Direct naked impersonation - authentication

I am having issues getting these steps to work, documented in the Securing Applications and Services Guide. This thread on Stack Overflow showed an option which did not work as well. Can someone point me to the steps needed to fix this to allow naked impersonation?
Realm/client/policy/user details in the attached picture.
Query:
curl -k -X POST \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode "client_id=starting-client" \
--data-urlencode "client_secret=....." \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
--data-urlencode "requested_subject=target-user" \
https://localhost:8543/auth/realms/target_realm/protocol/openid-connect/token
Response:
{"error":"access_denied","error_description":"Client not allowed to exchange"}
Server logs:
22:40:08,396 WARN [org.keycloak.events] (default task-149) type=TOKEN_EXCHANGE_ERROR, realmId=target_realm, clientId=starting-client, userId=null, ipAddress=172.17.0.1, error=not_allowed, reason='client not allowed to impersonate', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, requested_subject=target-user, client_auth_method=client-secret

This is an issue with the documentation in the Securing Applications and Services Guide. Instead of adding a client policy for the scope "user-impersonated", the policy must be added for the scope "impersonate". Once that change was done it started to work.

Please use the below request format, and it should work. Tested and verified.
curl --location --request POST 'https://api.kong.stg.vrpintegration.dev/requestJWT/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'client_id=CLIENT_ID' \
--data-urlencode 'client_secret=bddf3a83-f4ec-45f6-afa0-cf9c94cb5518' \
--data-urlencode 'subject_token=xxxxxx' \
--data-urlencode 'audience=CLIENT_ID' \
--data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:refresh_token'

Make sure you checked that the user exists, because if it doesn't exist it will return "Client cannot impersonate".
Also, there is some contradiction in the docs.
Reading it from Red Hat Keycloak, it uses impersonate instead of user-impersonate in the user permission, while the official Keycloak doc adds user-impersonate. I used impersonate and added my starting-client. It works for me.
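The server log line quoted in the question is the artefact an operator actually has to work from, so here is an added example (not code from the thread or from Keycloak) that parses lines in that org.keycloak.events format and counts impersonation denials per requesting client. It uses the question's log line as the first sample; the remaining lines, the field names of the success event, and the threshold are constructed for the example. The remediation text is the fix the answers above give: a client policy on the "impersonate" scope, and a check that the requested subject exists.

```python
"""Parse Keycloak event-log lines and summarise token-exchange impersonation
denials per (realm, client, requested_subject). Added example; all sample
lines except the first are constructed."""
import re
from collections import Counter

# First line is the one quoted in the question; the others are constructed.
SAMPLE_LOG = """\
22:40:08,396 WARN [org.keycloak.events] (default task-149) type=TOKEN_EXCHANGE_ERROR, realmId=target_realm, clientId=starting-client, userId=null, ipAddress=172.17.0.1, error=not_allowed, reason='client not allowed to impersonate', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, requested_subject=target-user, client_auth_method=client-secret
22:40:12,001 WARN [org.keycloak.events] (default task-150) type=TOKEN_EXCHANGE_ERROR, realmId=target_realm, clientId=starting-client, userId=null, ipAddress=172.17.0.1, error=not_allowed, reason='client not allowed to impersonate', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, requested_subject=target-user, client_auth_method=client-secret
22:41:30,555 INFO [org.keycloak.events] (default task-151) type=TOKEN_EXCHANGE, realmId=target_realm, clientId=starting-client, userId=1234, ipAddress=172.17.0.1, auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, requested_subject=target-user, client_auth_method=client-secret
22:42:00,100 WARN [org.keycloak.events] (default task-152) type=LOGIN_ERROR, realmId=target_realm, clientId=account, userId=null, ipAddress=10.0.0.9, error=invalid_user_credentials, auth_method=openid-connect
"""

# "<time> <level> [org.keycloak.events] (<thread>) key=value, key=value, ..."
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>\w+)\s+\[org\.keycloak\.events\]\s+"
    r"\((?P<thread>[^)]*)\)\s+(?P<fields>.*)$"
)
# A value is either single-quoted (may contain spaces and commas) or runs to the next comma.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|[^,]*)")

DENIAL_REASON = "client not allowed to impersonate"


def parse_event(line):
    """Return the event as a dict of its fields, or None if the line is not an event line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"time": m.group("time"), "level": m.group("level"), "thread": m.group("thread")}
    for key, raw in FIELD_RE.findall(m.group("fields")):
        value = raw.strip()
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]  # drop the quotes around e.g. the reason text
        event[key] = value
    return event


def impersonation_denials(log_text):
    """Count TOKEN_EXCHANGE_ERROR events carrying the impersonation denial,
    keyed by (realm, requesting client, requested subject)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev.get("type") == "TOKEN_EXCHANGE_ERROR" and ev.get("reason") == DENIAL_REASON:
            counts[(ev.get("realmId"), ev.get("clientId"), ev.get("requested_subject"))] += 1
    return counts


def repeated_denials(log_text, threshold=2):
    """Keys whose denial count reaches the threshold: either a misconfigured client
    (the case in this thread) or a client requesting impersonation it was never granted."""
    return sorted(k for k, n in impersonation_denials(log_text).items() if n >= threshold)


def remediation_hint(event):
    """Map the denial to the fix given in the thread; None for any other event."""
    if event.get("type") != "TOKEN_EXCHANGE_ERROR" or event.get("reason") != DENIAL_REASON:
        return None
    return (f"realm {event.get('realmId')}: add a client policy for client {event.get('clientId')} "
            f"on the 'impersonate' scope of the users permission (not 'user-impersonated'), "
            f"and verify that user {event.get('requested_subject')} exists")


if __name__ == "__main__":
    for key, n in impersonation_denials(SAMPLE_LOG).items():
        print(n, key)
    for line in SAMPLE_LOG.splitlines():
        hint = remediation_hint(parse_event(line) or {})
        if hint:
            print(hint)
```

Feeding the real server log through `repeated_denials` separates a single mistyped request from a client that keeps hitting the denial, which is the case worth a second look when the client is not one you are currently configuring.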

Related

Not able to create ENV variable using API token

I was trying to automate creating ENV variables in CI/CD by using API commands, but unfortunately I'm getting a 401 Unauthorized error.
Earlier I used to do this the same way and was able to do it.
But now it's throwing an error; could anyone please help me find out why.
Command:
curl --request POST --header “PRIVATE-TOKEN: <your_access_token>” \
“https://gitlab.com/api/v4/projects/1/variables” --form “key=NEW_VARIABLE” --form “value=new value”
Please look into the error message:
The "Create a variable" API call indeed looks like:
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \
"https://gitlab.com/api/v4/projects/1/variables" --form "key=NEW_VARIABLE" --form "value=new value"
(make sure to use the right double-quotes " instead of “)
Double-check the ID of the project (in your case "1") and make sure the user authenticated with your token has the right permissions:
They must be "maintainer" or "owner", in order to have the right to "Manage project-level CI/CD variables".
For example, using a Personal Access Token with api scope, starting with glpat- (glpat-xxxxxxx), I can first list my projects (using jq):
curl -XGET --header "PRIVATE-TOKEN: glpat-xxxx" "https://gitlab.com/api/v4/projects?owned=true" | jq ".[] | \"\(.id) \(.path_with_namespace)\""
That allows me to find the project id.
I can then list variables for an existing project:
curl -XGET --header "PRIVATE-TOKEN: glpat-xxxx" "https://gitlab.com/api/v4/projects/<projectId>/variables"
Result:
[]
I have none on that project.
I will set one with:
curl -XPOST --header "PRIVATE-TOKEN: glpat-xxxx" "https://gitlab.com/api/v4/projects/<projectId>/variables" --form "key=NEW_VARIABLE" --form "value=new value"
Result:
{"variable_type":"env_var","key":"NEW_VARIABLE","value":"new value","protected":false,"masked":false,"environment_scope":"*"}
Let's double-check with:
curl -XGET --header "PRIVATE-TOKEN: glpat-xxxx" "https://gitlab.com/api/v4/projects/<projectId>/variables"
Result:
[{"variable_type":"env_var","key":"NEW_VARIABLE","value":"new value","protected":false,"masked":false,"environment_scope":"*"}]
It does work.
The OP Anirban Das confirms in the comments an issue with how Postman was used:
Actually, in the body of Postman, select 'form'; there I had mentioned the key name directly in the Key section and the value in the Value section.
But that was not correct.
In the Key section, we need to mention "key", and the key name should be in the Value section.
Similarly, "value" in the Key section and its value in the Value section.
Once this worked, you will see the "</>" icon in the right navigation pane, which will give you the corresponding curl command.

dremio list user API

I'm trying to query dremio using the documented API to get list of users.
Dremio version:
Build: 20.2.2-202203241726030461-f7eea3e0
Edition: Enterprise Edition
API:
https://docs.dremio.com/software/rest-api/user/list-users/
sample query:
curl -X GET --location "http://localhost:9047/api/v3/user" \
-H "Authorization: _dremiohrr395nv31g8k610616tucp91g" \
-H "Content-Type: application/json" \
-H "Accept: application/json"
I keep getting this error:
{
"errorMessage": "Something went wrong. Please check the log file for details, see https://docs.dremio.com/advanced-administration/log-files.html",
"moreInfo": "HTTP 405 Method Not Allowed"
}
It seems that this API is not supported at all.
Is there a published API to list all users so that I can get user name, uid, and role memberships?
I'm trying to avoid using SQL query.
The v3 list users API is buggy.
apiv2/user works.

Watson speech to text authentication

I am trying to get Transcribe from Microphone working on my server as a starting point.
The code is straightforward but I am having trouble with the token.
On IBM Cloud I created an IAM service ID with access policies:
Viewer, Reader, 14 Speech to Text service in all resource groups
I created an API key from that
and created the token file:
curl -k -X POST --output token \
--header "Content-Type: application/x-www-form-urlencoded" \
--header "Accept: application/json" \
--data-urlencode "grant_type=urn:ibm:params:oauth:grant-type:apikey" \
--data-urlencode "apikey={apikey}" \
"https://iam.cloud.ibm.com/identity/token"
The response has 'access_token' but the JavaScript SDK 0.38.1 looks for 'accessToken'.
When I start the microphone I get a socket error on 'wss://stream.watsonplatform.net/speech-to-text/api/v1/recognize'.
I checked token expiration.
I confirmed it is an auth problem:
curl -X GET "https://stream.watsonplatform.net/speech-to-text/api/v1/models?access_token={accessToken}"
responds "unauthorized".
I have researched and am unsure what to do next. My best guess is I am generating the token improperly.
I would leave the token generation to the code. All the SDKs have an IAMAuthenticator component. The full documentation for Node.js is here. It has a very simple example where you pass in the API key:
import { IamAuthenticator } from 'ibm-cloud-sdk-core';
const authenticator = new IamAuthenticator({
  apikey: '{apikey}',
});
Thereafter, you instantiate the service, e.g., STT.

Getting "You don't have a required scope to access the endpoint" when inserting script

I'm developing an app for storefronts and want to get some analytics in checkout, so I want to inject a script in the checkout scope. When I try to insert it I'm getting "You don't have a required scope to access the endpoint", but I have updated the scopes to Checkout Content: modify. Not sure what else is wrong.
Trying to insert a script via an app, getting 403 even though I updated the OAuth scopes to include Checkout Content and Checkout:
curl --request POST \
--url https://api.bigcommerce.com/stores/{store_hash}/v3/content/scripts \
--header 'accept: application/json' \
--header 'content-type: application/json' \
--header 'x-auth-client: XXXXX' \
--header 'x-auth-token: XXXXX' \
--data '{"name":"Test Scripts Tag","description":"Test Scripts Tag","html":"<script src=\\\"https://Somedestination/Test.js\\\"></script>","src":"https://Somedestination/Test.js","auto_uninstall":true,"load_method":"default","location":"footer","visibility":"checkout","kind":"src"}'
Getting the error below, while expecting status 200:
status: 403, You don't have a required scope to access the endpoint
The html field shouldn't be included when using src, could you try removing it?
The only errors I was receiving in testing were due to malformed HTML in the html field with the error code 422. It may also be worth trying to create a new API account to rule out scoping causing this.

Pushbullet API from cURL - invalid request

I'm working on an app using Pushbullet's API, but I'm running into odd errors when running through the sample code at https://docs.pushbullet.com/v2/pushes/.
I'm executing the following cURL command (in Windows):
curl -k -u <MY_API_KEY>: -X POST https://api.pushbullet.com/v2/pushes --header 'Content-Type: application/json' --data-binary '{"type": "note", "title": "Note Title", "body": "Note Body"}'
...but it keeps generating the following error:
{"error": {"type":"invalid_request","message":"The param 'type' has an invalid value.","param":"type","cat":"\u003e:3"}}
It also produces this error:
The other commands for the other endpoints in the documentation work fine...it's just this one.
Got any suggestions? Thanks for the help! :)
It looks like Windows doesn't support those kinds of quotes on the command line. Here's an example that works:
curl https://api.pushbullet.com/v2/pushes -X POST -u <access token>: --header "Content-Type: application/json" --data-binary "{\"type\": \"note\", \"title\":\"Note Title\", \"body\": \"Note Body\"}"
I think I'm going to try to replace the curl examples with something that has less confusing behavior.
I figured it out. I don't really know why, but the cURL command wasn't working through the DOS prompt, and also wasn't working using the Postman REST client for Chrome, but I got it working in the DHC extension for Chrome. The trick was setting the Authorization header to "Basic", which resolves the Pushbullet access token to some other form and makes the HTTP request succeed.
Hope this helps someone down the road if they run into this on Windows!
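The root cause in this thread is shell quoting: cmd.exe has no single-quote syntax, so the JSON body must be wrapped in double quotes with the inner quotes escaped, exactly as the working command above shows. Rather than hand-escaping, the added example below (not code from the thread or from Pushbullet) builds the same request as an argument list and lets the standard library emit the correct command line for Windows (`subprocess.list2cmdline`, which follows the CreateProcess quoting rules) and for a POSIX shell (`shlex.join`). The access token is a placeholder; the URL and header are the ones from the thread.

```python
"""Build the Pushbullet note push as argv and quote it per platform.
Added example; the token value is a placeholder."""
import json
import shlex
import subprocess

PUSHES_URL = "https://api.pushbullet.com/v2/pushes"


def push_args(access_token, title, body):
    """curl argv for the note push from the thread; the JSON body comes from json.dumps,
    so it is valid JSON before any shell quoting is applied."""
    payload = json.dumps({"type": "note", "title": title, "body": body})
    return [
        "curl", PUSHES_URL, "-X", "POST",
        "-u", f"{access_token}:",          # HTTP Basic auth with the token as user name
        "--header", "Content-Type: application/json",
        "--data-binary", payload,
    ]


def windows_command_line(args):
    """Quote for cmd.exe: arguments with spaces are double-quoted and inner
    double quotes are backslash-escaped; single quotes are never used."""
    return subprocess.list2cmdline(args)


def posix_command_line(args):
    """Quote for sh/bash, where single-quoting the JSON body is fine."""
    return shlex.join(args)


def parsed_body(args):
    """Round-trip check: the body the API will receive parses as JSON with type 'note'."""
    return json.loads(args[args.index("--data-binary") + 1])


if __name__ == "__main__":
    argv = push_args("PLACEHOLDER_ACCESS_TOKEN", "Note Title", "Note Body")
    print("Windows:", windows_command_line(argv))
    print("POSIX:  ", posix_command_line(argv))
    print("body:   ", parsed_body(argv))
```

The `-u <token>:` form already sends an `Authorization: Basic` header (the token as user name with an empty password), which is the same thing the DHC "Basic" setting in the last comment did by hand; the only difference between the failing and working commands is how the body reached curl.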