I am trying to obtain oauth tokens in order to use the CAD API, however, I keep getting this error:
Signature on SAML token is INVALID commentary: [Verification against Static Certificate not supported in this scenario.
Since they dont have an NPM or NodeJS I have started to create one, however, I am getting hung up on the SAML assertion request. So far I have ported over this ruby gem for making the saml request to get the new oauth token which is found here:
https://github.com/cloocher/aggcat/blob/master/lib/aggcat/base.rb (line 70) def saml_message...
My first stab at this is not neat, but I'm just trying to verify I can make a SAML request with NodeJS and get a response back containing oauth token.
My source code for this NodeJS script can be found at:
https://github.com/britztopher/intuit-cad/blob/master/server/saml2.js
And the Intuit documentation for making this request can be found here:
Intuits CAD Doc which is lacking any kind of sample of what is needed to produce the assertion message.
If any clarification is needed please comment, as I am just trying to jump this first hurdle.
OK, so after cloning the aggcat repo for the ruby script and modifying the template for the assertion message to use constants instead of variables then comparing the that assertion message to the one my script was generating I finally found the reason why this was failing. To make sure the sha1 digest was the same and the signature was the same I had to make the assertion messages were the same.
The reason for failure was that sample Assertion Sample in the documentation is wrong all over the place:
https://developer.intuit.com/docs/0020_customeraccountdata/009_using_customeraccountdata/0010_gettingstarted/0025_making_your_first_connection/saml_assertion_sample
There are spaces missing and the one thing that got me was this element:
This is not a terminating element and needs a closing tag. For example:
In addition, the xml doc type () is not needed either.
After all this aggravation with intuit's developer documentation, I decided to save everyone the trouble of trying to follow it to confusion, and made an NPM module called intuit-cad, which builds the SAML assertion and performs all the authentication in order for you to make clean API calls easily. Also, this module is built on top of promises, which make error handling and callback hell prevention a breeze. In addition to the library I have a simple blog post about it here: intuit-cad blog post
Related
I am implementing load testing in Jmeter for my web application which uses google oauth.
I have generated access token and refresh token and passed it to my HTTP request, but the request fails with an Invalid state parameter.
I checked various posts on passing a random string of 30 characters but the value is not being recognised.
I am not sure how to use the google API library for python to generate one as there is only snippet available in the official site and am quite unsure if that value will be recognised.
Any suggestions on how to achieve my usecase?
We are not telepathic enough to guess how exactly you "generated" the tokens and how they're "passed to your HTTP request"
My expectation is that you need to pass only one token: the "access" one "to your HTTP Request", refresh token can be exchanged for the new access token when the previous one expires. Passing 2 tokens doesn't make sense and may cause the problem you're facing.
As per the main page of JMeter project
The Apache JMeter™ application is open source software, a 100% pure Java application designed to load test functional behavior and measure performance. It was originally designed for testing Web Applications but has since expanded to other test functions.
hence you cannot use Python libraries directly in JMeter, either look for a Java library, I think this one is a good choice and use it from JSR223 Test Elements
If you still want (or have to) use Python - you can run Python scripts from JMeter using OS Process Sampler
I am new to JMetet and I am having a lot of difficulties in understanding how it works.
I created a TC to add an object to my system using Blaze meter. Then, I imported the TC in Jmeter.
This TC fails when it should not (at least thats what I think) because whenever I use the system it works correctly:
This is the thread group if you need it to help me:
Am I doing something wrong? AM I missing something?
IMPORTANT: Should I be able to see my object added to the system if the TC passes?
As per HTTP Status Code 403 Forbidden description:
The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.
This status is similar to 401, but in this case, re-authenticating will make no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.
If your script assumes authentication most probably it fails somewhere somehow due to missing or improperly working correlation, for example this eedd968fe... bit
looks utterly suspicious, most probably you need to replace it with a some form of dynamic parameter extracted from the previous request using a suitable JMeter Post-Processor
Normally the flow looks like:
Open login page
Identify and extract all dynamic parameters and save them into JMeter Variables
Send the parameters along with credentials in the 2nd request
Check out Using Regular Expressions to Extract Tokens and Session IDs to Variables article for example challenge and solution
I'm using ruby-trello gem for creating cards in a Trello list.
For my testing credentials this works fine, for the credentials I use on a production setup I get "Trello::Error - Malformed URL:"
The "Malformed URL" is a direct response from Trello, and I can't get my head around why, and how to fix this.
There is little to no documentation on API response errors by Trello.
Maybe you should watch what you application is sending to Trello.
You should also aread the API that Trello offers and search for the specific request and its response. Also you can probe if the Keys are correct in Trello's Sandbox.
As last option write an issue on Github's gem or ask for assistance to Trello.
Hope it helps.
I'm developing an iOS app that makes frequent requests to a web server, and I'm using AFNetworking (which I very much like). However, I'm running into a problem with authorization that I just can't solve.
The server requires me to provide an authorization header in order to get the response that I want. Specifically, the authorization headers should be like so:
Authorization = "ApiKey some-user-name:someNumericalApiKey"
I'm using AFNetworking throughout the project, and everything works fine, except for this authorization issue. I'm using the following code:
[myClient setDefaultHeader:#"Authorization" value:#"ApiKey some-user-name:someNumericalApiKey"];
where myClient points to an AFHTTPClient object. Strange enough, when I log the request in XCode using AFHTTPRequestOperationLogger, the logger claims that I have the correct headers set. However, the authorization header does not seem to reach the server - I can't see it in the server log.
To isolate the problem, I've tried to make the exact same request using good old NSURLRequest, as well as curl, and the requests library in Python - all of these work fine, i.e. the authorization header is sent & received (i.e. I can see it in the server log), and the server response is what it should be.
If anyone has run into the same problem (and has found a solution) I would very much appreciate to hear from you.
Thanks.
Sometimes (especially with Django) this is caused by redirection stripping of header parameters. For instance, /Object redirects to /Object/ in the background and removes the necessary auth parameter during the switch.
If you're using AFNetworkActivityLogger with level AFLoggerLevelDebug then you should be able to check this out in the console. If you see a POST request with /Object and the response with /Object/ then this might indicate redirection stripping is taking place.
If you construct your operation manually then the defaultHeaders are not applied, that might be the cause of your problem.
As part of a people search project I'm currently participating in, I need to write a ruby script that can send search queries to the Google Custom Search API and store the search results for processing. I found the Ruby google-api-client gem (http://code.google.com/p/google-api-ruby-client/) and installed it, but, despite having thoroughly read the documentation, I am at a loss as to how to execute a Custom Search API call. This is my first attempt at using Google APIs and I'm finding the process a bit overwhelming, is there anyone out there with any experience that could provide some sample code for me to study? Thanks
While I haven't tested this, something like this should work:
require 'google/api_client'
# Creates an instance of the client.
client = Google::APIClient.new
# Authorization setup goes here.
# Fetch the discovery document and obtain a reference to the API we care about.
search = client.discovered_api('customsearch')
# Make an API call using a reference to a discovered method.
response = client.execute(
search.cse.list, 'q' => 'your query'
)
status, headers, body = response
Note that I've omitted all the setup code for authentication, which you can find in the docs for the Ruby client.
There's a few ins and outs with authentication when using an api key as opposed to OAuth thats outlined at the code abode.
You have to explicitly set the authorzation param to nil when constructing the client, otherwise the gem tries to use OAuth to authenticate, so if calling from a server using an api key only, you will always get a 401 Unauthorized. Full Code using the customsearch api is given (copy paste into irb). the code abode - google-api-client for ruby
https://developers.google.com/google-apps/calendar/firstapp
This walks you through getting setup to access the api and setting up keys in google's api console.
It has a tab for ruby - so this is what you need to get started.