I'm trying to make a GitHub App that can view the private repositories and members of my organization that it's installed on. It has read access to "checks, members and metadata" on the installed apps page of the organization.
I can use the request curl -i -H "Authorization: token {token}" -H "Accept: application/vnd.github.machine-man-preview+json" https://api.github.com/installation/repositories to list the repositories and that seems to work, although I don't have private repositories on it right now to verify, but it does list the public ones.
However I can't seem to find an endpoint that lists the organization's private members for the installation, which is what I'm authenticated as. https://api.github.com/orgs/{org}/members shows just the public members of my organization, and if I try /members/{private member} I get a 302, which means my app is not a member of the organization. What am I doing wrong?
The access will be granted to user who is registered with the specific organization and similarly the application needs to have scope to access.
Refer scope in Organization Settings->Developer Settings-> Personal Access Tokens
Please find the reference below which are tested GITHUB APIs, please change the endpoint urls as per below suggestions.
Note: replace <> with your appropriate email, org details accordingly.
For accessing all the members(public & private):
curl -u "<user email address>" https://api.github.com/orgs/<organization name>/members
For accessing all the repos(public & private):
curl -u "<user email address>" https://api.github.com/orgs/<organization name>/repos?type=all
Related
Is there any way to allow user to get access of stream URLs and embed code of only one application and restrict access to other applications?
Yes, you can restrict your specific user. You just need to create a user according to below CURL command or Ant Media Server Dashboard Users section in Settings tab.
curl -X POST -H "Content-Type: application/json" -d '{"email": "test", "password": "testtest", "scope": "system", "userType": "ADMIN"}' "https://{YOUR_SERVER_ADDRESS}:5443/rest/v2/users"
Note: scope parameter can be system or specific application name such as LiveApp. If you use LiveApp, user will have permission only for LiveApp. system can access each application scope.
userType parameter can be ADMIN, USER or READ-ONLY.
Check this guide for more detail.
Design
Goal
Get calendar events for a given user.
Requirements
Application should have access to the MS Graph API.
Application should act like a daemon/background process and not depend on user's login.
Application should have access to the minimal number of users' data in the Azure Active Directory (AAD).
Application should be able to fetch user's calendar events and create them.
Implementation / Setup
to fulfill (1) Azure (Enterprise) App was created as described here.
to enable (2) client credentials flow was used with the setup of application permissions
to meet (3) a security group - as described here - was created with a limited number of users with the related policy that included related permissions (see here). The group was later connected to the app following this instruction.
to implement (4) the Calendar.Read and Calendar.ReadWrite as required by the actions here and here were added to the policy mentioned in the previous setup step.
Testing
Two HTTP requests were used: one to get the token and another to read events.
token request from the Identity Platform
curl --location --request POST 'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token' \
--data-raw 'client_id=<APPLICATION_TOKEN>&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=<APPLICATION_SECRET>&grant_type=client_credentials'
Upon inspection of the token here I see that it contains required permissions:
"roles": [
"Calendars.Read",
"Calendars.ReadWrite"
]
fetch request of the calendar events from Graph API
curl --location --request GET 'https://graph.microsoft.com/v1.0/users/<USER_ID>/calendar/events' \
--header 'Authorization: Bearer <TOKEN>'
results in the following error:
{
"error": {
"code": "ResourceNotFound",
"message": "User not found",
"innerError": {
"date": "2022-02-08T08:25:39",
"request-id": "bfaca1f9-e79b-491c-8d75-5a62317e299b",
"client-request-id": "bfaca1f9-e79b-491c-8d75-5a62317e299b"
}
}
}
The user id is from my account that I found in the Azure Active Directory details of the Azure Tenant. I double-checked that after adding other users.
Before-asking investigation
This issue looks closest to my case as it uses the client credentials auth flow. But it uses global permissions for all users in the AAD, while we use more fine-grained approach with a security group. It also shows a different error "Resource could not be discovered." versus "User not found" in my case.
In order to call /{user-id}/calendar/events to work the user must have mailbox on Exchange Online if you are using client credentials for Daemon applications.
Also, It seems assigning license to a guest account (Personal account in this case) is not possible and hence the user account never gets access to the calendar service (part of o365 exchange online) due to which it cannot retrieve the calendar information of personal account.
Please refer my answer similar to this in Q&A for detailed description.
Short Version
I was missing the application permissions and assumed that they are assigned on the level of security group. Only restriction happen on that level.
Long Version
The updated mental model looks like this:
It means that the application permissions for MS Graph API are required.
The security group is only restricting / limiting the access to the users mentioned in the policy.
How can I get contributions.json of myself in a Gitlab CI pipeline with private contributions if "show private contributions" is off in the settings?
https://gitlab.com/users/GITLAB_USERNAME/calendar.json shows both public and private contributions if the logged in user is GITLAB_USERNAME.
https://gitlab.com/users/GITLAB_USERNAME/calendar.json shows only public contributions if the logged in user is not GITLAB_USERNAME and "show private contributions" is off for GITLAB_USERNAME.
I can do this with curl --cookie "_gitlab_session=..." https://gitlab.com/users/GITLAB_USERNAME/calendar.json where I have obtained the cookie by logging in through the web interface. The session cookie expires after 1 week by default.
I want an automated way to do this through a CI pipeline without simulating a log in and storing my password as a variable (insecure, and if I change my password, I need to update all of them).
I have tried using CI_JOB_TOKEN for authentication (like I do with API: curl --header "PRIVATE-TOKEN: $CI_JOB_TOKEN" "https://gitlab.com/api/v4/projects"), but only the public contributions are showing up.
You can't do it using calendar.json endpoint. You need to use events api.
You can collect all your events using personal token and events api curl --header "PRIVATE-TOKEN: <your_access_token>" https://gitlab.com/api/v4/users/:id/events
User id can be found using: https://gitlab.com/api/v4/users?username=YOUR_USERNAME
Instead of job token use personal access token to get access to gitlab api.
To filter out your results use parameters according to your needs. There is a lot more data than when gathering from https://gitlab.com/users/GITLAB_USERNAME/calendar.json url so you would need to process it.
NOTE:
https://gitlab.com/users/GITLAB_USERNAME/calendar.json is not api url but gitlab endpoint so gitlab token won't work for it.
I need to access a Web API which is secured via Azure Active Directory. I followed this documentation https://msdn.microsoft.com/sv-se/library/azure/dn645542.aspx
The first steps were successful, but at the end I can't access the required resource.
What I did:
First I call this link
https://login.microsoftonline.com/mytenantname.onmicrosoft.com/oauth2/authorize?response_type=code&client_id=3eec...32e5
and get redirected to the login portal.
After successful login I extract the code from redirected URL, which is something like this
https://localhost:8080/?code=AAABAAAAiL9Kn2Z27........RdzFpearqiAA
Then I use this code to acquire an access token. The first problem is here. According to the documentation (link above) the resource is optional. But it doesn't work if I omit the resource (error=Resource identifier is not provided.), so I have to provide it. Secondly, if I put the APP ID URI of my application registered in Azure AD to the recourse parameter, I got another error ( The client '3eec...32e5' and resource 'myapp.azurewebsites.net' identify the same application.). Therefore I put the graph.windows.net for resource parameter.
curl -s -X POST https://login.microsoftonline.com/akeliusdev.onmicrosoft.com/oauth2/token
-d grant_type=authorization_code -d client_id=3eec...32e5
-d client_secret=F%2BfpjpR............Wi8%3D
-d code=AAABAAAAiL9Kn2Z27........RdzFpearqiAA -d resource=https://graph.windows.net
This way I could get an access token. But then I am not able to access the resource using the access token. I did it this way:
curl https://myapp.azurewebsites.net/data
--header "Authorization:eyJ0eXAiOiJKV1QiLCJhbGciOiJ.............4WYr6xn"
Could someone help me on this issue?
Thanks.
To do this as a service to service call, without user interaction, you can follow Service to Service Calls Using Client Credentials
You need to create an AAD application and credentials. i.e. a Service Principal.
then to get the access token you make a POST call to
https://login.windows.net/<tenant ID>/oauth2/token
with the following data
grant_type=client_credentials&client_id=$username&client_secret=$password&resource=$resource
Where $username is your HTTP://localhost/whatever identifier
$password is your service principal password
$resource is https://management.core.windows.net/ (this might be graph, try it and see)
The access token will be in the JSON response as 'access_token'
You then add a header of Authorization: Bearer $AccessToken and hopefully you should get access!
I'm trying to do what the title says, using GitHub's API, I'm trying to get the list of orgs any user belongs to... my problem, is that I can't find a way to do it.
According to the API's doc: https://developer.github.com/v3/orgs/ using this endpoint:
/users/:user/orgs
That should list them, but it's not doing it for my user, so I'm guessing this only lists orgs created by the user.
If this is the case, is there a way around it somehow, so I can get the list of organizations that any user belongs to?
It should but, as mentioned
For my account, I don't belong to any organization: https://api.github.com/users/VonC/orgs
defunk, however, is part of public orgs: https://api.github.com/users/defunkt/orgs
Since the list orgs API will only list public memberships, regardless of authentication. (more precisely, GET /orgs/{org}/memberships/{username})
If you need to fetch all of the organization memberships (public and private) for the authenticated user, use the List your organizations API instead.
Maybe your user is not part of any public orgs, only private ones.
More recently, using gh, the GitHub CLI after a gh auth login:
gh api \
-H "Accept: application/vnd.github+json" \
/user/orgs \
--jq ".[].login"
One line:
gh api -H "Accept: application/vnd.github+json" /user/orgs --jq ".[].login"
Use the route /user/memberships/orgs. For instance, using GitHub Cli:
$ gh api /user/memberships/orgs --jq '.[0].organization.login'
etsii2
If you still want to get the user's organizations that your authorization allows you to operate on in some way, you can use the List organizations for the authenticated user endpoint.
In cURL
curl \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/user/orgs
where you need to substitute the <YOUR-TOKEN> by the access_token you get in the response after authentication.
In my case, using Postman
just call /user/orgs to retrieve all organizations public or private