Every user getting registered to the Sandbox gets added to the Platform as an Identity.
How can I get the Identity ID of my user when I log in to the Sandbox environment?
I need this user ID for creating links between identities as is exemplified in this guide after creating group.
Another way is to check request from browser's network after you log in:
https://world-sandbox.oftrust.net/api/me
See the id in response
Using the /me endpoint of Login API in Platform of Trust, you can retrieve the identity ID of the user currently logged in to Sandbox.
Sample request in cURL is:
curl -i -X GET \
-H "Authorization: Bearer eyJ0eXAiOiJ...qW1QhdEsJLNGV2YA" \
"https://api-sandbox.oftrust.net/me"
On success, you should get the following response:
HTTP/1.0 200
{
"#context": "https://standards.oftrust.net/v2/Context/Identity/LegalParty/Person/",
"#type": "Person",
"#id": "33237067-14c3-4801-9e50-bf08406406e2",
"email": "user#example.com",
"role": "developer",
"firstName": "Anna",
"lastName": "Bar"
}
You can get your Bearer token (valid for 24 hours) from the Sandbox environment.
You may need to obtain the identity ID for your user when you are building apps in the Platform and creating authorization flow for the intended users.
You can access the API documentation for Platform of Trust Login API here.
Related
Following the authentication guide for Cloud Run here, I wanted to make a service only accessible by authenticated users.
I created a base service, called helloworld (yes, no originality here), and applied the following policy:
gcloud run services add-iam-policy-binding helloworld \
--member="allAuthenticatedUsers" \
--role="roles/run.invoker"
I then tried to invoke it using the gcloud auth print-identity-token ID Token like this:
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" https://helloworld-*****.a.run.app
All good, the service responds with bearer tokens coming from a #gmail.com account and a GSuite one using gcloud.
As a next step, I followed the end-user authentication guide here and:
created web application credentials in the same project as the Cloud Run service above
redeployed the service to absorb the new Client ID configuration
created a simple HTML page with that Client ID and Google Sign-In logic (like this one)
run a local webserver to serve that page and got a new ID Token
attempted to do the same curl with that very token
This time though, the response was a 401 with the following value in the WWW-Authenticate header:
Bearer error="invalid_token" error_description="The access token could not be verified"
This is the response of the https://oauth2.googleapis.com/tokeninfo API:
{
"iss": "accounts.google.com",
"azp": "*****************.apps.googleusercontent.com",
"aud": "*****************.apps.googleusercontent.com",
"sub": "*******",
"email": "theuser#gmail.com",
"email_verified": "true",
"at_hash": "********",
"name": "********",
"picture": "********",
"given_name": "********",
"family_name": "********",
"locale": "en",
"iat": "1581617530",
"exp": "1581621130",
"jti": "6a0dd7561c0d95f7c92fc29a885039fe3f23db16",
"alg": "RS256",
"kid": "d8efea1f66e87bb36c2ea09d837338bdd810353b",
"typ": "JWT"
}
and the azp and aud values are the same Client ID that is defined as a Web Application credential in the project.
I also tried to add the specific user to the service like this:
gcloud run services add-iam-policy-binding helloworld \
--member="user:theuser#gmail.com" \
--role="roles/run.invoker"
Still no luck... What am I doing wrong?
Thanks to wlhee's input about the issue, I redeployed the service and was able to successfully access it with a token generated using the Client ID from the same project.
Is it possible to access the Google Cloud Scheduler API using an API key?
Method: projects.locations.jobs.create
https://cloud.google.com/scheduler/docs/reference/rest/v1/projects.locations.jobs/create
I am trying to create a Job using curl:
curl -X POST \
'https://cloudscheduler.googleapis.com/v1/projects/my-project/locations/nam5/jobs?key=[MyAwesomeAPIKey]' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"name": "test-awesome-job",
"description": "My first job",
"schedule": "45 23 * * 6",
"timeZone": "utc",
"pubsubTarget": {
"topicName": "projects/my-project/topics/topic-name",
"attributes": {
"name": "39ro"
}
}
}'
but it result in a 401 Unauthorized response:
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
The Cloud Scheduler API uses service account credentials as described in https://cloud.google.com/docs/authentication/production. As the API docs state, a limited number of GCP services support API keys and that does not include Cloud Scheduler.
If you are running the code to interact with the Cloud Scheduler API on App Engine, Cloud Functions, or Cloud Run the service account is built-in and all you need to do is grant that service account permission to interact with Cloud Scheduler via IAM.
The docs have some more streamlined information on getting set up with the Cloud Scheduler client libraries.
I get confused watching the API explorer which suggested as possible credentials
Google OAuth 2.0 or API key and from the "Help me choose" tool from Google Cloud API credentials (https://console.cloud.google.com/apis/credentials), which apparently now reports the correct solution:
For your situation you can use Application Default Credentials,
which provide a simple way to access Google APIs from App Engine or Compute Engine.
previously it showed the API keys as a possible option.
Thanks #Grayside for pointing me out!
I am following the below steps to get the subscriptions per application.
curl -X POST -c cookies http://localhost:9763/store/site/blocks/user/login/ajax/login.jag -d 'action=login&username=random&password=random
Now logged in and got the cookie details.
2.curl -b cookies 'http://localhost:9763/store/site/blocks/subscription/subscription-list/ajax/subscription-list.jag?action=getSubscriptionByApplication&app=App1'
Now , I am getting the subscriptions for the application App1 which has subscriber by the user admin not random.
Why this API thorws admin subscription instead of the particular user even though we are posting the request with the use of cookies. Please help.
The following curl request will List all API subscriptions of App1.
Request
.curl -b cookies 'http://localhost:9763/store/site/blocks/subscription/subscription-list/ajax/subscription-list.jag?action=getSubscriptionByApplication&app=App1'
Response
{"error" : false, "apis" : [{"apiName" : "CalculatorAPI", "apiVersion" : "1.0", "apiProvider" : "admin", "description" : "Simple calculator API to perform addition, subtraction, multiplication and division.", "subscribedTier" : "Unlimited", "status" : "PUBLISHED", "subStatus" : "UNBLOCKED"}]}
The response does not have a field for subscribedUsers
Hence I assume what you saw as admin was the apiProvider.
In using Instagram API, when I login with my Instagram ID, my url is like this : 'http://ec2-54-92-53-75.ap-northeast-1.compute.amazonaws.com/instagram_about_token/example/?code=34cde9ac55c047918e4973c9591595cb'
Actually, I set redirect URL as 'http://ec2-54-92-53-75.ap-northeast-1.compute.amazonaws.com/instagram_about_token/example/', so as a result of login, '?code=34cde9ac55c047918e4973c9591595cb' this was added.
Is this an access token of Instagram?? I'm not sure right now because in API console of Instagram, the request is something like this :
"GET /v1/users/self/feed?access_token=1470328514.1fb234f.09a36e85629645fe8115c369202ec012 HTTP/1.1"
As you see, the access token is added like '?access_token=~~~~',
so I want to know whether '?code=~~~' on my website means that I got an access token on my website. Thank you.
The code in URL is not the access token you want, but it is required to get it. The whole process is good described on Instagram Developer Documentation: http://instagram.com/developer/authentication/
Step Three: Request the access_token
In the previous step, you’ll have received a code which you’ll have to
exchange in order to receive an access_token for the user. In order to
make this exchange, you simply have to POST this code, along with some
app identification parameters to our access_token endpoint. Here are
the required parameters:
client_id: your client id
client_secret: your client secret
grant_type: authorization_code is currently the only supported value
redirect_uri: the redirect_uri you used in the authorization request.
Note: this has to be the same value as in the authorization request.
code: the exact code you received during the authorization step.
For example, you could request an access_token like so:
curl \-F 'client_id=CLIENT-ID' \
-F 'client_secret=CLIENT-SECRET' \
-F 'grant_type=authorization_code' \
-F 'redirect_uri=YOUR-REDIRECT-URI' \
-F 'code=CODE' \https://api.instagram.com/oauth/access_token
If successful, this call will return a neatly packaged OAuth Token that
you can use to make authenticated calls to the API. We also include
the user who just authenticated for your convenience:
{
"access_token": "fb2e77d.47a0479900504cb3ab4a1f626d174d2d",
"user": {
"id": "1574083",
"username": "snoopdogg",
"full_name": "Snoop Dogg",
"profile_picture": "http://distillery.s3.amazonaws.com/profiles/profile_1574083_75sq_1295469061.jpg"
} }
I'm trying to fork a repo using the GitHub V3 API via REST, however, I am having issues making a POST request as per the docs (https://developer.github.com/v3/repos/forks/#create-a-fork).
Basically, what I have so far:
A logged-in user with an OAuth Token
A POST request setup to the API (URL: https://api.github.com/repos/carmichaelalonso/infiniteflight/forks/) - I am testing this with hurl.it to begin with.
Headers in the request: one has the name Authorization with the value 'token ...', the other specifies Content-Type with the value application/json
A body with the following JSON: {"organization" : "shortlisthome"} (shortlisthome is the account I am trying to fork the repo to.
I am not intending to fork this to an organization, instead of a standard user account, which is where I am getting confused. When I run the request, I do not get any authentication errors or 404 errors (I previously had but I had been entering incorrect values by mistake, causing such errors).
When I run this request though, I get the following result (a 422 unprocessable request):
{
"message": "Validation Failed",
"documentation_url": "---url-to-docs---",
"errors": [
{
"resource": "Fork",
"code": "invalid",
"field": "organization"
}
]
}
I am unsure whether or not I am able to fork this to a standard user, or if it is an error with my request. Please let me know if I can provide any more info (first post here so a bit unfamiliar with the convention).
Thanks!
In order for shortlisthome to fork the repository you need to authenticate as them. The repository you're trying to fork is public, so all you need to do is obtain a OAuth token for shortlisthome and then make a similar request to the one you're making now. The only difference will be that you do not need to provide the JSON body of {"organization": "shortlisthome"}.
For what it is worth, the optional JSON body is intended for you to use when you are a member of an organization with proper permissions and you want to fork the repository to that organization. You cannot fork a repository to someone else's account unless you are authenticated as them.
I've so far avoided OAuth2, and do not know hurl. Yet, perhaps this can help.
This post shows how it can be done using cURL's -u username flag:
curl -u 'myusername' https://api.github.com/repos/carmichaelalonso/infiniteflight/forks/ -d ''
The -d (or alternatively --data) flag turns it into a POST request.
Without that flag cURL defaults to a GET request, which is not what you want.
Since, the data is part of the URI for this request, send an empty string for the data that must follow the -d param, as such: -d ''.
Of course, using -u will require you to also supply a password..
Here is what GitHub shows using OAuth2 with their API:
OAuth2 Token (sent in a header):
curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com
OAuth2 Token (sent as a parameter):
curl https://api.github.com/?access_token=OAUTH-TOKEN
Read more about OAuth2. Note that OAuth2 tokens can be acquired programmatically, for applications that are not websites.
OAuth2 Key/Secret
curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy'
I suspect that adding -d '' (or some equivalent in hurl),
plus one of the formats above for sending OAuth2 info might get you most of the way there.
I used this command to fork on github enterprise
curl -vX POST https://git.redacted.com/api/v3/repos/<org-to-fork-from>/<repo-to-fork>/forks?access_token=<api-token> -d #gh-fork.json --header "Content-Type: application/json"
gh-fork.json is just
{
"organization": "org-to-fork-to",
"description": "",
"homepage": "https://git.redacted.com",
"private": false
}