How to add user attribute values to token when impersonating in Keycloak - spring-boot

I am trying to impersonate a user (tony123) using a superadmin (superadmin). The steps I am following are as follows.
Get access token for superadmin as below.
curl --location --request POST 'http://localhost:8180/auth/realms/tenant/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=superadmin' \
--data-urlencode 'password=<superadmin-password>' \
--data-urlencode 'client_id=<source-client-id>' \
--data-urlencode 'client_secret=<source-client-secret>'
With the above token, I am getting the impersonated user's (tony123) token as follows.
curl --location --request POST 'http://localhost:8180/auth/realms/tenant/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<source-client-id>' \
--data-urlencode 'client_secret=<source-client-secret>' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'subject_token=<access token got in step one>' \
--data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token' \
--data-urlencode 'requested_subject=<user id of tony123>'
I am able to get the correct impersonation token by following the above two steps. This impersonation token only contains the preferred_username and email attributes of tony123. I would like to further customise the impersonation token by adding the phone_number from the user attributes map. I am unable to do so.
I tried adding a mapper for phone_number in the source-client in Keycloak admin. This was an unsuccessful attempt. How can I achieve this?

First, create your custom attributes; then, in the client mappers, add a token mapper of type User Attribute.
Take a look at this page.
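Added example (not code from the question or the answer): the two-step flow as Python, with an unverified decode of the returned token so you can check whether the phone_number claim the User Attribute mapper should produce is actually present. The endpoint and credentials are placeholders copied from the question; the optional `audience` form field is the one Keycloak's token-exchange documentation describes as selecting the client the new token is issued for, so that client's mappers are the ones that shape the result.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholder endpoint taken from the question; adjust for a real realm.
TOKEN_ENDPOINT = "http://localhost:8180/auth/realms/tenant/protocol/openid-connect/token"
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def exchange_form(client_id, client_secret, subject_token, requested_subject, audience=None):
    """Form body for step two. `audience` (optional) names the client the new token is
    issued for; without it Keycloak issues it for the calling client, whose mappers apply."""
    form = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": TOKEN_EXCHANGE, "subject_token": subject_token,
            "requested_token_type": ACCESS_TOKEN_TYPE, "requested_subject": requested_subject}
    if audience:
        form["audience"] = audience
    return form


def post_form(form):
    """POST an x-www-form-urlencoded body to the token endpoint; the only network call."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def jwt_claims(token):
    """Decode a compact JWT's payload WITHOUT verifying the signature: fine for seeing
    which claims the mappers produced, never for trusting the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_claims(token, expected=("preferred_username", "email", "phone_number")):
    """Names from `expected` that the issued token does not carry."""
    claims = jwt_claims(token)
    return [name for name in expected if name not in claims]


def unsigned_jwt(claims):
    """Constructed sample token (alg none, empty signature) for offline checks only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."
```

Run the real flow as `post_form(exchange_form(...))["access_token"]` after obtaining the superadmin token, then hand the result to `missing_claims`; an empty list means the mapper took effect.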

Related

pinterest access token giving error authentication failed

I am using the below command to get an access token
curl -X POST https://api.pinterest.com/v5/oauth/token \
--header 'Authorization: Basic {base64 encoded string made of client_id:client_secret}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code={YOUR_CODE}' \
--data-urlencode 'redirect_uri=http://localhost/'
I am getting
{"code":2,"message":"Authentication failed."}
client_id and secret are correct. Any pointers will be helpful.
Regards,
Rita

Send HTTP POST request to InfluxDB manually with browser

Hello,
I'm currently using grafana to visualize data from InfluxDB, and would like to use a hyperlink in the form of an HTTP request from a dashboard to insert data into the database.
Is something like this possible?
This is possible.
In InfluxDB v1.X, you could do:
curl -i -XPOST 'http://localhost:8086/write?db=mydb' --data-binary 'cpu_load_short,host=server01,region=us-west value=0.64 1434055562000000000'
In InfluxDB v2.X, you could do:
curl --request POST \
"http://localhost:8086/api/v2/write?org=YOUR_ORG&bucket=YOUR_BUCKET&precision=ns" \
--header "Authorization: Token YOUR_API_TOKEN" \
--header "Content-Type: text/plain; charset=utf-8" \
--header "Accept: application/json" \
--data-binary '
airSensors,sensor_id=TLM0201 temperature=73.97038159354763,humidity=35.23103248356096,co=0.48445310567793615 1630424257000000000
airSensors,sensor_id=TLM0202 temperature=75.30007505999716,humidity=35.651929918691714,co=0.5141876544505826 1630424257000000000
'
See more details here and there.

Keycloak: After logout, the logout session NOT active

I have to implement biometric authorization which is based on our current Keycloak (SSO) system.
So I tried to create a long-lived refresh token which is activated even when I log out.
Here is the curl:
curl --location --request POST \
'http://localhost:8089/auth/realms/EXTERNAL/protocol/openid-connect/token?prompt=consent&scope=offline_access' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'prompt: consent' \
--header 'scope: offline_access' \
--data-urlencode 'client_id=client-credential' \
--data-urlencode 'refresh_token=<refresh-token>' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'scope=offline_access' \
--data-urlencode 'client_secret=58f28165-1553-4543-9c66-c2e8c65fexxx'
But I received: "Session not active"
How can I fix that problem?

How to use Bash command line to curl an API with token and payload as parameters

I am a novice and first-timer to bash. I am trying to run bash from the command line to invoke an API, passing a token and a payload that are received from two different APIs and set as parameters. Below is my command. I am trying to add this bash script to a task in an Azure Batch service job.
It has 3 curl requests:
First one (Line#1 in the code snippet below) - gets the payload by calling an API. This is working fine; I am able to verify the payload using the echo statement following the first curl command.
Second one (Line#3 in the code snippet below) - gets the token by calling the token provider. This is working fine as well, verified using the echo statement.
Third one (Line#5 in the code snippet below) - this is the problematic command. I am trying to pass the token and payload received from the above two commands, and curl is not able to resolve them.
Both token and payload are not resolving to their values.
My Bash command:
/bin/bash -c
"payload=$(curl --location --request GET 'http://url/OutreachData')
&& echo -e \"The value of payload is: "'$payload'"\"
&& token=$(curl --location --request POST 'https://login.microsoftonline.com/<<tenantId>>/oauth2/v2.0/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=<<clientId>>' --data-urlencode 'scope=api://<<applicationId>>/.default' --data-urlencode 'client_secret=<<clientSecret>>' --data-urlencode 'grant_type=client_credentials' --data-urlencode 'Audience=api://<<applicationId>>'|jq -j '.access_token')
&& echo -e \"value of token is "'$token'"\n\"
&& result=$(curl --location --request POST 'https://url/api/<<Resource>>' --header 'accept: */*' --header 'Content-Type: application/json' --header 'Authorization: Bearer '"'$token'" --data-raw "'$payload'")
&& echo -e \"Result is "'$result'"\""
This is how the third curl resolves; payload and token are not getting replaced, as we can see in the authorization header and data-raw elements:
++ curl --location --request POST https://url/api/ --header 'accept: /' --header 'Content-Type: application/json' --header 'Authorization: Bearer ' --data-raw ''''''''
There should be no need to explicitly run this with bash -c unless you are in a very constrained environment where you simply cannot run Bash by any other means.
The immediate problem is that code like
bash -c "echo "'$token'" && true"
ends up with $token being single-quoted in the shell which you run bash -c from. But the blazingly obvious fix is to not have this complex quoting in the first place.
payload=$(curl --location --request GET 'http://url/OutreachData')
echo "The value of payload is: '$payload'"
token=$(curl --location --request POST \
'https://login.microsoftonline.com/<<tenantId>>/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<<clientId>>' \
--data-urlencode 'scope=api://<<applicationId>>/.default' \
--data-urlencode 'client_secret=<<clientSecret>>' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'Audience=api://<<applicationId>>' |
jq -j '.access_token')
echo "value of token is '$token'"
result=$(curl --location --request POST \
'https://url/api/<<Resource>>' --header 'accept: */*' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer '"$token" \
--data-raw "$payload")
echo "Result is '$result'"
If your current shell is not Bash and you need these commands to be run in Bash, a simpler workaround is to put the script in a here document, which drastically simplifies the quoting needs (or if this is in an interactive session, just run bash and run these commands at the interactive Bash prompt, then exit when you no longer want to be in Bash).

Yammer Activity changes Message

Is it possible to use a URL in both a message and an activity in Yammer?
Using the messages API, it is possible to construct a message which is:
Properly linked (in this example clicking on Title goes to example.com/id/1/); and
Includes an image (placehold.it/100x100).
For example:
#!/bin/bash
GROUP={GROUP}
TOKEN={TOKEN}
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
--data "body=hello" \
--data "group_id=$GROUP" \
--data "og_fetch=false" \
--data "og_url=http%3A%2F%2Fwww.example.com%2Fid%2F2%2F" \
--data "og_title=Title" \
--data "og_image=http%3A%2F%2Fplacehold.it%2F100x100" \
--data "og_description=Description" \
--data "og_object_type=page" \
--data "og_private=true" \
https://www.yammer.com/api/v1/messages.json
Using the activity API it is possible to make an Open Graph object:
Example:
#!/bin/bash
TOKEN={TOKEN}
EMAIL={EMAIL}
curl -X POST \
-H "Content-type: application/json" \
-H "Accept: application/json" \
-H "Authorization: Bearer $TOKEN" \
-d '{"activity":{"actor":{"email":"'$EMAIL'"},"action":"create","object":{"url":"http://www.example.com/id/1/","image":"http://placehold.it/110x110","title":"Title","type":"page"}},"private":"false","message":"This is an update"}' \
https://www.yammer.com/api/v1/activity.json
The problem is that now the original message from Step 1:
No longer links to the actual content (it links to https://www.yammer.com/{network}/graph/{id})
Loses its image (it is now mug0.assets-yammer.com/mugshot/images/75x75/3rd_party.png)
As an aside, the open graph object doesn't update for the new image provided in the activity post (110x110 vs 100x100). The docs (https://developer.yammer.com/v1.0/docs/open-graph) say "when an OG object exists (with the same URL), it is updated appropriately."
In one example you have the open graph object set to private and in the other to public. That may be causing the weird issue you are seeing.
"og_private=true"
