I'm trying to access a Jenkins instance via its remote API. I'm using a command like the following:
`curl -v -X GET https://jenkins.somewhere.com/job/trt/api/xml --user user#gmail.com:abc123abc123abc123acb123`
The user ID and API token are taken from my User page. The Jenkins instance is secured to use Google Apps SSO for its Security Realm, and Role-based strategy for Authorization. My user is in a role which has all permissions, however I get a 403 response, and it seems to think I'm the "anonymous" user (response below). How can I diagnose what's going wrong?
< HTTP/1.1 403 Forbidden
< Date: Tue, 30 Sep 2014 09:29:49 GMT
* Server Jetty(8.y.z-SNAPSHOT) is not blacklisted
< Server: Jetty(8.y.z-SNAPSHOT)
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Type: text/html;charset=utf-8
< X-Hudson: 1.395
< X-Jenkins: 1.574
< X-Jenkins-Session: 0a2fc55a
< X-Hudson-CLI-Port: 37761
< X-Jenkins-CLI-Port: 37761
< X-Jenkins-CLI2-Port: 37761
< X-You-Are-Authenticated-As: anonymous
< X-You-Are-In-Group:
< X-Required-Permission: hudson.model.Hudson.Read
< X-Permission-Implied-By: hudson.security.Permission.GenericRead
< X-Permission-Implied-By: hudson.model.Hudson.Administer
< Set-Cookie: JSESSIONID.cf04cd2b=rdgbn9cxz0s045quzsaybywo;Path=/
< Via: 1.1 jenkins.somewhere.com
< Vary: Accept-Encoding
< Content-Length: 578
<
<html><head><meta http-equiv="refresh" content="1;url=/securityRealm/commenceLogin?from=%2Fjob%2Ftrt%2Fapi%2Fxml"><script>window.location.replace('/securityRealm/commenceLogin?from=%2Fjob%2Ftrt%2Fapi%2Fxml');</script></head><body style="background-color:white; color:white;">
Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
Permission you need to have (but didn't): hudson.model.Hudson.Read
... which is implied by: hudson.security.Permission.GenericRead
... which is implied by: hudson.model.Hudson.Administer
-->
Related
Im creating a login with apple music feature on a PHP coded website, so far so good. Im able to login get the access_token from the user, im also able to get public track and playlist info using my encrypted developer token.
But I would also like to create a library playlist for that logged in user, the docs in apple suggest that to make personal changes I need to add a special header:
Music-User-Token: [music user token]
I assumed that the Music-User-Token is the access_token of the user, but that fails, I also tried the id_token from the logged in session, but it also fails.
My end CURL request looks something like this:
curl -v \
-H 'Content-Type: application/json' \
-H 'Music-User-Token: USER_MUSIC_TOKEN' \
-H 'Authorization: Bearer DEVELOPER_TOKEN' \
--request POST \
--data '{"attributes":{"name":"1622799194 playlist","description":""},"relationships":{"tracks":{"data":[{"id":"1560879523","type":"songs"}]}}}' \
"https://api.music.apple.com/v1/me/library/playlists"
The response I get is:
* upload completely sent off: 135 out of 135 bytes
< HTTP/1.1 403 Forbidden
< Content-Type: application/json;charset=utf-8
< Content-Length: 132
< Server: daiquiri/3.0.0
< x-apple-jingle-correlation-key: 7QETXMYLA5HYFGWO75NMIYAZ2E
< x-apple-request-uuid: fc093bb3-0b07-4f82-9ace-ff5ac46019d1
< b3: fc093bb30b074f829aceff5ac46019d1-3adb16d23e03d043
< x-b3-traceid: fc093bb30b074f829aceff5ac46019d1
< x-b3-spanid: 3adb16d23e03d043
< apple-seq: 0.0
< apple-tk: false
< apple-originating-system: MZStorePlatform
< X-Apple-Application-Site: ST11
< X-Apple-Application-Instance: 2513606
< x-responding-instance: MZStorePlatform:2513606:::
< apple-timing-app: 11 ms
< Cache-Control: private, no-cache, no-store, no-transform, must-revalidate, max-age=0
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< is-jetty: true
< x-apple-lokamai-no-cache: true
< x-daiquiri-instance: daiquiri:48626004:st53p00it-qujn14050101:7987:21HOTFIX5
< Access-Control-Allow-Origin: *
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Date: Fri, 04 Jun 2021 09:55:15 GMT
< Connection: close
<
* Closing connection 0
{"errors":[{"id":"7QETXMYLA5HYFGWO75NMIYAZ2E","title":"Forbidden","detail":"Invalid authentication","status":"403","code":"40300"}]}
How do I generate the proper for Apple Music Kit Music-User-Token manually?
Thank you!
I added some custom fonts to my website and uploaded them to AWS S3 + CloudFront.
A lot of topics here describe this problem but non of them are solving my issue.
Using curl I get this output:
curl --head https://cdn.mzguru.de/fonts/sourcesanspro/source-sans-pro-v12-latin-ext_latin-700.woff2
HTTP/1.1 200 OK
Content-Type: binary/octet-stream
Content-Length: 25348
Connection: keep-alive
Date: Tue, 22 Oct 2019 11:54:18 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 3000
Last-Modified: Fri, 12 Apr 2019 10:54:26 GMT
ETag: "639c2738552a0376c91e7d485e476fda"
Cache-Control: max-age=62208000
Accept-Ranges: bytes
Server: AmazonS3
X-Cache: Hit from cloudfront
Via: 1.1 bae3e24625567f5728a5caa96d6b7669.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: FRA53
X-Amz-Cf-Id: iAy-QTfuV9ZqwmaRjXE0ramVSgsZkA6MtRmQOKDSonf6I8OabrpLZA==
Age: 12818
Within Chrome I get this error:
Access to font at 'https://cdn.mzguru.de/fonts/sourcesanspro/source-sans-pro-v12-latin-ext_latin-700.woff2' from origin 'https://www.monteurzimmerguru.de' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
This is the point where I do not understand the problem. The error message says: "No 'Access-Control-Allow-Origin' header is present"
But in the curl request I see this header. What is wrong?
Thank you
EDIT
I have attached a screenshot with the error messages.
EDIT 2: AWS Interface changed (2022)
Please take a look at #James Dean post.
1.) Do I need to tick the options box?
2.) I can not find the settings you describe. I guess the UI changed in the meanwhile.
Your S3 CORS configuration is correct based on below output:
>curl -vk "https://cdn.mzguru.de/fonts/sourcesanspro/source-sans-pro-v12-latin-ext_latin-700.woff2" -H "Origin: https://www.monteurzimmerguru.de"
< HTTP/2 200
< content-type: binary/octet-stream
< content-length: 25348
< date: Thu, 24 Oct 2019 12:19:41 GMT
< access-control-allow-origin: *
< access-control-allow-methods: HEAD, GET
< access-control-max-age: 3000
< last-modified: Fri, 12 Apr 2019 10:54:26 GMT
< etag: "639c2738552a0376c91e7d485e476fda"
< cache-control: max-age=62208000
< accept-ranges: bytes
< server: AmazonS3
< x-cache: Hit from cloudfront
However, Chrome/Browser is making OPTIONS/Preflight request on CloudFront and options request is not allowed on cloudfront currently. Only Head and GET are allowed.
curl -X OPTIONS "https://cdn.mzguru.de/fonts/sourcesanspro/source-sans-pro-v12-latin-ext_latin-700.woff2" -H "Origin: https://www.monteurzimmerguru.de"
>This distribution is not configured to allow the HTTP request method that was used for this request
To fix this , you need to do it:
In the CloudFront cache behaviour, you need to allow GET,HEAD and OPTIONS
In Cache behaviour, cache based on selected header, you should select Origin
Invalidate cache once and test it again.
You have to update,
Query String Forwarding and Caching to Forward all, cache based on all
in cloudfront Cache Behavior Settings ( cloudfont -> select one -> edit )
I would like to automate chrome extension deployment and followed this guide for the most part: https://developer.chrome.com/webstore/using_webstore_api. I created a project in my developer console, activated the Chrome Web Store API. Next step is creating the right credentials. There are three different ones, when i let google help me choose it tells me that API-key is just fine to use for this API, so i did.
My question: How can i use this API-key to make API calls? I tried to include the key in the params as pointed out in the docs but that doesn't work. If this is the wrong approach i really don't understand, that these sort of authentication is suggested by the developer console.
As i try to automate things on a build server without using chrome or some other browser i cannot really use OAuth credentials.
curl \
-H "x-goog-api-version: 2" \
-H "Content-Length: 0" \
-H "Expect:" \
-X GET \
-v \
"https://www.googleapis.com/chromewebstore/v1.1/items/ITEM_ID?projection=draft&key=API_KEY"
results in
https://www.googleapis.com/chromewebstore/v1.1/items/ITEM_ID\?projection\=draft\&key\=API_KEY
* Trying 172.217.17.234...
* Connected to www.googleapis.com (172.217.17.234) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.googleapis.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
> GET /chromewebstore/v1.1/items/ITEM_ID?projection=draft&key=API_KEY HTTP/1.1
> Host: www.googleapis.com
> User-Agent: curl/7.43.0
> Accept: */*
> x-goog-api-version: 2
> Content-Length: 0
>
< HTTP/1.1 401 Unauthorized
< Vary: X-Origin
< WWW-Authenticate: Bearer realm="https://accounts.google.com/"
< Content-Type: application/json; charset=UTF-8
< Date: Thu, 15 Sep 2016 14:14:18 GMT
< Expires: Thu, 15 Sep 2016 14:14:18 GMT
< Cache-Control: private, max-age=0
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32"
< Accept-Ranges: none
< Vary: Origin,Accept-Encoding
< Transfer-Encoding: chunked
<
* Connection #0 to host www.googleapis.com left intact
{"error":{"errors":[{"domain":"global","reason":"required","message":"Login Required","locationType":"header","location":"Authorization"}],"code":401,"message":"Login Required"}}
I also tried to set it as header but neither of these worked.
I'm currently working on an HTTP API in Symfony 2 for which I have implemented OAuth2 Password Credentials for authentication. On authentication the client received two tokens, one access and one refresh token.
Somehow I need to be able to inform the client that the access token is no longer valid and that the refresh token must be used to obtain a new access token.
I have gone through the list of HTTP codes [1] and to me the 419 Authentication Timeout status seems the most appropriate. However, when I use this in the Response object I actually receive a 500 status instead:
return new Response("OK", 419);
Results:
$ curl -X GET http://local.api
< HTTP/1.1 500 Internal Server Error
< Date: Thu, 23 Jan 2014 21:34:39 GMT
* Server Apache/2.4.6 (Ubuntu) is not blacklisted
< Server: Apache/2.4.6 (Ubuntu)
< X-Powered-By: PHP/5.5.3-1ubuntu2.1
< Cache-Control: no-cache
< X-Debug-Token: b7c386
< X-Debug-Token-Link: /app_dev.php/_profiler/b7c386
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
I get the impression that the Response object doesn't seem to support this code (looking through the list of constants defined in the class) but from the Response class code itself I can't detect any logic that wouldn't allow me to send a 419.
I'm currently falling back on the 511 Network Authentication Required but I prefer to use the 419 instead. How can I do this?
[1] http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
Look at the Response constructor, it throws an InvalidArgumentException exception if the status code is not valid. You will need to use a different status code (take a look at the class constants for the valid codes in Symfony)
I am a bit stuck in authenticating my app and get an access token, when following this instructions: http://developers.flattr.net/v2/
Step 1, Authenticate works fine. I get back the code, and my app is listed in my Settings/Applications with the correct scope.
Then I try to get the access token via the following curl command:
curl -v --user MY_KEY:MY_SECRET -H "Content-Type: application/json"\
-X POST -d '{"grant_type": "authorization_code",\
"redirect_uri": "http://localhost/", "code": "MY_CODE"}'\
https://flattr.com/oauth/token
Unfortunately I always get "invalid_request"
< HTTP/1.1 400 Bad Request
< Strict-Transport-Security: max-age=500
< Set-Cookie: PHPSESSID=d9972s9r5a7t4p0ch4chc4dqh2; path=/; domain=.flattr.com; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store
< Pragma: no-cache
< Content-Type: application/json; charset=utf-8
< Content-Length: 291
< Connection: close
< Date: Wed, 16 Nov 2011 22:38:30 GMT
< Server: lighttpd
<
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed."}
Thanks!
I found a bug in the process and it is now smashed. Should be working smooth if you try the request again!