I have created an instance of Azure API for FHIR with an Azure FHIR proxy following this tutorial:
https://github.com/microsoft/health-architectures/tree/master/FHIR/FHIRProxy##configuration
I am able to browse to the proxy URL through a browser after being prompted to log in to view the metadata as shown below:
FHIR Meta data image
However, when trying to access it through the Postman API tool I keep getting the same error:
You do not have permission to view this directory or page.
I have tried generating an authorization Bearer token using the following:
curl --location --request GET 'https://login.microsoftonline.com/{TENANT_ID}/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--form 'grant_type="client_credentials"' \
--form 'client_id="{CLIENT_ID}"' \
--form 'client_secret="{CLIENT_SECRET}"' \
--form 'resource="{MY PROXY RESOURCE ID}"'
The authorization token looks fine, but when adding it to my API call it errors as shown below:
API error image
Does anyone have any idea how I can successfully call my API with a proper authorization token that works or know a tutorial that actually explains this part of the process?
The tutorial does not give much information.
EDIT:
WWW-authenticate-header:
Bearer realm="func-fhir-proxy-2.azurewebsites.net" authorization_uri="https://login.windows.net/000000/oauth2/authorize" resource_id="0000"
Thanks
I have a token with computer vision included in the scope and audience. But when I send an OCR request it always returns "Unauthorized. Access token is missing, invalid, audience is incorrect or have expired". What is wrong with my code?
curl --location --request POST 'https://westeurope.api.cognitive.microsoft.com/vision/v3.0/ocr' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer myToken' \
--data-raw '{"url":"imageUrl"}'
Please just try the request below to get an access token from Azure AD for the vision OCR service:
I was trying to Configure Microsoft Azure AD for External OAuth as per the Snowflake tutorial: https://docs.snowflake.com/en/user-guide/oauth-azure.html
The configuration steps went ahead without a hitch and I was able to use the final step: https://docs.snowflake.com/en/user-guide/oauth-azure.html#testing-procedure to obtain the access token from AAD.
However, when I tried to use the access token with Snowflake using a JDBC driver, I obtained the error: "net.snowflake.client.jdbc.SnowflakeSQLException: Invalid OAuth access token."
The Snowflake integration created is of the form:
create security integration ext_oauth_azure_ad
type = external_oauth
enabled = true
external_oauth_type = azure
external_oauth_issuer = '<issuer-url>'
external_oauth_jws_keys_url = '<keys-url>/discovery/v2.0/keys'
external_oauth_audience_list = ('https://<app-id-uri>')
external_oauth_token_user_mapping_claim = 'upn'
external_oauth_snowflake_user_mapping_attribute = 'login_name'
external_oauth_any_role_mode = 'ENABLE';
I tried playing around with this config by changing the external_oauth_token_user_mapping_claim to email since that was the attribute in the decoded JWT access token that matched the login_name but to no avail.
The scope provided in AD is the session:role-any which should be valid for any scope.
Not sure how to proceed post this.
Edit:
The command used to obtain access token is:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --data-urlencode "client_id=<ad-client-id>" --data-urlencode "client_secret=<ad-client-secret>" --data-urlencode "username=<ad-user-email>" --data-urlencode "password=<my-password>" --data-urlencode "grant_type=password" --data-urlencode "scope=<scope-as-in-ad>" 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token'
Update:
Tried using the command:
select system$verify_external_oauth_token('<access_token>');
to validate if the token was valid in Snowflake and obtained the result:
Token Validation finished.{"Validation Result":"Failed","Failure Reason":"EXTERNAL_OAUTH_INVALID_SIGNATURE"}
This is strange because I have added the correct issuer based on the configuration step (entityId from the Federation metadata document).
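A diagnostic sketch for the FHIR proxy, Computer Vision and Snowflake questions above, added here and not part of any of the original posts: it decodes a token's claims without verifying the signature and compares `aud`, `iss`, `exp` and the user-mapping claim with what the resource expects. It assumes the proxy expects `aud` to equal the `resource_id` in its challenge; the function names, the claims and the issuer value are constructed for the example.

```python
import base64
import json
import re
import time

def parse_bearer_challenge(header):
    """Return the key="value" parameters of a WWW-Authenticate Bearer challenge."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))

def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(claims, audience, issuer=None, user_claim=None, now=None):
    """List mismatches between a token's claims and what the resource expects."""
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not match expected {audience!r}")
    if issuer is not None and claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} does not match {issuer!r}")
    if user_claim is not None and user_claim not in claims:
        problems.append(f"user-mapping claim {user_claim!r} is absent")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# The challenge is the one quoted in the first question; the claims are constructed.
CHALLENGE = ('Bearer realm="func-fhir-proxy-2.azurewebsites.net" '
             'authorization_uri="https://login.windows.net/000000/oauth2/authorize" '
             'resource_id="0000"')
SAMPLE_CLAIMS = {"aud": "https://management.azure.com/",
                 "iss": "https://login.microsoftonline.com/000000/v2.0",
                 "email": "user@example.com", "exp": 1700003600}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256"}), _b64url(SAMPLE_CLAIMS), "sig-omitted"])

if __name__ == "__main__":
    expected = parse_bearer_challenge(CHALLENGE)["resource_id"]
    for line in diagnose(decode_claims(SAMPLE_TOKEN), expected,
                         issuer="https://sts.windows.net/000000/",
                         user_claim="upn", now=1700000000):
        print(line)
```

Decoding this way only shows what the token claims; the resource server still has to verify the signature against the issuer's published keys.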
I have created an Azure Data Factory pipeline which has multiple pipeline parameters, which I need to enter every time the pipeline is triggered. Now I want to trigger this pipeline from Postman on my local system, and I need to pass parameters to the pipeline from post.
Do you really need to use Postman? I've posted examples of doing this with PowerShell and with Python.
Powershell: How to pass arguments to ADF pipeline using powershell
Python: https://gist.github.com/Gorgoras/1fe534fd9b454412f81c8203c773c483
If your only option is to use the rest api, you can read about it and get some examples here: https://learn.microsoft.com/en-us/azure/data-factory/quickstart-create-data-factory-rest-api
Hope this helped!!
You can trigger Azure Data Factory via a policy in API Management.
I've added a sample here: https://github.com/Azure/api-management-policy-snippets/blob/master/examples/Trigger%20Azure%20Data%20Factory%20Pipeline%20With%20Parameters.policy.xml
Azure Docs doesn't provide examples of how to pass a parameter, which I find weird. Also, nowhere else on the internet have I found an example of how to pass multiple parameters via the REST API. I guess most people use ADF shell or a Python script to trigger it.
Anyway, if someone else stumbles on the same question then here's the solution (which is quite simple).
Firstly, create an Azure App Registration and generate a client ID and client secret value.
Authenticate via the REST API to get the Bearer token:
curl --location --request POST 'https://login.microsoftonline.com/${TENANT_ID}/oauth2/token' \
--form 'grant_type="client_credentials"' \
--form 'client_id="${CLIENT_ID}"' \
--form 'client_secret="${CLIENT_SECRET_VALUE}"' \
--form 'resource="https://management.azure.com/"'
The response will contain a Bearer token; use it to trigger the pipeline. Replace the subscription ID, resource group name, and ADF name.
curl --location --request POST 'https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.DataFactory/factories/${ADF_NAME}/pipelines/trigger-pipeline-from-rest/createRun?api-version=2018-06-01' \
--header 'Authorization: Bearer ${BEARER_TOKEN}' \
--header 'Content-Type: application/json' \
--data-raw '{
"date":"2022-08-22",
"param1":"param1 value",
"param2":"some-value"
}'
Note: The app should have contributor access to ADF to trigger the pipeline.
I can't upload images to my Imgur account because of a 400 forbidden response.
I tried many times to upload images to my Imgur account in China, but it failed every time with a 400 response, like:
{
"data": {
"error": "These actions are forbidden."
},
"success": false,
"status": 400
}
Here are my steps:
Register an application
(1) Request https://api.imgur.com/oauth2/addclient in browser, then add a callback redirect URL.
(2) Getting client id and secret.
Do authorization and get token
In "https://api.imgur.com/oauth2", it shows three response_type values: code, token, and pin.
But I can only use the token type to get the access token and refresh token directly. If I use the code or pin type to do authorization and then request a token with Postman, I get a 400 error, "These actions are forbidden."
So here is how I request an access code using response_type with token.
(1) Enter the following URL in the web browser and allow the application to connect with my account.
https://api.imgur.com/oauth2/authorize?response_type=token&client_id=xxxx&state=state
(2) Then get the access token and refresh token from the redirect URL:
https://app.getpostman.com/oauth2/callback?state=state#access_token=xxx&expires_in=315360000&token_type=bearer&refresh_token=xxx&account_username=xxx&account_id=xxx
Upload image
(1) Until now, I can simply use Postman to upload an image.
(2) The related curl command generated by Postman looks like this:
curl --request POST \
--url https://api.imgur.com/3/image \
--header 'Authorization: Bearer xxxx' \
--header 'Postman-Token: 7edabb12-7f1f-4f30-9e9b-e87ad1cae0ee' \
--header 'cache-control: no-cache' \
--header 'content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' \
--form image=#/xxx/xxx/IMG_3310.JPG
I tried to upload images of different sizes, on different machines, using different IP addresses in China or the USA, but failed.
I also don't know why I can't use code or pin to exchange for a token.
Maybe your images are too large.
I've been trying to upload a 12MB GIF on there and it always gave back 400. Then I tried cutting it and then uploading another under 5.7MB size, and it worked.
I'd suggest looking into the territory of what imgur supports and allows as content, not just authentication and stuff.
I'm working on creating an Outlook Add-in using this architecture.
I'm trying to handle the scenario where the Azure Active Directory access token expires. According to the official documentation, the token's lifetime is 1 hour.
So I was thinking about changing the token's lifetime as described in this question. But I cannot do so, as I don't have the right to edit Azure policies. Also, I believe there is a cleaner way to test this scenario.
How can I test/debug this scenario?
Whenever your access token expires you can use your refresh token to exchange for a new access/refresh token pair. The refresh token has a maximum inactivity time of 90 days.
You can get a refresh token in your result when requesting an access token by specifying offline_access in the scope parameter of the request.
curl --location --request POST 'https://login.microsoftonline.com/common/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={clientid}' \
--data-urlencode 'refresh_token={refreshtoken}' \
--data-urlencode 'redirect_uri={redirect_uri}' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'client_secret={client_secret}'
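One way to exercise the expiry path without changing the tenant's token lifetime, as an added example that is not part of the original answer: the clock and the HTTP call are injected, so a test can jump past the one-hour lifetime instead of waiting for it. `TokenSession`, `FakeEndpoint` and `simulate_expiry` are hypothetical names and the client values are constructed; the request parameters mirror the curl command above.

```python
import time
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"

class TokenSession:
    """Caches an access token and refreshes it shortly before it expires."""
    def __init__(self, client_id, client_secret, redirect_uri, refresh_token,
                 post, clock=time.time, skew=60):
        self.params = {"client_id": client_id, "client_secret": client_secret,
                       "redirect_uri": redirect_uri}
        self.refresh_token = refresh_token
        self.post, self.clock, self.skew = post, clock, skew
        self.access_token, self.expires_at = None, 0.0

    def token(self):
        """Return a usable access token, refreshing it when (nearly) expired."""
        if self.access_token is None or self.clock() >= self.expires_at - self.skew:
            body = urlencode({**self.params, "grant_type": "refresh_token",
                              "refresh_token": self.refresh_token})
            reply = self.post(TOKEN_URL, body)  # parsed JSON token response
            self.access_token = reply["access_token"]
            # A new refresh token may come back with the response; keep the latest.
            self.refresh_token = reply.get("refresh_token", self.refresh_token)
            self.expires_at = self.clock() + int(reply["expires_in"])
        return self.access_token

class FakeEndpoint:
    """Constructed stand-in for the token endpoint; records each request body."""
    def __init__(self):
        self.calls = []
    def __call__(self, url, body):
        self.calls.append(body)
        n = len(self.calls)
        return {"access_token": f"at-{n}", "refresh_token": f"rt-{n}",
                "expires_in": 3600}

def simulate_expiry():
    """Drive a fake clock across the one-hour lifetime (constructed values, no network)."""
    now = [1_000_000.0]
    endpoint = FakeEndpoint()
    session = TokenSession("cid", "secret", "https://localhost/cb", "rt-0",
                           post=endpoint, clock=lambda: now[0])
    first = session.token()    # no cached token yet: one refresh call
    now[0] += 1800
    cached = session.token()   # 30 minutes in: served from cache
    now[0] += 1800
    renewed = session.token()  # lifetime elapsed: refresh again
    return first, cached, renewed, endpoint.calls
```

In the add-in itself, `post` would wrap the real HTTP client and `clock` would stay at its default.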