Get custom user fields in google OAuth - google-oauth

I'm new with the API and I want to get a custom field ScreenConnect form my connection with the OAuth2. I created my project in console.developers.google.com and I have authorized the Admin SDK. In my scope I put https://www.googleapis.com/auth/admin.directory.user.readonly.
But I can't get the variable back. If I try https://www.googleapis.com/admin/directory/v1/customer/my_customer/schemas to retrieve all custom schemas (https://developers.google.com/admin-sdk/directory/v1/guides/manage-schemas). I have the Insufficient Permission: Request had insufficient authentication scopes. But https://www.googleapis.com/admin/directory/v1/users/userKey work fine (https://developers.google.com/admin-sdk/directory/v1/reference/users/get). So the restriction isn't coming from the SDK. I think it's a url error, but I can't understand what's going on.
I solved the error the Insufficient Permission with the scope https://www.googleapis.com/auth/admin.directory.userschema I still can't find out how to get the value of the variable

The scope you are using is not the correct one since it only grants readonly access. In order to have access to what you want to achieve, you should be using this:
https://www.googleapis.com/auth/admin.directory.user;
Moreover, if you want to retrieve the value set for each custom schema for a user, you will have to make the below GET request, where userKey is the user's email address.
https://www.googleapis.com/admin/directory/v1/users/userKey
In addition to this, you also have to set the customFieldMask parameter with the name of your schema name/s and the projection parameter to custom.
Therefore, for a particular user, your request will look something like this:
GET https://www.googleapis.com/admin/directory/v1/users/THE_EMAIL_OF_THE_USER?customFieldMask=NAME_OF_THE_SCHEMA&projection=custom&key=[YOUR_API_KEY]
HTTP/1.1
Authorization: Bearer [YOUR_ACCESS_TOKEN]
Accept: application/json
Reference
Directory API Users:get;

Related

Postman request - how to get data from endpoint based on API documentation

I want to retrieve data from a data warehouse that has a web-based API, I need to use an API key for authentication and use the GET / Customers command to retrieve the list of customers data, but when I am using that same thing in postman, it's returning the same documentation page of the data warehouse?
I am new to this any help will be really appreciated.
The URL doesn't look valid:
You need a base URL, endpoint, http method, authentication scheme, and credential or a token etc.
I don't know details about your system and API, so let's see an example:
base url is https://stackoverflow.com; your current base url is localhost:4444, is your server running on your machine? If so, it might be correct, but I assumer you're talking about a server running somewhere else, not on your computer
endpoint (path parameter) is /questions/69883697, in your case /customers
http method is GET and you find it here in Postman; it also means it will not go into query parameters where you put it:
authentication scheme - your docs mentions an api key that goes into a header called Authorization, so you have to set it in Headers, not as a query parameter:
Read carefully what's on your screen, Postman uses the same language as your API documentation, so if your doc speaks about headers, you need to go into Headers tab in Postman.

Is an authorization header required by the azure storage shared access signature (SAS) REST API

I need to read/write an azure storage table.
The client program is configured to use a shared access signature to read/write remote azure table.
Can anyone give me a good example of how to construct the authorization header in order to use the sas?
I am getting HTTP error code 403.
Microsoft documentation specified that all the rest API will have to be embedded with an authorization header. By default, the documentation suggests that I can use the storage account access key to generate the HMAC-SHA code for the authorization header. I think I am missing something here.
The whole idea of using a shared access signature (SAS) is to protect the storage account access key. At the same time, the doeumentation seems to suggest that the storage account owner needs to provide the account access key so the client can use the access key to generate the HMAC-SHA code. What am I missing here? can anyone shed some light here? Thanks,
If you're using sas_token in the request url, then you don't need to provide Authorization in the header.
How to check which header should be provided? in the related api page -> go to the Request Headers section -> check each header, if the header is required, then it will be described in it's Description. Here is a screenshot for your reference:
Here are the steps to query entities by using sas_token:
1.Generate sas_token from azure portal. You can refer to the screenshot below:
2.Check which header are required, as per query-entities -> request-headers, we know x-ms-date is required(Authorization is not required here since we're using sas_token). You can provide a value for x-ms-date, like Wed, 13 Jan 2021 01:29:31 GMT.
If you don't know how to get the value for x-ms-date header, you can open powershell -> type Get-Date command -> then it will generate the date:
3.Prepare the request url with sas_token, like below:
https://xxx.table.core.windows.net/testtable(PartitionKey='a1',RowKey='r11')?sv=2019-12-12&ss=t&srt=sco&sp=rwdlacu&se=2021-01-13T09:24:58Z&st=2021-01-13T01:24:58Z&spr=https&sig=xxxxx
4.Use some tools like Postman, send the request with proper header. Here is the test result by using Postman:

Twitter GET users/search client_credentials: Your credentials do not allow access to this resource

I have a static list of music artists and i want to get the id or screen_name of each one of them in Twitter.
I found this api endpoint: users/search which allows to run a query on Twitter and get all the accounts that match with the query. For example:
https://api.twitter.com/1.1/users/search.json?q=muse
will return all the accounts that match the query "muse".
I need to call this endpoint in client_credentials flow, i don't need any permission by the user (which is only me in any case). The problem is that Twitter returns the following response when i try to access the endpoint in client_credentials flow:
"message": "Your credentials do not allow access to this resource", "code": 220
I have tested other API endpoints such users/show, statuses/retweets, statuses/user_timeline and they all works in client_credentials, just the one i need doesn't work.
Is there anything i can do about that? Or i must change the OAUth flow?
mentioned error,
"{"errors":[{"message":"Your credentials do not allow access to this resource","code":220}]}"
comes when requesting an end point which requires a user context (such as statuses/home_timeline) using application only token.
You can verify whether or not same error comes for end points like statuses/home_timeline or statuses/retweets_of_me. These end points work only in some twitter user context. The end point that you want, users/search, also requires user context.
I am suspecting some issue in obtaining oauth token and secret. How are you getting authorized tokens for a given twitter user account?

Standard Response of a Login/Sign In API

While making an Login/SignUp RESTful API, should the response contain any other user information e.g. User Profile, Permissions etc?
When I've done this previously the Login returns a token for the new session and possibly the userid. Then I've had other services that I call with this token to get a list of permissions etc. You should make each resource do a single thing, which allows greater flexibility and reuse. Like everything though... this is my opinion on it but there is no right or wrong way to do it.
The REST principle is that when you POST a request to the server, it should respond with a status to indicate success or failure (i.e. 201 created) and a pointer to the new resource just created.
In my comments above the resource being created is the session and the token is the identifier of that resource.

Thinktecture Identityserver elevated login for admin page

I'm creating a site where I want to allow a administrator to log in with a Username Password combination, for his normal administrative tasks. But once he need to do some "dangerous" tasks, I want to make him log in using 2FA (only once), and thus elevate his permissions for the current session.
Does anyone know how to do this, or at least point me in the right direction.
Thx
When you log in you have to request the scope you want, so just make sure that your client has both scopes available but you only ask for the scope you need.
Ex: create an 'admin' scope and a 'dangerous' scope and make both scopes available to your client. On initial login just ask for 'admin' but when they hit the dangerous page, send another login request but ask for both 'admin' and 'dangerous' scope.
Also, if only certain admins can do the dangerous task, make sure to only give those admins the 'dangerous' claim. You can manually put that claim in the UserClaims table, or if you are using MembershipReboot as your database access, use the 'AddClaim()' method on the useraccount object.
Update:
Sorry, this answer is unrelated to two factor authentication, more related to how to add a second scope to the user's token.
Update:
For example, if you are using the 'resource owner' flow, your original login request, with only 'admin' scope, looks like:
POST /ids/connect/token HTTP/1.1
Host: https://mywebsite.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
grant_type=password&username=billybob&password=mypassword&scope=admin&client_id=MyClientId&client_secret=MyClientSecret
Then when you want to get the 'dangerous' scope, do another login the same way but add the 'dangerous' scope to your request (separated by a space), the access token you get back will now have both scopes (admin and dangerous):
POST /ids/connect/token HTTP/1.1
Host: https://mywebsite.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
grant_type=password&username=billybob&password=mypassword&scope=admin dangerous&client_id=MyClientId&client_secret=MyClientSecret