I am implementing Vault for my team to use and store secrets, and we wanted to keep it simple so we decided to go with the default token authentication.
The thing is I can't find a way to manage tokens that were created, so that if I want to revoke a certain person's token, I know exactly which one to revoke.
Does anyone know how to manage tokens in Vault?
You cannot list the tokens because tokens are sensitive information.
You can list token accessors (API docs)
which will give you a value like this 476ea048-ded5-4d07-eeea-938c6b4e43ec which is safe to share - think of it as a pointer to the token.
Then you can lookup the token accessor (API docs) and get a response like this
{
"data": {
"accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
"creation_time": 1523979354,
"creation_ttl": 2764800,
"display_name": "ldap2-tesla",
"entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
"expire_time": "2018-05-19T11:35:54.466476215-04:00",
"explicit_max_ttl": 0,
"id": "",
"identity_policies": ["dev-group-policy"],
"issue_time": "2018-04-17T11:35:54.466476078-04:00",
"meta": {
"username": "tesla"
},
"num_uses": 0,
"orphan": true,
"path": "auth/ldap2/login/tesla",
"policies": ["default", "testgroup2-policy"],
"renewable": true,
"ttl": 2763902
}
}
which will probably help you figure out if the tokens requires revoking or not.
Related
So I know there's several SDK packages for many languages available for nHost, however I need to create my own interface to the system since the language I'll be using isn't typical.
I basically just need to know how to interact with authentication endpoints, send a users un/pw and recieve a JWT token. I've been successfully able to do this with aws Cognito, but I'd like to explore this instead.
I'm also not sure if I'm using the right base url, here's my thought so far:
https://kbvlufgpikkxbfkzkbeg.nhost.run/auth/login
So I would POST to there with some json in the body with the un/pw stuff, and the response should be the jwt token right?
I get a "resource does not exist" response from the above, however, so obviously I'm not forming the url correctly in the first place.
Thanks for the help!
Nhost supports multiple sign-on methods.
For example, using the email+password method, you would send:
POST https://xxxxxxxxxxxxx.nhost.run/v1/auth/signin/email-password
{"email":"foo#example.com","password":"bar"}
and the response:
{
"session": {
"accessToken": "somejwt....",
"accessTokenExpiresIn": 900,
"refreshToken": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"user": {
"id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"createdAt": "2022-09-17T19:13:15.440221+00:00",
"displayName": "foo#example.com",
"avatarUrl": "",
"locale": "en",
"email": "foo#example.com",
"isAnonymous": false,
"defaultRole": "user",
"metadata": {},
"emailVerified": true,
"phoneNumber": null,
"phoneNumberVerified": false,
"activeMfaType": null,
"roles": [
"user",
"me"
]
}
},
"mfa": null
}
The JWT is short-term, when it expires, the refresh token is used to get a new one.
The Nhost JavaScript SDK handles it automatically for you, that's a big benefit to the platform (in addition to being integrated with Hasura). If you are trying to port it to another unsupported language, you'd have to reimplement it. Probably by reading the library and/or running one of their sample client application and reverse-engineering the HTTP over the wire.
For my React Native app I am using Parse JS SDK and hosted Parse Server on Back4app.
When I try to register a new user, the user is not authenticated because the response does not return a sessionToken.
However, once the user is in the db and signs in a sessionToken is returned and the user is authenticated successfully.
Request
The request is the same for sign in/up.
await Parse.User.logInWith('google', {
// auth data received from #react-native-community/google-signin
authData: {
id,
id_token: token
}
})
Response on initial Sign Up
The response is supposed to return a sessionToken which is missing. So the user is not authenticated and modifications on the user object are not possible.
{
"authData": {...},
"createdAt": "...",
"objectId": "...",
"updatedAt": "...",
"username": "..."
}
Response on sign in after user was created
{
"ACL": {...},
"authData": {...},
"createdAt": "...",
"objectId": "...",
"sessionToken": "...",
"updatedAt": "...",
"username": "..."
}
I don't use any cloud code. Just a simple auth flow with Google oAuth.
Any help is highly appreciated.
Edit: same issue for 'sign in with Apple'
As far as I know, according to the Official Documentation, Parse will respond 200 (HTTP OK) and include the Session Token only when it verifies the user is already associated with the OAuth authentication data.
So, again, as far as I know, the very first request when you create the user, will not contain the sessionToken.
Take a look to this tutorial https://www.thinkertwin.com/how-to-setup-google-oauth2-login-with-parse-server-in-react/
Here there is an explanation on how to setup your Cloud Code. It's for React, but with small adjustments it will work for React Native.
You also need Cloud Code as you need to store your Client ID and Secret. You don't want to have those on your public application
We are trying to update details information for serveral Venues in behalf of our clients/users by using Foursquare API.
It works pretty well for most of the clients, and we are using their own personal oauth credentials most of the time.
BTW, we have a lot of problems with some clients/accounts, because we are getting this error when trying to update the venues:
{
"meta": {
"code": 403,
"errorType": "not_authorized",
"errorDetail": "User not authorized to edit venue",
"requestId": "59bba14e351e3d0e31fcf9f1"
},
"notifications": [
{
"type": "notificationTray",
"item": {
"unreadCount": 0
}
}
],
"response": {}
We’ve checked the API limits and everything it’s correct. We’ve also checked the account Oauth token several times and it’s correct. Even we are using the 'venues/managed’ endpoint to ensure that the given Oauth credential can manage the given Venue and everything looks fine.
Any idea about what's happening?
I can request a token for a user by visiting the following url:
https://trello.com/1/connect?key=<key>&name=appName&response_type=token&scope=read,write&expiration=never
However, when I request the token's info through the API, I get a response that looks like this:
{
"id": "...",
"identifier": "appName",
"idMember": "...",
"dateCreated": "2015-10-15T05:21:19.886Z",
"dateExpires": null,
"permissions": [
{
"idModel": "*",
"modelType": "Board",
"read": true,
"write": true
},
{
"idModel": "*",
"modelType": "Organization",
"read": true,
"write": true
}
]
}
I'd like to be able to request a token only grant privileges to a specific organization. But I can't seem to find clear documentation on what kinds of options the /1/connect endpoint accepts, or what other method I can use to obtain a token for a specific organization that does not expire.
I could make a machine user with access only to the organization, but it would be a shame to pay for another user account when I only want a subset of the permissions I already have.
I don't think that would be possible as you just authenticate against the API as that user and therefore have the ability to see everything that user can. The only way I'm aware of would be (as you suggested) to create a new user and limit what they can see.
I don't know if I'm really confused or missing something but I can't find my Etsy API key anywhere.
I have created a new application but all it comes up with is KEYSTRING and Share secret.
I have tried to used the KEYSTRING value in
https://openapi.etsy.com/v2/users/etsystore?api_key=YOUR_API
but comes up with the wrong user or nothing at all.
Am I looking in the wrong place as Im starting to pull my hair out
Matt
Just follow the link: https://www.etsy.com/developers/register
Fill fields and create new App.
Profit! After that you'll see API key.
It worked for me by using just the "Keystring" value that i received while creating the app. The url looks like this -
https://openapi.etsy.com/v2/users/etsystore?api_key=my_keystring_value
and the response that I got was -
{
"count": 1,
"results": [
{
"user_id": xxxxxx,
"login_name": "EtsyStore",
"creation_tsz": 1282269739,
"user_pub_key": {
"key": "-----BEGIN PUBLIC KEY-----xxxx-----END PUBLIC KEY-----",
"key_id": 21832645947
},
"referred_by_user_id": null,
"feedback_info": {
"count": 3063,
"score": 100
}
}
],
"params": {
"user_id": "etsystore"
},
"type": "User",
"pagination": {}
}
I guess it could be some temporary issue.
Please make sure that the call you are using does not require an OAuth verification.
If the call does not require the Oauth verification, the KEYSTRING will be acting as the application key and can be passed with the URL for the results.