When running a GraphQL query with the GitHub CLI that uses the projectsV2, I get an error complaining about missing scopes:
Your token has not been granted the required scopes to execute this query. The 'projectsV2' field requires one of the following scopes: ['read:project'], but your token has only been granted the: ['admin:public_key', 'gist', 'read:org', 'repo'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.
Sample Query:
> gh api graphql -f query='{
organization(login: "MyOrg") {
projectsV2(last: 20) {
nodes {
title
}
}
}
}'
How can I elevate the permissions of GitHub's CLI?
By default, GitHub's CLI only requests a few scopes when authenticating via gh auth login. However, the new projectsV2 requires read:project as well.
This can be solved by requesting an additional scope during login, like so:
> gh auth login --scopes read:project
Or, if you also need to write to projects, you might even need full access to projects, like so:
> gh auth login --scopes project
Note that you might need to logout first: gh auth logout
Related
I'm working with Amplify, I added the authentication to my application and my graphQL schema is with rule private, all things work good in my local, each graphQl api called, It contains the access token and appSync accept my request.
But when I deploy my App, I get an error because all my graphQl request still with api-key not with access token.
my schema.graphQl
My AWSAppSyncClient
In the console I use this configuration:
In my local : all thins work good after authentication.
In production : graphQl still with api-key after authentication
Based on this documentation I ran amplify update api:
From there the command line prompts you to select the API type:
? Please select from one of the below mentioned services:
> `GraphQL`
? Select a setting to edit:
> `Authorization modes`
? Choose the default authorization type for the API
API key
Amazon Cognito User Pool
❯ IAM
OpenID Connect
I updated the default authorization type for the API to be Amazon Cognito User Pool instead of API key.
Then I had to run amplify push --appId YOUR_APP_ID --envName YOUR_STAGING_ENV to sync up the changes.
We have a Cognito User Pool which is connected to an AppSync API. In the graphql.schema we limit which users can access which endpoints like this:
type Mutation {
createProject(projectInput: CreateProjectInput!): Project!
#aws_auth(cognito_groups: ["StandardUsers"])
}
The AppSync endpoints fire Lambdas which get the details of the Cognito user used to authenticate like this:
const cognitoIdentity: AppSyncIdentityCognito = event.identity as AppSyncIdentityCognito
const user: User = {
id: cognitoIdentity.sub,
username: cognitoIdentity.username,
groups: cognitoIdentity.groups
}
We're authenticating using the Amplify JS library.
The user can happily hit the endpoint when part of the Cognito group, but if I remove them (via the AWS console) they can continue to hit the endpoint!!
If they logout and back in they are then denied access to the endpoint.
How can have an immediate "kill switch" to ensure users no longer have these privileges?
Cognito is a stateless authentication method by design. Once a user logs in they are given tokens for that particular session. So until these tokens expire they get all the privileges defined in these tokens. You cannot manually expire these tokens once issued, but you can blacklist them using your own implementation.
Your requirement is for stateful authentication. You will need to implement this yourself using a database and custom authorizers that check for "blacklisted" tokens.
So I'm trying to use the Home Graph API by calling the API endpoint
https://homegraph.googleapis.com/v1/devices:requestSync
It is a HTTP POST request and it needs an ACCESS_TOKEN and service account key.
Getting the service account key is easily done as per Google's documentation. The issue is getting the ACCESS_TOKEN.
As per this documentation by Google, I need to get ACCESS_TOKEN created using the following scope of permissions
https://www.googleapis.com/auth/homegraph
I opened OAuth 2.0 Playground to request a developer temporary ACCESS_TOKEN for testing. I wrote all the necessary urls and in scope I wrote this-
scope is written to be authorized
Now after this, I am navigated to my Authorization URL (ie, Google's sign in page). I login with email id and password.
If credentials are correct and scope mentioned is valid then I should have been redirected to OAuth playground page with authorization code which I would have exchanged for access token and refresh token.
But, what actually happens is after I enter my credentials, I get following error and I am never redirected to Oauth Playground page-
Authorization Error
Error 400: invalid_scope
Some requested scopes cannot be shown: [https://www.googleapis.com/auth/homegraph]
Request Details
access_type=offline
o2v=2
response_type=code
redirect_uri=https://developers.google.com/oauthplayground
prompt=consent
client_id=xxxxxxxxx.apps.googleusercontent.com
scope=https://www.googleapis.com/auth/homegraph**
I searched a lot online too, but couldn't find the actual reason.
So due to this issue with scope, I am not able to get ACCESS_TOKEN.
I have followed Google's documentation and the scope was mentioned there.
This is the pic from oauth 2.0 playground settings- OAuth 2.0 configuration
The issue is that you, a user, should not be getting and sending an access token. The service account should be getting and sending an access token. This is to make sure your service is authorized to talk to the Home Graph API.
You indicated you logged into the OAuth playground with "userid and password". But service accounts don't have passwords.
If you are using one of Google's libraries, it will take care of getting the access token for you, and this is the easiest way to do so. If you are just testing and need an access token, you can use something like oauth2l to get the access token based on the service account credentials.
I had implemented the REST approach to call HomeGraph Report State as below.
We need to follow the below steps:
Create a service account for your project and safely store the json file
Using the service account JSON, get the access token from Google
Using Oauth 2.0 token as Bearer authorization, invoke Report State API
Step 1:
This is straightforward. Please follow the steps in the below link
https://developers.google.com/assistant/smarthome/develop/report-state#expandable-1
Step 2:
Refer below code to get the Access token using service account json
GoogleCredentials credentials = GoogleCredentials
.fromStream(Helper.class.getClassLoader().getResourceAsStream("smart-home-key.json"))
.createScoped("https://www.googleapis.com/auth/homegraph");
credentials.refreshIfExpired();
AccessToken token = credentials.getAccessToken();
return token.getTokenValue();
Step 3:
Invoke Report State API
curl -X POST -H "Authorization: Bearer [[Access token from Step 2]]"
-H "Content-Type: application/json"
-d #request-body.json
"https://homegraph.googleapis.com/v1/devices:reportStateAndNotification"
Reference Links :
https://developers.google.com/assistant/smarthome/develop/report-state#http-post
https://cloud.google.com/endpoints/docs/openapi/service-account-authentication
https://developers.google.com/identity/protocols/oauth2/service-account#httprest_1
https://developers.google.com/assistant/smarthome/develop/report-state#expandable-1
I used this curl command to retrieve session details for a user in keycloak:
curl -X GET \
-H 'Authorization: Bearer $TOKEN' \
http://192.168.X.X:8080/auth/admin/realms/$REALM_NAME/users/$ID_OF_CLIENT/sessions
and in response we have:
[{
"id":"194d6b10-5b94-42c3-86d8-4d1780f70f52",
"username":"admin",
"userId":"e258f775-3597-4a72-a490-7bgd7c1cdfdb",
"ipAddress":"192.168.X.X",
"start":1589006511000,
"lastAccess":1589007060000,
"clients" :
{
"53d98bf8-fffd-484c-aae8-500a7cf7a8b6":"authz-servlet",
"9bc56128-972e-41fe-8946-3ce4b5660e24":"authz-client-app3"
}
}]
now I need to add some more details in the session information such as browser version for the logged-in user. Is there any way to add these details?
I suggest you to take a look at userinfo OIDC endpoint. Comparing to you current approach (utilizing Admin REST Api with administrative token) it accepts token issued for end user. If it ok for you, you will be able to customize endpoint output as you want. Customization available at Client Scopes and Mappers tabs in client settings.
Set of mappers available by default is quite wide but
i'm afraid by default Keycloak is not preserve information about UA, so you have to develop your own logic to extract it during login flow and than to store it in user session. If you are not familiar with implementing Keycloak Java SPI you can try to do implement your logic via JS mapper.
https://www.keycloak.org/docs/latest/server_admin/index.html#_protocol-mappers_oidc-user-session-note-mappers
https://www.keycloak.org/docs/latest/server_development/#_script_providers
AFAIK some examples should be in keycloak github
I am trying (and failing) to use OAuth2 to make calls to the admin.directory.group scope via a command line script. I tried configuring a Service Account to do this, but get this error message:
Error calling GET https://www.googleapis.com/admin/directory/v1/groups/foo%40example.com: (403) Not Authorized to access this resource/api
I also tried using an "Installed" application type, taking the manual step of obtaining an authorization code and subsequently a refresh token, but got the same Not Authorized error.
I do have "Enable API access" checked, and also have "Admin SDK" enabled in my project (though oddly it doesn't list admin.directory.group as one of Admin SDK's scopes).
What am I doing wrong?
Have you add the client ID in your Admin Console to grant Admin SDK third party client oauth access?
Here is an instruction on how to do that for task API:
https://developers.google.com/google-apps/help/articles/2lo-in-tasks-for-admins#manage
It should be similar for Admin SDK except you will have to put Admin SDK as the scope
I finally got this to work using a service account. I did have to grant 3rd party access as Emily Lam suggested, but by a different means:
Log in to admin console
Security -> Advanced settings -> Authentication ->
Mange third party OAuth Client access
Authorize a new client by setting the Client Name to the Client ID of the service account, and the the API scope to whatever you need from the Admin SDK (e.g., https://www.googleapis.com/auth/admin.directory.group)
The other thing I needed to do was make sure my request was being made on behalf on an administrative user. Using the PHP API, setting up the credentials object looks like this:
$cred = new Google_Auth_AssertionCredentials(
$clientEmail,
'https://www.googleapis.com/auth/admin.directory.group',
file_get_contents($keyFile));
$cred->sub = 'admin#example.com';
Now I am able to successfully make calls using the Google_Service_Directory class.