OAuth POST succeeds, GET fails - actionscript-3

I create a brand new schema called 'blogpost' with the service http://www.Stackmob.com. Its read/write access is granted to authenticated users.
After authenticating as a user to my schema, my POST queries succeed, but GET fails with
{"error":"Invalid OAuth credentials or signature: Key not provided"}
I don't understand this because the authentication headers in my POST/GET requests are created from the exact same function, which takes as input the mac_key and access_token values granted to a user by the server.
Why would this be? Details of the code posted are also at:
http://stackmob.zendesk.com/entries/27724236-Invalid-OAuth-credentials-or-signature-Key-not-provided
I hope this is not a Flash11 restriction.

Don't have access to post login payload

I am trying to send a login payload which is
{"username":"EMAIL","password":"PASSWORD","wnaMode":"modal"}
to https://www.zalando.nl/api/reef/login. I am doing this so my program can log in, get all my orders and put them in a spreadsheet automatically. However, when I send the POST request I get this back:
Access Denied
You don't have permission to access "http://failover.www.zalando.de/waf_deny_shop.html?" on this server.
Reference #18.9f633e17.1577580584.7b7612d
What could I do?
This is a result of a bot-protection solution they use, it is working against login automations just like the one you wrote. Consider a scenario where someone is brute-forcing the password of a specific user or just tries to re-use credential dumps (AKA "credential stuffing") - this is why this defense mechanism is in place.

laravel 5.4 passport token used in resource

I created a users resource for my REST API and now I am able to register a user.
After that I installed Passport and I am getting the token.
When I tried to access '/user' I got Unauthorized.
When I pasted the token into the Authorization header, I was prompted that the api_token column is missing, on which I updated my migration with an api_token column of string 60.
Again, when I try to access '/user' I am still getting Unauthorized.
Following that, let me say I have posts generated as a resource. I want only my moderator or admin to have delete access, not the user. How can I achieve it? In short, how do I control the authorization for resource routes?
Are you using the api middleware and auth:api? Submitting an X-CSRF-TOKEN as well? GET or POST? Need more info to help you out here.

Service now api how to comment as specific user

I'm working on a project that consumes the Service Now API (REST). To do so our client has registered us as a user in order to log in and make all the service calls we need. This project has an interface where users can log in once they have an account on Service Now as well; the username they type to log in has nothing to do with Service Now, by the way, but later they associate their Service Now users with it. They can do some operations through this interface, all of which are done using the integration user/password, not their Service Now users themselves, because they do not need to share their passwords with us. But it's necessary to track the correct user to register on Service Now, and I'm in trouble specifically about commenting on an incident. The endpoint to comment is the following:
http://hostname/api/now/table/incident/{sys_id}
where request body is a json object just as simple as :
{
"comments": "My comment is foo bar"
}
but when this comment is registered on Service Now it is under the integration user instead of the user who commented. Is there any way I could keep a specific user, considering I already have the user id on Service Now ready to pass in the request the way it should be?
I tried reading the Service Now documentation but had no clue how to solve it, although I've found something about impersonate.
This is happening because you're being proxied through the "Integration User" instead of your own account. As long as this is the case, your comments are going to be attributed to the Integration User.
I can think of two ways to fix this issue.
Ask the client to log you into their system directly as a user.
Implement a special API (Scripted REST API, available in Geneva or later) that allows you to identify the Incident and enter the comment, and then the script forges the comment on your behalf, attributing authorship correctly.
The first solution can be expensive due to possible additional licensing costs.
The second solution will require a willing client to devote 2-3 hours of development time, depending on the programmer.
Firstly, you need an integration user with sufficient rights. Our integration user has sufficient rights out of the box, but your story could be different. A quick check is to try to impersonate another user using the menu.
Login as integration user to ServiceNow instance.
Go to https://{instance}.service-now.com/nav_to.do
Click on username at top right corner. This is a drop down.
There should be at least three menu items: "Profile", "Impersonate User", and "Logout". If you do not have "Impersonate User" in this menu, your integration user is missing some permissions. Contact the system administrator if you miss this menu item to configure the appropriate permissions.
Then you need to find the sys_id of the user that you want to impersonate. For example:
https://{instance}.service-now.com/api/now/table/sys_user?sysparm_query=user_name={username}&sysparm_fields=sys_id
If you have sufficient privileges, you could invoke the following endpoint with the sys_id of the user that you want to impersonate:
HTTP POST to https://{instance}.service-now.com/api/now/ui/impersonate/{user_sys_id} with body "{}" and content type "application/json". You need to provide HTTP basic authentication to this query as your integration user.
The response code on success is 200. The response body can be ignored. The interesting result of this response is a set of cookies for the impersonated user in the response headers. These cookies can be used for subsequent REST API calls until they expire. Use whatever method your HTTP client offers to capture them and to provide them to the next calls.
For Apache HTTP Client (Java), I'm creating an HTTP client context using:
HttpClientContext context = HttpClientContext.create();   // per-call context for the impersonated session
context.setCookieStore(new BasicCookieStore());           // fresh, explicit jar for this context
Pass this context to the impersonation request and to subsequent API calls until I get a 401 reply, after which I'm reacquiring cookies. Setting a new cookie store is important, as otherwise some default cookie store is used.
Two things to note:
This API looks like an internal one, so it could change at any time. If that happens, look for what the "Impersonate User" menu item does, and repeat it yourself.
ServiceNow permissions are quite fine-grained, so the target user could lack permissions to perform an operation. In some cases, if there is no permission to update the field, a PATCH on the object returns response 200, but the field is not updated. This introduces a surprising mode of failure when you use impersonation.
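The impersonation procedure in the answer above, carried through end to end as an added Python example (it is not code from the answer, which uses Apache HttpClient in Java, and not a ServiceNow-provided library). It POSTs to the /api/now/ui/impersonate/{sys_id} endpoint with the integration user's Basic credentials, keeps the Set-Cookie values in its own fresh jar, sends them on Table API calls, re-impersonates once when a call comes back 401, and checks the record echoed by a PATCH so the "200 but field not updated" failure mode raises instead of passing silently. The transport is pluggable; the FakeServiceNow class is a constructed offline stand-in (cookie names, sys_ids and the exact 401 body are assumptions), so the whole thing runs without an instance.

```python
import base64
import json
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, url, headers, body) -> (status, [(header, value), ...], body)
Response = Tuple[int, List[Tuple[str, str]], str]
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Response]


class ImpersonationError(RuntimeError):
    """The impersonate call did not yield a usable session."""


class SilentUpdateError(RuntimeError):
    """PATCH returned 200 but the record came back without the change."""


class ImpersonatingClient:
    """Table API client that acts as an impersonated user and re-impersonates on 401."""

    def __init__(self, instance: str, user: str, password: str, transport: Transport):
        self.base = f"https://{instance}.service-now.com"
        creds = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._basic = f"Basic {creds}"      # integration user; only sent to the impersonate endpoint
        self._send = transport
        self._cookies: Dict[str, str] = {}  # a fresh jar per client, like a new BasicCookieStore
        self.target: Optional[str] = None   # sys_id of the user currently impersonated

    def impersonate(self, user_sys_id: str) -> None:
        self._cookies = {}                  # drop any expired session before acquiring a new one
        headers = {"Authorization": self._basic, "Accept": "application/json",
                   "Content-Type": "application/json"}
        status, resp_headers, _ = self._send(
            "POST", f"{self.base}/api/now/ui/impersonate/{user_sys_id}", headers, "{}")
        if status != 200:
            raise ImpersonationError(f"impersonate returned HTTP {status}")
        for name, value in resp_headers:    # keep only name=value from each Set-Cookie
            if name.lower() == "set-cookie":
                k, _, v = value.split(";", 1)[0].partition("=")
                self._cookies[k.strip()] = v.strip()
        if not self._cookies:
            raise ImpersonationError("impersonate response carried no session cookies")
        self.target = user_sys_id

    def _cookie_header(self) -> str:
        return "; ".join(f"{k}={v}" for k, v in self._cookies.items())

    def _request(self, method: str, path: str, body: Optional[str]) -> Tuple[int, str]:
        headers = {"Accept": "application/json", "Content-Type": "application/json",
                   "Cookie": self._cookie_header()}
        status, _, text = self._send(method, self.base + path, headers, body)
        if status == 401 and self.target:   # session expired: reacquire cookies, retry once
            self.impersonate(self.target)
            headers["Cookie"] = self._cookie_header()
            status, _, text = self._send(method, self.base + path, headers, body)
        return status, text

    def update_field(self, table: str, sys_id: str, field: str, value: str) -> dict:
        status, text = self._request("PATCH", f"/api/now/table/{table}/{sys_id}",
                                     json.dumps({field: value}))
        if status != 200:
            raise RuntimeError(f"PATCH {table}/{sys_id} returned HTTP {status}")
        record = json.loads(text)["result"]
        if record.get(field) != value:      # 200 with the old value: the ACL denied the write silently
            raise SilentUpdateError(f"{field} was not updated as the impersonated user")
        return record


class FakeServiceNow:
    """Constructed offline stand-in for an instance (hypothetical, not real ServiceNow behaviour)."""

    def __init__(self) -> None:
        self.session: Optional[str] = None  # currently valid impersonation cookie value
        self.impersonations = 0
        self.record = {"short_description": "old", "priority": "4"}
        self.readonly = {"priority"}        # fields the impersonated user may not write

    def expire_session(self) -> None:
        self.session = None

    def __call__(self, method, url, headers, body) -> Response:
        if method == "POST" and "/api/now/ui/impersonate/" in url:
            if not headers.get("Authorization", "").startswith("Basic "):
                return 401, [], ""
            self.impersonations += 1
            self.session = f"sess{self.impersonations}"
            return 200, [("Set-Cookie", f"glide_user_session={self.session}; Path=/; HttpOnly"),
                         ("Set-Cookie", "JSESSIONID=abc; Path=/")], "{}"
        if not self.session or f"glide_user_session={self.session}" not in headers.get("Cookie", ""):
            return 401, [], '{"error":{"message":"User Not Authenticated"}}'
        if method == "PATCH":
            for k, v in json.loads(body).items():
                if k not in self.readonly:  # the fake ignores writes the ACL does not allow
                    self.record[k] = v
        return 200, [], json.dumps({"result": self.record})


def demo() -> dict:
    sn = FakeServiceNow()
    client = ImpersonatingClient("instance", "integration", "secret", sn)
    client.impersonate("u123")                                 # hypothetical target user sys_id
    first = client.update_field("incident", "inc1", "short_description", "new")
    sn.expire_session()                                        # next call gets 401, then recovers
    second = client.update_field("incident", "inc1", "short_description", "newer")
    try:
        client.update_field("incident", "inc1", "priority", "1")
        silent_detected = False
    except SilentUpdateError:
        silent_detected = True
    return {"first": first["short_description"], "second": second["short_description"],
            "impersonations": sn.impersonations, "silent_update_detected": silent_detected}
```

update_field verifies the echoed record, which works for ordinary fields; for a field the API does not echo back verbatim, apply your own follow-up read instead of relying on the PATCH response. Against a real instance, replace FakeServiceNow with a thin wrapper around your HTTP library that returns the status, the response headers as a list and the body text.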

Yii2 Auth Client Api

I have a plan to write an API module for login by API. In detail, another device can log in with a social account (Facebook, Google, etc.). So I don't have an exact scenario for this to do.
First I have a scenario:
Client sends token to server
Server receives token and client name (Facebook, Google, ...) and receives user info
Server stores data and responds to client
Client receives data and logs in
So please share details with me or show me some documents for more info.

How to learn to handle HTTP requests of protected resources?

I've written a tiny script that retrieves publicly available data from some APIs, in JSON format. I'm now trying to get some protected data out of bit.ly (click stats for a given user) and so I obviously need to authenticate via OAuth.
I don't seem to understand the role of client id and secret, as well as the user API key. I also don't get how to grab an access token (maybe generated during OAuth authentication?) to authenticate my HTTP requests of protected data. Do you guys know any good (e)book, article or any other resources I should read to understand in detail these architectural nuances of authenticated data retrievals and HTTP requests?
It is exactly as you suspect. The access token is granted during the OAuth process, which is basically a three step rocket of getting
Temporary credentials for your application
An end user needs to authenticate those temporary credentials, which grants you a verifier token
And finally you exchange your temporary credentials and the user verification for an access token.
Depending on which language/framework you are using, there are often good libraries available to help you implement an OAuth client. Check out: http://oauth.net/code/
But you will be well served by a clear understanding of how the whole thing works. Twitter has a great tutorial about OAuth 1: https://dev.twitter.com/docs/auth/oauth.
Regarding OAuth 2. Check out http://hueniverse.com/2010/05/introducing-oauth-2-0/. Hueniverse is a good resource for all things OAuth by the way.
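Each of the three legs described in the answer above (temporary credentials, user verification, access token exchange), and every later API call, is one HTTP request signed the same way, so the added Python example below implements that signing primitive from RFC 5849 (OAuth 1.0): the percent-encoding rule, the signature base string, HMAC-SHA1 with the client secret and the (possibly empty) token secret as key, the Authorization: OAuth header, and the server-side verification. It is not code from the linked Twitter or Hueniverse material and uses only the standard library. The worked values are the request from RFC 5849 section 3.4.1.1, with the client and token secrets as used in the RFC's HMAC-SHA1 example; a signature mismatch of the kind reported at the top of this page ("Invalid OAuth credentials or signature") is exactly what verify_signature returns False for.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qsl, quote, urlsplit

Params = Iterable[Tuple[str, str]]


def oauth_encode(s: str) -> str:
    """RFC 5849 section 3.6: only ALPHA / DIGIT / '-' / '.' / '_' / '~' stay bare."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lower-case scheme and host, default port dropped, no query or fragment."""
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), u.hostname or ""
    if u.port and u.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{u.port}"
    return f"{scheme}://{host}{u.path or '/'}"


def signature_base_string(method: str, url: str, params: Params) -> str:
    """Section 3.4.1: METHOD & enc(base URI) & enc(normalized parameters).

    params carries the form body and the oauth_* protocol parameters; the query string is
    taken from url. oauth_signature and realm never enter the base string.
    """
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs: List[Tuple[str, str]] = sorted(        # sort by encoded name, then encoded value
        (oauth_encode(k), oauth_encode(v))
        for k, v in list(query) + list(params)
        if k not in ("oauth_signature", "realm"))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)), oauth_encode(normalized)])


def hmac_sha1_signature(base: str, client_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: key is enc(client secret) & enc(token secret); the token secret may be empty."""
    key = f"{oauth_encode(client_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method: str, url: str, form_body: Params, client_key: str, client_secret: str,
                 token: str = "", token_secret: str = "", timestamp: Optional[int] = None,
                 nonce: Optional[str] = None) -> Dict[str, str]:
    """Client side: the oauth_* parameters, signature included, for one request.

    No token: leg 1 (temporary credentials, with oauth_callback in form_body). Temporary
    token plus oauth_verifier in form_body: leg 3. Access token: every later API call.
    """
    oauth = {"oauth_consumer_key": client_key,
             "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
             "oauth_nonce": nonce or secrets.token_hex(8)}
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, list(form_body) + list(oauth.items()))
    oauth["oauth_signature"] = hmac_sha1_signature(base, client_secret, token_secret)
    return oauth


def authorization_header(oauth: Dict[str, str], realm: str = "") -> str:
    """Section 3.5.1: the Authorization: OAuth header form of the protocol parameters."""
    parts = ([f'realm="{realm}"'] if realm else []) + [f'{k}="{oauth_encode(v)}"'
                                                       for k, v in oauth.items()]
    return "OAuth " + ", ".join(parts)


def verify_signature(method: str, url: str, form_body: Params, oauth: Dict[str, str],
                     client_secret: str, token_secret: str = "") -> bool:
    """Server side: recompute from the received parameters and compare in constant time."""
    params = list(form_body) + [(k, v) for k, v in oauth.items() if k != "oauth_signature"]
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   client_secret, token_secret)
    return hmac.compare_digest(expected, oauth.get("oauth_signature", ""))


# Worked request from RFC 5849 section 3.4.1.1; the body is the form-encoded "c2&a3=2+q".
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = parse_qsl("c2&a3=2+q", keep_blank_values=True)
RFC_CLIENT_SECRET, RFC_TOKEN_SECRET = "j49sk3j29djd", "dh893hdasih9"


def rfc5849_example() -> Dict[str, str]:
    """Signs the RFC's example POST with its fixed timestamp and nonce."""
    return sign_request("POST", RFC_URL, RFC_BODY, "9djdj82h48djs9d2", RFC_CLIENT_SECRET,
                        "kkk9d7dh3k39sjv7", RFC_TOKEN_SECRET, timestamp=137131201, nonce="7d8f3e4a")


def rfc5849_base_string() -> str:
    """The base string the RFC prints for that request, rebuilt from the signed parameters."""
    oauth = {k: v for k, v in rfc5849_example().items() if k != "oauth_signature"}
    return signature_base_string("POST", RFC_URL, list(RFC_BODY) + list(oauth.items()))
```

Two details account for most "invalid signature" failures in practice and are visible in the code: the base string is percent-encoded twice (once per parameter, once for the whole normalized string), and the body parameters are only included when the body is application/x-www-form-urlencoded, so a JSON body contributes nothing to the signature. A server should additionally reject stale timestamps and reused nonces, which this example leaves to the caller.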