Will the NetSuite token expire when I uninstall the bundle? - netsuite

I've created a bundle with an integration & script in one account (A). Then I installed it in another account (B). Now I created a token in the installed account (B) using the bundle integration's consumer key & account (B) credentials.
By using that token I am able to access account (B) contents.
My questions are:
Whenever I uninstall that bundle from account B, will it also expire the token that I've created using the bundle integration?
How many tokens can be created for an account? Is there any limitation?
Thanks in advance

I will try to reply to your questions:
I do not think the token will expire when you uninstall your bundle; however, I do not think the token will be useful anymore, since the integration application will probably not exist anymore, so the consumer key and consumer secret used by the token will no longer work.
I am not aware of any limitation on the number of token records created in an account.
This would be useful for you:
Tokens created in your production account are not copied to your sandbox during a refresh. To test token-based authentication in your sandbox, you must create tokens in the sandbox account. Each time your sandbox is refreshed, you will need to create new tokens in the sandbox.
Source: SuiteAnswers

Related

How to Create and Delete Personal Access Tokens with the GitHub API?

I have a GitHub bot with a personal access token that some GitHub Actions use to make commits during some action runs. I'd like to make a script that can automatically swap out this personal access token and delete the old one via a cron job. Is this possible with the GitHub API? If it's not possible, is there another mechanism I should be using instead, perhaps?
No, not for personal access tokens, whose API is deprecated and was removed in Nov. 2020.
You could try instead an installation access token for an app, which does have an API for creation.
By default the installation token has access to all repositories that the installation can access.
To restrict the access to specific repositories, you can provide the repository_ids when creating the token. When you omit repository_ids, the response does not contain the repositories key.
But that token, valid for only one hour from the time you create it, might not have access to the same kind of actions a PAT would have.

GitLab private token automatic rolling

I am trying to connect to the GitLab API from code to download artifacts.
To do so, I'm required to generate a private access token and send it with the request.
I don't want to set a permanent token because it is not secure, so I tried to find some API to delete and generate a new token when the old one has expired, but I couldn't find anything.
I also tried to use deploy tokens, but they have no permission to use the GitLab API.
Any suggestions?
I don't want to set a permanent token because it is not secure
Since GitLab version 13.3 there are Project access tokens available, which give you the opportunity to issue a token for a specific project and limit its scope. So it's definitely better than using your own private token.
Project level access tokens allow access to a project without the need to provision a new GitLab user. Project access tokens can be generated by project Maintainers or Owners and be used to authenticate with the GitLab API. Project access tokens will be authorized as Maintainers. This new functionality will make programmatic access to GitLab easier and more secure.
Previous answer:
Probably it would be less insecure if you create an extra user with permissions only for the desired repository (from which we want to download artifacts) and issue a personal token for this user. So even if the token is compromised, the offender will only be capable of downloading artifacts.
It is not possible yet, but they have an issue open to add it.
You can follow the discussion here: https://gitlab.com/gitlab-org/gitlab/-/issues/17176

Removing JWT token from local storage once Shopify public app is uninstalled

I am new to the Shopify platform and have a doubt which I want to clarify.
We are developing a public app on Shopify. Currently we are facing an issue after app uninstall.
Our app contains a login page and we are using JWT-based authentication. We are storing the JWT token in local storage.
Now the issue is:
Whenever our app is uninstalled, we get an uninstall webhook, based on which we perform a few database operations.
Now once the app is uninstalled, we want to remove the JWT token from local storage, because after uninstallation of the app, if we try to access our public-app-specific APIs, they are still accessible because the JWT token in my local storage exists.
I somehow want to restrict all kinds of these unethical activities and want to overcome all security flaws.
As I am new to Shopify, can anyone tell me what a better solution for this problem could be?
You cannot. How will you possibly control what the user is doing? Make the JWT dependent on some other identifier that changes on every install.
And it's not related to Shopify alone. It's a basic principle of JWT.

How do we run automated testing when using OAuth2 and Azure AD

Our scenario is that we have an API which is currently only secured by a subscription key in APIM.
We plan to change this to also secure it with OAuth 2, following this guidance from Microsoft; we will then use the JWT validation policies within APIM to ensure that the user requesting access is a member of the appropriate groups to access given endpoints, etc.
However, as part of our release process we need to run some automated tests which call the API and check that certain data is returned.
Because these tests are run as part of an automated release pipeline, we are struggling to understand how OAuth will fit into this process, as a user is required to enter credentials for a token to be issued...
We originally thought that we could just request a token manually once and then hard-code it into the tests, but as tokens are only valid for a short time this isn't a good solution.
Other things we are considering are:
Creating a "test user" in AD and storing their credentials in the test project; then when the tests run we can request a token using the "Password" grant type, passing the username and password. However, this doesn't seem like the best from a security point of view; even though the user would only have access to a very limited subset of the API's functionality, it still doesn't seem like good practice.
Requesting a token using the client secret; however, the downside to that is that the JWT does not contain the groups claim, so this token will not pass JWT validation.
This must be something that others have encountered? What is best practice in this scenario?
As you can see in the article you reference, you will be using Azure API Management as the entry point to access your API. So, using API Management you will have subscriptions with keys for your API. You just need to create a subscription for your automated testing and save the key in Azure Key Vault. Then, during the deployment, you pull your subscription key from your Key Vault and use it to call the API Management endpoint, which will consequently call your API.
The solution that we went with in the end was to create a new App Registration for the Test project, then in APIM we added a rule so that the JWT policy is not applied to connections from that app.
Might not be the best solution but it works.
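The Shopify answer above ("make the JWT dependent on some other identifier that changes on every install") and the APIM thread's two approaches (a groups-claim check that a client-credentials token cannot satisfy, and an exemption for a dedicated test App Registration) both come down to checks on JWT claims at the API boundary. The following added example, which is not code from any of the posts or from Shopify, GitHub, GitLab or Microsoft, shows both in one small Python module using only the standard library. It assumes an HS256 signing secret as a stand-in for real key material (Azure AD issues RS256 tokens; the claim logic is the same), and the shop domain, group name, `install_id` claim and test app id are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: one HS256 secret stands in for the app's real signing key material.
SIGNING_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Serialise claims as a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SIGNING_SECRET) -> Optional[dict]:
    """Return the claims when signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all derive from ValueError
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= time.time():
        return None
    return claims


# --- Shopify-style install binding: a token is only valid for the install it was issued under ---
INSTALLS: dict = {}  # shop domain -> current install id (an app database in production)


def on_app_installed(shop: str) -> str:
    """Mint a fresh install id; a reinstall gets a new one, so tokens from the old install die."""
    INSTALLS[shop] = secrets.token_hex(8)
    return INSTALLS[shop]


def on_app_uninstalled(shop: str) -> None:
    """Uninstall webhook handler: forgetting the install id invalidates every token tied to it."""
    INSTALLS.pop(shop, None)


def issue_session_token(shop: str, user: str, ttl_seconds: int = 3600) -> str:
    if shop not in INSTALLS:
        raise KeyError(f"app is not installed on {shop}")
    return sign_jwt({"sub": user, "shop": shop, "install_id": INSTALLS[shop],
                     "exp": int(time.time()) + ttl_seconds})


def authorize_app_request(token: str) -> bool:
    """Accept only tokens whose install_id matches the shop's *current* install."""
    claims = verify_jwt(token)
    if claims is None:
        return False
    install_id = claims.get("install_id")
    # bool(install_id) guards against a token with no shop/install_id matching an absent entry
    return bool(install_id) and INSTALLS.get(claims.get("shop")) == install_id


# --- APIM-style group check with a dedicated test-app exemption ---
REQUIRED_GROUP = "api-readers"                        # constructed group name
TEST_APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder client id of the test App Registration


def issue_api_token(appid: str, groups=None, ttl_seconds: int = 3600) -> str:
    """Stand-in for the token the identity provider would issue; a client-credentials
    token carries no groups claim, which is exactly the problem raised in the question."""
    claims = {"appid": appid, "exp": int(time.time()) + ttl_seconds}
    if groups is not None:
        claims["groups"] = groups
    return sign_jwt(claims)


def authorize_api_request(token: str) -> bool:
    """Signature and expiry first; then group membership, unless the caller is the
    test app registration that the thread's accepted workaround exempts from the rule."""
    claims = verify_jwt(token)
    if claims is None:
        return False
    if claims.get("appid") == TEST_APP_ID:
        return True
    groups = claims.get("groups", [])
    return isinstance(groups, list) and REQUIRED_GROUP in groups


if __name__ == "__main__":
    shop = "example-store.myshopify.com"  # constructed shop domain
    on_app_installed(shop)
    tok = issue_session_token(shop, "merchant-user")
    print("before uninstall:", authorize_app_request(tok))
    on_app_uninstalled(shop)
    print("after uninstall: ", authorize_app_request(tok))
```

The install-id lookup is what makes a token in the browser's local storage harmless after uninstall: the client can keep the string, but every request is checked against server-side state that the uninstall webhook cleared. The exemption for the test app id is deliberately narrow; any token presented with that id still has to carry a valid signature and an unexpired `exp`.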

Revoking DocuSign OAuth Tokens for normal DocuSign accounts

I am posting this here, as DocuSign has requested that all DocuSign API questions be placed on StackOverflow:
REFERENCE
I have been working on a DocuSign application that uses their OAuth flow. In order to test this, I have been using my free account (www.docusign.com) to get access tokens from the application I created on my developer account (demo.docusign.net).
The integrator key I am using is live.
In the process of my testing, I have obtained an access token 10 times using the free account. I did not keep track of those tokens, as it states that they can be revoked in the web console. DocuSign Reference
However, there is no such section in the www.docusign.com account. All it shows is 5 other accounts that I can connect to.
I have now lost all 10 of those tokens, and the response from the service tells me that I have reached the maximum number of access tokens.
Now here's the interesting part: if I use my developer account credentials to authenticate to my application, I can see the access tokens that are active, with the option to revoke.
I know that there is a revoke token endpoint, but you need to know the token in order to use it.
How can I revoke these 10 tokens, as I no longer know what they are (due to testing), and there is no interface to revoke them on www.docusign.com? Essentially, this account is now locked out of my application.
I cannot add screenshots to this post as I do not have high enough reputation