In WSO2 API Manager ,Iam using Token API and trying to generate Access tokens with User Credentials -Password Grant Type. Using SOAP UI to make the Token API requests.Key Manager is default one along with API Manager.
But upon requesting,iam not getting Access tokens.
Instead I get below error.
<am:fault xmlns:am="http://wso2.org/apimanager">
<am:code/>
<am:type>Status report</am:type>
<am:message>Runtime Error</am:message>
<am:description/>
</am:fault>
No exception in the console as well .
Please help in addressing this issue.
Related
I am trying to dynamically create email accounts for users via the CPanel API. According to the documentation here, an access token can be used to call the API endpoints. I have an access token generated already but I keep getting acccess denied. I already tried generating another access token just incase the first one was wrong but Its still the same error.
My curl command is in this format as specified in the docs:
curl -H'Authorization: cpanel username:U7HMR63FHY282DQZ4H5BIH16JLYSO01M' 'https://example.com:2083/execute/Email/add_pop?email=newuser&password=12345luggage'
What could I be doing wrong please ?
I'm using ASP.Net Core 6 to build a secured Web API.
HOW I BUILT IT
dotnet new webapi --auth SingleOrg --aad-instance https://login.microsoftonline.com/ --client-id <CLIENT ID> --domain company.onmicrosoft.com --tenant-id <TENANT ID> --calls-graph true -o GraphTestService
APP REGISTRATION OF WEB API
I added a Scope in the Export API "EmployeeRecord.Read"
APP REGISTRATION FOR CLIENT (Public Client)
Added permission for Graph API (User.Read)
Added permission "EmployeeRecord.Read"
HOW I GET TOKEN USING THE CLIENT
I'm using "InteractiveBrowserCredential".
Everything works fine up until the Web service tries to call Graph API. It throws MsalUIRequiredException.
Understandable, since I did not include any graph API permissions when I requested a token.
FINALLY, THE PROBLEM
When I inspect the Bearer token that's returned, it has the "EmployeeRecord.Read" scope. Ok, that's fine. The Web API authorizes it; but the token doesn't have any permissions for Graph API.
When I add a graph API permission to the scopes, I get
AADSTS28000: Provided value for the input parameter scope is not valid because it contains more than one resource. Scope api://<APP URI ID>/EmployeeRecord.Read https://graph.microsoft.com/User.Read offline_access openid profile is not valid.
If I only include the graph API permission, the Web API returns an Unauthorized error.
WHAT I'VE TRIED
In addition to playing with the scopes, I tried adding my client application to the Web API app registration under the "Expose an API / Add A client Application". This made no difference. No difference in token or errors.
You are trying to add scopes for 2 different resource ,the scope parameter cannot be used to specify permissions for multiple resources similar issue .
we recommend you to use MSAL libarry , MSAL will store tokens for you and refresh whenever token is expired. Just call acquireTokenSilent to get an access token silently, and if you get an error, call acquireToken (see details on error handling here: https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-handling-exceptions#msal-for-ios-and-macos-errors)
for more info please check similar issue
Thanks
I am getting following error while running DataFlow pipeline
Error reporting inventory checksum: code: "Unauthenticated", message: "Request is missing required authentication credential.
Expected OAuth 2 access token, login cookie or other valid authentication credential.
We have created service account dataflow#12345678.iam.gserviceaccount.com with following roles
BigQuery Data Editor
Cloud KMS CryptoKey Decrypter
Dataflow Worker
Logs Writer
Monitoring Metric Writer
Pub/Sub Subscriber
Pub/Sub Viewer
Storage Object Creator
And in our python code we are using import google.auth
Any idea what am I missing here ?
I do not believe I need to create key for SA , however I am not sure if "OAuth 2 access token" for SA need to be created ? If yes how ?
This was the issue in my case https://cloud.google.com/dataflow/docs/guides/common-errors#lookup-policies
If you are trying to access a service through HTTP, with a custom request (not using a client library), you can obtain a OAuth2 token for that service account using the metadata server of the worker VM. See this example for Cloud Run, you can use the same code snippet in Dataflow to get a token and use it with your custom HTTP request:
https://cloud.google.com/run/docs/authenticating/service-to-service#acquire-token
I need to use the MS Graph API to retrieve calendar data for Office365 resources. We need to do this in a server app, so prior consent is needed. I created an app registration in the Azure Portal that provides API permissions for Calendars.read, Calendars.read.shared, Users.Read.All, among other permissions. Admin permission has been granted for all. A client secret was created to support token issue.
I am successful in obtaining a token, but when I use the token to read a resource calendar (or even my calendar,)
I receive the following error:
"code": "NoPermissionsInAccessToken",
"message": "The token contains no permissions, or permissions can not be understood."
URL for GET request is something similar to the following:
https://graph.microsoft.com/v1.0/users/conferenceroom1#contoso.com/calendar
What's the proper to set up a registration and use keys/secrets to read graph api data for resource mailbox calendar events?
It seems that you granted delegated permissions, but you need the application permissions. Remember to grant admin consent after adding the permissions.
You can decode your token to check if you have the correct permissions by using https://jwt.io/
I use a Google service account to access users of an organization using directory API and then use drive API to perform certain file operations on users.
It works fine for few users and for others, the drive API call is returning the following error when trying to list the user's files (For that matter any drive API call on that user is returning the same error).
https://www.googleapis.com/drive/v2/files?alt=json&maxResults=1000 returned "Invalid Credentials">
Quoting from this this documentation about 401 error,
"Invalid authorization header. The access token you're using is either expired or invalid. Suggested action: Refresh the access token using the long-lived refresh token."
I have a valid access token which is not expired. And the user for which this error message seen is not suspended either.
Are there any other reasons as to why Google sends this error?