So far I have been able to successfully use the API Management tester to make the desired api call that I want to apimanagement ListByService. However, when using a client credentials token in the call, I receive an InvalidAuthenticationTokenAudience error:
Below is the postman token request I am sending:
Additionally I enabled the permissions in API permissions for user_impersonation. Am I making a request to the wrong token endpoint? I'm unsure what I'm doing wrong here.
Related
I am try to approve the prividedge identity management (PIM) request through graph api but when i try to approve it the api is return forbidden. See the below screenshots
The pending request should be approved.
First, I want to know what API permission you consented for using this graph API, because to be honest, I didn't find this graph API, I only found this document which contained the API request you used.
According to the error message, I'm afraid you gave the wrong api permission or you used client credential flow to generate the access token to call the API. So it's better to provide the request you used to generate access token.
Finally, I found an answer here which successfully call the API but with Powershell script. According to this sample, we should give PrivilegedAccess.Read.AzureAD,RoleAssignmentSchedule.ReadWrite.Directory,PrivilegedAccess.ReadWrite.AzureAD delegated API permission and use it to generate access token. We need to use auth code flow/ROPC flow so that the token generated should contain scp claim with API permissions as value. Then using that token to call the API.
You may try request below to generate the access token for a test:
POST https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id=azure_ad_app_id_consented_api_permission
&scope=PrivilegedAccess.Read.AzureAD RoleAssignmentSchedule.ReadWrite.Directory PrivilegedAccess.ReadWrite.AzureAD
&username=user_name_better_to_use_account_with_Global_Administrator_role
&password=password
&grant_type=password
From Azure Data Factory, I'm trying to connect to a REST service that requires an access token (OAuth2).
Tried in Postman with the client credentials flow (client_id/client_secret) and it works fine:
Calling the token endpoint to get an access_token
Use the token in a subsequent request to retrieve data.
I configured the linked service like that as It supposed to support the OAuth2 client credentials flow:
But when testing the connection, it fails with this message:
The request body must contain the following parameter: 'client_secret'.
I don't really understand why the client_secret is not added in the request body as it is a client credentials flow.
Not sure if I'm missing some configuration ?
For the moment, I'm using Web Activity as a workaround.
This error may occurred because Allow public client flows is disabled for the application registered in Azure AD.
Enabling it may fixed the issue.
Refer - https://learn.microsoft.com/en-us/azure/data-factory/parameterize-linked-services?tabs=data-factory
Refer - https://learn.microsoft.com/en-gb/azure/active-directory/develop/scenario-desktop-acquire-token?tabs=python#username-and-password
I have set up an instance of Azure FHIR with an Azure FHIR proxy using this tutorial:
https://github.com/microsoft/health-architectures/tree/master/FHIR/FHIRProxy##configuration
I am unable to call the proxy without getting the following error message:
You do not have permission to view this directory or page.
I have created a token successfully using the following tutorial:
https://learn.microsoft.com/en-us/azure/healthcare-apis/access-fhir-postman-tutorial
I have created an app service principal in Azure with the permissions to access the FHIR proxy:
https://func-fhir-proxy-2.azurewebsites.net
I am generating the token using the following in postman:
Auth URL: https://login.microsoftonline.com/e34c8e67-182a-4085-9dc0-39a38dddea12/oauth2/authorize/?resource=https://func-fhir-proxy-2.azurewebsites.net
Access Token URL: https://login.microsoftonline.com/e34c8e67-182a-4085-9dc0-39a38dddea12/oauth2/token
Client ID: 4d138742-44c0-42cb-9878-8647a1d2ef17
Client Secret: Well..that's a secret!
Scope: openid profile
State: 12345
Postman returns 3 tokens: Access_token, Refresh_token, Id_token.
I have tried each token and all return the same 401 error.
ID token JWT looks like this:
I have tried calling the FHIR proxy API's, due to the tutorial I am not 100% which are the correct URLs:
https://func-fhir-proxy-2.azurewebsites.net/api/fhirproxy/Patient
https://fhir-test-apis.azurehealthcareapis.com/Patient/
None of this works, I just keep getting the same error. Does anyone know what I am doing wrong? Should I be calling the FHIR proxy API using the token? If so, why is the API not letting me in?
I managed to fix the issue. I found that the resource ID was needed in the auth URL:
This can be obtained from Enterprise Applications:
Also, creating two separate app registrations:
The link ending with ".../api/fhirproxy/Patient" is correct for the proxy deployment.
I'd suggest that you do a quick test that you can access the FHIR API without the proxy. You can use the existing deployment and follow instructions at https://learn.microsoft.com/en-us/azure/healthcare-apis/access-fhir-postman-tutorial.
Once you get that working, test the FHIR API with the proxy. You can start with the proxy that has the its security disabled (The FHIR api still requires security and you cannot disable it). Once you get that working, you can enable the proxy's security.
Since the proxy is a web app acting as a proxy, you will need two sets of credentials, one set for the FHIR api itself, which you specify in the proxy app, and one set for the proxy web app, which you specify in your client app, e.g. Postman or curl.
The reason for the error is actually very simple, you are using the wrong scope.
Usually the 401 error means that the audience of your token does not match your api. When you use the token to call the api, you will receive a 401 unauthorized error. The access token is issued based on the audience, so you must Make sure to set the scope to your api when you request the token. Of course you can also parse the token, check the aud claim, and make sure it is the api you want to call.
Therefore, according to your requirements, try to change the scope to: https://func-fhir-proxy-2.azurewebsites.net/.default
By the way, if you want to call api, you should use access token instead of refresh token and id token.
I have react app, which can login user via Azure AD. After that, I created from react app request into my .net core mvc app with header Authorize. But when I added [Authorize] attr into my controller, I get error:
Bearer error="invalid_token", error_description="The signature is invalid"
All I need that my backend app only check scope or role from JWT token and allow to get some data. I know that JWT is correct and react app login user without any problems.
Similar issue to this one:
https://forum.ionicframework.com/t/validating-token-signatures-in-asp-net-core/108226
I summarize the comments and post it as an answer:
Usually the 401 error means that the audience of your token does not match your api. When you use the token to call the api, you will receive a 401 unauthorized error. The access token is issued based on the audience, so you must Make sure to set the scope to your api when you request the token. Of course you can also parse the token, check the aud claim, and make sure it is the api you want to call.
When you expose an api protected by Azure, then you need to set the scope to your custom api, usually api://{api app client id}/scope name, and then you need to add the client application to the api application.
I am new to api gateway development and trying to integrate lambda authorizer to secure the api gateway. I already gone through different documents as mentioned below, but still didn't understand how client have bearer token generated already in the request and how lambda-authorizer validate this token?
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/blob/master/blueprints/python/api-gateway-authorizer-python.py
so far i have created the lambda-authorizer with below code found in the github and have attached the key from the autho account. Then i have attached the authorizer in the api gateway and enabled the same in the 'Method Request'.
After i deployed, i invoked the api via postman, which return: "message": "Unauthorized'
https://github.com/serverless/examples/blob/master/aws-python-auth0-custom-authorizers-api/lambda_handlers.py
Now i confused on what needs to be provided in the request in order to get the response from the Lambda?
Appreciate if anybody can help on this with proper example in order to integrate and test it?
Thanks
Implement JWT Token approach.You will need an authentication provider that will return you the token. Example of authentication provider is Auth0 or you can roll out your own.
The flow would be:
Your client will perform user authentication with this provider. The provider will return the token to your client. The client need to pass the token via Authorization header in your request payload to API Gateway.
API Gateway will call Lambda Authorizer to authorize / validate the token. The Lambda Authorizer code must verify the token with the authentication provider and once authorized will return a policy that allows the API call to be made.