I have to get login credentials from a 3rd service which require a PKCE to authenticate.
I was thinking to use django-allauth to do it but I can't find a way to send the pkce in my request. There is nothing fancy in the way I'm doing it.
I generate a PKCE but where can I add it in the allauth request ?
The configuration is quite simple atm, I did a custom SOCIALACCOUNT_PROVIDERS in my settings.py. It contact the server but the PKCE ( code_challenge ) is missing.
SOCIALACCOUNT_PROVIDERS = {
"auth0": {
"AUTH0_URL": provider,
"APP": {
"client_id": client_id,
"secret": secret
"key": "",
"code_challenge": code_challenge
}
}
}
Any idea ? Thanks
Try adding AUTH_PARAMS
SOCIALACCOUNT_PROVIDERS = {
"auth0": {
"AUTH0_URL": provider,
"APP": {
"client_id": client_id,
"secret": secret
"key": "",
},
'AUTH_PARAMS': {
'code_challenge_method': 'S256',
'code_challenge': '362t6atUC1Fz'
}
}
}
Related
I need to create a new user using postman
I use the address: http://localhost:1337/api/users, make a POST request to it with the following data:
{
"data": {
"username": "Rafael",
"email": "rafael#rafael.com",
"password": "1234",
"confirmed": false,
"blocked": false
}
}
But I get
{
"data": null,
"error": {
"status": 500,
"name": "InternalServerError",
"message": "Internal Server Error"
}
}
And in VS Code I get: error: Forbidden access
What could it be?
Forbidden access 403, can be caused by several things:
You didn't pass API token (jwt) to the request header (Bearer token)
You have to allow the user/admin role to access User collection.
You can find all the config in the Admin Panel Settings menu.
Create and manage API token in Strapi: https://docs.strapi.io/developer-docs/latest/setup-deployment-guides/configurations/optional/api-tokens.html#api-tokens
Configure admin role access: https://docs.strapi.io/user-docs/latest/users-roles-permissions/configuring-administrator-roles.html
Configure end-user role access: https://docs.strapi.io/user-docs/latest/users-roles-permissions/configuring-end-users-roles.html
Hope it helps!
I've a drf view with a signup that takes:
{
"github": "",
...
"user": {
"username": "john", "password": "pass"
}
}
ok, now I need to build a new endpoint that will accept no password:
{
"github": "",
...
"user": {
"username": "john"
}
}
The password is required, the serializer is much more bigger and complex. I've created a view like this:
#api_view(["POST"])
def add_user_no_pass(request):
request_data = copy.deepcopy(request._request)
request_data.get("user").update({"password": "12345"})
return SignUp.as_view()(request_data)
I've try a lot of things, that was my last try, basically I just need to add password to the user in the request before forward to the next view, I'm using drf.
Thanks.
tried to add the password in many ways to the request. But drf request is a little different from django.
I'm working on a Microsoft Teams tab and am planning to use some of the new RSC endpoints to retrieve members of the Team/group the app has been added to.
I have followed all steps from the RSC docs looked at the RSC sample code but still have an issue making Graph API calls to the beta rsc endpoints.
I have listed the RSC permission in the Teams manifest:
"webApplicationInfo": {
"id": "{AD_APP_CLIENT_ID}",
"resource": "https://notapplicable"
},
"showLoadingIndicator": true,
"authorization": {
"permissions": {
"orgWide": [],
"resourceSpecific": [
{
"name": "Member.Read.Group",
"type": "Application"
},
{
"name": "TeamSettings.Read.Group",
"type": "Application"
},
{
"name": "ChatSettings.Read.Chat",
"type": "Application"
},
{
"name": "ChatMember.Read.Chat",
"type": "Application"
},
{
"name": "ChannelSettings.Read.Group",
"type": "Application"
},
{
"name": "TeamMember.Read.Group",
"type": "Application"
}
]
}
}
Query Graph API like so:
GET https://graph.microsoft.com/beta/teams/{{group_id}}/channels/{{channel_id}}
Authorization: Bearer {{access_token}}
content-type: application/json
Where access_token is retrieved like so:
POST https://login.microsoftonline.com/{{ad_tenant_id}}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id={{ad_app_client_id}}&client_secret={{ad_app_client_secret}}&scope=https://graph.microsoft.com/.default
When I make the GET request to a group+channel which is in the same AAD as where the AAD Application is registered it works fine and information is returned. However, when I run the exact same code on a group+channel which is in a different AD it returns 403 Forbidden.
{
"error": {
"code": "Forbidden",
"message": "Missing role permissions on the request. API requires one of 'TeamMember.Read.All, TeamMember.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, TeamMember.Read.Group, Member.Read.Group'. Roles on the request 'Group.Selected'. Resource specific consent grants on the request ''.",
"innerError": {
"date": "2022-04-06T14:13:26",
"request-id": "ce212ed2-48dc-4a8e-a7ea-4172d0cfd4c4",
"client-request-id": "ce212ed2-48dc-4a8e-a7ea-4172d0cfd4c4"
}
}
}
The response mentions "Resource specific consent grants on the request ''." which seems to suggest it's either missing a header or another access token.
As mentioned before, this exact same code works perfectly fine when I use a group_id and channel_id from within the same AD tenant.
What other steps need to be done to get RSC calls working?
I've found the following documentation on how to send email using Office 365 rest API.
This is the example given on the doucmentation:
POST https://outlook.office.com/api/v2.0/me/sendmail
{
"Message": {
"Subject": "Meet for lunch?",
"Body": {
"ContentType": "Text",
"Content": "The new cafeteria is open."
},
"ToRecipients": [
{
"EmailAddress": {
"Address": "garthf#a830edad9050849NDA1.onmicrosoft.com"
}
}
],
"Attachments": [
{
"#odata.type": "#Microsoft.OutlookServices.FileAttachment",
"Name": "menu.txt",
"ContentBytes": "bWFjIGFuZCBjaGVlc2UgdG9kYXk="
}
]
},
"SaveToSentItems": "false"
}
This works fine if the user authorizes the application to act on it's behalf. However, I am using client crednetial to build a daemon application that acts on behalf of all users in the given tenant hence "POST https://outlook.office.com/api/v2.0/me/sendmail" couldn't work because its is referencing the "me" and can't tell which user is sending the email.
I would appericiate if you can help with sample example. FYI: I am using Java but your answer doesn't have to be in Java.
Replace the /me bit of the URL with /users/<userid>. You can not use /me for any API call with a token from client credentials.
I'm trying to get my head around oAuth2/IdentityServer4.
Using the sample application at
https://github.com/IdentityServer/IdentityServer4.Samples/tree/dev/Quickstarts/3_ImplicitFlowAuthentication
The following code in the MVC application:
#foreach (var claim in User.Claims)
{
<dt>#claim.Type</dt>
<dd>#claim.Value</dd>
}
Returns what appears to be identity token claims
nbf
1467173142
exp
1467173442
iss
http://localhost:5000
aud
mvc
nonce
636027699106782287.MDI0YzI5MTQtYmQxNy00MDllLWJmYzQtZjBhYzI2MGNjYmE3MDFmNzg1YmUtM2Y5ZC00YjBiLWEzOGItN2Q3ODRiODJlYjFl
iat
1467173142
c_hash
H2i5QeJKlHM5-s8vUTYlOw
sid
42b58d38e2b7c6cc653492742a08840b
sub
818727
auth_time
1467170555
idp
idsvr
name
Alice Smith
given_name
Alice
family_name
Smith
website
http://alice.com
amr
pwd
The following code in the API project
var claims = User.Claims.Select(c => new { c.Type, c.Value });
return new JsonResult(claims);
Returns what appears to be access token claims
{
"Type": "nbf",
"Value": "1467173142"
},
{
"Type": "exp",
"Value": "1467176742"
},
{
"Type": "iss",
"Value": "http://localhost:5000"
},
{
"Type": "aud",
"Value": "http://localhost:5000/resources"
},
{
"Type": "client_id",
"Value": "mvc"
},
{
"Type": "scope",
"Value": "openid"
},
{
"Type": "scope",
"Value": "profile"
},
{
"Type": "scope",
"Value": "api1"
},
{
"Type": "sub",
"Value": "818727"
},
{
"Type": "auth_time",
"Value": "1467170555"
},
{
"Type": "idp",
"Value": "idsvr"
}
Notice the code is essentially the same (return claims in the user identity principle) and lack of name/email but the inclusion of scope claims in the API example.
The token flow is essentially IdentityServer4 => MVC Project => API Project. Obviously the MVC project has both the identityToken and access token but it's not load the access token int User.Claims.
My goal is to have the scope claims available in User in the MVC project so that I can setup policies to work the Authorize attribute section off my MVC methods.
Startup for the API project is here: https://github.com/IdentityServer/IdentityServer4.Samples/blob/dev/Quickstarts/3_ImplicitFlowAuthentication/src/Api/Startup.cs
Startup for the MVC project is here:
https://github.com/IdentityServer/IdentityServer4.Samples/blob/dev/Quickstarts/3_ImplicitFlowAuthentication/src/Api/Startup.cs
Thanks,
dave
The question is kind of invalid, but I'll leave it here with reasons why and a solution to save others time.
Firstly, there are two tokens for two different purposes.
The Access Token: Describes the client, which is the software that uses the API. Any claims in here are granting the client access to API endpoints.
The Identity Token: This describes the User, or the human that uses the software that uses the API.
The original question was asking how to view Client related scopes in an Identity token, which obviously isn't valid.
However, you can include Identity scopes in an Identity token.
To do this, set Type to ScopeType.Resource and set IncludeAllClaimsForUser to true, as follows
new Scope()
{
Name = "ManageUsers",
IncludeAllClaimsForUser = true,
Type = ScopeType.Resource
},