I want to retrieve an OpenShift Access Token with cURL (or Python).
Authentication to our OpenShift Console is provided with AzureAD; that makes the earlier proposed solution with username and password impossible:
curl -u joostd -kv 'https://oauth-openshift.apps.ocp4.example.com/oauth/authorize?client_id=openshift-challenging-client&response_type=token'
Now I am trying to find a way to get an AD token from https://login.microsoftonline.com/<<tenant-id>>/oauth2/authorize and use that to get an access token.
Related
I'm new to Snowflake and my objective is to use the SQL API to execute queries.
Using curl I'm able to create an access token and a refresh token. I can then use the access token in the snowsql connection parameter "--token" to start a snowsql session and execute SQL statements. This all works fine.
However, when I try to use curl to POST a request to the /api/statements endpoint (as documented on https://docs.snowflake.com/en/developer-guide/sql-api/guide.html#example-of-a-request) and I use the same access token, then I'm getting a "JWT token is invalid" error.
Am I missing something here? Do I need to generate and use a different access token for the SQL API than the one I can use with snowsql?
If so, how can I generate such an access token?
Any idea or hint is greatly appreciated.
Thanks.
There are 2 mechanisms for authorizing users for the SQL API: one is External OAuth and the other is the key-pair mechanism.
From what I presume, it seems that you have used the External OAuth token with key-pair auth for the SQL API, hence the error is seen.
In the SQL API request that is being tested, remove this line:
-H "X-Snowflake-Authorization-Token-Type: KEYPAIR_JWT" \
Now, run the curl command and it should work successfully.
When no parameter value for Auth token type is passed, it defaults to external OAuth.
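The header choice described in the answer above, as an added example that is not part of the original thread: it sends the token-type header only when the token looks like a key-pair JWT and omits it otherwise. The issuer shape `ACCOUNT.USER.SHA256:<fingerprint>` for key-pair JWTs is an assumption not stated on this page, and the sample tokens are constructed and unsigned.

```python
import base64
import json

TOKEN_TYPE_HEADER = "X-Snowflake-Authorization-Token-Type"


def jwt_payload(token):
    """Decode a compact JWT's payload without verifying it; None if not a JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        payload = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return payload if isinstance(payload, dict) else None


def is_keypair_jwt(token):
    # Assumption: a key-pair JWT has an issuer like ACCOUNT.USER.SHA256:<fingerprint>,
    # while an External OAuth token is issued by the identity provider.
    payload = jwt_payload(token)
    return bool(payload) and ".SHA256:" in str(payload.get("iss", ""))


def sql_api_headers(token):
    """Headers for POST /api/statements; type header only for key-pair JWTs."""
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    if is_keypair_jwt(token):
        headers[TOKEN_TYPE_HEADER] = "KEYPAIR_JWT"
    return headers  # header omitted: the API falls back to OAuth, per the answer


def constructed_jwt(claims):
    """Build an unsigned, constructed token for the demo (not a credential)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.constructed-signature"


KEYPAIR_SAMPLE = constructed_jwt({"iss": "MYACCOUNT.MYUSER.SHA256:constructed"})
OAUTH_SAMPLE = constructed_jwt({"iss": "https://idp.example.com/", "aud": "constructed"})
```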
I have a user managed identity, for which I want to generate a token
I tried in user's context
az login
az account get-access-token --resource "<client-id of user managed identity>"
I get the error
Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '04b07795-8ddb-461a-bbee-02f9e1bf7b46' named 'Microsoft Azure CLI'. Send an interactive authorization request for this user and resource.
Regarding the above error, I have come across threads which suggest adding Azure CLI as a preAuthorizedApplication. However, I did not find this managed identity in App Registrations. I did find an entry in Enterprise Applications, but did not find how to pre-authorize Azure CLI here.
I tried to achieve the same in a non-user context
az login --service-principal -u <capp-id> -p <client-secret> --tenant <tenant-id>
az account get-access-token --resource "<client-id of user managed identity>"
This works.
Why does the command fail in user context? How can I make it work?
Managed Identities do not have app registrations, only a service principal (aka enterprise app).
The way you are trying to use them is not the way they are meant to be used in my opinion.
The second one working is actually just the feature of Azure AD that allows an application using the client credentials flow (client id + secret) to acquire a token for any app in the tenant.
The token won't have any permissions though, so it wouldn't be valid if you are doing authorization correctly.
You usually don't want to use the managed identities as token targets, only for acquiring tokens.
So if you need to protect an API, you'd need an app registration, where you can then allow Az CLI to call it.
You can also define application permissions and allow applications using client credentials flow to access the API with proper authorization.
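The API-side authorization check described in the answer above, as an added example that is not part of the original thread: it rejects a token that has the right audience but carries no `roles` (application permissions) or `scp` (delegated permissions). It assumes the token's signature, issuer and expiry were already validated by a JWT library; the audience, role and scope names are hypothetical and the claims are constructed.

```python
API_AUDIENCE = "api://example-api"   # hypothetical App ID URI of the protected API
REQUIRED_ROLE = "Data.Read.All"      # hypothetical application permission (app role)
REQUIRED_SCOPE = "Data.Read"         # hypothetical delegated permission (scope)


def authorize(claims, audience=API_AUDIENCE,
              required_role=REQUIRED_ROLE, required_scope=REQUIRED_SCOPE):
    """Return (allowed, reason) for the claims of one validated access token."""
    if claims.get("aud") != audience:
        return False, "audience mismatch"
    # App-only (client credentials) tokens carry permissions in "roles";
    # delegated (user) tokens carry them in a space-separated "scp" string.
    roles = set(claims.get("roles") or [])
    scopes = set((claims.get("scp") or "").split())
    if not roles and not scopes:
        # Any app in the tenant can obtain such a token; it proves nothing.
        return False, "no roles or scopes in token"
    if required_role in roles:
        return True, "application permission granted"
    if required_scope in scopes:
        return True, "delegated permission granted"
    return False, "required permission missing"


# Constructed sample claims (not real tokens).
SAMPLES = {
    "client credentials, nothing granted": {"aud": API_AUDIENCE},
    "client credentials, app role granted": {"aud": API_AUDIENCE,
                                             "roles": ["Data.Read.All"]},
    "user via Azure CLI, scope granted": {"aud": API_AUDIENCE,
                                          "scp": "Data.Read"},
    "user with an unrelated scope": {"aud": API_AUDIENCE,
                                     "scp": "Profile.Read"},
    "token for another resource": {"aud": "api://constructed-other",
                                   "roles": ["Data.Read.All"]},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        print(f"{name}: {authorize(claims)}")
```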
I wish to use the Google Cloud Platform (GCP) REST API locally, starting with the apps.services.versions.instances.list method.
The route works when I use "Try this API" here, but how would I use this method locally with curl?
curl \
"https://appengine.googleapis.com/v1/apps/$APPSID/services/$SERVICESID/versions/$VERSIONSID/instances?key=$YOUR_API_KEY" \
--compressed \
--header 'Accept: application/json' \
--header "Authorization: Bearer $YOUR_ACCESS_TOKEN"
#=>
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
How do I access $YOUR_API_KEY and $YOUR_ACCESS_TOKEN? I have been unable to find either in the official GCP docs.
The fastest way is to use Cloud Shell:
List projects to get project id
gcloud projects list
# save your project id
PROJECT_ID="YOURS_PROJECT_ID"
Get ACCESS_TOKEN
ACCESS_TOKEN=$(gcloud auth print-access-token)
Get API_KEY
API_KEY=$(curl -X POST "https://apikeys.googleapis.com/v1/projects/$PROJECT_ID/apiKeys?access_token=$ACCESS_TOKEN" | jq -r ".currentKey")
Print API_KEY and ACCESS_TOKEN
echo $ACCESS_TOKEN
echo $API_KEY
To run the above commands on a local machine, you first need to authenticate using the command gcloud auth login and follow the instructions.
Alternatively, the API key can be read or created from the console: go to Navigation Menu -> APIs & Services -> Credentials and then click on CREATE CREDENTIALS -> API Key.
By reading the documentation (clicking on question mark next to Credentials) we can read:
[YOUR_API_KEY] - "Include an API Key to identify your project, used to verify enablement and track request quotas."
[YOUR_ACCESS_TOKEN] - "Include an access (bearer) token to identify the user which completed the OAuth flow with your Client ID."
You no longer need an API key. It's a legacy feature of Google APIs; providing only an access token is enough.
On the command line you can do this:
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" https://....
All the Google Cloud APIs are compliant with access token authentication. Few are still compliant with API keys.
About APIKeys API
This API has been published in beta and now closed. At least the documentation part. I don't know if this API is stable or subject to change. You can create an API key per API like this (very similar to Bartosz Pelikan's answer):
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
-X POST https://apikeys.googleapis.com/v1/projects/PROJECT_ID/apiKeys
As you can see, I reuse the access token authentication mode.
The above answers are using an API that isn't publicly available (I reached out to GCP support and confirmed).
I recommend using the CLI tool like so:
gcloud app instances list --service core-api --project my-project-name
docs: https://cloud.google.com/sdk/gcloud/reference/app/instances/list
You'll have to do a gcloud auth first and probably set your project.
I am new to Salesforce and SF workbench.
I have been given read access and login credentials to the SF workbench for one of our clients.
I know I can use the SF REST API to extract data from Salesforce objects, but I guess I would need an OAuth token to be able to do that.
Is there a way to extract those tokens from the workbench to do simple rest api curl commands?
If you set up a Connected App in Salesforce (any org, including a developer org) and enable OAuth, then you can use the following curl command to create an OAuth token from a username and password:
curl https://login.salesforce.com/services/oauth2/token \
-d "grant_type=password" \
-d "client_id=YOUR_OAUTH_CONSUMER_KEY" \
-d "client_secret=YOUR_OAUTH_CONSUMER_SECRET" \
-d "username=YOUR_USERNAME" \
-d "password=YOUR_PASSWORD"
From Workbench, if you select Session Information from the Info menu and expand the Connection folder, you will see a Session Id value; this is your current session token and it can be used for curl REST commands.
You could also use the REST Explorer found under the Utilities menu to do your simple REST API commands.
I'm trying to use the JHipster tool to create a new project with OAuth2 authentication. The project example works fine and I can log in with the AngularJS interface, but I can't understand how I can create a new user and then get the access token via a curl command line for this new user.
Thanks for your help
Step #1: Register the user.
Register a user at http://localhost:8080/#/register and make sure you can log in via the web interface.
Step #2: Obtain an OAuth2 token.
Information required for obtaining an OAuth2 token:
OAuth2 client id (see application.yml)
OAuth2 secret (see application.yml)
The user name and password used to register the new user.
Required scope/s
Then, obtain an OAuth 2 token from the server:
curl -X POST -vu client:secret http://localhost:8080/oauth/token -H "Accept: application/json" -d "username=username&password=password&grant_type=password&scope=read&client_id=clientid&client_secret=secret"
... returns something like this:
{"access_token":"7916d326-0f7f-430f-8e32-c5135a121052","token_type":"bearer","refresh_token":"2c69ca58-a657-4780-b5d8-dc965d518e9e","expires_in":1037,"scope":"read"}
Step #3: Use the token in calls to protected resources:
Then, the auth token must be supplied in the header on every call:
curl http://localhost:8080/app/rest/books -H "Authorization: Bearer 7916d326-0f7f-430f-8e32-c5135a121052"