ServiceBusConfiguration.configureWithSASAuthentication(config.getSbNamespace(), "RootManageSharedAccessKey", SAS_KEY, ".servicebus.windows.net");
ServiceBusContract service = ServiceBusService.create();
service.getTopic(topicID);
This code snippet is used to connect to Service Bus using SAS Key. I'm looking for possibility of connection with SAS token which looks like this:
SharedAccessSignature sr=https%3a%2f%2fmynamespace.servicebus.windows.net%2fMyTestQueue&sig=fFWmdMmWjsdTqPyhyvRS9LQqLjJNPc87xhInhYai9OM%3d&se=1453286209&skn=MyQueue_Listen
I receive 401 Unauthorized using this code. I don't have possibility to go back to SAS key. Does Azure SDK for Java support this? Is there different way to connect?
The ".servicebus.windows.net" looks a bit off (the . in the beginning).
FYI: There's an ASB Java client repository repository with issue tracker. You could check there as well.
It sounds like you want to use Azure Service Bus SDK for Java to do something like to get a topic via topic id, but you didn't know how to pass the shared access key to the method configureWithSASAuthentication.
I suggested that you need to follow the offical tutorial How to use Service Bus topics and subscriptions carefully to know how to get the shared access key for a service bus instance and to use it via SDK.
The SharedAccessSignature sr=https%3a%2f%2fmynamespace.servicebus.windows.net%2fMyTestQueue&sig=fFWmdMmWjsdTqPyhyvRS9LQqLjJNPc87xhInhYai9OM%3d&se=1453286209&skn=MyQueue_Listen that you were looking for is for calling the related REST APIs, not directly used in the code with SDK.
Hope it helps.
Related
Please help me to find out the documentation on how to use java MASL SDK to get access_token for a service principal.
I am looking to find the documentation or GIT links which can guide me how to use the MASL library including the code samples.
I have gone through this link but it does not help me much : https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows
And, I am not expecting code samples to be shared here. I just want to find out where to find such data. I am struggling a lot when it comes to finding the right knowledge with respect to azure learning. What am I missing here? Is there any azure reference link available to find such information at a centralized place?
Note that, based on your requirement you can make use of Authorization code Flow if you want the user to sign-in and authenticate and if you want to access API using Application then make use of Client Credential Flow.
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application and added API permission:
For Client-Credential Flow, refer this GitHub blog by siddhijain.
Use the MASL java SDK to authenticate user in azure function developed in java.
Assuming that you want to authenticate user, you can make use of Authorization code Flow to generate access token.
I generated the Authorization code by using below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=RedirectUri
&response_mode=query
&scope=https://management.azure.com/user_impersonation
&state=12345
A sign-in screen will appear for authenticating the user:
To generate the access token, I used below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://management.azure.com/user_impersonation
grant_type:authorization_code
redirect_uri:RedirectUri
code:code
I am able to call the Function by using above generated access token:
To implement the above in MSAL Java library, refer the below GitHub Blogs:
Microsoft-authentication-library-for-js/msal-node/auth-code AzureAD by derisen
Microsoft-authentication-library-for-js/samples/msal-node AzureAD by rgins16
I am using Google Cloud Translate v3 API Java Client. The Java Client code samples work great. The authentication of the code samples is done using the GOOGLE_APPLICATION_CREDENTIALS environment variable.
I need to develop code that will run in an application server that I have no control over the environment variables. So I need to use another way to get the call authenticated.
Setting Up Authentication for Server to Server Production Applications, under "Passing the path to the service account key in code" has a code sample (choose the JAVA tab) that works for the Storage service, but I can't find a similar way to pass the GoogleCredentials to Translation v3 API Java Client. Does anyone know?
Also, I can't find the Java doc for v3 API. https://googleapis.dev/java/google-cloud-clients/latest/index.html shows version "0.119.0-alpha" and it does not list the package com.google.cloud.translate.v3. Is there a separate java doc page ?
I think I found a solution.
The client API javadoc doesn't list com.google.cloud.translate.v3 but it does list com.google.cloud.translate.v3beta1. In the javadoc for TranslationServiceClient, i.e. https://googleapis.dev/java/google-cloud-clients/latest/com/google/cloud/translate/v3beta1/TranslationServiceClient.html
there's a mention of setting credential, and this method worked!
TranslationServiceSettings translationServiceSettings =
TranslationServiceSettings.newBuilder()
.setCredentialsProvider(FixedCredentialsProvider.create(myCredentials))
.build();
TranslationServiceClient translationServiceClient =
TranslationServiceClient.create(translationServiceSettings);
I'm trying to set up Microsoft Translation API (part of MS Cognitive Services) in my Android app (using Java). I'm relatively new to Android programming and authentication methods, and I'm a bit confused with the those ones.
When I registered for an Azure account I created an Azure Directory, then created an Android App in the portal, configured it and got my auth_config.json .
Well, when I checked the MS translator API docs I saw that I can use it through a GET request and the API key provided. But also I saw I can authenticate by using a token, and that's where I'm stuck.
I've searching for days and I cannot find a clear and concise tutorial/guide/docs to Authenticate (no user context) from my Android app in order to use MS translate API by using tokens.
I found this link but it's only applicable when users have to sign in.
Any help related to auth tokens flow and conceptual design of them is also welcomed, but the main question would be "How to authenticate an Android App (no user context) by using tokens for accessing an Azure API?"
Thanks.
It sounds like you are trying to create a native Android Application using Java to get an access token in order to utilize the MS Translator API. But you would like to flow to be non-interactive.
You shouldn't need to get an access token in order to utilize the MS Translator API. Per the documentation you will only need to get the translator keys and then you will be able to use the Translator REST API using the Translator key.
The Translator Getting Started on how to setup and get keys can be found here :
https://learn.microsoft.com/en-us/azure/cognitive-services/translator/translator-text-how-to-signup
And the documentation on how to use the Translator API in Java can be found here :
https://learn.microsoft.com/en-ca/azure/cognitive-services/translator/quickstart-java-translate
In addition to that, I think it's important to understand the concepts of how to get access tokens from Microsoft for the future.
The v2.0(also referred to as converged) endpoint flows and explanation on how the authentication process works can be found here under "concepts > authentication > OAuth2 .... flow".
https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios
That being said, the MSAL library doesn't necessarily have all these flows implemented yet. To see more information on what MSAL libraries support what auth flows, you can find this information at the link here :
https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows
Unfortunately we don't support the non-interactive flow using the MSAL Android library yet. If you're interested in this feature please submit an issue against the MSAL Android Library here : https://github.com/AzureAD/microsoft-authentication-library-for-android/issues
And one of the engineers that handles the library will reach out and discuss it further.
All the Azure AD libraries have wikis that can be found on their respective github repos. The MSAL Android one can be found here : https://github.com/AzureAD/microsoft-authentication-library-for-android/wiki
Hopefully this has been helpful, and if you have anymore questions please leave a comment.
Essentially you won't need to use MSAL and you should be able to just use the translator key to make calls to the MS Translator API.
i want use azure Device Identities REST API to create devices identity :https://msdn.microsoft.com/en-us/library/azure/mt548489.aspx
but i don't know the syntaxe to set in header request ?
what is the key and how to generate value ?
here is the param :
Set the Authorization header to a SAS token created as specified in the service section of Using IoT Hub security tokens.
The Etag header is returned in all requests scoped to a single device identity, as per RFC7232 .
Thanks
As #DominicBetts said, you can refer to the referenced document to generate the SAS token by yourself.
As reference, there is not an existing sample code for Java, but I think you can try to refer to the offical sample for Python to knwo how to use the device identities REST API, please see the sample at https://azure.microsoft.com/en-us/documentation/samples/iot-hub-python-get-started/ and download the sample zip file to see the script service/deviceManager.py.
Meanwhile, you can also try to directly read the source code of IoTHub SDK for Java. For generating the SAS token, please see the code at https://github.com/Azure/azure-iot-sdks/blob/master/java/service/iothub-service-sdk/src/main/java/com/microsoft/azure/iot/service/auth/IotHubServiceSasToken.java.
Please take a look here: https://azure.microsoft.com/documentation/articles/iot-hub-sas-tokens/#using-security-tokens-from-service-components
This article explains how you can generate the security token you need - in particular the section "Using security tokens from service components".
I created endpoint apis but problem is anyone with my project id can go to api explorer and execute those apis. I have put only android client id (using debug keystore) on top of endpoint class declaration but still I can go to incognito mode and execute the apis. How can I restrict the apis so that only my android apps have access and all others will be thrown with some exception?
The APIs can be protected by adding a key parameter that has to be correct for API to be invoked. If the user of the API does not know the key, he won't be able to use the API even with API Explorer.
Advantages of this approach is that it is simple to do, allow you yourself to experiment with the API if you need.
Disadvantages include being very easy to circumvent by a determined user, just by looking at the traffic.
You need to make sure that you have coded your API/backend correctly to only accept the clientId for your app; make sure that you do not see com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID as one of the clientIds in your #Api annotation on the API class:
#Api(
name = "myApi",
version = "v1",
clientIds = {<your android clientId>},
)
public class myApi {
// your API code here
}
If the API Explorer client ID is present, it will allow it to execute your API from the API. I am not 100% sure, but I think you may still see your API form the explorer without the client ID, but execution will be prevented with an error.
This article has more info: https://cloud.google.com/appengine/docs/java/endpoints/auth#Specifying_authorized_clients_in_the_API_backend
You may want to think about putting proper auth around the endpoint calls (i.e. per-user auth checks around each method) if it is particularly sensitive. Just adding a User parameter to the #ApiMethod should be enough for force users to auth before executing each method.
Hope that helps.
You can use on each api allowed_client_ids to be ANDROID_CLIENT_ID only, can be a possible workaround.
I think this could help if you haven't followed it yet : https://cloud.google.com/appengine/docs/python/endpoints/auth#Python_Creating_OAuth_20_client_IDs
Use symmetric key cryptography along with digital signatures for this. However, you'll need to share the key with the Android app first.
Here's how it would work.
Whenever the Android app is making a network request, you take the URL & the parameters, then you Hash it and then encrypt it using the shared private key. You then append the signature as another parameter to the URL.
At the receiving end, your web API will validate whether the request came from your Android app ONLY.
Please note, that this will work ONLY for your app. It will not work as a way to catch all generic Android requests/
Here are some points for consideration :
Cloud Endpoints has been supporting the ANDROID CLIENT ID and
package signing, so that should atleast take care of the fact that
only a signed Android application from your side can access the
endpoint
.
If you wish to remove the Web Clients from access, then I would
probably look into the HTTP Headers and Agents to see if there is a
sure way of identifying these web clients.However, this would
require that you write your own Authorization logic in the method
since I do not believe that the endpoints infrastructure can take
care of this automatically for you
.
Remove access for everyone via the Annotations could be
problematic if you want a quick way to use the API Explorer to test
out the API. So do keep the API Explorer access available.