I have followed the AWS documentation for enabling an authoriser for API access using Cognito tokens.
When I test the authoriser with the ID token within the AWS console, it works fine.
On using the access tokens and trying to access via Postman I repeatedly get and "unauthorised" error (401).
I have tried the following but to no avail
Disabling and enabling CORS (both combinations)
Using the ID token instead of the access token
Republishing the API after changing the auth scope params
Deleting and recreating the API again
When I turn off authorisation the API works fine via Postman/ Browser. When I turn it back on again the problem resurfaces.
Related
I'm using ASP.Net Core 6 to build a secured Web API.
HOW I BUILT IT
dotnet new webapi --auth SingleOrg --aad-instance https://login.microsoftonline.com/ --client-id <CLIENT ID> --domain company.onmicrosoft.com --tenant-id <TENANT ID> --calls-graph true -o GraphTestService
APP REGISTRATION OF WEB API
I added a Scope in the Export API "EmployeeRecord.Read"
APP REGISTRATION FOR CLIENT (Public Client)
Added permission for Graph API (User.Read)
Added permission "EmployeeRecord.Read"
HOW I GET TOKEN USING THE CLIENT
I'm using "InteractiveBrowserCredential".
Everything works fine up until the Web service tries to call Graph API. It throws MsalUIRequiredException.
Understandable, since I did not include any graph API permissions when I requested a token.
FINALLY, THE PROBLEM
When I inspect the Bearer token that's returned, it has the "EmployeeRecord.Read" scope. Ok, that's fine. The Web API authorizes it; but the token doesn't have any permissions for Graph API.
When I add a graph API permission to the scopes, I get
AADSTS28000: Provided value for the input parameter scope is not valid because it contains more than one resource. Scope api://<APP URI ID>/EmployeeRecord.Read https://graph.microsoft.com/User.Read offline_access openid profile is not valid.
If I only include the graph API permission, the Web API returns an Unauthorized error.
WHAT I'VE TRIED
In addition to playing with the scopes, I tried adding my client application to the Web API app registration under the "Expose an API / Add A client Application". This made no difference. No difference in token or errors.
You are trying to add scopes for 2 different resource ,the scope parameter cannot be used to specify permissions for multiple resources similar issue .
we recommend you to use MSAL libarry , MSAL will store tokens for you and refresh whenever token is expired. Just call acquireTokenSilent to get an access token silently, and if you get an error, call acquireToken (see details on error handling here: https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-handling-exceptions#msal-for-ios-and-macos-errors)
for more info please check similar issue
Thanks
I have an SPA that uses B2C as its certification.
not AD, im using B2C.
Now I want to display user information on the SPA,
so I want to use MsGraphAPI to get data from B2C.
Therefore, we are trying to obtain an access token using credential flow.
The code is as follows
requestUri = "https://login.microsoftonline.com/{tenandId}/oauth2/v2.0/token";
var params = new URLSearchParams();
params.append("grant_type","client_credentials");
params.append("client_id","XXXX");
params.append("client_secret","ZZZZ");
params.append("scope","https://graph.microsoft.com/.default");
const response = fetch(requestUri, {
method:"POST",
body:params
});
At this time, the developer tool shows a corrs error.
The following error.
access to fetch "https://login.microsoftonline.com/{tenandId}/oauth2/v2.0/token" from origin "http://localhost:3000" has been blocked by CORS policy.
How can I resolve this?
SPA is available at http://localhost:3000.
Is the localhost no good?
The purpose of authenticating is to get user information. You can insert any attribute into the token, and then parse the id_token to display the users profile information in your application. Calling MS Graph API for this seems counter intuitive.
Next, you shouldnt be using client_credentials in your SPA, those are secret credentails, and should only be used by your server. By exposing those credentials in your SPA, any user could extract them and use them to read your entire directroy store. This is why you are getting a CORS error, it's never supposed to be running on the client browser.
I started working with adding migration from OAuth1a to OAuth2 inside my application and i face some problems.
This is what I've done :
I updated my partner app just like it is described here https://developer.xero.com/documentation/oauth2/migrate (added Auth2.0 redirect , got client id and secret etc ...)
I implemented token migration exactly as it is done here https://github.com/XeroAPI/xero-net-oauth2-sampletokenmigration and it works fine when OAuth1 token is valid :)
But when it is invalid and I'm doing refresh (using app updated in step 1) and call ~/oauth/migrate endpoint (using access token that i just recived after refresh step) to get OAuth2 token. I'm reciving this error "You can only migrate an OAuth1.0a connection to an OAuth2.0 connection for the currently authorised app". Also same thing happen when i create new connection (using partner applications created in in step 1) and than try to migrate this access token to Auth2.0.
Can anybody point me what I'm doing wrong ?
That is the error returned when you try to migrate to a newly created app. Are you sure you are using the tokens from the same Partner app tile in your /myapps dashboard.
It should look something like this, once you've added the correct OAuth2 redirect uri and generated your secret.
I am trying to configure login using Auth0. As part of the initial steps, I created an application and added Allowed Callback URLs and Allowed Logout URLs. I have no hosted pages in /login, /login-results, /logout routes. I am just trying to learn working of Auth0 by getting the JWT token and test it in http://jwt.io/.
I tried to use the login UI flow which available out of the box in Auth0. I created the login URL as mentioned in this doc to hit this endpoint
GET https://YOUR_DOMAIN/authorize?audience=API_IDENTIFIER&scope=SCOPE&response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=https://YOUR_APP/callback&state=STATE
But I am getting this error while executing the endpoint which I created using the credentials of my application with above-mentioned callback URL.
http://127.0.0.1:8080/login-results#error=access_denied&error_description=Service%20not%20found%3A%20name
Endpoint which I generated:
https://fsnd-kavin.auth0.com/authorize?audience=audiencename&response_type=token&client_id={CLIENT_ID}&redirect_uri=http://127.0.0.1:8080/login-results
What is the actual issue? Am I missing any other configurations?
Service Not Found
This error message points to that you passed non existent API identifier as audience. Check that API is created in the API section of Dashboard.
We have a deployed API which is responding correctly; however it has a different URL endpoint configured for Sandbox vs Production.
When I curl a request to the API Manager it is always the Production endpoint which is hit despite which Bearer token I submit. Authentication is working as if I submit an invalid Bearer token I get unauthenticated errors.
Any clues of where the mis-configuration might be?
(version 1.4.0)
When looking at your mentioned issue,I think you have used the 'PRODUCTION' scoped access token to invoke your SANDBOX endpoint.
After you defined two different endpoints as sandbox URL and production URL when creating the API,to invoke them you need to use different access tokens based on its scope [PRODUCTION/SANDBOX].
To invoke SANDBOX endpoint from your API,you need to use SANDBOX access token.
To find these production and sandbox endpoints related keys,you can navigate to APIStore->My Subscriptions page and view the keys under sections of 'production' and 'sandbox' in the particular subscription.And under each 'PRODUCTION/SANDBOX' keys section of subscriptions page,you'll see a separate access token and consumer key/secret.
Try invoking your SANDBOX endpoint of API,with above shown sandbox access token in 'My Subscriptions' page of APIStore or else you can use sandbox based consumer key/secret to generate sandbox scoped user tokens[1] and use those tokens to invoke your API sandbox based endpoint.
A sample cURL request to generate sandbox scoped user token would be as below;
curl -k -d "grant_type=password&username=xxx&password=xxx&scope=SANDBOX" -H "Authorization :Basic base64encoded_SANDBOX_based_consumer key:secret, Content-Type: application/x-www-form-urlencoded" https://ip:8243/token
[1] http://docs.wso2.org/wiki/display/AM140/Token+APIs#TokenAPIs-GeneratingusertokensGenerating