Is there a way to authenticate heroku HTTP Post deploy hooks? - deployment

Heroku lets you ping a URL after deploying an application:
https://devcenter.heroku.com/articles/deploy-hooks#http-post-hook
However, I see no mention of these requests being signed or otherwise authenticated.
Is there any way to authenticate these, beyond using an obscure url?
-Nick

You can and should use HTTP Basic Auth.
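A receiver that enforces the Basic Auth this answer recommends, as an added example rather than code from the original post or from Heroku. It assumes the credentials are embedded as userinfo in the hook URL registered with Heroku (so the POST arrives with an `Authorization: Basic ...` header); the host name and credentials are constructed placeholders.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed credentials for this example only; load real ones from config.
HOOK_USER = "deploy-hook"
HOOK_PASSWORD = "s3cr3t-example-only"

def build_hook_url(base_url, user, password):
    """Embed the credentials as URL userinfo, the usual way to hand Basic Auth to a webhook sender."""
    parts = urlsplit(base_url)
    userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    port = f":{parts.port}" if parts.port else ""
    return urlunsplit((parts.scheme, f"{userinfo}@{parts.hostname}{port}", parts.path, parts.query, ""))

def encode_basic(user, password):
    """Authorization header value a client derives from user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic_auth(header, user, password):
    """True only for a well-formed Basic credential equal to user:password;
    the comparison is constant-time so timing does not leak a partial match."""
    if not header:
        return False
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return False
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return False
    return hmac.compare_digest(decoded, f"{user}:{password}".encode())

class DeployHookHandler(BaseHTTPRequestHandler):
    """Accepts the hook POST only when it carries the expected credentials."""

    def do_POST(self):
        if not check_basic_auth(self.headers.get("Authorization"), HOOK_USER, HOOK_PASSWORD):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="deploy-hook"')
            self.end_headers()
            return
        self.rfile.read(int(self.headers.get("Content-Length", "0")))  # form-encoded body; act on it here
        self.send_response(204)  # authenticated: no content to return
        self.end_headers()

if __name__ == "__main__":  # run as a script to listen for hook deliveries locally
    HTTPServer(("127.0.0.1", 8000), DeployHookHandler).serve_forever()
```

Register the value returned by `build_hook_url` as the hook URL; anything that reaches the handler without matching credentials gets a 401 and is never acted on.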

Related

OAuth2 redirect URI for enterprise application

I'm working on an enterprise application and our UI is a web application. We are looking to add OAuth2 support and I don't understand what to provide for the redirect URI field to the OAuth provider.
For example, I have registered my app in github OAuth provider.
Homepage URL: https://localhost:7980/index.html
Authorization callback URL: https://localhost:7980/oauth_callback
Now this works fine with localhost as the hostname. But, when this application gets used by the customers they can install it on any of their boxes and invoke the web app from any device connected to our server via https://[hostname]:7980/index.html. In this case, if the customer wants to use OAuth2 authentication option, then I don't understand what should be the redirect URL. Obviously I cannot use localhost for redirect URL as the customer can access the web app from any machine. I wouldn't know the machine ip/hostname where the customers are going to be installing our server beforehand.
One suggestion was to use a server from our company which would handle redirect URLs for the OAuth2 authentication. Is this a good idea? Is there a standard way for handling the use case I have narrated above in OAuth2?

Need to provide both Basic Authorization and SSO on Bluemix Liberty server

I have a Java app running under Websphere Liberty on IBM Bluemix. I need to be able to authenticate users 3 different ways - Basic Auth, SAML SSO, and OpenAuth SSO, in that order.
I can set up the app to do Basic Auth (using custom code) or SAML SSO (using the Bluemix Single Sign On service), but can't figure out a way to configure it to handle both at once. (I haven't even looked into how to do OpenAuth yet.) If I configure the app to use the Bluemix SSO service, then my app never sees the incoming requests to check for a userid and password to try Basic Auth before the SSO service grabs it.
I tried changing the redirect URL in the SSO service to an endpoint inside my app, but then all I get is
CWOAU0062E: The OAuth service provider could not redirect the request because the redirect URI was not valid. Contact your system administrator to resolve the problem.
I can't be the only one that needs to do this. Can anyone tell me how they did it?

Account Linking - OAUTH2 auth code exchange using Basic HTTP Auth?

Our OAuth 2.0 server expects the client credentials for the auth-code-to-token exchange to be in a Basic HTTP Auth header, a common strategy detailed in the OAuth 2.0 RFC. Is there a flag that can be set on our account to enable this?
It does not appear we are exposing this setting via the Actions Console, but we do support this for properly configured clients.
I have reached out to the team responsible for Actions Console and will update this answer with instructions once we support this option.
We are also facing a similar issue. Our OAuth 2.0 server expects the client credentials to come in the Basic HTTP Auth header, but it looks like from the Actions console they are coming as part of the request body. As you have mentioned that the provision is there in your infrastructure, it would be great if you could have that provision in the Actions console as well, to send the client credentials in the Basic Auth header!

How to make exceptions for url securing app with Keycloak?

We have an app on Wildfly Server, secured with Keycloak, and everything works fine, but now we have to provide access for another app deployed on the same server. I don't want to write "complex" code with all the certificates for HTTPS and OAuth2 that we use for it; I would rather grant access for the second app from localhost, so that it can make requests to the first one (via the REST API) and get a response. When I check with curl from the server's terminal I also get an Unauthorized error, so I need to do all the same operations as for public access (get an access token from the OAuth provider). How could I set up Keycloak to grant access from localhost, for example? I haven't found anything like this in Keycloak or in standalone-full.xml (there are no properties for this) where I could put exclusions.
I appreciate your help!
Add localhost to Valid Redirect Uris and Web Origins of Keycloak's client or you can simply use * for development purposes so that all Uris are valid.

Can i use localhost as a URL Callback in a messenger webhook

Good evening, I just saw that Facebook released its Messenger bot toolkit and I immediately jumped right into it to learn more about it and maybe try to do my own.
My problem is that I don't have an HTTPS website running and it requires a valid HTTPS URL. I tried to use my local web server, which has a certificate, but it doesn't work.
My question is if this is possible to be done using a localhost url at all.
Thank you in advance
Actually this is possible with localhost. Use ngrok. It allows you to open localhost to the public web, over http or https. This should only be used for testing however.
If you want to test webhooks on your local environment, I would try ultrahook.com, you can get an API Key for free and the tool creates a tunnel from a public URL to your computer. This is from their FAQs page:
You download and run the UltraHook client on your computer. It connects to UltraHook servers in the cloud and creates a tunnel from a public endpoint on our servers to your computer. Any HTTP POST requests sent to the public endpoint will be sent through the tunnel and delivered to a private endpoint accessible from your computer.
I have used it to test webhooks from different providers (like payment gateways). In your computer, you can run something like:
ultrahook <subdomain> http://localhost:8000/webhook/
and then configure the webhook URL in your external service to something like <subdomain>.ultrahook.com
My question is if this is possible to be done using a localhost url at all.
No, of course it isn’t – because what such a “callback” actually means, is that Facebook makes a request to your server – and that is hardly possible with localhost.
A valid SSL certificate for your website is easy to get for free these days, via LetsEncrypt. And even if that is not available on your server, there’s still StartSSL, that provide basic certificates for free. All you need is a server you can install them on, or upload them to, or whatever mechanism your hoster provides for it. (And if they don’t provide any, then it might be time to switch.)