No HD claim in token response - firebase-authentication

Following the docs on how to restrict sign-in to G Suite domains, it says to verify the ID token's 'hd' claim, and the existence thereof.
I have the following specified in my Firebase Auth UI config client side:
    signInOptions: [
      {
        provider: firebase.auth.GoogleAuthProvider.PROVIDER_ID,
        customParameters: { hd: "*" }
      },
      ...
    ],
Which correctly shows the login options for all G Suite domains. But when checking the idToken server side with admin.auth().verifyIdToken(token), the response returned does not include an hd claim. Can someone point me in the right direction here?

Related

Accessing secured FeatureLayer on ArcGIS online with JavaScript API

I am building a web app in a low-code platform (Mendix). I am connecting the web app with ArcGIS Online resources via the ArcGIS JavaScript API v4.19, which all goes pretty smoothly.
The challenge arises when I want to load specific secured ArcGIS Online content via the ArcGIS JavaScript API, specifically from some FeatureLayers which are secured. I looked into the documentation and it seems the best way forward would be a so-called 'application login'. For this I want to set up an OAuth application login based on Client ID and Client Secret. With these two I can get a valid token via OAuth and use that token to access the content by feeding the token to the IdentityManager via the JavaScript API.
This is where it goes wrong currently: I can't seem to figure out where to make it explicit on the ArcGIS Online side that this specific secured FeatureLayer can be accessed via this application login, hence currently I am getting errors that the valid token and app ID don't have access to the resource, being the endpoint of the secured FeatureLayer.
Does anybody know how to associate a secured FeatureLayer in ArcGIS Online with an application login?
EDIT 10-6-2021: Added code sample
After successfully retrieving a valid token on the server side based on client ID and client secret, I use the client ID (=AppID) and token in the ArcGIS JavaScript API like below:
    const token = {
      server: "http://www.arcgis.com",
      userId: "<AppID>",
      token: "<valid token retrieved via OAuth generateToken request>",
      ssl: true,
      expires: 7200
    };
    IdentityManager.registerToken(token);
Only implementing this gives me an error whilst trying to access the secured feature layer:
identity-manager:not-authorized. "You are currently signed in as:
AppID. You do not have access to this resource:
https://server/someid/arcgis/rest/services/somefeatureserver/FeatureServer/0
I also read that sometimes below could be needed so added as well:
    const idString = JSON.stringify(IdentityManager.toJSON());
    console.debug("idString: " + idString);
    IdentityManager.initialize(idString);
This resolves the error but makes a login popup appear again.
The layer is afterwards declared like below:
    const layer = new FeatureLayer({
      // URL to the service
      url: layerObj.layerURLStatic,
      definitionExpression: queryDefinition,
      featureReduction: clusterConfig && { type: "cluster" },
      popupTemplate: {
        title: "{" + inAttributeTitle + "}",
        content: [
          {
            type: "fields", // FieldsContentElement
            fieldInfos
          }
        ],
        actions: [
          {
            title: props.intButtonLabel,
            id: btnId,
            className: props.intButtonClass + intButtonIconClass,
            type: "button"
          }
        ]
      },
      outFields: ["*"]
    });
    webMap.add(layer);
Here is a snippet to generate the token and then register it with IdentityManager:
    // Synchronous AMD require: works in the console once the app has loaded the module
    IdentityManager = require('esri/identity/IdentityManager');
    function login(user, password) {
      var serverInfo = {
        "server": "https://www.arcgis.com",
        "tokenServiceUrl": "https://www.arcgis.com/sharing/generateToken"
      };
      var userInfo = {
        username: user,
        password: password
      };
      // Request a token for the user, then register it so later layer requests use it
      IdentityManager.generateToken(serverInfo, userInfo).then(function (response) {
        response.server = serverInfo.server;
        response.userId = user;
        IdentityManager.registerToken(response);
      });
    }
I'm not sure how you are going to fit this in your app, but the sample should work if you paste it in your developer tools console when the app is running.
Also, it seems to me that the userId property is for the ArcGIS Online username, not for the appId.
As pointed out by Shaked, if you append '?token=[token_value]' in the layer URL you probably don't even need to register the token to query the layer.

Github GraphQL API V4: INSUFFICIENT_SCOPES

When I query GitHub's GraphQL API with the following:
    query RetrievePackagesAssociatedWithRepo($repo: String!, $owner: String!) {
      repository(name: $repo, owner: $owner) {
        packages(packageType: NPM, first: 10) {
          edges {
            node {
              id
              name
              packageType
            }
          }
        }
      }
    }
I received an error stating:
    {
      "errors": [
        {
          "type": "INSUFFICIENT_SCOPES",
          "locations": [
            {
              "line": 6,
              "column": 11
            }
          ],
          "message": "Your token has not been granted the required scopes to execute this query. The 'id' field requires one of the following scopes: ['read:packages'], but your token has only been granted the: ['read:gpg_key', 'read:org', 'read:public_key', 'read:repo_hook', 'repo', 'user'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens."
        },
I followed the link https://github.com/settings/tokens and added the necessary permissions.
I tried authorizing a personal access token for use with SAML single sign-on, but the SSO button to enable it is not present.
Documentation I followed: Creating Personal Token! | Authorizing Personal Token!
After trying out these methods, the same error message persists: "Your token has not been granted the required scopes".
My goal, through Github's API, is to retrieve packages associated with its repository.
Is there something I'm missing?

GCP Endpoint's using multiple authentication

I have the following security schemes defined for a method in my swagger file:
    ...
    get:
      ...
      security:
        - api_key: []
        - firebase: []
    securityDefinitions:
      api_key:
        in: query
        name: key
        type: apiKey
      firebase:
        authorizationUrl: ''
        flow: implicit
        type: oauth2
        x-google-audiences: project-id
        x-google-issuer: https://securetoken.google.com/project-id
        x-google-jwks_uri: https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com
However, it will not work if I try to send a request using an api key, but it will if I use a firebase token (even if I do not provide the api key).
The response:
    {
      "code": 16,
      "message": "JWT validation failed: Missing or invalid credentials",
      "details": [
        {
          "@type": "type.googleapis.com/google.rpc.DebugInfo",
          "stackEntries": [],
          "detail": "auth"
        }
      ]
    }
If I remove firebase from the security definition, then it will work using the api key.
Is it a known issue that an api key security scheme will not work if there is also an oauth2 for the same method?
What happens is that "OR" security requirements are not supported when one of the alternatives is an API key. Therefore, you are experiencing the right behavior.
If you provide both alternatives the API key will be ignored, but if OAuth2 is removed and it only accepts the API key, it works.
According to the same documentation that I attached, you could require both authentication methods using an "AND" condition. Something like this:
    ...
    security:
      - api_key: []
        firebase: []
    ....
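A way to catch the unsupported layout before deploying, as an added example that is not part of the original answer: it walks a parsed OpenAPI 2.0 document and reports every method whose `security` list offers several alternatives (OR) where at least one of them uses an `apiKey` scheme. The function name and the two sample paths are assumptions made for illustration.

```javascript
// Added example: lint a parsed OpenAPI 2.0 (swagger) object for OR-style
// security requirements that include an API key. Sample spec is constructed.
const HTTP_METHODS = new Set(["get", "put", "post", "delete", "options", "head", "patch"]);

function findApiKeyOrAlternatives(spec) {
  const defs = spec.securityDefinitions || {};
  const usesApiKey = (req) =>
    Object.keys(req).some((name) => defs[name] && defs[name].type === "apiKey");
  const findings = [];
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const [method, op] of Object.entries(item || {})) {
      if (!HTTP_METHODS.has(method)) continue; // skip "parameters", "$ref", ...
      // Operation-level security overrides the document-level default.
      const reqs = Array.isArray(op.security) ? op.security : spec.security || [];
      // One list entry = one alternative (OR); keys inside one entry are ANDed.
      if (reqs.length > 1 && reqs.some(usesApiKey)) {
        findings.push({ path, method, alternatives: reqs.map((r) => Object.keys(r)) });
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the two layouts shown above.
const sampleSpec = {
  securityDefinitions: {
    api_key: { type: "apiKey", in: "query", name: "key" },
    firebase: { type: "oauth2", flow: "implicit", authorizationUrl: "" },
  },
  paths: {
    "/or-example": { get: { security: [{ api_key: [] }, { firebase: [] }] } },
    "/and-example": { get: { security: [{ api_key: [], firebase: [] }] } },
  },
};

console.log(JSON.stringify(findApiKeyOrAlternatives(sampleSpec), null, 2));
```

Only `/or-example` is reported; the combined entry on `/and-example` is a single requirement and passes.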

bigCommerce customer api - Customer JWT for sso

In my app (node-bigcommerce-sdk) my customers will need to log in as if they were on the BC store. I am able to verify that the provided email and password are correct. I can't find a method to exchange the user_id and my app credentials for a token that can be used in SSO (described here).
I used the Python SDK before, and the part I want to do now in Node.js is the following:
bc_client = b.api.BigcommerceApi(client_id, store_hash, access_token)
login_token = sdk.customer_login_token.create(bc_client, customer.id)
so far (not working)
    let token = jwt.encode({
      "iss": account.clientId,
      "iat": 123456789,
      "jti": "uid-"+uid,
      "operation": "customer_login",
      "store_hash": account.storeHash,
      "customer_id": uid,
    }, account.secret, 'HS512');
    let sso_url = `${account.entry_url}/login/token/${token}`
example token received
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJja244ZzN5Z3V4MmY0cG14ZWw0M2dqbmJjOTViZ2FrIiwiaWF0IjoxMjM0NTY3ODksImp0aSI6InVpZC0xIiwib3BlcmF0aW9uIjoiY3VzdG9tZXJfbG9naW4iLCJzdG9yZV9oYXNoIjoiMmJpaHByMnd2eiIsImN1c3RvbWVyX2lkIjoiMSJ9.n4lygAJtfqhcrHnGEWle1far-Ee69xrgym-HWFWWwNWXB1-hBziKC03SK_y8PYjLBL_n43Q6K07YH9ysSV5a4g
${account.entry_url}/login/token/${token} results in an error message on the frontend: "Invalid login. Please attempt to log in again."

What causes "Incorrect token audience" using Google authentication tokens with AWS

I'm creating a simple web application that will use Google authentication to return an OpenID token, and then pass that token to AWS using javascript WebIdentityCredentials.
What I have done:
1. Created the Google Project, and saved the OAuth ClientID
2. Created an IAM role using Google IDP, and OAuth ClientID as Audience field.
3. Included both the Google API and AWS API JavaScript in the web page, configured with the above.
4. (Client) Request the ID token from Google using the Google JS API
5. Configure the ID token on a WebIdentityCredentials
6. Retrieve the AWS credentials (using that token)
When retrieving the credentials, I get this error from STS:
    <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
      <Error>
        <Type>Sender</Type>
        <Code>InvalidIdentityToken</Code>
        <Message>Incorrect token audience</Message>
      </Error>
      <RequestId>28d09368-bf98-11e5-b52f-953b4c773ebf</RequestId>
    </ErrorResponse>
Here is the AWS role:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {"Federated": "accounts.google.com"},
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "accounts.google.com:aud": "<my-oauth-client-id>"
            }
          }
        }
      ]
    }
And here is the code I use to configure the token on the AWS context:
    AWS.config.update({
      region: 'us-east-1',
      credentials: new AWS.WebIdentityCredentials({
        RoleArn: 'arn:aws:iam::<my-acct>:role/lab-amp-google-idp',
        WebIdentityToken: token
      })
    });
And here is where I test the credentials by fetching them:
    AWS.config.credentials.get(function(err) {
      if (err) console.log(err);
      else console.log(AWS.config.credentials);
    });
I have validated the ID token using jwt.io and I can see it has the proper expected fields. The "aud" and "azp" properties have the OAuth Client ID. I also double-checked the Trust stanza in the AWS role to confirm it also has the exact same OAuth Client ID in the Condition.
I have passed in other invalid tokens and altered the RoleArn just to see the different errors, which I do.
I cannot find anything on the web describing reasons for "Incorrect token audience" so I'm at a loss for what to try next.
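The same inspection done locally instead of on jwt.io, as an added example that is not part of the original question: it decodes the ID token payload (no signature check) and compares `aud` and `azp`, exactly and case-sensitively, with every `StringEquals` condition the trust policy keys on the provider. The function names, client ID and unsigned sample token are constructed for illustration.

```javascript
// Added example: decode an ID token offline and compare it with a role trust
// policy. Decoding only, no signature verification. Sample values are constructed.
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

function decodeJwtPayload(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return JSON.parse(b64urlDecode(parts[1]));
}

// Collect StringEquals conditions keyed on the provider, e.g. "accounts.google.com:aud".
function providerConditions(trustPolicy, provider) {
  const out = [];
  for (const st of [].concat(trustPolicy.Statement || [])) {
    const eq = (st.Condition && st.Condition.StringEquals) || {};
    for (const [key, value] of Object.entries(eq)) {
      if (key.startsWith(provider + ":")) out.push({ key, values: [].concat(value) });
    }
  }
  return out;
}

function compareAudience(token, trustPolicy, provider = "accounts.google.com") {
  const claims = decodeJwtPayload(token);
  const aud = claims.aud === undefined ? [] : [].concat(claims.aud);
  return {
    iss: claims.iss,
    aud,
    azp: claims.azp,
    expired: typeof claims.exp === "number" && claims.exp * 1000 <= Date.now(),
    conditions: providerConditions(trustPolicy, provider).map((c) => ({
      key: c.key,
      // Exact match: a stray space or a different client ID shows up as false.
      matchesAud: aud.some((a) => c.values.includes(a)),
      matchesAzp: c.values.includes(claims.azp),
    })),
  };
}

// Constructed sample: unsigned token plus a policy shaped like the one above.
const CLIENT_ID = "000000000000-example.apps.googleusercontent.com";
const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [enc({ alg: "RS256" }), enc({ iss: "accounts.google.com",
  aud: CLIENT_ID, azp: CLIENT_ID, exp: 4102444800 }), "sig"].join(".");
const samplePolicy = { Statement: [{ Condition: { StringEquals: {
  "accounts.google.com:aud": CLIENT_ID } } }] };
console.log(compareAudience(sampleToken, samplePolicy));
```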