I am trying to create an app with a microservice architecture. I am using JHipster. I want to separate backend and frontend. So first I created a JHipster UAA server for authorization named uaa, then I created a gateway with the --skip-client and --skip-user-management options named gateway. After running them both I can log in with Postman using the /auth/login API. But when I want to get account information I am getting an API not found error. I am trying to get account information with the /uaa/api/account link because the microservice's name is uaa, but no luck. Am I missing something, or are there any other settings that I forgot?
/services is missing before /uaa; in the end it is going to be something like /services/uaa/api/account.
Related
I have developed MS Teams Message Extension using Java[Spring Boot] and registered the bot in Botframework Development portal[https://dev.botframework.com/]. It is working fine in local. I tested in local environment using a tunneling application named localtunnel. I tested the extension in MS Teams.
I pushed the code to the cloud [AWS] as it was working fine locally and also changed the message endpoint URL to point to our test server. But, unfortunately, I am getting "Bot returned unsuccessful status code unauthorized." [You can see the screenshot]. The test server message endpoint doesn't require a JWT token; I am able to call it successfully from Postman without giving a token.
As per the documentation, this error occurs usually when:
The Messaging endpoint specified on the Settings page for your bot in the Bot Framework Portal is incorrect. Make sure you have included the proper path at the end of the URL (e.g., /api/messages).
The Messaging endpoint specified on the Settings page for your bot in the Bot Framework Portal does not begin with https or is not trusted by the Bot Framework. Your bot must have a valid, chain-trusted certificate.
The bot is configured with missing or incorrect values for app ID or password. Verify that the bot configuration settings specify valid values for app ID and password.
All the points are correct in my case.
In this documentation, Azure Bot resources are mentioned in the "Test your bot" section of "Step 4: Test your bot in the cloud".
https://learn.microsoft.com/en-us/azure/bot-service/bot-service-troubleshoot-authentication-problems?view=azure-bot-service-4.0&tabs=csharp#step-3
So in order to test the bot on cloud, is it necessary to register it on Azure Bot services instead of Botframework development portal? Can't we just test it just by registering it on Botframework development portal?
The dev.botframework.com portal is deprecated, so I'd advise against continuing to use it. The Azure Bot resource is the evolution and replacement of the Bot Channels Registration, so you will need to use it to test your bot in the cloud. It effectively does the same things, but it better handles various new security and tenancy features that the old portal did not.
Furthermore, the documentation you linked mentions that extra security configuration steps must be taken for non-Azure deployments to get your bot to use https. Ensure you do this before filling in the messaging endpoint in your Azure Bot configuration.
I figured out the issue. Even though the message endpoint could be called without any JWT token of our app, the code was verifying the token if it was present in the Authorization header instead of ignoring it. MS Teams sends a JWT token in the Authorization header of every request to verify it is coming from Teams, but the extension app was comparing this token sent from Teams against our app. Since this token is not created by our app but by the Bot Framework, it was throwing 401 Unauthorized.
So make sure your app is ignoring the token sent in the Authorization header for the message endpoint.
About the other doubts I had:
It is not mandatory to register the bot in Azure in order to test in the cloud; you can register it in the development portal as well. Since the development portal is deprecated, I highly recommend using Azure as it is highly secure.
You can do a non-Azure deployment as well. You can deploy your extension app or message API endpoint in any cloud provider of your choice. But you have to register the bot either in the development portal or in Azure, which will call your extension app.
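An added example, not code from the original posts: it checks the bearer token on the message endpoint against the Bot Connector's signing key and claims, and shows that the same token fails when checked against the app's own key, which is the 401 described above. The issuer and metadata URL are taken from the Bot Framework authentication documentation; the class name, key pairs, app ID and token are constructed so the code runs offline, and the regex claim lookup is a simplification.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.regex.*;
public class BotConnectorTokenCheck {
    // Bot Connector issuer; its keys are published via https://login.botframework.com/v1/.well-known/openidconfiguration
    static final String ISSUER = "https://api.botframework.com";
    static final Base64.Decoder DEC = Base64.getUrlDecoder();
    // Regex claim lookup keeps the example JDK-only; use a JSON/JWT library in real code.
    static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"?([^\",}]*)").matcher(json);
        return m.find() ? m.group(1).trim() : null;
    }
    // True only if the RS256 signature verifies with the connector key and iss/aud/exp match.
    static boolean isFromBotConnector(String authHeader, PublicKey connectorKey, String appId) {
        try {
            if (authHeader == null || !authHeader.startsWith("Bearer ")) return false;
            String[] p = authHeader.substring(7).split("\\.");
            if (p.length != 3) return false;
            String head = new String(DEC.decode(p[0]), StandardCharsets.UTF_8);
            if (!"RS256".equals(claim(head, "alg"))) return false; // pin the algorithm
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(connectorKey);
            sig.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
            if (!sig.verify(DEC.decode(p[2]))) return false;
            String body = new String(DEC.decode(p[1]), StandardCharsets.UTF_8);
            return ISSUER.equals(claim(body, "iss")) && appId.equals(claim(body, "aud"))
                    && Long.parseLong(claim(body, "exp")) > System.currentTimeMillis() / 1000;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed token or unusable key: reject
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed key pairs, placeholder app ID and token so the example runs offline.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair connector = gen.generateKeyPair(), ownApp = gen.generateKeyPair();
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String appId = "00000000-0000-0000-0000-000000000000";
        String body = "{\"iss\":\"" + ISSUER + "\",\"aud\":\"" + appId + "\",\"exp\":"
                + (System.currentTimeMillis() / 1000 + 300) + "}";
        String data = enc.encodeToString("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8))
                + "." + enc.encodeToString(body.getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(connector.getPrivate());
        s.update(data.getBytes(StandardCharsets.US_ASCII));
        String header = "Bearer " + data + "." + enc.encodeToString(s.sign());
        System.out.println(isFromBotConnector(header, connector.getPublic(), appId)); // connector key
        System.out.println(isFromBotConnector(header, ownApp.getPublic(), appId));    // app's own key
    }
}
```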
I'm trying to develop a simple java client that needs to access Skype for Business APIs in order to setup an online meeting (i.e. I need to retrieve a simple setup meeting URL by invoking an UCWA API).
I followed this Microsoft tutorial step-by-step:
https://learn.microsoft.com/en-us/skype-sdk/ucwa/developingucwaapplicationsforsfbonline
I have an Office 365 Business Premium license and I configured a custom domain (correctly registered and added at the zone DNS file);
I configured and registered my java client app on Azure (taking care to assign required delegated permission for Skype for Business capabilities);
I performed the Sign-in phase and Azure is able to recognize me;
I performed the Autodiscovery phase in order to retrieve the user's UCWA home pool;
I sent a GET request to the Azure oauth2 endpoint with response 401 error (and this is the expected behaviour by the authentication handshake);
Unfortunately, I failed when I request an access token using implicit grant flow: Azure responds with a Sign-In HTML page rather than the json object containing the oauth2 access token.
What's wrong on this GET request?
GET https://login.microsoftonline.com/oauth2/authorize?
response_type=id_token
&client_id=my_application_client_id
&redirect_uri=configured_redirect_uri
&state=UUID_generated_code
&resource=UCWA_home_pool
HTTP/1.1
This GET URL looks like that one used for the Sign-In phase (step 3); I suspect that it isn't the right request URL.
I tried to put my domain on the URL:
https://login.microsoftonline.com/my_domain_name/oauth2/authorize
and I tried to put a common domain name (as reported on the documentation):
https://login.microsoftonline.com/common/oauth2/authorize
But Azure still responds with a Sign-In page (and response code 200 OK).
Can someone help me please?
Please check the oauth2AllowImplicitFlow property in the manifest of your application after downloading the latest manifest file. It should be set to true for this to work. If it's still false, only then I would expect the redirect to the sign-in page as you're seeing.
More detailed steps here -
Configure your app for OAuth implicit grant flow
I'm evaluating Auth0 as an authentication/authorization service for our new project.
I would like to expose some REST APIs without UI at this point.
So I believe clients won't need to log-in but just send an authorization header with a JWT token (I'll send this token by e-mail at this point).
I understood that in Auth0 there are "non-interactive" clients for this (Am I right?)
In my understanding, every potential customer will be a client and I'll create a dedicated client configuration in Auth0 for it.
So I've created a client like this following the tutorial found here
(we've a java shop, so I've naturally opted for spring security) and it works.
Now I would like to put some metadata on such a client. I've tried to add the "Application Metadata".
I would like to access this metadata on the server (from a Java Spring REST controller), but I see that it's not in the JWT token.
My question is what is the right implementation for this? How should I get this information on server?
Thanks in advance
I think you're mixing the notions of "Clients" and "Users". A Client in Auth0 is an access channel to the Auth0 back-end. In some (unusual) approaches to multi-tenancy you might go with multiple Auth0 clients, but I doubt it.
What I think you want is: One (1) Client and many Users.
The app_metadata are then associated with the User records.
I have created a simple application in Java which Connects to my Office 365 Account and retrieve the unread messages. I am performing some text matching and pattern matching to generate some reports which I receive via Email.
I am using the below url with basic Authentication to do so.
https://outlook.office365.com/api/v1.0/me/messages?$filter=IsRead%20eq%20false
However, I have read a couple of articles and most of them have suggested that Basic Authentication will not be supported and suggested to use OAUTH2.0.
I am not sure how to use OAUTH2.0. A couple of articles mention registering the application with AAD, for which I need to have access to the Azure Management Portal, which I do not have. Please can anyone guide me on how this can be done.
PS: I am using my Corporate Domain Account to access Office
You are correct that Basic will not continue to be supported. You do not need the Azure management portal to register an application, you can use the App Dev portal (apps.dev.microsoft.com) to get a client ID and secret.
Here's a walkthrough for creating a Java web app from scratch: https://dev.outlook.com/restapi/tutorial/java. It shows how to register the app and do the authentication.
I'm developing an html5+jquery+phonegap application. The server side is written in Java and Spring MVC. And I hope to implement an authentication model as follows.
client signs up using his email which would be used as his userID.
A token is sent to his email.
He is given a screen to enter the token.
That token is stored in the local storage of the client.
Every time the client calls a webservice, his userID and token are sent by the app over https.
Server authenticates him and responds.
What are the options available to implement this kind of security from the server side? Can Spring-security be used in this way? I tried to find any implementation with Spring-security, but couldn't find any implementation other than basic authentication.
You can use PreAuthenticationProcessingFilter to achieve this requirement; have a look at a similar case and the Spring Security doc.
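An added example, not part of the original question or answer: the server-side half of the e-mailed-token scheme in the question, using only the JDK. It stores a SHA-256 hash of each token rather than the token itself and compares in constant time; the class EmailTokenStore, its method names and the sample addresses are hypothetical, and the in-memory map stands in for a real user store.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class EmailTokenStore {
    private final SecureRandom rng = new SecureRandom();
    // userID -> SHA-256(token); a leaked table does not reveal usable tokens.
    private final Map<String, byte[]> hashByUser = new ConcurrentHashMap<>();

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required in every JDK
        }
    }

    // Sign-up: create a 256-bit random token to e-mail; only its hash is kept server-side.
    public String issue(String userId) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        hashByUser.put(userId, sha256(token));
        return token;
    }

    // Every call: check the userID/token pair the app sends over https.
    public boolean verify(String userId, String token) {
        if (userId == null || token == null) return false;
        byte[] expected = hashByUser.get(userId);
        // Unknown users are compared against a dummy hash so both paths do the same work.
        byte[] reference = expected != null ? expected : new byte[32];
        return MessageDigest.isEqual(reference, sha256(token)) && expected != null;
    }

    public void revoke(String userId) { hashByUser.remove(userId); }

    public static void main(String[] args) {
        EmailTokenStore store = new EmailTokenStore();
        String token = store.issue("alice@example.com"); // constructed sample user
        System.out.println(store.verify("alice@example.com", token));       // issued pair
        System.out.println(store.verify("alice@example.com", token + "x")); // altered token
        System.out.println(store.verify("bob@example.com", token));         // unknown user
        store.revoke("alice@example.com");
        System.out.println(store.verify("alice@example.com", token));       // after revocation
    }
}
```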