I'm setting up the Botium testing framework to run some tests against my Watson-based chatbot, and I'm encountering Error: WATSON_USER capability required. I'm following the tutorial available here: https://chatbotsmagazine.com/10-minutes-codeless-test-automation-for-ibm-watson-chatbots-d71eac9626d7
As part of the error message, it also suggests that I use an API key, but I'm not sure how to get one.
botium-cli emulator --config ./botium.json
Error: WATSON_USER capability required (or use WATSON_APIKEY)
at BotiumConnectorWatson.Validate (/usr/local/lib/node_modules/botium-cli/node_modules/botium-connector-watson/dist/botium-connector-watson-cjs.js:60:55)
at Validate.Validate.then (/usr/local/lib/node_modules/botium-cli/node_modules/botium-core/src/containers/PluginConnectorContainer.js:72:66)
My config looks like:
{
  "botium": {
    "Capabilities": {
      "PROJECTNAME": "****",
      "CONTAINERMODE": "watson",
      "WATSONCONVERSATION_USER": "*****",
      "WATSONCONVERSATION_PASSWORD": "*****",
      "WATSONCONVERSATION_WORKSPACE_ID": "****",
      "WATSONCONVERSATION_USE_INTENT": false
    }
  }
}
The capability names in Botium have changed a while ago, you can find documentation on the valid capabilities for the Botium Watson Connector on Github: https://github.com/codeforequity-at/botium-connector-watson
I updated the article you mentioned with the new capability names. The botium.json should look like this (see article):
The error message most likely refers to you requiring a valid username/password (process has changed).
Your IBM Cloud username/password is not used for this. When you created the Watson Assistant resource, it created default credentials for that resource.
At your Watson Assistant skill, select the menu (instead of going into it) and select "View API details".
You will find the IAM apikey. If you have a much earlier instance, it will have username password.
I am not familiar with Botium, but if it does not have the option to send an API key, then send the username "apikey" and the API key as the password.
I am experimenting with Watson Machine Learning (WML) as I would like to deploy a deep learning model through a web API. I have an issue regarding authentication.
I am following the IBM tutorials and I have an issue with the WML authentication. On the tutorial it is mentioned to provide the following credentials to deploy the model on WML:
wml_credentials = {
    "apikey": "***",
    "url": "https://ibm-watson-ml.mybluemix.net",
    "username": "***",
    "password": "***",
    "instance_id": "***"
}
I fear that the information is outdated. When looking at the WML service credentials on IBM Cloud, I am provided with the following info:
{
  "apikey": "xxx",
  "iam_apikey_description": "xxx",
  "iam_role_crn": "xxx",
  "iam_serviceid_crn": "xxx",
  "instance_id": "xxx",
  "url": "https://us-south.ml.cloud.ibm.com"
}
I get no username and password. Moreover, the url is different from the one provided in the tutorial. I tried to play with the Python script but I get errors, which are difficult to understand given that I have no idea of the structure of WML.
Can anyone provide a functioning script and some good intuition about the mechanism of working with WML. The tutorial is not very informative on what is happening under the hood and that makes it difficult to troubleshoot and get started with...
tutorial link
Thanks
For Cloud if the wml instance is in us-south region, you can use the below.
wml_credentials = {
    "apikey": "",
    "url": "https://us-south.ml.cloud.ibm.com",
    "instance_id": ""
}
The values for apikey, url and instance_id should be used from the wml instance credentials. (instance vcap)
The url differs based on the region where the wml instance has been created.
e.g for us-south it will be https://us-south.ml.cloud.ibm.com
for London it will be https://eu-gb.ml.cloud.ibm.com
My question is on Authentication in Hyperledger Composer.
I created a business network (and on top of that also an angular app but that angular app is not relevant to this question).
I started the rest server with authentication and multi-user mode enabled.
Going to the rest server at localhost:3000, requests were blocked due to missing authentication - as expected.
Before starting the rest server I had run the following command:
export COMPOSER_PROVIDERS='{
  "github": {
    "provider": "github",
    "module": "passport-github",
    "clientID": "<MY CLIENT ID>",
    "clientSecret": "MY CLIENT SECRET",
    "authPath": "/auth/github",
    "callbackURL": "/auth/github/callback",
    "successRedirect": "http://localhost:4200",
    "failureRedirect": "/"
  }
}'
That is, authentication requires GitHub-login. So I went to http://localhost:3000/auth/github and logged into GitHub.
Then I went back to http://localhost:3000/explorer and tried to send a request. I got the following error: "A business network card has not been specified".
I thought this meant that I needed to import the business network card of the current user. The current user was, in this case, the NetworkAdmin that was created automatically when I started the business network using the following command:
composer network start --networkName composer-app --networkVersion 0.0.1 --card PeerAdmin@hlfv1 --networkAdmin admin --networkAdminEnrollSecret adminpw
So I imported the business network card of this NetworkAdmin by selecting the respective file and sending the relevant HTTP request (see screenshot):
After confirming that the card had been imported successfully, I then tried to send a request again.
This time I got the following error message:
"Error trying to ping. Error: 2 UNKNOWN: error executing chaincode: transaction returned with failure: Error: The current identity, with the name 'admin' and the identifier '57e1bd6da04f49b1703d4813d4950c4c5cd6641fce3f805fae2545023fb2f16b', has not been registered"
So I guess I am doing something wrong/misunderstanding something.
Does anybody know what I am doing wrong?
This looks like a problem with the Network Admin card you have imported. When the Identity is Issued (and the Card is created) a one-time secret is created. When the card is used for the first time the secret is exchanged for Certificates/Keys and the one-time secret is invalidated.
I'm guessing that you have imported the .card file which you have then used to start the REST server - so now the secret is invalid. If I'm right, you need to export the card on the command line with composer card export -c admin@<my-network> -f admin-plus-cert.card and import that new .card file into the REST server wallet.
Once you have that card successfully imported, you can go ahead and access the Business Network, and also issue new identities (with new cards, and import those into the REST server too)
I have a scenario where I need to connect Azure Data Factory (v2) to Google BigQuery to move data to my Azure Data Lake, but it doesn't work.
When I create a Linked Service, I choose BigQuery as the source and enter all the information about BigQuery, such as project name, type of connection, etc., but when I click the Validate button a message is shown (for example)...
UserError: ERROR [28000] [Microsoft][BigQuery] (80) Authentication
failed: invalid_grant ERROR [28000] [Microsoft][BigQuery] (80)
Authentication failed: invalid_grant'Type=,Message=ERROR [28000]
[Microsoft][BigQuery] (80) Authentication failed: invalid_grant ERROR
[28000] [Microsoft][BigQuery] (80) Authentication failed:
invalid_grant,Source=,', activityId:
05ff5ce1-5262-4794-853c-c9e39b7f4b71
Any idea? Someone already tested this connector?
Tks.
Peeter Bonomo
The documentation for the ADF connector to BigQuery explains what the parameters mean, but it doesn't give any guidance on how to obtain the values for those parameters.
I spent a couple of days on this and finally got it to work. I used "User Authentication" because I wanted to use a cloud-based IR. The "Client Id" and "Client Secret" can be obtained by creating new credentials in the GCP Console. But to get the "Refresh Token", you have to do the OAuth2 dance with Google and intercept the token.
I put together a PowerShell script to do this for you and wrote up a post on GitHub that walks you through the process of authenticating ADF v2 to Google BigQuery:
https://github.com/AnalyticJeremy/ADF_BigQuery
This is the error you get for any access issues, unfortunately. It's also the error you get when your refresh token has expired, which it always does after 60 minutes. Which is incredibly curious... this, like so many sets of instructions on OAuth2.0 authentication for ADF, never mentions that all this work is to get a code that expires in 60 minutes. Without some method of refreshing it every time you connect, this is worthless. At least the following link mentions this error and that you get it because the token has expired... it's the only blog post (or Microsoft documentation) that bothers to mention this super big issue. https://medium.com/@varunck/data-transfer-from-google-bigquery-to-azure-blob-storage-using-azure-data-factory-adf-80659c078f83
Here's a different method which is what I will be attempting...it uses service account and IR https://www.youtube.com/watch?v=oRqRt7ya_DM
According to https://learn.microsoft.com/en-us/azure/data-factory/connector-google-bigquery, to connect to Google BigQuery via cloud IR, you need to provide the below information:
{
  "name": "GoogleBigQueryLinkedService",
  "properties": {
    "type": "GoogleBigQuery",
    "typeProperties": {
      "project": "<project ID>",
      "additionalProjects": "<additional project IDs>",
      "requestGoogleDriveScope": true,
      "authenticationType": "UserAuthentication",
      "clientId": "<id of the application used to generate the refresh token>",
      "clientSecret": {
        "type": "SecureString",
        "value": "<secret of the application used to generate the refresh token>"
      },
      "refreshToken": {
        "type": "SecureString",
        "value": "<refresh token>"
      }
    }
  }
}
and that the user you use to grant permission to the application should have access to the project you want to query.
Thanks,
Eva
How do I make logins happen via Amazon Cognito REST APIs (for user pools) on platforms for which there is no official SDK? Note that I am asking about user pools, not identity pools.
Synopsis
Amazon cognito provides 3 kinds of logins:
federated logins (creates identity pools) - using social connects like FB, Twitter, G+ etc
AWS managed logins (creates user pools) - using Amazon's own managed signup, signin, forgot password, reset password services
developer provided logins (my custom designed authentication service managed by myself)
I am using the second one (with User Pools)
Amazon cognito has several SDKs for android, iOS, javascript, Xamarin etc. Cognito also provides REST APIs for building on platforms other than those supported by official SDKs. I am building an app for a different platform and, hence, REST API is my only way as there is no official SDK for my platform.
The Cognito REST API provides various endpoints for 'sign up', 'forgot password', 'confirm verification' etc, but surprisingly, the REST API does not have any endpoint for simple signin / login.
From Cognito CLI API docs I have all the OFFICIAL CLI APIs necessary to "signup users", "confirm signups", "change passwords", "verify phone numbers", "forgot passwords" etc. Surprisingly there is no CLI API mentioned for LOGINs. I was hoping there should be some CLI API like "$ aws cognito-idp log-in" just like there is for "$ aws cognito-idp sign-up" or for "$ aws cognito-idp forgot-password" etc.
Also, this getting started tutorial talks about "*what should be done with tokens received AFTER successful authentication of a user*". However, it doesn't talk about HOW TO make the successful authentication happen in the first place with Cognito User Pool APIs. Examples are available only for the Android, iOS and JavaScript SDKs. There are no authentication examples available for platforms which do not have SDKs.
Hence, how do I make logins happen via Amazon Cognito REST APIs (for user pools) on platforms for which there is no official SDK?
This curl command works for me:
curl -X POST --data @aws-auth-data.json \
  -H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
  -H 'Content-Type: application/x-amz-json-1.1' \
  https://cognito-idp.us-east-1.amazonaws.com/
Where aws-auth-data.json is:
{
  "AuthParameters": {
    "USERNAME": "yourusername@example.com",
    "PASSWORD": "yourpassword"
  },
  "AuthFlow": "USER_PASSWORD_AUTH",
  "ClientId": "75........................"
}
The user pool client must allow USER_PASSWORD_AUTH for this to work - that's an AWS-side setting.
Update:
As you pointed out in the comments below, the authentication flow is documented here: http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html. This might help to clarify the authentication flow
It is somewhat counter-intuitive, but it does make sense for mobile apps where you don't want to have the user explicitly sign in, but instead carry tokens around for the user. Note that there is an explicit signin (login) API in the AWS Userpools SDK for iOS. I have not used it, but I suppose it is just an alternate client side API to get through the same InitiateAuth() followed by a RespondToAuthChallenge() flow. The iOS signin example is documented here - IOS SDK Example: Sign in a User
Original Post:
The Cognito User Pools API documentation for initiating auth is available here
The way it works becomes clearer if you implement a user pools application in one of the SDK's (I did one in Swift for iOS, it is clarified because the logging of the JSON responses is verbose and you can kind of see what is going on if you look through the log).
But assuming I understand your question: In summary you should InitiateAuth() and the response to that (from the Cognito User Pools server) is a challenge. Then you do RespondToAuthChallenge() (also documented in that API doc) and the response to that is an authentication result - assuming that the password / session / token were accepted.
The combination of those two things is, I believe, what you are calling LOGIN, and it works like a login. In the API's, the way it is set up is that attempts to get user information when the user is unauthenticated kicks off that InitiateAuth() and (in iOS anyway) the API does a callback to the code you write to ask for passwords, and send a RespondToAuthChallenge() request etc.
Just to add to @andrewjj's answer: you might get back a challenge (NEW_PASSWORD_REQUIRED) as the InitiateAuth response. This happens when you are being asked to change your password on initial sign-in.
You can use Postman or the curl command. This example assumes Postman is being used.
InitiateAuth - this step is the same as @andrewjj's
Add this to Body as raw values
{
  "AuthParameters": {
    "USERNAME": "youremail@example.com",
    "PASSWORD": "temporary-password"
  },
  "AuthFlow": "USER_PASSWORD_AUTH",
  "ClientId": "2s........................"
}
Set headers
X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth
Content-Type: application/x-amz-json-1.1
Send a request to https://cognito-idp.us-east-1.amazonaws.com/ You might have to change region.
If you receive this response then you are OK; otherwise continue with step 2.
{
  "AuthenticationResult": {
    "AccessToken": "eyJra........",
    "ExpiresIn": 3600,
    "IdToken": "eyJra........",
    "RefreshToken": "eyJjd........",
    "TokenType": "Bearer"
  },
  "ChallengeParameters": {}
}
RespondToAuthChallenge - this is new step
In case you receive Challenge back like this one:
{
  "ChallengeName": "NEW_PASSWORD_REQUIRED",
  "ChallengeParameters": {
    "USER_ID_FOR_SRP": "1231-......",
    "requiredAttributes": "[]",
    "userAttributes": "{\"email_verified\":\"true\",\"email\":\"youremail@example.com\"}"
  },
  "Session": "Sfas......"
}
You need to set a new password. Add this to Body as raw values
{
  "ChallengeName": "NEW_PASSWORD_REQUIRED",
  "ChallengeResponses": {
    "USERNAME": "youremail@example.com",
    "NEW_PASSWORD": "newpassword"
  },
  "ClientId": "2s........................",
  "Session": "Sfas......(use one from the InitiateAuth response)"
}
Set headers
X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge
Content-Type: application/x-amz-json-1.1
Send a request to https://cognito-idp.us-east-1.amazonaws.com/ You might have to change region.
Do step 1 again to receive tokens.
Sharing the curl command directly may help someone:
curl -X POST --data @user-data.json \
  -H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
  -H 'Content-Type: application/x-amz-json-1.1' \
  https://cognito-idp.<just-replace-region>.amazonaws.com/
JSON file user-data.json:
{"AuthParameters" : {"USERNAME" : "sadfsf", "PASSWORD" : "password"}, "AuthFlow" : "USER_PASSWORD_AUTH", "ClientId" : "csdfhripnv7sq027kktf75"}
Make sure your app client does not contain an app secret, or create a new app without a secret. Also, inside the app, enable USER_PASSWORD_AUTH.
One of the developers from AWS Cognito team here.
To add to @md-abdul-munim's answer, we recommend using one of the client side SDKs. If you are building a REST API and then a front end which talks to those APIs, it is better to just integrate Cognito from your front end.
If you absolutely need to use Cognito from a back end, the authentication APIs will be available with our GA release. In our Cognito User Pools beta release authentication is only available through client SDKs.
From what you have discussed, I consider you are trying to do that from a web frontend, because Cognito provides you the necessary backend support and expects you to communicate (e.g. authenticate, sign up etc.) from a presentation layer - that's why you found SDKs for different mobile platforms. They also have an SDK for web apps - the access is available via their JavaScript SDK.
Here's a detailed tutorial to achieve what you have asked from a web frontend using their JS SDK-
Accessing Your User Pools using the Amazon Cognito Identity SDK for JavaScript
I have a similar problem and was wondering how to integrate Cognito within an Elixir backend and found this library: https://github.com/aws-beam/aws-elixir
From what I can understand by reading its source code, they ultimately make a POST request that contains the header "X-Amz-Target": "AWSCognitoIdentityProviderService.#{name_of_api_action}" (this is here: https://github.com/aws-beam/aws-elixir/blob/master/lib/aws/cognito_identity_provider.ex#L564). That's without the authorization headers, they are added elsewhere, but I found it interesting. The functions that construct the request URL are following, so you should be able to get an idea of the endpoint that gets called.
I must say I tried following this article written in Japanese - https://qiita.com/yujikawa/items/e79929ed14277102f4b8, and couldn't manage to make it work, maybe because I was not sure what the proper AWS_ENDPOINT environment variable should be. I am currently thinking of trying out the Ruby SDK, from the looks of the documentation it seems fine. But, nonetheless, this information may still help someone.
Thanks @andrewjj, your answer is a big help.
Here is additional info for someone who has trouble with client secret. You don't need to turn it off.
You need to generate a secret hash from the username, clientId and client secret, as follows:
import base64, hashlib, hmac

# username, app_client_id and clientSecret hold your own values
message = bytes(username + app_client_id, 'utf-8')
key = bytes(clientSecret, 'utf-8')
secret_hash = base64.b64encode(hmac.new(key, message, digestmod=hashlib.sha256).digest()).decode()
src: https://aws.amazon.com/premiumsupport/knowledge-center/cognito-unable-to-verify-secret-hash/
Then add the secret hash to your AuthParameters, as follows:
{
  "AuthParameters": {
    "USERNAME": "...",
    "PASSWORD": "...",
    "SECRET_HASH": "..."
  },
  "AuthFlow": "USER_PASSWORD_AUTH",
  "ClientId": "..."
}
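The two-step sign-in from the answers above (InitiateAuth, then RespondToAuthChallenge when NEW_PASSWORD_REQUIRED comes back), combined with the SECRET_HASH calculation, as an added example that is not part of the original posts. The function names, the region argument and the sample responses are assumptions made for illustration; the code only builds the requests and sends nothing.

```python
import base64
import hashlib
import hmac
import json

TARGET_PREFIX = "AWSCognitoIdentityProviderService."


def secret_hash(username, client_id, client_secret):
    """Base64(HMAC-SHA256(key=client secret, msg=username + client id))."""
    digest = hmac.new(client_secret.encode(), (username + client_id).encode(),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_request(region, action, payload):
    """Return (url, headers, body) for one user-pool API call."""
    url = f"https://cognito-idp.{region}.amazonaws.com/"
    headers = {
        "X-Amz-Target": TARGET_PREFIX + action,
        "Content-Type": "application/x-amz-json-1.1",
    }
    return url, headers, json.dumps(payload)


def initiate_auth(region, client_id, username, password, client_secret=None):
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:  # only app clients created with a secret need this
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return build_request(region, "InitiateAuth", {
        "AuthFlow": "USER_PASSWORD_AUTH",
        "ClientId": client_id,
        "AuthParameters": params,
    })


def next_step(response, region, client_id, username, new_password,
              client_secret=None):
    """Decide what follows an InitiateAuth response.

    Returns ("tokens", AuthenticationResult) when sign-in is complete, or
    ("request", (url, headers, body)) carrying the RespondToAuthChallenge call.
    """
    result = response.get("AuthenticationResult")
    if result and result.get("AccessToken"):
        return "tokens", result
    challenge = response.get("ChallengeName")
    if challenge != "NEW_PASSWORD_REQUIRED":
        raise ValueError(f"unhandled challenge: {challenge!r}")
    answers = {"USERNAME": username, "NEW_PASSWORD": new_password}
    if client_secret:
        answers["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return "request", build_request(region, "RespondToAuthChallenge", {
        "ChallengeName": challenge,
        "ClientId": client_id,
        "Session": response["Session"],  # opaque value, echoed back unchanged
        "ChallengeResponses": answers,
    })


# Constructed sample responses shaped like the ones quoted above.
SAMPLE_CHALLENGE = {"ChallengeName": "NEW_PASSWORD_REQUIRED",
                    "ChallengeParameters": {"requiredAttributes": "[]"},
                    "Session": "constructed-session"}
SAMPLE_SUCCESS = {"AuthenticationResult": {"AccessToken": "constructed-token",
                                           "ExpiresIn": 3600,
                                           "TokenType": "Bearer"},
                  "ChallengeParameters": {}}
```

POST each returned (url, headers, body) with any HTTP client. An app client secret belongs only in server-side code, never in an app shipped to users.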
I got "error": {
"errors": [
{
"domain": "usageLimits",
"reason": "dailyLimitExceededUnreg",
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.",
"extendedHelp": "https://code.google.com/apis/console"
}
],
"code": 403,
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup."
}
When I try to fetch the user profile in the Google+ API via the https://www.googleapis.com/plus/v1/people/me URL string. If anyone has any suggestions, please tell me as soon as possible. Thanks in advance for your time.
That message implies that you haven't set up a Google APIs console project.
Create a Google APIs Console project
On the Services pane, enable all of the APIs that your project requires.
On the API Access pane, click Create an OAuth 2.0 client ID. A dialog opens. Fill in your project's information. Click Next
Choose the appropriate application type. Based on the tags you used for this post, I am guessing this is an iOS project so select Installed application.
Enter your bundle ID. You don't need to enter an App Store ID until your app is listed there.
Click Create Client ID.
You will see the client ID and client secret values. You will use these values to enable communication with your project and the Google APIs.
If you aren't already using it, see the Google+ iOS SDK and documentation for a full walk through. The task called "write moments" is similar in implementation and demonstrates how to connect to and use the Google+ REST APIs from within an iOS project that uses the SDK.
You'll need to specify the scope of plus.me to get the profile information.
I got the same error and after much hunting I found that, in my case, the Authorization header with the access token was not set. Set Authorization: "Bearer <YOUR_ACCESS_TOKEN>" in the header of the request of EVERY Google API call.
I just want to add a little information here in the rare case that someone runs into this problem.
I have an organization (ORG). I created a second channel (SC) with some playlists, that referenced videos from ORG.
I made the mistake of assuming that because ORG owned SC, that I could use the same oauth credentials from ORG to access both. I was wrong.
I switched credentials and was confused when I could access the playlists but not the videos. Again, I needed credentials for each one separately to access the resources on the respective channel.
Lame, but that was how it was.
BrettJ's answer will cover most of the bases. However, you will also get this error - even when your credentials are properly authenticated - when the scope is not properly set up. I would check the scope setting in your OAuth dance. Make sure your user is permitted to do the thing your code is trying to help them do.
On top of what BrettJ has mentioned, it is important to send the authorization header for the request done to fetch UserProfile in google+ API.
For example, Add the following header
key: Authorization
value: Bearer ya29.Ci-cA_CywoVdVG#######
For what it's worth, I also got this error when using rclone to sync files and my firewall wasn't configured to allow that traffic.