Watson speech to text authentication - authentication

I am trying to get Transcribe from Microphone working on my server as a starting point.
The code is straightforward but I am having trouble with the token.
On IBM Cloud I created an IAM Service ID with Access Policies
Viewer, Reader 14 Speech to Text service in all resource groups
created an apikey from that
created the token file
curl -k -X POST --output token \
--header "Content-Type: application/x-www-form-urlencoded" \
--header "Accept: application/json" \
--data-urlencode "grant_type=urn:ibm:params:oauth:grant-type:apikey" \
--data-urlencode "apikey={apikey}" \
"https://iam.cloud.ibm.com/identity/token"
The response has 'access_token' but the JavaScript SDK 0.38.1 looks for 'accessToken'.
When I start the microphone I get a socket error 'wss://stream.watsonplatform.net/speech-to-text/api/v1/recognize'
I checked token expiration.
I confirmed it is an auth problem:
curl -X GET "https://stream.watsonplatform.net/speech-to-text/api/v1/models?access_token={accessToken}"
responds "unauthorized"
I have researched and am unsure what to do next. My best guess is I am generating the token improperly.

I would leave the token generation to the code. All the SDKs have an IAMAuthenticator component. The full documentation for Node.js is here. It has a very simple example where you pass in the API key:
import { IamAuthenticator } from 'ibm-cloud-sdk-core';
const authenticator = new IamAuthenticator({
apikey: '{apikey}',
});
Thereafter, you instantiate the service, e.g., STT.


Cognito Service Authentication returns valid JWT but subsequent JWT validations fail

I have a lambda that accepts a username and password and returns a JWT. The code (seen below) basically uses cognito adminInitiateAuth() to use the username and password to get the JWT.
const AWS = require('aws-sdk'); // AWS SDK for JavaScript v2, used by the calls below
let USER_POOL_CLIENT_ID = "6adc4ziG7GCzYmMwhWWVnJySbP";
let USER_POOL_ID = "us-east-1_upxvqiJUP";
AWS.config.update({region: 'us-east-1'});
const cognito = new AWS.CognitoIdentityServiceProvider();
let params = {
AuthFlow: "ADMIN_NO_SRP_AUTH",
ClientId: USER_POOL_CLIENT_ID,
UserPoolId: USER_POOL_ID,
AuthParameters: {
USERNAME: event.username,
PASSWORD: event.password
}
};
//console.log(`${JSON.stringify(params)}`);
const jwtContainer = await cognito.adminInitiateAuth(params).promise();
console.log(`jwtContainer = ${JSON.stringify(jwtContainer)}`);
This seems to work and, in fact, does return a valid JWT with a kid decoded by jwt.io. Whenever I attempt to use the JWT on a different endpoint that is JWT protected (as seen below) I get an error:
curl -v https://myapi.execute-api.us-east-1.amazonaws.com/reset-service-auth-password \
-H 'Accept-Language: en-US,en;q=0.9' \
-X POST \
-d '{"password": "xyz123","confirmPassword": "22221"}' \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Origin: http://localhost:8080" \
-H 'Authorization: Bearer jwtdataxxxxxxxxxxxxxxxx'
But when I execute the above I get this error:
www-authenticate: Bearer scope="aws.cognito.signin.user.admin" error="invalid_token" error_description="unable to find an appropriate key in the JWKS. Ensure a "kid" is provided in the JWT, and that your JWKS has a supported cert available for this ID"
I checked my JWKS and the kid in the JWT is in fact in the JWKS. I am not sure what to do next or what is really wrong.
My authorizer expects the scope aws.cognito.signin.user.admin and my client does not require a secret. Please ask any clarification that you might need to help me with this issue.
I've had the same issue today. I hope you figured it out since then but, just in case, and for others...
I followed the same investigation steps that you did. I was convinced there was something wrong with AWS. There's not.
In my case, the token was generated against our production pool, but a development endpoint leaked in the config, and we were trying to authenticate on a wrong endpoint.
So my guess is that you got something similar: recheck your URLs, there's probably a mismatch between your pool ID and the API you request.
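The pool/endpoint mismatch described in this answer can be checked offline by decoding the token (without verifying it) and comparing its `iss` and `kid` with what the API's authorizer expects. This is an added example, not code from the thread; the pool IDs, key IDs and token are constructed sample values, and `diagnose` is a hypothetical helper name.

```javascript
// Added example: diagnose why a JWT authorizer rejects a Cognito token.
// Pool IDs, kids and the token below are constructed sample values.
const b64url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Decode header and payload WITHOUT verifying the signature (diagnosis only).
function decodeUnverified(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64').toString('utf8'));
  return { header: parse(parts[0]), payload: parse(parts[1]) };
}

// Issuer URL format that Cognito user pools put in the "iss" claim.
const cognitoIssuer = (region, poolId) =>
  `https://cognito-idp.${region}.amazonaws.com/${poolId}`;

// List the reasons an authorizer bound to expectedPoolId would reject the token.
function diagnose(token, region, expectedPoolId, jwks, nowSec) {
  const { header, payload } = decodeUnverified(token);
  const expectedIss = cognitoIssuer(region, expectedPoolId);
  const problems = [];
  if (payload.iss !== expectedIss) {
    problems.push(`iss mismatch: token has ${payload.iss}, API expects ${expectedIss}`);
  }
  if (!header.kid) problems.push('no kid in JWT header');
  else if (!jwks.keys.some((k) => k.kid === header.kid)) {
    problems.push(`kid ${header.kid} not in the expected pool's JWKS`);
  }
  if (typeof payload.exp === 'number' && payload.exp <= nowSec) problems.push('token expired');
  return problems;
}

// Constructed scenario: token minted by the "prod" pool, API wired to "dev".
const PROD_POOL = 'us-east-1_EXAMPLEprod';
const DEV_POOL = 'us-east-1_EXAMPLEdev';
const sampleToken = [
  b64url({ alg: 'RS256', kid: 'prod-key-1' }),
  b64url({ iss: cognitoIssuer('us-east-1', PROD_POOL), exp: 2000000000, token_use: 'access' }),
  'constructed-signature',
].join('.');
const devJwks = { keys: [{ kid: 'dev-key-1', kty: 'RSA' }] };
const prodJwks = { keys: [{ kid: 'prod-key-1', kty: 'RSA' }] };

console.log(diagnose(sampleToken, 'us-east-1', DEV_POOL, devJwks, 1700000000));
```

The JWKS to compare against is the one published under the issuer URL the authorizer is configured with (`<issuer>/.well-known/jwks.json`), not the one of the pool that minted the token.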

Keycloak does not refresh the token

I'm trying to refresh a token but Keycloak returns a 400 Bad Request error with the following message:
{
"error": "invalid_grant",
"error_description": "Invalid refresh token"
}
I successfully get the refresh token in a request like this:
curl --location --request POST 'http://localhost:8080/auth/realms/my_realm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=my_user' \
--data-urlencode 'password=my_password' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=my_client_id' \
--data-urlencode 'client_secret=my_client_secret'
So I get a JWT response with access token and refresh token. Both of them appear to be valid as I load them in jwt.io.
But when I try to use the refresh token I get the previous error. The request is like this:
curl --location --request POST 'http://localhost:8080/auth/realms/my_realm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=my_client_id' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=my_refresh_token' \
--data-urlencode 'client_secret=my_client_secret'
In Keycloak's log there is no clue of what the problem is.
What could be the cause? Or at least, is there a way to get more info on the cause of the error from Keycloak's response or log?
EDIT:
I have implemented a User Storage Provider SPI so it does the authentication against an external DB but it doesn't manage users into Keycloak. Is it needed that the token owner user exists in Keycloak so refreshing the token works?
Thanks.
Finally it was an issue in my User Storage Provider SPI. It was necessary to implement the following method, as Keycloak takes the user ID from the refresh token and looks for the user by that ID:
public UserModel getUserById(String id, RealmModel realm) {
StorageId storageId = new StorageId(id);
String username = storageId.getExternalId();
return getUserByUsername(username, realm);
}

Waste Management API - Authorization: Bearer problem

I'm reading this documentation:
https://api.wm.com/howtotest/#make-an-api-call
And I want to make this test request in Postman:
curl -i https://apitest.wm.com/v1/helloworld \
-H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhbnlvbmVAYW55LmNvbSIsInN1YiI6Ildhc3RlIG1hbmFnZW1lbnQgIHRlYW0iLCJqdGkiOiIwQkQyRTVDQkM2RDE2Mzc0RkNFQSIsInNjb3BlIjpbInNlbGYiLCJoZWxsb3dvcmxkIl0sImlhdCI6MTQ5MDg5ODk1NSwiZXhwIjoxNTIyNDM0OTU1fQ.O2k-senypXFZQwW4Ln3mBg60qzOSo-diPQWVfir3m6Q" \
-H "ClientId: 0BD2E5CBC6D16374FCEA" \
-H "Request-Tracking-Id: 12132"
But I received a response like this:
{
"message": "'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhbnlvbmVAYW55LmNvbSIsInN1YiI6Ildhc3RlIG1hbmFnZW1lbnQgIHRlYW0iLCJqdGkiOiIwQkQyRTVDQkM2RDE2Mzc0RkNFQSIsInNjb3BlIjpbInNlbGYiLCJoZWxsb3dvcmxkIl0sImlhdCI6MTQ5MDg5ODk1NSwiZXhwIjoxNTIyNDM0OTU1fQ.O2k-senypXFZQwW4Ln3mBg60qzOSo-diPQWVfir3m6Q' not a valid key=value pair (missing equal-sign) in Authorization header: 'Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhbnlvbmVAYW55LmNvbSIsInN1YiI6Ildhc3RlIG1hbmFnZW1lbnQgIHRlYW0iLCJqdGkiOiIwQkQyRTVDQkM2RDE2Mzc0RkNFQSIsInNjb3BlIjpbInNlbGYiLCJoZWxsb3dvcmxkIl0sImlhdCI6MTQ5MDg5ODk1NSwiZXhwIjoxNTIyNDM0OTU1fQ.O2k-senypXFZQwW4Ln3mBg60qzOSo-diPQWVfir3m6Q'."
}
This is the example from their official documentation. How can it be that it doesn't work, or did I not do something right?
I think that the error message is potentially misleading. If you are using the test example you need to request a clientid and token from WM per the documentation.
From the documentation:
With a valid access token and clientId, you are ready to make requests to Waste Management API.

Getting "You don't have a required scope to access the endpoint" when inserting script

I'm developing an app, for store fronts and want to get some analytics in checkout. So I want to inject a script in that scope of checkout. When I try to insert it I'm getting "You don't have a required scope to access the endpoint" but I have updated the scopes to checkoutcontent to modify. Not sure what else is wrong
Trying to insert script via an app, getting 403 even though I updated the OAuth scopes to include, Check out content and Checkout
curl --request POST \
--url https://api.bigcommerce.com/stores/{store_hash}/v3/content/scripts \
--header 'accept: application/json' \
--header 'content-type: application/json' \
--header 'x-auth-client: XXXXX' \
--header 'x-auth-token: XXXXX' \
--data '{"name":"Test Scripts Tag","description":"Test Scripts Tag","html":"<script src=\\\"https://Somedestination/Test.js\\\"></script>","src":"https://Somedestination/Test.js","auto_uninstall":true,"load_method":"default","location":"footer","visibility":"checkout","kind":"src"}'
Getting below error, while expecting a status=200
status: 403,You don't have a required scope to access the endpoint
The html field shouldn't be included when using src, could you try removing it?
The only errors I was receiving in testing were due to malformed HTML in the html field with the error code 422. It may also be worth trying to create a new API account to rule out scoping causing this.

What is -u from cURL when adding an authorization header to an http request

I am trying to test one of Mix Panel's API endpoints. I'm using Postman to do this, and in Mix Panel's documentation they use cURL to show you how to make the request. When entering the URL, and the POST data for the request, it works in the sense that it hits the right place, and tells me that I need to be authenticated by adding an authorization header. What I'm confused on is, what should the key be for the header? In their cURL example it's -u API_SECRET, so would the authorization header key be 'username'?
From documentation
# this uses a test project API secret, replace ce08d087255d5ceec741819a57174ce5
# with your own API secret
curl https://mixpanel.com/api/2.0/jql \
-u ce08d087255d5ceec741819a57174ce5: \
--data-urlencode params='{"from_date":"2016-01-01", "to_date": "2016-01-07"}' \
--data-urlencode script='function main(){ return Events(params).groupBy(["name"], mixpanel.reducer.count()) }'
If I wanted to create an AJAX query for example
$.ajax({
method: 'POST',
url: 'https://mixpanel.com/api/2.0/jql',
data: {
'params': '{"from_date":"2016-01-01", "to_date": "2016-01-07"}',
'script': '\'function main(){ return Events(params).groupBy(["name"], mixpanel.reducer.count()) }\''
},
headers: {
<WHAT GOES HERE>: API_SECRET
}
}).then(function success(response){
console.log('SUCCESS');
console.log(response)
}, function error(response){
console.log('There was an error running JQL');
console.log(response.error)
});
In this case, your API_SECRET is the username and there is no password. So using curl -u <API_SECRET>: without any "username" key is correct.
From the mixpanel documentation on an example call https://mixpanel.com/help/reference/data-export-api
Authorization steps
The Data Export API accepts Basic access authentication over HTTPS as an authorization method. To make an authorized request, put your project's API Secret in the "username" field of the Basic access authentication header. Make sure you use HTTPS and not HTTP - our API rejects requests made over HTTP, since this sends your API Secret over the internet in plain text.
Examples
Here's an example of a properly-authenticated request made with cURL:
curl https://mixpanel.com/api/2.0/segmentation/ \
-u YOUR_API_SECRET: \
-d from_date="2016-02-11" -d to_date="2016-02-11" -d event="Viewed Page"
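What `curl -u API_SECRET:` puts on the wire is an `Authorization: Basic ...` header whose value is the base64 of the secret followed by a colon and an empty password. The following is an added example, not code from the thread or from Mixpanel; it runs under Node.js, `API_SECRET` is a constructed placeholder, and the function names are hypothetical.

```javascript
// Added example: what `curl -u API_SECRET:` sends, rebuilt for fetch/AJAX.
// API_SECRET below is a constructed placeholder, not a real secret.
function basicAuthHeader(username, password = '') {
  // RFC 7617: base64("username:password"); the username must not contain ':'.
  if (username.includes(':')) throw new Error('username must not contain ":"');
  return 'Basic ' + Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
}

// Inverse, to inspect a header when debugging: split on the FIRST colon only.
function parseBasicAuthHeader(value) {
  const m = /^Basic ([A-Za-z0-9+/=]+)$/.exec(value);
  if (!m) throw new Error('not a Basic credential');
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i < 0) throw new Error('missing ":" separator');
  return { username: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

// Build the request that mirrors the curl call: form-encoded body plus the header.
function buildJqlRequest(apiSecret, params, script) {
  const body = new URLSearchParams({ params: JSON.stringify(params), script });
  return {
    url: 'https://mixpanel.com/api/2.0/jql',
    options: {
      method: 'POST',
      headers: {
        Authorization: basicAuthHeader(apiSecret),
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body: body.toString(),
    },
  };
}

const API_SECRET = 'EXAMPLE_API_SECRET';
const req = buildJqlRequest(API_SECRET, { from_date: '2016-01-01', to_date: '2016-01-07' },
  'function main(){ return Events(params).groupBy(["name"], mixpanel.reducer.count()) }');
console.log(req.options.headers.Authorization);
```

In a browser, `btoa(secret + ':')` replaces the `Buffer` call, but an API secret placed in browser code is readable by every visitor, so this request belongs on the server side.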