I am using Salesforce LiveAgent Chat, and below are our configurations,
Chat Deployments:
Allow access to Pre-Chat API: yes
Permitted Domain: I have 4 domains each on new line formatted as "domainname.com"
When a request is placed from my livechat application: https://d.la1-c2-iad.salesforceliveagent.com/chat/rest/Visitor/Availability?Availability.ids=<agent_id>&deployment_id=<chat_id>&org_id=<org_id>
I am gettting response as {"messages":[{"type":"Error","message":{"text":"Domain is not whitelisted for this deployment"}}]}
Though I am getting exception in browser console, Generic Agent Chat is working fine, However Dedicated Agent chat(with specific agent_id) it is not working.
I tried removing permitted domains from chat deployment setting and error no longer appear.
Related
I got stuck on trying to access Azure blob storage from React app (thus from browser) with credentials.
And firstly I want to admit, that I am newbie in Azure, so maybe I misunderstood some basic concepts...
My current situation and goal:
I am developing React app (lets say MyReactApp). This app uses some files from Azure blob storage (lets say MyBlobStorage) -> it reads, creates and deletes blobs.
I started to develop it on my local and for this dev purpose I was connecting to MyBlobStorage with SAS - this worked perfectly.
MyReactApp is browser only, so it does not have any backend.
After finishing local development, I deployed it as Azure web app with SAS. What have I done:
created App service (lets say MyAppService)
register app in Azure Active Directory and use it as Identity Provider in MyAppService
After this the app works from Azure url perfectly too.
But my app on Azure should fulfill 2 conditions:
User has to log in with AAD account before access to MyReactApp
App itself must get rid of SAS (because it is not secure as it can be obtained from browser) and use some Azure credentials to connect to Azure blob storage
First condition - user log in:
I enabled "easy" logging in MyAppService -> Authentication and chose users, who can have access.
in Authentication section of app in AAD I set up Web type Redirect Uri as /.auth/login/aad/callback
Still everything works great - the user, who is assigned to the app, can log in and work with the app - so far so good, but now the problem comes
Second condition - I wanted to get rid of the SAS to access MyBlobStorage and use DefaultAzureCredentials:
I turned on managed identity for MyAppService and add it as Storage Blob Data Contributor for MyBlobStorage
I obtained user_impersonation and User.Read Api permissions for my app
I removed SAS and tried to add DefaultAzureCredentials to my code -> but it seems, that they can't be used in browser and only option is InteractiveBrowserCredentails
so I tried to use InteractiveBrowserCredentails like this:
this.interactiveBrowserCredential = new InteractiveBrowserCredential({
tenantId: "<appTenant>", // got from app registration on AAD
clientId: "<appClient>", // got from app registration on AAD
redirectUri: <MyAppServiceURi>/.auth/login/aad/callback // the same as in Azure AAD app,
});
this.blobSC = new BlobServiceClient(Constants.STORAGE_PATH, this.interactiveBrowserCredential);
My current result:
This shows login popup after getting to the page and after another signing in it results in error:
AADSTS9002326: Cross-origin token redemption is permitted only for the
'Single-Page Application' client-type.
I googled it of course and according to some answers I tried to change the Web type of redirect URI to SPA.
I tried it, but some other error showed up:
AADSTS9002325: Proof Key for Code Exchange is required for
cross-origin authorization code redemption.
Surprisingly this should be solved by changing from SPA to Web type...:) So I am trapped...
My expected result
In ideal world, I want to connect MyReactApp to MyBlobStorage without popup and with some secret credentials, just to say something like this.blobSC = new BlobServiceClient(Constants.STORAGE_PATH, credentials);
and be able to work with blobs.
Is it possible to access blob storage from browser without errors of course and ideally without popup, which needs another log in for user?
My complementary questions
Can I use somehow the logging info from the user (from his "easy" AAD logging)? I can get his info with GET call to /.auth/me, maybe it can be utilized, so I can use his info to access the blobs?
The solution should be working on localhost too (I tried to add http://localhost:3000/ to redirect uri, but without success), can it be done?
Thank you all, who read the whole story!
I've been using Azure Active Directory and adal.js to authorize web apps client side and it's worked great. Recently had a request to have user photo instead of a generic user icon.
I added Microsoft Graph permissions to the app registration. And tried to get a token for the user photo request like...
authContext.acquireToken('https://graph.microsoft.com', callback);
Which resulted in the response_type 'token' is not supported for the application error. So I found ADAL JS - response_type="token" is not supported suggesting setting "oauth2AllowImplicitFlow": true in the app manifest, which I did. Now I get Token renewal operation failed due to timeout error.
I've also added 'https://graph.microsoft.com': 'https://graph.microsoft.com' to the endpoints prop of the context config.
What do I have to do get this working? Way too much time spent just trying to get users' photos. Thanks.
SOLVED: For other people having this error, please check this:
I configured my endpoint/reply address as http:// whilst my app was running https://.. After changing it to https things worked as expected and I could login on the v2 endpoint as well as query the graph api.
It's also a restriction on the v2 endpoint, so beware of that. It just needs to be in https, see the docs:
Restrictions on redirect URIs
Currently, apps that are registered in the Application Registration Portal are restricted to a limited set of redirect URI values. The redirect URI for web apps and services must begin with the scheme https.
source: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-limitations
I have configured an application via the apps.dev.microsoft.com portal as described in this sample project.
I was running under a different port though, so when I set up the URLs in the app registrations I changed them to match my port number.
Now I'm receiving this error after the flow is trying to connect back to my application.
How can I debug this, or how do I know what is happening?
Additional technical information:
Correlation ID: 145d8f37-7229-4dce-8ace-c777e4aeef94
Timestamp: 2017-11-02 08:41:21Z
AADSTS50011: The reply address 'http://localhost:60761/signin-oidc'
does not match the reply addresses configured for the
application: '8b640f9d-e7d8-4c41-8a40-15069f5712ee'.
More details: not specified
I also get the notification that this application will be fed to the Azure AD Portal (app registrations) - but I can't find it there.
I had created few APIs earlier and published the same through API Publisher in WSO2 API Manager(APIM) , I was able to view them in Publisher Dashboard and Store Dashboard as well.I had subscribed them and was able to use the APIs.
Recently, I am unable to see any of those created APIs in Publisher Dashboard or Store Dashboard as well in API Manager.
I have not made any changes to configuration of API Manager.
I tried to publish APIs using REST APIs exposed by WSO2 APIM but I got following error message.
Publisher Response :
{
"error" : true,
"message" : "Failed to change the life cycle status : An exception occurred while executing handler chain. SolrCore 'registry-indexing' is not available due to init failure: Error opening new searcher"
}
I have checked Thrift ports (Both are on 10397 and I have tried disabling them too as per other posts on stack overflow).
I have checked API Gateway credentials it is as they were by default i.e
<APIGateway>
<!-- The environments to which an API will be published -->
<Environments>
<!-- Environments can be of different types. Allowed values are 'hybrid', 'production' and 'sandbox'.
An API deployed on a 'production' type gateway will only support production keys
An API deployed on a 'sandbox' type gateway will only support sandbox keys
An API deployed on a 'hybrid' type gateway will support both production and sandbox keys. -->
<!-- api-console element specifies whether the environment should be listed in API Console or not -->
<Environment type="hybrid" api-console="true">
<Name>Production and Sandbox</Name>
<Description>This is a hybrid gateway that handles both production and sandbox token traffic.</Description>
<!-- Server URL of the API gateway -->
<ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
<!-- Admin username for the API gateway. -->
<Username>${admin.username}</Username>
<!-- Admin password for the API gateway.-->
<Password>${admin.password}</Password>
<!-- Endpoint URLs for the APIs hosted in this API gateway.-->
<GatewayEndpoint>http://${carbon.local.ip}:${http.nio.port},https://${carbon.local.ip}:${https.nio.port}</GatewayEndpoint>
</Environment>
</Environments>
</APIGateway>
I am unable to create new APIs as well since it seems there is some problem with Registry.
P.S : It also gives message that MQTT is disabled
Can anyone please help out ?
Please check screenshots for more clarity
Looks like an indexing issue. Shall we try what is mentioned in here. This will reindex the APIs.
Following the instructions in https://cloud.google.com/storage/docs/object-change-notification#_Authorize_Endpoint I'm trying to set a watchbucket notification.
I'm running:
gsutil notification watchbucket https://-------.appspot.com gs://-----
(with my real application id and bucket)
The error string reported by gsutil suggest an internal bug:
BadRequestException: 400 No valid domain for WebHook callback: https://https://...
Note the double https:// in the error report
trying to remove the https:// ends with an error:
CommandException: The application URL must be an https:// URL.
I believe I've done all the things needed. I'm working with a service account of the application. the application URL is listed in https://console.developers.google.com/project/ywz-gcs-watch/apiui/notification. The service account has access to the watch bucket (tried it also with a bucket belong to the application project)
Is that a gsutil bug?
I've faced the exactly same problem here. The issue was that my allowed domain was registered like 'https://example.com' while it should be 'example.com'.
Go to your google developer console and open your project page.
In the sidebar on the left, click APIs & auth, then click Push.
Double check if your domain is correct. If not, enter just the domain without the protocol part and wait a few minutes before test again. Hope it helps!
Kindly Regards,
VinÃcius Miasato