I want use service principal which is the use of client_id and client_secret to get token and then pass this token to another api that get groups but i am getting 403.
I have created service principal group with name POWERBI_API_036 which contains my application with the name SystemServer
Now i have a server side application (SystemServer) This is also because i dont want to use username and password to get token because i want to create a way many customers to be able to authenticate without giving there password.
This is what i have now i succesfully generate a token but i am not able to use it to get groups or reports. -- client-id and secret have been changed for privacy
Added the token in header but i get 403. I am lost at this point on how service principal helps authenticate without password or what am i doing wrong ? Please
Related
I've reset the user password and set it as temporary in keycloak.
Is there some REST API to change temporary password to regular when user will log in? It is important not to use keycloak's user interface. I've heard about experimental API but I can't find any of its documentation. Thanks for help
I've heard about experimental API but i can't find any its
documentation.
I think you are referring to this Keycloak Admin API
Assuming that:
I've reset user password and set it to new temporary in keycloak.
is done via endpoint already, then what you can do is to get the ID from that user, which you can get by using the endpoint:
curl -X GET <KEYCLOAK_HOST>/auth/admin/realms/<REALM_NAME>/users/?username=<USER_NAME>
From the JSON response, extract the user ID. Then you call the following endpoint:
PUT <KEYCLOAK_HOST>/auth/admin/realms/<REALM_NAME>/users/<USER_ID>/reset-password
with the request payload:
{"type":"password","value":"<THE_PASSWORD_THAT_YOU_WANT_TO_SET>","temporary":false}
If what you want is to first set the password as temporary, and then when the user logs in for the first time, force the user to set to a new non-temporary password, then you need to call the following endpoint:
PUT <KEYCLOAK_HOST>/auth/admin/realms/<REALM_NAME>/users/<USER_ID>
with the request payload:
{"requiredActions":["UPDATE_PASSWORD"]}
In Spring, to verify the user credentials, 'authorization' header is used. Usually, user name and password are encoded using some algorithm(commonly base 64) and passed in this header. But, validating user name and password comes under authentication, does n't it? It means, this 'authorization' header is not appropriate. It should have been called 'authentication' header.
Read https://howtodoinjava.com/spring-boot2/security-rest-basic-auth-example/
With OAuth the Authorization header is used to send a JSON Web Token (jwt).
This token is the result of a authentication process and holds user's data like username, the issuer of the token and roles like admin. It should never contain sensitive data like password. Furthermore the token is signed by the issuer with a rsa key.
Spring uses this token for authorization. The signature is verified, so no one can claim roles by creating a fake token.
The roles eg can than be uses grant/deny access to certain methods.
This article shows an example application that might help you understand the concept:
https://www.baeldung.com/rest-api-spring-oauth2-angular
We are trying to implement Oauth2 on our app, in our App we are login using Sign In with Google, and this returns a lot of stuff like : UID, ACCESS_TOKEN, REFRESH_TOKEN, etc.. we are thinking to send from APP to server-side the UID and store it to DB linked with user like if it was its password.
From server side we want to on each call for instance : get_products, we are thinking to use an access_token but we don't know if it's the UID from user itself or we have to create another access_token with its refres_token with expiration time. So we have one UID from user and another access_token and refresh_token from oauth.
I'm not sure about the value you refer by UID. May be it's something that I haven't come across before.
But if it stands for USER IDENTIFIER, then you should not use it to identify the end user and maintain a session. UID could be a public identifier so anyone who knows will be able to communicate to your server. Also, think about user login through multiple devices. Your server won't be able to identify the correct session.
User access_token to initiate a session. In your server, use user-information endpoint to obtain validity details and end user information. Alternatively you may choose OpenID Connect.
I am stucking with the following problem like one month already, I am trying to verify an inapp purchase by using the following api :https://developers.google.com/android-publisher/authorization
I followed every step from the documentation(doing everthing with Postman Rest Client from Chrome), I can retrieve an accesstoken and a refresh token, but whenever when I try to query a purchase it results in error code 403 access not configured, BUT I CONFFIGURED IT IN THE SETTINGS!
anybody with an idea maybe?
It is far from straightforward to get an accesstoken for this API. This blog post helped get me started in the right direction, but I've outlined my own process that does not depend on using any external scripts to work. The steps are:
Obtain a client ID and secret (one-time)
Obtain a Refresh Token (one-time)
Use the Refresh Token to obtain an Access Token (once per hour)
4 Use the access token to access the API
Each of these steps are detailed below:
Obtaining Client ID and Secret
Go to the the Google Developer's console
Go to your project page
Select "Consent Screen" on the left side and make sure that the email address and Product name fields are set
Select "Credentials" from the left menu, and select "create a new client id"
Leave Application type set to "Web application" and set "Authorized redirect URI" to https://localhost. You do not need to change the Authorized JavaScript Origins.
Click "Create Client ID" and record the Client ID and Client secret that result.
Obtaining a Refresh Token
In web browser, enter the following URL (substituting correct value for client_id):
https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/androidpublisher&response_type=code&access_type=offline&redirect_uri=https://localhost&client_id=XXXX
Accept any requests for authorization that appear
You will then be redirected to a URL like this:
https://localhost/?code=4/k0TenvwICIgmBoQOazJy4_EnJr6-.clLqtp_vVAIbEnp6UAPFm0GASPqQigI
Copy the code from the latter part of this URL
Use wget to convert this code into refresh token; substitute CODE, CLIENT_ID, and CLIENT_SECRET
wget --debug --post-data="grant_type=authorization_code&code=CODE&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&redirect_uri=https://localhost" https://accounts.google.com/o/oauth2/token
The resulting JSON file will contain an access_token and a refresh_token. Record the refresh_token value
Obtaining an Access Token
send a POST request to https://accounts.google.com/o/oauth2/token with the following fields set (substitute REFRESH_TOKEN, CLIENT_ID, CLIENT_SECRET)
grant_type=refresh_token
refresh_token=REFRESH_TOKEN
client_id=CLIENT_ID
client_secret=CLIENT_SECRET
You will get back a JSON string containing an access_token that will be good for one hour.
Using the Access Token to make API request
Fetch from
https://www.googleapis.com/androidpublisher/v1.1/applications/PACKAGENAME/inapp/SKU/purchases/PURCHASETOKEN
with an Authorization header containing the access token, e.g:
Authorization: Bearer ya29.1.AADtN_WoM4-4Fb1voFL-emcUWluijCzwvc9Z-FYM9SPvK03HCbGkdROJTVVPSLHK2IlVJQ
You may also be able to pass the access token as an HTTP query parameter, e.g.
https://www.googleapis.com/androidpublisher/v1.1/applications/PACKAGENAME/inapp/SKU/purchases/PURCHASETOKEN?authorization_token=AUTHTOKEN
I had a similar problem as you. Answer by mmigdol is helpful, but it didn't help me. I finally managed to solve it by looking at links generated here: https://developers.google.com/oauthplayground/
Apparently, Android publisher scope
https://www.googleapis.com/auth/androidpublisher
needs to be added into the link requesting authorisation code (before even generating refresh token) by adding:
&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fandroidpublisher
to get this:
https://accounts.google.com/o/oauth2/auth?redirect_uri=<YOUR_REDIRECT_URI>&response_type=code&client_id=<YOUR_CLIENT_ID>&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fandroidpublisher&approval_prompt=force&access_type=offline
My application uses 3-legged authentication (OAuth).
I have the token (user was redirected to google login page to log in)
How can I get the e-mail address he used to authenticate?
you should look up user data using the access token. in facebook, the access token starts with user serial, so you can identify user from token directly. (ex. 123456-someStrangeStringBlahBlah...)
so if exposure of user serial is not problem, make token like facebook.
I think you want to use OpenID attribute exchange. (not OAuth, but Google has a bridge between the two).
See Google's page on their federated login API.
If you are using OAuth1.0 you can extract user email from the contactService by making a request to get for example contact group id. The returned response contains the user email encoded:
"http://www.google.com/m8/feeds/groups/user_email_here%40gmail.com/base/5f062e1e08cb3123"