In wso2 Application Manager if I log into the ui of the /store module and go to an application registered with that user I can request an access token with a specific duration.
Is it possible to do the same through api?
I'd like tokens for a specific customer to have a different duration
Application Tokens can be generated with different expiry times like this.
curl -k -d "grant_type=client_credentials&validity_period=3600" -H "Authorization: Basic XXX" https://localhost:8243/token
User tokens have a fixed expiry time, which can be configured in identity.xml. See docs here.
I have tried by passing "validity_period" in token API (as suggested by Bhathiya in his response) but it doesn't work for me (I have used WSO2 API Manager 1.10.0 integrated with WSO2 IS), So I have created API to update "[VALIDITY_PERIOD]" column value for "[IDN_OAUTH2_ACCESS_TOKEN]" table in the associated database.
You can set any required expiry time in this table.
For more details, you can refer to below link:
https://bhajanmehtablog.wordpress.com/2017/02/01/playing-with-access-oauth-token-for-wso2-api-manager-or-wso2-is/
Related
Following this quickstart guide (Python version), I was able to quickly create and deploy a Python Flask app to a project owned by my organization. However, toward the end the guide instructs "Visit your deployed container by opening the service URL in a web browser", and but this is the step I can't get to work.
Curiously, in the logs
(https://console.cloud.google.com/logs/) the 'textPayload' data element for the request is "The request was not authenticated. Either...", which seems unusual, as I'd expect an unauthenticated request to return 401, not 403. In any case, it does not list my org email address in the request, suggesting my identity for some reason isn't being supplied. Any way to fix this so I can access the URL using a user with appropriate permissions?
Note: I can access the URL by manually running "curl -H 'Authorization: Bearer <my token>'"
Cloud Run URLs aren't directly accessible if the service only allows authenticated invocations because passing the URL on your browser will not generate the credential for you. You will have to pass auth credentials on your request and the easiest way to invoke the service is to use a tool like curl which is exactly what you noted.
You have two options to authenticate your end users which are the following:
Integrate Google Sign-In.
Implement Identity Platform or Firebase Authentication.
In either of the above choices, you need a public web or mobile app that handles the sign-in flow and then makes authenticated API calls to a Cloud Run (fully managed) service.
For more information on authenticating end users, check out the official documentation.
To complement what Mr. Donnald Cucharo said, you can also use Identity Aware Proxy (IAP) to expose your application in a secure way.
I am using WSO2 APIM 2.1.0. I followed this guide, I managed to make everything work but at the last step to generate an access token in order to call my API, I'm facing an issue. I make the call to get my token :
curl -k -d "grant_type=client_credentials&scope=test" -H "Authorization: Basic <base64id+secret>, Content-Type: application/x-www-form-urlencoded" http://localhost:8080/v1/token
I actually get my token
{"scope":"test","access_token":"67d45764-a4d3-4467-a0cc-67df34e53b28","token_type":"bearer","expires_in":3600}
But then I try to use it to call my api I get the following error :
Access failure for API: /api/1, version: 1 status: (900901) - Invalid Credentials. Make sure you have given the correct access token
When I directly check the WSO2 APIM Store interface I don't see an access token. Plus if I try to generate it from the interface it works, I get an access token which doesn't work as well and if I reload my page it disappears. I'm obviously doing something wrong but I can't figure out what. Is there some configuration that's not specified in the guide mentioned above ?
I have modified the endpoint in TokenAPI.xml with http://127.0.0.1:8080/v1/token, but I don't know what the revoke endpoint is.
The WSO2 APIM Store is only for testing purposes. The tokens generated via the curl are totally separate from the Store interface.
In your case, please check the api scopes are set correctly. (As you genereate a token with scope 'test', the api should also have the test scope)
I had an Identity Server running as well and didn't think to check the configuration. I had to uncomment the APIKeyManager section of the api-manager.xml in the Identity Server. I don't understand why having only one configuration setup gives you a token but not the correct one, it should not give you a token or throw an error saying that configuration is missing in the IS or something.
I've set up something called the Data Export Service for Dynamics 365 so that it replicates into an Azure SQL database. This is working as expected.
I'm trying to find a way to be proactively notified if this service encounters any errors. There does not appear to be a native way to do this through the setup in CRM itself, but they do provide an API. The Swagger page outlining all methods can be found here.
I'm trying to call the GetProfilesByOrganizationId method using Postman:
https://discovery.crmreplication.azure.net/crm/exporter/profiles?organizationId=4ef7XXXX-XXXX-XXXX-XXXX-XXXXXX8a98f&status=true
I'm having issues with authentication and always receive the following error:
"Message": "Received unauthenticated requestRequest Url https://discovery.crmreplication.azure.net/crm/exporter/profiles?organizationId=4ef7XXXX-XXXX-XXXX-XXXX-XXXXXX8a98f&status=true"
I have registered an application in Azure that has permission to access Dynamics 365 on behalf of the authenticated user which in this case is me, the administrator.
I have set the Type to OAuth 2.0 on the Authorization tab of Postman. I have requested an Access Token using the Grant Type of Authorization Code against the above application successfully. This has added a header to the request:
Key: Authorization
Value: Bearer BIGLONGACCESSTOKEN
Despite this header being present I still get the error mentioned above.
The API documentation implies the authentication is OAuth2 Implicit Grant Flow (click on any red exclamation mark in the documentation) but I can't get this to work in Postman. When I try to request a token with this method I get the error:
unsupported_response_type
... in the Postman console.
Any ideas how to authenticate (with Implicit Grant?) against this API in Postman?
(I'd accept C# examples if they're more appropriate, but I'd be surprised if Postman can't show me what I need)
It looks like the code sample shown by Microsoft can work if updated with newer methods and with some extra configuration in Azure that's not documented.
Azure configuration
By installing the Data Export service (and assuming it's all working) you'll have a new Enterprise Application listed in Azure AD as Crm Exporter.
To take advantage of this application and authenticate with the Data Export API you must configure an app of your own.
Go to the App registrations tab in Azure AD and add a new application registration.
Give it a name and set the Application type to Native. The redirect URI doesn't typically matter as long as it's valid.
Click the Manifest button to edit the manifest, change the property oauth2AllowImplicitFlow to true and save the changes.
The only other important configuration is Required permissions which should be set as below:
Windows Azure Active Directory
Delegated permissions
Sign in and read user profile
Data Export Service for Microsoft Dynamics 365 (Crm Exporter)
Delegated permissions
Have access to Data Export Service for Microsoft Dynamics 365 API
You will then need to click Grant Permissions.
C# changes
The updated method looks like this:
using Microsoft.IdentityModel.Clients.ActiveDirectory;
string clientId = "11cfXXXX-XXXX-XXXX-XXXX-XXXXXXXXd020";
string user = "my.username#domain.com";
string password = "PASSWORD";
var authParam= await AuthenticationParameters.CreateFromResourceUrlAsync(
new Uri("https://discovery.crmreplication.azure.net/crm/exporter/aad/challenge")
);
var context = new AuthenticationContext(authParam.Authority, false);
var credentials = new UserPasswordCredential(user, password);
var token = await context.AcquireTokenAsync(authParam.Resource, clientId, credentials).AccessToken;
You can now query the Data Export API by providing the token as a header:
Authorization : Bearer eJ0y........Hgzk
curl -X GET --header 'Accept: application/json' 'https://discovery.crmreplication.azure.net/crm/exporter/profiles?organizationId=MyOrgId&status=true'
Any good resources on how to do this? I tried doing a curl, but I have no clue how to get my app-secret. I've gone here to get the client/app id. And when I submit the curl it verifies that it's a valid client/app id.
curl -X POST -H "Cache-Control: no-cache" -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=<your-app-id>&client_secret=<your-app-secret>&grant_type=client_credentials&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default' 'https://login.microsoftonline.com/common/oauth2/v2.0/token'
On the first page you linked to (https://docs.botframework.com/en-us/skype/chat/#authentication), there's a link later on in that section:
For more information on obtaining an OAuth2 token see the OAuth 2.0
Authorization Code Flow.
On that page, in the section titled 'Request an Access Token,' it provides a more detailed description of the purpose of the POST request you're trying to send including descriptions of all the parameters, including 'client-secret.' It says the following about client-secret:
The application secret that you created in the app registration portal
for your app. It should not be used in a native app, because
client_secrets cannot be reliably stored on devices. It is required
for web apps and web APIs, which have the ability to store the
client_secret securely on the server side.
So assuming your app is a web app, when you registered it there should have been a section in the app registration portal (the second link in your original post) where you are able to generate a client_secret. That section looks like this:
If you didn't do that initially, you should still be able to go back and edit the registration to add another secret.
Hopefully that answers your question.
We use Mulesoft currently for our middleware. I am in the process of evaluating Wso2 as a possible alternative. Our primary focus is mobile clients. For the most part we implement OAuth.
Before I give too much detail, when I register an OAuth2 app on Wso2 Identity Server 5.0.0 I am expecting to see a consumer key/id. It does NOT however display one. All I see are :
Access Token Url - https://localhost:9454/oauth2/token
Authorize Url - https://localhost:9454/oauth2/authorize.
Is there something I need to enable, or am I doing something worng ?
P.S. ( "Allowed Grant Types" are all ticked )
When you create an OAuth app, you will get a OAuth Client Key & OAuth Client Secret at the table under
Inbound Authentication Configuration ->OAuth/OpenID Connect Configuration. Please use this as the consumer key and consumer secret to obtain the access token.
creating the access token can be done as combining the consumer key and consumer secret as follows and encode it by base64.
for e.g : FNZ8oxGPxWer_2elrZBoueS4XcYa:gr0JizDbStaFelXBV06cahh7Lxga
after encoding the above looks as : Rk5aOG94R1B4V2VyXzJlbHJaQm91ZVM0WGNZYTpncjBKaXpEYlN0YUZlbFhCVjA2Y2FoaDdMeGdh
Add the encoded value as follows in the CURL command.
The below Curl command is an example on how you could use it :
curl -k -d "grant_type=password&username=admin&password=admin" -H "Authorization" -H "Authorization: Basic Rk5aOG94R1B4V2VyXzJlbHJaQm91ZVM0WGNZYTpncjBKaXpEYlN0YUZlbFhCVjA2Y2FoaDdMeGdh, Content-type=application/x-www-form-urlencoded" https://domain:9443/oauth2/token
You could also find the following useful
[1] https://docs.wso2.com/display/IS500/Configuring+Inbound+Authentication+for+a+Service+Provider
[2] http://blog.lasindu.com/2014/12/wso2-identity-server-provision-service.html
[3]https://docs.wso2.com/display/IS500/OAuth+Token+Revocation+with+WSO2+Identity+Server
Hope this helps.
Regards,
Shani.
After a couple of weeks of searching the net for support on this, to speed up the evaluation, I downloaded IS 4.6.0, completed the steps as previous and there appeared the necessary information to continue the evaluation process. I now see all the fields :
Client Id ????????????????????????
Client Secret ??????????????????????
Access Token Url - https://localhost:9454/oauth2/token
Authorize Url - https://localhost:9454/oauth2/authorize.