I have a need to alter the end-point variables in my Snowflake OAuth Integration I set up for Tableau. The integration was set up using this guide: https://docs.snowflake.com/en/user-guide/oauth-partner.html#step-1-configuring-an-oauth-integration. The two parameters I need to alter are:
OAUTH_AUTHORIZATION_ENDPOINT
OAUTH_TOKEN_ENDPOINT
I need to change the endpoint from "https://account_name.snowflake..." to "https://account-name.snowflake..."
I have tried to do this by:
alter security integration tableau_server set OAUTH_AUTHORIZATION_ENDPOINT = 'https://account-name.snowflakecomputing.com/oauth/authorize';
I get this error: SQL compilation error: invalid property 'OAUTH_AUTHORIZATION_ENDPOINT' for 'INTEGRATION - OAUTH - TABLEAU_SERVER'
I am using the accountadmin role and I can change other parameters, just not these two.
I'm trying to make this change to resolve an SSL certificate error. Apparently domain names that have an underscore "_" do not follow SSL protocol any longer. Replacing the underscore with a dash works to resolve the issue but I need to make this change in my integration settings for SSO to work. Any help on how to get this done is appreciated!
I'm not an expert in this area, but those 2 parameters are not configurable parameters of your security integration object in Snowflake. Per the documentation:
For convenience, Snowflake defines the endpoints when a client is registered.
This means they are generated when you create the security integration object using these directions:
https://docs.snowflake.com/en/user-guide/oauth-custom.html#step-1-create-an-oauth-integration
My interpretation here is that if you wish to modify those, you'd need to create a new security integration (or drop and replace the existing one).
I have a default Spring Authorization Server implementation. I want to modify it as per my project requirements.
I want to implement customized introspection endpoint in new spring authorization server.
I will be having different kinds of tokens, based on token type I want to validate them differently.
So I found out by default spring authorization server uses 'OAuth2TokenIntrospectionEndpointFilter', is there a way to use this class or we have to write a new class and add it to server configuration?
Thank you.
I tried doing the following.
authorizationServerConfigurer.tokenIntrospectionEndpoint(
t -> t.authenticationProvider(customTokenAuthProvider)
.introspectionResponseHandler(successHandler));
I want to know if this is the right way to do it or if any other method exists.
It seems you have two goals:
Customize a jwt, by adding custom claims.
Obtain those claims via the introspection endpoint from a resource server.
There is actually nothing to code for on the authorization server side to achieve #2, as the introspection endpoint returns all claims for a jwt by default. I’m not clear on what you mean by “validate” here, so I’m assuming you mean validate the token and then obtain claims from it. This is what the introspection endpoint does, no customization required. Do note however that the introspection endpoint is not usually called if the resource server is decoding the jwt locally. This would only happen if the resource server is treating the token as opaque.
In order to achieve #1, simply provide an OAuth2TokenCustomizer @Bean as demonstrated in the reference documentation.
Note: I don’t see a need for a custom AuthenticationProvider. If you feel you do have a need for one, then I think some details of your use case are missing.
I've followed the doc https://docs.wso2.com/display/IS500/Writing+a+Custom+OAuth+2.0+Grant+Type
Now that I have created my new Grant Type, I need to make it easy to configure for each environment.
How can I add custom properties in a Custom Grant Type?
I need to use those properties to deploy the custom grant_type in distinct environments (production, QA, development, ...) without rebuilding the code.
For example, my Grant Type makes a request to a REST Endpoint to validate the credentials, but this endpoint is different for each environment. (Right now, my customized grant type has those configuration properties hardcoded.)
When you create a project with custom grant_type you can add as many query parameters as you want to your request.
Because of this you can add one custom parameter for your environment and, based on this parameter, you can add logic in your custom grant type project to make a separate call to the different REST Endpoints.
In the documentation that you followed, such a custom query parameter that I suggest using is mobileNumber=0333444
EDIT:
Based on our communication I have edited my first response.
You can use NetworkUtils.getLocalHostname() from org.wso2.carbon.utils jar library which will return HostName property from carbon.xml file.
Is there any way to disable the authentication requirement for accessing the API Documentation endpoints provided by the apiDiscovery-1.0 feature?
I have the apiDiscovery-1.0 feature enabled on Liberty 16.0.0.4.
I am able to see the swagger documents when I access /ibm/api/explorer as expected, but I am required to authenticate.
I am only able to authenticate by using credentials defined in a basicRegistry element within my server.xml. However, I want to eliminate this basicRegistry from my server configuration.
You can do that in the latest Beta (https://developer.ibm.com/wasdev/downloads/liberty-profile-beta/)
With that driver, you only need apiDiscovery-1.0 (SSL is optional).
The default address for the public endpoint is http://host:port/api/explorer
You can change the "/api" portion by using the publicURL attribute in the apiDiscovery element in server.xml, for example:
<apiDiscovery publicURL="/myPublicAPI" />
This is targeted for Liberty's next release, 17.0.0.1.
Please note that in the public endpoint, internal endpoints (such as JMX, Batch, etc) are not displayed - only your deployed applications.
For the internal endpoints, you can use /ibm/api/explorer (which remains requiring SSL and authentication).
I believe you can't remove the requirement for authentication for apiDiscovery for security reasons.
I doubt this helps but, you shouldn't "only be able to authenticate using credentials defined in a basicRegistry element within my server.xml" and instead any supported authentication mechanics should work like quickStartSecurity, LDAP, etc (and they can be set in any configuration file that is read by the server, not just server.xml). For example, you should be able to use quickStartSecurity in wlp/usr/shared/config to apply an Administrator role for all servers under that /wlp/usr/servers/ directory.
I am trying to implement XPagesSBT on localhost.
I have followed this article http://heidloff.net/home.nsf/dx/12152011034545AMNHECAP.htm and the SBT document by Niklas and was trying to implement dropbox oAuth.
I have also placed http://localhost/XPagesSBT.nsf/ and http://localhost/WebSecurityStore.nsf in the root folder
but I still get this error
Error while executing JavaScript action expression
Script interpreter error, line=1, col=26: Error calling method 'isAuthenticated()' on java class 'com.ibm.xsp.extlib.sbt.services.client.endpoints.DropboxEndpoint'
No application is registered with id XPagesSBT and provider Dropbox
if(!@Endpoint("dropbox").isAuthenticated()) {@Endpoint("dropbox").authenticate(true);}
Do I need to make any other configuration/setup to the XPagesSBT db? Or won't it work with localhost?
I don't remember exactly anymore but reading my blog entry you linked it says you shouldn't use Anonymous:
"Additionally there are a couple of security related settings which are important to understand. First of all you need to assign access to the document with the application keys to the ID with which you signed the two NSFs. In the screenshot above I've entered both OpenNTF servers and my own user ID. When you use the web UI to do this these names are added to the document in an authors field and a readers field.
In the last step you need to configure the ACL of the security store. Anonymous must not have access to this database. All users who you want to be able to use the Social Enabler OAuth functionality need to have author access. This is so that their user keys can be stored in this database so that they only have to do the OAuth dance once. "
It should work on localhost. It looks like a configuration issue with SBT not being able to read the security tokens from the websecuritystore.nsf. Did you create the Dropbox Application Key with an admin id and sign the websecuritystore with the correct id?
Padraic
I'm working on a project that will generate an OAuth querystring in JavaScript, using HTTPS and in an internal application, so security is not a major concern at this point (figured I'd mention that up front).
The JavaScript querystring is used to call a C# script on a different server and domain, essentially to pass data from the internal application to the C# application, and allow verification that a) the query comes from the right source, and b) the query is valid and hasn't expired, etc.
OAuthSimple gives me a signed URL like this:
http://www.myremotesite.com/mycodepath/mycodefile.aspx?firstname=Kevin&lastname=Blount&oauth_consumer_key=ThisIsTheConsumerKey&oauth_nonce=nuOoM&oauth_signature=DAoaSxD5SvVFTTDNSxiTbANzGlc%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1313162452
My question is, on the C# side of things, what do I do next? I've two thoughts, but I can't work out which I need to explore:
using C# generate a new signed URL and compare the two (or just compare the oauth_signature values)
take the querystring and somehow decrypt/decode it and verify it.
I'm told that DotNetOpenAuth is the standard to use, but I can't figure out my next step using it.
Can I get some advice on what I need to look into, or articles that explain how I should proceed?
Read the instructions on DotNetOpenAuth and make sure you understand it. I haven't used it previously, but have heard good things about it.
The oAuth server will do several steps:
Validate version - Is the client using the correct version of oAuth for you to handle
Validate TimeStamp - All timestamps must be in UTC to avoid Time Zone problems
Validate Nonce - Has it been used previously within the allowed time range
Validate Signature - Get the private key from the consumer key, compute the signature using the values passed in the parameters and compare to the actual signature.
Once the message has passed all the checks, then the server will return the resource requested by the message
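The four checks listed above (version, timestamp, nonce, signature), worked through as an added example that is not part of the answer or of DotNetOpenAuth. It is written in Python rather than C# so it can be run directly; the signing rules are those of OAuth 1.0 HMAC-SHA1 (RFC 5849 section 3.4), which is what the oauth_signature_method in the question's URL names. The consumer secret, the 300-second clock window, the in-memory nonce store and the sample URL (modelled on the one in the question) are all constructed for the example; a real server would look the secret up in its client registry and keep nonces in shared storage.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlencode, urlsplit


def _pct(s: str) -> str:
    # RFC 5849 3.6: encode everything except ALPHA / DIGIT / "-" / "." / "_" / "~"
    return quote(s, safe="-._~")


def base_uri(url: str) -> str:
    # Scheme and host lower-cased, default port dropped, query string removed.
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params) -> str:
    # Every query and oauth_* parameter except oauth_signature, encoded, sorted, joined.
    pairs = sorted((_pct(k), _pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(base_uri(url)), _pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret="") -> str:
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def sign_url(method, url, consumer_key, consumer_secret, nonce, timestamp) -> str:
    # Client side: what OAuthSimple produces, used here only to build test input.
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True) + [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp)),
    ]
    params.append(("oauth_signature", hmac_sha1_signature(method, url, params, consumer_secret)))
    return parts._replace(query=urlencode(params, quote_via=quote, safe="-._~")).geturl()


class OAuthVerifier:
    """Server side: the version / timestamp / nonce / signature checks from the answer."""

    def __init__(self, secrets, max_skew=300, now=time.time):
        self.secrets = secrets      # consumer_key -> consumer_secret (constructed registry)
        self.max_skew = max_skew    # accepted clock skew in seconds, both directions
        self.now = now              # injectable clock so the checks are testable
        self.seen = {}              # (consumer_key, timestamp, nonce) -> timestamp

    def verify(self, method: str, url: str):
        params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
        names = [k for k, _ in params if k.startswith("oauth_")]
        if len(names) != len(set(names)):
            return False, "duplicate oauth_ parameter"
        p = dict(params)
        # 1. Version: oauth_version is optional in 1.0 but must be "1.0" if present.
        if p.get("oauth_version", "1.0") != "1.0":
            return False, "unsupported oauth_version"
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        # 2. Timestamp: seconds since epoch (UTC), must be within the window.
        try:
            ts = int(p["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed oauth_timestamp"
        now = int(self.now())
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside allowed window"
        # 3. Nonce: unique per consumer key and timestamp within the window.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.max_skew}
        nonce_key = (p.get("oauth_consumer_key"), ts, p.get("oauth_nonce"))
        if None in nonce_key:
            return False, "missing consumer key or nonce"
        if nonce_key in self.seen:
            return False, "nonce replayed"
        # 4. Signature: recompute with the registered secret and compare in constant time.
        secret = self.secrets.get(p["oauth_consumer_key"])
        if secret is None:
            return False, "unknown consumer key"
        expected = hmac_sha1_signature(method, url, params, secret)
        if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
            return False, "signature mismatch"
        self.seen[nonce_key] = ts
        return True, "ok"


# Constructed sample, modelled on the URL in the question; the secret is made up.
SAMPLE_URL = "https://www.myremotesite.com/mycodepath/mycodefile.aspx?firstname=Kevin&lastname=Blount"
SAMPLE_KEY, SAMPLE_SECRET = "ThisIsTheConsumerKey", "constructed-consumer-secret"

if __name__ == "__main__":
    ts = int(time.time())
    signed = sign_url("GET", SAMPLE_URL, SAMPLE_KEY, SAMPLE_SECRET, "nuOoM", ts)
    verifier = OAuthVerifier({SAMPLE_KEY: SAMPLE_SECRET})
    print(verifier.verify("GET", signed))                              # (True, 'ok')
    print(verifier.verify("GET", signed))                              # nonce replayed
    print(verifier.verify("GET", signed.replace("Kevin", "Someone")))  # nonce replayed (same nonce)
```

The order of the checks matters for cost: the cheap version, timestamp and nonce checks run before the HMAC so a replayed or stale request never reaches the signature computation. Note that the nonce is recorded only after the signature verifies; otherwise an attacker who guesses a nonce could block a legitimate client's request. Comparing the whole URL in C# (the question's first idea) is equivalent to comparing oauth_signature values, since the signature already covers the method, base URI and every parameter.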