Airflow with Google Authentication - google-authentication

Currently, I am trying to integrate the airflow with google authentication.
I am able to open the login page, but every time I try to login, I always get this error:
"You don't seem to have access. Please contact your administrator."
I have created a user in Airflow; the username is the same as my email that will be authenticated.
Am I missing something? Is any other configuration needed?
For configuration settings, I followed everything stated in this link: https://airflow.apache.org/security.html#google-authentication
Thanks,
Maria

I solved this issue by removing quotes from the value of domain in airflow.cfg.
So I changed my config from:
[google]
client_id = google_client_id
client_secret = google_client_secret
oauth_callback_route = /oauth2callback
domain = "example1.com,example2.com"
to:
[google]
client_id = google_client_id
client_secret = google_client_secret
oauth_callback_route = /oauth2callback
domain = example1.com,example2.com
The documentation is misleading.
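Why the quoted value fails, as an added example (not from the original posts and not Airflow's own code): Python's configparser keeps the quotes as part of the value, so a comma split yields entries that no e-mail domain can equal. The domain_check function is an assumed stand-in for the backend's comparison, and the e-mail address is constructed.

```python
import configparser

# Constructed airflow.cfg fragments: the quoted form from the question
# and the unquoted form from the answer.
QUOTED = '[google]\ndomain = "example1.com,example2.com"\n'
UNQUOTED = "[google]\ndomain = example1.com,example2.com\n"


def allowed_domains(cfg_text):
    """Return the allow-list exactly as a plain comma split sees it."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    return parser.get("google", "domain").split(",")


def domain_check(email, cfg_text):
    """Assumed comparison: exact match of the e-mail domain against the list."""
    return email.rsplit("@", 1)[-1] in allowed_domains(cfg_text)


def lint_domains(cfg_text):
    """Return entries that can never equal a real e-mail domain."""
    return [
        entry for entry in allowed_domains(cfg_text)
        if entry != entry.strip() or entry != entry.strip("\"'")
    ]


if __name__ == "__main__":
    for label, cfg in (("quoted", QUOTED), ("unquoted", UNQUOTED)):
        print(label, allowed_domains(cfg),
              domain_check("maria@example1.com", cfg),  # constructed address
              lint_domains(cfg))
```

The lint also flags entries with stray whitespace, such as a space after the comma, which fail an exact-match check in the same way.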

The mistake was that I set the domain to the alias domain instead of using the original domain.
After I changed to the original domain, it works.

Related

Authentication Grafana via JWT

I am new to Grafana and I want to use JWT authentication as described in the Grafana docs: https://grafana.com/docs/grafana/latest/auth/jwt/ How can I generally use the JWK to authenticate with an external identity provider?
Specifically, which jwts endpoint do I have to use? Is it the main base URL for my provider? And then the provided HTTP auth header?
My grafana.ini configuration file:
[auth.jwt]
enabled = true
header_name = X-JWT-HEADER
cache_ttl = 60m
jwk_set_url = https://$AUTH-PROVIDER-URL/
username_claim = user
email_claim = email
After restarting the Grafana server I see no changes on my Grafana login page and I can still log in only with the admin user. Should this work with such a configuration, or have I missed something?
Note that the auth.jwt is currently broken by design:
https://github.com/grafana/grafana/issues/8198
Even if you get everything else right, it requires you to have prepopulated all accounts in Grafana. It should provide functionality similar to the auto-sign-up provided in auth.proxy. The whole argument for auth.jwt is to provide something similar to, but safer than, auth.proxy:
https://cloud.google.com/iap/docs/identity-howto
#Ying.Zhao
The authentication with JWT didn't work because some claim properties were missing in the JSON web endpoint (JWKs URL).
Alternatively, you can use the "auth generic" or proxy-auth for your OAuth login.
[auth.proxy]
enabled = true
# HTTP Header name that will contain the username or email
header_name = X_HEADER_NAME
header_property = username

Forward email using MailKit

I am trying to email EML files via the Gmail SMTP server using MailKit. I followed the example provided by jstedfast to build a MimeMessage and send it via the Gmail SMTP server. I am able to send email using both simple authentication (user account, user password) and OAUTH2. I followed the example on how to set up OAuth2 for use with Google Mail and all works fine, except that it seems that I have to configure the access scopes to include "https://mail.google.com/"
var accessScopes = new[]
{
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.send"
};
otherwise sending fails with the following error:
535: 5.7.8 Username and Password not accepted. Learn more at
5.7.8 https://support.google.com/mail/?p=BadCredentials c5sm231676iod.25 - gsmtp
I assumed that I need to configure access scope with the gmail.send only but it doesn't seem to work.
"https://www.googleapis.com/auth/gmail.send"
I don't want to configure "https://mail.google.com/" which implies full access to the gmail account. When the consent screen is presented to users, users may hesitate to accept all access scopes which seems to be required otherwise sending of mails fails.
I tried to configure some of the read only scopes instead of "https://mail.google.com/" but it doesn't seem to work.
What am I missing?
Thank you
The "https://mail.google.com/" scope is the only scope that works with SMTP, POP3 and/or IMAP.
All of the other scopes are only available to use with the Google REST APIs.

Keycloak redirect page shows We are sorry.. page not found

I have deployed Keycloak on my EKS cluster and am able to access the dashboard successfully, and I have already created a new realm.
So I thought of testing my keycloak, and went to https://www.keycloak.org/app/ for testing.
I have created a client with the root URL "https://www.keycloak.org/app/" and created one User also.
I have successfully tested my user using the account login of my realm.
Then I went to https://www.keycloak.org/app/ and entered my Keycloak URL as https://keycloak.test.nip.io, the realm as Test (same name as my realm), and the client name as portal (same name as the client created on Keycloak).
When I hit Sign in, it redirects to my Keycloak URL but shows We are Sorry... Page not found
Does anyone know why I am receiving this error and how I can avoid it?
Issue fixed. So there is a catch: my realm name was Test. So I was entering the same and it was not working, and then I tried writing it in lowercase as test. Boom, it worked.
TIP: No matter what case your realm name is in, if you are facing this issue, try it in lowercase. It solved it for me and I hope it works for others too.
Thanks, guys...
I too had this error. I followed instructions somewhere for configuring the keycloak client application's url, realm, and clientId properties. In the instructions it said to configure the url to http://localhost:8080/auth. I think this must have changed somewhere along the way.
Changing the url property to http://localhost:8080 fixed the error :)

java.io.IOException: Error reading credentials from stream, 'type' field not specified

I am trying to authenticate a Java app to the Google Photos API using my own account, which doesn't support service_account as per the documentation. The problem is that the file generated by the google-console for OAuth2 authentication doesn't contain a type field, and only the file generated by creating credentials for a service account will work.
I tried authenticating the web-app through gcloud auth application-default login with/without reading the generated file, which does contain a type/client_id/client_secret/refresh_token.
E.G.:
PhotosLibrarySettings settings =
    PhotosLibrarySettings.newBuilder()
        .setCredentialsProvider(FixedCredentialsProvider.create(
            GoogleCredentials.fromStream(
                new FileInputStream("credentials.json")
            )))
        .build();
Any ideas that might help?
I had the same issue when trying to use Google API for Calendar.
As explained here, your json file is invalid. He explains how to generate the correct json, using the "Service Account key" credential.
I don't know if this solves your problem, but it didn't for me. This type of credential requires a G Suite account, which wasn't what I was looking for. I was using the GoogleCredentials for OAuth2 authentication and in my json file, the only things it requires are type, client_id, client_secret and refresh_token.
The type accepts "service_account" (for G Suite) and "authorized_user" (for OAuth2).
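A pre-flight check for the file handed to GoogleCredentials.fromStream, as an added example (not part of the original posts): it tells the OAuth client file downloaded from the console, which nests its fields under "installed" or "web" and has no type, apart from the two types named above. The function name, the sample documents and the service-account field subset are assumptions.

```python
import json

# Fields the answer above lists for an authorized_user file.
AUTHORIZED_USER = {"client_id", "client_secret", "refresh_token"}
# Illustrative subset of service-account key fields (assumption).
SERVICE_ACCOUNT = {"client_email", "private_key"}
REQUIRED = {"authorized_user": AUTHORIZED_USER, "service_account": SERVICE_ACCOUNT}


def diagnose(text):
    """Classify a credentials JSON document.

    Returns (kind, missing_field_names). Only field names are reported,
    never values, so the result is safe to log.
    """
    doc = json.loads(text)
    if not isinstance(doc, dict):
        return ("not_an_object", ["type"])
    kind = doc.get("type")
    if kind is None:
        # The console's OAuth client download nests everything under
        # "installed" or "web" and carries no refresh token.
        if "installed" in doc or "web" in doc:
            return ("oauth_client_secrets", ["type", "refresh_token"])
        return ("unknown", ["type"])
    if kind not in REQUIRED:
        return ("unsupported:" + str(kind), [])
    return (kind, sorted(REQUIRED[kind] - doc.keys()))


# Constructed sample documents with placeholder values.
CLIENT_FILE = '{"installed": {"client_id": "ID", "client_secret": "SECRET"}}'
USER_FILE = ('{"type": "authorized_user", "client_id": "ID", '
             '"client_secret": "SECRET", "refresh_token": "TOKEN"}')
PARTIAL_FILE = '{"type": "authorized_user", "client_id": "ID"}'

if __name__ == "__main__":
    for name, sample in (("client", CLIENT_FILE), ("user", USER_FILE),
                         ("partial", PARTIAL_FILE)):
        print(name, diagnose(sample))
```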

Link Github to Namecheap: Validation failed

I am trying to link my GitHub account to my Namecheap account so I can use a custom domain for my GitHub page, but when I try to log in this happens:
A few notes that might be handy:
I use 2 factor authentication on GH
I tried using my regular password but it told me to use my 2FA OTP code
I generated a personal token on GH and used that instead of my password to login (which produced the error)
Any help would be much appreciated!
I chatted with the helpdesk and he said that you have to create the CNAME record pointing to your GitHub account manually.
http://davidensinger.com/2013/03/setting-the-dns-for-github-pages-on-namecheap/