I use AWS Credentials Provider Chain and AWS SES together.
Without using AWS Credentials Provider Chain there is no error as the Email address is not verified.
But when using Credentials Provider Chain there is an error as "Failed message 1: com.amazonaws.services.simpleemail.model.MessageRejectedException: Email address is not verified. The following identities failed the check in region AP-SOUTHEAST-1:"
My mail.server.address is in AP-SOUTHEAST-1 and the region is also AP-SOUTHEAST-1 and the email address is verified.
This is the bean configuration I did.
#Bean
public AmazonSimpleEmailService amazonSimpleEmailService() {
return AmazonSimpleEmailServiceClientBuilder.standard()
.withCredentials(
new DefaultAWSCredentialsProviderChain())
.withRegion(region)
.build();
}
#Bean
public JavaMailSender getMailSender(AmazonSimpleEmailService amazonSimpleEmailService) {
return new SimpleEmailServiceJavaMailSender(amazonSimpleEmailService);
}
Related
I have an iOS app that uses an AppSync GraphQL API created with AWS Amplify. I want some queries to be available with public auth (for unauthenticated users) via IAM. For this public case, when calling the API, I get the following error from AWSAppSync/AWSAppSyncClient/AWSAppSyncHTTPNetworkTransport.swift:
Fatal error: Credentials Provider and endpoint not set
The AppSync initialization is done in the AppDelegate:
let serviceConfigIAM = try AWSAppSyncServiceConfig(forKey: "bookapi_AWS_IAM")
let cacheConfigIAM = try AWSAppSyncCacheConfiguration(useClientDatabasePrefix: true, appSyncServiceConfig: serviceConfigIAM)
let clientConfigIAM = try AWSAppSyncClientConfiguration(appSyncServiceConfig: serviceConfigIAM, cacheConfiguration: cacheConfigIAM)
appSyncClient = try AWSAppSyncClient(appSyncConfig: clientConfigIAM)
I noticed in AWSAppSyncClientConfiguration#makeNetworkTransportForIAM that the resolvedCredentialsProvider is nil:
// Evaluates to nil
let resolvedCredentialsProvider = authProvider ?? AWSServiceInfo().cognitoCredentialsProvider
Do I need to create a credentials provider and pass it to the AppSync client config? How can I use IAM for unauthenticated users?
Vaultsharp is not able to authenticate with vault for TLS AUTH method
C# code on windows 10, cert and key in personal store
environment windows
X509Certificate2 clientCertificate = null;
X509Store store = new X509Store(StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certificateList =
store.Certificates.Find(X509FindType.FindBySubjectName, "subject name", false);
if (certificateList.Count > 0)
{
clientCertificate = certificateList[0];
};
store.Close();
// got clientCertificate here, it has private key as well
try
{
IAuthMethodInfo authMethod = new CertAuthMethodInfo(clientCertificate);
var vaultClientSettings = new VaultClientSettings("endpoint:8200", authMethod);
IVaultClient vaultClient = new VaultClient(vaultClientSettings);
Secret<Dictionary<string, object>> secret = null;
Task.Run(async () =>
{
secret = await vaultClient.V1.Secrets.KeyValue.V1.ReadSecretAsync("dummy_app/dev/connection_strings");
}).GetAwaiter().GetResult();
Above code is throwing error
{"errors":["client certificate must be supplied"]}
It should return the secret instead of throwing exception
Please check the following.
That the certificate really has a private key. (HasPrivateKey check on the object) Typically you read a private key from a store using a passphrase. I don't see that above, so it maybe that what you have is a public key.
Please ensure that the certificate is a valid cert with the full chain. The Vault API (not VaultSharp) throws an error if it cannot find the parent chain.
Please inspect the http or tcp connection to see if the cert is truly attached.
We have been using Amplify and Cognito to register our users for an Angular6 application deployed to Lambda. The client wanted to transition from email to username as primary user identification. So we created a new user pool / client. I don't have visibility into the configuration settings, I was simply given new user pool, identity pool, and client id's. Then I changed the code for application signup to look like this:
return from(Auth.signUp({
'username': username, // was email
'password': password,
attributes: { // added these
'email': email,
'phone_number': phone_number,
'family_name': name,
'birthdate': DOB,
'custom:last_4_ssn': SSN // custom attribute
}}));
The response I'm getting with no other changes made is: Unable to verify secret hash for client. Google claims the problem is that secretAccess is currently an unsupported configuration, but the guy who has access to these services swears to me that nowhere is secretAccess configured in our setup.
I apologize for not having access to the configuration, but is there any other possible reason to receive this error?
That error is probably originating from the fact that the app client you are connected to has an associated secret key. When you create a user pool app client, it generates a secret by default:
Right now, with React-Native Amplify you have to use an app client that does not have a secret key generated. So when you create a new app client with your desired attributes, make sure the "Generate client secret" box is unchecked.
The solution is to pass secret_hash along with the adminAuthInitiate Request. And to calculate the secret hash you can use the following method:
public static String calculateSecretHash(String userPoolClientId, String userPoolClientSecret, String userName) {
final String HMAC_SHA256_ALGORITHM = "HmacSHA256";
SecretKeySpec signingKey = new SecretKeySpec(
userPoolClientSecret.getBytes(StandardCharsets.UTF_8),
HMAC_SHA256_ALGORITHM);
try {
Mac mac = Mac.getInstance(HMAC_SHA256_ALGORITHM);
mac.init(signingKey);
mac.update(userName.getBytes(StandardCharsets.UTF_8));
byte[] rawHmac = mac.doFinal(userPoolClientId.getBytes(StandardCharsets.UTF_8));
return Base64.getEncoder().encodeToString(rawHmac);
} catch (Exception e) {
throw new RuntimeException("Error while calculating ");
}
}
How to Pass Secret_Hash
Map<String, String> authParams = new HashMap<>(2);
authParams.put("USERNAME", <username>);
authParams.put("PASSWORD", <password>);
authParams.put("SECRET_HASH", calculateSecretHash(cognitoClientId, cognitoClientSecret, <username>));
AdminInitiateAuthRequest authRequest = new AdminInitiateAuthRequest()
.withClientId(userPool.getClientId()).withUserPoolId(userPool.getUserPoolId())
.withAuthFlow(AuthFlowType.ADMIN_NO_SRP_AUTH).withAuthParameters(authParams);
AdminInitiateAuthResult result = cognito.adminInitiateAuth(authRequest);
auth = result.getAuthenticationResult();
This is my last stop in trying to get this thing to work.
I have created a WCF service in .net/C# and it is hosted in IIS (port 80) on an amazon EC2 instance. The service uses OAuth2 (GoogleWebAuthorizationBroker.AuthorizeAsync) to authorize the service to read/write files to google drive. The client app uses POST messages to call the services add method that triggers the auth and then adds a file to google drive.
My problem, and I've left no stone unturned, is that when I run the service on my dev machine, (visual studios created IIS express instance), the client has no problem when the POST is sent getting a proper successful response and adding the file to Google Drive (the file does transfer to google drive). However, when I upload the service to IIS on my Amazon EC2 instance and change the connection strings on the client to point to ec2 instance, the service returns a (400) Bad Request from the service.
I know the service works with everything except the google authorization and google drive file upload, because i removed this and the POST works, but when the google auth and google drive file upload are retained, I get a 400 bad request...
In the google dev console I have the redirect uri's setup to:
http://localhost:3537
http://localhost/authorize/
http://localhost:80/authorize/
http://localhost:80/TimesheetService.svc/authorize/
http://localhost/TimesheetService.svc/authorize/
http://localhost/authorize/
C# Using Namespaces:
using Google.Apis.Auth.OAuth2;
using Google.Apis.Drive.v2;
using Google.Apis.Drive.v2.Data;
using Google.Apis.Services;
using Google.Apis.Util.Store;
EC2 IIS setup:
The WCF service is hosted in IIS as a new site and points to localhost port 80
Here is the OAuth code that is failing on EC2 but not dev:
private static String ACTIVITY_ID = "REMOVED";
static String CLIENT_ID = "REMOVED";
static String CLIENT_SECRET = "REMOVED";
static String APP_USER_AGENT = "ApplicationB";
static String[] SCOPES = new [] { DriveService.Scope.Drive };
/// <summary> Returns the request initializer required for authorized requests. </summary>
private static async Task<DriveService> GetCredentials()
{
ClientSecrets secrets = new ClientSecrets
{
ClientId = CLIENT_ID,
ClientSecret = CLIENT_SECRET
};
IDataStore credentialPersistanceStore = getPersistentCredentialStore();
UserCredential credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(secrets,
SCOPES, getUserId(), CancellationToken.None, credentialPersistanceStore);
var service = new DriveService(new BaseClientService.Initializer()
{
HttpClientInitializer = credential,
ApplicationName = APP_USER_AGENT
});
return service;
}
/// <summary>
/// Returns an ID string for the current user. IDs are unique within this application.
/// </summary>
private static String getUserId()
{
// TODO: Generate a unique user ID within your system for this user. The credential
// data store will use this as a key to look up saved credentials.
return "MyGoogleEmail#Gmail.com";
}
/// <summary> Returns a persistent data store for user's credentials. </summary>
private static IDataStore getPersistentCredentialStore()
{
// TODO: This uses a local file store to cache credentials. You should replace this with
// the appropriate IDataStore for your application.
return new FileDataStore("Drive.Sample.Credentals");
}
Can somebody please shine some light on the issues I'm facing revolving WCF on IIS in EC2 using google OAuth. I Cannot seem to get this working.
Exact duplicate of
SSL error RemoteCertificateNameMismatch
SSL error RemoteCertificateNameMismatch
I am using WCF for the client to access service. I am trying to access the endpoint with TLS (https). I have certificates with both private and public keys.
If I have the end point of the service to have the host name same as the certificate name ("Issued To"), then i am able to access the service from the client.
If the names of the "issued to" and end point domain name are different i get the error "Could not establish trust relationship for the SSL/TLS secure channel with authority". I have added the certificates to "Trusted Root", "Personal" and "trusted People". In my service i have used "PeerOrChainTrust".
Please let me know if anybody has any idea on this
In that case, you need to define the trust policy for the server on client side,
Call SetCertPolicy once before you make any call to the services.
using System.Net;
using System.Security.Cryptography.X509Certificates;
public static void SetCertPolicy()
{
ServicePointManager.ServerCertificateValidationCallback += RemoteCertValidate;
}
private static bool RemoteCertValidate( object sender, X509Certificate cert, X509Chain chain,
SslPolicyErrors error )
{
// trust any cert!!!
return true;
}