Oauth2ClientCredentials - Destination service returned error: unauthorized_client - sap-cloud-sdk

I am trying to consume a CF destination defined as OAuth2ClientCredentials, where the authentication server needs only a user/password and not a client ID/client secret to generate the token. I have a dummy client ID and client secret in the destination configuration, as they are mandatory, but it seems that it takes into consideration only the client ID/secret and not the token user/password.
The stack trace is:
com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException: Failed to get authentication headers. Destination service returned error: unauthorized_client.
at com.sap.cloud.sdk.cloudplatform.connectivity.ScpCfHttpDestinationPropertyFactory.getAuthTokenHeaders(ScpCfHttpDestinationPropertyFactory.java:376) ~[cloudplatform-connectivity-scp-cf-3.0.0.jar:na]
at com.sap.cloud.sdk.cloudplatform.connectivity.ScpCfHttpDestinationPropertyFactory.getHeadersFromDestination(ScpCfHttpDestinationPropertyFactory.java:328) ~[cloudplatform-connectivity-scp-cf-3.0.0.jar:na]
at com.sap.cloud.sdk.cloudplatform.connectivity.ScpCfHttpDestination.getHeaders(ScpCfHttpDestination.java:288) ~[cloudplatform-connectivity-scp-cf-3.0.0.jar:na]
at com.sap.cloud.sdk.cloudplatform.connectivity.HttpClientWrapper.wrapRequest(HttpClientWrapper.java:86) ~[cloudplatform-connectivity-3.0.0.jar:na]
at com.sap.cloud.sdk.cloudplatform.connectivity.HttpClientWrapper.execute(HttpClientWrapper.java:97) ~[cloudplatform-connectivity-3.0.0.jar:na]
at com.demo.destinationtest.MainController.worksoft(MainController.java:111) ~[classes/:na]
The ScpCfHttpDestination value in debugger is:
ScpCfHttpDestination(destinationType=HTTP, name=test, description=test connection, propertiesByName=ScpCfDestination(destinationType=HTTP, name=test, description=test connection, propertiesByName=DefaultDestination(properties={tokenServiceURLType=Dedicated, clientId=dummy, Description=test connection, tokenServiceUser=mymail#domain.com, tokenServiceURL=http://domain/executionmanager/api/Token, URL=http://domain/executionmanager/api/Requests, Name=test, tokenServicePassword=(hidden), authTokens=[ScpCfDestinationServiceV1Response.DestinationAuthToken(type=, value=, error=unauthorized_client, expiresIn=0)], Type=HTTP, certificates=null, Authentication=OAuth2ClientCredentials, clientSecret=STOTest3, ProxyType=Internet})))
Another destination where I have a good client secret/client id works fine.

The only OAuth destination type supported by Cloud Foundry is client credentials and not the password flow, so this is not a Cloud SDK limitation.

Related

WS-Security policy and security token, Error in obtaining token from WSO2

I'm developing a WSO2 API to invoke a specific service protected by a SAML token. For the security, this is a two-step authentication process. First the service consumer (me) has to authenticate to the SecurityTokenService using X.509 direct authentication. The STS issues a signed SAML token claiming the consumer's identity. In a second request the service consumer calls the business service and includes the received SAML token and a timestamp within the wsse:Security header.
So, I need to access SAML-secured service via WSO2 ESB.
For the first part, I successfully got the token. For the second request I included this process of generating a token (as an Issuer) in a policy:
https://pastebin.com/jgUDzDT6
But my code for the second part doesn't work in the ESB; it returns ErrorInObtainingToken.
And I don't understand how to send the already received token in a proper way. Could you please help me?
I used the policy file provided by the service, compared it to the one generated automatically in WSO2 Integration Studio, added and deleted lines, the result is always the same:
[PassThroughMessageProcessor-126] ERROR {org.apache.rahas.client.STSClient} - errorInObtainingToken
Caused by: org.apache.rahas.TrustException: Error in obtaining token from : "http://localhost:8280/.../token"
[-1234] [] [PassThroughMessageProcessor-130] ERROR {org.apache.axis2.engine.AxisEngine} - Message Receiver not found for AxisOperation: requestSecurityToken
org.apache.axis2.AxisFault: Message Receiver not found for AxisOperation: requestSecurityToken

Azure Container Apps with Dapr state store failing

I am using Azure Container Apps with Azure Blob Storage as a state store. It is a simple Hello World (weather service) app using .NET 6. The app starts up fine; on POST I am trying to save the generated weather information to Azure Blob Storage as JSON. I have configured Dapr components in Azure Container Apps for the state store using Azure Blob Storage. I am using the storage key (secondary key) as explained in this Microsoft documentation.
Upon doing a Swagger call and looking at the log I get the following error.
Dapr.DaprException: State operation failed: the Dapr endpoint indicated a failure. See InnerException for details.
2022-07-17T01:10:35.716245402Z ---> Grpc.Core.RpcException: Status(StatusCode="Internal", Detail="failed saving state in state store statestore: -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /home/vsts/work/1/go/pkg/mod/github.com/!azure/azure-storage-blob-go#v0.10.0/azblob/zc_storage_error.go:42
2022-07-17T01:10:35.716524109Z ===== RESPONSE ERROR (ServiceCode=AuthenticationFailed) =====
2022-07-17T01:10:35.716795515Z Description=Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
2022-07-17T01:10:35.716812515Z RequestId:863bcef4-401e-0069-5f7a-99724b000000
2022-07-17T01:10:35.716820115Z Time:2022-07-17T01:10:35.7137648Z, Details:
2022-07-17T01:10:35.716825516Z AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.
2022-07-17T01:10:35.716831516Z Code: AuthenticationFailed
The error is Authentication Failed. I am unsure what I am missing, since I am not making any additional configuration in the storage account such as VNet service endpoints etc. The account is enabled for key access. Any help is appreciated.
Below is the code that I am using:
    // Dapr client talking to the sidecar that Azure Container Apps injects
    using var client = new DaprClientBuilder().Build();
    var forecast = new WeatherForecast()
    {
        Date = DateTime.Now.AddDays(1),
        TemperatureC = Random.Shared.Next(-20, 55),
        Summary = Summaries[Random.Shared.Next(Summaries.Length)]
    };
    // The sidecar serialises the object and performs the Blob Storage call using the component's credentials
    await client.SaveStateAsync<WeatherForecast>(stateStoreName, key, forecast);
I think I found the answer. The issue was with the metadata, since the key set in the metadata of the component.yaml as mentioned in the Microsoft documentation is not working. I changed it to use a secretref and referred to it in the metadata directly in the portal. Not sure why the error was showing an authentication error, but it is finally working.
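As an added example (not code from the question or answer above, and not Dapr's or Microsoft's), the Python below reproduces the Shared Key scheme that the "Authorization header ... including the signature" message refers to: the caller builds a canonical string from the request (method, standard headers, sorted x-ms-* headers, account and resource path with sorted query parameters) and computes HMAC-SHA256 over it with the Base64-decoded account key; the service recomputes the same MAC with the key it holds and compares. Any mismatch in the key the sidecar was given therefore only shows up at request time as AuthenticationFailed. The account name, key, container, blob name and request headers are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Standard headers, in the order the Blob service includes them in the string to sign
# (Shared Key format for service version 2009-09-19 and later).
SIGNED_STANDARD_HEADERS = (
    "content-encoding", "content-language", "content-length", "content-md5",
    "content-type", "date", "if-modified-since", "if-match", "if-none-match",
    "if-unmodified-since", "range",
)


def _lowercase(headers: dict) -> dict:
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def canonicalized_headers(headers: dict) -> str:
    """All x-ms-* headers, lower-cased, sorted by name, one 'name:value\\n' each."""
    lowered = _lowercase(headers)
    return "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered) if k.startswith("x-ms-"))


def canonicalized_resource(account: str, url: str) -> str:
    """'/<account><path>' followed by '\\n<name>:<values>' for each query parameter, sorted."""
    parts = urlsplit(url)
    resource = f"/{account}{parts.path or '/'}"
    params = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        params.setdefault(name.lower(), []).extend(values)
    for name in sorted(params):
        resource += f"\n{name}:{','.join(sorted(params[name]))}"
    return resource


def string_to_sign(account: str, method: str, url: str, headers: dict) -> str:
    lowered = _lowercase(headers)
    standard = [lowered.get(name, "") for name in SIGNED_STANDARD_HEADERS]
    # Since service version 2015-02-21 a zero Content-Length is signed as the empty string.
    if standard[2] == "0":
        standard[2] = ""
    return ("\n".join([method.upper(), *standard]) + "\n"
            + canonicalized_headers(headers)
            + canonicalized_resource(account, url))


def shared_key_authorization(account, account_key_b64, method, url, headers) -> str:
    """Header value: 'SharedKey <account>:<Base64(HMAC-SHA256(key, StringToSign))>'."""
    key = base64.b64decode(account_key_b64)  # the portal shows the account key Base64-encoded
    mac = hmac.new(key, string_to_sign(account, method, url, headers).encode("utf-8"), hashlib.sha256)
    return f"SharedKey {account}:{base64.b64encode(mac.digest()).decode('ascii')}"


def verify_shared_key(authorization, account, account_key_b64, method, url, headers) -> bool:
    """What the service does: recompute the MAC with the key it holds and compare in constant time."""
    expected = shared_key_authorization(account, account_key_b64, method, url, headers)
    return hmac.compare_digest(authorization, expected)


# Constructed sample request: account, key, container and blob names are placeholders, not real values.
ACCOUNT = "examplestorage"
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode("ascii")
WRONG_KEY = base64.b64encode(bytes(64)).decode("ascii")  # e.g. a key copied from another account
SAMPLE_METHOD = "PUT"
SAMPLE_URL = "https://examplestorage.blob.core.windows.net/statestore/forecast-1?timeout=30"
SAMPLE_HEADERS = {
    "x-ms-date": "Sun, 17 Jul 2022 01:10:35 GMT",
    "x-ms-version": "2020-10-02",
    "x-ms-blob-type": "BlockBlob",
    "Content-Type": "application/json",
    "Content-Length": "87",
}

if __name__ == "__main__":
    auth = shared_key_authorization(ACCOUNT, ACCOUNT_KEY, SAMPLE_METHOD, SAMPLE_URL, SAMPLE_HEADERS)
    print(string_to_sign(ACCOUNT, SAMPLE_METHOD, SAMPLE_URL, SAMPLE_HEADERS))
    print(auth)
    print("right key:", verify_shared_key(auth, ACCOUNT, ACCOUNT_KEY, SAMPLE_METHOD, SAMPLE_URL, SAMPLE_HEADERS))
    print("wrong key:", verify_shared_key(auth, ACCOUNT, WRONG_KEY, SAMPLE_METHOD, SAMPLE_URL, SAMPLE_HEADERS))
```

The verifier side is the useful part when debugging this error: with the real account and a request the sidecar logged, recomputing the header locally tells you whether the key the component received is the one the storage account holds, independently of how the component manifest delivered it.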

Failed to get access token by using service principal while connecting to an ADLS location from ADF pipeline

I am trying to deploy an ARM template for ADF using Azure DevOps CI/CD.
The deployment was successful, but while trying to test the linked services I am not able to connect successfully.
The linked service connects to the ADLS location under the same subscription; the authentication method is a service principal, using a Key Vault secret name to get the connection.
The Key Vault is also under the same subscription and resource group.
While trying to connect the LS to the ADLS location I am getting the below error.
Failed to get access token by using service principal. Error: invalid_client, Error Message: AADSTS7000215: Invalid client secret is provided.
Trace ID: 67d0e882-****-****-****-***6a0001
Correlation ID: 39051de7-****-****-****-****6402db04
Timestamp: 2020-11-** **:**:**Z Response status code does not indicate success: 401 (Unauthorized). {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: 67d0e882-****-****-****-***6a0001\r\nCorrelation ID: 39051de7-****-****-****-****6402db04\r\nTimestamp: 2020-11-** **:**:**Z","error_codes":[7000215],"timestamp":"2020-11-** **:**:**Z","trace_id":"67d0e882-****-****-****-***6a0001","correlation_id":"39051de7-****-****-****-****6402db04","error_uri":"https://login.microsoftonline.com/error?code=7000215"}: Unknown error .
The linked services that connect to clusters, for which the connection secrets are stored in the same Key Vault, are working fine.
I was confused that some secrets (for cluster connection) in the same Key Vault are working and a few (for the ADLS connection) are not working.
I checked the application under the same principal ID in Azure Active Directory and the secret is valid till 2022.
Any idea about the root cause of the error and how to resolve the issue?
I have encountered a similar problem before. You need to make sure that the client secret belongs to the application you are using, or you can also try to create a new client secret; it should work for you.

Db2 (Warehouse) on Cloud: How to use APIKEY or ACCESSTOKEN to connect from CLP?

I have an instance of Db2 on IBM Cloud. I would like to use my local CLP to connect to it. I set everything up to be able to connect using a username and password. Now, however, I would like to make use of either an APIKEY or an ACCESSTOKEN as documented.
My attempts result in either
    SQL30082N Security processing failed with reason "25" ("CONNECTION DISALLOWED"). SQLSTATE=08001
or
    SQL30082N Security processing failed with reason "24" ("USERNAME AND/OR PASSWORD INVALID"). SQLSTATE=08001
I have successfully created an APIKEY and was also able to generate an access token using that API key. But what is needed to connect?
    connect to clouddb ACCESSTOKEN "my long token here"
It was a matter of the right setup and correct steps:
- IAM support only works with SSL connections
- for SSL, I had to use the right port number (50001) and keywords (security ssl) when cataloging the node and database
- my Db2 client required additional setup for GSKit and the encryption key database
I wrote up a blog post with all the steps and a collection of error messages on how to set up a Db2 client to authenticate using either an API key or an access token. Basically, it is to catalog the server:
    db2 catalog tcpip node Db2oCfra remote db2host-fra02-xxx.services.eu-de.bluemix.net server 50001 security ssl
Then catalog the database:
    db2 catalog db bludb as fradb at node db2ocfra
Thereafter, connect:
    db2 connect to fradb APIKEY myIBMCloudplatformApiKey
There might be additional steps in order to install GSKit and properly configure SSL support.

Azure Active Directory Getting code 403 with Client Credentials Grant

I have an Azure Function that I have secured using Azure Active Directory (using the express settings).
I generated a secret key and was able to get the other bits required (client ID, tenant, etc.). I followed this guide to test the client credentials flow:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds .
I was able to get an access token, but when I try to access the function using the bearer token I get error code 403 with 'You do not have permission to view this directory or page.'
How can I fix this? I want to secure my Azure Function using a secret key.
Edit ----------
I want to access my Azure function http endpoint.
The requests I have used:
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token/
With body:
client_id:{Application Id in Azure AD}
scope:https://{functionname}.azurewebsites.net/.default // This might be the source of the problem
client_secret:{Key Generated}
grant_type:client_credentials
This returns an access token eyJ0eXAiOiJKV1QiLCJhbGciOiJS.....
Then
GET the HTTP endpoint of my Azure Function
https://{functionName}.azurewebsites.net/api/endpoint?Params
The Header contains Authorization Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJS.....
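The question already suspects the scope parameter; the aud claim of the issued token is where that choice shows up, so comparing it (and the issuer and roles) with what the Function's authentication settings accept is the natural first check when the token endpoint succeeds but the API answers 403. As an added example (not code from the question above, and not Microsoft's), the Python below decodes the claims of a compact JWS without verifying its signature, for inspection only, and lists the mismatches that commonly produce a 403 for a client-credentials token. The tenant ID, client ID, accepted audiences and token payloads are constructed placeholders.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWS strips the '=' padding (RFC 7515 s2), so restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Split a compact JWS and return {"header": ..., "payload": ...}.

    The signature is NOT verified: this is for reading claims while debugging a 401/403,
    never for making an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
    }


def diagnose_client_credentials_token(token: str, expected_audiences: set, tenant_id: str) -> list:
    """Return human-readable findings that commonly explain a 403 from a protected API."""
    claims = decode_jwt_claims(token)["payload"]
    findings = []
    aud = claims.get("aud")
    if aud not in expected_audiences:
        findings.append(f"aud {aud!r} is not one of the audiences the API accepts "
                        f"{sorted(expected_audiences)}; the scope in the token request decides this value")
    if tenant_id not in claims.get("iss", ""):
        findings.append(f"iss {claims.get('iss')!r} does not belong to tenant {tenant_id}")
    if "scp" in claims:
        findings.append("token carries 'scp' (delegated scopes); a client-credentials token carries "
                        "application 'roles' instead, so this token came from a different flow")
    if not claims.get("roles"):
        findings.append("no 'roles' claim: the client app has no app role assigned on the API, "
                        "so any role-based check on the API will reject it")
    return findings


def make_unsigned_test_token(payload: dict) -> str:
    """Build a compact JWS with a dummy signature. Constructed test input only, never accepted by any API."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed values; tenant, client ID and function host name are placeholders.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
EXPECTED_AUDIENCES = {CLIENT_ID, f"api://{CLIENT_ID}"}  # what the API's auth settings accept

GOOD_TOKEN = make_unsigned_test_token({
    "aud": CLIENT_ID,
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "azp": CLIENT_ID,
    "roles": ["Forecast.Read"],
})
MISMATCHED_TOKEN = make_unsigned_test_token({
    "aud": "https://myfunction.azurewebsites.net",
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "azp": CLIENT_ID,
})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("mismatched", MISMATCHED_TOKEN)):
        print(name, diagnose_client_credentials_token(tok, EXPECTED_AUDIENCES, TENANT_ID) or ["no findings"])
```

Paste a real token from the flow above in place of the constructed ones to see its claims; the API itself must still validate the signature and these same claims against its configuration, which is what produces the 403 when they disagree.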
