We're having issues initialising sessions in Smooch. We've successfully created a JWT token using the account level scope, and we've created a user (mycatalyst_test) using the API. When we use the API, we're able to access and query the user, create messages etc. correctly.
However, when we try to initialise the Smooch web messenger and log the user in:
Smooch.init({
appId: 'XXX',
userId: 'mycatalyst_test',
jwt: 'XXX',
embedded: true
});
We receive the error:
{"error":{"code":"forbidden","description":"Invalid scope"}}
We've checked the documentation and can't find any reference to the Invalid scope error or the Forbidden code in the Web Messenger documentation, and we're able to use the same JWT key to access the information through the API successfully, so we're not entirely sure what's going wrong.
We tried using the App scope rather than the Account scope to generate a new JWT key, but this also didn't work. We tried using the Smooch ID rather than the User ID, but this also didn't work.
We're at a bit of a loose end here, so would appreciate any pointers! (We're probably doing something stupid and obvious!).
See the documentation for authenticating users. When supplying a JWT to the login API, you must use a scope of appUser, otherwise you would be distributing JWTs to your users that give access to your whole account/app!
jwt.sign({
scope: 'appUser',
userId: userId
},
SECRET,
{
header: {
alg: 'HS256',
typ: 'JWT',
kid: KEY_ID
}
});
There is also this note in the authorization section of the REST API documentation:
An additional scope of appUser can also be used to authenticate users when using one of the Smooch native SDK integrations. For information on how and when to use this scope, see the guide for authenticating users.
Related
so I am trying to create API using Postman followed by the instruction given in Smartsheet API: https://smartsheet-platform.github.io/api-docs/.
I am able to access my smartsheet data using the GET, it shows me details of my columns and rows. So I continued with the tutorial, I started with the following code:
// Initialize the client
var client = require('smartsheet');
var smartsheet = client.createClient({
accessToken: '----',
logLevel: 'info'
});
and I get the the error saying
Cannot find module 'smartsheet'
I have the smartsheet api package download on my desktop, but I am not sure how I can make use of it. any help would be appreciated.
Thank you.
Postman is for testing individual API requests (GET, PUT, POST, DELETE, etc.). You can't use/call an SDK (or as you've referred to it, "the Smartsheet API package") from Postman.
Also -- you should never post your Access Token publicly, as anyone can use it to gain programmatic access to your Smartsheet data. I've edited your post to remove the Access Token value but would nonetheless recommend that you revoke that token immediately so that it's no longer valid. Then you can generate a new Access Token -- but don't share it publicly!
i am creating a mobile app for multiple platforms (iOS, Android, PWA (Web)) and have my backend build with the serverless framework on AWS Lambda, using API Gateway and DynamoDb.
My most recent goal is to add a user login using AWS Cognito, enabling my users to either login using their email and password, or a facebook login. I read multiple threads, tutorials and the official AWS Documentation but am super confused because of the mass of different information.
I want to integrate authorized API Endpoints which can only be called when the user is logged in.
Therefore my first question is:
1) Should i rather use AWS Cognito User Pools or AWS Cognito Identity Pools?
I also read that for user pools you can solely use the hosted UI for login, which is not a possibility for my app. I want to style my own login page.
As i could not find any sample code for the client side integration, i went with identity Pools for now, and created an endpoint in my serverless.yml which is specified the following:
functions:
xxx-auth:
handler: endpoints/xxx-auth.execute
events:
- http:
path: xxx-auth
method: put
cors: true
integration: lambda
authorizer: aws_iam
So my second question is:
2) How do i properly integrate the authorization for my Cognito Identity Pool or User Pool?
From another Thread i read that there is the possibility to generate an SDK for the API one created on API Gateway, which handles the signature procedures of the request for you. As i tried to do so in my iOS application, i first log the user in using the following code:
let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .EUCentral1 ,
identityPoolId:"eu-central-1:XXXXXXXX" ,
identityProviderManager: CustomIdentityProvider(tokens: ["graph.facebook.com": FBSDKAccessToken.current().tokenString]))
let configuration = AWSServiceConfiguration(region: .EUCentral1, credentialsProvider: credentialsProvider)
AWSServiceManager.default().defaultServiceConfiguration = configuration
and then use the following created code to submit the PUT request:
public func XXXPut() -> AWSTask<AnyObject> {
let headerParameters = [
"Content-Type": "application/json",
"Accept": "application/json",
]
let queryParameters:[String:Any] = [:]
let pathParameters:[String:Any] = [:]
return self.invokeHTTPRequest("PUT", urlString: "/XXX", pathParameters: pathParameters, queryParameters: queryParameters, headerParameters: headerParameters, body: nil, responseClass: nil)
}
But i cannot see any code that signs the HTTP request. Therefore the third question is:
3) How do i create the SDK that properly sends the signed HTTP request to my API Gateway backend?
I also tried the same for Cognito User Pools, using a simple "Authorization" header, but could not figure out a way to obtain the respective Authorization token on the iOS application without using any kind of hosted UI.
It would be very kind if someone could explain this jungle to me.
I figured it out by myself:
1) It depends. I am now using a combination of both for the following reason:
For a Facebook Login, we are using a Cognito Identity Pool, as the Cognito UserPool does not support a Facebook Login outside of the hosted UI. For Email signup and login we use a UserPool inside the Cognito Identity Pool.
2) The code snippet i posted was correct.
3) The code snippet was also correct. My mistake was that i did not correctly display and inspect the reply of my API and therefore thought the request was not authorized, but it was.
I'm attempting to delegate product subscription from Azure API Management using the sample provided here. My prototype has a functioning user authentication delegation however the product subscription delegation is befuddling.
During user login delegation I receive a request from APIM to my delegation page and handle it according to the sample link above without issue. During delegation of product subscription, a call is made to my login page first; not the delegation page. This leads me to my first series of questions:
Can someone explain why delegation of product subscription would fundamentally flow differently than delegation of user authentication?
If the login delegation page (as per the sample referenced above) handles user authentication by checking User.Identity.IsAuthenticated, why can't product delegation do the same and why would it be sent to the login page and not the delegation page?
I've handled the above issue by using the login page to evaluate whether or not the user is authenticated first, then to redirect them to the returnUrl as follows:
if (User.Identity.IsAuthenticated)
{
return LocalRedirect(returnUrl);
}
The value of returnUrl, as provided by APIM, contains the following variables:
Path = /Identity/Account/Manage/Delegate
productId = [productId]
userId = [userId]
operation = Subscribe
salt = [salt]
sig = [sig]
Since these are ALL the variables provided in the returnUrl from APIM, I have the following questions:
Following the documentation about subscription using APIM REST API, how do you determine the following required properties:
subscriptionId
resourceGroupName
serviceName
sid
Additionally for the request body, how do you determine properties.scope as per this reference.
As a test, I set a breakpoint in code just before calling the PUT method on the endpoint containing the following line of code. I used Postman to test creating a subscription by copying out the Authorization header in VS2017 and all relevant header/body data. I was able to get back a 201 response indicating a subscription was created, however it doesn't show up in the APIM portal anywhere and I certainly didn't have many of the "required" properties as defined in the docs article:
response = await client.PutAsync("/subscriptions/" + subscriptionId + "?api-version=" + apiVersion, new StringContent(ApimSubscriptionJson, Encoding.UTF8, "text/json"));
Here is the body of my test call to the API:
{
"userId" : "/users/c22afea6-3e9c-4b85-87a6-2d5e97e259cf",
"scope" : "/products/ring-0-beta-access"
}
Based on this oddity, I have the following additional questions:
If the subscription to the product was indeed created, where would it be if not in the Azure APIM portal? It also doesn't show up in the user's profile.
How am I able to get a 201 response on the PUT method if I haven't given the APIM REST API all the 'required' parameters?
I found a solution and wanted to share.
I was okay to use the method explained in the Channel 9 video. I was simply using the wrong property. Instead of userId it should be ownerId. I noticed after running a GET on my subscriptions that I could see them all. They have no association to a user so they don't show up in the Azure APIM portal.
Another key miss was notifications. If you leave out the ¬ify=true query string parameter you won't get notified when someone subscribes to your API. This is particularly troublesome when your API requires approval.
This seems like a potential product bug as you shouldn't be able to create an 'owner-less' subscription. It makes it nearly impossible to find if you don't know where to look.
I'm POSTing to the Pre-Create App User endpoint https://api.smooch.io/v1.1/apps/{appId}/appusers for smooch, using the appUser as the scope in my JWT, but I get this response:
{"error":{"code":"forbidden","description":"Invalid scope"}}
I tried the exact same JWT doing a GET to /v1.1/apps/{appId}/appusers/{userId} and that succeeded.
I did also try the app scope in case that was required for the create but not the get, but that also failed.
Is there some other scope I should be using?
I am creating an application in which I am getting a Client_secret.json file, and in my application I'm trying to load that json file and get the credentials from it using the following code:
credentials=get_credentials(filename)
http = credentials.authorize(httplib2.Http())
service = discovery.build('admin', 'directory_v1', http=http)
userinfo = {'primaryEmail': primaryEmail,
'name': { 'givenName':user },
'password': password
}
service.users().insert(body = userinfo).execute()
It gives the following error:
httpError 403 when requesting https
//www.googleapis.com/admin/directory/v1/users?alt=json returned
insufficient permission
I'm not sure what I'm doing wrong or am I missing something? I was wondering if the problem is in the json file which I'm creating?
Any help would be appreciated.
Thanks,
Aman
Well, you can start by checking a few things:
If you're using a service account, be sure to enable the "wide domain delegation option" to allow a service account to access user data on behalf of your users and perform operations.
Check if the scope https //www.googleapis.com/admin/directory/v1/users is authorized for your client ID on your google admin console > Security > Advanced settings > Authentication > Manage API client access.
Check if the user that you're using to insert the new user have enough privileges a.k.a super admin privileges.
Check if the Admin SDK API is active on your project.
Keep in mind that just downloading the client_json and activating a API isn't enough to allow these types of operations. For certain APIs like Admin SDK, the user you're gonna use to consume those services need to have specific privileges.
Here's a few helpful links
https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
https://support.google.com/a/answer/162106?hl=en
I would first check to make sure that you have the correct Admin privileges on the account that you are trying to use OAuth credentials on. I would try logging into the account and going to this reference page in the Directory API for Users:insert
https://developers.google.com/admin-sdk/directory/v1/reference/users/insert
On the right hand side you should go to the Try this API section and see if that account has permissions to create new users.
Also another thing I noticed as well, is that you're not setting the required field familyName inside of the name field. familyName is a required property.