Develop Reference

Use nest-keycloak-connect with Client Id and Secret approach

New to keycloak, was able to get access_token with Client Id and Secret setup as credentials for a client but backend side always gives me:
WARN [Keycloak] Cannot validate access token: Error: Grant validation failed. Reason: failed to load public key to verify token. Reason: Expected "jwk" to be an Object
Digged a bit into it and found that it tried to find a matching kid from the list of kids returned by the /auth/realms/myrealm/protocol/openid-connect/certs
Checked that the kid in the jwt.headers(from the access_token i passed) indeed does not exist in the kids list provided by the /auth/realms/myrealm/protocol/openid-connect/certs response.
Is there a way to add the kid into the list to make it available for on the nestjs backend?
What would be suggested here? Forget about this credentials type?
Thanks in advance, any suggestions would be appreciated.

handling stripe webhook in multiple stripe account laravel

I've multiple stripe account on my site, and each stripe account is associated with a webhook.
My webhook is returning 403 Error "No signatures found matching the expected signature for payload"
i've checked the Cashier middleware and its getting the webhook secret key from the env file.
Since this project attached to multiple stripe account, we can't store the webhook secret in env file. so, we're placing the webhook secret key of each stripe account in a table.
I would like to get the secret key from database instead of this config file.
Is it possible to listen to multiple stripe account's webhook?
Any help will be appreciated.

I am not sure if this is a good approach but you can:
Send meta data in the checkout which gets posted to the web hook
Get the raw json posted by the web hook before you use the web hook key to validate that the post was from Stripe. Stripe.Net contains a parse method and a construct method. Parse does not require the key. Construct uses the key to validate the post was from Stripe.
So with Stripe.net:
string endpointSecret;
// get the json posted
var json = await new
StreamReader(HttpContext.Request.Body).ReadToEndAsync();
// convert the json into a stripe event object
var objStripeEvent = EventUtility.ParseEvent(json);
if (objStripeEvent.Type == Events.CheckoutSessionCompleted)
{
// get the session object and see if it contains the Meta data we passed
// in at checkout
var session = objStripeEvent.Data.Object as Session;
var met = session.Metadata;
if (met.ContainsKey("FranchiseGuid"))
{
// if the meta data contains the franchise guid get the correct
// wh secret from the DB
var FranchiseGuid= new Guid(met["FranchiseGuid"]);
endpointSecret = _repo.GetWebHookSecret(FranchiseGuid);
}
}
// Then you can go on to use the Construct method to validate the post with the correct key for the Stripe account where the web hook is based.
try
{
// check if was from Stripe
var stripeEvent = EventUtility.ConstructEvent(
json,
Request.Headers["Stripe-Signature"],
endpointSecret);
---- etc
I've requested help on this from Stripe support but they have promised to get back to me. I'll test out the above to see if it works. I don't think it's ideal though because if a hacker were able to get a valid franchise guid they could possibly fake posts and spam the endpoint. It would not be easy to guess a guid and these id's are not available in any way publicly. Plus https is used. But it still makes me nervous because the franchise guid would be one of a dozen or more. Not like a booking guid which is generated and sent once for the booking that is marked as paid. The franchise guid would be sent every time a payment was made for that franchise.
I think what I may do is use the booking guid since this is randomly generated for every booking. I can join to the franchise table from the booking and get the web hook secret.
We'll see if Stripe come back with something useful.

SharePoint API: Invalid Access Token Resource

I am trying to obtain an access token for use with the SharePoint Rest API. For my organizations base site. I am able to obtain a token and use that token to make subsequent requests successfully.
Next, I followed the same process and created more app permissions for a different site: {{tenant removed}}/sites/testsite. I was initially unable to create the request for the token because the resource parameter was not valid (see image below):
Per the URI encoding standards, I replaced the "/" in the site url with "%2f" and I am able to get a token (see image below):
Next however, the requests using that token to the API fail:
{
"error_description":
"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
}
In the response header:
3000003;reason="Invalid audience Uri
'00000003-0000-0ff1-ce00-000000000000/{{tenant
removed}}%2fsites%2f{{removed}}#{{realm
removed}}'.";category="invalid_client"
Did I encode the resource incorrectly? What am I missing? How can I use this method to get information from the other site?

I can see many developers making the same assumption when they create requests, since almost all documentation don't point out this scenario. You will be able to obtain a token for the site successfully as long as the resource is in a valid uri format, there is no validation done on the uri itself. Even if you get a token it will not work for any requests.
When fetching the access token for subsites (i.e: {{tenant}}/sites/testsite ). The resource part of the request body does not need to be modified.
So, for example, when you are getting a token for test.sharepoint.com/sites/testsite the resource of the request body should just be:
00000003-0000-0ff1-ce00-000000000000/test.sharepoint.com#{{realm}} (without /sites/testsite)
However, when you make HTTP requests to the API with the token, you should use the full site name. Example:
https://test.sharepoint.com/sites/testsite/_api/web/

Apple sign in, authorize method returns name only first time

Implementing Apple sign in in a web app (old fashion ASP.NET, but it doesn't matter - the question can be treated as simple HTML/JS POC), calling method authorize on Apple endpoint:
https://appleid.apple.com/auth/authorize?client_id=...&redirect_uri=...&response_type=code%20id_token&state=...&response_mode=form_post&scope=name%20email
I want to get the user's first and last name.
Method returns something like this:
{
"state": "xxx",
"code": "yyy",
"id_token": "zzz",
"user": {
"name": {
"firstName":"John",
"lastName":"Doe"
},
"email":"example#privaterelay.appleid.com"
}
}
id_token is JWT which consists of user's apple ID and email, there is no data regarding name or surname.
As you can see, I can get name and surname from the user property. That's the only way known to me.
The problem is, Apple returns this data only the first time I request it. It's not a bug, it's a feature: https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple :
Important
Apple only returns the user object the first time the user authorizes
the app. Persist this information from your app; subsequent
authorization requests won’t contain the user object.
So I store this data for later in the workflow, I will store it in database.
Now my problem/question:
When user deletes their account, I delete all their data from db (I have to, because of the contract, law etc).
When the user registers again through Apple sign in, I ping Apple endpoint, and I don't get user data (including name and surname) any more (because of the Apple policy quoted above)!
What should I do to get it?

I'm doing apple sign-in back-end part, faced the similar issue.
For IOS 13+
SDK provides apple user uuid, email and name for the first authorize request.
We are mapping this unique apple_user_uuid with the profile details in DB.
(In case of request failures, you can ask back-end to put this in queue and app should keep this in cache until back-end call is successful).
For ANDROID/WEB Flow/IOS Below 13
For the first time in apple callback, it sends us the name with a one time code (5 minute expiry).
Using this code when we call token API, it provides us id_token JWT.
In token the subject is apple_user_uuid.
Persist it in the same table.
So now in back-end you will always have email,firstName, lastName tagged with apple_user_uuid, which remains constant for an apple id.
And don't delete this mapping if the user deletes your account. Until apple provides a fix.

Unable to generate a jwt token using DocuSign Python code

I am using docusign for digital signature , where I have to create a jwt token. For this I have been using code from git repo https://github.com/docusign/docusign-python-client.
docusign version 3.1.0 , python version 3.5 and 3.6 in sandbox mode .
getting following error
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='https', port=443): Max retries exceeded with url http://account-d.docusign.com/oauth/token (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -2] Name or service not known',))
i have followed the curl request using following url JSON Web Token (JWT) Grant
got an application token and while passing in auth giving me 401(401 UNAUTHORIZED
) error
postman
claim = {"iss": '4556e2f7-4a3d-41f9-a0c3-18535a28ab2a', "aud": 'account-d.docusign.com', "iat": now, "exp": later, "scope": " ".join(scopes)} token = jwt.encode(payload=claim, key=pkey, algorithm='RS256').decode("utf-8")
i getting application token using above code but when i pass all the required parameter i got {"error":"invalid_grant","error_description":"no_valid_keys_or_signatures"} but when i pasted my jwt token in jwt.io with my public and privte key its says signature verified.
I have added the links of screenshots, that might also help to understand more about the problem.
https://ibb.co/2yKXNCW https://ibb.co/cFTk6R1 https://ibb.co/t3YMkr2

The concept is to generate a key with 3 elements (Header RS256 Algorith, the Payload Data that contains the application date and token validity and the private and public key. On the site jwt.io we will put all this information and the site will retour an Base64 Key we can further entered on
Open the JWT.IO site jwt.io
Choose Algorithm RS256 on the top
For the second Pane : “Payload: Data”
https://admindemo.docusign.com/apps-and-keys
iss :
The integration key (also known as client ID) of the application.
sub : The User ID of the user to be impersonated.
(The person granting permission must have a DocuSign user account.)
The provided User ID must be in GUID (not email) format. You can look up a user’s GUID from their email using the users.list method.
Note: If you don’t already have the User ID of the user to act on behalf of, you can obtain it by completing the Authorization Code Grant flow begun in the Request the authorization code step.
https://admindemo.docusign.com/apps-and-keys -> Apps and Keys ->
aud : The URI of the authentication service instance to be used.
For demo environments, use account-d.docusign.com.
For production environments, use account.docusign.com.
Important: Do not include https:// in the aud value!
iat : The date-time when the JWT was issued
in Unix epoch format. You must include an iat value when creating a JWT, typically set to the current time.
You can convert a date to linux epoch format with the following link : https://www.epochconverter.com/
exp: The date-time when the JWT assertion will expire
in Unix epoch format. Defaults to one hour from the value of iat and cannot be set to a greater value. You must include an exp value when creating a JWT.
Use the epoch https://www.epochconverter.com/
⚠ Please note that this value must not be too far in time, in our example we are using 14 years of validity.
scope : The scopes to request. In our example “signature impersonation”.
All the scopes are defined on the following site https://developers.docusign.com/platform/auth/reference/scopes/
{
"iss":"ea670856-0422-4d8e-99bd-80560d323639",
"sub":"917c9fc5-d615-43bb-8a28-87e7ede3b8ac",
"aud":"account-d.docusign.com",
"iat": 1628496664,
"exp":1912493464,
"scope":"signature impersonation"
}
For the Pane “Verify Signature”
https://admindemo.docusign.com/apps-and-keys -> Actions -> Edit
… -> Click on “Generate RSA”
Select the Public and Paste it on the section
And make the same for the public key. If everything is OK, you must have the Tag “Signature Verified” at the left of the document, see the picture bellow.
For the final step, you obtain the key for stating using the API
Go to Postman
https://www.postman.com/use-cases/api-testing-automation/
Sign in (for me with my google account)
You must fille the following values
Select “Post”
Put the API Value : https://account-d.docusign.com/oauth/token
Click on the “Body” section
Add the key “grant_type”
Add the value “urn:ietf:params:oauth:grant-type:jwt-bearer” for the key “grant_type”
Add the key “assertion”
Add the generate value from the site jwt on the previous steps
Finally Click on Send for obtain the “access_token” necessary the the further call.
[enter image description here][1]

Here are the things that you must ensure:
You have an Integration key (clientID) that is configured correctly.
You have an RSA Private key. that key was copied/pasted exactly as given to your configuration file. New lines must be preserved
Your URLs are matching the environment. Meaning you use account-d and demo.docusign.net for the sandbox env endpoints.
You need the userId which is a GUid for the user that would be impersonated. That user must consent to the application. You have to ensure you pass userId and not accountId and that it is for the same account that you would be using.
If you confirm all of this and still get an error - I would consider to use our code example to start. I don't see code in your question, but our code example should be a good way to start.