I'm working with UAA from cloudfoundry. there are two users with same email: saml and uaa. when i do get, uaac ask me to choose user:
uaac user get xxx#yyy.com
Select an origin:
1. uaa
2. SAML
Select user:
to avoid the question i can also do this:
uaac user get xxx#yyy.com --origin=uaa
and when i do
uaac member add scim.read xxx#yyy.com
i got:
RuntimeError: not all users found, none added
and i can't do
uaac member add scim.read xxx#yyy.com --origin=uaa
so how can i add one specific user to UAA?
the only way i found was to use uaac curl:
uaac curl -XPOST -H "Content-Type: application/json" -H "Accept: application/json" -d '{"value":"xxxx-xxx-xxx-xxx-xxx","origin":"uaa","type":"USER"}' /Groups/yyyy-yyy-yyy-yyy-yyyy/members
If you're trying to create account--and it seems like you are, given you're trying to "add" a user to the UAA origin--you should use uaac user add instead of uaac member add
Related
I am using this guide to configure Microsoft Azure AD for external OAuth in Snowflake.
I'm pretty sure that I followed all the steps because tried that meticulously on three Azure subscriptions and got the same result.
Every time I got stuck at the testing procedure section where I'm supposed to send a request to Azure AD to get an access token:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--data-urlencode "client_id=<OAUTH_CLIENT_ID>" \
--data-urlencode "client_secret=<OAUTH_CLIENT_SECRET>" \
--data-urlencode "username=<AZURE_AD_USER>" \
--data-urlencode "password=<AZURE_AD_USER_PASSWORD>" \
--data-urlencode "grant_type=password" \
--data-urlencode "scope=session:role:analyst" \
'<AZURE_AD_OAUTH_TOKEN_ENDPOINT>'
I am a subscription owner and definitely granted admin access to the session:role:analyst scope:
However, instead of the access token, I get the following response:
{
"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID '...' named 'Snowflake OAuth Client'. Send an interactive authorization request for this user and resource.\r\nTrace ID: ...\r\nCorrelation ID: ...\r\nTimestamp: ...",
"error_codes": [
65001
],
"timestamp": "...",
"trace_id": "...",
"correlation_id": "...",
"suberror": "consent_required"
}
Tried to grant the consent by reaching https://login.microsoftonline.com/{{tenant_id}}/adminconsent?client_id={{client_id}} and after granting the consent, got an error: AADSTS500113: No reply address is registered for the application.
Found this and added the return URL http://localhost/ (without a clear understanding of why). Granted the consent again and was redirected to http://localhost/?admin_consent=True&tenant={{tenant_id}}# which, I suppose, is fine.
But I still get AADSTS65001: The user or administrator has not consented to use the application.
Reached to Microsoft documentation and figured out that using grant_type=password is not recommended - makes sense.
Tried grant_type=client credentials:
curl --location --request GET 'https://login.microsoftonline.com/{{tenant_id}}/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id={{client_id}}' \
--data-urlencode 'scope=https://graph.microsoft.com/.default' \
--data-urlencode 'client_secret={{client_secret}}'
Got the access token, but attempts to connect to Snowflake with a connection string like:
connection.ConnectionString = $"account={account};host={host};authenticator=oauth;user={oauthUser};token={token};";
Throw Snowflake.Data.Client.SnowflakeDbException: 'Invalid OAuth access token..
I suspect this is because scope=https://graph.microsoft.com/.default, but replacing it with session:scope:analyst brings this:
{
"error": "invalid_scope",
"error_description": "AADSTS1002012: The provided value for scope session:scope:analyst is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).\r\nTrace ID: ...\r\nCorrelation ID: ...\r\nTimestamp: ...",
"error_codes": [
1002012
],
"timestamp": "...",
"trace_id": "...",
"correlation_id": "..."
}
Since I already deviated from the official Snowflake guide, I'm asking the community for help with this issue. Thank you in in advance!
When obtaining an access token with the Resource Owner Password Credentials Grant flow (which is not recommended and you really shouldn't do), the resulting access token is for accessing a resource (API) on behalf of the signed-in user. In the Microsoft identity platform, access on behalf of a user requires the client application be granted at least one delegated permissions to the requested resource.
In your screenshot, we see that the permission you granted for "Snowflake OAuth Resource" is an application permission (aka "app role").
You need to do two things:
On the resource app's app registration, make sure you followed sub-step 10 under Step 1: Configure the OAuth Resource in Azure AD, and defined "session:scope:analyst" as a delegated permission (scope).
In the client's app registration, under API permissions, choose the corresponding delegated permission for the resource, and grant it.
Then, when you go to test obtaining the token, make sure the "scope" parameter is the full scope value, including the resource's identifier URI (which you defined in sub-step 9). For example, if your identifier URI is https://my.snowflake.example.com, then the "scope" value would be https://my.snowflake.example.com/session:role:analyst and your cURL request would be:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--data-urlencode "client_id=<OAUTH_CLIENT_ID>" \
--data-urlencode "client_secret=<OAUTH_CLIENT_SECRET>" \
--data-urlencode "username=<AZURE_AD_USER>" \
--data-urlencode "password=<AZURE_AD_USER_PASSWORD>" \
--data-urlencode "grant_type=password" \
--data-urlencode "scope=https://my.snowflake.example.com/session:role:analyst" \
'<AZURE_AD_OAUTH_TOKEN_ENDPOINT>'
WARNING: The Resource Owner Password Credentials Grant flow is not recommended. I suggest reaching out to app publishers who are suggesting you use this flow. Here is Microsoft's warning on the subject:
Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.
If the set up is still configured for "password" type grant credentials then the issue there is with the scope which should be set up on AAD and passed as follows:
**session:role-<name>**
Note, that the hyphen between role and name and it's not a colon.
In your setup, it seems to be set up and passed as:
session:role:<name>
I think, it would be much more easier to fix this issue by checking the steps done on your environment with the details here:
https://community.snowflake.com/s/article/External-oAuth-Token-Generation-using-Azure-AD
I'm creating a payment intent as per the Stripe documentation:
payment_intent = Stripe::PaymentIntent.create({
payment_method_types: ['card'],
amount: '1000',
currency: 'aud',
application_fee_amount: '10',
}, stripe_account: 'pi_1IwLlIJuxAkCMV')
When stripe_account is an Express account, the payment intent gets created and appears in the dashboard as expected.
But when stripe_account is a Standard account, the payment intent appears to be created and is visible in the console, but the payment intent is not visible in the stripe dashboard, and nor can it be retrieved with Stripe::PaymentIntent.retrieve(id):
Stripe::PaymentIntent.retrieve(payment_intent.id)
Stripe::InvalidRequestError: No such payment_intent: 'pi_1IwLlIJuxAkCMV'
from stripe-5.26.0/lib/stripe/stripe_client.rb:592:in `handle_error_response'
Question
Why does creating a payment intent work for express connected accounts but not standard connected accounts?
In your initial snippet, you likely meant to include an account id like acct_123 in the optional stripeAccount header (ref). That optional parameter also should be within an {} object/hash, though that appears to not be used in the example you linked.
Authenticating as one of your connected accounts like this creates the payment intent as a direct charge on the connected account itself (as described eslewhere on the doc you linked).
After creating a direct charge like this, you need to include that same stripeAccount header to authenticate during the retrieval:
Stripe::PaymentIntent.retrieve(payment_intent.id, { stripeAccount: 'acc'})
Edit to add: Confirming this curl example works as expected:
curl --request POST \
--url https://api.stripe.com/v1/payment_intents \
-u sk_test_123: \
--header 'Stripe-Account: acct_123' \
--data amount=10000 \
--data currency=usd \
--data confirm=true \
--data payment_method=pm_card_visa \
--data application_fee_amount=500
Creates pi_456, then:
curl --request GET \
--url https://api.stripe.com/v1/payment_intents/pi_456 \
-u sk_test_123: \
--header 'Stripe-Account: acct_123' \
The administrator has created a O365 group and assigned my application as a service principal as an owner for the group. He also said he had added Mail.Send permission to the application.
I have obtained the access token via client_credentials flow for the application.
I try to send mail but it fails with the following error.
$ curl -v -H "Authorization: Bearer ${TOKEN}" --data-binary #email.json -H 'Content-Type: application/json' https://graph.microsoft.com/v1.0/users/<UPN>/sendMail
{"error":{"code":"NoPermissionsInAccessToken","message":"The token contains no permissions, or permissions can not be understood.","innerError":{"oAuthEventOperationId":"...","oAuthEventcV":"...","errorUrl":"https://aka.ms/autherrors#error-InvalidGrant","requestId":"...","date":"..."}}}
What can be a problem here? What does it even mean that the application (service principal) is an owner of the group? Does it give the app additional permissions? It does not seem like it since the following request also fails:
$ curl -v -H "Authorization: Bearer ${TOKEN}" https://graph.microsoft.com/v1.0/groups/groupemail#example.com
{
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {...
}
}
}
I am trying to use the Jenkins REST API. In the instructions it says I need to have the API key. I have looked all over the configuration pages to find it. How do I get the API key for Jenkins?
Since Jenkins 2.129 the API token configuration has changed:
You can now have multiple tokens and name them. They can be revoked individually.
Log in to Jenkins.
Click you name (upper-right corner).
Click Configure (left-side menu).
Use "Add new Token" button to generate a new one then name it.
You must copy the token when you generate it as you cannot view the token afterwards.
Revoke old tokens when no longer needed.
Before Jenkins 2.129: Show the API token as follows:
Log in to Jenkins.
Click your name (upper-right corner).
Click Configure (left-side menu).
Click Show API Token.
The API token is revealed.
You can change the token by clicking the Change API Token button.
The non UI way to do this post Jenkins 2.129 is:
curl 'https://<jenkinsURL>/me/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken' \
--data 'newTokenName=foo' \
--user username:Password
which returns:
{
"status": "ok",
"data": {
"tokenName": "foo",
"tokenUuid": "<uuid>",
"tokenValue": "<redacted>"
}
}
Pre Jenkins 2.129
curl http://<username>:<password>#<jenkins-url>/me/configure
Tested in Jenkins 2.225
After making research for several hours I could find the answer:
The API token is used instead of the CSFR token. However, what happens if you want to make authentication from any other client (Postman, CLI, cURL, etc.)?
First you need to get a CSFR token and save the information in a cookie with --cookie-jar
Request
curl -s --cookie-jar /tmp/cookies -u username:password
http://localhost:8080/crumbIssuer/api/json
Response
{
"_class": "hudson.security.csrf.DefaultCrumbIssuer",
"crumb": "bc92944100d12780cfc251c9255f3f323a475562b4ee0d8b9cc6e4121f50a450",
"crumbRequestField": "Jenkins-Crumb" }
Then we can read the cookie with --cookie and generate the new token:
Request
curl -X POST -H
'Jenkins-Crumb:your_crumb_token_generated_above'
--cookie /tmp/cookies http://localhost:8080/me/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken?newTokenName=\your_token_name
-u username:password
Response
{
"status": "ok",
"data": {
"tokenName": "my android token",
"tokenUuid": "c510e26c-b2e8-4021-bf79-81d1e4c112af",
"tokenValue": "11a2a0c91913d1391d8e8cb155ca714581"
} }
How to a generate Jenkins API token
The following commands need curl and jq. Execute them in the same session.
# Change the following appropriately
JENKINS_URL="http://localhost:8080"
JENKINS_USER=admin
JENKINS_USER_PASS=admin
Get the Crumb
JENKINS_CRUMB=$(curl -u "$JENKINS_USER:$JENKINS_USER_PASS" -s --cookie-jar /tmp/cookies $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
Get the access token
ACCESS_TOKEN=$(curl -u "$JENKINS_USER:$JENKINS_USER_PASS" -H $JENKINS_CRUMB -s \
--cookie /tmp/cookies $JENKINS_URL'/me/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken' \
--data 'newTokenName=GlobalToken' | jq -r '.data.tokenValue')
Consecutive API calls
Instead of the password, you need to use the token with the username along with the crumb that was generated.
curl -u $JENKINS_USER:$ACCESS_TOKEN \
-H $JENKINS_CRUMB \ ..........
I've installed the Authorization extension in my Auth0 account, so authorization functionality works perfectly but now I want to access all the groups I've created there in that authorization extension. So I've followed Authorization docs but when I use the token I've generated for that it throws 403: Insufficient scope error in response.
These are the steps I've gone through:
1.Requested a token:
curl -X POST \
https://my_domain.auth0.com/oauth/token \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '{
"client_id":"auth0-authorization-extension-api-client-id",
"client_secret":"auth0-authorization-extension-api-secret",
"audience":"urn:auth0-authz-api",
"grant_type":"client_credentials"
}'
Response:
{"access_token":"encoded_access_token","expires_in":86400,"token_type":"Bearer"}
2.Requested group list:
curl -X GET \
https://domain.us.webtask.io/some_hash/api/groups \
-H 'authorization: Bearer access_token'
Response:
{
"statusCode": 403,
"error": "Forbidden",
"message": "Insufficient scope"
}
Hopefully this isn't a problem still for you, but if it is:
Go to your Auth0 dashboard
Click on APIs
You should have an API called auth0-authorization-extension-api
Select Non-interactive clients tab
Select the client you want to give access to and change toggle to Authorized
There's a drop down arrow beside the authorized toggle, click that and under scopes give access to read:groups. You may need read:users too.
Hope that helps, thanks
Kevin