S/4HANA Extension - Multitenancy - s4sdk

I'm trying out the S/4HANA extension development exercises for multi-tenancy (Week 2 - Unit 4 of this course). I was able to setup Postman as described in the video, but when I execute PUT tenant after executing GET csrf token, I get an error that says Forbidden and do not get a status of 204 as shown in the video, but get 403 instead. Could you please let me know what I might be doing wrong here. Many thanks.
Please find attached a copy of the response received via Postman.
In the logs of approuter, I can see this one message stand out (but my destination seems to be set)
Msg: "Error during loading of destination service credentials. Verify Destination service is bound"
Could there be any other reason why I am getting a 403 Forbidden response instead of it creating a tenant successfully? Any pointers to proceed would be appreciated.

Access is forbidden because the backend is again being protected by a CSRF filter - in addition to the CSRF protection which the approuter provides. Likely, you will see a header x-csrf-token: Required in the 403 response.
Fo fix this, in your backend application, remove the RestCsrfPreventionFilter in line 47 of web.xml.
Background: the approuter has its own CSRF protection mechanism. By providing a CSRF token in your request, you only deal with the approuter's CSRF protection. If the backend is again protected against CSRF, nothing is providing a CSRF token to the backend. Additionally, the CSRF protection on the backend is no longer necessary as you have protected the backend so that it can only be accessed via the approuter.

Related

How to get new acess token from refres token for google api in postman

I am trying to get new access token from my refresh token for google drive api. In my google playground it works but when I want to create the same request in postman or my code it doesn't work and I always get error "Invalid grand type". I don't know to find what is problem.
google developers playground
postman headers and body
You need to understand that there is three steps to the Oauth2 dance.
step one is requesting access of the user and getting the authorization code.
HTTP GET https://accounts.google.com/o/oauth2/auth?client_id={clientid}.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/analytics.readonly&response_type=code
Note &response_type=code tells the server you want an authorization code returned.
step two is to exchange that code for an access token and refresh token.
POST https://accounts.google.com/o/oauth2/token
code=4/X9lG6uWd8-MMJPElWggHZRzyFKtp.QubAT_P-GEwePvB8fYmgkJzntDnaiAI&client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code
Note the part where it says &grant_type=authorization_code. this tells the server you are giving them an authorization code.
3 the final step is refreshing your access token.
POST https://accounts.google.com/o/oauth2/token
client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&refresh_token=1/ffYmfI0sjR54Ft9oupubLzrJhD1hZS5tWQcyAvNECCA&grant_type=refresh_token
Note &grant_type=refresh_token you are telling the server you are sending them a refresh token.
You appear to be sending a refresh token with the wrong grant type.
I have a video on how to set up postman to use google oauth2
How to set up Oauth2 in PostMan.
Google 3 Legged OAuth2 Flow
Note: Due to a recent change with Making Google OAuth interactions safer by using more secure OAuth flows redirect uri of urn:ietf:wg:oauth:2.0:oob is going to stop working soon.

Access GitHub API from Nifi

I'm trying to access info within GitHub's API from a NiFi Process. Essentially, I'm using GenerateFlowFile to set the target URL and the Authorization header for the token. I then pass it to the InvokeHTTP and every time it gets a 401 error saying it needs to be authenticated, despite providing my personal token (the one I use when programming locally and with Terminal). Any tips on how I can get this working? I can provide more detail if needed
I'm not sure which endpoint you're trying to access in the GitHub API, but it appears you are using an endpoint from GitHub Enterprise 2.22 from the error message.
The docs for authentication show you should prefix the token with token i.e:
Authorization: token OAUTH-TOKEN
In your specific case, this means you should set the Authorization header to token ${github_token}.

Django-allauth + reactjs+ linkedin login redirect uri issue + Not enough permissions to access: GET /me

I am using drf + ReactJs to do social login am able to integrate google login and facebook login using django allauth package , but when I tried to integrate linkedin login getting error :
invalid redirect uri
TO be more precise am getting this error
allauth.socialaccount.providers.oauth2.client.OAuth2Error: Error retrieving access token: b'{"error":"invalid_redirect_uri","error_description":"Unable to retrieve access token: appid/redirect uri/code verifier does not match authorization code. Or authorization code expired. Or external member binding exists"}
----few updates after tying out few fixes -----
Tried fetching the access token from backend and login the user using a seprate api it showed the redirect uri issue.
Tried directly calling the linkedin token url from postman and now I get Invalid request error.
First method worked after few tryouts but now getting incorrect value error.
Tried fetching code with scope as r_liteprofile but now getting 403 forbidden
{'serviceErrorCode': 100, 'message': 'Not enough permissions to access: GET /me', 'status': 403}
I tried changing url to backend and frontend both showing same error. Can anyone get me how to fix this issue ?
I am not sure what all additional details needed for sorting this out, Please let me know if any needed.
Finally able to find the solution
the issue was with the code generated from the sdk used to implement linkedin login in reactjs, which has only scope
r_emailaddress
r_liteprofile
Adding additional scope
w_member_social
And regarding redirect uri issue
we are suppose to use the same redirect uri in both frontend and backend
made things working , posting this here since it will help someone in future facing same problem.
thank you all

CSRF token not sent from Angular to Spring

We are building a web application using Angular and Spring Boot. As one of our security measures, we use CSRF tokens. The issue is that, on our local machines, the token validation works, but on our staging server, the tokens aren't sent by the frontend. The problem has suddenly occurred; we didn't have this problem for the first few months of using the tokens. After a certain build, they started failing. Then after a while, they were working again, but now have ceased working once more.
So, it seems like there is an environment issue that we fail to see.
What we can see
Spring is creating the CSRF token and sending it on preflight (OPTIONS) requests. It encapsulates the token in the Set-Cookie header, which Angular reads using the CookieXSRFStrategy. Again, locally this works fine, but on our staging server this fails. The issue is that Angular doesn't set the cookie after receiving the token. We checked this by inspecting the cookies in the Google Dev Console.
The specific error given by Spring is:
Invalid CSRF Token was found on the request parameter '_csrf' or
header 'X-CSRF-TOKEN'
The issue this causes
We can't login, since Spring doesn't receive a CSRF token. Therefore we can't do anything with the application unless we turn off CSRF protection completely.
We have tried
Specifically whitelisting cookies for the application in Chrome.
Clearing cookies and cache.
Trying in different browsers, on different machines. This happens in Chrome, IE11 and Firefox. We haven't tried any other browsers.
Making sure the origin is allowed through CORS, which it is. We do this with the Access-Control-Allow-Origin header.
Exposing more headers, like Set-Cookie using the Access-Control-Expose-Headers header. This doesn't change anything.
Allowing more headers, using Access-Control-Allow-Headers. This doesn't change anything either.
Simulating the login process using cURL (with the Postman application). This works. So it's an issue of Angular not being able to process the token properly.
Reading the headers manually with JavaScript/TypeScript. This didn't seem to work since the header wasn't exposed.
After struggling with the issue, we decided to integrate Docker, in an effort to mirror our staging and local environments. This didn't resolve the issue.
Reverting back to a previous build didn't work either.
Important notes
Both locally and on the staging environment we use an SSL certificate. Locally, we use a self-signed certificate.
All of the application runs on a Wildfly server. Both the Angular and Spring code is built and distributed using WAR files, which Wildfly deploys.
We are using a corporate proxy. The staging server is hosted in-house, and is only accessible when you're on the corporate network.
Versions
Angular: 4.2.2
Spring Boot: 1.4.1
Wildfly: 10.1.0.Final
Our current workaround is that we have disabled CSRF protection completely, so as to be able to continue development while we are looking for a solution.
Does anyone have any idea what could be going wrong?
The exception Invalid CSRF Token was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN' occurs when an invalid CSRF token is passed. If Spring would receive no CSRF token at all, it would print a different message "Could not verify the provided CSRF token because your session was not found." That means frontend is sending old or invalid CSRF token.
Possibly your corporate network proxy applies some login mechanism and override your X-CSRF-TOKEN header.
According to Spring Security documentation, cookieHttpOnly=false is needed to allow AngularJS to read the XSRF-TOKEN cookie.

Spring template connect to OpenSSO/JAAS secure endpoint

I'm trying to access a REST service via a server-to-server GET request that is secured by OpenSSO/Spring Security and am unable to. It's like my Spring Rest Template client is not stateful to hold the cookies it should as I get redirected through the authentication workflow.
When doing this with a browser, the initial request is redirected to OpenSSO, I'm challenged for my cert (PKI), I present it, get a response with my authentication cookie header. Then I am redirected back to my original destination, I present my auth cookie in the request header and I'm on my way.
This isn't happening in my server-to-server invocations.
I've searched for quite a while now and can't seem to find any solutions that hold onto this state across redirects!
Following the link in zagyi's comment may have worked, but I spent some more time and found the following solution, which does not involve overriding anything:
To handle the authentication cookie in the REST controller, you have to explicitly tell it to accept cookies. Before handling the call, add the following line of code:
CookieHandler.setDefault(new cookieManager(null, CookiePolicy.ACCEPT_ALL));

Resources