I have a service account that I need to use to access GitHub.
This service account has two-factor authentication enabled.
I do not have access to the UI.
I do have the password for that service account.
I need to create a personal access token and to accept transfer of a GitHub app to this service account.
Is this possible using the GitHub API v4?
There is a feature request pending using the official GitHub CLI gh
Create/Revoke Personal Access Tokens #2531
Proposed solution
Calling gh token create will create a new token and output the token value
Calling gh token revoke will revoke the token passed in
But there is no obvious existing API to create/revoke a PAT, only SSH keys, which could be a workaround, if you can use SSH URLS: the PAT is only needed for HTTPS URLs.
However, for checking an OAuth App token, you do need indeed a token.
Related
I am creating a app on azure and I am using azure data factory as a data integration tool, in my app I want to retrieve data from salesforce using the access token that I generated, the access token was generated by asking the system admin in my app to add his client Id and app secret of a connected app that he creates for my app and then my app uses server-to-server oauth to generate this access token.
However when I configure the salesforce linked service in azure data factory, it asks me for username, password and optional security token as mentioned in this link
salesforce configuration from microsoft docs.
Is the username and password the same as client Id and app secret used to generate the access token ? and if no, how can I use them to integrate with salesforce or there is no way but using another flow.
note: I don't know what is the flow that used username + password with security token.
I just don't want to rewrite my code just for this, so any help would be appreciated.
UPDATE: Microsoft uses username/password flow to generate the access token with salesforce, I don't know why they didn't use another flow because OAuth says that this flow is not recommended for security reasons.
In this case, the username and password should be the credentials of a Salesforce User which will be the one that the system will use to establish the context user. It is common to create an "Integration User" for this purpose in Salesforce.
So basically, the username and password should be the credentials of an active Salesforce User.
I have an secured API student API which I am able to access via OAuth2.0 client credentials flow which creates an access token using IConfidentialClientApplication app and accesses secured app.
Now comes to access the secured API using OAuth 2.0 Resource Owner Password credentials. I have mostly used the code in microsoft github page.
https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2
I am able to sign in using username and password, able to generate access token as well. But this access token is not able to access my secured student API. Though the sample code is able to access the Microsoft graph API, it is not able to access my secured API.
I tried to allow public client flow for my secured student API as well and decrypted both the access tokens to see the difference. There is a lot of difference. What I noticed here is in ROPC flow are using IPublicClientApplication where I am not able to give the ResourceId while acquiring token. So "aud" is different in ROPC token and other fields as well.
Can anyone tell where I may be going wrong or how to fix the above scenario?
I think you may need to perform these 2 steps to get a token valid for your own API:
Expose an API scope in your Azure AD API Configuration
Add an API permission in your Azure AD Password Client Configuration
See step 6 of my Azure AD Blog Post for how this looks. The article also explains some token differences.
I'm creating a Xamarin.forms mobile app with Azure. I have enabled Authentication/Authorization in Azure to protect the APIs in Backend.
What I need is that to ask user to login with Facebook or Google and get some information of the user such as name, email and... and then save this data in a table as user information. I like to ask user just once for login and get the data and I don't need to keep the token provided by Facebook for example and refresh it always (which I red refreshing is not supported by Facebook), but also need to keep the user logged in and has access securely to Backend APIs. I am new in this and completely confused of using Azure AD, facebook and...
What is the best way to do that? I have followed this tutorial and now am able to login with Facebook.
Maybe what you are looking for is Azure AD B2C (Business to Customer), which will provide facilities to allow your customers to create an account for your app, but also login with Facebook (see here) or Google (see here).
Since Azure AD B2C implements OAuth2, integrating it in a Xamarin.Forms app by means of Xamarin.Auth should be possible (see here). Once you have acquired the OAuth2 token, you can include the token in the headers of your HTTP requests in the Authorization header with the Bearer type (see here)
Authorization: Bearer <token>
On the server side you can then validate the token. I have not used Xamarin.Auth with Json Web Tokens (JWT), but maybe you'll be able to retrieve a JWT with Xamarin.Auth, which you'll be able to validate on yourself. Otherwise, if Xamarin.Auth is restricted to access tokens, you might have to contact the authentication server to verify the token. If the token is verified successfully, you can grant the user access, otherwise, answer them with a 401.
I am trying to gather metrics info of azure resources. For that i need an access token to authorize. But to get an access token i have to give client id, client secret, subscription id, tenant id.I was wondering if i could get this access token without giving so many details except username and password of my azure account.
Basically you need the parameters. Azure's APIs are protected by Azure AD so you have to authenticate against it first. If you want to make calls as the user, you still need to authenticate with one of the few ways available. The password grant (as shown in #4c74356b41 answer) is one option, though it is not really recommended. The reason is that if the user's password has expired or has MFA enabled, it won't work.
What you usually do is request the user to login via Azure AD sign-in page (via redirect or web view), and then exchange the resulting authorization code for an access token and refresh token. Then you can make calls against the APIs as the user.
Another option is to register your app in Azure AD and grant its service principal some roles in your Azure subscriptions/resource groups/resources. Then it can authenticate with client credentials (using only its client id and secret + your Azure AD tenant id).
it is possible, but it is considered not safe. And you would still need a lot of parameters:
Name Description
grant_type The OAuth 2 grant type: password
resource The app to consume the token, such as Microsoft Graph, Azure AD Graph or your own Restful service
client_id The Client Id of a registered application in Azure AD
username The user account in Azure AD
password The password of the user account
scope optional, such as openid to get Id Token
Reference:
https://blogs.msdn.microsoft.com/wushuai/2016/09/25/resource-owner-password-credentials-grant-in-azure-ad-oauth/
ps. Don't mind Walter, he is wrong like 50% of the time in his answers.
It really depends on your need and if you want this fully automated or not.
If you want to have a token for a ServicePrincipal, the answer of 4c74356b41 is a great way to do it.
However if you would want to obtain a bearer token for a user (you or another AAD user) that is already authenticated in a PowerShell session, you could do this very easily if you use this piece of code that I wrote.
https://gallery.technet.microsoft.com/scriptcenter/Easily-obtain-AccessToken-3ba6e593
Basically what it does, it fetch the current token from the token cache and return it to you. This way you don't have to deal with clientId, cliendSecret or certificate. I use this all the time when I need to call the Azure REST API on a Just In Time fashion.
I'm trying to create a script which connect to OneDrive (consumer) in order to get some file.
However, between consumer and enterprise and all those different azuread stuff I'm lost.
Is there a simple explanation on how do I get a token to access OneDrive in a daemon app?
To interact with OneDrive for the personal account, we can use the Microsoft Graph via acquiring the token form Azure AD V2.0 endpoint.
However, this endpoint doesn't support such scenario. The client credentials flow for Azure AD v2.0 endpoint only work for the organizational account.
As a workaround, you may consider get the access token and refresh token via the code flow and then using the refresh token to renew the access token. And you need to acquire the refresh token before it is expired. And based on the document the lifetime of refresh token for the personal account is up to 1 year(refer here).
And to acquire the access token and refresh token for OverDrive personal account you can refer the code flow from this document.