Folks,
Can anyone provide a working example of how to do SSL client authentication in ruby 1.8.7? For the record, I am attempting to use a GoDaddy certification to perform an authenticated post request to the Windows Phone push notification service. In this case, my command-line client is using a certificate like an API key or bearer token.
I supply GoDaddy a mydomain.com.key file, and GoDaddy supplies me with a gd_bundle.crt file and a mydomain.com.crt file.
On my Net::HTTP object, I have set these parameters:
my_cert = File.read(File.join(File.dirname(__FILE__), "mydomain.com.crt")) # from godaddy
my_key = File.read(File.join(File.dirname(__FILE__), "mydomain.com.key")) # i made
http.use_ssl = true
http.cert = OpenSSL::X509::Certificate.new(my_cert)
http.key = OpenSSL::PKey::RSA.new(my_key)
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
But the push notification service continues to report a 403 error saying "You do not have permission to view this directory or page using the credentials that you supplied".
Since someone out there is doing push successfully I assume the way I have configured my Net::HTTP object in ruby is incorrect. Does anyone have sample code for how I can use ruby to perform SSL client authentication?
Related
I am trying to build a Ruby Daemon service to access the Office 365 rest API. It was recently made possible to do this via the OAuth 'client_credentials' flow, as detailed in this blog post: https://learn.microsoft.com/en-us/archive/blogs/exchangedev/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow
I am struggling to generate a valid access token. The token endpoint returns me a JWT however when using this token I received a 401 with this message:
The access token is acquired using an authentication method that is too weak to allow access for this application. Presented auth strength was 1, required is 2
I understand that the client_credentials flow requires you to present a X.509 cert, unfortunately all the examples in the blog post are for C#.
I am using a generated self signed cert and private key to do a client assertion when requesting the token. I followed the steps in the blog post to generate the cert and update the manifest to use this cert.
This is the ruby code for reference:
def request_token
uri = URI.parse("https://login.windows.net/== TENANT-ID ==/oauth2/token?api-version=1.0")
https = Net::HTTP.new(uri.host, uri.port)
req = Net::HTTP::Post.new(uri.request_uri)
req.set_form_data(
:grant_type => 'client_credentials',
:redirect_uri => 'http://spready.dev',
:resource => 'https://outlook.office365.com/',
:client_id => '== Client ID ==',
:client_secret => '== Client secret =='
)
https.use_ssl = true
https.cert = client_cert
https.key = client_key
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
resp = https.start { |cx| cx.request(req) }
#access_token = JSON.parse(resp.body)
end
Obviously I have removed certain bits of information for security. Even though it is ruby you can see I am using my cert to validate the client using an SSL connection.
Here's some more infomation on the error:
"x-ms-diagnostics" => "2000010;
reason=\"The access token is acquired using an authentication method that is too weak to allow access for this application. Presented auth strength was 1, required is 2.\";
error_category=\"insufficient_auth_strength\"",
"x-diaginfo"=>"AM3PR01MB0662",
"x-beserver"=>"AM3PR01MB0662"
Any help would be appreciate.
Edit
For others looking to do something similar in Ruby here's a Gist of the code I use: https://gist.github.com/NGMarmaduke/a088943edbe4e703129d
The example uses a Rails environment but it should be fairly easy to strip out the Rails specific bits.
Remember to replace YOUR CLIENT ID, TENANT_ID and CERT_THUMBPRINT with the correct values and point the cert path and client key methods to the right file path.
Then you can do something like this:
mailbox = OfficeAPI.new("nick#test.com")
messages = mailbox.request_messages
Instead of a client_secret in your request body, you need a client_assertion. This is a bit more complex, but it's the reason you need that certificate.
Basically you need to build a JSON Web Token and sign it with your certificate using a SHA256 hash. The token is going to look something like this:
Header:
{
"alg": "RS256",
"x5t": "..." // THUMBPRINT of Cert
}
Payload:
{
"aud": "https:\\/\\/login.windows.net\\/<The logged in user's tenant ID>\\/oauth2\\/token",
"exp": 1423168488,
"iss": "YOUR CLIENT ID",
"jti": "SOME GUID YOU ASSIGN",
"nbf": 1423167888,
"sub": "YOUR CLIENT ID"
}
If you're still with me, you now need to base64-encode both pieces (separately), then concatenate them with a '.'. So now you should have:
base64_header.base64_payload
Now you take that string and sign it with your certificate, using a SHA256 hash. Then base64-encode the result of that, url-encode it, then append to the string, so now you have:
base64_header.base64_payload.base64_signature
Finally, include this in your POST to the token endpoint as the client_assertion parameter, and also include a client_assertion_type parameter set to "urn:ietf:params:oauth:client-assertion-type:jwt-bearer":
req.set_form_data(
:grant_type => 'client_credentials',
:redirect_uri => 'http://spready.dev',
:resource => 'https://outlook.office365.com/',
:client_id => '== Client ID ==',
:client_assertion_type => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
:client_assertion => 'base64_header.base64_payload.base64_signature'
)
I hope that helps! This is all based on my research into how ADAL does it, and I haven't tested it myself in Ruby.
I just managed to get this working, so I thought I'd throw one more piece of advice into the mix. All the instruction articles out there say that you should add your certificate to the manifest file. I had trouble with that, but here is what I did that finally made it work:
In Azure, go to Settings > Management Certificates
Upload the public key as a .cer file (google around if you don't know how to convert it). This should be a binary file that your text editor barfs on.
Now that it's uploaded, Microsoft will give you the thumbprint. It's in the "Thumbprint" column. But, it's in hex, not base64. So, convert it like this:
# Hint: use your actual thumbprint, not this fake one
echo '5292850026FADB09700E7D6C1BCB1CD1F3270BCC' | xxd -r -p | base64
Finally, use this base64 encoded thumbprint as the value for x5t in the JSON header.
I added a function in HomeController on the git to demo how to request an access token by hand using client assertion w/o ADAL. It might be easier to port using this: https://github.com/mattleib/o365api-as-apponly-webapp/commit/12d5b6dc66055625683020576139f5771e6059e1
Just some additions: The audience claim in the assertion is the same as the endpoint you address with the token request. As Jason correctly identified, this is the token endpoint of AAD: https://login.windows.net/{the tenant you want an app token for}/oauth2/token. Also the nbf and exp are the time you created the assertion in unix epoche time, e.g. in .net you would do something like "WebConvert.EpocTime(DateTime.UtcNow)". For "not before" (nbf) maybe subtract a buffer for clock skew, e.g. 5 minutes; and for expires in (exp) add some time, e.g. 15 minutes (so the assertion remains valid for that time).
Here is a fiddler trace of a token request (raw):
POST https://login.windows.net/0e49ef1f-ca07-45f1-b4c0-ac9409d3e576/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
client-request-id: a8108f88-275b-424d-ac28-f675aabe548e
return-client-request-id: true
x-client-SKU: .NET
x-client-Ver: 2.12.0.0
x-client-CPU: x64
x-client-OS: Microsoft Windows NT 6.2.9200.0
Host: login.windows.net
Content-Length: 983
Expect: 100-continue
Connection: Keep-Alive
resource=https%3A%2F%2Fgraph.windows.net%2F&client_id=f17bb8a5-2bef-4ad5-a83f-cd7113449fc2&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGciOiJSUzI1NiIsIng1dCI6ImY4S2JVY0xtMnItS2s4b1Z3ZVZYTFU0NzhJcyJ9.eyJhdWQiOiJodHRwczpcL1wvbG9naW4ud2luZG93cy5uZXRcLzBlNDllZjFmLWNhMDctNDVmMS1iNGMwLWFjOTQwOWQzZTU3Nlwvb2F1dGgyXC90b2tlbiIsImV4cCI6MTQyMjk4NDMzNSwiaXNzIjoiZjE3YmI4YTUtMmJlZi00YWQ1LWE4M2YtY2Q3MTEzNDQ5ZmMyIiwianRpIjoiZTI3OTA5YTctZGYwMC00NjBhLTlmZjctOGZkNDExOWVmNTYzIiwibmJmIjoxNDIyOTgzNzM1LCJzdWIiOiJmMTdiYjhhNS0yYmVmLTRhZDUtYTgzZi1jZDcxMTM0NDlmYzIifQ.g9bo4-lxpNJ4kEOMuQxODU-5iakwSVIzyRQEPLdbpuNn_XD4lcvt2yBIWT12EQaUVKkMyqFrDiIh4Oav565-Po7HfhmSPF3URXVj8Kx5lx17Zh0nWiaNkRXEi1vhwswsfjm1o-8B8LGUJTtT6JXTognrueuSL1aEE_-4qSG1y74aoc949Un1pQCjwuBtao4vs4CPJLu9Y9mVbirVRRtiIfxkUMmzf6yfMtuhugoGmrvUYntUo4x6N2fu4LxGjuIs7czyrMMAmDRo-XK4sAhDo5uof10HKb8ETEU8mhObwNZcz86MYHWbZm3Z_HDOwzC9kA_tp6hWqmlJ3c-gLg5VXA&grant_type=client_credentials
Hope this helps!
Good luck!
Matthias
Context: I'm trying to interact with Twitter via JSON and no libraries as i'm practicing to interact with a newly released receipt printer(themprinter.com) which has no helper libraries. I need to OAuth with the printer then make the appropriate calls to register my device, print, verify online/offline status etc.
I've successfully authenticated with Twitter via OmniAuth's Twitter Gem. I can pull all the data from the Authentication Hash here - https://github.com/arunagw/omniauth-twitter
...now what? I want to be able to make a JSON call with my OAuth credentials to Twitter and pull my timeline or any other such data. Can anyone provide any sample code that will allow me a starting point to tinker with and work off of?
Twitter provides REST API. Here's how you might create a GET REST request
request = Net::HTTP::Get.new(url, initheader = header)
http_request = Net::HTTP.new(host, port)
response = http_request.start {|http| http.request(request)}
here's an example of the request URL:
https://api.twitter.com/1.1/statuses/user_timeline.json?screen_name=twitterapi&count=2
I'm using savon to communicate with a soap web service.
It all works well, and I now need to get the ruby code into production where we have to go through a proxy server.
This proxy server requires authentication.
So my question is, how can I go ahead to specify proxy server authentication details with savon?
Some further info:
I've figured out that you can specify a proxy server as such:
client = Savon::Client.new do
...
http.proxy = "http://proxy.example.com"
end
Looking through the code for savon, I found that the http variable in the client block refers to the following:
def http
#http ||= HTTPI::Request.new
end
Unfortunately, going through the code for HTTPI::Request, I couldn't see a way to specify authentication for the proxy itself. Here's the code for the httpi request: https://github.com/rubiii/httpi/blob/master/lib/httpi/request.rb
Just to be clear: I'm not trying to do HTTP authentication, I'm attempting to perform proxy authentication.
When specifying the proxy server, I get the following error, because I can't find a way to specify the proxy authentication credentials:
407 "Proxy Authentication Required"
Thanks in advance for any help.
Try this:
http.proxy = "http://username:password#host:port"
Managed to resolve it with the following code:
#proxy_path = '<insert your proxy url here>'
#wsdl_path = '<insert your wsdl url here>'
#client = Savon.client do |variable|
variable.proxy #proxy_path
variable.wsdl #wsdl_path
end
#client.operations #to list operations
I've a Cisco IP-Phone 7945 and I want to control it from my CLI. For example I want to start a command like
call start 12345 #12345 is the number I want to call
or
call cancel
Anybody knows a tool or something similiar?
I'm writing a rails app and I want to start a call from within the app after a certain action.
The 7945 has a web interface that permits execution of commands, including a "Dial" command, by authenticated users.
Your rails app would connect to the phone at http://phone-ip-address/CGI/Execute and POST some XML that looks like this:
<CiscoIPPhoneExecute>
<ExecuteItem URL="Dial:12345" />
</CiscoIPPhoneExecute>
The authentication is done with HTTP Basic Auth and the back-end authenticator is determined by what phone system your 7945 is connected to. If Cisco Call Manager, it uses the assigned Call Manager user information.
Look for the IP Phone Services guides on cisco.com for details. Quick links:
HTTP Requests and Header Settings
CiscoIPPhone XML Objects
Internal URI Features
Short answer: it's not a CLI but it is straightforward to program a dialer by interacting with the phone over HTTP.
I know this is an old thread, but thought I'd post this working code example in Ruby. Tested on the CP-8941 phone. Username & password schemes will vary. Our system is set up to interface to Active Directory, so the username and password are those of our Windows login.
require "net/http"
require "uri"
phone = "ip-of-your-phone"
user = "your-username-goes-here"
secret = "your-password-goes-here"
prefix = "91"
todial = "number-to-dial-goes-here"
uri = URI.parse("http://#{phone}/CGI/Execute")
http = Net::HTTP.new(uri.host, uri.port)
request = Net::HTTP::Post.new(uri.request_uri)
http = Net::HTTP.new(uri.host, uri.port)
request = Net::HTTP::Post.new(uri.request_uri)
request.basic_auth(user, secret)
request.set_form_data({"XML" => %(<CiscoIPPhoneExecute><ExecuteItem URL="Dial:#{prefix}#{todial}" /></CiscoIPPhoneExecute>) })
response = http.request(request)
I'm trying to get a Ruby script to download a file off a server, but I'm getting a 401.2 from IIS:
You do not have permission to view
this directory or page using the
credentials that you supplied because
your Web browser is sending a
WWW-Authenticate header field that the
Web server is not configured to
accept.
I've checked that basic auth is enabled. Is there something special about how Ruby handles basic auth? Is there a way for me to see what the server actually gets and what the headers say is acceptable?
This is my code:
Net::HTTP.start(url, port) {|http|
req = Net::HTTP::Get.new('/file.txt')
req.basic_auth 'username', 'password'
response = http.request(req)
puts response.body
}
Snippet from the Microsoft website
HTTP 401.2: Denied by server configuration
Description
The client browser and IIS could not agree on an authentication protocol.
Common reasons
* No authentication protocol (including anonymous) is selected in IIS. At least one authentication type must be selected. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
253667 (http://support.microsoft.com/kb/253667/ ) Error message: HTTP 401.2 - Unauthorized: Logon failed due to server configuration with no authentication
* Only Integrated authentication is enabled, and an older, non-Internet Explorer client browser tries to access the site. This happens because the client browser cannot perform Integrated authentication. To resolve this problem, use one of the following methods:
o Configure IIS to accept Basic authentication. This should only occur over SSL for security purposes.
o Use a client browser that can perform Integrated authentication. Internet Explorer and new versions of Netscape Navigator and Mozilla Firefox can perform Integrated authentication.
* Integrated authentication is through a proxy. This happens because the proxy doesn't maintain the NTLM-authenticated connection and thus sends an anonymous request from the client to the server. Options to resolve this problem are as follows:
o Configure IIS to accept Basic authentication. This should only occur over SSL for security purposes.
o Don't use a proxy.
You should also try to look at ruby-httpclient - Simple HTTPClient library for Ruby which can use NTLM auth.