I'm trying to create a new client in my springboot realm through the keycloak REST API using postman, but I'm getting an unknown error as the response.
The URL in post method is
localhost:8180/auth/admin/realms/springboot/clients
The header includes
content-type - application/json
authorization - bearer <access token...>
The json body is
{
"id":"1",
"clientId":"zzzzz",
"name":"aaaaa",
"description":"bbbbb",
"redirectUris":[ "\\" ],
"enabled":"true"
}
The response I'm getting is 403 : unknown error.
I obtained the same error because the client had not the necessary role.
Go to Clients -> {your-client-name}
Select the 'Service Account Roles' tab
Add the necessary role. (In my case I needed the admin role)
Related
I would like to ask how to properly setup the authentication for Portainer CE v2.9.3 using OAuth2 with Azure AD.
The following fields in the Custom OAuth2 UI needs to be filled:
Client ID
Client secret
Authorization URL
Access token URL
Resource URL
Redirect URL
Logout URL
User identifier
Scopes
Currently, I use the following values:
Client ID: <tentant id>
Client secret: <created secret for the app in Azure AD>
Authorization URL: https://login.microsoftonline.com/``/oauth2/v2.0/authorize
Access token URL: https://login.microsoftonline.com/``/oauth2/v2.0/token
Resource URL: https://graph.microsoft.com/oidc/userinfo
Redirect URL: <our internal URL for the Portainer deployment>
Logout URL: <our internal URL for the Portainer deployment>
User identifier: email
Scopes: <Application ID URI>
When using these values, I get the following error:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure. Invalid audience.",
"innerError": {
"date": <some date>,
"request-id": <some request id>,
"client-request-id": <some client request id>
}
}
}
I need to use Portainer CE with the Customer OAuth Provider.
Thank you for any usefull advice.
Possible causes of Audience invalid error and workarounds
Client ID must be either the ApplicationId or ApplicationIdUri
depending on the app configuration.(not tenant Id)
Note :first try clientId:<Application Id> and if that is giving the
same error , change clientId to ApplicationIdUri i.e; clientId:api://<Application Id>
Scope is something that you see under add a scope blade .
When you click on add a scope ,you can mention any permission and it appears as a scope like below:
This scope must be in scopes value
Make sure to grant admin consent if required if app registration has permissions.
Example:
Another is the end point from which you are getting the token maybe different . Try to decode access token in https://jwt.io and see “ISS” value has v2 endpoint .If it has V2 endpoint,
in azure Active directory, Go to Manifest and change “accessTokenAcceptedVersion”:2 .Also check that Audience value i.e; “AUD” must match the client Id .The audience invalid occurs if they doesn’t match.
Reference
GET /imfpush/v1/apps HTTP/1.1
Host: mobilefoundation-3b-mf-server.mybluemix.net
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImp....
Content-Type: application/json
another type of invocation
curl -X GET -H "Authorization: Bearer eyJhbGciOiJSUzI1N...." "https://mobilefoundation-3b-mf-server.mybluemix.net/imfpush/v1/apps"
Error 502: Failed to make token request, reason: Unsuccessful request to Authorization Server, server responded with status code: 400 and body : {"errorCode":"invalid_client"}, check the Authorization URL: http://localhost:8080/mfp/api/az/v1/token
TL;DR: right now looks like there is a bug in the /imfpush/v1/apps endpoint where it does not filter the applications by the vendor (APNS, GCM, WNS), so you can only get a list of all applications instead...
Note however that it all depends on your end goal. You can accomplish this by code or by using tools such as curl or Postman, Swagger etc... it all depends on what you want to achieve.
Here are 3 ways:
In the local development server - not available in Mobile Foundation service on Bluemix, you can use this URL to see the REST endpoints exposed in Swagger. You can then view push-enabled applications with this one: http://localhost:9080/doc/?url=/imfpush/v1/swagger.json#!/Applications/getAllApplications
First, in MobileFirst Operations Console > Runtime Settings > Confidential clients:
Add (just an example, choose your own) a new user client (id: user, secret: user)
Add the apps.read and push.application.* scopes
Be sure to click on the knob and add the apps.read and push.applications.* scopes.
You will also be asked to authorize. Use the username and password for the user confidential client that you previously created.
Using the /imfpush service, as described below.
Using the mfpadmin service, as described below.
In my examples I will use Postman.
In MobileFirst Operations Console > Runtime Settings > Confidential clients:
Added (just an example, choose your own) a new user client (id: user, secret: user)
Added the apps.read and push.application.* scopes
Obtained an access token by making a POST request to http://localhost:9080/mfp/api/az/v1/token with:
Authorization tab:
Type: Basic Auth
user: user
password: user
Body tab:
x-www—form-urlencoded
grant_code: client_credentials
scope: apps.read push.application.*
Obtained the list of applications by making a GET request to http://localhost:9080/imfpush/v1/apps with:
Headers tab:
Authorization: Bearer the-access-token-from-step-2
To filter the list by platform, the URL should change to the following, like the example in the API documentation: http://localhost:9080/imfpush/v1/apps/?expand=true&filter=platform==A&offset=0&size=10 But since this does not work right now... use: http://localhost:9080/imfpush/v1/apps/
Of course, you need to change localhost to your server's host.
To only obtain a list of all applications, it'd be faster to use the mfpadmin service applications endpoint. Using Postman:
Created a new GET request to http://localhost:9080/mfpadmin/management-apis/2.0/runtimes/mfp/applications
You can change the domain to yours.
In the Authorization tab, I have set the following:
Type: Basic Auth
Username and Password: your username and password (to the console)
In return I have received a list of registered applications.
Attempting to sign in (and enter a session) using user credentials in an Angular app using the Backand SDK. From the Backand docs I am attempting to sign in using the Backand.signin() method (from my local) which looks to be initially sending an OPTIONS http request to the API which unfortunately is causing this cross origin error:
XMLHttpRequest cannot load https://api.backand.com/token. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:xxxx' is therefore not allowed access. The response had HTTP status code 400.
The exact response from the endpoint is: {"error":"unsupported_grant_type"}
I've combed through the documentation extensively but can't find anyone else having these errors.
This is exact code I am using:
function Login(username, password, callback) {
Backand.signin(username, password).then(function(response){
console.log(response);
}, function(error){
console.log(error);
});
}
The error is logged to the console as a null object.
It looks like the error was in fact on my end.
While attempting to set up my own Authorization service in my Angular app I inadvertently was adding an encoded Authorization token header somehow. When the requests were being made to Backand from the Backand SDK, the headers were not correctly set and thus causing issues.
I am using the PayPal REST API for the first time and trying to get an authentication token but keep getting an "Invalid credentials error".
I am following Step 2 in the documentation found here:
https://developer.paypal.com/webapps/developer/docs/integration/direct/make-your-first-call/
I am using the Chrome extension "Advanced rest client"
Here are the values entered in the rest client:
Header:
content-type:application/x-www-form-urlencoded
Accept:application/json
Form data
grant_type:client_credentials
clientId:ASF6RRBP0uTq7FnC90tpFx7vfA-Pliw8uQDjv5RZ10Y_NVspuc88pUPLN6yM
secret: EAdx7BDKzWczDomYG2QDHu8jhaAXj4xDZLHadvL5aRfesjwo5c81zbSpRxuE
When I send the request I get the following error:
{
error: "invalid_client"
error_description: "Invalid client credentials"
}
Can anyone help me to figure what I am doing wrong here?
Form data should only contain
grant_type=client_credentials
and then add header
Authorization: Basic put base64of(clientid:secret)here
don't pass client id and secret in form data.
im trying to test the Survey Monkey api via the online test console but keep getting the following error:
https://developer.surveymonkey.com/io-docs (link)
It's asking me to enter the Authorisation:
Content-Type:
Authorization: bearer %s <--- not sure where to get this from? (Access token)
api_key:
JSON:
and so im getting a "errmsg": "Invalid \"Authorization\" data in request header"
Is this generated elsewhere.. or am i missing something
You get the access token when you perform OAuth - select the app from your existing client credentials, hit Authorize, log into your SurveyMonkey account, and it should auto-populate the 'Access Token' field. Then copy this into the Authorization header in the form "bearer (access token)" (without the quotes or parentheses).
Cheers,
Miles
The authorization header works for me with bearer XXXYYYZZ. Doc here: https://developer.surveymonkey.com/mashery/requests_responses