Fetching data to PhonePe API - integration

I have sent a fetch request to the PhonePe API "https://api-preprod.phonepe.com/apis/merchant-simulator/pg/v1/pay" with the base64 payload as request in the body and the SHA256 X-VERIFY value as x-verify in the headers. When I send the request from the Postman on the PhonePe website it works and I get a transaction-initiated response, but it doesn't work on either localhost or the official website "wearmiho.com".
It shows this error:
"Access to fetch at 'https://api-preprod.phonepe.com/apis/merchant-simulator/pg/v1/pay' from origin 'https://www.wearmiho.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled."
I have tried to add mode: "no-cors" to the headers, but it still didn't work; it shows the error "failed".
Possible reasons:
1.) Maybe the domain name needs to be pre-registered with PhonePe, as for example Firebase requires a registered domain to give access to its functionality. I have talked to the PhonePe team; they said that for test credentials it should work on any URL, like localhost or a live website.
2.) Maybe my code has some error, but it's the same as in the PhonePe Postman reference "https://developer.phonepe.com/v1/reference/pay-api#pay-request-for-web-flow" (the Postman on the side; I also used JS).

Related

Banno Admin API for External Transfers

I am having an issue calling External Transfer Settings API. I tested other APIs and was able to get a response. Below is the URI I used for External Transfers.
https://banno.com/a/transfer-settings/api/v0/institutions/xxxx/xxxxxxx/transfer/settings/external
and the response I got is 'Cannot PUT /a/transfer-settings/api/v0/institutions/xxxx/xxxxx/transfer/settings/external'
1) Which endpoint is the one that is failing?
The /xxxx/xxxxx/ makes it a bit ambiguous whether this is the Institution External Transfer Settings endpoint (PUT /a/transfer-settings/api/v0/institutions/{institutionId}/transfer/settings/external) or the User External Transfer Settings endpoint (PUT /a/transfer-settings/api/v0/institutions/{institutionId}/users/{userId}/transfer/settings/external).
2) Can you provide the full error response?
The error response will have an HTTP status code (which is helpful), a response body, and a header x-request-id (which is also helpful) to understand what is occurring.

Is there a way to "GET" a csv like information in a website using only Vue.js?

I'm trying to "get" the information in this website: http://nestlegremio.ddns.net:8003/local/people-counter/.api?export-csv&date=20181126&res=30m using only vue.js http
    this.$http.get('http://nestlegremio.ddns.net:8003/local/people-counter/.api?export-csv&date=20181126&res=30m').then(response => {
      if (response.body.length === 0) {
        console.log('error')
      } else {
        console.log(response.body)
      }
    })
but I'm getting the console error:
Access to XMLHttpRequest at 'http://nestlegremio.ddns.net:8003/local/people-counter/.api?export-csv&date=20181126&res=30m' from origin 'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Is there another way to do this?
The error you are facing here comes from the fact that the server you are trying to get the file from does not allow CORS (Cross-Origin Resource Sharing).
Put simply, your site (e.g. running on http://localhost:3003/) is trying to access http://nestlegremio.ddns.net:8003/.
When a web browser tries to access a resource that doesn't reside on
the same domain (http://localhost:3003/), it does a first query to
the web server with OPTIONS to get CORS info from the server.
If the server does not say CORS is enabled for this domain, then the
browser won't run the request and throw the error message you saw.
The solution here is:
If you have access to the given web server, allow CORS on it, if you want to rely only on client-side code.
If you don't have access to the server, you will have to build some server code to retrieve your data from the given url, then to give it back to your Vue.js code. Http calls done from server-side code are not impacted by CORS.
Here is a more detailed explanation on this topic.
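The server-side option from the answer above, as an added example that is not part of the original answer: a small Node.js proxy the Vue app can call on its own origin. The route /api/people, the function names and the accepted format of res are assumptions of this example; the upstream host is fixed in code so the proxy cannot be pointed at arbitrary URLs.

```javascript
const http = require('http');

// Fixed upstream (URL taken from the question). The caller never chooses the
// host, only two validated parameters, so this is not an open proxy.
const UPSTREAM = 'http://nestlegremio.ddns.net:8003/local/people-counter/.api';

// Build the upstream URL from the query of /api/people?date=20181126&res=30m.
// The formats accepted here are assumptions inferred from that single sample.
function buildUpstreamUrl(query) {
  const date = query.get('date') || '';
  const res = query.get('res') || '';
  if (!/^\d{8}$/.test(date)) throw new Error('date must be YYYYMMDD');
  if (!/^\d{1,3}[mh]$/.test(res)) throw new Error('res must look like 30m');
  return `${UPSTREAM}?export-csv&date=${date}&res=${res}`;
}

// Hypothetical same-origin endpoint: the browser calls /api/people, the server
// performs the cross-origin request, where CORS does not apply.
function createProxy() {
  return http.createServer((req, res) => {
    const url = new URL(req.url, 'http://localhost');
    if (req.method !== 'GET' || url.pathname !== '/api/people') {
      res.writeHead(404).end();
      return;
    }
    let target;
    try {
      target = buildUpstreamUrl(url.searchParams);
    } catch (e) {
      res.writeHead(400, { 'Content-Type': 'text/plain' }).end(e.message);
      return;
    }
    http.get(target, (up) => {
      res.writeHead(up.statusCode, { 'Content-Type': 'text/csv' });
      up.pipe(res); // stream the CSV back to the Vue client
    }).on('error', () => res.writeHead(502).end());
  });
}

// To run: createProxy().listen(3000);
```

Serve it from the same origin as the Vue app (or behind the dev server's proxy setting) so the browser request itself is same-origin.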

Api Management return empty response if origin header is present

I am doing a POST request to an API via Azure API Management.
If the Origin header is present and it's not one of those specified in the CORS policy, even Postman will return an empty response.
As soon as I disable the Origin header I can get a response.
So the problem is the following: for the web-based application we must enable CORS,
    <cors allow-credentials="true">
        <allowed-origins>
            ${env:CorsOrigin}
        </allowed-origins>
        <allowed-methods>
            <method>*</method>
        </allowed-methods>
        <allowed-headers>
            <header>*</header>
        </allowed-headers>
    </cors>
But our Cordova app is also calling the same API, and by default Cordova will append Origin: file://. Then API Management does strange things: it cuts the body, so the response is empty. If I do the same request directly to the Azure Function, I get a proper response back, and since Cordova does not care about CORS (to a degree, which in our case is OK), I would expect API Management not to cut the response.
Also, API Management will not allow me to enter *, because of allow-credentials="true", and I also can't set it to allow file://.
APIM does not support origins with the file scheme, only http and https. I'll see if we can fix it. But the workaround for allow-origins=* and allow-credentials=true is to use expressions:
    <allowed-origins>
        <origin>@(context.Request.Headers.GetValueOrDefault("Origin", "*"))</origin>
    </allowed-origins>
This way response will contain sent Origin header value in Access-Control-Allow-Origin and not just * which is not allowed.
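Echoing whatever Origin the caller sends, combined with allow-credentials="true", lets a page on any origin read credentialed responses. As an added example (plain JavaScript, not APIM policy code and not from the answer above), this is the stricter decision a backend or gateway can make: echo the origin only when it is on an explicit allowlist, and send no CORS headers otherwise while leaving the response body alone. The allowlist entries and function names are constructed for illustration.

```javascript
// Constructed allowlist: the exact origins your browser clients are served from.
const ALLOWED = new Set(['https://app.example.com', 'https://admin.example.com']);

// Return the canonical origin for an http(s) Origin header value, else null.
function normalizeOrigin(value) {
  try {
    const u = new URL(value);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin;
  } catch {
    return null; // e.g. the literal string "null" sent by sandboxed documents
  }
}

// Decide the CORS response headers for one request.
function corsHeaders(originHeader, allowed = ALLOWED) {
  // No Origin header: a non-browser caller, nothing to add.
  if (!originHeader) return {};
  const origin = normalizeOrigin(originHeader);
  // Unlisted, non-canonical or non-http(s) origins (file:// included) get no
  // allow headers; the browser then blocks the read, native clients are unaffected.
  if (!origin || origin !== originHeader || !allowed.has(origin)) {
    return { Vary: 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin', // keep caches from serving one origin's headers to another
  };
}
```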

What's wrong with this authorization exchange?

I've set up a MediaWiki server on an Azure website with the PluggableAuth and OpenID Connect extensions. The latter uses the PHP OpenID Connect Basic Client library. I am an administrator in the Azure AD domain example.com, wherein I've created an application with App ID URI, sign-on URL and reply URL all set to https://wiki.azurewebsites.net/. When I navigate to the wiki, I observe the following behavior (cookie values omitted for now):
1. Client Request
   GET https://wiki.azurewebsites.net/ HTTP/1.1
2. RP Request
   GET https://login.windows.net/example.com/.well-known/openid-configuration
3. IP Response
   (some response)
4. RP Response
   HTTP/1.1 302 Moved Temporarily
   Location: https://login.windows.net/{tenant_id}/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F%2Fwiki.azurewebsites.net%2F&client_id={client_id}&nonce={nonce}&state={state}
5. Client Request
   (follows redirect)
6. IP Response
   HTTP/1.1 302 Found
   Location: https://wiki.azurewebsites.net/?code={code}&state={state}&session_state={session_state}
7. Client Request
   (follows redirect)
8. RP Request (also repeats #2 & #3)
   POST https://login.windows.net/{tenant_id}/oauth2/token
   grant_type=authorization_code&code={code}&redirect_uri=https%3A%2F%2Fwiki.azurewebsites.net%2F&client_id={client_id}&client_secret={client_secret}
9. IP Response
   (As interpreted by MediaWiki; I don't have the full response logged at this time)
   AADSTS50001: Resource identifier is not provided.
Note that if I change the OpenID PHP client to provide the 'resource' parameter in step 8, I get the following error response from AAD instead:
RP Request
POST https://login.windows.net/{tenant_id}/oauth2/token
grant_type=authorization_code&code={code}&redirect_uri=https%3A%2F%2Fwiki.azurewebsites.net%2F&resource=https%3A%2F%2Fwiki.azurewebsites.net%2F&client_id={client_id}&client_secret={client_secret}
IP Response
AADSTS90027: The client '{client_id}' and resource 'https://wiki.azurewebsites.net/' identify the same application.
(This has come up before.)
Update
I've made some progress based on #jricher's suggestions, but after working through several more errors I've hit one that I can't figure out. Once this is all done I'll submit pull requests to the affected libraries.
Here's what I've done:
I've added a second application to the example.com Azure AD domain, with the App ID URI set to mediawiki://wiki.azurewebsites.net/, as a dummy "resource". I also granted the https://wiki.azurewebsites.net/ application delegated access to this new application.
Passing in the dummy application's URI as the resource parameter in step #8, I'm now getting back the access, refresh, and ID tokens in #9!
The OpenID Connect library requires that the ID token be signed, but while Azure AD signs the access token it doesn't sign the ID token. It comes with the following properties: {"typ":"JWT","alg":"none"}. So I had to modify the library to allow the caller to specify that unsigned ID tokens are considered "verified". Grrr.
Okay, next it turns out that the claims can't be verified because the OpenID Provider URL I specified and the issuer URL returned in the token are different. (Seriously?!) So, the provider has to be specified as https://sts.windows.net/{tenant_id}/, and then that works.
Next, I found that I hadn't run the MediaWiki DB upgrade script for the OpenID Connect extension yet. Thankfully that was a quick fix.
After that, I am now left with (what I hope is) the final problem of trying to get the user info from AAD's OpenID Connect UserInfo endpoint. I'll give that its own section.
Can't get the user info [Updated]
This is where I am stuck now. After step #9, following one or two intermediate requests to get metadata and keys for verifying the token, the following occurs:
10. RP Request:
    (Updated to use GET with Authorization: Bearer header, per MSDN and the spec.)
    GET https://login.windows.net/{tenant_id}/openid/userinfo
    Authorization: Bearer {access_token}
11. IP Response:
    400 Bad Request
    AADSTS50063: Credential parsing failed. AADSTS90010: JWT tokens cannot be used with the UserInfo endpoint.
(If I change #10 to be either a POST request, with access_token in the body, or a GET request with access_token in the query string, AAD returns the error: AADSTS70000: Authentication failed. UserInfo token is not valid. The same occurs if I use the value of the id_token in place of the access_token value that I received.)
Help?
Update
I'm still hoping someone can shed light on the final issue (the UserInfo endpoint not accepting the bearer token), but I may split that out into a separate question. In the meantime, I'm adding some workarounds to the libraries (PRs coming soon) so that the claims which are already being returned in the bearer token can be used instead of making the call to the UserInfo endpoint. Many thanks to everyone who's helped out with this.
There's also a nagging part of me that wonders if the whole thing would not have been simpler with the OpenID Connect Basic Profile. I assume there's a reason why that was not implemented by the MediaWiki extension.
Update 2
I just came across a new post from Vittorio Bertocci that includes this helpful hint:
...in this request the application is asking for a token for itself! In Azure AD this is possible only if the requested token is an id_token...
This suggests that just changing the token request type in step 8 from authorization_code to id_token could remove the need for the non-standard resource parameter and also make the ugly second AAD application unnecessary. Still a hack, but it feels like much less of one.
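The question's updates touch two ID token checks: the {"typ":"JWT","alg":"none"} header and the issuer mismatch. OpenID Connect Core allows alg none only for an ID token read directly from the token endpoint in the code flow, so a client that accepts it should scope that exception narrowly and still validate the claims. An added example of such a check in Node.js (not the PHP library's code; the option names and sample values are assumptions of this example):

```javascript
const crypto = require('crypto');

const b64uJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// opts (all names are assumptions of this example):
//   issuer, clientId, nonce  expected values for this login
//   publicKeyPem             provider signing key for RS256 tokens
//   allowUnsigned            explicit opt-in to alg "none"
//   fromTokenEndpoint        true only if the token came from the TLS-protected
//                            token response, never from a redirect or the browser
function validateIdToken(jwt, opts, now = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, sig] = parts;
  const header = b64uJson(h);
  const claims = b64uJson(p);

  if (header.alg === 'none') {
    // Unsigned tokens: back channel only, opted in, and with an empty signature part.
    if (!(opts.allowUnsigned && opts.fromTokenEndpoint) || sig !== '') {
      throw new Error('unsigned ID token rejected');
    }
  } else if (header.alg === 'RS256') {
    const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`),
      opts.publicKeyPem, Buffer.from(sig, 'base64url'));
    if (!ok) throw new Error('bad signature');
  } else {
    throw new Error(`unsupported alg ${header.alg}`);
  }

  // Exact match against the issuer the provider puts in its tokens, which can
  // differ from the host used for discovery (as the question found).
  if (claims.iss !== opts.issuer) throw new Error('issuer mismatch');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(opts.clientId)) throw new Error('audience mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (claims.nonce !== opts.nonce) throw new Error('nonce mismatch');
  return claims;
}
```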
Justin is right. For the authorization code grant flow, you must specify the resource parameter in either the authorization request or the token request.
Use &resource=https%3A%2F%2Fgraph.windows.net%2F to get an access token for the Azure AD Graph API.
Use &resource=https%3A%2F%2Fmanagement.core.windows.net%2F to get a token for the Azure Service Management APIs.
...
Hope this helps
Microsoft's implementation of OpenID Connect (and OAuth2) has a known bug where it requires the resource parameter to be sent by the client. This is an MS-specific parameter and requiring it unfortunately breaks compatibility with pretty much every major OAuth2 and OpenID Connect library out there. I know that MS is aware of the issue (I've been attempting to do interoperability testing with their team for quite a while now), but I don't know of any plans to fix the problem.
So in the meantime, your only real path is to hack your client software so that it sends a resource parameter that the AS will accept. It looks like you managed to make it send the parameter, but didn't send a value that it liked.
I had issues getting this running on Azure, even though I got something working locally. Since I was trying to set up a private wiki anyway, I ended up enabling Azure AD protection for the whole site by turning on:
All Settings -> Features -> Authentication / Authorization
From within the website in https://portal.azure.com
This made it so you had to authenticate to Azure-AD before you saw any page of the site. Once you were authenticated a bunch of HTTP Headers are set for the application with your username, including REMOTE_USER. As a result I used the following plugin to automatically log the already authenticated user into Azure:
https://www.mediawiki.org/wiki/Extension:Auth_remoteuser

SoapUI: how to authenticate a REST API using a certificate and user name and use a POST JSON request

Using SoapUI 4.6, I need to authenticate to a REST API using a certificate and username/password, and then I have to get the session ID (cookie) and work with it for other operations. How can I do this? Any reference?
I do this manually in order to avoid any unknown cookies and/or "magic" that the session manager might pass along. Here is my Java RestAssured example and the equivalent SoapUI request headers:
    response = given().cookie("SESSIONID", "12345").cookie("ABC_123", "abcde").header("CLIENT_ID", "aaa123");

In SoapUI set these headers:

    Name        Value                             Style    Level
    CLIENT_ID   aaa123                            HEADER   RESOURCE
    Cookie      SESSIONID=12345; ABC_123=abcde    HEADER   RESOURCE

i.e. you put all the cookies in the correct format in a single header called "Cookie". Standard HTTP stuff, but nobody really gave this answer yet.