Grafana role assignment using Azure AD OAuth - oauth

I'm trying to assign the Admin role in Grafana for certain user groups using Azure AD OAuth.
I can successfully log in with Azure AD credentials using this documentation: Set up OAuth2 with Azure Active Directory
According to this page I need to include role_attribute_path somewhere: Role mapping
role_attribute_path = contains(info.groups[*], 'admin') && 'Admin' || contains(info.groups[*], 'editor') && 'Editor' || 'Viewer'
Has anyone got a working example of role assignment using the Azure AD log in?

I've just got this to work with Keycloak as my OIDC provider. This required trapping the response from the UserInfo OAuth2 endpoint and examining the resulting JSON. Only then are you going to be able to modify the JMESPath expression to achieve what you want.
To trap the response I had to make two curl calls and therefore you will likely need to do something similar for AzureAD. The first gets you an access token, and the second call uses this to get you the details you want - ie. groups/roles - that you have chosen to expose - from the UserInfo endpoint. This behavior is described in the Grafana docs.
For what it is worth for Keycloak the calls were on Linux/bash:
ACCESS_TOKEN=$(curl \
-d "client_id=xxxx" \
-d "client_secret=xxxx" \
-d "username=xxxx" \
-d "password=xxxx" \
-d "grant_type=password" \
"https://xxx.foo.bar/auth/realms/myrealm/protocol/openid-connect/token" \
| jq --raw-output .access_token)
curl \
-X POST \
-H "Authorization: bearer "$ACCESS_TOKEN \
"https://xxx.foo.bar/auth/realms/myrealm/protocol/openid-connect/userinfo" \
| jq
When I managed to do this I found that I hadn't properly exposed the groups I was interested in and so needed to do some more config within Keycloak to enable this.
Through this tinkering I eventually got a JSON document with the groups key. Something like this:
{
...
"groups": [
"MyGroup"
],
...
}
At this point I could see that my JMESPath should therefore be:
contains(groups[*], 'MyGroup') && 'Admin'
Addendum
If you use multiple organizations in Grafana, and are migrating from LDAP, you may find that your next question is how can you map users to an org_id in a similar rules-based fashion.
As of Grafana 6.5.1 this feature is not supported although it has been requested as an enhancement. Nor is it possible to concurrently maintain a separate LDAP bind solely for the purpose of group lookups and org mappings UNLESS you are using an Oauth proxy configuration (Documentation regarding the possibility of using Oauth for authentication and LDAP for authorization with some sample configs here.)

With the introduction of Grafana 6.6.0, role assignment using OAuth with Azure AD is now possible.
I put the following into the config ini file to assign the Admin role to anyone in a certain Azure AD group and everyone else would become a Viewer:
[auth.generic_oauth]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = {{ .azure.client.id }}
client_secret = {{ .azure.client.secret }}
scopes = openid email profile
auth_url = https://login.microsoftonline.com/{{ .azure.tenantid }}/oauth2/authorize
token_url = https://login.microsoftonline.com/{{ .azure.tenantid }}/oauth2/token
api_url =
team_ids =
allowed_organizations =
role_attribute_path = contains(groups[*], '{{ .azure.admin_group }}') && 'Admin' || 'Viewer'
where
{{ .azure.client.id}} is the Azure AD, App registration, Application client ID
{{ .azure.client.secret}} is the client secret associated with the above registered app
{{ .azure.tenantid }} is the Azure AD tenant ID
{{ .azure.admin_group }} is the ObjectID of the Azure AD group you want as Admin roles

Related

Snowflake: Configure Microsoft Azure AD for External OAuth - admin consent

I am using this guide to configure Microsoft Azure AD for external OAuth in Snowflake.
I'm pretty sure that I followed all the steps because tried that meticulously on three Azure subscriptions and got the same result.
Every time I got stuck at the testing procedure section where I'm supposed to send a request to Azure AD to get an access token:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--data-urlencode "client_id=<OAUTH_CLIENT_ID>" \
--data-urlencode "client_secret=<OAUTH_CLIENT_SECRET>" \
--data-urlencode "username=<AZURE_AD_USER>" \
--data-urlencode "password=<AZURE_AD_USER_PASSWORD>" \
--data-urlencode "grant_type=password" \
--data-urlencode "scope=session:role:analyst" \
'<AZURE_AD_OAUTH_TOKEN_ENDPOINT>'
I am a subscription owner and definitely granted admin access to the session:role:analyst scope:
However, instead of the access token, I get the following response:
{
"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID '...' named 'Snowflake OAuth Client'. Send an interactive authorization request for this user and resource.\r\nTrace ID: ...\r\nCorrelation ID: ...\r\nTimestamp: ...",
"error_codes": [
65001
],
"timestamp": "...",
"trace_id": "...",
"correlation_id": "...",
"suberror": "consent_required"
}
Tried to grant the consent by reaching https://login.microsoftonline.com/{{tenant_id}}/adminconsent?client_id={{client_id}} and after granting the consent, got an error: AADSTS500113: No reply address is registered for the application.
Found this and added the return URL http://localhost/ (without a clear understanding of why). Granted the consent again and was redirected to http://localhost/?admin_consent=True&tenant={{tenant_id}}# which, I suppose, is fine.
But I still get AADSTS65001: The user or administrator has not consented to use the application.
Reached to Microsoft documentation and figured out that using grant_type=password is not recommended - makes sense.
Tried grant_type=client credentials:
curl --location --request GET 'https://login.microsoftonline.com/{{tenant_id}}/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id={{client_id}}' \
--data-urlencode 'scope=https://graph.microsoft.com/.default' \
--data-urlencode 'client_secret={{client_secret}}'
Got the access token, but attempts to connect to Snowflake with a connection string like:
connection.ConnectionString = $"account={account};host={host};authenticator=oauth;user={oauthUser};token={token};";
Throw Snowflake.Data.Client.SnowflakeDbException: 'Invalid OAuth access token..
I suspect this is because scope=https://graph.microsoft.com/.default, but replacing it with session:scope:analyst brings this:
{
"error": "invalid_scope",
"error_description": "AADSTS1002012: The provided value for scope session:scope:analyst is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).\r\nTrace ID: ...\r\nCorrelation ID: ...\r\nTimestamp: ...",
"error_codes": [
1002012
],
"timestamp": "...",
"trace_id": "...",
"correlation_id": "..."
}
Since I already deviated from the official Snowflake guide, I'm asking the community for help with this issue. Thank you in in advance!
When obtaining an access token with the Resource Owner Password Credentials Grant flow (which is not recommended and you really shouldn't do), the resulting access token is for accessing a resource (API) on behalf of the signed-in user. In the Microsoft identity platform, access on behalf of a user requires the client application be granted at least one delegated permissions to the requested resource.
In your screenshot, we see that the permission you granted for "Snowflake OAuth Resource" is an application permission (aka "app role").
You need to do two things:
On the resource app's app registration, make sure you followed sub-step 10 under Step 1: Configure the OAuth Resource in Azure AD, and defined "session:scope:analyst" as a delegated permission (scope).
In the client's app registration, under API permissions, choose the corresponding delegated permission for the resource, and grant it.
Then, when you go to test obtaining the token, make sure the "scope" parameter is the full scope value, including the resource's identifier URI (which you defined in sub-step 9). For example, if your identifier URI is https://my.snowflake.example.com, then the "scope" value would be https://my.snowflake.example.com/session:role:analyst and your cURL request would be:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--data-urlencode "client_id=<OAUTH_CLIENT_ID>" \
--data-urlencode "client_secret=<OAUTH_CLIENT_SECRET>" \
--data-urlencode "username=<AZURE_AD_USER>" \
--data-urlencode "password=<AZURE_AD_USER_PASSWORD>" \
--data-urlencode "grant_type=password" \
--data-urlencode "scope=https://my.snowflake.example.com/session:role:analyst" \
'<AZURE_AD_OAUTH_TOKEN_ENDPOINT>'
WARNING: The Resource Owner Password Credentials Grant flow is not recommended. I suggest reaching out to app publishers who are suggesting you use this flow. Here is Microsoft's warning on the subject:
Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.
If the set up is still configured for "password" type grant credentials then the issue there is with the scope which should be set up on AAD and passed as follows:
**session:role-<name>**
Note, that the hyphen between role and name and it's not a colon.
In your setup, it seems to be set up and passed as:
session:role:<name>
I think, it would be much more easier to fix this issue by checking the steps done on your environment with the details here:
https://community.snowflake.com/s/article/External-oAuth-Token-Generation-using-Azure-AD

Matching code was not found or was already used

I am trying to use the Instagram OAuth using the developer documentation at
https://developers.facebook.com/docs/instagram-basic-display-api/getting-started
Step 1 and 2 are working without any problems, so I have my Client-ID, the Client-Secret, the Redirect-URI and the code.
18
I am trying to use the Instagram OAuth using the developer documentation at
https://www.instagram.com/developer/authentication/.
Step 1 and 2 are working without any problems, so I have my Client-ID, the Client-Secret, the Redirect-URI and the code.
But every-time I am trying to get the Acces Token I get the following error:
{
"code": 400,
"error_type": "OAuthException",
"error_message": "Matching code was not found or was already used."
}
Any tips how to solve this?
Follow the instructions from Facebook link you posted not Instagram (they won't work for the new API):
Redirect for user authorization:
https://api.instagram.com/oauth/authorize
?app_id={app-id}
&redirect_uri={redirect-uri}
&scope=user_profile,user_media
&response_type=code
Exchange the code returned for a token:
curl -X POST \
https://api.instagram.com/oauth/access_token \
-F app_id={app-id} \
-F app_secret={app-secret} \
-F grant_type=authorization_code \
-F redirect_uri={redirect-uri} \
-F code={code}

Unable to get Linkedin to return data from socialActions v2 endpoints

I am using the Linkedin API OAuth 2.0 API and trying to perform a 'like' to a post or a comment using the new version 2 of the Linkedin API using the Postman client.
I have added the following permissions to the scope
r_liteprofile r_emailaddress rw_organization_admin w_organization_social r_organization_social w_member_social w_organization_social r_organization_social
And added the relevant callback, Auth & Access Token URLs to the postman request along with the Client ID and Client Secret ID.
When I perform a request to the \me v2 endpoint it returns relevant data.
When I perform the following GET request it gives me an not enough permissions error (even though it has been recently been accepted to the Marketing API for Linkedin)
https://api.linkedin.com/v2/socialActions/urn%3Ali%3Aorganisation%3A24799518/comments
I would expect to get data - but get a 403 status code and the error message below -
Not enough permissions to access: GET /socialActions/urn%3Ali%3Aorganisation%3A24799518/comments"
The cURL request looks as follows :
curl -X GET \https://api.linkedin.com/v2/socialActions/urn%3Ali%3Aorganisation%3A24799518/comments \
-H 'Authorization: Bearer {MY BEARER TOKEN HERE}' \
-H 'Content-Type: application/json' \
-H 'Postman-Token: 59c239c2-d1c7-48ee-9e5f-a894afde95dc' \
-H 'X-Restli-Protocol-Version: 2.0.0' \
-H 'cache-control: no-cache'
-- update --
I have manually tried this using cURL also with the X-Restli-Protocol-Version: 2.0.0 header and have the same issue. I am ultimately trying to use the API to like posts/comments etc..
Social Action Api is not applicable for organization|Page
GET https://api.linkedin.com/v2/socialActions/{shareUrn|ugcPostUrn|commentUrn}/comments
It is applicable for share|ugcPost|Comment
Use the following request to fetch the shares and use the share Id in the above request to get the comments for the post
GET https://api.linkedin.com/v2/shares?owners=urn:li:organization:24799518&q=owners&count=100

openAM token introspection always return active as false

I have deployed the OpenAM - AccessManagement (6.0.0.4) version. I am using Rest API's to get the access token using password flow. And trying to introspect the token.
1) get access token
$ curl \
--request POST \
--user "clientid:clientsecret" \
--data "grant_type=password&username=user&password=welcome&scope=openid" \
http://openam.mydomain.com:8080/openam/oauth2/access_token
2) get header token (to be used for authorization header while token
introspection in step 3)
$ curl \
--request POST \
--user "clientid:clientsecret" \
--data "grant_type=client_credentials&scope=openid" \
http://openam.mydomain.com:8080/openam/oauth2/access_token
3) introspect token
$ curl \
--request POST \
--header "Authorization: Basic ZGVtbzpjaGFuZ2VpdA==" \
--data "token=f9063e26-3a29-41ec-86de-1d0d68aa85e9"
"https://openam.mydomain.com:8080/openam/oauth2/introspect"
Token introspection is always returning as {"active" : false }. I guess I am missing some OpenAM configuration. any thoughts please?
UPDATE
As suggested by #BernhardThalmayr it is working when I gave token as query parameter. 3 issues here:
1)I need to give authorization header as encoded clientid:clientsecret.I can not use the bearer token generated in step 2 as authorization header.
With gluu as IDP, bearer token is accepted as auth header for token introspection.But with openAm it gives
{
"error_description": "Invalid authorization",
"error": "invalid_client"
}
I can see in docs for openam micro-services, for token validation bearer token being used as auth header. https://backstage.forgerock.com/docs/platform/6/mservices-guide/#sec-validate-am-sso-token. How to do it without microservice?
2) scope list is empty : I have added scopes in client configuration as openid, introspect, mail,cn,profile. still token introspection returns scopes array as empty
3) openam/oauth2/userinfo endpoint returns only {
"sub": "amadmin"
}
IMHO AM is not spec compliant as it requires the value of the token to be sent as query parameter [backstage.forgerock.com/docs/am/6/oauth2-guide/… in contrast to what is defined in [tools.ietf.org/html/rfc7662]. Have you tried to provide the token as documented in AM docs?

How to get the API token for Jenkins

I am trying to use the Jenkins REST API. In the instructions it says I need to have the API key. I have looked all over the configuration pages to find it. How do I get the API key for Jenkins?
Since Jenkins 2.129 the API token configuration has changed:
You can now have multiple tokens and name them. They can be revoked individually.
Log in to Jenkins.
Click you name (upper-right corner).
Click Configure (left-side menu).
Use "Add new Token" button to generate a new one then name it.
You must copy the token when you generate it as you cannot view the token afterwards.
Revoke old tokens when no longer needed.
Before Jenkins 2.129: Show the API token as follows:
Log in to Jenkins.
Click your name (upper-right corner).
Click Configure (left-side menu).
Click Show API Token.
The API token is revealed.
You can change the token by clicking the Change API Token button.
The non UI way to do this post Jenkins 2.129 is:
curl 'https://<jenkinsURL>/me/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken' \
--data 'newTokenName=foo' \
--user username:Password
which returns:
{
"status": "ok",
"data": {
"tokenName": "foo",
"tokenUuid": "<uuid>",
"tokenValue": "<redacted>"
}
}
Pre Jenkins 2.129
curl http://<username>:<password>#<jenkins-url>/me/configure
Tested in Jenkins 2.225
After making research for several hours I could find the answer:
The API token is used instead of the CSFR token. However, what happens if you want to make authentication from any other client (Postman, CLI, cURL, etc.)?
First you need to get a CSFR token and save the information in a cookie with --cookie-jar
Request
curl -s --cookie-jar /tmp/cookies -u username:password
http://localhost:8080/crumbIssuer/api/json
Response
{
"_class": "hudson.security.csrf.DefaultCrumbIssuer",
"crumb": "bc92944100d12780cfc251c9255f3f323a475562b4ee0d8b9cc6e4121f50a450",
"crumbRequestField": "Jenkins-Crumb" }
Then we can read the cookie with --cookie and generate the new token:
Request
curl -X POST -H
'Jenkins-Crumb:your_crumb_token_generated_above'
--cookie /tmp/cookies http://localhost:8080/me/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken?newTokenName=\your_token_name
-u username:password
Response
{
"status": "ok",
"data": {
"tokenName": "my android token",
"tokenUuid": "c510e26c-b2e8-4021-bf79-81d1e4c112af",
"tokenValue": "11a2a0c91913d1391d8e8cb155ca714581"
} }
How to a generate Jenkins API token
The following commands need curl and jq. Execute them in the same session.
# Change the following appropriately
JENKINS_URL="http://localhost:8080"
JENKINS_USER=admin
JENKINS_USER_PASS=admin
Get the Crumb
JENKINS_CRUMB=$(curl -u "$JENKINS_USER:$JENKINS_USER_PASS" -s --cookie-jar /tmp/cookies $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
Get the access token
ACCESS_TOKEN=$(curl -u "$JENKINS_USER:$JENKINS_USER_PASS" -H $JENKINS_CRUMB -s \
--cookie /tmp/cookies $JENKINS_URL'/me/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken' \
--data 'newTokenName=GlobalToken' | jq -r '.data.tokenValue')
Consecutive API calls
Instead of the password, you need to use the token with the username along with the crumb that was generated.
curl -u $JENKINS_USER:$ACCESS_TOKEN \
-H $JENKINS_CRUMB \ ..........

Resources