Why do I get an Invalid scope error when calling the Pre-Create App User Smooch API

I'm POSTing to the Pre-Create App User endpoint https://api.smooch.io/v1.1/apps/{appId}/appusers for Smooch, using appUser as the scope in my JWT, but I get this response:
{"error":{"code":"forbidden","description":"Invalid scope"}}
I tried the exact same JWT doing a GET to /v1.1/apps/{appId}/appusers/{userId} and that succeeded.
I did also try the app scope in case that was required for the create but not the get, but that also failed.
Is there some other scope I should be using?

Related

LTI 1.3 - Access token - Error validating assertion: Unknown validation exception

I'm trying to create an LTI 1.3 integration in Brightspace (POC), and I was able to get to the point where the tool endpoint is launched. At this endpoint I'm trying to get an access token in order to get the membership data, so I send the request (for the access token) with the relevant scope and all the credentials, with no success. I also added the relevant parameters to the URL as the documentation shows.
I think that at this point I should get the access token with no problems, because when I was trying to integrate with Moodle I successfully received the access token back. I know there is a standard across all LMSs, but is there any specific adjustment needed to integrate with Brightspace?

RapidMiner : Can't get JWT Token

I am referring to the document below to get a JWT token.
However, when I call the API /api/rest/tokenservice it doesn't return the token but returns a web interface asking for login. How can I get a JWT token?
REST API Url :
https://docs.rapidminer.com/9.10/hub/rest-api/index.html
Response of postman:
In order to query the internal tokenservice endpoint, you need a valid "session". In the native installation method, you can use basic auth as "session" as outlined in the documentation.
    curl -u user:pass "http://localhost:8080/api/rest/tokenservice"
    {
      "idToken": "the-valid-token",
      "expirationDate": "the-exp"
    }
However, for this to work when you've deployed RapidMiner AI Hub with Keycloak (and docker), you need to 1. enable basic auth for Keycloak, 2. access the route by first having a valid "login session" (cookie name is RM_SERVER_JSESSIONID) or 3. use a valid Keycloak token.
Enable basic auth in Keycloak
rm-server-homedir/configuration/keycloak/keycloak.json
    {
      ...
      "enable-basic-auth": true,
      ...
    }
Valid cookie value
Login via web interface, open the browser's developer tools and use the very same RM_SERVER_JSESSIONID cookie value inside the REST request issued to the /api/rest/tokenservice endpoint.
I'm not sure what you'd like to achieve (e.g. schedule a process via REST), but I'd like to point out that you can easily add a process and trigger it via Web Service. The triggered process could make use of the Admin Tools extension. You still need to enable Keycloak's basic auth though if you'd like to trigger it from "outside". A guide on how to use the extension can be found here.
Valid Keycloak token
Retrieve a valid Keycloak access token (from Keycloak's token endpoint, e.g. via OpenID Connect) and query the /api/rest/tokenservice endpoint with Authorization: Bearer <token>.
Disclaimer: This answer is used with permission of the original author from the RapidMiner community.

Cannot create bucket

I'm trying to create a bucket with the POST buckets endpoint. However, I cannot seem to do this: When attempting to do so with a Three-legged token, I receive the error:
"Only 2 legged service tokens are allowed to access this api."
But when I use a two-legged token (with the same scopes):
"Token does not have the privilege for this request."
What am I doing wrong? I'm using NodeJS with the Request library.
You might want to check that your token has the correct scopes; in this case you need bucket:create as part of your token scopes.
More about it here. https://forge.autodesk.com/en/docs/oauth/v2/developers_guide/scopes/

Pass Authentication Token to Service

I have used Liferay Service Builder to build my services. Some of my services require that the user is authenticated before he can use them.
How can I generate an auth token and send it in the header or in the URL?
I have tried username#host.com:password#http://localhost:8080/PortletName-portlet/api/jsonws/?serviceClassName=com.service.NameServiceUtil&serviceMethodName=getMyNames&serviceParameters=[userid]&userid=1
and it did not work!
I have made sure I have added the line below to my portal-ext.properties and restarted the server.
json.service.auth.token.enabled=true
What more should I do to be able to pass an auth token? Is there a better method that I can use?
You actually want to use AuthVerifier. This is the best way to access the Liferay API and be authenticated. It is similar to the autologin concept.
Have a look at https://dev.liferay.com/es/discover/deployment/-/knowledge_base/7-0/authentication-verifiers and check out the PortalSessionAuthVerifier class in the source code.
The concept is quite simple. Read the request object and determine who the user is. Perform your custom authentication and return the auth result with the user identification.

Unable to login User ID to Web Messenger (Invalid Scope)

We're having issues initialising sessions in Smooch. We've successfully created a JWT token using the account level scope, and we've created a user (mycatalyst_test) using the API. When we use the API, we're able to access and query the user, create messages etc. correctly.
However, when we try to initialise the Smooch web messenger and log the user in:
    Smooch.init({
        appId: 'XXX',
        userId: 'mycatalyst_test',
        jwt: 'XXX',
        embedded: true
    });
We receive the error:
{"error":{"code":"forbidden","description":"Invalid scope"}}
We've checked the documentation and can't find any reference to the Invalid scope error or the Forbidden code in the Web Messenger documentation, and we're able to use the same JWT key to access the information through the API successfully, so we're not entirely sure what's going wrong.
We tried using the App scope rather than the Account scope to generate a new JWT key, but this also didn't work. We tried using the Smooch ID rather than the User ID, but this also didn't work.
We're at a bit of a loose end here, so would appreciate any pointers! (We're probably doing something stupid and obvious!).
See the documentation for authenticating users. When supplying a JWT to the login API, you must use a scope of appUser, otherwise you would be distributing JWTs to your users that give access to your whole account/app!
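    // jwt.sign comes from the jsonwebtoken package.
    const jwt = require('jsonwebtoken');

    // SECRET and KEY_ID are your key's secret and id; userId is the user being logged in.
    jwt.sign({
        scope: 'appUser',
        userId: userId
    },
    SECRET,
    {
        header: {
            alg: 'HS256',
            typ: 'JWT',
            kid: KEY_ID
        }
    });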
There is also this note in the authorization section of the REST API documentation:
An additional scope of appUser can also be used to authenticate users when using one of the Smooch native SDK integrations. For information on how and when to use this scope, see the guide for authenticating users.
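
The scope rule from the answer above, as an added example that is not part of the original answer or of Smooch's code: it builds HS256 tokens with the same header fields using only Node's crypto module, then runs a server-side guard that refuses to hand a browser any token whose scope is not appUser or whose userId belongs to someone else. The secret, key id, and the clientTokenProblem helper are constructed for illustration.

```javascript
// Added example: all values below are constructed, not real Smooch credentials.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret';  // placeholder secret
const KEY_ID = 'app_constructed_key_id';   // placeholder key id

const b64url = (input) => Buffer.from(input).toString('base64url');

// Build an HS256 JWT with the same header fields the answer passes to jwt.sign.
function signJwt(payload, secret, keyId) {
  const header = { alg: 'HS256', typ: 'JWT', kid: keyId };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const mac = crypto.createHmac('sha256', secret).update(signingInput).digest();
  return `${signingInput}.${b64url(mac)}`;
}

// Hypothetical guard, run on the server before a token is sent to a browser.
// Returns the reason the token must not be handed out, or null if it is safe.
function clientTokenProblem(token, secret, expectedUserId) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'malformed token';
  const [h, p, sig] = parts;
  const expected = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'bad signature';
  }
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch { return 'malformed token'; }
  if (header?.alg !== 'HS256') return 'unexpected alg';
  if (payload?.scope !== 'appUser') return `scope "${payload?.scope}" must stay server-side`;
  if (payload.userId !== expectedUserId) return 'userId does not match the logged-in user';
  return null;
}

const userJwt = signJwt({ scope: 'appUser', userId: 'mycatalyst_test' }, SECRET, KEY_ID);
const appJwt = signJwt({ scope: 'app' }, SECRET, KEY_ID);

console.log(clientTokenProblem(userJwt, SECRET, 'mycatalyst_test'));
console.log(clientTokenProblem(appJwt, SECRET, 'mycatalyst_test'));
```

Calling such a guard in the code path that renders the token into the page catches the mistake in the question (an account- or app-scoped token reaching the web messenger) before it ships.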