I have used the below instructions to create okta application
Create an Okta developer account at https://developer.okta.com/signup/
Set up your application in your Okta account using instructions
at https://developer.okta.com/docs/guides/implement-password/setup-app/. You may name the application "Millenium Care
Inc. API".
Navigate to Directory -> People. Add two users: Joe Intake (jintake#milleniumcare.com) and Joe Adjudicator (
jadjudictor#milleniumcare.com). Use "Set by Admin" option for creating the passwords. Make sure to take note of the
usernames and passwords from this step.
Navigate to Directory -> Groups. Add two groups: "Adjudicators" and "Intake". Add both users Joe Intake and Joe
Adjudicator to the Intake group. Add user Joe Adjudicator alone to the Adjudicators group.
Navigate to the "Manage Apps" option for each group, and add the "Millenium Care Inc. API" application to each group.
Navigate to Security -> API. Under "Authorization Servers", select the "default" authorization server. Select the "
Claims" tab. Add a new claim with the following values:
Name: groups
Included in token type: Access Token
Value Type: Groups
Filter: Matches regex .*
Disable claim: unchecked
Include in: Any scope
Navigate to Applications -> Millenium Care Inc. API. Take note of the Client ID, Client secret and Okta domain.
I used the following command to create bearer token
curl --location --request POST 'https://{{OKTA_DOMAIN}}.okta.com/oauth2/default/v1/token' \
--header 'accept: application/json' \
--header 'authorization: Basic {{CLIENT_CREDENTIALS}}' \
--header 'content-type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=jadjudicator#milleniumcare.com' \
--data-urlencode 'password=Password#1' \
--data-urlencode 'scope=openid'
But when I tried to create a bearer token, I get this
{
"error": "invalid_grant",
"error_description": "The credentials provided were invalid."
}
In step-2, okta's docs tells to create
Select Resource Owner Password as one of the allowed Grant type. But authorization is checked already.
What steps have I missed, or done incorrect?
CLIENT_CREDENTIALS is base64 encoded form of "$CLIENT_ID:$CLIENT_SECRET"
Environment: Windows 10, GIT Bash and/or Postman
FYI. I signed up with company-email which is different than domain in users
Related
I am building an Github OAuth app and attempting to see if I can validate the access_token returned by github upon login. The access_token is returned by github by making a POST call to the end point https://github.com/login/oauth/access_token and passing in CLIEND_ID and CLIENT_SECRET provided by github. Using this access_token, we can then access users information. My main question is, is there an end point to validate this token? I wanted this because I am running a node server which accesses files on github. As of now, the node end point is open and anyone can just call the functions in it. In each function, I would like to check if the user has a valid token or not before returning data to them and as such, have some form of security to my node API.
This is how I get the access_token in node
const params = "?client_id="+CLIENT_ID+"&client_secret="+ CLIENT_SECRET +"&code="+req.query.code;
await fetch("https://github.com/login/oauth/access_token"+params,{
method: "POST",
headers:{
"Accept": "application/json"
}
}).then((response) => {
return response.json();
}).then((data)=> {
res.json(data);
});
I have tried the following cURL end points, and it does return data
curl -H 'Authorization: token myGitHubAccessToken' https://api.github.com/user/repos
reference: https://onecompiler.com/questions/3uxsn58yz/how-to-test-a-github-access-token-is-valid
The above command does return data and my client ID, so it is somewhat useful. However, the access_token, which github returns a new one every time the user logs in, it itself seems to never expire. So I can copy a previously returned token to get the same data dump in the above command. I had read whats the lifetime of Github OAuth API access token that the token never expires, but then that itself is an issues. Is there some other method I should use to get around this issue? I dont want my API's to be open. If I could validate the access_token provided by github in every one of the node functions and also have it expire upon logging out, the issue will be resolved.
Also tried some options mentioned here: https://developer.github.com/changes/2/
of which, https://docs.github.com/en/rest/apps/oauth-applications?apiVersion=2022-11-28#check-a-token
made the most sense to me. But the cURL command given on that page:
curl \
-X DELETE \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/applications/Iv1.8a61f9b3a7aba766/token \
-d '{"access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a"}'
does not seem to work. It returns Bad Data.
Please advise! Thank you!!
Found the answer:
To check access token:
curl -H 'Authorization: token access_token' https://api.github.com/user/repos
The above command returns repos. For me, this is enough because I just want some reply from github using the token thats not a 404
To delete the token:
curl \
-X DELETE \
-H "Accept: application/vnd.github.v3+json" \
-u CLIENT_ID:CLIENT_SECRET \
https://api.github.com/applications/CLIENT_ID/token \
-d '{"access_token":"ACCESS_TOKEN"}'
Reference: Remove/revoke GitHub OAuth 'access_token'
Apologies for the bad editing. Cant get it to look just right.
How can I pass username and
Password in invoke http processor. ( I am invoking this nifi-api/token to generate token ) it’s required username and password to authorise .
I am passing username and password in request username and request password. But still it’s not working
When you want to generate a token for the NiFi API for it to be used in subsequent API calls of NiFi you need to pass the credentials as x-www-form-urlencoded.
This can be achieved like this using a cURL command
curl --location --request POST 'https://server_URL/nifi-api/access/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=<USER_NAME>' \
--data-urlencode 'password=<PASSWORD>'
If you are familiar with Postman then you can use the Body tab and select x-www-form-urlencoded and define the credentials as Key and Value pair. This would generate you the token for the NiFi.
This question is about the search-tweets-ruby client provided by twitter for use with their premium and enterprise API's.
I am following the instructions and run into a 'Bad Authentication data' error when running the app (via terminal - Mac OS X) to retrieve tweets with a single rule.
The 'bearer token' and 'dev environment' are correct because a Curl request works.
The following are the contents of my ./config/config.yaml file
auth:
app_token: my_generated_bearer_token
labels:
environment: my_dev_environment_name
options:
search_type: premium
archive: fullarchive
max_results: 500
write_mode: standard-out
out_box: ./output
I'm not sure what I'm missing here, but would appreciate an assist. I haven't worked with the Twitter API before, although I've reviewed the documentation before asking on SO.
Thanks, everyone.
Update:
The first sample call, from the provided link is:
$ruby ./search-app.rb -r "snow profile_region:colorado has:media".
This yields a 'bad authentication error'.
I provided the contents of my yaml file, because presumably that is the only difference between the Curl request and the client app, if the 'bearer token' and 'environment name' work with Curl.
curl --request POST \
--url https://api.twitter.com/1.1/tweets/search/30day/prod.json \
--header 'authorization: Bearer AAAAAAAAAAAAAAAAAAAAAMLheAAAAAAA0%2BuSeid%2BULvsea4JtiGRiSDSJSI%3DEUifiRBkKG5E2XzMDjRfl76ZC9Ub0wnz4XsNiRVBChTYbJcE3F' \
--header 'content-type: application/json' \
--data '{
"query":"from:TwitterDev lang:en",
"maxResults": "100",
"fromDate":"201811010000",
"toDate":"201811062359"
}'
There is no code.
I think the issue is that your YAML file is configured for the full-archive search endpoint, yet your CURL-based call is going to the 30-day search endpoint. If you update the YAML file to point to the '30day' endpoint, I suspect it will succeed.
I have tried both key 1 and key 2 from the Azure Resource Management > Keys page with the following, where foo is a direct copy/paste:
curl -X POST "https://api.cognitive.microsoft.com/sts/v1.0/issueToken?Subscription-Key=foo" --data ""
curl -X POST "https://api.cognitive.microsoft.com/sts/v1.0/issueToken" -H "Ocp-Apim-Subscription-Key: foo" --data ""
In both cases I get:
{ "statusCode": 401, "message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription." }
Is there something I need to configure so I can I retrieve access tokens for my subscription? My ultimate goal is to use the access token to authenticate with a Custom Speech Service Endpoint. Thanks!
For some reason this URL worked instead of the one in the documentation:
https://westus.api.cognitive.microsoft.com/sts/v1.0/issueToken
Here's the complete command:
curl -X POST --header "Ocp-Apim-Subscription-Key:foo" --data "" "https://westus.api.cognitive.microsoft.com/sts/v1.0/issueToken"
In OKTA Admin screen, I expired the password associated with my username.
Tried the primary authentication (/authn) as described in http://developer.okta.com/docs/api/resources/authn.html. Got the proper status back as PASSWORD_EXPIRED and also a state token.
Invoked the change password API (ie /authn/credentials/change_password) with the above state token and old/new passwords. Instead of getting the success message, I am getting the error message "E0000011: Invalid token provided".
My developer API token and state tokens are correct. Not sure why I am getting this error. Can you please help?
Thanks
Nara
After you expire the password in the the UI, the user of the expired password is no longer in an ACTIVE state. Specifically, they're set to a PASSWORD_EXPIRED state which does not allow password resets. This is a security feature as the intent of explicitly setting a user in the state is to limit constrain their access to the system.
Note that the user event model is documented in the Okta Developer Guide at http://developer.okta.com/docs/api/resources/users.html#user-status
Before you can change a user password, you need to re-activate the user.
curl -X POST \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-H "Authorization: SSWS {{apikey}}" \
-H "Cache-Control: no-cache" \
-d '' https://{{url}}/api/v1/users/00u36pr8k9DMRAQBVMWZ/lifecycle/activate?sendEmail=false