i'm trying to use the jhipster tool in order to create a new project with the oauth2 authentication. The project example work fine, i can login with the angularjs interface, but can't understand how can i create a new user and then get the access token via Curl command line for this new user.
Thanks for your help
Step #1: Register the user.
Register a user at http://localhost:8080/#/register and make sure you can log in via the web interface.
Step #2: Obtain an OAuth2 token.
Information required for obtaining an OAuth2 token:
OAuth2 client id (see application.yml)
OAuth2 secret (see application.yml)
The user name and password used to register the new
user.
Required scope/s
Then, obtain an OAuth 2 token from the server:
curl -X POST -vu client:secret http://localhost:8080/oauth/token -H "Accept: application/json" -d "username=username&password=password&grant_type=password&scope=read&client_id=clientid&client_secret=secret"
.. returns something like this:
{"access_token":"7916d326-0f7f-430f-8e32-c5135a121052","token_type":"bearer","refresh_token":"2c69ca58-a657-4780-b5d8-dc965d518e9e","expires_in":1037,"scope":"read"}
Step #3: Use the token in calls to protected resources:
Then, the auth token must be supplied in the header on every call:
curl http://localhost:8080/app/rest/books -H "Authorization: Bearer 7916d326-0f7f-430f-8e32-c5135a121052"
Related
I want to retrieve an OpenShift Access Token with cUrl (or Python).
Authentication to our OpenShift Console is provided with AzureAD; that makes the earlier proposed solution with username and password impossible:
curl -u joostd -kv 'https://oauth-openshift.apps.ocp4.example.com/oauth/authorize?client_id=openshift-challenging-client&response_type=token'
Now I am trying to find a way to get an AD token from https://login/microsoftonline.com/<<tenant-id>>/oauth2/authorize and use that to get an access token.
I wish to use the Google Cloud Platform (GCP) REST API locally, starting with the apps.services.versions.instances.list method.
The route works when I use "Try this API" here, but how would I use this method locally with curl?
"https://appengine.googleapis.com/v1/apps/$APPSID/services/$SERVICESID/versions/$VERSIONSID/instances?key=$YOUR_API_KEY" \
--compressed \
--header 'Accept: application/json' \
--header "Authorization: Bearer $YOUR_ACCESS_TOKEN"
#=>
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
How do I access $YOUR_API_KEY and $YOUR_ACCESS_TOKEN? I have been unable to find either in the official GCP docs.
The fastest way is use Cloud Shell:
List projects to get project id
gcloud projects list
# save you project id
PROJECT_ID="YOURS_PROJECT_ID"
Get ACCESS_TOKEN
ACCESS_TOKEN=$(gcloud auth print-access-token)
Get API_KEY
API_KEY=$(curl -X POST https://apikeys.googleapis.com/v1/projects/$PROJECT_ID/apiKeys?access_token=$ACCESS_TOKEN | jq -r ".currentKey")
Print API_KEY and ACCESS_TOKEN
echo $ACCESS_TOKEN
echo $API_KEY
To run above commands on local machine first you need authenticate using command gcloud auth login and follow instructions.
Alternatively api key could be readed or created from console go to Navigation Menu -> APIs & Services -> Credentials and next click on CREATE CREDENTIALS -> API Key.
By reading the documentation (clicking on question mark next to Credentials) we can read:
[YOUR_API_KEY] - "Include an API Key to identify your project, used to verify enablement and track request quotas."
[YOUR_ACCESS_TOKEN] - "Include an access (bearer) token to identify the user which completed the OAuth flow with your Client ID."
You no longer need an API key. It's a legacy feature of Google APIs, provide only an access token is enough.
In command line you can do this
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" https://....
All the Google Cloud APIs are compliant with access token authentication. Few are still compliant with API keys.
About APIKeys API
This API has been published in beta and now closed. At least the documentation part. I don't know if this API is stable or subject to change. You can create an API key per API like this (very similar to Bartosz Pelikan answer)
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
-X POST https://apikeys.googleapis.com/v1/projects/PROJECT_ID/apiKeys
As you can see, I reuse the access token authentication mode
The above answers are using an API that isn't publicly available (I reached out to GCP support an confirmed.
I recommend using the CLI tool like so:
gcloud app instances list --service core-api --project my-project-name
docs: https://cloud.google.com/sdk/gcloud/reference/app/instances/list
You'll have to a gcloud auth first and probably set your project.
I'm trying to create a new project in the Google Cloud Platform using the Cloud Resource Manager API.
It all works fine when I use it through the API explorer however I don't quite understand how to use it as an http request outside of API Explorer.
I run the request like this:
curl -H "Content-Type: application/json" -X POST -d '{"name": "project example","projectId": "my-project-example-1234"}' https://cloudresourcemanager.googleapis.com/v1/projects?fields=response&key={MY_APY_KEY}
Response:
{
"error": {
"code": 401,
"message": "The request does not have valid authentication credentials.",
"status": "UNAUTHENTICATED"
}
}
The documentation says that this request requires an OAuth scope and that's when things get confusing to me.
Reading the documentation I could not understand how one of the required OAuth scopes can be passed with the URL when making the http request to the rest API which I'm only assuming is what I'm missing.
Rather than just tell you how to test with a working token, I'm going to try to more broadly answer what you're aiming to do.
At a pretty high level, you will need to:
Enable the Resource Manager API for your Cloud Console project.
Create an OAuth client ID for Web applications in the Cloud Console. You will need to register your authorized redirect URI. This is where your app will get the OAuth response back from Google when the end user authorizes your app. Note the client ID, you will need that next.
Start the OAuth flow by assembling your URL:
https://accounts.google.com/o/oauth2/v2/auth?
response_type=code&
client_id=<123456789example>.apps.googleusercontent.com&
scope=https://www.googleapis.com/auth/cloudplatformprojects&
redirect_uri=http://<YOUR-APP-URL>/<YOUR-OAUTH-HANDLER>
Replace in that URL the client ID and the redirect URI. I assume you'd have a button or link on your site where you would have the user click to start this flow.
Code your OAuth handler. Some more in-depth code for doing this in Go can be gleaned from this Go Sample, which was originally for G+ sign-in but much of the logic is going to be the same. You are going to get a code query parameter passed to your application, the value is a one-time authorization code that your application must exchange for your OAuth tokens that you use to make API calls on behalf of the user.
If appropriate for your app and situation, securely store your tokens for use later or for processing while your user is not active on your site (might be appropriate for batch processing).
Now that you have an access token, you can pass that to the Resource Manager API and create projects on behalf of the user. You might use the Go client library or you could call the HTTP endpoints directly in your code.
If you want more testing with curl, I'd follow the process that we wrote up accessing the App Engine Admin API. Substitute Admin API URLs and names for Resource Manager and you've got the overall flow. The difference from what's above, is I used a code flow above because I assume you want server-side and possibly refresh tokens if you need to be able to make these API calls while the user is not active on your site.
Like Alex says, you ask for scopes during OAuth authentication. One way to easily authenticate and obtain a Oauth access token is doing:
gcloud beta auth application-default login --scopes=https://www.googleapis.com/auth/cloudplatformprojects
As you can see, you can specify the scopes you want to gcloud and it will take care of authentication for you.
Then, you should be able to create a project calling:
curl -H "Content-Type: application/json" -H "Authorization: Bearer $(gcloud beta auth application-default print-access-token)" -X POST -d '{"name": "project example","projectId": "my-project-example-1234"}' https://cloudresourcemanager.googleapis.com/v1/projects?fields=response
Here, you are passing the access token obtained when you made Oauth authentication. This should be taken care of by the client libraries for you when you get the application default credentials.
I am new to Salesforce and SF workbench.
I have been given read access and login credentials to the SF workbench for one of out clients.
I know I can use SF Rest API to extract data from Salesforce object, but I guess I would need OAuth token to be able to do that.
Is there a way to extract those tokens from the workbench to do simple rest api curl commands?
If you setup a Connected App in Salesforce (any org, including a developer org) and enable OAuth then you can use the following curl command to create an OAuth token from a username and password:
curl https://login.salesforce.com/services/oauth2/token \
-d "grant_type=password" \
-d "client_id=YOUR_OAUTH_CONSUMER_KEY" \
-d "client_secret=YOUR_OAUTH_CONSUMER_SECRET" \
-d "username=YOUR_USERNAME" \
-d "password=YOUR_PASSWORD"
From Workbench if you select Session Information from the Info menu and expand the Connection folder you will see a Session Id value this is your current session token and it can be used for Curl REST commands.
You could also use the REST Explorer found under the Utilities menu to do your simple REST API commands.
How to tell if instance specific Salesforce URL is from Sandbox or Production, if I have the URL and Session Id only?
If you know the instance & sessionId, then you can call the REST api's discovery service at {instance}/services/data/v25.0 passing the sessionId in a Authorization header, e.g. using curl this would be
curl -v -H "Authorization: OAuth {sessionId}" https://{instance}/services/data/v25.0/
This returns you the discovery data, including the users Identity Id, e.g.
"id": "https://login.salesforce.com/id/00D300000000QSfEAM/00530000000dImzAAE"
If the host is login.salesforce.com its production, if its test.salesforce.com its sandbox.