I have a Drupal deployed on a Bitnami image containing some content that I use in a mobile application. For that, I set up a REST API to request Drupal and get the data.
Using Postman and the basic_auth credentials, I am able to get my API response properly with no problems.
After that, I deployed Azure API Management and tried to pass the calls to the Drupal API through it. I provided the credentials via an authentication-basic policy; everything worked perfectly for a moment, then suddenly I am now getting a 403 Forbidden.
I still can request the Drupal API directly via POSTMAN using the same credentials with no problems.
Thanks
Actually, when I was creating the API on API Management, I used wrong authentication credentials many times; because of that, Drupal had blocked the API from accessing the data.
I fixed that by doing a TRUNCATE on the flood table of my database.
I am building a private API which provides some data. I have already set CORS to only allow requests from my website, and that works, but there is a problem: a user can make the request with the Chrome console from my website to the API, and that request will succeed since the API has no real way to tell if the request comes from the code I have written.
So my question is: is there any way to tell that? Is there any way to prevent users from making that request from my website to call the API and bypass the CORS?
You need to update your request model so that requests to the API come from the web server itself, rather than from a user's client.
That way you can add authentication to the API and only allow requests that come directly from your web server. The web server can then display those results to your users.
CORS is not a method for checking/enforcing authentication or authorisation. It is purely an additional security control to protect against browser-based security vulnerabilities (XSS, etc.).
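The point made in this answer, as an added example that is not part of the original post: the Origin header that CORS keys on is plain client-supplied text, so an API that trusts it alone accepts any client that presents the right value, while an API that requires a credential issued only to the web server is indifferent to where a browser request claims to come from. Every name, header, origin and the in-memory session table below is constructed for the demonstration; nothing is taken from the asker's system.

```python
"""Added example: an allowed Origin is not authentication; the private API
should be called by the web server with its own credential instead.

All names, headers and the in-memory session table are constructed."""
import hmac
import secrets

ALLOWED_ORIGIN = "https://www.example-site.test"  # constructed sample value


def origin_only_decision(headers: dict) -> int:
    """Weak model: the API trusts the Origin header alone.

    A browser fills in Origin on cross-site requests and CORS decides whether
    the page may read the reply, but the header itself is just text from the
    client, so any client that sets it passes. Returns the HTTP status."""
    return 200 if headers.get("Origin") == ALLOWED_ORIGIN else 403


class PrivateApi:
    """Hardened model: the API accepts only calls carrying a credential that
    was issued to the web server and is never sent to a browser."""

    def __init__(self) -> None:
        # Server-to-server credential; lives in the web server's config only.
        self.server_api_key = secrets.token_urlsafe(32)

    def decision(self, headers: dict) -> int:
        presented = headers.get("X-Api-Key", "")
        # Constant-time comparison so the key check leaks no timing signal.
        if hmac.compare_digest(presented, self.server_api_key):
            return 200
        return 401


class WebServer:
    """The user-facing site: it authenticates the user with its own session
    cookie, then fetches the private data on the user's behalf."""

    def __init__(self, api: PrivateApi) -> None:
        self.api = api
        self.sessions = {}  # session id -> username (constructed store)

    def login(self, username: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid

    def handle_data_request(self, cookies: dict) -> int:
        if cookies.get("session") not in self.sessions:
            return 401  # user is not logged in to the site
        # The browser never sees server_api_key; only this hop carries it.
        return self.api.decision({"X-Api-Key": self.api.server_api_key})
```

With this layout the browser only ever holds a session with the web server; a request typed into the console still has to pass the site's own login check, and the API's credential is never available to it.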
Requirements
I have created a Web API that requires access token from Microsoft Active Directory Application and then uses the access token in a subsequent request to Web API. I am consuming these Web APIs in my PowerApp components. However, I am unable to get the access token internally from Javascript without redirecting the user to the login page. As per my requirements, I have to get the access token and then access my Web APIs, without redirecting the user to login.
Implementation
I am making a POST call to "https://login.microsoftonline.com/{tanent_id}/oauth2/token" from JS and trying to get the access token by using a client secret.
Issue
I am getting the CORS issue whenever I try to reach the login API. I can get the access token from Postman and Internet Explorer, but not from the rest of the browsers (i.e., Chrome, Firefox, Edge).
Can someone suggest a way to avoid the CORS issue and proceed with my Web API calls using the access token? I have already looked at the implicit approach, and it did not work since it also requires redirecting to a URL.
Since the Implicit Grant Flow is not an option for you, and you do need an app-only token, I am afraid you must make the request from a back-end application. You can then get the access token from the back-end application.
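What the back-end side of that answer looks like, as an added example that is not from the original post or from Microsoft's SDKs: a small component that posts the client_credentials grant to the token endpoint named in the question, caches the token, and refreshes it shortly before expiry. The client secret stays on the server; the PowerApp or browser code calls this back end, never the token endpoint. The tenant id, client id, secret and resource URI are placeholders, the transport function is injected so the logic runs offline, and the sample reply shape (access_token plus expires_in as a string of seconds) is the one the v1 /oauth2/token endpoint returns.

```python
"""Added example: app-only token acquisition done server-side, with caching.

tenant_id, client_id, client_secret and resource are placeholders; the fetch
callable is injected so the caching logic can be exercised without a network."""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/token"


def build_token_request(tenant_id: str, client_id: str, client_secret: str,
                        resource: str) -> Tuple[str, bytes]:
    """Return (url, form-encoded body) for a client_credentials request."""
    url = TOKEN_URL.format(tenant_id=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    return url, body


def http_post_form(url: str, body: bytes) -> dict:
    """Real transport: POST the form and parse the JSON reply (needs network)."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


class AppTokenProvider:
    """Holds one cached token and refreshes it `skew` seconds before expiry,
    so API calls are never handed a token that is about to lapse."""

    def __init__(self, tenant_id: str, client_id: str, client_secret: str,
                 resource: str,
                 fetch: Callable[[str, bytes], dict] = http_post_form,
                 clock: Callable[[], float] = time.time, skew: int = 60):
        self._args = (tenant_id, client_id, client_secret, resource)
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.requests_made = 0  # how often the endpoint was actually called

    def get_token(self) -> str:
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            url, body = build_token_request(*self._args)
            reply = self._fetch(url, body)
            if "access_token" not in reply:
                raise RuntimeError(f"token endpoint error: {reply.get('error')}")
            self._token = reply["access_token"]
            # expires_in is a string number of seconds in the v1 endpoint reply
            self._expires_at = self._clock() + int(reply["expires_in"])
            self.requests_made += 1
        return self._token
```

In a deployment the web API would expose its own authenticated endpoint that calls get_token() internally and forwards the downstream request; the secret is read from server configuration and is never part of any response to the browser.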
I have a SPA application that I've developed using Auth0 for my IDP. When developing locally, I set the Auth0 Allowed Web Origins settings to http://localhost:8080 and got everything working.
Now I've deployed my app to Azure as a Web App -- so my app is addressed like so: myapp.azurewebsites.net. I've also included a custom domain so that I can access my app like this: myapp.mydomain.com.
I went into my Auth0 dashboard and updated the Allowed Web Origins to include https://myapp.azurewebsites.net and https://myapp.mydomain.com
However, I can no longer get Auth0 to authenticate. When I make the call to the auth endpoint at Auth0, I get a callback to my signin-oidc endpoint with the error
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
My guess is that I'm not getting the Allowed Web Origins correct. What can I do to get this working again?
You are looking in the wrong direction (just like me :) ). The solution is adding a web.config to your project. Discussed lots of times here before.
Angular2 - page refresh 404ing when hosted in Azure
Error : The resource you are looking for has been removed, had its name changed, or is temporarily unavailable
I currently have an MVC app that's using the Microsoft.Owin.Security.WSFederation package for authentication with Azure's Active Directory. This lets me use the Authorize attribute on my controllers to redirect users to the Microsoft login site.
I now have the requirement to add access to a WebAPI project that will be hosted on a different domain but will use the same AD store.
I've managed to pull together something using the ADAL JS library provided by Azure but this gives the following process:
user visits site and is redirected to Azure login
user logs in and is returned to site
JS code checks for login and redirects to Azure
user is already authenticated so redirects back to site with token
JS picks up token, stores it, and redirects to the original page
So it works, but involves 4 redirects, which seems like a huge overhead.
I thought that there might be some way of pulling a bearer token out of the authorisation credentials returned when the WSFederation succeeds but I can't see anything like that in the data. And, even if I could, I don't know how I'd be able to then refresh the token from the client script. So I strongly suspect I'm doing something fundamentally wrong.
What would be the best process for sharing authentication between the two sites?
I've been trying to integrate my application (Ruby) with a Google Apps Script (published as a Web Application with access level 'only me') on behalf of a Google Apps account for quite some time, but I can't get a handle on it. Maybe I'm missing a key concept here, or that sort of authentication/authorization isn't available when making requests in the background.
The script works fine when I'm logged in to Gmail and access the script endpoint. I can also successfully connect to it using a Sinatra application authenticated with OpenID.
I've already tried to use google-api-ruby-client, but I can't get the authorization scope right (service name). I've also tried clientlogin in gdata-ruby-util, to use Gmail login/password and get an authorization error message when trying to fetch from the script url.
Is it doable? Can anyone point me in the right direction?
Unfortunately, ContentService in Apps Script (which I think you are using to create your webservice) doesn't provide any authentication mechanism. If you are accessing it from a server-side script, you can use a token string which is known by your webservice app and your server to provide a level of security to your publicly accessible webservice.
Here are some similar discussions
How to use Google Apps Script ContentService as a REST server
Google App Script: ContentService web app usage
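The shared-secret check this answer suggests, as an added example written for the calling server in Python; it is not from the answer, from Apps Script or from the asker's project. It goes one step beyond a bare token string: the caller signs the request body together with a timestamp using the shared secret (HMAC-SHA256), so a captured request cannot be replayed after a short window or altered in transit, and the check uses a constant-time comparison. The Apps Script side would recompute the same HMAC in its doPost handler; that half is not shown. The secret value, parameter names, clock and sample body are constructed for the example.

```python
"""Added example: signing and verifying requests to a publicly reachable
web service with a secret shared between the caller and the service.

SHARED_SECRET, the parameter names and the sample body are constructed."""
import hashlib
import hmac
import time
import urllib.parse
from typing import Callable

SHARED_SECRET = b"constructed-shared-secret-change-me"  # stored on both ends
MAX_AGE_SECONDS = 300  # reject requests whose timestamp is outside this window


def _mac(secret: bytes, ts: str, body: bytes) -> str:
    # Bind the timestamp to the body so neither can be swapped independently.
    return hmac.new(secret, ts.encode() + b"." + body, hashlib.sha256).hexdigest()


def sign_request(body: bytes, secret: bytes,
                 clock: Callable[[], float] = time.time) -> dict:
    """Caller side: produce the query parameters to send along with the body."""
    ts = str(int(clock()))
    return {"ts": ts, "sig": _mac(secret, ts, body)}


def signed_url(base_url: str, params: dict) -> str:
    """Append the signature parameters to the published web app URL."""
    return base_url + "?" + urllib.parse.urlencode(params)


def verify_request(body: bytes, params: dict, secret: bytes,
                   clock: Callable[[], float] = time.time) -> bool:
    """Service side: accept only a fresh request whose signature matches.

    Rejects a missing or malformed timestamp, a timestamp outside the
    freshness window (in either direction, to tolerate modest clock skew),
    and any signature that does not match the recomputed one."""
    ts, sig = params.get("ts", ""), params.get("sig", "")
    if not ts.isdigit():
        return False
    if abs(clock() - int(ts)) > MAX_AGE_SECONDS:
        return False
    return hmac.compare_digest(_mac(secret, ts, body), sig)
```

A plain static token, as the answer describes, is the degenerate case of this scheme with no timestamp and no body binding; it still needs the constant-time comparison and should travel only over HTTPS, since anyone who observes it can reuse it.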