GSuite OAuth 2.0 Invalid Scopes Grafana - google-api

So, I've followed the documentation found here.
I then created an oauth 2.0 web application here.
After that I took the client ID and used it in Manage API Client Access in the GSuite Admin console, following the documentation here, to add the scopes. However, when I go to my app and hit "Sign in with Google" I get a:
400 Invalid Scopes
{invalid=['https://www.googleapis.com/auth/userinfo.profile, https://www.googleapis.com/auth/userinfo.email']}
Both of the scopes above have been added to the Manage API Client Access screens.
Any steps I might be missing?

TLDR; Github pipeline + docker build args with spaces are a no-go. Use secrets and envs.
Found the solution. The issue was that I was defining my scopes in the CI pipeline (github yml) and passing it to my docker file as a build arg which was being converted to an ENV. This didn't work well since there was a space in the string. I moved the two scopes to a github secret and exported it as an ENV which is then secure env'd in the docker file.

Related

Azure SSO and Laravel login have issue with SAML

I have followed the solution explained in the Azure SSO related question in the forum
After that I checked in the Azure Portal and tried testing from the portal itself, but it keeps redirecting me to the login page, only when doing it the first time, so it's new to me. Am I missing something, or do I need to write a login handler for my application to handle this? As for now I have not created any handler for login, because as per the description in the link it is supposed to work.
I tried by having dd in the service provider that has been created, but it's not reflecting. I am confused and stuck here: I am not getting where I need to write the logic where I need to handle users with type in this, as for login now it is redirecting me to the login route when I test it from the Azure portal.
Any guidance on this would be helpful !
• I would suggest you follow the Github documentation below for configuring the Laravel SAML SSO in Azure AD, as it uses a Laravel package for SAML2 integration as a service provider itself. Also, as you have added the service provider in your case, it doesn't need to be added if you are using v5.5 and higher of Laravel, as it gets automatically registered. It's just for older versions that you need to add the service provider in 'config/app.php'.
https://github.com/aacotroneo/laravel-saml2
• Thus, once you do the above and publish the config files accordingly by executing the php commands, you will need to modify the IDP settings in the PHP app's configuration, and here please ensure that you are entering the ACS (Reply) URL and Identifier (Entity ID) from the Azure AD created application correctly. Also, ensure that the required SAML URLs and certificate keys are correctly entered in the environment variables required in aad_idp_settings.php.
Also, please check the actual routes in the metadata by navigating to 'http(s)://{laravel_url}/{idpName}/metadata', as they must be reachable for your application to pass the authentication claims to AAD to get the authentication token. Since you are configuring SSO, please check the IDP metadata for 'http(s)://{laravel_url}/single_sign_on/mytestidp1/metadata', and finally please ensure that 'RedirectIfAuthenticated.php' is configured to redirect to '/routesPrefix/myIdp1/login' and the same in '/Exceptions/Handler.php'.
By following the above steps, your issue should be resolved.

How to integrate key vault with Bot composer

I want to make an http request from bot composer but one thing to pass while making http request needs to be kept a secret. So I want to fetch that value from key vault. Can someone tell how to integrate bot composer with key vault.
I'll assume you are using Azure to run the bot, so I'll answer with that in mind. Otherwise let me know and I can expand the answer.
Take the secret from the settings of the bot. It's just like how you access turn.activity.text, but using settings scope instead of the turn scope. So: settings.apiSecret.
Local Env
Now in development, local environment, you can just put the secret in the settings file.
In Azure
When you deploy to your azure app service, you can use Key Vault References in the Configuration blade. Remember you need to give the app service Secret Get permission to that Key Vault.
This is the easiest way since you don't need to write code to query KeyVault via the API.
From DevOps to Azure
There's a way to get the secret in the pipeline, but I believe this is not something you need in this scenario, you just want to set the variable in the App Service. So in the App Service Deployment task, under Application and Configuration settings -> App Settings: you can add the same thing you'd put in the Configuration blade in the azure portal.
So you can add to the textbox: -apiSecret #Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/) or click on the button with the ellipsis on the right and enter it on the form.

gcloud auth application-default print-access-token gives file not found error

I'm currently trying to set up a service account to run a google cloud vision OCR sample but for some reason the print-access-token command keeps failing to find my key. I've completed the following steps 3 times already just to make sure I've followed the exact steps in the docs:
Init gcloud SDK with the project I had already created
Enabled billing
Create a JSON file containing key for service account with project owner as its role
set GOOGLE_APPLICATION_CREDENTIALS="C:\path\to\file\file.json"
run gcloud auth application-default print-access-token
I've also tried using gcloud auth application-default login just to be safe as it seemed to work for others who had different issues with print access token, but still no luck.
This is the error I receive from using print-access-token:
ERROR: (gcloud.auth.application-default.print-access-token) File "C:\path\file.json" was not found.
I've tried running the code samples regardless of this and receive the following exception:
Exception in thread "AWT-EventQueue-0" com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the vision.googleapis.com.
I haven't been able to find a solution anywhere. I understand it might be a stupid problem with an easy fix, but I'm really quite confused at the moment because I'm sure I've done everything fine so far. Thanks for any help in advance.
I received the message that the file was not found, but I fixed this by using the command set GOOGLE_APPLICATION_CREDENTIALS without double quotation marks, for example:
I recommend using paths without spaces or special characters, for example C:\creds\cred1.json
set GOOGLE_APPLICATION_CREDENTIALS=C:\path\to\file\file.json
This environment variable only applies to the current CMD window; it is not a system-wide environment variable.
The command gcloud auth application-default login creates a system-wide credential based on a user account that allows testing some APIs, but for others like Vision it is necessary to use service account credentials.
To fix this issue you need to define the environment variable GOOGLE_APPLICATION_CREDENTIALS as a user-session or system-wide environment variable.
After this step, your code is going to recognize the credentials stored in the environment variable GOOGLE_APPLICATION_CREDENTIALS, in this case C:\path\to\file\file.json
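The two failures in this thread (a path that "was not found" because CMD stored the surrounding quotes as part of the value, and an end-user credential that Vision rejects) can be caught before any API call. This is an added diagnostic, not code from the question or from the Cloud SDK; the `exists` parameter and the sample key contents used in testing are assumptions so it runs offline.

```python
import json
import os
from typing import Callable, List, Optional


def check_adc_path(value: Optional[str], exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Check the GOOGLE_APPLICATION_CREDENTIALS value itself; returns a list of problems."""
    problems: List[str] = []
    if not value:
        return ["GOOGLE_APPLICATION_CREDENTIALS is not set in this CMD session"]
    # `set VAR="C:\x.json"` in CMD stores the quotes as part of the value, so the
    # SDK then looks for a file whose name literally starts with a quote.
    if value[0] in "\"'" or value[-1] in "\"'":
        problems.append("value contains literal quote characters; set it without quotes")
        value = value.strip("\"'")
    if " " in value:
        problems.append("path contains spaces; prefer something like C:\\creds\\cred1.json")
    if not exists(value):
        problems.append(f'file "{value}" was not found')
    return problems


def check_key_file(text: str) -> List[str]:
    """Inspect the JSON the variable points at (pass the file text so this runs offline)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return ["file is not valid JSON"]
    kind = data.get("type")
    if kind == "authorized_user":
        # This is what `gcloud auth application-default login` writes: an end-user
        # credential, which is exactly what the PERMISSION_DENIED message rejects.
        return ["end-user credential (authorized_user); Vision needs a service-account key"]
    if kind != "service_account":
        return [f"unexpected credential type {kind!r}"]
    missing = [f for f in ("client_email", "private_key", "project_id") if not data.get(f)]
    return [f"service-account key is missing {f!r}" for f in missing]


if __name__ == "__main__":
    path = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    issues = check_adc_path(path)
    if not issues:
        with open(path.strip("\"'"), encoding="utf-8") as fh:
            issues = check_key_file(fh.read())
    print("\n".join(issues) or "credentials look usable")
```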

Integrating Keycloak into Play2 project

I want to integrate Keycloak authentication into a Play2 project. Here is what I did until this point:
I downloaded Keycloak: keycloak-1.6.1.Final.zip, unpacked it, ran it and set it up by creating a test realm and some roles
I downloaded, configured and ran the example js-console (https://github.com/keycloak/keycloak/tree/master/examples/js-console)
I was able to create a user and to log in with the js-console. The user shows up in the Keycloak admin as expected
Now I would like to protect my backend also, which is a Play2 project with maven build (using the play2-maven-plugin: https://code.google.com/p/play2-maven-plugin/)
The backend publishes a REST API, and these calls need to be available only for authenticated users possessing several roles.
Until this point I was unable to find a solution to do this. I came across Deadbolt, which can declaratively express the restrictions that need to be applied to the users and the roles, but I was unable to find an adapter for keycloak to use with Play2.
Is there anybody who did something similar? I guess a solution would be to create a custom adapter, by configuring and then calling the core Keycloak methods.
Does anybody have some thoughts on creating this "Keycloak Standalone Adapter"?
These 2 Blog Entries helped me:
User Authentication with Keycloak
KeyCloak with akka-http
https://blog.scalac.io/user-authentication-with-keycloak-part1.html
https://blog.scalac.io/user-authentication-with-keycloak-part2.html
Build and Secure APIs with Scala and the Play Framework
Auth0 with play framework
https://auth0.com/blog/build-and-secure-a-scala-play-framework-api/
It depends on which authentication mechanism you want to use (openid-connect or SAML). For the application I was working on we chose openid-connect. At the moment, the only play2 library which supported the protocol was https://github.com/pac4j/play-pac4j. The tricky part was figuring out the way keycloak was encoding the information in the token it sent back to the play server. It does it by doing Base64 encoding. We translated the algorithm from the keycloak-js-adapter to extract the user information.
After that, we can use the Security trait or create a custom request wrapper which will contain the authorized user information.
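The answer above describes decoding the Base64 segments of the Keycloak token to pull out the user information. The js-adapter can get away with decoding only, because a browser holds no key; a Play backend that grants roles from the token must verify the signature first. The following is an added example, not the answerer's code or Keycloak's: it builds a constructed token, verifies it, and extracts the claims Keycloak uses (preferred_username, realm_access.roles, resource_access.<client>.roles). Keycloak realms sign with RS256 by default; this offline demo signs with HS256 and a constructed shared secret, which is an assumption.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: Dict, secret: bytes) -> str:
    """Build a constructed HS256 token so the parser can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def parse_keycloak_token(token: str, secret: bytes, now: Optional[float] = None) -> Dict:
    """Verify the token, then return the username and Keycloak realm/client roles."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: the header is attacker-controlled until the signature checks out.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    # Keycloak places realm roles in realm_access.roles and per-client roles in
    # resource_access.<client-id>.roles.
    client_roles: List[str] = []
    for client in claims.get("resource_access", {}).values():
        client_roles.extend(client.get("roles", []))
    return {
        "username": claims.get("preferred_username"),
        "realm_roles": claims.get("realm_access", {}).get("roles", []),
        "client_roles": client_roles,
    }
```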

google adwords api with google-adwords-api gem

I am trying to access google adwords api with 'google-adwords-api' ruby gem.
I have configured it as required. I have also set up a test MCC account and API application. But still I am not able to access the API. It is giving the following error:
QuotaCheckError.ACCOUNT_INACTIVE
Also, I am trying to set the environment to sandbox, which gives the following error:
Environment 'SANDBOX' does not support version 'v201306' (AdsCommon::Errors::Error)
In the documentation it is mentioned that we can access the API with a test account even before approval.
Thanks in advance
I got this fixed.
The developer token needed for accessing the AdWords API should be created from the production account and not from the test account.