How to authenticate user accessing my finatra rest api (Scala) with azure active directory - rest

I have a Scala rest service on Finatra and would like to authenticate users accessing my rest service using Azure Active Directory.
Currently, I can do a curl to get the access token:
curl -s -X POST https://login.microsoftonline.com/{tenant_id}/oauth2/token -d grant_type=password -d username=$username -d password=$pass -d resource=$resID -d client_id=$id -d client_secret=$key
But it requires the user to pass his password as a parameter, which is a security concern.
Is there a way to authenticate the user using Azure AD without taking in the password (I am pretty sure this is not possible) or by asking him to sign in?

It is not recommended to use your username and password to log in to your Azure account. You had better create a service principal to sign in to your Azure account. Please refer to this link: Use portal to create an Azure Active Directory application and service principal that can access resources.
Also, you could use Azure CLI 2.0 to create this.
az ad sp create-for-rbac --name {appId} --password "{strong password}"
Example:
az ad sp create-for-rbac --name shuiexample --password "Password012!!"
You could get result like below:
{
"appId": "bca24913-026d-4020-b9f1-add600bf9045",
"displayName": "shuiexample1234",
"name": "http://shuiexample1234",
"password": "*******",
"tenant": "*******"
}
Sign in using the service principal.
APPID="bca24913-026d-4020-b9f1-add600bf9045"
PASSWORD="******"
TENANTID="*******"
# Double quotes so the shell variables expand; scope=.../.default is a v2.0-endpoint parameter (the v1 /oauth2/token endpoint takes resource= instead)
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=$APPID&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=$PASSWORD&grant_type=client_credentials" "https://login.microsoftonline.com/$TENANTID/oauth2/v2.0/token"
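As an added example (not code from the question or the answer), here is a Python sketch of both sides of that flow: building the v2.0 client_credentials request with proper form encoding, and the claim checks the Finatra service has to apply to the bearer token it receives, after verifying the RS256 signature against the tenant's JWKS. Tenant id, client id, audience and sample claims are constructed values, and `make_demo_token` produces an unsigned sample only so the checks can be exercised offline.

```python
import base64
import json
import time
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

def build_client_credentials_request(tenant_id, client_id, client_secret, scope):
    # The v2.0 endpoint takes scope=<resource>/.default; the older /oauth2/token
    # endpoint expects resource= instead, so the two parameter styles must not be mixed.
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "scope": scope, "grant_type": "client_credentials"})
    return url, body

def _unb64url(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_demo_token(payload):
    # Constructed sample for offline tests: RS256 header, payload and a DUMMY signature.
    segs = [json.dumps({"alg": "RS256", "typ": "JWT"}).encode(), json.dumps(payload).encode()]
    return ".".join([base64.urlsafe_b64encode(s).rstrip(b"=").decode() for s in segs] + ["dummy"])

def decode_jwt_unverified(token):
    # Decodes header and payload only; trust nothing until the signature has been
    # verified against the tenant's JWKS (jwks_uri in its OpenID configuration).
    header, payload, _signature = token.split(".")
    return json.loads(_unb64url(header)), json.loads(_unb64url(payload))

def validate_claims(payload, tenant_id, expected_audience, now=None):
    # Claim checks the resource API applies AFTER signature verification;
    # returns the problems found, and an empty list means accept.
    now = time.time() if now is None else now
    problems = []
    issuers = {f"https://sts.windows.net/{tenant_id}/",  # v1.0 tokens
               f"{AUTHORITY}/{tenant_id}/v2.0"}          # v2.0 tokens
    if payload.get("iss") not in issuers:
        problems.append("issuer mismatch")
    if payload.get("tid") != tenant_id:
        problems.append("tenant mismatch")
    aud = payload.get("aud")
    if aud != expected_audience and not (isinstance(aud, list) and expected_audience in aud):
        problems.append("audience mismatch")
    if payload.get("exp", 0) <= now:
        problems.append("expired")
    if payload.get("nbf", 0) > now:
        problems.append("not yet valid")
    return problems
```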

Related

Create Azure AD "New client secret" with cli

How can I create an Azure AD client secret with the CLI? The following command seems to delete the already existing "client secret".
az ad sp credential reset --name {name} --end-date 2025-03-04 --credential-description {credential-name}
I was able to use az rest in the bash shell:
az rest --method POST --headers "Content-Type=application/json" --uri 'https://graph.microsoft.com/v1.0/myorganization/applications/{id}/addPassword' --body '{"passwordCredential":{"displayName":"test","endDateTime":"2032-05-11T07:29:41.763Z","startDateTime":"2021-11-11T08:29:41.763Z"}}'

Delete specific user from keycloak

I am checking the Keycloak documentation.
I am trying to figure out which endpoint I should use for deleting a specific user from Keycloak. I am using it within my Symfony project on a REST API.
Could someone clarify that for me?
First you need to get an access token from a user with admin-like permissions, for instance:
curl -d "client_id=admin-cli" \
-d "username=$ADMIN_NAME" \
-d "password=$ADMIN_PASSWORD" \
-d "grant_type=password" \
<YOUR_KEYCLOAK_DOMAIN>/auth/realms/master/protocol/openid-connect/token
From that response (i.e., a Keycloak Token Object), extract the access token. Then you need to use that access token, to call the following endpoints:
To delete a user you need to use the endpoint:
DELETE <YOUR_KEYCLOAK_DOMAIN>/auth/admin/realms/<YOUR_REALM>/users/{USER_ID}
To get the USER_ID, you can call the endpoint:
GET <YOUR_KEYCLOAK_DOMAIN>/auth/admin/realms/<YOUR_REALM>/users/?username=<THE_USERNAME>
or you can copy and paste it from the Keycloak Admin Console, under the Users tab:
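Added example, not code from the answer above: the three steps (admin token, user-id lookup, DELETE) as a small Python script. The `http` argument is any callable returning (status, parsed JSON), so the logic runs offline against the constructed `fake_http`; `urllib_http` is the assumed real transport, and the base URL, realm and credentials are placeholders. It also handles the edge case the answer glosses over: the username filter is a search, so the script refuses to delete unless exactly one exact match comes back.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def urllib_http(method, url, headers=None, body=None):
    # Assumed real transport: returns (status, parsed JSON or None).
    req = Request(url, data=body, method=method, headers=headers or {})
    with urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"null")

def get_admin_token(http, base, admin_user, admin_password):
    # Same request as the curl above: password grant on the master realm via admin-cli.
    body = urlencode({"client_id": "admin-cli", "username": admin_user,
                      "password": admin_password, "grant_type": "password"}).encode()
    status, data = http("POST", f"{base}/auth/realms/master/protocol/openid-connect/token",
                        {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return data["access_token"]

def find_user_id(http, base, realm, token, username):
    # ?username= is a search filter, not an exact match: keep only the entry whose
    # username equals the requested one (Keycloak lower-cases usernames) and refuse ambiguity.
    query = urlencode({"username": username})
    status, users = http("GET", f"{base}/auth/admin/realms/{realm}/users?{query}",
                         {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"user lookup failed with HTTP {status}")
    exact = [u for u in users if u.get("username") == username.lower()]
    if len(exact) != 1:
        raise LookupError(f"expected one user named {username!r}, found {len(exact)}")
    return exact[0]["id"]

def delete_user(http, base, realm, admin_user, admin_password, username):
    token = get_admin_token(http, base, admin_user, admin_password)
    user_id = find_user_id(http, base, realm, token, username)
    status, _ = http("DELETE", f"{base}/auth/admin/realms/{realm}/users/{user_id}",
                     {"Authorization": f"Bearer {token}"})
    if status != 204:
        raise RuntimeError(f"delete failed with HTTP {status}")
    return user_id

def fake_http(method, url, headers=None, body=None):
    # Constructed offline stand-in for a Keycloak server holding users alice and alice2.
    if method == "POST" and url.endswith("/token"):
        return 200, {"access_token": "constructed-token"}
    if method == "GET" and "/users?" in url:
        return 200, [{"id": "id-alice", "username": "alice"}, {"id": "id-alice2", "username": "alice2"}]
    return (204, None) if method == "DELETE" else (404, None)
```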

How do we retrieve user ID and iam token with below curl request?

As a federated user, I must use an API key or one-time passcode to authenticate. I have tried to execute the below curl request:
Example :-
Input :-
curl -s -u 'bx:bx' -k -X POST --header 'Content-Type: application/x-www-form-urlencoded' --header 'Accept: application/json' -d "grant_type=password&response_type=cloud_iam,ims_portal&username=${1}&password=${2}&ims_account=${3}" https://iam.ng.bluemix.net/oidc/token
Output :-
"errorMessage":"You cannot authenticate with user name and password, as you are a federated user","errorDetails":"Your user id '<<><><>>' is federated and must use an API key or one-time passcode to authenticate"
But how do we authenticate the user to generate the iam_token and iam_user_id?
Reference :-
https://softlayer.github.io/rest/IBMidtoSLKey/
The code snippet you reference from the SoftLayer guide has the result of setting the SoftLayer Username and API key:
echo "SL_USERNAME: $SL_USERNAME"
echo "SL_API_KEY: $SL_API_KEY"
This is a roundabout way to find the same information that is listed as API Username and Authentication Key seen in your User Profile. If you do not see an API username and Authentication Key, you can create one on the Actions menu next to your name in the User List.
You can then execute Infrastructure APIs, which I expect is the ultimate goal.
export IAAS_USERNAME=<API Username>
export IAAS_KEY=<Authentication Key>
curl -u $IAAS_USERNAME:$IAAS_KEY https://api.softlayer.com/rest/v3/SoftLayer_Account/getAllBillingItems
It's unclear if the discussion around IAM tokens is necessary. Please provide more guidance on what you're trying to achieve if the above suggestion is insufficient.

How can I configure IBM Cloud App ID as part of an open toolchain?

I am using IBM Cloud App ID for user management / authentication and Continuous Delivery with a toolchain to deploy the app to IBM Cloud. There is an API to configure App ID, e.g., to set the password strength or to disable email verification for signup.
How can I use that API within the deploy script of the toolchain?
This can be done by using an IAM (Identity and Access Management) token for the IBM Cloud platform to login, then obtain the App ID credentials to make the API call for the configuration itself.
#!/bin/bash
echo "Login IBM Cloud api=$CF_TARGET_URL org=$CF_ORG space=$CF_SPACE"
bx login -a "$CF_TARGET_URL" --apikey "$IAM_API_KEY" -o "$CF_ORG" -s "$CF_SPACE"
# Set up App ID service
#
# Create service key from which to obtain managementUrl
bx service key-create "${PREFIX}insurance-bot-appid" for-pipeline
# managementUrl includes tenantId
APPID_MGMT_URL=$(bx service key-show "${PREFIX}insurance-bot-appid" for-pipeline | grep '"managementUrl"' | awk '{print $2}' | tr -d '",')
# We need the IAM token (first line of the oauth-tokens output, last field)
IAM_OAUTH_TOKEN=$(bx iam oauth-tokens | sed -n 1p | awk 'NF>1{print $NF}')
# Now configure App ID for Cloud Directory; -d @file makes curl read the JSON body from the file
FILENAME=".bluemix/appid-config.json"
curl -v -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' \
--header "Authorization: Bearer $IAM_OAUTH_TOKEN" \
-d @"$FILENAME" "$APPID_MGMT_URL/config/idps/cloud_directory"
I found the code above in this deploy script, which is part of a demo with multiple services and a microservice architecture.

How do I use Cloud Foundry to login to IBM Bluemix?

I am trying to get started using IBM Bluemix and want to use the Cloud Foundry CLI to log in and manage my applications. But I cannot figure out how to log in using the cf command. I think what I am missing is the API endpoint I need to provide for the cf login command:
cf login -a [API_URL] -u [USERNAME] -p [PASSWORD]
I suspect I use my IBM ID username and password, but I'm not sure about the API_URL. Seems like this should be an easy question to search, but I have not been able to find an answer.
You set the API endpoint like this:
cf api https://api.ng.bluemix.net
and then you log in with cf login.
Alternatively you can use the European endpoint:
cf api https://api.eu-gb.bluemix.net
EDIT:
Alternatively, as you were implying, you can pass the API endpoint to cf login directly via the -a option:
cf login -a https://api.ng.bluemix.net -u <ibm.com id>
Found the answer to my question. The API endpoint for IBM Bluemix is https://api.ng.bluemix.net. That was the key piece of information I was missing to log in to IBM Bluemix using the Cloud Foundry CLI:
cf login -a https://api.ng.bluemix.net -u <IBM ID Name> -p <IBM ID Password>
I'm impressed with how easy the rest of the cf command is to manage apps.