We Keep Coding

Power BI API Admin Scopes 401 Unauthorized

I'm trying to get the Tenant.Read.All and Tenant.ReadWrite.All scopes when authorizing with the PBI REST API but I can't figure it out. I can get a token using Postman that contains every other scope but the two required for Admin calls to the API. I'm not using a service principal, just signing in when Postman gets a new token.

WSO2-AM 3.2.0 - OAuth token - Hash type

I'm making a request to WSO2-AM to get the OAuth Token to access the api published in the API Manager on behalf of the user. Everything is working with the big string returned in access_token but I'd like to use the short one version, probably encoded.
Request:
curl -X POST -H 'Content-Type:application/x-www-form-urlencoded' -u
<consumer-key>:<consumer-secret> -k -d
'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<id_token>'
https://<apim>:8243/token
Response:
{"access_token":"eyJ4NXQiOiJNell4TW1Ga09HWXdNV0kwWldObU5EY3hOR1l3WW1NNFpUQTNNV0kyTkRBe
lpHUXpOR00wWkdSbE5qSmtPREZrWkRSaU9URmtNV0ZoTXpVMlpHVmxOZyIsImtpZCI6Ik16WXhNbUZrT0dZd01XSTBaV05
tTkRjeE5HWXd....bZ-CD_r-2qkypeER7f8QMrLpozRipgHeCkpIKXx5PzSM6zBq5VjMW4EXSRg7LSu0JAJfD2UD6H4bqAiZPNiGy9vTLXc
Zr4g8WNzfKkr...
-hiAOt4SauSZxB1WWCFEZ0xyHVhbx7nAFzBVzfssF0DOYGXkc9hRJZGbG8VfiXb6PWtSfEjqJTSSY_aZWXw",
"refresh_token":"d3062fa0-1132-3532-b1b2-83c3c66136ff","token_type":"Bearer","expires_in":3600}
Expected:
{"access_token":"400f2a54-53d8-3146-88e3-be1bf5e7450d",
"refresh_token":"c2656286-449f-369f-9793 2cee9132de9f",
"scope":"default","token_type":"Bearer","expires_in":3600}
What I'm doing wrong that is not returning the short one?

I assume, that the expected by you access_token is the Opaque(Reference) Access Token, described in this WSO2 API Manager 3.1.0 documentation: Secure APIs using OAuth2 Opaque(Reference) Access Tokens.
But, according to the Release notes, from WSO2 API Manager 3.2.0, they removed this type of access token:
Out-of-the-box support to generate an opaque access token via the Developer Portal has been removed. Application Developers can create applications that only generate a JWT type access tokens.
So, the big string, you get is nothing more, like this JWT token, described here in documentation: JWT (Self Contained) Access Tokens, which you can decode on jwt.io site.

You can decode your long JWT from https://jwt.io/ and get the JTI value of it as the short one which will look similar to 400f2a54-53d8-3146-88e3-be1bf5e7450d.
Refer to the example shown below.
.

As you were referring to the short token. It is the opaque token and APIM 3.2.0 It is not shown while you creating the Application. You can get the default Token (opaque) By the WSO2 carbon management console.
Change Token Issuer to Default from JWT in ISP list for particular Application that you need to use.
enter image description here
Where I am generating opaque (Short) Token in APIM 4.0.0
enter image description here

Keycloak REST API 401 when using custom client with service account

we want to access the Keycloak (Version 10) REST API from one of our backend services. To authenticate, we have setup the followings:
new clients within our realm
enabled service account for that client
assigned all [1] roles of “realm-management” to the services account
Accessing the API, e.g. fetching a selected user always results in a 401 response.
Steps to make the requests are:
Retrieve access_token from https://my-keycloak.com/auth/realms/my-realm/protocol/openid-connect/token using grant_type=client_credentials + Client ID + Client Secret
Fetch user from https://my-keycloak.com/auth/realms/my-realm/users/some-user-id-4711
using the Authorization: Bearer $ACCESS_TOKEN with the Token from step 1.
My Question: Is it even possible to use a custom client or do we have to stick to login via admin-cli? How would we need to configure the custom client, to grant access to the REST API.
Thanks,
Martin
[1] Simply setting all roles for the sake of testing, regardless that we only want to read data in the end.

How to get rid of this error fetched while authenticating with JWT token at WSO2 IS?

I am trying to enable JWT authentication for my backend java microservice which is deployed locally and all the requests to the microservice is gated through WSO2 apim 2.6 .The JWT token provider is used as WSO2 IS 5.6 .
I have placed all required configurations both at WSO2 IS and WSO2 apim on my machine.Since both are on same machine I have configured an offset of 1 too.
I created a fresh user in apim store and used it to create application and subscribe api for the same user.The Token type configured is JWT .I used Postman as client for fetching the access token and the access token gets fetched as expected.Thereafter when I use the same token to access the required resource through api gateway it gives me back "Unclassified Authentication Failure" with code as "0" and description as "Access failure for API: /notification/1.0, version: 1.0 status: (0) - Unclassified Authentication Failure"
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>0</ams:code>
<ams:message>Unclassified Authentication Failure</ams:message>
<ams:description>Access failure for API: /notification/1.0, version: 1.0 status: (0) - Unclassified Authentication Failure</ams:description>
</ams:fault>
I am expecting the resource to get created as it is a post request via WSO2 apim to backend service.Please share any available insights on this

The token type JWT can only be used with api manager micro-gateways. You create OAuth application and try using the JWT grant type for it. You can find more information about the JWT grant type in
https://docs.wso2.com/display/AM260/JWT+Grant#JWTGrant-JWTBearerGrant

Validate oAuth 2 access token in APIGEE without VerifyOAuthTokens policy

We are using Apigee as our Authorization Server (AS) and we have a few Spring Restful services deployed in IBM Bluemix public cloud which acts as our Resource server (RS).
Each of the services has an equivalent proxy service configured in Apigee. For the proxy services, we have configured the VerifyOAuthTokens policy to verify the token passed by the user and return an error if invalid token is passed
The problem is, since our RS is in the public cloud (no plans or need of moving to a dedicated or private cloud) the api endpoints are open and can be invoked by anyone who knows the url.Though the expectation is everyone should call the apis via APIGEE proxies but we cannot force that since we are in public cloud and there are no options of opening ports coming from apigee or something. We would like to take the following approach to secure the api endpoints.
Accept the Authorization header for each call
Take the token and call a validate token service in Apigee
For 2, We are not able to find an APIGEE api which can validate an access token similar to say googles
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg
or Github's
GET /applications/:client_id/tokens/:access_token
Is there actually an external APIGEE service to validate a token?
If not, what would be the best way to make sure that only valid users with valid tokens can access the apis?
Thanks,
Tatha

Did you look at this post in the Apigee Community: Using third-party OAuth tokens
We did something similar to this but not using oauth tokens. We used Apigee to do a callout to a third party IDP (identity provider). The 3rd party IDP wasn't able to generate tokens but exposed a web service to authenticate the user. If the user was authenticated successfully (based on interpreting the result received back from the target endpoint webservice), then you tell Apigee that it was successful by setting the external authorization status to true (step #2 in the link).
NOTE: this has to be done inside an Assign Message Policy step PRIOR to the GenerateAccess token operation. Apigee interprets this as a successful authorization and then can generate a valid oauth token that the caller can then send along to access the protected API.