Create subscription with URL including Bearer Token in the header - token

Hello FIWARE specialists,
I like to create a subscription, which pushes notifications to an external service.
The external service needs authorization with a bearer token.
If I use curl, I add "--header 'Authorization: Bearer XXX'".
How can I add a bearer token to the subscription request?
"notification": {
    "attributes": [ "id", "type", "name", "location", "occupancy"],
    "format": "normalized",
    "endpoint": {
        "uri": "http://a.b.c.de:1111",
        "accept": "application/json"
    }
},
Is there an option to add a header field to the "endpoint" setup in the subscription like:
"headers": "Authorization: Bearer XXX"
Hopefully, you can help me in that case.
Thanks, Knigge

In Orion Context Broker using the NGSIv2 API you can use custom notifications to achieve that. For example the following subscription:
...
"httpCustom": {
    "url": "http://context-provider:3000/subscription/low-stock-store001",
    "headers": {
        "Authorization": "Bearer XXX"
    }
}
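A complete NGSIv2 subscription body using "httpCustom" headers, plus the check the receiving service should perform on the token, as an added example (not code from the FIWARE Orion project or from the answer above). The entity type, attribute list and token value are constructed placeholders; NOTIFY_URL is the receiver from the question.

```python
import hmac
import json

# Added example, not from the FIWARE Orion project or the answer above: an NGSIv2 subscription
# body that sends the Bearer token through "httpCustom" headers, and the matching check the
# receiving service should do. Entity type, attribute list and the token value are constructed
# placeholders; NOTIFY_URL is the receiver from the question.
NOTIFY_URL = "http://a.b.c.de:1111"
EXAMPLE_TOKEN = "XXX"  # placeholder; in practice read it from a secret store, not source code


def build_subscription(token: str, notify_url: str = NOTIFY_URL) -> dict:
    """Body for POST /v2/subscriptions. 'id' and 'type' are always sent, so attrs lists the rest."""
    return {
        "description": "Push occupancy changes to an external service",
        "subject": {
            "entities": [{"idPattern": ".*", "type": "ParkingSpot"}],
            "condition": {"attrs": ["occupancy"]},
        },
        "notification": {
            "attrs": ["name", "location", "occupancy"],
            "attrsFormat": "normalized",
            "httpCustom": {
                "url": notify_url,
                "headers": {"Authorization": f"Bearer {token}"},
            },
        },
    }


def notification_authorized(headers: dict, expected_token: str) -> bool:
    """Receiver side: require 'Authorization: Bearer <token>' and compare in constant time."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())


if __name__ == "__main__":
    # What Orion receives: POST http://<orion>:1026/v2/subscriptions with this JSON body
    print(json.dumps(build_subscription(EXAMPLE_TOKEN), indent=2))
```

Orion stores the header with the subscription and returns it on GET /v2/subscriptions, so anyone who can read subscriptions on the broker can read the token; issue a token scoped to that one receiver rather than reusing a broader credential.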

Related

Send email for Graph Api works in Postman but not through App in Azure?

I am accessing the Graph Api endpoint:
https://graph.microsoft.com/v1.0/me/sendMail
I retrieve the access token from Graph Explorer and use it as a Bearer token in Postman.
I also set Content-Type in the header to "application/json".
I set the Body as
{
  "message": {
    "subject": "Meet for lunch?",
    "body": {
      "contentType": "Text",
      "content": "The new cafeteria is open."
    },
    "toRecipients": [
      {
        "emailAddress": {
          "address": "testuser@acme.com"
        }
      }
    ]
  }
}
Through Graph Explorer I have given consent for Mail.Send
It works fine in Postman. I set the scope in my C# app as Mail.Send, but when I send the request it gives the error
{StatusCode: 403, ReasonPhrase: 'Forbidden'
What other permission do I need to set?

Xero API fetch list of organization (all organization)

I have done OAuth2.0 using PKCE flow in .NET Framework (C# Winforms).
Now I have tokens_response in my hand.
But I'm wondering whether it is possible to fetch all of the organisations (not only one)?
You can check the organisations (tenants) that you can access with a given token using the /connections endpoint, like this:
GET https://api.xero.com/connections
Authorization: "Bearer " + access_token
Content-Type: application/json
Response:
[
  {
    "id": "e1eede29-f875-4a5d-8470-17f6a29a88b1",
    "authEventId": "d99ecdfe-391d-43d2-b834-17636ba90e8d",
    "tenantId": "70784a63-d24b-46a9-a4db-0e70a274b056",
    "tenantType": "ORGANISATION",
    "tenantName": "Maple Florist",
    "createdDateUtc": "2019-07-09T23:40:30.1833130",
    "updatedDateUtc": "2020-05-15T01:35:13.8491980"
  },
  {
    "id": "32587c85-a9b3-4306-ac30-b416e8f2c841",
    "authEventId": "d0ddcf81-f942-4f4d-b3c7-f98045204db4",
    "tenantId": "e0da6937-de07-4a14-adee-37abfac298ce",
    "tenantType": "ORGANISATION",
    "tenantName": "Adam Demo Company (NZ)",
    "createdDateUtc": "2020-03-23T02:24:22.2328510",
    "updatedDateUtc": "2020-05-13T09:43:40.7689720"
  }
]
If you need more information than the organisations' id and name, you'll need to call the /organisation endpoint individually for each.
The connections endpoint is described more in section 5 on this page of the docs: https://developer.xero.com/documentation/oauth2/auth-flow

Is Active Directory not supporting Authorization Code Flow with PKCE?

I tried to use the currently recommended Authorization Code Flow with PKCE to gather an access token from Active Directory. The client will be a public Angular SPA which is the reason for the chosen flow.
Gathering the openid-configuration from AD as well as the Authorization Code for a user worked well.
But I fail requesting the access token from the following endpoint:
https://login.microsoftonline.com/{tenantId}/oauth2/token.
I tried to reconstruct the request in Postman:
POST /7e8c2868-7490-4dd7-82b7-f5ec29222d30/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
grant_type=authorization_code
code=...
code_verifier=...
client_id=...
redirect_uri=...
...and end up with the following message:
{
"error": "invalid_client",
"error_description": "AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: ed0413ad-89f1-4a2b-8d68-e23498701800\r\nCorrelation ID: deb53b0d-5398-4f72-a9a5-6c0863547b99\r\nTimestamp: 2020-03-06 09:30:36Z",
"error_codes": [
7000218
],
"timestamp": "2020-03-06 09:30:36Z",
"trace_id": "ed0413ad-89f1-4a2b-8d68-e23498701800",
"correlation_id": "deb53b0d-5398-4f72-a9a5-6c0863547b99",
"error_uri": "https://login.microsoftonline.com/error?code=7000218"
}
This seems odd, since the official specification of the Authentication Flow with PKCE doesn't require a client_secret or client_assertion. This is only required for the default Authentication Flow.
Is there something wrong with the AD implementation or have I misconfigured it?
The manifest of the web client looks like this:
{
  "id": "...",
  "acceptMappedClaims": null,
  "accessTokenAcceptedVersion": null,
  "addIns": [],
  "allowPublicClient": true,
  "appId": "...",
  "appRoles": [],
  "oauth2AllowUrlPathMatching": false,
  "createdDateTime": "...",
  "groupMembershipClaims": null,
  "identifierUris": [],
  "informationalUrls": {
    "termsOfService": null,
    "support": null,
    "privacy": null,
    "marketing": null
  },
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": null,
  "name": "...",
  "oauth2AllowIdTokenImplicitFlow": false,
  "oauth2AllowImplicitFlow": false,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "optionalClaims": null,
  "orgRestrictions": [],
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [],
  "preAuthorizedApplications": [],
  "publisherDomain": "...",
  "replyUrlsWithType": [
    {
      "url": "http://localhost:4200",
      "type": "Web"
    }
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "...",
          "type": "Scope"
        }
      ]
    }
  ],
  "samlMetadataUrl": null,
  "signInUrl": null,
  "signInAudience": "AzureADMyOrg",
  "tags": [],
  "tokenEncryptionKeyId": null
}
And my application is registered as a public app in AD.
The Authentication request that was sent prior to that looked like this:
GET /.../oauth2/authorize
response_type=code
&client_id=...
&state=...
&redirect_uri=http%3A%2F%2Flocalhost%3A4200
&scope=openid%20user_impersonation%20offline_access
&code_challenge=...
&code_challenge_method=...
&nonce=...
Host: login.microsoftonline.com
Update 2021
Microsoft finally updated their portal, so we now have a UI to properly configure the Authorization Code Flow with PKCE.
All you have to do is open the Authentication page of your registered AAD application. There you can add a new platform by clicking the button on the left:
Select the new Single-page application tile and enter your redirect URLs.
Previous Answer (Manifest)
I just found the answer in the @azure/msal-browser package. At the moment Azure AD seems to be working on supporting this auth flow. To activate it you must set a new type for the redirect URLs, which they just recently added.
To use the Authorization Code Flow with PKCE with Azure Active Directory you need to:
1. Add a web platform to your Azure AD application and add your redirect URLs.
2. Change the type of those redirect URLs from 'Web' to 'Spa'. This must be done in the Manifest. Changing it will make the URLs disappear from the Authentication page. But that's OK, since they are still present in the Manifest.
3. Treat the web app as a public client (Authentication > Advanced settings > Default client type - 'Yes').
Now the token endpoint doesn't require a client_secret or client_assertion anymore.
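The PKCE pair behind the code_challenge / code_verifier parameters in the requests above, the public-client token request that needs no client_secret or client_assertion, and a check of the manifest fix from this answer, as an added example (not Microsoft's or msal-browser's code). TENANT_ID and CLIENT_ID are placeholders; the RFC 7636 S256 method is assumed, matching the flow the question describes.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Added example (not Microsoft's or msal-browser's code): RFC 7636 PKCE pair for the
# authorize request shown above, the public-client token request (no client_secret or
# client_assertion) and a check of the manifest fix. TENANT_ID and CLIENT_ID are placeholders.
TENANT_ID = "{tenantId}"
CLIENT_ID = "{clientId}"
REDIRECT_URI = "http://localhost:4200"

def b64url(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters (RFC minimum is 43, maximum 128)
    return b64url(secrets.token_bytes(32))

def challenge_for(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorize_url(verifier: str, state: str, nonce: str) -> str:
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "state": state,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid user_impersonation offline_access",
        "code_challenge": challenge_for(verifier),
        "code_challenge_method": "S256",
        "nonce": nonce,
    }
    return f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/authorize?" + urlencode(params)

def token_request_body(code: str, verifier: str) -> dict:
    """Public client: the verifier, not a secret, proves the code was issued to this client."""
    return {"grant_type": "authorization_code", "code": code, "code_verifier": verifier,
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI}

def manifest_allows_pkce(manifest: dict) -> bool:
    """The answer's manifest fix: public client and every reply URL typed 'Spa', not 'Web'."""
    urls = manifest.get("replyUrlsWithType", [])
    return bool(manifest.get("allowPublicClient")) and bool(urls) and all(u.get("type") == "Spa" for u in urls)
```

The verifier must stay in the SPA (for example in session storage) between the authorize redirect and the token request; only the challenge goes out in the first request.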

Attempting to create an issue with JIRA REST API results in a 500 error

For automation purposes I'm trying to create issues through the JIRA REST API, but I'm getting a 500, Internal Server Exception as response without any additional information.
With the Chrome plugin "Advanced REST Client", I ran through the following steps:
Entered the endpoint: https://[company-jira-url]/rest/api/2/issue/
Set the HTTP method: POST
Added the required headers:
Content-Type: application/json
Authorization: Basic (100% sure this one's correct)
Added the json payload (Basically the minimum required fields):
{
  "fields": {
    "project": {
      "key": "HACK"
    },
    "summary": "REST EXAMPLE",
    "description": "Creating an issue via REST API",
    "issuetype": {
      "name": "Bug"
    }
  }
}
Click "Send"
The request basically looks like this (base64 string is not correct in this example):
The Request
Result:
The Response
Anyone?

How to get an OpenStack token and validate it?

I followed this guide: http://keystone.openstack.org/api_curl_examples.html
and it seemed that I got a valid token by running:
curl -d '{"auth":{"passwordCredentials":{"username": "can", "password": "mypassword"}}}' -H "Content-type: application/json" http://url:35357/v2.0/tokens
and it returned:
{
  "access": {
    "token": {
      "expires": "2012-05-21T14:35:17Z",
      "id": "468da447bd1c4821bbc5def0498fd441"
    },
    "serviceCatalog": {},
    "user": {
      "username": "can",
      "roles_links": [],
      "id": "bb6d3a09ad0c4924bf20c1a32ccb5781",
      "roles": [],
      "name": "can"
    }
  }
}
but when I came to the next few sections to validate this token, I encountered this magic number: X-Auth-Token:999888777666. At first I thought it was the token I got, but I was wrong.
I think I may have missed something, so I read the related sections in the OpenStack documents (http://keystone.openstack.org/configuration.html and http://docs.openstack.org/api/openstack-compute/programmer/content/), but still have no idea where the number comes from.
Could anyone explain to me:
1. what the meaning of that magic number is, and
2. how to get the right value of it so I can get a working token to manage other parts of OpenStack?
That magic number (string really) is the admin_token setting in your keystone.conf file. Under the [DEFAULT] section in keystone.conf set
admin_token = abcd1234
If you don't use it for admin actions, you'll see something like
ubuntu@i-000004bc:~/devstack$ curl http://localhost:35357/v2.0/tenants
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}
If you do use it, you'll see something like
ubuntu@i-000004bc:~/devstack$ curl -H "X-Auth-Token: abcd1234" http://localhost:35357/v2.0/tenants
{"tenants_links": [], "tenants": [{"enabled": true, "description": null, "name": "demo", "id": "aee8a46babcb4e4286021c8f6ef996cd"}, {"enabled": true, "description": null, "name": "invisible_to_admin", "id": "de17fea45de148ada0a58e998e6c3e73"}, {"enabled": true, "description": null, "name": "admin", "id": "f34b0c8ab30e450489b121fbe723fde5"}, {"enabled": true, "description": null, "name": "service", "id": "fbe3e2e530fd47298cb2cba1b4afa3da"}]}
To get the list of tenants, in our current implementation, we authenticate with admin credentials and use the token returned to get list of tenants.
The implementation works smoothly with the authentication token. It may work with admin_token but I have not verified.
If you look at the examples you are referring to, there are two types of endpoints used:
- Endpoint pointing to port 5000 - public port
- Endpoint pointing to port 35357 - admin port
In examples which are hitting the admin port you would need to specify the "X-Auth-Token" header as the admin_token (specified in the keystone.conf file).
The token itself is in dict["access"]["token"]["id"], which is the part that will go in the header of subsequent HTTP requests, i.e.
X-Auth-Token: 468da447bd1c4821bbc5def0498fd441
The value 999888777666 is from the curl example tutorial and will definitely not work.
As for the value of the token itself, it's randomly generated by the OpenStack service and shouldn't contain any useful information from your point of view.
(BTW, you probably shouldn't go pasting the tokens into forums as they're valid for 24 hours and anyone with a copy of the token and access to your compute endpoint can use it to impersonate you).
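Pulling the token id out of the v2.0 tokens response shown in the question, refusing it once "expires" has passed, and choosing between the user token (public port) and admin_token (admin port) as the answers describe, as an added example (not OpenStack code or the answerers' own). SAMPLE_RESPONSE repeats the question's output; ADMIN_TOKEN is the answer's placeholder value.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Added example, not from OpenStack or the answers above: take the token id out of a Keystone
# v2.0 POST /v2.0/tokens response, refuse it once "expires" has passed, and pick the header for
# the public port (user token) or the admin port (static admin_token from keystone.conf).
# SAMPLE_RESPONSE repeats the question's output; ADMIN_TOKEN is the answer's placeholder value.
SAMPLE_RESPONSE = {
    "access": {
        "token": {"expires": "2012-05-21T14:35:17Z", "id": "468da447bd1c4821bbc5def0498fd441"},
        "serviceCatalog": {},
        "user": {"username": "can", "roles_links": [], "id": "bb6d3a09ad0c4924bf20c1a32ccb5781",
                 "roles": [], "name": "can"},
    }
}
ADMIN_TOKEN = "abcd1234"
ADMIN_PORT = 35357  # port 5000 is the public port


class TokenExpired(Exception):
    pass


def parse_ts(ts: str) -> datetime:
    """Keystone v2.0 timestamps are UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_expired(resp: dict, now_iso: str) -> bool:
    return parse_ts(resp["access"]["token"]["expires"]) <= parse_ts(now_iso)


def token_from_response(resp: dict, now_iso: str) -> str:
    """dict["access"]["token"]["id"] is the value that goes into X-Auth-Token."""
    if is_expired(resp, now_iso):
        raise TokenExpired("token expired at " + resp["access"]["token"]["expires"])
    return resp["access"]["token"]["id"]


def auth_headers(endpoint: str, resp: dict, now_iso: str, admin_token: str = ADMIN_TOKEN) -> dict:
    """Admin-port calls (35357) want admin_token; public-port calls (5000) want the user token."""
    if urlparse(endpoint).port == ADMIN_PORT:
        return {"X-Auth-Token": admin_token}
    return {"X-Auth-Token": token_from_response(resp, now_iso)}
```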
