I'm creating a simple web application that will use Google authentication to return an OpenID token, and then pass that token to AWS using javascript WebIdentityCredentials.
What I have done:
Created the Google Project, and saved the OAuth ClientID
Created an IAM role using Google IDP, and OAuth ClientID as Audience field.
Include both Google API and AWS API javascript in web page configured with above.
(Client) Request the id token from Google using the google js api
Configure the id token on an WebIdentityCredentials
Retrieve the AWS credentials (using that token)
When retrieving the credentials, I get this error from STS:
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>InvalidIdentityToken</Code>
<Message>Incorrect token audience</Message>
</Error>
<RequestId>28d09368-bf98-11e5-b52f-953b4c773ebf</RequestId>
</ErrorResponse>
Here is the AWS role:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"Federated": "accounts.google.com"},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"accounts.google.com:aud": "<my-oauth-client-id>"
}
}
}
]
}
And here is the code I use to configure the token on the AWS context:
AWS.config.update({
region: 'us-east-1',
credentials: new AWS.WebIdentityCredentials({
RoleArn: 'arn:aws:iam::<my-acct>:role/lab-amp-google-idp',
WebIdentityToken : token
})
});
And here is where I test the credentials by fetching them:
AWS.config.credentials.get(function(err) {
if (err) console.log(err);
else console.log(AWS.config.credentials);
});
I have validated the id token using jwt.io and I can see it has the proper expected fields. The "aud" and "azp" properties have the OAuth Client ID. I also double checked the Trust stansza in the AWS role to confirm it also has the exact same OAuth Client ID in the Condition.
I have passed in other invalid tokens and altered the RoleArn just to see the different errors, which I do.
I cannot find anything on the web describing reasons for "Incorrect token audience" so I'm at a loss for what to try next.
Related
I am trying to use Nodemailer in express server with Oauth from Office 365 but I am getting Can't create new access token for user and {"code": "EAUTH", "command": "AUTH XOAUTH2" error. It seems like nodemailer is unable to obtain either the access token and refresh token and the user is not being authenticated to send mails.
const transporter = nodemailer.createTransport({
host: "smtp.office365.com",
port: 587,
secure: false,
tls: {
ciphers: "SSLv3"
},
requireTLS: true,
auth: {
type: "OAuth2",
user: process.env.SENDER_EMAIL,
clientId: "CLIENT_ID",
clientSecret: "CLEINT_SECRET",
accessUrl: "https://login.microsoftonline.com/SOMETHING_SECRET_HERE/oauth2/v2.0/authorize"
// pass: process.env.SENDER_PASSWORD
}
});
I am not familiar with OAuth 2.0 with Office 365 to begin with so there could be some configurations error etc. The nodemailer works fine if I use my account credentials though. Can someone please suggest me something to try out or let me know if my config is wrong.
Please note that, accessUrl is an endpoint for requesting new access token.
As you have passed Authorization endpoint, please try changing it to OAuth 2.0 token endpoint (v2).
You can find this endpoint value in the Portal like below:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App
Alternatively, you can make use of Microsoft Graph API to send the mails like below:
Make sure to have Mail.Send permission consented before using the below query:
POST https://graph.microsoft.com/v1.0/me/sendMail
{
"message": {
"subject": "Regarding leave approval",
"body": {
"contentType": "Text",
"content": "Please approve my leave request."
},
"toRecipients": [
{
"emailAddress": {
"address": "XXXXX"
}
}
],
"ccRecipients": [
{
"emailAddress": {
"address": "XXXXX"
}
}
]
},
"saveToSentItems": "false"
}
Response:
The mail was successfully triggered like below:
For more in detail, please refer the below links:
Send mail - Microsoft Graph v1.0 | Microsoft Docs
Modern Oauth2 authentication for sending mails using Nodemailer nodejs by Sivaprakash-MSFT
When I query GitHub's GraphQL API with the following:
query RetrievePackagesAssociatedWithRepo($repo: String!, $owner: String!) {
repository(name: $repo, owner: $owner) {
packages(packageType: NPM, first: 10) {
edges {
node {
id
name
packageType
}
}
}
}
}
I received an error stating:
{
"errors": [
{
"type": "INSUFFICIENT_SCOPES",
"locations": [
{
"line": 6,
"column": 11
}
],
"message": "Your token has not been granted the required scopes to execute this query. The 'id' field requires one of the following scopes: ['read:packages'], but your token has only been granted the: ['read:gpg_key', 'read:org', 'read:public_key', 'read:repo_hook', 'repo', 'user'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens."
},
I followed the link https://github.com/settings/tokens and added the necessary permissions.
I tried to Authorizing a personal access token for use with SAML single sign-on but, the SSO button to enable is not present.
development settings token
Documentations I Followed: Creating Personal Token! | Authorizing Personal Token!
After trying out theses methods, the same error message persists "Your token has not been granted the required scopes".
My goal, through Github's API, is to retrieve packages associated with its repository.
Is there something I'm missing.
I am trying to translate some text using GCP translation service with REST api https://translation.googleapis.com/v3
I'm using API key auth method.
url and
Body
https://translation.googleapis.com/v3/projects/my-translator-1122333:translateText?key=thisismykey
{
"content": ["Hello"],
"sourceLanguageCode": "en",
"targetLanguageCode": "ru"
}
However I got
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
Could anyone explain me what is wrong I do?
Thanks
Following the docs on how to restrict sign in to G Suite domains, it says to verify the ID tokens 'hd' claims, and the existence thereof.
I have the following specified in my Firebase Auth UI config client side:
signInOptions: [
{
provider: firebase.auth.GoogleAuthProvider.PROVIDER_ID,
customParameters: { hd: "*" }
},
...
],
Which correctly show the login options for all G Suite domains. But when checking the idToken server side with admin.auth().verifyIdToken(token) the response returned does not include a hd claim. Can someone point me in the right direction here?
Im using com.amazonaws.services.cloudsearchdomain.AmazonCloudSearchDomainClient to uploadDocuments() with passing AWS secretkey and access id, End points .
Access Policy - Access all for all services
It is returning
Service: AmazonCloudSearchDomain; Status Code: 403; Error Code:
SignatureDoesNotMatch;
But with same package i have tried search() with same credentials , im getting search result correctly as expected.
Some one please help for above exception
This may be caused by your access policy allowing public access to search requests, but not upload. So there may be an issue with the credentials being passed, but you don't see that error when performing search requests, because credentials aren't necessary for that type of request.
For example, this access policy below would allow anyone to search without presenting credentials. But any other operation (like uploading documents) would require a valid set of credentials that have access to the CloudSearch domain.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "cloudsearch:search"
}
]
}