In my single page application once I login with FeathersJS authentication I am passing my JWT token to the server for further service requests . In my service hook I am using authenticate("jwt") to check for authentication . It is working perfect , but also populating context.params.user with the user information . So authenticate("jwt") calling user get service for every API call which has authentication enabled .
1) If I don't need any user information other the the user ID can I avoid this user get service call ? Or is there any other specific reason to populate user object ?
2) By avoiding the above call , Can I just populate context.params.user only with the ID ( From the JWT token? )?
Thank You
There's no way to avoid populating the user object right now unless you want to extend various internals of feathers authentication to do so.
Related
I'm attempting to delegate product subscription from Azure API Management using the sample provided here. My prototype has a functioning user authentication delegation however the product subscription delegation is befuddling.
During user login delegation I receive a request from APIM to my delegation page and handle it according to the sample link above without issue. During delegation of product subscription, a call is made to my login page first; not the delegation page. This leads me to my first series of questions:
Can someone explain why delegation of product subscription would fundamentally flow differently than delegation of user authentication?
If the login delegation page (as per the sample referenced above) handles user authentication by checking User.Identity.IsAuthenticated, why can't product delegation do the same and why would it be sent to the login page and not the delegation page?
I've handled the above issue by using the login page to evaluate whether or not the user is authenticated first, then to redirect them to the returnUrl as follows:
if (User.Identity.IsAuthenticated)
{
return LocalRedirect(returnUrl);
}
The value of returnUrl, as provided by APIM, contains the following variables:
Path = /Identity/Account/Manage/Delegate
productId = [productId]
userId = [userId]
operation = Subscribe
salt = [salt]
sig = [sig]
Since these are ALL the variables provided in the returnUrl from APIM, I have the following questions:
Following the documentation about subscription using APIM REST API, how do you determine the following required properties:
subscriptionId
resourceGroupName
serviceName
sid
Additionally for the request body, how do you determine properties.scope as per this reference.
As a test, I set a breakpoint in code just before calling the PUT method on the endpoint containing the following line of code. I used Postman to test creating a subscription by copying out the Authorization header in VS2017 and all relevant header/body data. I was able to get back a 201 response indicating a subscription was created, however it doesn't show up in the APIM portal anywhere and I certainly didn't have many of the "required" properties as defined in the docs article:
response = await client.PutAsync("/subscriptions/" + subscriptionId + "?api-version=" + apiVersion, new StringContent(ApimSubscriptionJson, Encoding.UTF8, "text/json"));
Here is the body of my test call to the API:
{
"userId" : "/users/c22afea6-3e9c-4b85-87a6-2d5e97e259cf",
"scope" : "/products/ring-0-beta-access"
}
Based on this oddity, I have the following additional questions:
If the subscription to the product was indeed created, where would it be if not in the Azure APIM portal? It also doesn't show up in the user's profile.
How am I able to get a 201 response on the PUT method if I haven't given the APIM REST API all the 'required' parameters?
I found a solution and wanted to share.
I was okay to use the method explained in the Channel 9 video. I was simply using the wrong property. Instead of userId it should be ownerId. I noticed after running a GET on my subscriptions that I could see them all. They have no association to a user so they don't show up in the Azure APIM portal.
Another key miss was notifications. If you leave out the ¬ify=true query string parameter you won't get notified when someone subscribes to your API. This is particularly troublesome when your API requires approval.
This seems like a potential product bug as you shouldn't be able to create an 'owner-less' subscription. It makes it nearly impossible to find if you don't know where to look.
I have used lifeary service builder to build my services. some of my services require that the user is authenticated before he can use them.
how can i generate an auth token and send it in the header or in the URL?
I have tried username#host.com:password#http://localhost:8080/PortletName-portlet/api/jsonws/?serviceClassName=com.service.NameServiceUtil&serviceMethodName=getMyNames&serviceParameters=[userid]&userid=1
and it did not work!
I have made sure i have added the below line in my portal-ext.properties and restarted the server.
json.service.auth.token.enabled=true
What more should i do to be able to pass Auth Token? is there a better method that i can use?
You actually want to use AuthVerifier. This is the best way how to access the Liferay API and be authenticated. It similar to the autologin concept.
Have a look at https://dev.liferay.com/es/discover/deployment/-/knowledge_base/7-0/authentication-verifiers and check out the PortalSessionAuthVerifier class in the source code.
The concept is quite simple. Read the request object and determine who the user is. Perform your custom authentication and return the auth result with the user identification.
I am creating an application in which I am getting a Client_secret.json file, and in my application I'm trying to load that json file and get the credentials from it using the following code:
credentials=get_credentials(filename)
http = credentials.authorize(httplib2.Http())
service = discovery.build('admin', 'directory_v1', http=http)
userinfo = {'primaryEmail': primaryEmail,
'name': { 'givenName':user },
'password': password
}
service.users().insert(body = userinfo).execute()
It gives the following error:
httpError 403 when requesting https
//www.googleapis.com/admin/directory/v1/users?alt=json returned
insufficient permission
I'm not sure what I'm doing wrong or am I missing something? I was wondering if the problem is in the json file which I'm creating?
Any help would be appreciated.
Thanks,
Aman
Well, you can start by checking a few things:
If you're using a service account, be sure to enable the "wide domain delegation option" to allow a service account to access user data on behalf of your users and perform operations.
Check if the scope https //www.googleapis.com/admin/directory/v1/users is authorized for your client ID on your google admin console > Security > Advanced settings > Authentication > Manage API client access.
Check if the user that you're using to insert the new user have enough privileges a.k.a super admin privileges.
Check if the Admin SDK API is active on your project.
Keep in mind that just downloading the client_json and activating a API isn't enough to allow these types of operations. For certain APIs like Admin SDK, the user you're gonna use to consume those services need to have specific privileges.
Here's a few helpful links
https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
https://support.google.com/a/answer/162106?hl=en
I would first check to make sure that you have the correct Admin privileges on the account that you are trying to use OAuth credentials on. I would try logging into the account and going to this reference page in the Directory API for Users:insert
https://developers.google.com/admin-sdk/directory/v1/reference/users/insert
On the right hand side you should go to the Try this API section and see if that account has permissions to create new users.
Also another thing I noticed as well, is that you're not setting the required field familyName inside of the name field. familyName is a required property.
I am implementing spring oauth2 for securing my rest api. Basically i am limiting the use of rest api to particular users rather then limiting to every users.
I had implemented the backend and secured my api using spring oauth2.
I am following this steps:
1)Send the GET request with the five parameters.
localhost:8080/SpringRestSecurityOauth/oauth/token?grant_type=password&client_id=Awyi123nasdk89&client_secret=asdj39m32##$s&username=rahul#gmail&password=rahul#9831
2) Server validates the user with the help of spring security and return the json response with access code.
{
"access_token": "22cb0d50-5bb9-463d-8c4a-8ddd680f553f",
"token_type": "bearer",
"refresh_token": "7ac7940a-d29d-4a4c-9a47-25a2167c8c49",
"expires_in": 119
}
3)I access protected resources by passing this access token as a parameter, the request goes something like this:
localhost:8080/SpringRestSecurityOauth/api/users/?access_token=8c191a0f-ebe8-42cb-bc18-8e80f2c4238e
4) In case the token is expired, user needs to get a new token using its refreshing token that was accepted in step(2). A new access token request after expiration looks something like this:
localhost:8080/SpringRestSecurityOauth/oauth/token?grant_type=refresh_token&client_id=restapp&client_secret=restapp&refresh_token=7ac7940a-d29d-4a4c-9a47-25a2167c8c49
All the above step are working fine. Now i need to implement this on my client side. So that a particular client can access this call. I am using HTML/CSS as client side technology.
How client can get the access token? Should it be stored in the browser local storage? Or it should be generated every time the rest call is been made?
Any example would help me to proceed further.
I'm implementing my project like you. I use angularjs and get the access token from response json then store it into cookies.
This link provide sample code for you: http://www.baeldung.com/rest-api-spring-oauth2-angularjs. (See Frontend - Password Flow).
Because refresh token should keep secret and the client is html app, you should see this link http://www.baeldung.com/spring-security-oauth2-refresh-token-angular-js for handling refresh token.
For html client, after obtaining access token using refresh token when access token is expired, I use http-auth-interceptor ([http]://witoldsz.github.io/angular-http-auth/) to retry all rest requests failed because of expired access token.
I'm sorry that I have not enough reputation to post more than 2 links.
I was trying to make Box Enterprise API work using As-User. I have a admin account which i used to try to retrieve the Contents in a sub account.
I first used the admin account to retrieve the User ID of the sub account. And added the User ID as a field "As-User: ########". However, I was returned with a reply of 403.
The error message : "The request requires higher privileges than provided by the access token."
I am using the access token i had used to retrieve the user list. Do I have to get a new access token using the as the new user? or is the admin access token fine?
GET /2.0/folders/0/items HTTP/1.1\r
Host: api.box.com\r
Authorization: Bearer #######################\r
As-User: ########\r
Connection: close\r
\r
The access code is the same access code used to retrieve the user list /user
All the scopes has been checked
Your application must be manually approved by Box for As-User requests. The documentation mentions this but it's easy to miss. To start the approval process send Box a note and include your API Key.
I am unable to add a comment on this, so I would like to add (in case the support staff doesn't give you a head's up) you may have to do this after they enable the As-User header --
Go back to your - Admin Console->Business Settings->Apps
Find the Custom Applications section
Authorize or reauthorize the app you are working with
I had the same problem and found this:
https://support.box.com/hc/ja/community/posts/360049157874-Insufficent-scope-when-trying-to-make-a-call-using-As-User-header
So you should use the scope admin_on_behalf_of.