I search through google and also with keyword e.g. site:stackoverflow.com, but I do not find relevant solutions that answer my problem. I suppose it's because there are several issues bumping together.
My problem:
I have a deployed Google Cloud Functions. And I can successfully use gcloud obtaining identify token (through the steps 1. gcloud auth login 2. gcloud set project 3. gcloud auth print-identity-token) to access that deployed Google Cloud Functions without a problem.
However, there is a new requirement that an external client also wants to access to that Google Cloud Functions, but through curl (or RESTful plain http style). Now the problem raises. When following the link [1],
I do not know the client_id and client_secret because the deployed Google Cloud Functions is a service account, which looks like no client_id and client_secret. I tried using the client_id, and client_secret found in legacy credential adc.json. But the curl responds a html doc like
The document has moved here
I can auth by clicking the link in the browser, but that misses the purpose to auth in a non-interactive way.
Don't know the exact parameter to refresh to token, but I suppose this is because I do not use the correct client_id and client_secret.
I appreciate any suggestions and comment. Many thanks!
[1]. https://developers.google.com/identity/protocols/oauth2/web-server
This is just a workaround, but it works for my current requirement. I understand this may not be the correct answer. But I hope it would be of help if someone runs into similar issue.
Create client_id, client_secret, and refresh_token
gcloud auth application-default print-access-token
Refresh token
curl -s https://oauth2.googleapis.com/token \
-d client_id=$client_id \
-d client_secret=$client_secret \
-d refresh_token=$refresh_token \
-d grant_type=refresh_token
The step one will create an application-default.json file, which stores client_id, client_secret, and refresh_token, in gcloud setting's folder.
Then at the step 2, one can retrieve the refreshed token by ripping the value in response json, and use it the call to the cloud functions deployed in Google env.
The doc I use as reference is https://developers.google.com/identity/protocols/oauth2/web-server#httprest_7
Related
We have some APIs that we'd like to allow a specific backend service we'd like Keycloak to work with. We have it working with regular users with the traditional username/password type login. As you can imagine, we don't want to have a password based system, but ideally some sort of long key we can weld into the calling app to start the authentication process. If it helps to know, I'd like this to be a stateless JWT solution (eventually anyway). Yes, I've seen the documentation, but I don't know where this is talked about. Can someone send me a good link.
Client Credentials Flow in OAuth 2.0 for backend service.
This is good overview of OAuth Flow
Diagrams And Movies Of All The OAuth 2.0 Flows
How to call Client Credentials in Keycloak
What is a PAT and how to obtain it
API format
curl -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'grant_type=client_credentials&client_id=${client_id}&client_secret=${client_secret}' \
"http://localhost:8080/realms/${realm_name}/protocol/openid-connect/token"
Keycloak: Client Credentials Grant Example
Keycloak Realm VS Keycloak Client
I need to create an HTTP access token for a repository which allows me to pull modules from it while building a nodeJS application in another repository.
This was done in the past by using a personal access token from one of the employees and I want to change that.
I refered to this article " https://confluence.atlassian.com/bitbucketserver/personal-access-tokens-939515499.html " in which the steps are stated as follows:
Create HTTP access tokens for projects or repositories
HTTP access tokens can be created for teams to grant permissions at the project or repository level rather than for specific users.
To create an HTTP access token for a project or repository (requires project or repository admin permissions):
From either the Project or Repository settings, select HTTP access tokens.
Select Create token.
Set the token name, permissions, and expiry.
The problem is in my repository settings, I can't find "HTTP access tokens".
I'm using Bitbucket cloud whereas the article refers to bitbucket Server, does that make a problem? If so, this option isn't available in bitbucket cloud?
Atlassian has vast documentation, but I have a problem with it and still don't understand how to get an access token to be able simply download archives from private repositories.
So here is my step by step tutorial
Insert your workspace name instead of {workspace_name} and go to the following link in order to create an OAuth consumer
https://bitbucket.org/{workspace_name}/workspace/settings/api
set callback URL to http://localhost:8976 (doesn't need to be a real server there)
select permissions: repository -> read
use consumer's Key as a {client_id} and open the following URL in the browser
https://bitbucket.org/site/oauth2/authorize?client_id={client_id}&response_type=code
after you press "Grant access" in the browser it will redirect you to
http://localhost:8976?code=<CODE>
Note: you can spin your local server to automate this step
use the code from the previous step and consumer's Key as a {client_id}, and consumer's Secret as {client_secret}:
curl -X POST -u "{client_id}:{client_secret}" \
https://bitbucket.org/site/oauth2/access_token \
-d grant_type=authorization_code \
-d code={code} \
you should receive similar json back
{
"access_token": <access_token>,
"scopes": "repository",
"token_type": "bearer",
"expires_in": 7200,
"state": "authorization_code",
"refresh_token": <refresh_token>
}
use the access token in the following manner
curl https://api.bitbucket.org/2.0/repositories/{workspace_name} \
--header "Authorization: Bearer {access_token}
Whilst your question is about Bitbucket Cloud, the article you linked is for Atlassian's self-hosted source control tool Bitbucket Server. They have different functionality for different use cases, which is why they don't look the same.
Depending on your use case you can use App passwords or OAuth instead.
Full disclosure: I work for Atlassian
Easiest way to do it is:
Create an OAuth consumer in your Bitbucket settings (also provide dummy redirect like localhost:3000, copy KEY and SECRET.
Use curl -X POST -u "KEY:SECRET" https://bitbucket.org/site/oauth2/access_token -d grant_type=client_credentials to get JSON data with access-token.
I have a cloud run app deployed that is for internal use only.
Therefore only users of our cluster should have access to it.
I added the permission for allAuthenticated members giving them the role Cloud Run Invoker.
The problem is that those users (including me) now have to add authorization bearer header everytime I want to access that app.
This is what Cloud Run suggests to do (somehow useless when u wanna simply visit a frontend app)
curl -H \
"Authorization: Bearer $(gcloud auth print-identity-token)" \
https://importer-controlroom-frontend-xl23p3zuiq-ew.a.run.app
I wonder why it is not possible to be realized as authorized member like the GCP figures out. I can access the cluster but have to add the authorization header to access the cloud run app as authorized member? I find this very inconvenient.
Is there any way to make it way more fun to access the deployed cloud run app?
PS: I do not want to place the app in our cluser - so only fully managed is an option here
You currently can't do that without the Authorization header on Cloud Run.
allAuthenticated subject means any Google user (or service account), so you need to add the identity-token to prove you're one.
If you want to make your application public, read this doc.
But this is a timely request! I am currently running an experiment that lets you make requests to http://hello and automatically get routed to the full domain + automatically get the Authorization header injected! (This is for communication between Cloud Run applications.)
GCP now offers a proxy tool for making this easier, although it's in beta as of writing this.
It's part of the gcloud suite, you can run:
gcloud beta run services proxy $servicename --project $project --region $region
It will launch a webserver on localhost:8080, that forwards all requests to the targeted service, injecting the user's GCP token into all requests.
Of course this can only be used locally.
We could run "gcloud auth list" to get our credentialed account, and now I want to do the same thing in my python code, that is checking the credential account by API in python. But I didn't fine it..... Any suggestion?
More information is:
I want to check my account name before I create credentials
CREDENTIALS = GoogleCredentials.from_stream(ACCOUNT_FILE)
CREDENTIALS = GoogleCredentials.get_application_default()
gcloud stores credentials obtained via
gcloud auth login
gcloud auth activate-service-account
in its internal local database. There is no API besides gcloud auth list command to query them. Note that this is different (usually a subset) from the list of credentials in GCP.
Credentials used by gcloud are meant to be separate from what you use in your python code.
Perhaps you want to use
https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list, there is also API for that https://cloud.google.com/iam/docs/creating-managing-service-accounts.
For application default credentials you would download json key file using developer console https://console.cloud.google.com/iam-admin/serviceaccounts/project?project=YOUR_PROJECT or use gcloud iam service-accounts keys create command.
There is also gcloud auth application-default login command, which will create application default credential file in well known location, but you should not use it for anything serious except perhaps developing/testing. Note that credentials obtained via this command do not show up in gcloud auth list.
I'm working on OAuth implicit flow implementation with IBM API Management Beta version.Can anyone please tell me what is the process for generating an access token with an example or do I need to use curl command for access token ??? Any clear steps to follow OAuth implementation in IBM APIM Beta using any security scheme either Application flow/Implicit/Password flow is also helpful.
follow these curl for password flow:
1.) curl -k -X POST -d "grant_type=password&&scope=your_API_scope&username=your_IBM_APIM_username&password=your_IBMAPIM_password&client_id=client_id" "token_endpoint_url"
it gives access token ...copy the access token and save it in notepad.
2.) curl -k -H "Authorization : Bearer your_Access_token" -X GET "api_url&client_id=a30124a6-6757-48d6-b979-cf11b701c72a"
gives you data.