I am facing issues while provisioning Java application in Azure AD enterprise application. I have created SCIM api as per the azure documents but still I am getting below error.
Error code: SystemForCrossDomainIdentityManagementCredentialValidationUnavailable
Details: We received this unexpected response from your application: An HTTP/404 Not Found response was returned rather than the expected HTTP/200 OK response. To address this issue, ensure that the tenant URL is correct. The tenant URL is usually in a format like: https://<>/scim. If this does not resolve the issue, contact the application developer to ensure their SCIM endpoint conforms with the protocol https://www.rfc-editor.org/rfc/rfc7644#section-3.4.2 Please check the service and try again.
You would need to ensure your response is formatted like in section 3.4.2 for the RFC
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"totalResults": 0,
"Resources": [],
"startIndex": 1,
"itemsPerPage": 20
}
https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#response-3
Related
I'm getting 417 error when calling https://apple-pay-gateway.apple.com/paymentservices/startSession with body:
{
"merchantIdentifier": "merchant.com.***",
"displayName": "***",
"initiative": "web",
"initiativeContext": "***"
}
The response I get:
{
"statusMessage": "Payment Services Exception merchantId=2B4D7F37BB3374A2C6B9F28C1042C408F9727EFE09C21EE71297302EBC830DF0 not registered for service",
"statusCode": "417"
}
Strange thing is with the same setup approximately 1% of calls returned the correct session, but most of the time api responds with 417. I've already tried to remove whole merchant identntifier and created new with all the new certs and domain registration - didn't help, now I get 417 for all requests. Any ideas? I could not find any information on apple docs what this error actually means.
Config below:
I've already tried:
creating new apple merchant identifier, merchant certificate, payment processing certificate from scratch three times
I've added and validated domain for frontend website and api
I've tried to make a request locally from postman and from the deployed api on validated domain - in both cases I'm using mechant certificate and private key
I've also tried to cnofigure the merchant identifier I'm using as part of Apple App ID Configuration - so it's assigned to Apple Pay Payment Processing capability. I want to use apple pay web integration, so this step does not make much sense anyway.
I am trying to test the Google Cloud Logging API on the "Try this API" feature that Google Cloud Platform has on their documentation, but I get this response back:
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I know that my response body is correct because it works with OAuth 2.0 but fails when I use API Key.
Auth 2.0:
Working request using OAuth 2.0
API Key:
Non-Working request using API Key
Google docs says that they generate their own API Key for this "Try this API" feature. https://developers.google.com/explorer-help/
Since Google is using their own API Key, I do not understand why I am getting a response status of PERMISSION_DENIED.
Edit:
Here is a link to the Try this API feature in Google Cloud Platform if you would like to give it a try. https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/write?apix_params=%7B%22resource%22%3A%7B%22entries%22%3A%5B%7B%22logName%22%3A%22projects%2F%5BPROJECT_ID%5D%2Flogs%2Frequests%22%2C%22resource%22%3A%7B%22type%22%3A%22http_load_balancer%22%2C%22labels%22%3A%7B%7D%7D%7D%5D%7D%7D
Here is the python request that I am using in my code to create an entry:
import requests
entry = {
"entries": [
{
"logName": "projects/[PROJECT_ID]/logs/requests",
"resource": {
"type": "http_load_balancer",
"labels": {}
}
}
]
}
requests.post('https://logging.googleapis.com/v2/entries:write?key=[YOUR_API_KEY]', data=json.dumps(entry))
The API key was created from my user that has "logs writer", "logs viewer", and "logging admin" permissions. This theoretically should be all the permissions I need to make the post request. However, it is still returning a "PERMISSION_DENIED" status.
Any help would be much appreciated. Thank you in advance.
It looks like you are making a request to write data which isn't publicly writable. API Keys have no concept of user, they are only identifying you are allowed to call an API. So it looks like your API key request is working to the extent it can, but the response is telling you: I don't know who you are so I can't let you do this.
OAuth 2.0 is the solution here, as it acts on behalf of your account (you have to give consent), allowing the API to verify you have permission to take this action.
Service accounts are another option, to act on behalf of your project instead of your user, but they aren't practical from a web UI.
We have a web application with Google calendar API using OAuth 2.0 client IDs.
The problem is that it works well with the Test app:
http://test.our-domain.com
BUT it doesn't work in the production that has SSL.:
https://app.ourdomain.com
Both are on the same server and on the same domain,
Both are authorized in the Credentials page as
http://test.our-domain.com/callback
and
https://app.ourdomain.com/callback
When the user sign in it looks like the process is OK but the Token does not being saved.
Here is the error we have on the production log - Please help...
2017-11-23 22:49:56,656 [ 33] ERROR DotNetOpenAuth.Http
- WebException from https://accounts.google.com/o/oauth2/token: { "error" : "redirect_uri_mismatch" }
2017-11-23 22:49:56,656 [ 33] ERROR
Client.Management.UserCalendarEntryController
- Failed to get google authenticator for XXXXXXXXXXXXXXXXXX
Blockquote
As referred with this thread, the redirect URI (where the response is returned to) has to be registered in the APIs console, and the error is indicating that you haven't done that, or haven't done it correctly.
Go to the console for your project and look under API Access. You should see your client ID & secret there, along with a list of redirect URIs. If the URI you want isn't listed, click edit settings and add the URI to the list.
Also, be noted that updating the google api console can take some time. Generally only a few minutes but sometimes it seems longer.
(I found your post on xplace, I don't have an account there) - I can help you debug the issue if you'd like. feel free to leave your email and I'll reach out.
I set up Google SDK to use Google API with Application Default Credentials. For my local machine, created a credentials json file and set its path as GOOGLE_APPLICATION_CREDENTIALS as environment variable. This is worked as expected without a problem.
However, when the app is deployed to Google Cloud VM, it throws the following error:
[Google_Service_Exception]
{
"error": {
"code": 403,
"message": "Request had insufficient authentication scopes.",
"errors": [
{
"message": "Request had insufficient authentication scopes.",
"domain": "global",
"reason": "forbidden"
}
],
"status": "PERMISSION_DENIED"
}
}
According to the documentation, the built-in service account should be associated with the virtual machine instance. To make it work, I tried to use credentials json file as I did on local machine (which worked fine) but it didn't work either.
To note, the error message is about scopes but not auth problem. What to do to make it work on Compute Engine VM instance?
To give client initialisation code:
$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->addScope(Google_Service_Pubsub::PUBSUB);
Update
Now it is supported. You have to stop instance in order to change API scope.
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes
Original answer
It turned out that I had to enable Cloud API access scope for the services on Google Cloud Console for VM instance details: https://console.cloud.google.com/compute/instances
Unfortunately, I couldn't changed it because Google Cloud doesn't support it for now. I had to start a new instance to enable a service API access.
https://googlecloudplatform.uservoice.com/forums/302595-compute-engine/suggestions/13101552-ability-to-change-cloud-api-access-scopes-on-launc
It is possible now. Your instance must be stopped and then it can have its scope list changed from the console in the edit vm page, or in the SDK by using :
gcloud compute instances stop [vmname]
gcloud beta compute instances set-scopes [vmname] --scopes="[scopes list]"
Just be aware that with the SDK way, the second command will reset with the scopes in the list. It is not currently available the ability to only append a new scope.
I am trying to manually write a log entry using Google Cloud Logging API.
Before doing this via code, I am first trying to do it using the Google APIs Explorer. Here is a screen shot of the request I've built using this tool:
In projectsId I have the Google Project Id that I've copied from the
Google Developer Console.
Likewise for metadata.projectId.
In metadata.userId I have the Client Id of the same Service account that I'm using to authenticate (OAuth2) against the Google Logging API.
Google Logging API is enabled for the project.
The Service account belong to the project and has the "Can edit" permission.
I'm 99% sure that I've setup OAuth2 correctly for the request.
When I execute this request, I get the following response:
{
"error":
{
"code": 400,
"message": "Unsupported service specified",
"status": "INVALID_ARGUMENT"
}
}
Why? and how can I fix this?
The error message was actually telling me exactly which argument was invalid - The serviceName I supplied was bogus ("test").
As soon as I set the serviceName to be "compute.googleapis.com", the problem went away and I received a 200 status code indicating success.