I am using the JIRA web fragment and trying to create a REST endpoint. I am using a web fragment and its corresponding REST endpoint which is called "MounaBulkSummary". How can I enable "anonymous allowed" for my REST endpoint? You notice my REST endpoint is all the way to the bottom and it doesn't have the option "Anonymous allowed", how can I add it?
For context, I'm very new to writing services, using Azure Relay, and Swagger, but I'm on the right track.
I have legacy WCF services that I'm writing a proxy wrapper for with ASP MVC Core, then I'm using Azure Relay hybrid connection to expose them for use to avoid firewall things.
When I run my application, Swagger shows my APIs and the relevant documentation:
I have created 2 hybrid relays in Azure. One that "Requires Client Authorization" and one that does not.
The code I'm using is pictured below to switch between (1) no AZ relay, (2) AZ relay with no auth, and (3) AZ relay with auth.
When I run using the Azure relay with no auth (2), I can see the API documentation:
When I run using the Azure relay with auth (3), I just get a token required.
I know how to call the APIs w/a SAS token, but is it possible to somehow view/interact with the Swagger documentation?
How do I interact with the web-front of an API when the API (not documentation) itself needs to be secure?
I've got a SPA application which gives statistics and information to anonymous users. It is a React SPA app and will consume a backend REST Web API (.NET Core). These data are not specific to users, therefore the information is freely available and no user authentication is required. However, I don't want my backend API layer to be exposed to the internet (i.e. not usable by anonymous applications such as Postman, REST clients, etc.). I'm familiar with the client credentials flow (OAuth) but I can't use it for this application because there is no concept of user login in this application.
What would be my best options that limit access to my API layer to anonymous applications (i.e. Postman, etc.), or is it not possible at all?
You can't use client credentials flow for your SPA. Anyone would be able to download your SPA, extract the client id and secret and use it to call your API.
If you do not want to authenticate your users, there's no good way to protect your API. Move your SPA to a traditional web application hosted on a server to protect it using client credentials flow.
It's not possible to make an API accessible to a public client (your SPA) without also making it accessible to users making API calls from Postman or custom code. It's possible to do the reverse, only because of the limitations that browsers put in place.
Depending on what you're trying to achieve, you could use something like reCAPTCHA to validate that the users of your API are humans, not scripts. That, along with human-scale rate limiting, would probably filter out most non-app users.
I am trying to read SharePoint lists using the following endpoint (http://url/_api/web/lists) and I am passing the access token, but the response returns Access Denied.
While I use the same access token to call an endpoint from the graph API (https://graph.microsoft.com/v1.0/sites/root/lists) and it works fine.
Should I use a different access token when I work with SharePoint REST APIs, or am I missing something here?
Thanks.
Yes, you should use a different access token since the endpoints are different. The Graph API and the SharePoint API are different resources, so you need to grant the application different permissions.
Note: SharePoint APIs are available via the Microsoft Graph API. You may want to consider using Microsoft Graph instead.
I'm creating an integration with a site that supports authorization via OAuth 1. As the OAuth callback I put a CRM web resource. But when the site executes the callback, CRM gives me HTTP 500 because the path is something like this: http://crm/webresources/auth.html?oauth_token=<data>&oauth_verifier=<data>&realmId=1381471230&dataSource=QBO.
Is there any way to enable these GET parameters in CRM web resources?
You can't pass on custom parameters to CRM. You have to pass any custom parameters via the standard "data" URL parameter. https://msdn.microsoft.com/en-us/library/gg327945.aspx
We need to expose a REST endpoint to the outside world to be called by an external service which we don't control. The people responsible for this external service seem to be security experts (not), and so instead of using at the very least HTTP Basic Auth or any other real authentication mechanism, they authenticate themselves using a fixed secret. It goes like this:
GET /endpoint?secret=WE_ARE_THE_TRUE_GUYS
As we're already using spring-security-oauth2, we'd like to integrate this authentication flow with our existing flow so that we can specify rules for this endpoint the same way we do for every other endpoint on our ResourceServer, get the same error handling behaviour, etc. How shall we go about implementing a custom authentication filter - or whatever it may be - that will grab the secret parameter from the query string, transform it into some kind of "client credentials" for a pre-configured client on the AuthorizationServer and integrate seamlessly with the rest of the OAuth2 flow?
If you can transform "WE_ARE_THE_TRUE_GUYS" into a valid OAuth2Authentication then all you need is an authentication filter that does that (and sticks it in the SecurityContext). Then the downstream filters and handlers will behave just as if it was a real OAuth2 authentication. If I were you I would put some very tight conditions in that filter to match the request to one that is on the allowed resources from this highly unusual and not very secure authentication channel.
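One way to implement the filter the answer describes, as an added example that is not from the original thread: it targets the spring-security-oauth2 2.x API, and the path, client id, scope, resource id and role name are assumed placeholders, not values from the question.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.web.filter.OncePerRequestFilter;

// Maps the fixed "?secret=..." parameter onto an OAuth2Authentication for one
// pre-configured client, and only for the single endpoint the external service calls.
public class QuerySecretAuthenticationFilter extends OncePerRequestFilter {
    private static final String ALLOWED_PATH = "/endpoint";            // assumed path
    private static final String CLIENT_ID = "external-service";        // assumed client id
    private static final Set<String> SCOPES = Collections.singleton("external:callback"); // assumed
    private static final Set<String> RESOURCE_IDS = Collections.singleton("resource-id");  // assumed
    private final byte[] expectedSecret;

    public QuerySecretAuthenticationFilter(String expectedSecret) {
        this.expectedSecret = expectedSecret.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Tight conditions: this path only, GET only, and nothing already authenticated.
        if ("GET".equals(request.getMethod())
                && ALLOWED_PATH.equals(request.getServletPath())
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            String supplied = request.getParameter("secret");
            // Constant-time comparison so response timing does not leak the secret.
            if (supplied != null && MessageDigest.isEqual(
                    supplied.getBytes(StandardCharsets.UTF_8), expectedSecret)) {
                // Stored request for the client; userAuthentication is null, i.e. a
                // client-only authentication like the client-credentials grant yields.
                OAuth2Request stored = new OAuth2Request(Collections.<String, String>emptyMap(),
                        CLIENT_ID, AuthorityUtils.createAuthorityList("ROLE_EXTERNAL_SERVICE"),
                        true, SCOPES, RESOURCE_IDS, null, null, null);
                SecurityContextHolder.getContext().setAuthentication(new OAuth2Authentication(stored, null));
            }
        }
        chain.doFilter(request, response);
    }
}
```

Register it in the resource server's `configure(HttpSecurity)` with `http.addFilterBefore(new QuerySecretAuthenticationFilter(secret), OAuth2AuthenticationProcessingFilter.class)` so the existing OAuth2 access rules and error handling apply to this endpoint unchanged.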