I have been tasked with trying to use the Google DocumentAI service to extract table data from PDF files. I am using Alteryx, but the principle would apply to PostMan or other apps where you format your own requests.
I have set up a Google Cloud Bucket, and loaded up my PDFs. I have set up a project, and got a Service Account.
The documentation shows formatting a request, and has the Authorization header as "Authorization: Bearer gcloud auth application-default print-access-token".
Given that I have the credentials json file like this...
{
"type": "service_account",
"project_id": "my-proj",
"private_key_id": "12345abc",
"private_key": "-----BEGIN PRIVATE KEY-----\stuff\n-----END PRIVATE KEY-----\n",
"client_email": "me#my-proj.iam.gserviceaccount.com",
"client_id": "12345",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/me%40my-proj.iam.gserviceaccount.com"
}
... How do I get the bearer token? I assume I will have to make some kind of call to the identity server, but it is not clear how to do this.
Related
When I request an OAuth token from Azure AD for an application user (using a client_id and client_secret) targeting the correct resource audience (target application), I don't know how to get Azure AD to populate a claim for the client's DisplayName attribute (primarily for an application client, but also users should work too) in Azure AD.
POST /<tenant_id>/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id=<client_id>&resource=<target_aud_app_uri>&client_secret=<client_secret>
{
"typ": "JWT",
"alg": "RS256",
"x5t": "xxx",
"kid": "xxx"
}.{
"aud": "<target_aud_app_uri>",
"iss": "https://sts.windows.net/<tenant_id>/",
"iat": 1619676176,
"nbf": 1619676176,
"exp": 1619680076,
"aio": "xxx",
"appid": "<client_id>",
"appidacr": "1",
"idp": "https://sts.windows.net/<tenant_id>/",
"idtyp": "app",
"oid": "xxx",
"rh": "xxx",
"roles": [
"XXX"
],
"sid": "xxx",
"sub": "xxx",
"tenant_ctry": "AU",
"tenant_region_scope": "OC",
"tid": "xxx",
"uti": "xxx",
"ver": "1.0"
}.[Signature]
In the target application configuration in Azure AD, I've added all the optional claims it allows in the UI, and even tried adding 'display_name' via the manifest but it doesn't know how to pick it up. Is there a way to do this?
This question has been asked before.
This is possible under the Microosft.graph namespace only cannot be used for any custom app. In other words, only the ms graph api token has app_displayname claim. For the token of the application custom api, it is currently not possible to add the app_displayname claim, at least for now this is impossible.
I suggest you submit user voice, and I will vote for it.
I have done OAuth2.0 using PKCE flow in .NET Framework (C# Winforms).
Now I have tokens_response in my hand.
But I'm wondering is it possible to fetch all of the organisation (not only one)?
You can check the organisations (tenants) that you can access with a given token using the /connections endpoint, like this:
GET https://api.xero.com/connections
Authorization: "Bearer " + access_token
Content-Type: application/json
Response:
[
{
"id": "e1eede29-f875-4a5d-8470-17f6a29a88b1",
"authEventId": "d99ecdfe-391d-43d2-b834-17636ba90e8d",
"tenantId": "70784a63-d24b-46a9-a4db-0e70a274b056",
"tenantType": "ORGANISATION",
"tenantName": "Maple Florist",
"createdDateUtc": "2019-07-09T23:40:30.1833130",
"updatedDateUtc": "2020-05-15T01:35:13.8491980"
},
{
"id": "32587c85-a9b3-4306-ac30-b416e8f2c841",
"authEventId": "d0ddcf81-f942-4f4d-b3c7-f98045204db4",
"tenantId": "e0da6937-de07-4a14-adee-37abfac298ce",
"tenantType": "ORGANISATION",
"tenantName": "Adam Demo Company (NZ)",
"createdDateUtc": "2020-03-23T02:24:22.2328510",
"updatedDateUtc": "2020-05-13T09:43:40.7689720"
}
]
If you need more information than the organisations' id and name, you'll need to call the /organisation endpoint individually for each.
The connections endpoint is described more in section 5 on this page of the docs: https://developer.xero.com/documentation/oauth2/auth-flow
I am learning about OAuth2 and OpenID Connect by experimenting with ASP.NET Core and IdentityServer4. So far I created a protected API server, an authorization server and a client by following a certain Udemy course. Things worked out well as client is able to get access token from the authorization server and use it to access protected API in the ASP.NET Core Web API project.
However, I am curious how can I manually validate JWT I get from my authorization server. The token I get is this:
eyJhbGciOiJSUzI1NiIsImtpZCI6IjdiMjM1NzYyMTRlOTg3ZjE3NTdjMWYxNDE1ZTg4OGEyIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1NTMyNTYxNzMsImV4cCI6MTU1MzI1OTc3MywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjpbImh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC9yZXNvdXJjZXMiLCJiYW5rT2ZEb3ROZXRBcGkiXSwiY2xpZW50X2lkIjoiY2xpZW50Iiwic2NvcGUiOlsiYmFua09mRG90TmV0QXBpIl19.boION1QMOxuHxgIkBT0hZchkCEzINSpIS20Az5HkkkkrbH72IHqC2u9tOQobCsPt4okSPIuKGmgsGY2oyPMNcQpZPAOivmKXknhij_lhTv7pzaSXmFFSSpih-eigk4243VkGz8fTH9vA_IHmQ59o9zv0Wva_pKBt9lBSd39BDocNblJR092VHl66gAp79iEJctDzEKBBdN_E-RCrgPPsetU_sO0wqgOuxA0wECAo_jQhPu3LkuU9sKfj2HAFGLVxwz0Is3SAg1XIXeZylivAJdXThMkVypjrFBTeehso_9g26MVY4bKCfZ5Bx75NmYUbOfpX1gLPSo0CWvTfHhwaNg
When I decode it on jwt.io website I get Header:
{
"alg": "RS256",
"kid": "7b23576214e987f1757c1f1415e888a2",
"typ": "JWT"
}
and Payload:
{
"nbf": 1553256173,
"exp": 1553259773,
"iss": "http://localhost:5000",
"aud": [
"http://localhost:5000/resources",
"bankOfDotNetApi"
],
"client_id": "client",
"scope": [
"bankOfDotNetApi"
]
}
Since I used RS256 algorithm for signing I need to add public key to the jwt.io to verify the token. But where do I get this public key?
If I go to discovery endpoint of my auth server (eg. http://localhost:5000/.well-known/openid-configuration/jwks) I get following data:
{
keys: [
{
kty: "RSA",
use: "sig",
kid: "7b23576214e987f1757c1f1415e888a2",
e: "AQAB",
n: "509tIiUvmKkjjGOwzKElduRqpRND7YO-Op-IlsAeNwTlxY9_t22XfCqmxUyNvuvmdIVYXz-utl5bee3Tjwp8e7ok-Vn2uX-nI0jBcjTIKL0arbd7Qo5XgvICU4x-UcINrHtqMnY4S_R0uMKgaJkl3105bh9svQh--65tknjiKqmefT4M5SLHStWTisy2e0YwiaqvLam-O_rtbEawMy5-4avZep33y9Wz_JlgWyQ4jKD1Kn8mNGybjRoW3FJRkqzVNUSrGzjqwdDPL1cZOzM2HnbBqwVSFNnJiRYxPxKL_N8Q4CS9e2OVRjTof_EdzTTGC5mkOPhBCjpmvYS5d0j6JQ",
alg: "RS256"
}
]
}
But which of these is public key? I tried pasting values for n, e and kid to jwt.io page under public key textfield in the "verify signature" section, but I always get "Invalid signature" error.
So how do I get public key for RS256 token from discovery endpoint and how can I use it to validate token in manually in jwt.io website?
Put there the whole (first and only) keys object value, including curly brackets, at least the following:
{
"kty":"RSA",
"kid":"7b23576214e987f1757c1f1415e888a2",
"e":"AQAB",
"n":"509tIiUvmKkjjGOwzKElduRqpRND7YO-Op-IlsAeNwTlxY9_t22XfCqmxUyNvuvmdIVYXz-utl5bee3Tjwp8e7ok-Vn2uX-nI0jBcjTIKL0arbd7Qo5XgvICU4x-UcINrHtqMnY4S_R0uMKgaJkl3105bh9svQh--65tknjiKqmefT4M5SLHStWTisy2e0YwiaqvLam-O_rtbEawMy5-4avZep33y9Wz_JlgWyQ4jKD1Kn8mNGybjRoW3FJRkqzVNUSrGzjqwdDPL1cZOzM2HnbBqwVSFNnJiRYxPxKL_N8Q4CS9e2OVRjTof_EdzTTGC5mkOPhBCjpmvYS5d0j6JQ"
}
I'm having issue authenticating with Azure Active Directory which is linked to a power BI service. I'm trying to get an access token so that I can access the power bi rest API.
If i use postman, I'm able to successfully use their OAuth2 login to retrieve a token that has the correct credentials to communicate with the power bi rest API.
However, when I try to do this with the adal.js the token is invalid. To simplify this to be able to reproduced, I based my project off
https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp-dotnet-webapi
You need to update window config in : \active-directory-javascript-singlepageapp-dotnet-webapi\TodoSPA\App\Scripts\app.js
window.config = {
instance: 'https://login.microsoftonline.com/',
tenant: <insert tenant>,
clientId: <insert clientid>,
postLogoutRedirectUri: window.location.origin,
cacheLocation: 'localStorage', // enable this for IE, as sessionStorage does not work for localhost.
endpoints: {
"https://api.powerbi.com": "https://analysis.windows.net/powerbi/api",
}
};
Workaround
I'm able to get the token via silent authentication where you have to hard code the username and password.
I followed this http://community.powerbi.com/t5/Developer/How-to-use-Power-BI-Rest-API-without-GUI-authentication-redirect/m-p/14218#M119 to create the request for silent authentication:
Post Url: https://login.windows.net/<tenant>/oauth2/token
Body:
password: <password>
username: <username>
client_id: <clientid>
client_secret: <secret>
grant_type: password
scope: openId
resource: https://analysis.windows.net/powerbi/api
I also validated that the account I used had the correct permission by using postman and authorization with OAuth2. The token I received had the correct permission for PowerBI.
Post Man Configuration
On postman, click on Authorization Tab -> Set Type to OAuth2.0 -> Get New Access Token:
The configuration you would use:
AuthUrl: https://login.microsoftonline.com//oauth2/authorize?resource=https://analysis.windows.net/powerbi/api
Access Token URL: https://login.microsoftonline.com//oauth2/token
Grant Type: Authorization Code:
Client ID:
Client Secret:
Go to https://dev.powerbi.com/apps to generate the clientID/ClientSecret and set the Redirect URL: https://www.getpostman.com/oauth2/callback
postman generated token:
{
"aud": "https://analysis.windows.net/powerbi/api",
"iss": "https://sts.windows.net/<id>/",
"iat": 1500464096,
"nbf": 1500464096,
"exp": 1500467996,
"acr": "1",
"aio": <value>,
"amr": [
"pwd"
],
"appid": <app_id>,
"appidacr": "1",
"family_name": "Sunderam",
"given_name": <userName>,
"ipaddr": "23.252.49.99",
"name": <name>,
"oid": <oid_id>,
"platf": "3",
"puid": <puid_id>,
"scp": "Content.Create Dashboard.Read.All Data.Alter_Any Dataset.Read.All Dataset.ReadWrite.All Group.Read Group.Read.All Metadata.View_Any Report.Read.All Report.ReadWrite.All",
"sub": <sub_id>,
"tid": <tid_id>,
"unique_name": <user_email>,
"upn": <user_email>,
"ver": "1.0",
"wids": [
<wid_id>
]
}
adal.js token
{
"aud": <aud_id>,
"iss": "https://sts.windows.net/<id>/",
"iat": 1501037728,
"nbf": 1501037728,
"exp": 1501041628,
"aio": <aio_id>",
"amr": [
"pwd"
],
"family_name": <name>,
"given_name": <name>,
"ipaddr": "23.252.49.99",
"name": ,"name"
"nonce": "b21969c3-ae73-4928-bcd0-e9c501f791e4",
"oid": <oid_id>,
"platf": "5",
"sub": <sub_id>,
"tid": <tid_id>,
"unique_name": <user_email>,
"upn": <user_email>,
"ver": "1.0"
}
Notice that the postman token has the scp, appid, and wids.
Any Advice appreciated,
Thanks,
Derek
You need to check the token via the request. For example, you can check it via the developer tools-Network tab(Chrome, F12).
And based on the token and code, the config seems incorrect. For the endpoints is the collection of {Endpoint-ResourceId} used for automatically attaching tokens in webApi calls.
You can use the config like below:
window.config = {
instance: 'https://login.microsoftonline.com/',
tenant: <insert tenant>,
clientId: <insert clientid>,
postLogoutRedirectUri: window.location.origin,
cacheLocation: 'localStorage', // enable this for IE, as sessionStorage does not work for localhost.
endpoints: {
"https://analysis.windows.net/powerbi/api": "https://api.powerbi.com",
}
};
More detail about this library, you can refer this link.
I'm using omniauth on client-side to connect with a google account. Everything is working well, I'm able to get the id_token and some more informations such as the email, name, family_name, given_name etc...
Here is how I configured the provider in app/config/initializer/omniauth.rb :
provider :google_oauth2, ENV['GOOGLE_ID'], ENV['GOOGLE_SECRET'], scope: "profile,email"
Then, as a test, to verify the authenticity of the id_token, using Postman I send a POST request such as:
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=x
replacing x by the id_token I got on my client
I get a valid answer such as :
{
"iss": "accounts.google.com",
"at_hash": "xxx-xxx",
"aud": "xxx-xxx.apps.googleusercontent.com",
"sub": "xxx",
"email_verified": "true",
"azp": "xxx-xxx.apps.googleusercontent.com",
"email": "xxx#gmail.com",
"iat": "xxx",
"exp": "xxx",
"alg": "xxx",
"kid": "xxx"
}
When I connected with my client, I allowed the application to access my profile informations and my email, and I've been following this tuto:
https://developers.google.com/identity/sign-in/web/backend-auth
who says :
// These seven fields are only included when the user has granted the "profile" and
// "email" OAuth scopes to the application.
"email": "testuser#gmail.com",
"email_verified": "true",
"name" : "Test User",
"picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
"given_name": "Test",
"family_name": "User",
"locale": "en"
I can't figure out why I'm unable to get the 5 last fields
I'm working on an API and I'd like my API to be able to fill a User model by itself, only by getting the id_token.
I'm able to get those informations on the client-side but I think this is not the client job to send this extra informations to my API right?
Token calls don't include profile info... for that you muse use:
https://www.googleapis.com/plus/v1/people/me/openIdConnect?access_token=YOUR_ACCESS_TOKEN
Since you are doing this with ruby there are 2 things i can suggest trying
Try adding your scopes as an array ["profile", "email"]
Add an extra parameter fetch_basic_profile from here