When I try to subscribe to push notifications and use my API Gateway endpoint as the notification URL:
curl -H 'Content-Type: application/json' -H 'Authorization: Bearer TOKEN' \
-d '{
"changeType": "Created",
"expirationDateTime": "2020-09-04T14:48:27.391Z",
"notificationUrl": "AWS_API_GATEWAY/dev/webhooks",
"resource": "/me/mailfolders('\''inbox'\'')/messages"}' \
-X POST "https://graph.microsoft.com/v1.0/subscriptions"
I get the request timeout error:
{
"error": {
"code": "InvalidRequest",
"message": "Subscription validation request timed out.",
"innerError": {
"date": "2020-09-02T14:51:26",
"request-id": "2d4c31ae-af4c-40cb-a40e-d7ec4281ddfc"
}
}
}
A few weeks ago the same request worked without any issues. Now only 1 out of ~5 is successful.
However, when I make the same request but use my ngrok URL as the notification URL (which is a simple reverse proxy to THE VERY SAME AwsApiGateway: ngrok -> ruby proxy stuff -> aws api gateway), it works perfectly:
curl -H 'Content-Type: application/json' -H 'Authorization: Bearer TOKEN' \
-d '{
"changeType": "Created",
"expirationDateTime": "2020-09-04T14:48:27.391Z",
"notificationUrl": "NGROK_PROXY/dev/webhooks",
"resource": "/me/mailfolders('\''inbox'\'')/messages"}' \
-X POST "https://graph.microsoft.com/v1.0/subscriptions"
It looks like Outlook has put some limits on my ApiGateway endpoint. I have not found any explanation of such behaviour in the docs though.
Any help would be much appreciated
We were encountering this exact issue for our graph subscription endpoint (AWS API Gateway backed by a NodeJS Lambda) and were struggling to track down the exact cause.
We tried numerous ways to debug what was going on including:
Checking Lambda execution logs - nothing for failed attempts.
API Gateway logs - nothing logged.
API Gateway 'Access Logging' - again nothing.
Calling the endpoint from VMs running in different Azure regions - worked without issue.
We came to a similar conclusion to you - the Microsoft Graph API is (intentionally or unintentionally) blocking subscription requests to AWS API Gateway endpoints.
Our solution was to add a Route53 managed domain in front of the API Gateway endpoint. Since adding this we have had zero failures due to 'timeout's.
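What the notification endpoint has to return for the validation request that is timing out above, as an added example (not code from either poster): a Node.js handler for an API Gateway Lambda proxy route. Microsoft Graph sends a POST with a `validationToken` query parameter and expects it echoed back as `text/plain` with status 200 within 10 seconds; the `clientState` check and the `GRAPH_CLIENT_STATE` variable are assumptions about how the subscription was created.

```javascript
// Added example, not the posters' code. Assumes the REST API (v1) Lambda proxy
// event shape and a subscription created with a clientState value
// (GRAPH_CLIENT_STATE is a hypothetical environment variable).
const crypto = require('crypto');

const EXPECTED_CLIENT_STATE = process.env.GRAPH_CLIENT_STATE || 'constructed-secret';

// Constant-time string comparison for the shared secret.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

function handleGraphWebhook(event) {
  const token = (event.queryStringParameters || {}).validationToken;

  // 1. Validation handshake: answer before doing any other work.
  if (typeof token === 'string') {
    return {
      statusCode: 200,
      // text/plain so the reflected value is never interpreted as HTML
      headers: { 'Content-Type': 'text/plain' },
      body: token, // assumed already URL-decoded by API Gateway
    };
  }

  // 2. Change notification: only accept payloads carrying our clientState.
  let payload;
  try {
    payload = JSON.parse(event.body || '');
  } catch (err) {
    return { statusCode: 400, body: 'invalid JSON' };
  }
  const items = payload && Array.isArray(payload.value) ? payload.value : [];
  const trusted = items.length > 0 &&
    items.every((n) => safeEqual(n && n.clientState, EXPECTED_CLIENT_STATE));
  if (!trusted) {
    return { statusCode: 403, body: 'clientState mismatch' };
  }

  // Acknowledge quickly; hand the items to a queue for processing (not shown).
  return { statusCode: 202, body: '' };
}

exports.handler = async (event) => handleGraphWebhook(event);
```

If the handshake branch never shows up in the Lambda logs, the request did not reach the gateway at all, which matches what the answer above observed.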
curl -X "GET" "https://chat.twilio.com/v2/Services/ISXXXXX/Channels/CHXXXXX/Messages" \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Authorization: Bearer ACCESS_TOKEN'
I am trying to fetch Twilio chat messages as above but, I am getting
{
"code": 20003,
"detail": "Your AccountSid or AuthToken was incorrect.",
"message": "Authentication Error - No credentials provided",
"more_info": "https://www.twilio.com/docs/errors/20003",
"status": 401
}
I have created the ACCESS_TOKEN programmatically with grant roles in given channel.
Do I need to pass AccountSid as parameter?
Twilio developer evangelist here.
Access tokens are only used to authenticate users of the Voice, Video, Conversations and Sync SDKs in the client side (web, iOS and Android).
When authenticating API requests you should use either your Account Sid and Auth Token or an API key and secret.
When authorising with an API key and secret you can add the auth header in curl like this:
curl -X "GET" "https://chat.twilio.com/v2/Services/ISXXXXX/Channels/CHXXXXX/Messages" \
-H 'Content-Type: application/x-www-form-urlencoded' \
-u $TWILIO_API_KEY:$TWILIO_API_SECRET
The administrator has created an O365 group and assigned my application as a service principal as an owner for the group. He also said he had added Mail.Send permission to the application.
I have obtained the access token via client_credentials flow for the application.
I try to send mail but it fails with the following error.
$ curl -v -H "Authorization: Bearer ${TOKEN}" --data-binary @email.json -H 'Content-Type: application/json' https://graph.microsoft.com/v1.0/users/<UPN>/sendMail
{"error":{"code":"NoPermissionsInAccessToken","message":"The token contains no permissions, or permissions can not be understood.","innerError":{"oAuthEventOperationId":"...","oAuthEventcV":"...","errorUrl":"https://aka.ms/autherrors#error-InvalidGrant","requestId":"...","date":"..."}}}
What can be a problem here? What does it even mean that the application (service principal) is an owner of the group? Does it give the app additional permissions? It does not seem like it since the following request also fails:
$ curl -v -H "Authorization: Bearer ${TOKEN}" https://graph.microsoft.com/v1.0/groups/groupemail@example.com
{
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {...
}
}
}
After successfully authenticating, I want to refresh my authorization token, so I issue the following request
curl -X POST \
https://login.microsoftonline.com/<my-tenant>/oauth2/v2.0/token \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-F grant_type=refresh_token \
-F refresh_token=<my-refresh-token> \
-F client_id=<my-client-id> \
-F client_secret=<my-client-secret>
However, instead of returning with a new token, I get the following response:
{
"error": "server_error",
"error_description": "AADSTS50000: There was an error issuing a token.\r\nTrace ID: bb72ee21-7df2-4949-8375-e6d97b621300\r\nCorrelation ID: 719ea759-622b-4d63-be17-56fd6c255195\r\nTimestamp: 2018-06-15 09:07:13Z",
"error_codes": [
50000
],
"timestamp": "2018-06-15 09:07:13Z",
"trace_id": "bb72ee21-7df2-4949-8375-e6d97b621300",
"correlation_id": "719ea759-622b-4d63-be17-56fd6c255195"
}
The tenant, client id and client secret are all the same as those used when obtaining the refresh token. Yet, something is apparently missing or incorrect - but what?
You are missing the mandatory scope parameter as described here.
You also need to provide a redirect_uri, although you just make a POST request.
And the redirect_uri must match the redirect_uri used in the original authorization call.
When refreshing an access token you have to provide a scope for which you would like to get the token. Also make sure that you understand you can only refresh the access_token, not the id_token. And access_token always has a purpose (scope).
Everything is described in the documentation.
I'm looking to make a POST request to create an issue on my JIRA server. I was able to make a successful request using postman and basic authentication, but I would like to use the bearer method.
Here is my curl command:
curl --request POST \
--header 'Authorization: Bearer <token>' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{ "fields": { "project": {"key": "key"}, "summary": "Bug notification", "description": "THis is a test notification from cmd", "issuetype": {"name": "Bug"},"components": [{ "id": "0000"}], "priority": { "id": "2"}}}' \
--url 'https://server.atlassian.net/rest/api/2/issue'
Can someone please guide me on how to get the token, I have combed through a lot of documentation and nothing seemed to fit the bill?
You need to go to the API tokens page and create one from there.
You need to create a token by following these instructions: https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/
After the token is generated, you need to copy it and put some syntax below.
Get the issue example.
curl --request GET \
--url 'https://your-domain.atlassian.net/rest/api/2/issue/{issueIdOrKey}' \
--user 'email@example.com:<api_token>' \
--header 'Accept: application/json'
I've installed the Authorization extension in my Auth0 account, so authorization functionality works perfectly but now I want to access all the groups I've created there in that authorization extension. So I've followed Authorization docs but when I use the token I've generated for that it throws 403: Insufficient scope error in response.
These are the steps I've gone through:
1. Requested a token:
curl -X POST \
https://my_domain.auth0.com/oauth/token \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{
"client_id":"auth0-authorization-extension-api-client-id",
"client_secret":"auth0-authorization-extension-api-secret",
"audience":"urn:auth0-authz-api",
"grant_type":"client_credentials"
}'
Response:
{"access_token":"encoded_access_token","expires_in":86400,"token_type":"Bearer"}
2. Requested group list:
curl -X GET \
https://domain.us.webtask.io/some_hash/api/groups \
-H 'authorization: Bearer access_token'
Response:
{
"statusCode": 403,
"error": "Forbidden",
"message": "Insufficient scope"
}
Hopefully this isn't a problem still for you, but if it is:
Go to your Auth0 dashboard
Click on APIs
You should have an API called auth0-authorization-extension-api
Select Non-interactive clients tab
Select the client you want to give access to and change toggle to Authorized
There's a drop down arrow beside the authorized toggle, click that and under scopes give access to read:groups. You may need read:users too.
Hope that helps, thanks
Kevin
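A way to see what an access token actually grants before sending it, relevant both to the `Insufficient scope` response here and to the `NoPermissionsInAccessToken` error in the Graph `sendMail` question further up. This is an added example, not code from any of the posters; it decodes the JWT payload locally without verifying the signature, and the sample tokens are constructed and unsigned. Azure AD puts application permissions from the client_credentials flow in `roles` and delegated ones in `scp`; Auth0 uses a space-separated `scope` claim.

```javascript
// Added example: local, offline inspection of a JWT access token's permissions.
// Decoding is NOT verification; use it only to diagnose your own tokens.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWT (opaque token?)');
  }
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Collect every permission the token carries, whichever claim holds it.
function grantedPermissions(claims) {
  const granted = new Set();
  // Space-separated scopes: "scp" (Azure AD delegated) or "scope" (Auth0).
  for (const key of ['scp', 'scope']) {
    if (typeof claims[key] === 'string') {
      claims[key].split(' ').filter(Boolean).forEach((s) => granted.add(s));
    }
  }
  // Application permissions (client_credentials against Azure AD).
  if (Array.isArray(claims.roles)) {
    claims.roles.forEach((r) => granted.add(r));
  }
  return granted;
}

// Returns the required permissions that the token does not contain.
function missingPermissions(jwt, required) {
  const have = grantedPermissions(decodeJwtPayload(jwt));
  return required.filter((p) => !have.has(p));
}

// Builds a constructed, unsigned token for the demonstration below.
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

// Constructed samples mirroring the two situations on this page.
const graphTokenNoRoles = fakeJwt({ aud: 'https://graph.microsoft.com' });
const auth0TokenUsersOnly = fakeJwt({ aud: 'urn:auth0-authz-api', scope: 'read:users' });

console.log(missingPermissions(graphTokenNoRoles, ['Mail.Send']));
console.log(missingPermissions(auth0TokenUsersOnly, ['read:groups', 'read:users']));
```

An empty result means the token carries every permission you listed; a permission granted after the token was issued only appears in a newly requested token.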