I'm trying to build an app that posts sentences to Blogger. However, I'm stuck at the OAuth part, which requires a client ID and client secret. I don't know where to find these values.
The values are required in the following line:
GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(httpTransport, jacksonFactory,
CLIENT_ID, CLIENT_SECRET, scopes).setAccessType("online").setApprovalPrompt("auto").build();
How do I find the proper CLIENT_ID and CLIENT_SECRET values?
All right, I found it. It involves going to https://console.developers.google.com/apis/api/blogger.googleapis.com/ and then I can create tokens by clicking on the left-hand menu.
I have a Kubernetes cluster with kube-prometheus-stack (which includes Grafana) deployed via Helm. I am trying to set up single sign on (SSO) to Grafana using AzureAD. I've found the Grafana configuration pages (https://grafana.com/docs/grafana/v9.0/setup-grafana/configure-grafana and https://grafana.com/docs/grafana/v9.0/setup-grafana/configure-security/configure-authentication/azuread/) and I think I have an initial idea of what I need to add to my Helm chart's values.yaml file.
There are some details, however, that I am not sure about. If I had access to the "schema" for this configuration, that might help me figure this out. Unfortunately, I have been unable to find anything that defines this. There are examples, but I cannot find anything that describes what the fields mean. Also, keep in mind that everything I have found shows examples for the grafana.ini file. I need to "translate" this to YAML for the values.yaml file used by the Helm chart.
Here is an example:
...
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = APPLICATION_ID
client_secret = CLIENT_SECRET
scopes = openid email profile
auth_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
allowed_domains =
allowed_groups =
role_attribute_strict = false
I have translated this into the following YAML:
auth.azuread:
  name: Azure AD
  enabled: true
  allow_sign_up: true
  client_id: APPLICATION_ID
  client_secret: CLIENT_SECRET
  scopes: openid email profile
  auth_url: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
  token_url: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
  allowed_domains:
  allowed_groups:
  role_attribute_strict: false
I suspect that scopes expects a list based on its plurality, but how can I be sure? Also, what are the valid values? Apparently openid, email and profile are valid, but what do these values represent and are there others? On a similar note, what do allowed_domains and allowed_groups expect?
I've tried to find a reference for the Grafana configuration data structure and definition, but have not had any luck. Does anyone have an idea where (if) this can be found?
We have an external vendor that requires us to include a bearer token in the HTTP request header when we communicate with the API. This token shouldn't be left in the code unencrypted, so where is the best place to store it? The Named Credential type doesn't seem to support storing a simple token and the Custom Setting option seems overly complicated and unnecessary. This is a single token string that will be used for every API call regardless of which user. I have searched high and low on Google and haven't found an obvious solution that works.
There are some options but they're limited for your code as end user. A determined developer/sysadmin will learn the value eventually.
If you'd build a managed package, you could use a protected custom setting (managed package's code could see it but not the client code, even sysadmins).
Check some of these:
https://developer.salesforce.com/page/Secure_Coding_Storing_Secrets
https://salesforce.stackexchange.com/questions/226110/what-is-the-best-way-of-storing-username-and-password-in-salesforce
https://salesforce.stackexchange.com/questions/478/using-transient-keyword-to-store-password-in-hierarchy-custom-setting
https://salesforce.stackexchange.com/questions/55008/is-encrypting-passwords-in-protected-custom-settings-a-security-requirement
You could make a custom setting with 2 text fields, 1 with encryption key and 1 with encrypted value in it. Look at Crypto class.
Blob exampleIv = Blob.valueOf('Example of IV123');
Blob key = Crypto.generateAesKey(128);
Blob data = Blob.valueOf('Data to be encrypted');
Blob encrypted = Crypto.encrypt('AES128', key, exampleIv, data);
Blob decrypted = Crypto.decrypt('AES128', key, exampleIv, encrypted);
String decryptedString = decrypted.toString();
System.assertEquals('Data to be encrypted', decryptedString);
Your initialisation vector could be org's id or something else that's easy to access and unlikely to change (I don't know if your vendor's API has test and prod endpoints but it's an added bonus that after sandbox refresh this will fail to decrypt OK until you change the custom setting... you wouldn't want to send test messages to production API), you'd generate key once & store it in setting.
I'm currently working on revising the registration procedure of our recruitment ATS, made with AngularJS and Meteor, and I need to verify the new user's email during the registration procedure.
The logic would go as follows:
1- User fills in a form on the 'get-started' page and when clicking on 'submit', the ATS sends a verification email (I'll be using 'sendVerificationEmail' from Meteor).
2- After the user clicks on the link from the email, they'll get redirected to the 'register' page where additional information is required and the registration procedure is concluded.
As mentioned above, I'm planning to use 'sendVerificationEmail' to verify the user but I also want to use it to send back the userID.
From what I read on the Meteor API, I can pass extra data to the token with 'extraTokenData'
Accounts.sendVerificationEmail(userId, [email], [extraTokenData])
Now how do I declare the 'extraTokenData' object?
Could I do it like this: Accounts.sendVerificationEmail(userId, "", { _id: userId })
And how do I retrieve the 'userId' with 'Accounts.onEmailVerificationLink'?
Your help will be greatly appreciated.
The email and the extra tokens are optional, but if you want to send them, send them as a string.
If you want to send the extra token but no emails you can try using Accounts.sendVerificationEmail(userId, undefined, "extra token") or, if it doesn't work, you can request the user's details using Meteor.user(), then call user.emails[0].address.
To retrieve information you have to get user by token and all data are there on user document under services.password.reset field. Look here how Accounts.generateResetToken is implemented https://github.com/meteor/meteor/blob/1e7e56eec8414093cd0c1c70750b894069fc972a/packages/accounts-password/password_server.js#L609.
I'm developing a Word Add-in and using auth.getAccessTokenAsync for authentication as defined here: https://dev.office.com/reference/add-ins/shared/office.context.auth.getAccessTokenAsync.
I obtain the access token successfully but then I'm encountering an error in the "on behalf of" flow described here: https://learn.microsoft.com/en-us/office/dev/add-ins/develop/authorize-to-microsoft-graph.
While using MSAL (Microsoft.Identity.Client) to validate the bootstrap access token and get a token for Microsoft Graph I get an error. Code and error details below.
Code:
var cl = new ConfidentialClientApplication(<client ID>,
"https://login.microsoftonline.com/" + <tenant ID>,
<redirect uri>,
new Microsoft.Identity.Client.ClientCredential(<client secret>),
new Microsoft.Identity.Client.TokenCache(),
new Microsoft.Identity.Client.TokenCache());
var authResult = await cl.AcquireTokenOnBehalfOfAsync(new[] {
"Sites.Read.All"
},
new Microsoft.Identity.Client.UserAssertion(accessToken));
Error:
AADSTS50013: Assertion contains an invalid signature. [Reason - The provided signature value did not match the expected signature value., Found key 'Start=02/18/2018, End=02/19/2020, Thumbprint=oZkMJ7Omv9GN7JVM', Configured keys: [Key0:Start=02/18/2018, End=02/19/2020, Thumbprint=oZkMJ7Omv9GN7JVM;Key1:Start=03/31/2018, End=03/31/2020, Thumbprint=xq4mEGikJ5Bkblfw;Key2:Start=11/16/2016, End=11/16/2018, Thumbprint=i1DVz66b9dfpPV3Z;]]\r\nTrace ID: 6ec996c8-517c-4baa-815b-54cee7913f00\r\nCorrelation ID: 4cc9d7dd-3879-4be4-a067-ed80eaaaad1d\r\nTimestamp: 2018-04-24 07:10:23Z
If I make a regular web app (not an Office add-in) and use MSAL.js to get an access token, that token validates fine.
As far as I can tell, there's a difference in the signature of the MSAL.js token versus the Word Add-in token. I'm using the same scopes, client ID and tenant ID.
The solution was to make sure that I'm getting the token correctly from the Word Add-in. IE11 F12 Developer Tools truncates strings when outputting a variable in the console window, so I just printed it on the UI instead and it works fine now.
Thanks Wayne Yang for helping me get to this point. :)
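A structural check that would have caught the truncated token described above before it reached the on-behalf-of call, as an added example that is not part of the original post. It assumes RS256 tokens signed with a 2048-bit RSA key (a 256-byte signature); checkJwtShape, its helpers and the sample token with its filler signature are constructed for illustration, and the check does not verify the signature.

```javascript
// Added example: shape check for a JWT before using it as a user assertion.
// Assumption: RS256 with a 2048-bit RSA key, so the signature is 256 bytes.
const EXPECTED_SIG_BYTES = { RS256: 256 };

function b64urlToBinary(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
}

function toB64url(binary) {
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Returns { ok, reason }. This does NOT verify the signature; it only detects
// tokens that were cut short or mangled on the way from the add-in.
function checkJwtShape(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) {
    return { ok: false, reason: "expected 3 segments, got " + parts.length };
  }
  let alg, sigBytes;
  try {
    alg = JSON.parse(b64urlToBinary(parts[0])).alg;
    JSON.parse(b64urlToBinary(parts[1])); // payload must also be JSON
    sigBytes = b64urlToBinary(parts[2]).length;
  } catch (e) {
    return { ok: false, reason: "a segment failed to decode" };
  }
  const want = EXPECTED_SIG_BYTES[alg];
  if (want !== undefined && sigBytes !== want) {
    return { ok: false, reason: "signature is " + sigBytes + " bytes, expected " + want };
  }
  return { ok: true, reason: "shape matches alg " + alg };
}

// Constructed sample token: 256 filler bytes stand in for a real signature.
const sampleToken = [
  toB64url(JSON.stringify({ alg: "RS256", typ: "JWT" })),
  toB64url(JSON.stringify({ sub: "constructed-user" })),
  toB64url("\x01".repeat(256)),
].join(".");

console.log(checkJwtShape(sampleToken));                       // intact token
console.log(checkJwtShape(sampleToken.slice(0, 200)));         // cut short
console.log(checkJwtShape(sampleToken.slice(0, 100) + "...")); // console-style ellipsis
```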
I have got Access token from "https://oauth.intuit.com/oauth/v1/get_request_token" using the REST API in Apex. When I pass the response to the authorization URL as shown below
https://appcenter.intuit.com/Connect/Begin?oauth_token_secret=xEtlEPu7ljKAeWRYM6pZwY02e8ewZcZ2txR1xpix&oauth_callback_confirmed=true&oauth_token=qyprdc5t2G9j8TcR8AW1123BCD3iy4M0PSBwsk84Rl8WhmCa
I get this error
Oops! An error has occurred.
Please close this window and try again.
Error Code: no_such_database
Message: Application not found by appToken
Any kind of help will be much appreciated.
I am not sure if you figured it out, but the URL for authorization actually seems different from the documentation:
https://appcenter.intuit.com/Account/DataSharing/Authorize?oauth_token=YYYY
I used this url for authorization and it worked.
Instead of the old user authorization link (https://appcenter.intuit.com/Connect/Begin), use the new link (https://appcenter.intuit.com/Account/DataSharing/Authorize).
After generating the request token and secret, redirect to the new link. This will lead to the user authorization pages. Once authorized, it will redirect back to our callback URL.
Code Example:
$userAuthUrl = "https://appcenter.intuit.com/Account/DataSharing/Authorize";
$signedUrl = "{$userAuthUrl}?oauth_callback={$callBackUrl}&oauth_consumer_key={$consumerKey}&oauth_nonce={$nonce_random}&oauth_signature_method=HMAC-SHA1&oauth_timestamp={$timestamp}&oauth_token={$reqToken}&oauth_version=1.0&oauth_signature={$signature}";
header("Location:$signedUrl");
Authorized URL is not correct.
It should be like -
https://appcenter.intuit.com/connect/begin?oauth_token=qyprdsGhfVztCxWPDIXbPYjVybkwxNAvUdNNaiaTabcde
Here oauth_token is actually request_token (not request_secret), which you get as part of the first call of the OAuth1.0a flow,
i.e. https://oauth.intuit.com/oauth/v1/get_request_token
Please refer to this sample Java code, which shows all the 3 steps required to generate accessToken and accessSecret (OAuth1.0a).
https://gist.github.com/manas-mukh/b6450bb28506e1302463