I can request a token for a user by visiting the following url:
https://trello.com/1/connect?key=<key>&name=appName&response_type=token&scope=read,write&expiration=never
However, when I request the token's info through the API, I get a response that looks like this:
{
"id": "...",
"identifier": "appName",
"idMember": "...",
"dateCreated": "2015-10-15T05:21:19.886Z",
"dateExpires": null,
"permissions": [
{
"idModel": "*",
"modelType": "Board",
"read": true,
"write": true
},
{
"idModel": "*",
"modelType": "Organization",
"read": true,
"write": true
}
]
}
I'd like to be able to request a token only grant privileges to a specific organization. But I can't seem to find clear documentation on what kinds of options the /1/connect endpoint accepts, or what other method I can use to obtain a token for a specific organization that does not expire.
I could make a machine user with access only to the organization, but it would be a shame to pay for another user account when I only want a subset of the permissions I already have.
I don't think that would be possible as you just authenticate against the API as that user and therefore have the ability to see everything that user can. The only way I'm aware of would be (as you suggested) to create a new user and limit what they can see.
Related
So I know there's several SDK packages for many languages available for nHost, however I need to create my own interface to the system since the language I'll be using isn't typical.
I basically just need to know how to interact with authentication endpoints, send a users un/pw and recieve a JWT token. I've been successfully able to do this with aws Cognito, but I'd like to explore this instead.
I'm also not sure if I'm using the right base url, here's my thought so far:
https://kbvlufgpikkxbfkzkbeg.nhost.run/auth/login
So I would POST to there with some json in the body with the un/pw stuff, and the response should be the jwt token right?
I get a "resource does not exist" response from the above, however, so obviously I'm not forming the url correctly in the first place.
Thanks for the help!
Nhost supports multiple sign-on methods.
For example, using the email+password method, you would send:
POST https://xxxxxxxxxxxxx.nhost.run/v1/auth/signin/email-password
{"email":"foo#example.com","password":"bar"}
and the response:
{
"session": {
"accessToken": "somejwt....",
"accessTokenExpiresIn": 900,
"refreshToken": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"user": {
"id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"createdAt": "2022-09-17T19:13:15.440221+00:00",
"displayName": "foo#example.com",
"avatarUrl": "",
"locale": "en",
"email": "foo#example.com",
"isAnonymous": false,
"defaultRole": "user",
"metadata": {},
"emailVerified": true,
"phoneNumber": null,
"phoneNumberVerified": false,
"activeMfaType": null,
"roles": [
"user",
"me"
]
}
},
"mfa": null
}
The JWT is short-term, when it expires, the refresh token is used to get a new one.
The Nhost JavaScript SDK handles it automatically for you, that's a big benefit to the platform (in addition to being integrated with Hasura). If you are trying to port it to another unsupported language, you'd have to reimplement it. Probably by reading the library and/or running one of their sample client application and reverse-engineering the HTTP over the wire.
I'm using Strapi 3.6.10.
When I create user via http://host:1337/auth/local/register, I'm not able to achieve desirable user's role. It's always Authenticated, even if I directly set it to another in my request
{
"username": "user",
"email": "user#mail.com",
"password": "123456789",
"role": {
"_id": "626eacea45f0a420ccb35094"
}
}
I've also tried using API documented in generated by Documentation plugin Swagger - PUT /users/{id}. But if I send request with new role nothing happens to my user's entry
Recently I had configure to use amplify with #aws-amplify/ui-react library to login Federated users.
Once login, for google user, I would get payload like
{
"id": "",
"email": "",
"name": "",
"picture": "",
"token": ""
}
Yet for facebbook user, I get similar stuff but no picture info
{
"id": "",
"email": "",
"name": "",
"token": ""
}
I had tried to update config in my Cognito for Facebook provider. However, this failed to get picture info for me.
Is it possible to make amplify's federated login through Facebook to pass me back picture info as well? I know I could just call another Facebook api to retrieve picture, but I wish this could be avoided, since Google login would return picture info automatically.
P.S.
Here's my Facebook identity providers config:
PPS.
Here's my recent Cognito attribute mapping config:
For Facebook:
and in CognitoUserSession's idToken's payload:
the picture field would include a JSON object about profile picture's information
For Google, much simpler:
and the payload:
the picture field is simply the image link
Assuming you're requesting public_profile, use "picture" from Facebook Attribute is actually correct, I do face similar problems that I couldn't receive it until i delete the userpool, and creating a new one.
The value you will get from picture should be something like this
{
"data": {
"height": 50,
"is_silhouette": false,
"url": "https://platform-lookaside.fbsbx.com/platform/profilepic/?etcetcetcetc",
"width": 50
}
}
I am implementing Vault for my team to use and store secrets, and we wanted to keep it simple so we decided to go with the default token authentication.
The thing is I can't find a way to manage tokens that were created, so that if I want to revoke a certain person's token, I know exactly which one to revoke.
Does anyone know how to manage tokens in Vault?
You cannot list the tokens because tokens are sensitive information.
You can list token accessors (API docs)
which will give you a value like this 476ea048-ded5-4d07-eeea-938c6b4e43ec which is safe to share - think of it as a pointer to the token.
Then you can lookup the token accessor (API docs) and get a response like this
{
"data": {
"accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
"creation_time": 1523979354,
"creation_ttl": 2764800,
"display_name": "ldap2-tesla",
"entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
"expire_time": "2018-05-19T11:35:54.466476215-04:00",
"explicit_max_ttl": 0,
"id": "",
"identity_policies": ["dev-group-policy"],
"issue_time": "2018-04-17T11:35:54.466476078-04:00",
"meta": {
"username": "tesla"
},
"num_uses": 0,
"orphan": true,
"path": "auth/ldap2/login/tesla",
"policies": ["default", "testgroup2-policy"],
"renewable": true,
"ttl": 2763902
}
}
which will probably help you figure out if the tokens requires revoking or not.
We are trying to update details information for serveral Venues in behalf of our clients/users by using Foursquare API.
It works pretty well for most of the clients, and we are using their own personal oauth credentials most of the time.
BTW, we have a lot of problems with some clients/accounts, because we are getting this error when trying to update the venues:
{
"meta": {
"code": 403,
"errorType": "not_authorized",
"errorDetail": "User not authorized to edit venue",
"requestId": "59bba14e351e3d0e31fcf9f1"
},
"notifications": [
{
"type": "notificationTray",
"item": {
"unreadCount": 0
}
}
],
"response": {}
We’ve checked the API limits and everything it’s correct. We’ve also checked the account Oauth token several times and it’s correct. Even we are using the 'venues/managed’ endpoint to ensure that the given Oauth credential can manage the given Venue and everything looks fine.
Any idea about what's happening?