With a private repo on github, I can generate a "personal access token" and
curl https://<oauth-secret>:x-oauth-basic#raw.githubusercontent.com/<me>/<repo>/master/<file>
and get the content of the file. Is the same thing possible with bitbucket?
Oh hey, it turns out you can just use http(s) authentication.
curl --user <username>:<password> https://bitbucket.org/<username>/<repo>/raw/<file>
It's a bit of a bigger security hole having a username and password in a script than a token (for which you can restrict permissions), but it gets the job done in this case.
According to OAuth on Bitbucket Cloud you need to write https://x-token-auth:{access_token}#bitbucket.org so that you are using the token as password instead of username.
Use OAuth token and Bitbucket api with access_token param:
https://api.bitbucket.org/2.0/repositories/{username}/{repo_slug}/src/master/{file}?access_token={access_token}
Related
I need to create an organizational feed to host nuget packages shared among projects on our Azure DevOps environment.
After several unsuccesful attempts and research, I discovered that the only way to create an organizational feed is, by design from Microsoft mouth, the Azure DevOps API.
Source for the claim : This question on VS dev community
and The MS docs on project-scoped feeds
Basically, I just need to be able to perform a POST here :
https://feeds.dev.azure.com/{organization}/_apis/packaging/feeds?api-version=5.1-preview.1
with the body :
{
"name": "{myfeedname}",
"hideDeletedPackageVersions": true,
"upstreamEnabled": true
}
And of course, a Bearer token to authenticate myself. That's the point where I'm confused.
What is the simplest way to obtain one ? I'm logged in through my company Microsoft AD account on my computer browser on Azure DevOps. I don't see any Bearer token that I can "steal" to use in PostMan in my browser dev tools.
The API docs described some relevant info, but I'm confused on how to use it in Postman :
Security oauth2
Type: oauth2
Flow: accessCode
Authorization URL: https://app.vssps.visualstudio.com/oauth2/authorize&response_type=Assertion
Token URL: https://app.vssps.visualstudio.com/oauth2/token?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
Scopes Name Description
vso.packaging_write Grants the ability to
create and read feeds and packages.
Here is the interface in Postman for OAuth2:
Ican see how the info in the docs relates to the fields 1 - 2 - 3 - 4, but then, what callback url should I use ? What credentials ? my Microsoft email + password from AD ?
I tried this, and all I seem to get is this from Postman :
{"$id":"1","innerException":null,"message":"A potentially dangerous Request.Path value was detected from the client (&).","typeName":"System.Web.HttpException, System.Web","typeKey":"HttpException","errorCode":0,"eventId":0}
TLDR
How do I properly proceed to get a token with Postman, or other tool to manually execute my one-time request to Azure DevOps REST API ?
notes :
Following info here : Unable to get Authorization code for Devops using Postman oAuth2.0
, leading here : https://github.com/Microsoft/azure-devops-auth-samples/tree/master/OAuthWebSample , I understand that I have to register and run a whole web application. Am I understanding this correctly ? I there a simpler way ?
I understand that I have to register and run a whole web application. Am I understanding this correctly ? I there a simpler way ?
Yes, you are right. You have to register whole web application.
As the interface in Postman for OAuth2, we need provide the CallbackUrl, ClientID, ClientSecret and so on. Then, we check the document Requesting an OAuth 2.0 token, we could to know the Callback URL is:
The client application callback URL redirected to after auth, and that
should be registered with the API provider.
So, we have to register an OAuth client app in Azure DevOps (https://app.vsaex.visualstudio.com/app/register), then we could get the following information, like:
You could check the document Authorize access to VSTS REST APIs with OAuth 2.0 for some more details.
AFAIK, there is currently no simpler way to get a bearer token to send requests to the Azure DevOps API.
Hope this helps.
I want to have oauth/bearer token to authenticate my private registry. please let me know the steps.
docker login needs id and password, so how to pass token?
New to this domain, so need help.
You will have to perform API calls in the following order:
Authenticate and get the token
https://docs.docker.com/registry/spec/auth/oauth/
https://docs.docker.com/registry/spec/auth/token/
Using the token, get the digest for the image and use that digest to pull the corresponding layer via API calls mentioned in the link below.
https://docs.docker.com/registry/spec/api/#pulling-an-image
Found samples for Custom grant, password and credentials. Is there some sample (nodejs, curl, java or any other option) that you can test the authorization code with the playground2?
Oauth with Grant Type Password:
http://xacmlinfo.org/2015/03/09/openid-connect-support-with-resource-owner-password-grant-type/
Oauth with Grant Type Credentials:
http://xacmlinfo.org/2013/12/02/client-credential-grant-type-with-oauth-2-0/
Alternatively, you can try the Authorization Code grant type in the browser without having to use any web app. I wrote a blog post on how to do it [1]
You can test the authorization grant with a combination of a browser redirect and a curl command. The step by step guide with screenshots to achieving this is explained in the blog post.
Let me explain the summary of steps here,
Log in to Identity Server (5.1.0 or higher)
Create a Service Provider and enable Inbound OAuth Authentication
Provide the callback URL as "https://localhost/callback"
Open a private window in a browser and type in the below URL. Replace {client_id} with the client_id of the OAuth client_id of the Service Provider
https://localhost:9443/oauth2/authorize?response_type=code&client_id={client_id}&redirect_uri=https://localhost/callback&scope=read
Next, you will be prompted to login and thereafter to approve for consent.
You will be redirected with the authorization code as "code"
query param in the URL
Use a CURL request to the token endpoint to get a valid access token
curl -k -v --user {client_id}:{client_secret} -d "grant_type=authorization_code&code={authorization_code}&redirect_uri=https://localhost/callback" https://localhost:9443/oauth2/token
(replace {client_id},{client_secret} and {authorization_code} with correct values)
You can refer [1] for screenshots.
[1] http://blog.farazath.com/2016/05/trying-out-oauth2-authorization-code.html
You can quickly download and spin up an IS 5.0.0 and then configure it with the Info Recovery Sample.
https://docs.wso2.com/display/IS500/Recovering+Account+Information+Using+a+Webapp
The sample is a simple self service account management tool.
We use Mulesoft currently for our middleware. I am in the process of evaluating Wso2 as a possible alternative. Our primary focus is mobile clients. For the most part we implement OAuth.
Before I give too much detail, when I register an OAuth2 app on Wso2 Identity Server 5.0.0 I am expecting to see a consumer key/id. It does NOT however display one. All I see are :
Access Token Url - https://localhost:9454/oauth2/token
Authorize Url - https://localhost:9454/oauth2/authorize.
Is there something I need to enable, or am I doing something worng ?
P.S. ( "Allowed Grant Types" are all ticked )
When you create an OAuth app, you will get a OAuth Client Key & OAuth Client Secret at the table under
Inbound Authentication Configuration ->OAuth/OpenID Connect Configuration. Please use this as the consumer key and consumer secret to obtain the access token.
creating the access token can be done as combining the consumer key and consumer secret as follows and encode it by base64.
for e.g : FNZ8oxGPxWer_2elrZBoueS4XcYa:gr0JizDbStaFelXBV06cahh7Lxga
after encoding the above looks as : Rk5aOG94R1B4V2VyXzJlbHJaQm91ZVM0WGNZYTpncjBKaXpEYlN0YUZlbFhCVjA2Y2FoaDdMeGdh
Add the encoded value as follows in the CURL command.
The below Curl command is an example on how you could use it :
curl -k -d "grant_type=password&username=admin&password=admin" -H "Authorization" -H "Authorization: Basic Rk5aOG94R1B4V2VyXzJlbHJaQm91ZVM0WGNZYTpncjBKaXpEYlN0YUZlbFhCVjA2Y2FoaDdMeGdh, Content-type=application/x-www-form-urlencoded" https://domain:9443/oauth2/token
You could also find the following useful
[1] https://docs.wso2.com/display/IS500/Configuring+Inbound+Authentication+for+a+Service+Provider
[2] http://blog.lasindu.com/2014/12/wso2-identity-server-provision-service.html
[3]https://docs.wso2.com/display/IS500/OAuth+Token+Revocation+with+WSO2+Identity+Server
Hope this helps.
Regards,
Shani.
After a couple of weeks of searching the net for support on this, to speed up the evaluation, I downloaded IS 4.6.0, completed the steps as previous and there appeared the necessary information to continue the evaluation process. I now see all the fields :
Client Id ????????????????????????
Client Secret ??????????????????????
Access Token Url - https://localhost:9454/oauth2/token
Authorize Url - https://localhost:9454/oauth2/authorize.
I'm trying to implement Google OAuth 2 to get access to Google APIs. I follow this guide, using server-side scenario.
I have no problem with getting the code, server redirects to localhost (which is the only server allowed in redirect URIs for now).
To achieve this, I go to https://accounts.google.com/o/oauth2/auth?client_id=whatever.apps.googleusercontent.com&redirect_uri=http://localhost/&scope=https://www.google.com/m8/feeds/&response_type=code page.
Then, I tried using curl (as in guide) to test, if Google's server responds with access token. However, it seems to fail very hard. Only response I can get is {"error":"invalid_client"}. I'm sure I provide everything Google wants me to provide - code, client ID, client secret, redirect URI (localhost) and grant_type=authorization_code.
Whole curl command line is:
curl https://accounts.google.com/o/oauth2/token -d "code=<code>&client_id=whatever.apps.googleusercontent.com&client_secret=<won't tell!>&redirect_uri=http://localhost&grant_type=authorization_code"
Am I missing something? How can I exchange code for access token?
Did you urlencode your client secret and redirect url? That works for me.
Should be http%3A%2F%2Flocalhost instead of https://localhost.
I had the same error until I realized that I was trying to connect with a client ID which I created for iOS. So for me the solution was to create a new API key-secret pair on the API Console with the platform set to "other".
Now I'm getting other errors but that's another story. ;)
Happens when you use wrong Client secret. Make sure you are using correct Client secret from Google API console. I was using Email address since API console displays the information in the following order:
Client ID
Email address
Client secret