Security credentials for filepicker.makeDropPane - filepicker.io

The drag-drop pane widget documentation does not reference security policies or signatures.
I expected makeDropPane to take policy and signature options like the Javascript API.
Are secure uploads available via filepicker.makeDropPane()? If not, is it otherwise possible to have a standalone drag-drop pane that uses security policies?

Following up, this code has been pushed, and passing a security policy and signature are now possible for makeDropPane.

Related

Firestore security rules and custom claims - can users overwrite them?

I want to use custom claims in my Firestore security rules but I read that they can apparently be overwritten by users:
"However, if the same custom user claims are defined on a user signed in via custom authentication, the overlapping claims defined in the custom token have higher priority and always overwrite the custom user claims defined on a user via this API."
https://firebase.google.com/docs/auth/admin/custom-claims
Which defeats the purpose, so I guess I must be missing something?
EDIT: moved extra question to another post
A user cannot set custom claims on their own account. The only way to set custom claims on a user profile is through the Admin SDK, which requires that you have access to the project credentials of the Firebase project, something only collaborators on that project do.

Multiple authentication methods for a user in Keycloak

I would like to let my users have a choice which authentication method to use. For example, they could be presented with a menu to pick an option (username/pass, username/pass+OTP, etc).
Then, Keycloak should, based on their choice, assign specific scope to the token.
Is this possible to do with Keycloak (probably by somehow utilizing auth methods chaining) and how? I couldn't find this in the documentation but it seems like a reasonable use case to me.
Here is my solution:
Circled authenticators are custom ones for which I provided a custom implementation.
I used the fall-through mechanism, which means that the first authenticator implements a custom form:
which lets the user choose an authenticator and captures the user's choice in a variable.
Later, this variable is used in the following authenticators to decide whether to do the authentication or to pass on control to the next authenticator.
You can read more about Authentication SPI in the following page: https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
And here you can see how to implement a custom authenticator.
Here is what I did and it works:
'My goal was give ability to client to choose authentication flow, choose between otp based email and sms.'
I created a new authentication flow, see screenshot :
select 'Alternative' on both flows.
On login form new link will appear 'try another way'
Now the client can choose between flows. see screenshot :

Credentials in Streamsets

In my current project I'm working with StreamSets and I would like to use Hashicorp Vault as my credentials store, however I'm not able to use credential:get() function wherever I want to. E.g. in Shared Access Key in Azure IoT Hub Producer block. I know that I could use Runtime Properties but I don't think it solves my problem.
Am I missing something, or can I use credential:get() only in fields marked with a key icon?
You can only use credential:get() in fields marked with a key icon. This is by design, to minimize the chance of leaking credentials. For example, if credential:get() was allowed in URL parameters, a pipeline designer could send a request to a web server under their control to discover the credential. It may make sense to allow Shared Access Key to receive credentials. Please file an issue at https://issues.streamsets.com with your enhancement request.
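The design the answer describes, as an added example that is not StreamSets code: a configuration resolver that expands credential references only in fields the stage schema marks as secret (the "key icon" fields) and rejects them anywhere else, so a reference can never be expanded into a URL or other value that might be sent to an arbitrary endpoint or written to a log. The reference syntax `${credential:get("store", "group", "name")}` is assumed to mirror the StreamSets EL function; the in-memory credential store, the field schema and the config values are constructed for the demo.

```javascript
// Added example, not StreamSets code. The EL syntax is assumed; the store,
// schema and config values are constructed.
const CRED_REF = /\$\{credential:get\("([^"]+)",\s*"([^"]+)",\s*"([^"]+)"\)\}/g;

// Constructed stand-in for a credential store such as Vault.
const credentialStores = {
  vault: { all: { 'iothub-sas-key': 'SharedAccessKey=REDACTED-DEMO' } },
};

// Stage schema: only fields flagged secret may resolve credential references.
const iotHubProducerSchema = {
  connectionString: { secret: false },
  sharedAccessKey: { secret: true },
  proxyUrl: { secret: false },
};

function lookup(store, group, name) {
  const v = credentialStores[store] && credentialStores[store][group] &&
    credentialStores[store][group][name];
  if (v === undefined) throw new Error(`credential not found: ${store}/${group}/${name}`);
  return v;
}

// Resolves credential references in secret fields; throws if one appears in a
// non-secret field (for example embedded in a URL), instead of expanding it.
function resolveStageConfig(config, schema) {
  const resolved = {};
  for (const [field, value] of Object.entries(config)) {
    if (typeof value !== 'string' || !new RegExp(CRED_REF.source).test(value)) {
      resolved[field] = value;
      continue;
    }
    const spec = schema[field];
    if (!spec || !spec.secret) {
      throw new Error(`credential:get() is not allowed in non-secret field "${field}"`);
    }
    resolved[field] = value.replace(CRED_REF, (_, store, group, name) => lookup(store, group, name));
  }
  return resolved;
}

// Logging view of a config: secret fields are masked, never printed in clear.
function redactForLog(config, schema) {
  const out = {};
  for (const [field, value] of Object.entries(config)) {
    out[field] = schema[field] && schema[field].secret ? '***' : value;
  }
  return out;
}
```

Restricting expansion to typed secret fields is what lets the product also treat those fields specially elsewhere (masking in the UI, exclusion from exported pipeline definitions and logs); a free-form field has no such guarantees, which is why the enhancement the answer suggests is to mark Shared Access Key as a credential field rather than to allow `credential:get()` everywhere.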

Is it possible to write VSTS dashboards in pure html

We use VSTS dashboards and like to use the "embedded webpage" widget to display customized information. We do this by linking to a server where we put some code that calls the VSTS REST API. We authenticate using Personal Access Tokens (PATs) stored on the server.
To simplify this process we could skip the server and PATs altogether by using the embedded webpage widget and point it to a html file. This html file would contain javascript and perform the api calls to VSTS and display the information. This however is not possible because of CORS restrictions. We would need to provide a PAT to perform CORS which complicates things.
One workaround for this is to host the html page in git in VSTS. If we do this the CORS policy would match, but it is not possible to get the file from git with content type text/html, so the html is not rendered when put in the widget.
I also tried the IFrame extension which allows an iframe from a data: URI, but data URIs seem to have a different origin so it doesn't transfer the cookie, which means it won't authenticate.
I understand there is a security risk that it would be possible to perform API calls on behalf of whoever is viewing the dashboard, so it may be by design if it is not possible.
Is it possible to make a VSTS widget in pure html that calls the VSTS API without using PATs?
No, you can't, you need to do it in extension html file directly.

How do auto-form fillers such as Chrome or LastPass access the form elements on a website?

I was under the impression that accessing elements from a site is Cross-Domain Access and unless the origin was allowed then you couldn't access those elements from the 'target'.
How is this different for example than loading SalesForce.com in an Iframe and trying to access the Login Page (Which you can't due to obvious reasons) vs how LastPass can access those elements to fill in my password and username? Or even Chrome form filler?
Does a browser extension actually have more control or power to do this? If so, what's the underlying geeky details?
Thanks!!
Yes, when someone writes an extension they create a manifest defining the required permissions. So when installing the extension, you explicitly have to agree with these permissions, especially ones like 'Access your data on all websites'.
Extensions are by default bound to the regular sandboxing rules of websites, unless they request more via the manifest, like LastPass does, and Chrome itself does implicitly.
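Because the manifest is where an extension escapes the ordinary same-origin sandbox, reviewing it is the practical check for how much a form filler can reach. The following is an added example, not Chrome or LastPass code: a small audit of the permissions and host patterns a Manifest V3 extension requests, run over two constructed manifests, one with the broad grants a general-purpose form filler needs and one scoped to a single site. The permission and host-pattern keys (`permissions`, `host_permissions`, `content_scripts[].matches`, `activeTab`, `<all_urls>`) are real Manifest V3 names; the manifests themselves are constructed.

```javascript
// Added example, not browser-vendor or LastPass code. Manifest keys are the real
// Manifest V3 names; both manifests below are constructed for the demo.
const BROAD_HOST_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Permissions whose reach extends beyond the extension's own pages.
const SENSITIVE_PERMISSIONS = new Set([
  'tabs', 'webRequest', 'cookies', 'history', 'clipboardRead', 'scripting', 'debugger',
]);

// Returns a list of findings; an empty list means nothing broad was requested.
function auditManifest(manifest) {
  const findings = [];
  const contentScripts = manifest.content_scripts || [];
  const hosts = new Set([
    ...(manifest.host_permissions || []),
    ...contentScripts.flatMap((cs) => cs.matches || []),
  ]);
  for (const h of hosts) {
    if (BROAD_HOST_PATTERNS.has(h)) findings.push(`broad host access: ${h}`);
  }
  for (const p of manifest.permissions || []) {
    if (SENSITIVE_PERMISSIONS.has(p)) findings.push(`sensitive permission: ${p}`);
  }
  const runsEverywhere = [...hosts].some((h) => BROAD_HOST_PATTERNS.has(h));
  if (runsEverywhere && contentScripts.length > 0) {
    findings.push('content script injected into every page: can read and fill any form');
  }
  return findings;
}

// Constructed manifest with the grants a general-purpose form filler asks for;
// this is the "Access your data on all websites" prompt the answer mentions.
const formFillerManifest = {
  manifest_version: 3,
  name: 'demo form filler',
  permissions: ['storage', 'tabs'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['fill.js'] }],
};

// The same feature limited to one site, using activeTab (access to the current
// tab only, and only after a user gesture) instead of a standing grant.
const scopedManifest = {
  manifest_version: 3,
  name: 'demo form filler (scoped)',
  permissions: ['storage', 'activeTab'],
  host_permissions: ['https://login.example.com/*'],
  content_scripts: [{ matches: ['https://login.example.com/*'], js: ['fill.js'] }],
};
```

The content script itself runs in an isolated world: it shares the page's DOM (which is what makes filling possible) but not the page's JavaScript globals, and the page cannot reach the extension's storage. Everything beyond that is governed by the grants above, so a manifest review answers the question of what an installed extension can see.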