I would like to automate the process of updating users' entitlements in DevOps. Shortly saying, when someone requests the access to a specific project I want:
Flow to trigger approval -> when it is approved -> flow add the selected entitlement to the user
I have a problem with the last part where I am using the DevOps HTTP request connector:
where:
URI:
"https://dev.azure.com/"MyOrgName"/_apis/userentitlements/5b0da6ff-c071-43aa-9178-7af9d6173dc4?api-version=5.0-preview.2"
Headers:
Content-Type application/json-patch+json
Body:
[
{
"op":0,
"path":"/projectEntitlements",
"value":{"projectRef":{"id":"3477b8aa-ff18-4f55-a632-3bbba54dbdff"},
"group":{"groupType":2}}
}
]
I am receiving an error code 400 - not authorized.
I know from my experience, that such an error doesn't need to mean missing authorization settings but just an incorrect URI or body in an HTTP request.
Any idea what can be wrong with my request or what can be the workaround for this?
Thank you in advance for your help.
Jacek
Related
As we are migrating our app from Firebase to Couchbase, we also need to change the authentication part. We are using the google_sign_in package and would like to continue using it to have the native Google Sign In popup. Using the package we can get a serverAuthCode, which from my understanding we can then send to the _oidc_callback endpoint of Couchbase Sync Gateway. First I had to set disable_callback_state to true in the Sync Gateway configuration ("DisableCallbackState determines whether or not to maintain state between the /_oidc and /_oidc_callback endpoints."). However, when I now send the serverAuthCode to the _oidc_callback endpoint, I get the following error with status code 500:
body: {"error": "Internal Server Error", "reason": "Failed to exchange token: oauth2: cannot fetch token: 400 Bad Request\nResponse: {\n \"error\": \"invalid_grant\",\n \"error_description\": \"Bad Request\"\n}"}
I assume it is because the login was done using the package and not through the browser with a redirect to the app afterwards. Now I have no idea how to do this correctly though, that I sign in with the google_sign_in package and then use the code to get the tokens from the Sync Gateway. I can't find any helpful information for this problem.
I would be very happy if someone could help me, possibly in a call. Maybe this way something like this can be solved faster.
I'm attempting to fetch the bearer token for OroCommerce, via POSTMAN and am encountering a 405 error, for the following request:
URL: http://<OroCommerce DNS>/oauth2-token
Header: Content-Type: application/json
Body:
{
"grant_type": "client_credentials",
"client_id": "XXXX",
"client_secret": "XXXX"
}
I have generated the public and private keys and added them to the /var directory of the application. Per this issue, I have tried "Enabled Guest Access" checked and unchecked. Both result in the same 405 error w/ HTML in the response (see image below). The back-end is up, when attempting these requests. Any suggestions on where to look (configurations, etc), in order to successfully fetch the bearer token, via the REST API?
Response HTML
First of all, make sure an API is enabled: https://doc.oroinc.com/api/enabling-api-feature/.
Then, make sure you are using the POST HTTP method to submit the request.
If it wouldn't help, make sure the maintenance mode is fully disabled. It's step 13 in the upgrade guide: https://doc.oroinc.com/backend/setup/upgrade-to-new-version/#id1
Check the application log at var/logs/prod.log for errors. Usually, the error message explains what is wrong, or at least, you can use it to google the issue.
If nothing works, you can try to access the same endpoint using the dev environment. There should be a more explicit error message with the stack trace. Or enable an xdebug extension and check it step by step.
While trying to create a new execution of a cycle in zephyr I am getting an error code of 104. I have tried it through postman as well of which i am pasting a screenshot as well. please any type of guidance would be great
Below is the body that i am sending
{"projectId": 10000, "issueId": 10000, "versionId": -1}
We had the same issue - a few things to check:
Make sure that your JWT token request is using the user's account ID instead of email. This was recently changed due to GDPR. Here is an example.
Check the "Disable Jira Permission on Zephyr Rest API" checkbox in Jira's administration section for Zephyr (Admin -> Apps -> Zephyr -> General Configuration)
Hello Microsoft/Azure/Skype experts,
I'm tasked with accessing presence data from Skype For Business Online accounts from my macOS app (native).
I'm unfortunately stuck and i always get a 403 error when i access the autodiscover request and never get the link to the applications resource
I have been following this documentation
https://learn.microsoft.com/en-us/skype-sdk/ucwa/authenticationusingazuread
STEP 1
We have registered the app in the Azure Management Portal using our Office 365 account credentials.
We have used custome redirect URL (http://localhost)
Allow Implicit Flow is set to true in manifest
We pre-configure the permissions needed for Skype for business
online
STEP 2
Issuing a GET as specified in the documentation to initiate sign in and authorization check.
GET https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=c#####-4d41-485e-871f-0a22aa79e52b&redirect_uri=http://localhost
This returns a 200 OK.
STEP 3
We got the Auto discover URL as described in the documentation.
This is what i get - i use the domain marked in RED.
STEP 4
As per the documentation, they ask me to do this
Requesting an access token using implicit grant flow
So i issue a GET as described
https://login.microsoftonline.com/oauth2/authorize?
response_type=id_token &client_id=######-4d41-485e-871f-0a22aa79e52b
&redirect_uri=http://localhost
&state=8f0f4eff-360f-4c50-acf0-99cf8174a58b
&resource=https://webdirin1.online.lync.com
Now this shows the sign in page, i sign in and then it throws an error
AADSTS90014%3a+The+required+field+%27nonce%27+is+missing.
I researched and could not fix this error.
So after lots of research and looking at this Microsoft documentation LINK (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-individual-user-consent) , apparently there is another way of getting the bearer token.
STEP 4 - SECOND TRY
I then Request individual user consent by sending the SCOPE parameter for Skype for Business.
I then issue a GET request to
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=#######-4d41-485e-871f-0a22aa79e52b&response_type=code&redirect_uri=http://localhost&response_mode=query&scope=https://api.skypeforbusiness.com/User.ReadWrite&state=12345
This returns an access code which i use in next step to get the TOKEN
STEP 5 - Get the bearer TOKEN
Issue a POST to following URL
https://login.microsoftonline.com/common/oauth2/v2.0/token With the
following data in POST body
"grant_type": "authorization_code", "client_id":
"######-4d41-485e-871f-0a22aa79e52b", "scope":
"https://api.skypeforbusiness.com/User.ReadWrite", "code":
"OAQABAAIAAACEfexX.........", "redirect_uri": "https://localhost"
This returns the bearer token in the following response JSON
{
"access_token" = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1........w4b-- gnWG_iOGtQ";
"expires_in" = 3599;
"ext_expires_in" = 3599;
scope = "https://api.skypeforbusiness.com/User.ReadWrite";
"token_type" = Bearer;
}
STEP 6
Yay! Got the bearer token at laaast!
Now back to the main documentation
https://learn.microsoft.com/en-us/skype-sdk/ucwa/authenticationusingazuread
And where we do this - 'Resending an autodiscovery request with the bearer token'
We execute a GET request to
https://webdirin1.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user
Now this, as per the documentation should return this JSON
{
"_links":{
"self":
{"href":"https://webdirX.online.lync.com/Autodiscover/AutodiscoverService.svc/root/user"},
"applications":
{"href":"https://webpoolXY.infra.lync.com/ucwa/oauth/v1/applications"}
}
}
BUT i GET A 403: PERMISSIONS denied error
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page
using the credentials that you supplied.</h3>
</fieldset></div>
So thus i have never got the applications url and I have checked the manifest, registration and i have no idea, why i get this error.
Any inputs would be appreciated.
For step 4, you need to specify nonce=somestring in the URL. Typically this should be a securely random value that is only used once. It can contain any value.
Also, you are only requesting an id token. Set response_type=id_token+token.
I have a situation where I am trying to handle auto discover in an iOS app (GOD I HATE auto discover with a passion). I'm at this point where I have followed through several sequences of redirects and email aliases, and the auto discover is now pointing me to an Office 365 URL (this user has been migrated to Office365).
I'm seeing a HTTP redirect to https://autodiscover-s.outlook.com, and I'm POST-ing the standard POX to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml with the user's credentials. I'm getting a 401 in return. I'm also getting a 401 when I curl this manually.
My POST is to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml. This is authenticated using the users email and password (I'm using AFNetworking 2.0, so I'm using the HTTPRequestSerilizer authentication mechanism)
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>user#Service.domain.com</EMailAddress>
<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
The response that I get is:
Domain=AFNetworkingErrorDomain Code=-1011 "Request failed: unauthorized (401)" UserInfo=0x8be9280 {
NSErrorFailingURLKey=https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml,
AFNetworkingOperationFailingURLResponseErrorKey=
{
URL: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
}
{ status code: 401,
headers {
"Cache-Control" = private;
"Content-Length" = 0;
Date = "Thu, 06 Mar 2014 05:00:49 GMT";
RequestId = "ee723790-60db-4008-b800-7d44d9884498";
Server = "Microsoft-IIS/7.5";
"Www-Authenticate" = "Basic Realm=\"\"";
"X-AspNet-Version" = "2.0.50727";
"X-DiagInfo" = BLUPRD0810CA020;
"X-Powered-By" = "ASP.NET";
} }, NSLocalizedDescription=Request failed: unauthorized (401)}
I get the same error when I try to CURL the same post data with the same user and password.
However, when I go to testexchangeconnectivity.com, I see the following, which I don't receive through the POX APIs:
Test Steps
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml for user user#Service.domain.com.
The Autodiscover XML response was successfully retrieved.
Additional Details
An HTTPS redirect was received in response to the Autodiscover request. The redirect URL is https://pod51008.outlook.com/Autodiscover/Autodiscover.xml.
Is there something wrong that I'm doing? I think the credentials work, because the initial auto discover to the user's on premise domain resolves fine and sends me online. The fact that curl also doesn't work leads me to think that there is some special office365 authentication that I'm not doing properly.
Any ideas?
I discovered the problem. I received an email address change from Autodiscover indicating that I should go from user#domain.com to user#service.domain.com. I then re-built the auto discover urls using user#service.domain.com. However, I was authenticating with user#service.domain.com, not user#domain.com. This is why I received 401.
I hate auto discover. None of this is documented anywhere (http://msdn.microsoft.com/en-us/library/jj900154(v=exchg.150).aspx).
I can't figure out what is going on without seeing every request and response. What is the structure of the Office365 URL?
Did you try an un-authenticated GET request to "http://autodiscover." + domain + "/autodiscover/autodiscover.xml"? In Autodiscover for Exchange, there is a Phase 3 sub section that describes this. This article captures much of the requirements for implementing auto discover for a client.
I think Michael meant to link to Handling Autodiscover error messages. However, it doesn't explicitly note that you should not change your user name in your credentials when you get a redirect to another email address. You only change it in the EMailAddress element. Thanks for the feedback, and sorry for the confusion!