I'm using GitHub App to build an automation that processes requests to provide access to repositories for select users. The App is authenticated using an installation access token which expires after an hour of creation. I'm using org.kohsuke.github-api library. Is there a way to refresh this token ?
I have tried to schedule a job to run the code creating installation access token on an hourly basis. I would like to know if there is any other way to do this?
Related
I would like to have access to my OneDrive files using Microsoft Graph API in Java. I've tested this sample : https://learn.microsoft.com/en-us/graph/tutorials/java, and added a "getFiles" part to it which displays informations about my files. For the moment, this works perfectly.
But I would like to avoid user sign-in each time I run the sample. Indeed, in the authentication part of the code, a DeviceCode is used to acquire the token, and I'm redirected to a Microsoft web page where I sign-in and authorize the application to have access to my account.
I tried to replace the DeviceCode with IntegratedWindowsAuthenticationParameters (I got this from here : https://github.com/Azure-Samples/ms-identity-java-desktop/blob/master/Integrated-Windows-Auth-Flow/src/main/java/IntegratedWindowsAuthFlow.java (line 73)) using my scopes and email address as parameters, but I got the error below :
"com.microsoft.aad.msal4j.MsalServiceException: WsTrust endpoint not found in metadata document"
Edit : IntegratedWindowsAuthenticationParameters isn't suitable for personal accounts like mine (xxxxx#hotmail.com), is there another way to acquire token with this type of account ?
Is it the right solution to access personal accounts ? Or did I miss something in the App configuration in AAD ? Are there any other solutions ?
Thank you for your help :)
Using a global tenant administrator account, which is your .onmicrosoft.com account.
Please verify and make sure you have logged in with the proper account for the App you registered.
username = xxxx#xxxx.onmicrosoft.com
Update
Integrated Windows Authentication (IWA) supports federated users only - users created in Active Directory and backed by Azure AD. Users created directly in Azure AD without Active Directory backing (managed users) can't use this authentication flow.
Please refer to this doc.
I'm trying to create a dataflow in Java with Gradle. I've created a gradle task to upload the job to GCP via the DataflowRunner and set my credentials via environment "GOOGLE_APPLICATION_CREDENTIALS", "....json", but when I view the job, all I see is:
Workflow failed. Causes: There was a problem refreshing your credentials. Please check:
1. Dataflow API is enabled for your project.
2. There is a robot service account for your project:
service-[project number]#dataflow-service-producer-prod.iam.gserviceaccount.com
should have access to your project.
If this account does not appear in the permissions tab for your project, contact Dataflow support.
I've already made sure the dataflow API is enabled for my project and that the service account exists and has editor and Cloud Dataflow Service Agent roles. I've tested with my code and the sample code on the getting started page, same issue.
This issue can be triggerd if the Compute Engine default service account in the Google Cloud project is disabled:
The status should show a green tick.
When you first use Dataflow in a new GCP project, you need to enable the API (Step 3 in the Quickstart), it could take few minutes. During this step a couple of service accounts are created:
Cloud Dataflow service account: service-<project-number>#dataflow-service-producer-prod.iam.gserviceaccount.com.
Controller service account: <project-number>-compute#developer.gserviceaccount.com.
The first account is the one in the error. I would think that you have not enabled the Dataflow API or you executed the job while the API was being enabled. As you mentioned you verified this, the nex step is checking if the default service accounts were modified, let's say, they were recreated or the default permissions changed. These revisions also apply for the Controller service account.
In addition, please don't forget to assign the proper permissions to the account that execute the Dataflow job.
UPDATE:
If the issue persists, it is probable that the service accounts were corrupted somehow, in which case, it is recommended to create a new GCP project with fresh service accounts or Contact Cloud Support.
I know that to deploy onto app-engine you can run the maven command:
mvn appengine:update
Which then prompts for the auth code and launches a browser to confirm you want to publish onto the app engine. I'm looking to automate this fully so it can just be run as a command from maven. I have the appengine-maven-plugin setup but there doesn't seem to be any functionality to skip the manual step.
Has anyone managed to solve this? I know you can deploy right from Jenkins but we're looking for a solution that could be automates if our Jenkins server was down
Thanks
The authentication flow which redirects you to the browser for login and consent is call three-legged Oauth because it involves three steps: 1) request for a token 2) login and consent 3) API call with token.
An authentication flow which does not involve user login and consent is called two-legged Oauth (server to server): 1) request for a token, signed with a private key 2) API call with token. Server to server auth requires that you setup a service account with appropriate permissions (scopes). You must also safely distribute the private key for that service account so that you can sign your requests. See the OAuth2ServiceAccount instructions
The Bitnami Jenkins image actually does quite a bit for you out of the box. When you setup Push-to-Deploy you launch an instance with gcloud. That launch command specifies the scopes you want that images to have access too with the --scopes parameter, including "https://www.googleapis.com/auth/appengine.admin". Permission to these scopes is given to the default project service account. When Jenkins deploys your code, the service account credentials are made available through the Jenkins Google Oauth Plugin.
You can build another tool that will push code programatically. You will need to create a service account which generates a JSON Web Token (JWT) Again see the Outh2ServiceAccount instructions. The JWT is your private credential and you need to find a secure place to store it. The App Engine SDK knows how to use JWTs to get auth tokens.
During runtime you can pass the path to the JWT file as the --service_account_json_key_file parameter to appcfg.py. To plumb that parameter through the Maven plugin you'll have to use -DadditionalParams="--service_account_json_key_file " which is available on the tip of github.com/GoogleCloudPlatform/appengine-maven-plugin/master. (Will be in App Engine release 1.9.27, but you can pull from Github until then.)
I've worked through the examples for performing OOB OAuth2 connections and it works fine from my laptop.
The challenge I'm having is that it fires up a browser, asking me to verify if I want to grant access for my app to the documents in question. From then on it stores my credential set in a local file and continues to work just fine.
The use case I have is that I have a number of departments in my company that want to leverage Google Docs spreadsheets for reporting. I then want to be able to run a program on a server (from a cron job) that can scrape this data and build an aggregated report for all departments.
I had intended on creating a "reporting user" that is granted read access to all of the documents in question, then run the report process using that identity.
I tried running it on my laptop, then copying the stored credentials to my server for it to use. But it seems those credentials are tied to the machine and so it forces a new verification flow via browser.
Any suggestions on how to work with the auth flow for Google Drive to allow me to do what I need?
TIA
Rather than needing to grant some user read-only access to all docs, I'd suggest using a service account which has been granted read-only access to all of your Google Apps domain user's docs:
https://developers.google.com/drive/delegation
use:
https://www.googleapis.com/auth/drive.readonly
as the OAuth scope that you grant the service account access to in the Control Panel. That way if the server is compromised you've limited access to read-only.
Create GoogleCredential with p12 file from API console (API Access > Create Another Client ID > Service Account etc):
GoogleCredential.Builder#setServiceAccountPrivateKeyFromP12File(File)
more info on Service Accounts
The other answers are better than this, but you can always get a set of credentials and save them in a file for reuse. Getting the credentials could be done with a web browser, but only once, and then your server could use them forever (as long as you request offline access and get a refresh token).
I'm currently developing an application that essentially perform background fetch of reports from a salesforce account and save them into a db, the flow goes more or less like this:
-A user logs-in in my app.
-Selects add salesforce connection.
-He is presented with a form to provide consumer key (client_id in some docs) and consumer_secret as shown in Develop-Remote Access (in a salesforce account).
-Then the app initiates web server flow as described here and the salesforce login form is presented so user can authorize my app, app get access token, then request refresh token.
-Once the app goes through all this process it obtaines the refresh token to update the access token once it expires so it can make subsequent call to API functions. Once the refresh token is get, the user doesn't have to go through all the flow, just log-in to my app and see his data updated.
This refresh token is obtained to perform updates of reports even when the user is not logged into the system.
However, before doing all that user has to go to the Develop - Remote Access section to get consumer and secret and provide it to the app. Average user don't get this easily, is there any way to simplify this? Any experience on how to simplify the process, am I looking at the wrong flow? Btw I'm working with java.
Thanks.
You can create one remote access setting in your own developer org and then re-use that, it's automatically shared, you don't need to have your customers create their own ones.