST https://sandbox.primetrust.com/auth/jwts
{
"email": "email#email.com",
"password": "123abc"
}
POST https://sandbox.primetrust.com/auth/jwts
{
"data": {
"email": "email#email.com",
"password": "123abc"
}
}
POST https://sandbox.primetrust.com/auth/jwts
{
"name": "name",
"email": "email#email.com",
"password": "123abc"
}
POST https://sandbox.primetrust.com/auth/jwts
{
"id": {guid},
"name": "name",
"email": "email#email.com",
"password": "123abc"
}
POST https://sandbox.primetrust.com/auth/jwts
{
"id": {guid},
"password": "123abc"
}
Headers
Content-Type: application/json
expires_at: 2019-12-31T11:59:59Z
alg: HS256
typ: JWT
I recognize that my calls don't line up with the example call exactly, but my understanding from the documentation is that all that should be required is a name & password to generate the JWT token. What am I missing?
Update 1
Based on reaching out to Prime Trust support the username/email need to be included as parameters rather than in the body of the url. I tried the below URLs without success
https://sandbox.primetrust.com/auth/jwts?email=email#email.com&password=123abc&id={guid}
https://sandbox.primetrust.com/auth/jwts?email=email#email.com&password=123abc
https://sandbox.primetrust.com/auth/jwts?password=123abc&id={guid}
https://sandbox.primetrust.com/auth/jwts?name=name&password=123abc
According to docs:
Creating a new JWT
A new JWT can be created by passing a user's credentials using HTTP Basic Authorization to the following endpoint. Any special settings on the JWT such as IP whitelisting, expiration time or TOTP MFA must be passed in as form values during creation.
So basically all you need is create an Authorization header set to Basic Auth with your credentials:
curl -X POST \
https://sandbox.primetrust.com/auth/jwts \
-H 'Authorization: Basic YOUR_BASE64_ENCODED_EMAIL_AND_PASSWORD' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'cache-control: no-cache'
I have created a Watson data science experience (DSX) account, created a catalog into it and added data assets to it.
I am trying to use the REST APIs as documented at: https://developer.ibm.com/api/view/id-1084:title-Watson_Data_Platform_Core_Services#id36962
... to retrieve the assets using curl.
curl -H "Authorization: Bearer <---stripped the auth token --->" -X GET 'https://api.dataplatform.ibm.com/v2/assets?catalog_id=bd2b56c3-091f-4ff5-beab-b3a1da85488d'
I get the following response:
{
"errors": [
{
"code": "invalid_parameter",
"message": "COMSV3006E: Missing or Invalid 'asset' id",
"target": {
"name": "asset",
"type": "parameter"
}
}
],
"trace": "e7b07khusvkj7s0ymgrggm6si"
}
How do I specify the asset id to retrieve the same?
Also, I am looking to upload assets, assign metadata/tags to existing assets using REST APIs. Is there any documentation/tutorial available, which can help explain me that?
One option is the search api, although it is listed as deprecated:
curl -X POST -d '{"query":"asset.asset_state:available"}' -H "Content-Type: application/json" https://api.dataplatform.ibm.com/v2/catalogs/<catalog_guid>/types/<type>/search -H "Authorization: Bearer ...."
https://developer.ibm.com/api/view/id-1084:title-Watson_Data_Platform_Core_Services#id37001
For <type>, you probably want data_asset, but you can also look up all existing types:
curl -X GET https://api.dataplatform.ibm.com/v2/catalogs/<catalog_guid>/types -H "Authorization: Bearer ...."
https://developer.ibm.com/api/view/id-1084:title-Watson_Data_Platform_Core_Services#id36916
As per Couchbase Sync-Gateway REST API documentation here below mentioned cURL should create a document in the specified database.
Below is the generated cURL from Postman.
curl -X PUT -H "Cache-Control: no-cache" -H "Postman-Token: 498d0fb6-77ac-9335-2379-14258c6731c7" -d '' "http://192.168.244.174:4984/db/"
I also tried adding JSON to the body of the request.
But when I send the put request through Postman, instead of creating a new document, it tries to create a new database and the JSON response is
{
"error": "Precondition Failed",
"reason": "Database already exists"
}
Am I missing something or it was a bug? Is there any other way to create a document to sync gateway?
There is a mistake in the documentation.
As per documentation,
You can either specify the document ID by including the _id object in the request message body, or let the software generate an ID.
But Couchbase REST API does not seem to work like that (may be they are not updating their documentation regularly). You need to provide the id in the URL like /{db}/{id}.
The below cURL worked for me.
curl -X PUT -H "Content-Type: application/json" -H "Cache-Control: no-cache" -H "Postman-Token: 75ab844e-5130-708e-69e9-e87f878108b4" -d '{"name": "xxx",
"full_name": "xxx yyy"}' "http://192.168.244.174:4984/db/123"
JSON response is
{
"id": "123",
"ok": true,
"rev": "1-9324dabc947fc963a754b113d1215ac3"
}