I have having a very strange issue Using Eclipse With the Amazon Integration.
If i right click on an item in my bucket and generate a presigned URL and then use this URL in a browser i will get the following error:
SignatureDoesNotMatch
The request signature we calculated does not match the signature you
provided. Check your key and signing method.
I have tried changing the keys in my amazon configuration, I have also tried with my server generating the key for the item but the access is also denied.
The credentials im using are the ones with the highest authority.
Is this a bug or is some special configuration needed? Like enabling the generation of presigned URLs or something.
If anyone has any experience on this it will be greatly appreciated.
This is quite normal situation for Eclipse. I would suggest you to use SDK for that.
Related
Trying to configure the salesforce connector to read data from salesforce using Google Data Fusion, but can't connect to Salesforce.
I keep getting "Connection to salesforce with plugin configurations failed" error message when hitting the "get schema" button on the connector. My guess is that this related to my salesforce connected app, but can't really tell. Is it related to the callback URL setting in the connected app? Did anyone succeed connecting to Salesforce using Data fusion?
It looks like the error is coming from https://github.com/data-integrations/salesforce/blob/abc563938e837b3bcfc42dbd4b26c0c6ef347451/src/main/java/io/cdap/plugin/salesforce/authenticator/Authenticator.java#L57.
Unfortunately it looks like the error message doesn't include anything from the root cause, but most likely it's failing during the oauth login, which makes a POST request to:
[login url]?grant_type=password&client_id=[client id]&client_secret=[client secret]&username=[username]&password=[password]
You could try making that request manually and see if you get an error back.
I was getting the same error, but I managed to solve it.
First things first, even though the Security Token is optional, I did not manage to make it work without it.
Apparently, depending on how your Salesforce instance is configured, if your password is mypassword, and your security token is XXXXXXXXXX, then the plugin uses mypasswordXXXXXXXXXX during the authentication.
Secondly, and most important, for the login URL field, this field is the oauth2 url. Therefore where before I was putting https://test.salesforce.com, I had to put https://test.salesforce.com/services/oauth2/token. With this final step, it worked. Below a screenshot of the field.
The problem is that I've gone through the API documentation of authy. Now there can be trust issues with the users to provide me their PII.
So I tried the Non-PII approach. For which I need a QR code to be scanned by my users.
Even though I've followed the exact process mentioned in the documentation after doing a test-drive of my application I tried scanning the QR code which gets generated in a php file that I've made. However the authy app after scanning the QR code says:
Account couldn't be added. Please contact your service provider
P.S. I will provide the PHP code that I've made which generates the QR code. However I just want to know if this is a known issue about Not being able to add an account to my Twilio authy application.
I'm seeing the same error. Have not been able to get a response from Authy dev support on what the error means (if it's a config issue, or issue with my code, etc). But, https://jwt.io/ says the token is correct, so I'm assuming it's an Authy config issue.
Ensure you have expiration date <= (issuing date + 15 minutes) on your JWT token.
That was a reason I had an error 'Account couldn't be added. Please contact your service provider'.
We're using ruby-saml to establish our app as a service provider while using Google as an identity provider, though I do not think this question is specific to Ruby or that project.
I have seen this answer from the point of view of an IdP, but I'm hoping to see one from the point of view of an SP, because I have a hard time believing Google is getting the signature on the response wrong.
On top of that, we have successfully integrated with other Google accounts, and they work at the same time this one is broken.
As the service providers, how can we figure out the source of an Invalid Signature on SAML Response from the identity provider?
We had same error, but different solution. Our problem was invalid characters in the xml response. Both parsing and validation failed. We could substitute the chars before parsing, but then the validation would still fail because of the changed content. The solution was to base64 decode the response, and open the xml response in an editor (or online xml validator) to find the problematic data. In our case: attribute name "objectSid" from AD. We then changed the simplesamlphp config so that it sent only the data we needed. Now the response validates and parses without problems. Btw in "settings.idp_cert" (using ruby-saml gem) we include both the "begin certificate and end certificate headers".
Also there are browser add-ons that will intercept the saml conversations for debugging purposes.
Also check this for online troubleshooting:
validate response:
https://www.samltool.com/validate_response.php
(be careful not to paste your private keys online. only public cert is needed for response validation)
validate xml:
https://www.xmlvalidation.com
online base64 decode:
https://www.samltool.com/base64.php
I ended up using the suggestion to use XMLSec in the answer I referenced in the question, and ran through the decoded base 64 response and the certificate(s) in the metadata file from Google.
That gave me the confidence that there was indeed something wrong with the certificates in the IdP metadata XML file that Google provided.
I then noticed that my working accounts only had 1 certificate in the file, while this one had two. So I removed one, and it did not work. Then I replaced it and removed the other, and it worked.
Then I found out that I could place both certs in the file as long as the working one was first.
I am not sure why there was a difference, and I do not know why Google outputs the certs in an order that XMLSec cannot use to verify the signature.
Perhaps someone with more knowledge than myself can chime in on that, but for now, I'm happy to report that simply reversing the order in which the certs appeared in the IdP metadata file from Google allowed the signature to be verified.
I needed to include this setting as well. YMMV, seems like the default algo is sha1, but the key and output that i was calculating using the openssl utility was using sha256:
settings.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig#sha256"
I followed up this tutorial to allow upload of files from GWT frontend directly to Google Cloud Storage using signed URLs. I've extended the Java example by specifying content type which worked just fine. Then, I saw that files uploaded this way weren't publicly readable. To get this working I've tried:
I've set up default ACL for newly uploaded objects gsutil defacl set public-read gs://<bucket>. Uploaded file again - no luck, stil not visible.
Then tried to set ACL on that object directly gsutil acl set public-read gs://<bucket>/<file> but it gave me AccessDeniedException: 403 Forbidden. It makes sense since gsutil is authenticated with my Google account and signed URL is being created with service account and it's P12 key.
I've tried to set up ACL at upload phase therefore added "x-goog-acl:public-read\n" canonicalized extension headers and appropriate query string param to pass signature check. Damn, stil no luck!
My assumption is that maybe this extension header I'm using is wrong? Then according to documentation all authenticated requests to GCS will apply private ACL by default.
Anyway - why I can't make these files publicly readable from Google Console when I'm logged in as project owner? I can make so for all files uploaded through console (I know that in that case the owner is project owner and not the service account).
What I'm doing wrong? How can I make them publicly readable by anyone?
Thanks in advice!
I think if you gone through the given docs. It clearly mention that, if you need the user to download the object without using the google account then this method provides an assigned URL for specific time to the User to download the object. I am assuming that might be its not possible to make those objects publicly available as they are signed. If still you need that functionality I would recommend you to go through the resumable upload or simple upload of the object.
Also try to put the service account of your project as the owner in the "Edit default permission of Object" in the developer console on the right side of your bucket name.
I have developed a app for using aws services, but i could not.I have "access key" and "secret key".But when go for s3 uploader i found error "No such bucket" and you are not sing up. I think , when i created the account i was not complete the "payment method" process.
So aws not provide the test mode . I am confuse please suggest me right way to do it.
Thanks in advance
I help maintain the AWS SDK for iOS. Building off the suggestions from Brad:
Make sure you can access the S3 console from AWS website. This will ensure you have an active and valid account
Make sure you have copied the access and secret keys correctly into the S3_Uploader sample application Constants.h correctly
The sample creates a unique name based on your access key. If this is failing for some reason you can update Constants.m in the sample to use your own custom name (or use a bucket that you've already created via the console)
It sounds like you don't have an active AWS account.
Do you have one? Can you access your bucket from a regular PC? I am guessing you don't. Make sure you can access your account and bucket from a regular dekstop before doing it on your iPhone. You need to go into the management console and create an S3 bucket, if not -you will get that error. (Either that, you are trying to access the wrong one).