acl:
##
## The 'admin' ACL grants administrative privileges to XMPP accounts.
## You can put here as many accounts as you want.
##
admin:
user:
- "******#*****"
My ejabberd.yml file has this properties.
I want to get the user value in a module to get Admin user's name.
Since I am new to ejabberd, confused with so many codes which is getting max_user_sessions, shaper_rules etc.
How can I do this?
Advance thanks.
How to get the admin user configured in ejabberd.yml file
If the account "user1" is registered in the vhost "localhost" and you want to grant it admin rights, configure like this in ejabberd.yml:
acl:
admin:
user:
- user1#localhost
Related
I am trying to rech the endpoint
https://graph.microsoft.com/v1.0/users/{emailaddress}/mailFolders('InBox') but am receiving
Error Access Denied response.
I have granted both Mail.Read.Shared and Mail.ReadWrite.Shared on delegated permission.
The scenario I have is that in Azure AD there are a number of users , Manager#acme.com and Tests#acme.com , so they exist under the same tennant /organization.
I have an app whereby I login as Manager#acme.com as the current user. I the create a connection to the App using client id , secret etc and receive an Auth toke n to use in my api calls.
but when i try to call
https://graph.microsoft.com/v1.0/users/Tests#acme.com/mailFolders('InBox') with that token I
get the following error:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again."
}
}
Do i ned to grant both Mail.Read.Shared and Mail.ReadWrite.Shared on Application level ?
Or do i need to create a shared folder in Outlook ?
I don't believe Mail.Read.Shared or Mail.ReadWrite.Shared exist as assignable application permissions.
The only permission your App Registration should need is Mail.Read, unless you're intending on the using Graph to delete / send emails etc.
You will likely also need an ApplicationAccessPolicy. You can either create one in the Exchange Online Admin Center, or through PowerShell. I recommend you create a mail enabled security group for all addresses which you need to access and grant restricted access to your app through that policy.
I prefer PowerShell, so in that case you would need the ExchangePowerShell module, and connect to Exchange Online. You'll need some Exchange admin role to be able to do this.
So, let's assume you've created a mail enabled security group called GraphAccessibleUsers#acme.com. You can set the property to hide this from the GAL so users can't see it.
You would then create a policy as follows:
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "<Your-App-Registration-Id" -PolicyScopeGroupId GraphAccessibleUsers#acme.com -Description "Allow App access to users in GraphAccessibleUsers#acme.com"
The -PolicyScopeId parameter will accept:
Name
Distinguished name (DN)
Display name
Email address
GUID
If you only have a few addresses, you may opt to create an individual ApplicationAccessPolicy for each email address.
Finally, I don't think your Graph API URI is correct.
If you want to access the Inbox of Tests#acme.com, then try this instead:
https://graph.microsoft.com/v1.0/users/Tests#acme.com/mailFolders/Inbox
Please refer to mailFolder Resource Type here.
I am having trouble creating a PowerApps Custom Connector which allows me to access Microsoft Graph using APPLICATION permissions.
I have created my Azure AD App Registration, with three API permissions:
Delegated: User.Read
Application: User.Read.All
Application: Directory.Read.All
I have confirmed the Redirect URI is correctly set for Power Apps (https://global.consent.azure-apim.net/redirect) and I have generated a Client Secret.
I have then created TWO different Power Apps custom connectors, and both of them give me exactly the same results.
Connector A: Auth Type: OAuth2.0
Identity Provider: Generic OAuth 2
Client ID & Client Secret (as expected)
Auth URL: https://login.microsoftonline.com/{{Tenant ID}/oauth2/v2.0/authorize
Token URL: https://login.microsoftonline.com/{{Tenant ID}/oauth2/v2.0/token
Scope: https://graph.microsoft.com/.default
Connector B: Auth Type: OAuth 2.0
Identify Provider: Azure Active Directory
Client ID & Client Secret (as expected)
Login URL: https://login.windows.net
Tenant ID: common (this is the default)
Resource URL: https://graph.microsoft.com
Scope: {blank} (this is the default)
I then setup (in both connectors) the same two actions:
/v1.0/me
/v1.0/users
In BOTH connectors the first action (/me) works .. and returns the details of the logged in user.
The second connector (/users) returns "Access Denied - Insufficient Privileges".
This is telling me it is using the Delegated permissions (which allows it to retrieve /me) and not the Application permissions (which is why it can't list all of the user accounts).
So .. is there any setting in Power Apps which allows me to specify that this connector should use Application requests rather than delegated?
Thank you!
I've followed Grafana docs and I'm not sure how to configure the Grafana with OpenID connect.
https://grafana.com/docs/grafana/latest/auth/generic-oauth/
We already configured several applications with OpenID connect which works OK.
What I need is to configure the OpenID connect to Grafana.
What we have:
ClientID
Client Secret
expose Grafana publicly
In addition, we exposed our Grafana publicly and should configure "/redirect" to it.
Our issuer servers configs support the following:
"issuer" : "https://accounts.fds.com"
"authorization_endpoint": "https://accounts.fds.com/oauth2/authorize"
"token_endpoint":"https://accounts.fds.com/oauth2/token"
"response_types_supported":["code","id_token","token"]
"scope_supported": ["openid"]
From the doc This callback URL must match the full HTTP address that you use in your browser to access Grafana, but with the prefix path of /login/generic_oauth"
So we provided this also, my question is what should I do further, what is mandatory ?
Should I create some application or this is just configuration task?
We are using Grafana 7.1 .
I've configured it like following:
grafana:
enabled: true
namespaceOverride: ""
grafana.ini:
server:
root_url: http://a725be449-30559695.eu-central-1.elb.amazonaws.com/
auth.generic_oauth:
enabled: true
client_id: foo_clientid
client_secret: foo_secert
scopes: "openid"
auth_url: https://accounts.fds.com/oauth2/authorize
token_url: https://accounts.fds.com/oauth2/token
# api_url: https://${domain}/userinfo. //Not sure what this
allow_sign_up: true
In the 'root_url' field I've put the the link to our grafana which redirects to to /login
Not sure what is the API_URL???, what should I provide there?
When deploying the app I see new button with sigh in with oAuth when I click I got error: "OpenID provider cannot process the request because the configuration is incorrect. Please contact your system administrator." any idea ?
In addition if I want to configure redirect url which property should I use?
update
I was able to see the redirect working but I got this error, any idea ?
Your used OIDC client should have configured this redirect URL:
http://a725be449-30559695.eu-central-1.elb.amazonaws.com/login/generic_oauth
That will be requested redirect URL by Grafana based on your grafana.ini configuration.
I hope you know that https protocol is required for OIDC.
I am trying to implement AWS Cognito into my application for better all round authentication. The system is a Rails application that is currently using Warden/Devise as the method for handling user accounts (Login,Registration).
My goal is to have a AWS UserPool that contains the list of users for the application. When a user is verified using Cognito I wish to then search the tables that we currently use for the role and move the user to the correct area of the system based on the role that they are assigned too.
I have started to implement the logic to handle this but have come up against a brick wall.
Please see below my code.
cognito_authenticatable.rb
Logic for handling the cognito authentication. All i want to do here is check that the user is registered and return the valid token so i can prefer internal application checks to gather the user role.
def authenticate!
if params[:login]
region_name = 'us-east-2'
user_pool_id = 'us-east-2_Qj78BNQon'
client_id = '1pv3eno72e51mll3q36cuiojmr'
client = Aws::CognitoIdentityProvider::Client.new(
region: region_name
)
resp = client.initiate_auth({
client_id: client_id,
auth_flow: "USER_PASSWORD_AUTH",
auth_parameters: {
"USERNAME" => email,
"PASSWORD" => password
}
})
end
end
divise.rb
This code is just to add the new authentication strategy to the applications warden service.
config.warden do |manager|
manager.strategies.add(:cognito,
Devise::Strategies::CognitoAuthenticatable)
manager.default_strategies(:scope => :login).unshift :cognito
manager.default_strategies(:scope => :login).pop
end
The output error within the console is
Aws::Errors::MissingCredentialsError (unable to sign request without credentials set):
config/initializers/cognito_authenticatable.rb:23:in `authenticate!'
and here is an image from the localhost application that was running.
Any help on this would be amazing.
Thanks in advance.
One solution could be to uncheck the option for generating a client secret when you create the app client in the Cognito user pool. This option is checked by default and you have to know to uncheck it (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html).
By default, user pools generate a client secret for your app. If you don't want that to happen, clear Generate client secret.
It's only possible to uncheck the client secret during the creation of a new client, so you might have to delete your client app and create a new one (not a big deal).
I also collect my learnings on Cognito, Devise, Rails and VueJS in a Medium article: https://medium.com/#morgler/beta-learnings-from-developing-vuejs-quasar-aws-amplify-and-cognito-application-dd38ec58b881
You are getting this error due to your AWS SDK for Ruby not being configured correctly. That error would likely exist not only for Cognito APIs, but it would exist for any AWS Signature V4 signed API calls. Kindly refer to this documentation to configure your SDK correctly for your application.
I am using Ruby on Rails with the Google Drive API (https://github.com/gimite/google-drive-ruby) and I am trying to display data from a spreadsheet on my Google-account in a webpage.
This is the code I use to authorize the application to use my Google Drive account. I have generated credentials for a service account in Google Developers console.
def build_client(credentials)
client = Google::APIClient.new
client.authorization = credentials
client = client.discovered_api('drive', 'v2')
client
end
Now to access the files I need to start a new session but there is only documentation on how to start a session when you authorize the application via OAuth (https://github.com/gimite/google-drive-ruby#how-to-use) and I am using the credentials generated in Developers Console... what I am trying to figure out is how to start a session when logged in with pre-generated credentials for a service account.
You should be able to obtain the credentials from your project in console.google.com. From there, we have to update the code in google_drive.rb to authenticate as a service account. The code should be something like:
require 'google/api_client'
## Email of the Service Account #
SERVICE_ACCOUNT_EMAIL = '<some-id>#developer.gserviceaccount.com'
## Path to the Service Account's Private Key file #
SERVICE_ACCOUNT_PKCS12_FILE_PATH = '/path/to/<public_key_fingerprint>-privatekey.p12'
##
# Build a Drive client instance authorized with the service account
# that acts on behalf of the given user.
#
# #param [String] user_email
# The email of the user.
# #return [Google::APIClient]
# Client instance
def build_client(user_email)
key = Google::APIClient::PKCS12.load_key(SERVICE_ACCOUNT_PKCS12_FILE_PATH, 'notasecret')
asserter = Google::APIClient::JWTAsserter.new(SERVICE_ACCOUNT_EMAIL,
'https://www.googleapis.com/auth/drive', key)
client = Google::APIClient.new
client.authorization = asserter.authorize(user_email)
client
end
You can find out more information here.