I have disabled the usage of crumbs inside my Jenkins, for some users it works, for some it won't.
In order to trigger a job remotely I am using a token for 'Trigger builds remotely' - I have tried to change the token, I can see the api call we use access the job, but fail on the crumb part
Since it is an AD user, one can argue that it is a local Auth issue, but the same user can trigger another job on the same Jenkins, so I don't believe it to be the case,
On the matrix security block - I have ticked all the boxes - just to see if that is the case - still not.
I've verified the job name, token string and length,
In order to disable Crumbs I use on the Script Console
(again, this works on another job, with the same user, and others as well)
import jenkins.model.Jenkins
def instance = Jenkins.instance
instance.setCrumbIssuer(null)
Yet.. I am facing with this error when trying to trigger the job:
Error class: <class jenkins.JenkinsException>. Exception occurred: Error in request. Possibly authentication failed [401]: Unauthorized
<title>Error 401 Invalid password/token for user: USER_NAME</title>
URI: /crumbIssuer/api/json
STATUS: 401
MESSAGE: Invalid password/token for user: USER_NAME
SERVLET: Stapler
Can any one explain why it is not working ?
Related
We want to enable uploading apps to the Intune store via an API.
I saw this example on GitHub, and want to do something similar in JS, so I've tried using the same REST calls.
The problem is, I can't seem to make the https://graph.microsoft.com/beta/deviceAppManagement/mobileApps request properly - I always get 401. When making the same request via the Graph API Explorer it works fine.
I tried fixing my permissions, and I'm kinda stuck getting the correct token.
I did the following steps with an admin account, on both the "common" and our own tennant:
Called the admin consent - https://login.microsoftonline.com/nativeflow.onmicrosoft.com/adminconsent?client_id=<ID>&redirect_uri=<URI>
Got authorization from the user - https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<ID>&response_type=code&redirect_uri=<URI>&response_mode=query&scope=DeviceManagementApps.ReadWrite.All
POST request to get the actual token -
https://login.microsoftonline.com/nativeflow.onmicrosoft.com/oauth2/v2.0/token
with the following body:
client_id: <ID>
scope: https://graph.microsoft.com/.default
client_secret: <secret>
grant_type: client_credentials
requested_token_use: on_behalf_of
code: <The code I got in step 2>
I tried changing the scope in step 3 to https://graph.microsoft.com/DeviceManagementApps.ReadWrite.All or simply to DeviceManagementApps.ReadWrite.All, but it says that it's not a valid scope.
I got a token in step 3, but when I try calling the actual API I receive this error:
{
ErrorCode:"Forbidden",
Message:{
_version: 3,
Message: "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 7b5c3841-976d-4509-b946-f7fdabd047d7 - Url: https://fef.msub02.manage.microsoft.com/StatelessAppMetadataFEService/deviceAppManagement/mobileApps?api-version=5018-05-02",
CustomApiErrorPhrase: "",
RetryAfter: null,
ErrorSourceService: "",
HttpHeaders: {"WWW-Authenticate":"Bearer realm=urn:intune:service,f0f3c450-59bf-4f0d-b1b2-0ef84ddfe3c7"}
},
Target:null,
Details:null,
InnerError:null,
InstanceAnnotations:[]
}
So yeah, I'm pretty much stuck. Anyone have any experience with it? I've tried making the calls in Postman, curl and via code, but nothing works.
Cheers :)
You have a couple issues going on:
You're using the Authorization Code Grant workflow but requesting Client Credentials.
The scope Device.ReadWrite.All is an application scope, it is only applicable to Client Credentials. It isn't a valid Delegated scope so it will return an error when you attempt to authenticate a user (aka delegate) using Device.ReadWrite.All.
Your body is using key:value but it should be using standard form encoding (key=value).
To get this working, you need to request a token without a user. This is done by skipping your 2nd step and moving directly to retrieving a token (body line-breaks are only for readability):
POST https://login.microsoftonline.com/nativeflow.onmicrosoft.com/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id={id}
&client_secret={secret}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&grant_type=client_credentials
Is it ever expected to see a "500" status response during the final redirect from an OAuth2 provider?
server_error: Unable to issue redirect for OAuth 2.0 transaction
I'm trying to determine if this is ultimately the provider Auth0's error (it seems to be) or mine. If it were mine I'd expect a 400 series error. It is possible to have hooks or rules, could these result in 500-series errors in a scenario like this? I would also anticipate a more specific 500-error not 500 but another available number like 599 for lack of a better example.
My more specific case has something like:
new auth0.WebAuth({
domain: '....auth0.com'
,clientID: 'theid...'
,callbackUri: 'http://localhost:8080/'
,audience: 'http...',
,responseType: 'token id_token'
,scope: 'openid profile'
,leeway: 60
});
success then 500 for /login/callback?state=... on return
I misspelled the callback field, it should be redirectUri (not callbackUri above)! Auth0 tech support was kind enough to point this out.
I also asked about changing the error from 500 internal server error to 400 "Bad Request" to indicate a missing client-provided detail per my read of the details
https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
details for 400 (and the rest) https://www.rfc-editor.org/rfc/rfc7231#section-6.5.1
I am Trying to set up Adwords API through Java, All the steps are going good but in last step while running GetCampaigns.java , Its giving several errors
"Exception in thread "main" com.google.api.ads.common.lib.exception.OAuthException: Credential could not be refreshed. at com.google.api.ads.common.lib.auth.OfflineCredentials.generateCredential(OfflineCredentials.java:240) at adwords.axis.v201705.basicoperations.GetCampaigns.main(GetCampaigns.java:46) Caused by: com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request { "error" : "invalid_grant" } at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105) at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:287) at com.google.api.client.auth.oauth2.TokenRequest.execute(TokenRequest.java:307) at com.google.api.client.auth.oauth2.Credential.executeRefreshToken(Credential.java:570) at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.executeRefreshToken(GoogleCredential.java:362) at com.google.api.client.auth.oauth2.Credential.refreshToken(Credential.java:489) at com.google.api.ads.common.lib.auth.OAuth2Helper.callRefreshToken(OAuth2Helper.java:69) at com.google.api.ads.common.lib.auth.OfflineCredentials.generateCredential(OfflineCredentials.java:234) ... 1 more"
After this error message its not going through.
This looks like a problem with your refresh token. Have you generated your refresh token?
I normally run this file to generate a refresh token.
https://github.com/googleads/googleads-java-lib/blob/master/examples/adwords_axis/src/main/java/adwords/axis/auth/GetRefreshToken.java
Did you copy the refresh token into your ads.properties file?
I installed the latest WS02 API Manager, 1.6.0. I followed the directions and just did the plain install, nothing special. When I create an API, publish it, subscribe to it, create an Access Token, and try to access it, I am seeing the following error (I replaced the access key, but it is displaying):
[2014-02-03 13:25:47,850] ERROR - APIAuthenticationHandler API authentication failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /weather, version: 1 with key: access_key
It seems that the API and access key are not getting connected. Is there something else that I have to do to make that happen? I am not using a separate database for the Key Manager, just whatever comes with the install which is a memory DB I assume. I have tried this from Advanced Rest Client in Chrome. I'm guessing something's just not configured correctly, but I don't see any errors in the start-up. I just see a few warnings along these lines:
[2014-02-03 13:25:01,262] WARN - DefaultSchemaGenerator We don't support method overloading. Ignoring [validateAudience Restriction]
Here is the full stack trace for the error:
[2014-02-03 13:25:47,850] ERROR - APIAuthenticationHandler API authentication failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /weather, version: 1 with key: access_key
at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.jav
a:139)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHand
ler.java:92)
at org.apache.synapse.rest.API.process(API.java:285)
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:76)
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:63)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:220)
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:83)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:336
)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:168)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:662)
Until few days ago everything worked fine. But after some changes on FitBit new user can not get OAuth handshake anymore. The problem is when I receive temporary tokens and make call to finish handshake and receive credentials.
So in first step I get:
TOKEN: 1a227cfde686220183763946a98173bc and VERIFIER: p2g5ims7o4ffscev603rbif05g
and in second step I use theme to make call to https://api.fitbit.com/oauth/access_token ...
Signature Base String is:
POST&https%3A%2F%2Fapi.fitbit.com%2Foauth%2Faccess_token&oauth_consumer_key%3D7c5e888aa3dd4d17a26d82a7f541b278%26oauth_token%3D1a227cfde686220183763946a98173bc%26oauth_nonce%3D5hw45lgu%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1391094796%26oauth_verifier%3Dp2g5ims7o4ffscev603rbif05g%26oauth_version%3D1.0
And by that I receive header (with signature calculated using the same function as in first step)
Authorizing with HEADER: OAuth oauth_consumer_key="7c5e888aa3dd4d17a26d82a7f541b278",oauth_token="1a227cfde686220183763946a98173bc",oauth_nonce="5hw45lgu",oauth_signature="X4udgn9A7Q2xI%2FN38QELl%2BIDVqM%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1391094796",oauth_verifier="p2g5ims7o4ffscev603rbif05g",oauth_version="1.0"
That should work but I get 401 error saying:
{"errors":[{"errorType":"oauth","fieldName":"oauth_access_token","message":"Invalid signature or token 'JNGSIMomid/oghtWGrz7crC6KhM=' or token '6c45d0ce39195e848da14cad0a4f9719'"}],"success":false}
I have been working od that for 7 hours now ... and as far as I can see everything is OK ... Error is saying about field name oauth_access_token ... This fields doesn't even exist. I tried anyway and recived error saying that security is not OK ...
Any Idea?
I had the same problem. After doing some research I noticed that the API has changed and the lib I was using was out dated.
To fix that, I updated my lib and did some code changes.
Here is the link of a .Net implementation after the change:
https://github.com/aarondcoleman/Fitbit.NET/wiki/Breaking-Change-on-1-24-2014-as-a-result-of-OAuth-update-in-Fitbit-API
Regards,
Fredy