I am going to make request from postman to https://lms.freedomhighschool.ca/d2l/api/lp/1.30/users/
but after request i got message
{ Errors: [ {Message: "Forbidden"} ] }
I have Application ID and Application Key but don't understand how to use this data in my request
I highly and strongly recommend you consider switching from D2L's proprietary ID/KEY AUTH over to the Brightspace API OAuth2.
D2L has many resources available on its Brightspace Developer Community. And, even more helpful, is this GitHub repo --> https://github.com/Brightspace/Postman-Collections
In order to get access to DevCop.brightspace.com, you have to be a registered member of the Brightspace Developer Community.
Tool:
Postman (recommended for OAuth 2.0 Apps)
Notes:
Postman is a market-leading API test tool. It is available for free download at www.getpostman.com. You can find Sample Postman Environments and Collections on the Brightspace Github organization. You can find information on how to connect Postman to Brightspace in the Brightspace Developer Community.
Tool:
API Test Tool (ID Key Apps Only)
Notes:
The API Test Tool runs in a web browser and provides an interface to point to an instance of Brightspace, supply an App ID/Key pair, and log in with a given user account. Once authenticated, you can make calls using a straightforward interface. You can find more information about using the API test tool on the Brightspace Developer Community.
Conclusion use this -> API Test Tool if you have Application ID and Application Key
refer this documentation for brief info
To pass API key-value pair in header -> x-api-key
Related
I'm trying to automate the Application Proxy configuration. I can create applications, and service principals and configure permission. But I can't find a way to configure the app proxy. I found this page https://learn.microsoft.com/en-us/graph/application-proxy-configure-api?tabs=http but it uses the beta version.
Are there any endpoints in the Graph API in the release version that I can use to configure app proxy or when is MS going to release the beta version?
As I can see the Azure portal uses the https://main.iam.ad.ext.azure.com/api API to configure the app proxy. Can I use this API in my automated process? If so, how can I obtain a token for this API?
I found that I can obtain a token using az account get-access-token --subscription $subscription --resource 74658136-14ec-4630-ad9b-26e160ff0fc6 but it doesn't work for me because I have to use oauth authorization-code-flow. Is there any chance to use this https://main.iam.ad.ext.azure.com/api API?
I found following endpoint as well but still I'm not going to pass the client username and password through my APP.
POST https://login.microsoftonline.com/{{tenatId}}/oauth2/token
resource:74658136-14ec-4630-ad9b-26e160ff0fc6
grant_type:password
username:{{username}}
password:{{password}}
Postman Request
Connected question
As mentioned in the document as the Application Proxy configuration is only supported in Beta version, you could a feature for the same for this feature to be available in the V1 release as well.
Raise a feature request here:https://techcommunity.microsoft.com/t5/microsoft-365-developer-platform/idb-p/Microsoft365DeveloperPlatform
I need to create an organizational feed to host nuget packages shared among projects on our Azure DevOps environment.
After several unsuccesful attempts and research, I discovered that the only way to create an organizational feed is, by design from Microsoft mouth, the Azure DevOps API.
Source for the claim : This question on VS dev community
and The MS docs on project-scoped feeds
Basically, I just need to be able to perform a POST here :
https://feeds.dev.azure.com/{organization}/_apis/packaging/feeds?api-version=5.1-preview.1
with the body :
{
"name": "{myfeedname}",
"hideDeletedPackageVersions": true,
"upstreamEnabled": true
}
And of course, a Bearer token to authenticate myself. That's the point where I'm confused.
What is the simplest way to obtain one ? I'm logged in through my company Microsoft AD account on my computer browser on Azure DevOps. I don't see any Bearer token that I can "steal" to use in PostMan in my browser dev tools.
The API docs described some relevant info, but I'm confused on how to use it in Postman :
Security oauth2
Type: oauth2
Flow: accessCode
Authorization URL: https://app.vssps.visualstudio.com/oauth2/authorize&response_type=Assertion
Token URL: https://app.vssps.visualstudio.com/oauth2/token?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
Scopes Name Description
vso.packaging_write Grants the ability to
create and read feeds and packages.
Here is the interface in Postman for OAuth2:
Ican see how the info in the docs relates to the fields 1 - 2 - 3 - 4, but then, what callback url should I use ? What credentials ? my Microsoft email + password from AD ?
I tried this, and all I seem to get is this from Postman :
{"$id":"1","innerException":null,"message":"A potentially dangerous Request.Path value was detected from the client (&).","typeName":"System.Web.HttpException, System.Web","typeKey":"HttpException","errorCode":0,"eventId":0}
TLDR
How do I properly proceed to get a token with Postman, or other tool to manually execute my one-time request to Azure DevOps REST API ?
notes :
Following info here : Unable to get Authorization code for Devops using Postman oAuth2.0
, leading here : https://github.com/Microsoft/azure-devops-auth-samples/tree/master/OAuthWebSample , I understand that I have to register and run a whole web application. Am I understanding this correctly ? I there a simpler way ?
I understand that I have to register and run a whole web application. Am I understanding this correctly ? I there a simpler way ?
Yes, you are right. You have to register whole web application.
As the interface in Postman for OAuth2, we need provide the CallbackUrl, ClientID, ClientSecret and so on. Then, we check the document Requesting an OAuth 2.0 token, we could to know the Callback URL is:
The client application callback URL redirected to after auth, and that
should be registered with the API provider.
So, we have to register an OAuth client app in Azure DevOps (https://app.vsaex.visualstudio.com/app/register), then we could get the following information, like:
You could check the document Authorize access to VSTS REST APIs with OAuth 2.0 for some more details.
AFAIK, there is currently no simpler way to get a bearer token to send requests to the Azure DevOps API.
Hope this helps.
I have a functions app in azure that both a machine (client credential flow) and humans (authorization code flow) need to be able to authorize/authenticate against.
Initially I was using easy-auth, Azures out-of-the-box solution for securing functions apps. However according to this https://stackoverflow.com/a/57357226/7411328 it's not possible to use the client credentials flow with easy auth. Although I don't understand why this is. Why is it not possbile to use the same authority for two different flows with a single app registration?
Making the assumption (perhaps incorrectly) that the above is true and I have to implement JWT validation on my own.
Is there any reliable way to tell whether an API is being called by a machine or by a human?
Should I still do it with two seperate app registrations?
My understanding of these technologies might inadequate to properly ask the question, please let me know if I can do anything to clarify the question.
As far as I know, you can use client credentials flow to call an Azure function that protected by easy-auth(AAD as auth provider).Generally ,you can try the steps below :
Register an Azure AD App
Getting an access token from Azure AD by request below :
URL:
POST https://login.microsoftonline.com/<your tenant ID/name>/oauth2/token
Header:
Content-Type: application/x-www-form-urlencoded
Body:
client_id=<your new resistered app ID>&
client_secret=<your new resistered app secret>&
resource=<your Azure function app ID which configed at easy-auth>&
grant_type=client_credentials
Result:
Use this access token to call Azure function :
If you are using Azure AD b2c , pls provide me with more detailed infos , and I'll do some research for you .
I am developing a performance test script for hybrid mobile application using Rational Performance Tester V9.0 & V8.7.
The mobile application sends the request to IBM Mobile First Server v8.0 which authenticates its user using OAuth with JWT (JSON Web Token).
I tried enhancing the script and replayed but it fails at login step in an API which requests for token /mfp/api/az/v1/token
Below mentioned is the request & response for the API call,
URI: POST /mfp/api/az/v1/token
Request:
client_assertion=eyJhbGciOiJSUzI1NiIsImp3ayI6eyJhbGciOiJSUzI1NiIsImUiOiJBUUFCIiwiZXh0Ijp0cnVlLCJrZXlfb3BzIjpbXSwia3R5IjoiUlNBIiwibiI6IjAtX19nSjFLWnZsVlU5M1JGRlFuZk80TGdLeUhTN3hIMVg3RUw2ZGhKa1B6SGQ0cUhEaHdFQzFIT0k0cHhmeEMzZWh6M1I3cXQtU3A5WnpOb3o4Z1lDTVRmSmh3T21OZWh5dkNkMDU3V09PVjB1b0ZPQmFpS21pMG9qdHJoMFMzMlNuS1VWTElwekxhQUZJSkhsOGtCSm9sZ21JQW9hZHNRdFpTUWg0MVJZN2c3aWNCUzlJRkRCdGdDbUtjRHlRY29VSnpTWkIxZk1ZY2VYNGFBNDZ3elkwRkdaY3hxcG11U1kwV0xCTEhDUjdLSm9oa2wwZDk4OFlSVGtuQkE3dFBLTEF4RnQxT2daQ1BYR1owWW41ZHFKN3ZwWXZtd21hc09vSFNacWp3cktMOW51MDR0QUZ1OENHZ3ZrTnZPUmJjRFRQaElvcy1iQ0J0ZFhXZjBWek1uUSIsImtpZCI6IjYxZWNkMjY2LTNjYTItNDhlYy04M2M2LTY3MTk5MGVjNzdlOCJ9fQ%3D%3D.eyJpc3MiOiJlQmFua2luZyR3ZWIiLCJzdWIiOiI2MWVjZDI2Ni0zY2EyLTQ4ZWMtODNjNi02NzE5OTBlYzc3ZTgiLCJleHAiOjE1Mzk3Nzc3NjMxNzQsImlhdCI6MTUzOTc3NzcwMzE3NCwianRpIjoiLTQ0NjkwNTY3Njc4NzAzMTYyNzEiLCJhdWQiOiJhei92MS90b2tlbiJ9.nMcfmOPDcLjONOXhF%2B3mArM87AiPfqEPp5Bk815f9Dg7VaaIgY41jeSmlWASCdmjf9Cno3%2BwHGom%2BzAEGQDdFkmBjLpCY7TnCAv9j8HzIPDubYdSQW2pq7WKVz%2FvEQ8Z5Pa8jh8aAMTlrsBnjlPoiVfcqHBh%2F2vpHZnKvkSoCOcA2TAeJnioSlp4vpWOc26IsMwKYMqZlVs9K2Z8JwHQvESKlzDu9etxYnnQfxyqunwhG%2B5T9GKgMmCAo1%2BBGqqsEtTwOG5UmhoyYIYbMnNHzHFdl8fWwMMOtpf%2F3RqjBYNeAsZ%2BTuGkskLlA5hrLiHmfOhzPYstr8tCO2IMLbTpjQ%3D%3D&code=5059335353176972418&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fuatirmob.qcdib.com%2Fmfp%2Fapi%2Faz%2Fv1%2Fauthorization%2Fredirect%2F17553a31-f583-44f9-9b7a-d8fab31b3bff&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
Response:
{"errorCode":"invalid_client","errorMsg":"Incorrect JWT format"}
I noticed that the client_assertion value carries dynamic data in JSON form when I decrypted with https://jwt.io/#debugger
Also, developed encryption logic mentioned in IBM mobile first site to generate the client_assertion value referring this link: https://mobilefirstplatform.ibmcloud.com/blog/2016/08/09/performance-testing-for-mobilefirst-foundation-8-0/
It was not successful after following the above steps.
Please provide solution to handle the /mfp/api/az/v1/token request and generate access token which will passed in the subsequent requests.
Thanks in advance.
We have documented performance testing instruction for JMeter.
Please refer to link here for more details - https://mobilefirstplatform.ibmcloud.com/blog/2016/08/09/performance-testing-for-mobilefirst-foundation-8-0/
Please refer to section "Sign grant code" and ensure you are following steps properly [ https://mobilefirstplatform.ibmcloud.com/blog/2016/08/09/performance-testing-for-mobilefirst-foundation-8-0/#sign-grant-code ]
Try the latest Mobilefirst v8 build (late Oct 2018) which will fix this.
I am working on an LTI widget, that then needs to authenticate to the API to get additional information.
I'm struggling with trying to figure out how to process the API user authentication, and redirect back retaining the LTI information.
The request string that is returned looks like:
Array ( [x_a] => **********************
[x_b] => **********************
[x_c] => *********************************** )
The issue is that I have my PHP LTI script setup to only load if it meets the following condition:
if(!isset($_REQUEST['lis_outcome_service_url'])
|| !isset($_REQUEST['lis_result_sourcedid'])
|| !isset($_REQUEST['oauth_consumer_key'])
)
x_a is the user id, x_b is the user key .. what is x_c?
Any suggestions appreciated!
My answer is referring to the detailed topic on the IDKey Auth scheme for the Valence dev platform.
The part of the auth sequence you are referring to here is equivalent to the second stage of the sequence, just after the user has successfully authenticated themselves (when you chain on the back of an LTI launch like this, you know that the user driving the user-agent has already authenticated, because they wouldn't have otherwise been able to do the LTI launch) and the service sends back the long-lived user tokens to your service.
See steps 5 to 7 in the sequence notes, in the section called Using a third-party web application in the IDKey Authentication docs topic:
x_a={tokenID} – Unique ID associated with the long-lived token: the web application can provide this ID so that the service can precisely locate the web application/user context.
x_b={tokenKey} – Key associated with the long-lived token: the web application can use this as a key to generating session signatures.
x_c={tokenSig} – Token identity signature: the service joins (and delimits with an ampersand) the User ID (tokenID) and the User Key (tokenKey) to use as the base-string, and uses the Application Key as the key.
Note that you will need to use your Valence Application ID/Key pair in order to verify the token signature contained in x_c.
Remote plugins. Note that the Brightspace Remote Plugin service is a convenience service wrapper around LTI/external learning tools. The docs about Remote Plugins contain a fairly detailed walkthrough/sample that showcases a simple Python web-service Tool Provider implementation that receives a Brightspace LTI launch, and can turn around and use Valence API calls to get more information. You might find it useful to have a close look at that.