http://docs.identityserver.io/en/latest/reference/api_resource.html says "An API must have at least one scope."
It seems this restriction is not enforced by IdentityServer4: I have
public static IEnumerable<ApiResource> GetApis(IConfiguration config)
{
return new ApiResource[]
{
new ApiResource("orm", "Our ORM"),
};
}
(without scopes here) and my software does work and seems not to produce any errors. Do I understand correctly that here I have an error but IdentityServer4 just does not diagnose the error?
Moreover, I have
new Client
{
ClientId = "mvc",
ClientName = "MVC Client",
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
ClientSecrets = { new Secret("XXX".Sha256()) },
RedirectUris = { ormClientURL + "/signin-oidc" },
FrontChannelLogoutUri = ormClientURL + "/signout-oidc",
PostLogoutRedirectUris = { ormClientURL + "/signout-callback-oidc" },
AllowOfflineAccess = true,
AllowedScopes = { "openid", "profile", "orm" }
},
and it works despite I have no scope "orm" defined.
Why does it indeed work?
How to fix this properly? (Which clients and scopes should I define?)
It appears that the ApiResource constructor adds a Scope using the name and displayName provided:
public ApiResource(string name, string displayName)
: this(name, displayName, null)
{
}
public ApiResource(string name, string displayName, IEnumerable<string> claimTypes)
{
if (name.IsMissing()) throw new ArgumentNullException(nameof(name));
Name = name;
DisplayName = displayName;
Scopes.Add(new Scope(name, displayName));
if (!claimTypes.IsNullOrEmpty())
{
foreach (var type in claimTypes)
{
UserClaims.Add(type);
}
}
}
https://github.com/IdentityServer/IdentityServer4/blob/master/src/Storage/src/Models/ApiResource.cs
Related
const cc = DataStudioApp.createCommunityConnector();
function getAuthType() {
return cc.newAuthTypeResponse()
.setAuthType(cc.AuthType.USER_TOKEN)
.setHelpUrl('https://api.sigecloud.com.br/swagger/ui/index#/')
.build();
}
function resetAuth() {
var userTokenProperties = PropertiesService.getUserProperties();
userTokenProperties.deleteProperty('dscc.username');
userTokenProperties.deleteProperty('dscc.password');
}
function isAuthValid() {
var userProperties = PropertiesService.getUserProperties();
var userName = userProperties.getProperty('dscc.username');
var token = userProperties.getProperty('dscc.token');
var res = UrlFetchApp.fetch(`https://api.sigecloud.com.br/request/Pedidos/GetTodosPedidos&Authorization-Token${token}&User=${userName}&page=12&App=API APP`, { 'muteHttpExceptions': true });
return res.getResponseCode() == 200;
}
function getConfig() {
}
function getSchema() {
}
function getData() {
}
This is Manifest:
{
"timeZone": "America/Sao_Paulo",
"dependencies": {},
"exceptionLogging": "STACKDRIVER",
"runtimeVersion": "V8",
"dataStudio":{
"name": "Two Dogs Connector with Sige",
"description": "The unofficial conecctor to acess Sige Data",
"company": "Mateus C Rocha",
"logoUrl": "https://images.sympla.com.br/62ea7b9d69ec5.png",
"addOnUrl": "https://twodogs.com/br/quem-somos/",
"supportUrl": "https://twodogs.com/br/quem-somos/"
}
}
This error appears when I add the implementation ID generated when I select the test implementation option, in the google script
My api needs to receive: Page, user(constant value), token(constant value) and App(constant value)...
I don't know how it works, but I was hoping it wouldn't show errors, as I followed the documentation https://developers.google.com/looker-studio/connector/get-started
The following controller should create a user within the local SQL Server database, but when refreshing the dbo.AspNetUsers table, there are no users found. What am I missing here?
UserController.cs
using System.Threading.Tasks;
using backend.Models;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
namespace backend.Controllers
{
[Route("api/[controller]/[action]")]
[ApiController]
public class UserController : Controller
{
private readonly UserManager<AppUser> userManager;
public UserController(UserManager<AppUser> usrMgr)
{
userManager = usrMgr;
}
[HttpPost]
public async Task<IActionResult> Register([FromBody]CreateUserModel model)
{
AppUser user = new AppUser
{
UserName = model.Email,
Email = model.Email
};
var result = await userManager.CreateAsync(user, model.Password);
return CreatedAtAction(nameof(Register), user);
}
}
}
Postman returns the following 201 Created body:
{
"id": "random string of characters here",
"userName": "user#example.com",
"normalizedUserName": null,
"email": "user#example.com",
"normalizedEmail": null,
"emailConfirmed": false,
"passwordHash": null,
"securityStamp": null,
"concurrencyStamp": ""random string of characters here",
"phoneNumber": null,
"phoneNumberConfirmed": false,
"twoFactorEnabled": false,
"lockoutEnd": null,
"lockoutEnabled": false,
"accessFailedCount": 0
}
Solution
After using the answer by Volodymyr Bilyachat, the failed result object passed to Postman revealed that the test password that I was using was too weak. I then knew to add the following password settings to Startup.cs, and to choose a password that would work.
services.Configure<IdentityOptions>(options =>
{
// Password settings.
options.Password.RequireDigit = true;
options.Password.RequireLowercase = true;
options.Password.RequireNonAlphanumeric = true;
options.Password.RequireUppercase = true;
options.Password.RequiredLength = 6;
options.Password.RequiredUniqueChars = 1;
// Lockout settings.
options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5);
options.Lockout.MaxFailedAccessAttempts = 5;
options.Lockout.AllowedForNewUsers = true;
// User settings.
options.User.AllowedUserNameCharacters =
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._#+";
options.User.RequireUniqueEmail = false;
});
You need to check result
var result = await userManager.CreateAsync(user, model.Password);
if (result.Succeeded)
{
return CreatedAtAction(nameof(Register), user);
}
// handle bad request
so it can be that result contains error code.
I am trying to setup a Web API with Swagger and an IdentityServer and can't figure out how to make Swagger works correctly.
My React app is working with the IdentityServer and I managed to get the ui working but when I try to activate authentication, I always get a "insufficient_scope" error.
Here's my config :
Client
public static IEnumerable<Client> Get()
{
return new[]
{
new Client
{
ClientId = "ipassportimplicit",
ClientName = "iPassport (Implicit)",
Flow = Flows.Implicit,
AllowAccessToAllScopes = true,
//redirect = URI of the React application callback page
RedirectUris = new List<string>
{
Constants.iPassportReact + "callback.html"
}
},
new Client
{
ClientId = "swaggerui",
ClientName = "Swagger (Implicit)",
Flow = Flows.Implicit,
AllowAccessTokensViaBrowser = true,
PostLogoutRedirectUris = new List<string>
{
"http://localhost:53633/swagger/"
},
AllowAccessToAllScopes = true,
RedirectUris = new List<string>
{
"http://localhost:53633/swagger/ui/o2c-html"
}
}
};
}
Scope
public static IEnumerable<Scope> Get()
{
return new List<Scope>
{
new Scope
{
Name = "passportmanagement",
DisplayName = "Passport Management",
Description = "Allow the application to manage passports on your behalf.",
Type = ScopeType.Resource
},
new Scope
{
Name = "swagger",
DisplayName = "Swagger UI",
Description = "Display Swagger UI",
Type = ScopeType.Resource
}
};
}
SwaggerConfig
public static void Register(HttpConfiguration config)
{
var thisAssembly = typeof(SwaggerConfig).Assembly;
config
.EnableSwagger(c =>
{
c.SingleApiVersion("v2", "api_iPassport");
c.OAuth2("oauth2")
.Description("OAuth2 Implicit Grant")
.Flow("implicit")
.AuthorizationUrl(Constants.iPassportSTSAuthorizationEndpoint)
.TokenUrl(Constants.iPassportSTSTokenEndpoint)
.Scopes(scopes =>
{
scopes.Add("swagger", "Swagger UI");
});
c.OperationFilter<AssignOAuth2SecurityRequirements>();
})
.EnableSwaggerUi(c =>
{
c.EnableOAuth2Support("swaggerui", "swaggerrealm", "Swagger UI");
});
}
Operation Filter
public class AssignOAuth2SecurityRequirements : IOperationFilter
{
public void Apply(Operation operation, SchemaRegistry schemaRegistry, ApiDescription apiDescription)
{
var actFilters = apiDescription.ActionDescriptor.GetFilterPipeline();
var allowsAnonymous = actFilters.Select(f => f.Instance).OfType<OverrideAuthorizationAttribute>().Any();
if (allowsAnonymous)
return; // must be an anonymous method
//var scopes = apiDescription.ActionDescriptor.GetFilterPipeline()
// .Select(filterInfo => filterInfo.Instance)
// .OfType<AllowAnonymousAttribute>()
// .SelectMany(attr => attr.Roles.Split(','))
// .Distinct();
if (operation.security == null)
operation.security = new List<IDictionary<string, IEnumerable<string>>>();
var oAuthRequirements = new Dictionary<string, IEnumerable<string>>
{
{"oauth2", new List<string> {"swagger"}}
};
operation.security.Add(oAuthRequirements);
}
}
Response Headers
{
"date": "Fri, 12 May 2017 03:37:08 GMT",
"www-authenticate": "Bearer error=\"insufficient_scope\"",
"x-sourcefiles": "=?UTF-8?B?TzpcTG9jYWwgV29ya3NwYWNlXFZTVFMgSUJNXFJlcG9zXFdlYkFQSVxhcGlfaVBhc3Nwb3J0XGFwaV9pUGFzc3BvcnRcYXBpXFVzZXJcR2V0?=",
"server": "Microsoft-IIS/10.0",
"x-powered-by": "ASP.NET",
"content-length": "0",
"content-type": null
}
Anything I can't see? All help appreciated!
Thanks
My problem was in my Startup.cs class of the Web API in which I didn't add the required scope to the
public void ConfigureAuth(IAppBuilder app)
{
var options = new IdentityServerBearerTokenAuthenticationOptions()
{
Authority = Constants.iPassportSTS,
RequiredScopes = new[] { "passportmanagement", "swagger" }
};
app.UseIdentityServerBearerTokenAuthentication(options);
}
We need to update users claims after they log in to our website. This is caused by changes in the users licenses done by another part of our system.
However I am not able to comprehend how to update the claims without logout/login.
Rigth now this is our client setup
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
//user validation host
Authority = UrlConstants.BaseAddress,
//Client that the user is validating against
ClientId = guid,//if not convertet to Gui the compare from the server fails
RedirectUri = UrlConstants.RedirectUrl,
PostLogoutRedirectUri = UrlConstants.RedirectUrl,
ResponseType = "code id_token token",
Scope = "openid profile email roles licens umbraco_api umbracoaccess",
UseTokenLifetime = false,
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = async n =>
{
_logger.Info("ConfigureAuth", "Token valdidated");
var id = n.AuthenticationTicket.Identity;
var nid = new ClaimsIdentity(
id.AuthenticationType,
Constants.ClaimTypes.GivenName,
Constants.ClaimTypes.Role);
// get userinfo data
var uri = new Uri(n.Options.Authority + "/connect/userinfo");
var userInfoClient = new UserInfoClient(uri,n.ProtocolMessage.AccessToken);
var userInfo = await userInfoClient.GetAsync();
userInfo.Claims.ToList().ForEach(ui => nid.AddClaim(new Claim(ui.Item1, ui.Item2)));
var licens = id.FindAll(LicenseScope.Licens);
nid.AddClaims(licens);
// keep the id_token for logout
nid.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
n.AuthenticationTicket = new AuthenticationTicket(
nid,
n.AuthenticationTicket.Properties);
_logger.Info("ConfigureAuth", "AuthenticationTicket created");
},
RedirectToIdentityProvider = async n =>
{
// if signing out, add the id_token_hint
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
{
var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token").Value;
_logger.Debug("ConfigureAuth", "id_token for logout set on request");
_logger.Debug("ConfigureAuth", "Old PostLogoutRedirectUri: {0}", n.ProtocolMessage.PostLogoutRedirectUri.ToString());
n.ProtocolMessage.IdTokenHint = idTokenHint;
var urlReferrer = HttpContext.Current.Request.UrlReferrer.ToString();
if (!urlReferrer.Contains("localhost"))
{
n.ProtocolMessage.PostLogoutRedirectUri = GetRedirectUrl();
}
else
{
n.ProtocolMessage.PostLogoutRedirectUri = urlReferrer;
}
_logger.Debug("ConfigureAuth", string.Format("Setting PostLogoutRedirectUri to: {0}", n.ProtocolMessage.PostLogoutRedirectUri.ToString()));
}
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
{
n.ProtocolMessage.RedirectUri = GetRedirectUrl2();
n.ProtocolMessage.AcrValues = GetCurrentUmbracoId();
_logger.Debug("ConfigureAuth", string.Format("Setting RedirectUri to: {0}", n.ProtocolMessage.RedirectUri.ToString()));
}
},
}
});
We get our custom claims in SecurityTokenValidated
var licens = id.FindAll(LicenseScope.Licens);
nid.AddClaims(licens);
I do not follow how to get this without doing a login? Any help is highly appreciated.
That's a reminder that you should not put claims into tokens that might change during the lifetime of the session.
That said - you can set a new cookie at any point in time.
Reach into the OWIN authentication manager and call the SignIn method. Pass the claims identity that you want to serialize into the cookie.
e.g.
Request.GetOwinContext().Authentication.SignIn(newIdentity);
I've been trying to access or find away to access data from NFL.com, but have not found it yet. There is public documentation on these sites:
https://api.nfl.com/docs/identity/oauth2/index.html
but these docs do not tell you how to get a client id or client secret.
I've also tried:
http://api.fantasy.nfl.com/v2/docs
The documentation says that you need to send an email to fantasy.football#nfl.com to get the app key. I sent an email a while ago and a follow up and I've received no responses.
You can send requests to these API's and they will respond telling you that you have invalid credentials.
Have you had any success with this? Am I doing something wrong? Are these sites out of date?
EDIT: I emailed them on 10/30/2015
While I haven't had any success with api.nfl.com, I am able to get some data from the api.fantasy.nfl.com. You should have read access to all of the /players/* endpoints (e.g. http://api.fantasy.nfl.com/v1/players/stats?statType=seasonStats&season=2010&week=1&format=json). I would think you need an auth token for the league endpoints and the write endpoints.
How long ago did you email them?
EDIT:
I emailed the NFL and this is what they had to say: "We've passed your API request along to our product and strategy teams. NFL.com Fantasy APIs are available on a per-use, case-by- case basis for NFL partners. Our team reviews other requests, but our APIs are typically not available for external usage otherwise."
You can replicate the experience of generating a client JWT token in Nfl.com by opening chrome inspector and going to nfl.com then clearing your application local storage and your network console, refreshing the page and then just watching the responses come across the line and how it issues a token.
I'd argue they probably have a bit of a security gap in how they issue tokens because they sent their clientId and clientSecret to the end user which is later posted back to the server create a JWT, when they should probably have some sort of end point that gens a token and also has some site origin protections, but hey makes consumption of the API a bit easier.
Usage:
using (var client = await WebClientFactory.Create())
{
foreach (var week in all)
{
var url = $"https://api.nfl.com/football/v1/games?season={year}&seasonType=REG&week={week}&withExternalIds=true";
var content = await client.DownloadStringTaskAsync(url);
var obj = JsonConvert.DeserializeObject<SeasonStripV2>(content);
// do so0mething here
}
}
The meat and potatoes:
public class WebClientFactory
{
static WebClientFactory()
{
ServicePointManager.ServerCertificateValidationCallback += (o, c, ch, er) =>
{
Console.WriteLine(er);
// I had some cert troubles you may need to fiddle with this if you get a 405
// if (c.Subject?.Trim() == "CN=clubsweb.san1.nfl.com")
// {
// return true;
// }
Console.WriteLine(c);
return false;
};
}
public static async Task<WebClient> Create()
{
var clientInfo = new
{
clientId = "e535c7c0-817f-4776-8990-56556f8b1928",
clientKey = "4cFUW6DmwJpzT9L7LrG3qRAcABG5s04g",
clientSecret = "CZuvCL49d9OwfGsR",
deviceId = "1259aca6-3793-4391-9dc3-2c4b4c96abc5",
useRefreshToken = false
};
var clientUploadInfo = JsonConvert.SerializeObject(clientInfo);
var webRequest = WebRequest.CreateHttp("https://api.nfl.com/identity/v1/token/client");
webRequest.Accept = "*/*";
webRequest.ContentType = "application/json";
webRequest.Method = WebRequestMethods.Http.Post;
await WriteBody(webRequest, clientUploadInfo);
var result = await GetResult(webRequest);
var tokenWrapper = JsonConvert.DeserializeObject<RootV2>(result);
var client = new WebClient();
client.Headers.Add("Authorization", $"Bearer {tokenWrapper.accessToken}");
return client;
}
private static async Task WriteBody(HttpWebRequest webRequest, string clientUploadInfo)
{
using (var stream = webRequest.GetRequestStream())
{
using (var sw = new StreamWriter(stream))
{
await sw.WriteAsync(clientUploadInfo);
}
}
}
private static async Task<string> GetResult(HttpWebRequest webRequest)
{
using (var response = await webRequest.GetResponseAsync())
{
return await GetResult((HttpWebResponse) response);
}
}
private static async Task<string> GetResult(HttpWebResponse webResponse)
{
using (var stream = webResponse.GetResponseStream())
{
using (StreamReader sr = new StreamReader(stream))
{
return await sr.ReadToEndAsync();
}
}
}
private class RootV2
{
public string accessToken { get; set; }
public int expiresIn { get; set; }
public object refreshToken { get; set; }
}
}
Note you can also getting a token by calling this endpoint:
POST "https://api.nfl.com/v1/reroute"
BODY: "device_id=5cb798ec-82fc-4ba0-8055-35aad432c492&grant_type=client_credentials"
and add these headers:
client.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
client.Headers["X-Domain-Id"] = "100";
Hooks Data provides a real-time API for major US sports including NFL.
1) Get API KEY here: https://www.hooksdata.io/signup?invite=SM4555
2) Subscribe to soccer games:
curl -H "Content-type: application/json" -d '{
"query": "SELECT * FROM NFLGames WHERE away_team.team_name = 'New England Patriots' OR home_team.team_name = 'New England Patriots' AND start_datetime.countdown = 3600"}' 'http://api.hooksdata.io/v1/subscriptions'
DOCS: https://www.hooksdata.io/docs/api/datasources/nflgames/
3) Optional: Add a Webhooks URL where you want to get the data: https://www.hooksdata.io/webhooks
4) Pull the data using fetch endpoint https://www.hooksdata.io/docs/api/api-reference/#query-datasource
5) Get all the data in JSON:
{
"matches_count": 1,
"results": [
{
"_entity_type": "NFLGame",
"_id": "NFLGame_400999173",
"away_score": null,
"away_team": {
"_entity_type": "NFLTeam",
"_id": "NFLTeam_NE",
"acronym": "NE",
"division": "AFC East",
"id": "NFLTeam_NE",
"team_name": "New England Patriots"
},
"game_id": "400999173",
"home_score": null,
"home_team": {
"_entity_type": "NFLTeam",
"_id": "NFLTeam_PHI",
"acronym": "PHI",
"division": "NFC East",
"id": "NFLTeam_PHI",
"team_name": "Philadelphia Eagles"
},
"link": "http://espn.go.com/nfl/game?gameId=400999173",
"start_datetime": null,
"status": "FUTURE"
}
]
}