Using REST builder I created some API endpoints. I am trying to access them using curl.
$ curl -X GET "http://localhost:8080/o/headless-xxx/v1.0/profile/12345" -H "accept: application/json" -H "x-csrf-token: xxx"
I retrieved the token from the browser after logged in with Liferay.authToken.
I get this error message.
"message" : "Access denied to com.xxx.headless.xxx.internal.resource.v1_0.ClassName#methodName"
I replaced actual names with xxx, ClassName and methodName. They all look correct.
Is there a setting I am missing? Am I authenticating incorrectly?
I was expecting to see the output of the api but I only get the error.
The message Access denied to might also result from a missing Service Access Policy. Please check it in the:
Control Panel -> Configuration -> Service Access Policy
If you have an oauth2 authentication, you could add
com.xxx.headless.xxx.internal.resource.v1_0.ClassName#methodName
or
com.xxx.headless.xxx.internal.resource.v1_0.ClassName#*
to AUTHORIZED_OAUTH2_SAP
I want to connect Superset to a Databricks for querying the tables. Superset uses SQLAlchemy to connect to databases which requires a PAT (Personal Access Token) to access.
It is possible to connect and run queries when I use the PAT I generated on my account through Databricks web UI? But I do not want to use my personal token in a production env. Even so, I was not able to find how to generate a PAT like token for a Service Principal.
The working SQLAlchemy URI is looks like this:
databricks+pyhive://token:XXXXXXXXXX#aaa-111111111111.1.azuredatabricks.net:443/default?http_path=sql%2Fprotocolv1%qqq%wwwwwwwwwww1%eeeeeeee-1111111-foobar00
After checking the Azure docs, there are two ways on how to run queries between Databricks and another service:
Create a PAT for a Service Principal to be associated with Superset.
Create a user AD account for Superset.
For the first and preferred method, I was able to advance, but I was not able to generate the Service Principal's PAT:
I was able to register an app on Azure's AD.
So I got the tenant ID, client ID and create a secret for the registered app.
With this info, I was able to curl Azure and receive a JWT token for that app.
But all the tokens referred in the docs are JTW's OAUTH2 tokens, which does not seems to work with SQLAlchemy URI.
I know it's possible to generate a PAT for a Service Principal since there is a mention on how to read, update and delete a Service Principal's PAT on the documentation. But it has no information on how to create a PAT for a Service Principal.
I prefer to avoid using the second method (creating an AD user for Superset) since I am not allowed to create/manage users for the AD.
In summary, I have a working SQLAlchemy URI, but I want to use a generated token, associated with a Service Principal, instead of using my PAT. But I can't find how to generate that token (I only found documentation on how to generate OAUTH2 tokens).
You can create PAT for service principal as following (examples are taken from docs, do export DATABRICKS_HOST="https://hostname" before executing):
Add service principal into the Databricks workspace using SCIM API (doc):
curl -X POST '$DATABRICKS_HOST/api/2.0/preview/scim/v2/ServicePrincipals' \
--header 'Content-Type: application/scim+json' \
--header 'Authorization: Bearer <personal-access-token>' \
--data-raw '{
"schemas":[
"urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"
],
"applicationId":"<application-id>",
"displayName": "test-sp",
"entitlements":[
{
"value":"allow-cluster-create"
}
]
}'
Get AAD Token for service principal (doc, another option is to use az-cli):
export DATABRICKS_TOKEN=$(curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&client_id=<client-id>&resource=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d&client_secret=<application-secret>' \
https://login.microsoftonline.com/<tenant-id>/oauth2/token|jq -r .accessToken)
Generate token using the AAD Token (doc):
curl -s -n -X POST "$DATABRICKS_HOST/api/2.0/token/create" --data-raw '{
"lifetime_seconds": 100,
"comment": "token for superset"
}' -H "Authorization: Bearer $DATABRICKS_TOKEN"
I am attempting to retrieve user details via the graph API Go SDK. I have a daemon application which has been setup with adequate permissions that I have validated via curl as shown below:
Get token
curl \
-X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
--data 'client_id={client_id}&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret={client_secret}&grant_type=client_credentials' \
https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
Request
curl -X GET \
-H "Authorization: Bearer XYZ...." \
"https://graph.microsoft.com/v1.0/users"
I successfully get a list of users.
However, when I attempt this via the Go SDK it fails.
I have set the required environment variables for authentication as per https://github.com/Azure/azure-sdk-for-go#more-authentication-details:
- `AZURE_TENANT_ID`: Specifies the Tenant to which to authenticate.
- `AZURE_CLIENT_ID`: Specifies the app client ID to use.
- `AZURE_CLIENT_SECRET`: Specifies the app secret to use
Code
func main() {
authorizer, err := auth.NewAuthorizerFromEnvironment()
if err != nil {
fmt.Println(err)
}
client := graphrbac.NewUsersClient(os.Getenv("AZURE_TENANT_ID"))
client.Authorizer = authorizer
if _, err := client.List(context.Background(), "", ""); err != nil {
fmt.Println("list users", err)
}
}
Error
list users graphrbac.UsersClient#List: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authentication_MissingOrMalformed","message":{"lang":"en","value":"Access Token missing or malformed."}}}]
The documentation here to me suggests that the authentication and token is handled by the auth package.
Update 1
I ran it debug mode by setting AZURE_GO_SDK_LOG_LEVEL=DEBUG and found that the GET request URL is different to what I used in my curl command:
(2020-06-16T15:31:49.3790420+10:00) INFO: REQUEST: GET https://graph.windows.net/{tenant_id}/users?api-version=1.6
User-Agent: Go/go1.13.11 (amd64-darwin) go-autorest/v14.1.1 Azure-SDK-For-Go/v43.2.0 graphrbac/1.6
Authorization: **REDACTED**
(2020-06-16T15:31:50.5191120+10:00) INFO: RESPONSE: 401 https://graph.windows.net/{tenant_id}/users?api-version=1.6
If I use that URL in my curl command I get:
{"odata.error":{"code":"Authentication_ExpiredToken","message":{"lang":"en","value":"Your access token has expired. Please renew it before submitting the request."}}}%
It seems the sdk uses azure ad graph api but not microsoft graph api in the backend.
Azure AD graph api shows like: https://graph.windows.net/{tenant_id}/users?api-version=1.6
Microsoft graph api shows like: https://graph.microsoft.com/v1.0/users
So you need to add the azure ad graph permissions for the application registered in your azure ad, but not add the microsoft graph permissions. Please add the permission by following the steps below:
1. Go to your application in your azure ad and click "API permissions" --> "Add a permission" --> "Azure Active Directory Graph".
2. Add the "Directory" permission.
3. Don't forget grant admin consent for it.
It seems that ADAL is already deprecated although MSAL is not yet ready (in an SDK).
Azure Console:
microsoft-authentication-library-for-go:
Which means that #hury-shen answer is still valid.
I have created a resource for Azure API for FHIR Server. I am able to get see the metadata information using the URL like https://fhir-server-url/metadata. As mentioned in the documentation https://learn.microsoft.com/en-us/azure/healthcare-apis/access-fhir-postman-tutorial to access other URLs like https://fhir-server-url/Patient, we need to get the Authorization token first. To get the authorization token we need ClientID which we can get by creating an application in Azure Active Directory. But I don't have access to it.
Is there any way I could access this URL without requiring the authorization token? By making some setup in Azure Portal.
If you are using the first party audience (e.g. https://azurehealthcareapis), which is the default when deploying the Azure API for FHIR, you can actually use a first party client application such as the Azure CLI to get a token. Check https://learn.microsoft.com/azure/healthcare-apis/get-healthcare-apis-access-token-cli for details.
First log in with the Azure CLI (https://learn.microsoft.com/cli/azure/?view=azure-cli-latest) :
az login
Get a token and store it
token=$(az account get-access-token --resource=https://azurehealthcareapis.com | jq -r .accessToken)
Use the token:
curl -X GET --header "Authorization: Bearer $token" https://<FHIR ACCOUNT NAME>.azurehealthcareapis.com/Patient
It looks like from the FHIR Server Doc you can turn this on or off based on the FhirServer:Security:Enabled config setting see https://github.com/microsoft/fhir-server/blob/master/docs/Authentication.md
"FhirServer" : {
"Security": {
"Enabled": true,
"Authentication": {
"Audience": "fhir-api",
"Authority": "https://localhost:44348"
}
}}
One way is to get your app registration in Azure Active Directory(AAD).
You would need two app registrations in AAD to get client Id & client secret for authorization token retrieval.
I want to use Groovy, HttpBuilder and REST API to access our company's onsidte GitHub appliance.
The GitHub developer's site: https://developer.github.com/v3/, shows this URL: https://api.github.com. So if my company's GitHub URL is: http://github.mycompany.com, what is my REST API endpoint URL? e.g. if I want to list all users, what's the correct URL?
When I access this URL: https://github.mycompany.com/api/v3, it gives me an error:
github.mycompany.com refused to connect.
ERR_CONNECTION_REFUSED
According to "API Enterprise 2.5":
All API endpoints—except Management Console API endpoints—are prefixed with the following URL:
https://hostname/api/v3/
But you need to authenticate:
Authentication
Your Enterprise installation's API endpoints accept the same authentication methods as the GitHub.com API. Specifically, you can authenticate yourself with OAuth tokens (which can be created using the Authorizations API) or basic authentication.
Every Enterprise API endpoint is only accessible to GitHub Enterprise site administrators, with the exception of the Management Console API, which is only accessible via the Management Console password.
TLTR; These are the endpoints
+----+------------------------------------------+--------------------------------+
| | Enterprise | GitHub |
+----+------------------------------------------+--------------------------------+
| v3 | https://[YOUR_HOST]/api/v3 | https://api.github.com |
| v4 | https://[YOUR_HOST]/api/graphql | https://api.github.com/graphql |
+----+------------------------------------------+--------------------------------+
Examples
Here you have some examples in case you want to try them. You'll need to create an ACCESS_TOKEN
Enterprise
curl -H "Authorization: bearer [ACCESS_TOKEN]" https://[YOUR_HOST]/api/v3/organizations
curl -H "authorization: bearer [ACCESS_TOKEN]" https://[YOUR_HOST]/api/graphql -d "{\"query\": \"query { viewer { login } }\"}"
GitHub
curl -H "Authorization: bearer [ACCESS_TOKEN]" https://api.github.com/organizations
curl -H "authorization: bearer [ACCESS_TOKEN]" https://api.github.com/graphql -d "{\"query\": \"query { viewer { login } }\"}"
If you are not using https, it's "http://github.mycompany.com/api/v3/".
You're getting that message because the request is not authenticated.
First you have to figure out what kind of auth your server accepts and then incorporate that into the header or the (query string) of your request.
For example, this is how I get a list (using the header approach) of organizations I can access:
`url -k -H "Authorization: token xxxxxx...xxx" \ https://git.acme.com/api/v3/organizations`
Note that xxxxx...xxx is a place holder for a personal access token I created with read-only access to my repos. The docs refer to this as OAUTH_TOKEN. You can opt for inserting the token as a query string. In neither case do you have to enter a user name because the server figures that out from the token.
if you need https://github.com/google/shaka-player it would be
https://api.github.com/repos/google/shaka-player
more info at https://api.github.com/
"current_user_url": "https://api.github.com/user",
"current_user_authorizations_html_url": https://github.com/settings/connections/applications{/client_id}",
"authorizations_url": "https://api.github.com/authorizations",
"code_search_url": "https://api.github.com/search/code?q={query}{&page,per_page,sort,order}",
"commit_search_url": "https://api.github.com/search/commits?q={query}{&page,per_page,sort,order}",
"emails_url": "https://api.github.com/user/emails",
"emojis_url": "https://api.github.com/emojis",
"events_url": "https://api.github.com/events",
"feeds_url": "https://api.github.com/feeds",
"followers_url": "https://api.github.com/user/followers",
"following_url": "https://api.github.com/user/following{/target}",
"gists_url": "https://api.github.com/gists{/gist_id}",
"hub_url": "https://api.github.com/hub",
"issue_search_url": "https://api.github.com/search/issues?q={query}{&page,per_page,sort,order}",
"issues_url": "https://api.github.com/issues",
"keys_url": "https://api.github.com/user/keys",
"label_search_url": "https://api.github.com/search/labels?q={query}&repository_id={repository_id}{&page,per_page}",
"notifications_url": "https://api.github.com/notifications",
"organization_url": "https://api.github.com/orgs/{org}",
"organization_repositories_url": "https://api.github.com/orgs/{org}/repos{?type,page,per_page,sort}",
"organization_teams_url": "https://api.github.com/orgs/{org}/teams",
"public_gists_url": "https://api.github.com/gists/public",
"rate_limit_url": "https://api.github.com/rate_limit",
"repository_url": "https://api.github.com/repos/{owner}/{repo}",
"repository_search_url": "https://api.github.com/search/repositories?q={query}{&page,per_page,sort,order}",
"current_user_repositories_url": "https://api.github.com/user/repos{?type,page,per_page,sort}",
"starred_url": "https://api.github.com/user/starred{/owner}{/repo}",
"starred_gists_url": "https://api.github.com/gists/starred",
"topic_search_url": "https://api.github.com/search/topics?q={query}{&page,per_page}",
"user_url": "https://api.github.com/users/{user}",
"user_organizations_url": "https://api.github.com/user/orgs",
"user_repositories_url": "https://api.github.com/users/{user}/repos{?type,page,per_page,sort}",
"user_search_url": "https://api.github.com/search/users?q={query}{&page,per_page,sort,order}"