Use project deploy token to access gitlab api - gitlab

I want to read some files in a project hosted on GitLab from my application via the GitLab API. I created a deploy token in the project through
Settings -> Repository -> Deploy Tokens.
I then tried
/api/v4/projects/MY_ID?private_token=MY_TOKEN
and
/api/v4/projects/MY_ID?access_token=MY_TOKEN
and neither of them works; both return 401.
Can't this deploy token be used as an authentication token, and do I have to create a new user to achieve it?
But the documentation describes this deploy token as being used for accessing this project, doesn't it?

You need to use a Personal Access Token, not a Deploy Token. These are created from:
profile -> settings -> access tokens
And in the API request the ID you pass is the Project ID, e.g.:
curl "https://your-host/api/v4/projects/<project-id>?private_token=<your-private-token>"
To find the Project ID, either go to the project page or query all projects you have access to, e.g.:
curl "https://your-host/api/v4/projects?private_token=<your-private-token>"
Cheers
S
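The same two requests with the token sent in the PRIVATE-TOKEN header instead of the query string, as an added example that is not part of the original answer. The function name and the GITLAB_URL and GITLAB_TOKEN environment variables are assumptions.

```shell
#!/bin/sh
# Added example. GITLAB_URL and GITLAB_TOKEN are assumed environment variables;
# GITLAB_TOKEN holds a personal access token, as the answer above recommends.

# gitlab_api_get PATH
#   Prints the response body; returns non-zero on HTTP errors such as 401.
gitlab_api_get() {
    if [ -z "${GITLAB_URL:-}" ] || [ -z "${GITLAB_TOKEN:-}" ]; then
        echo "GITLAB_URL and GITLAB_TOKEN must be set" >&2
        return 2
    fi
    # Refuse characters that would break the quoted curl config value below.
    case $GITLAB_TOKEN in *\"*|*\\*)
        echo "unexpected character in token" >&2; return 2 ;;
    esac
    # The header reaches curl on stdin (--config -), so the token is in neither
    # the URL (which proxies and access logs record) nor curl's argument list.
    printf 'header = "PRIVATE-TOKEN: %s"\n' "$GITLAB_TOKEN" |
        curl --silent --show-error --fail --config - \
            "${GITLAB_URL%/}/api/v4/${1#/}"
}

# Usage, matching the two requests in the answer:
#   gitlab_api_get "projects/<project-id>"
#   gitlab_api_get "projects"
```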

Related

Authenticating a Vue 2 Azure Static Web App Locally Against Auth0

I am researching the feasibility of porting an existing Vue 2 app to be an Azure Static Web App (SWA). A requirement is the ability to run the Vue app locally and authenticate against our Auth0 tenant to retrieve an access/bearer token to send along with our HTTP requests.
It appears that a SWA can utilize custom authentication (Auth0), and I was able to complete that successfully by following this article. However, I'm not seeing any information around capturing the access token. There is an /.auth/me/ endpoint which has user information, but that does not contain the access token.
I also looked into the Azure Static Web App Emulator which allows for defining an identity profile when running locally, but I'm not seeing a way to specify an access token here either.
Is it possible at the moment with a SWA to obtain an access token using a custom auth provider when running locally and when published live?
Managed Authentication in Azure is really only useful for fairly simple use cases. I think you're going to want to implement your security directly inside your Vue application.
https://auth0.com/docs/quickstart/spa/vuejs/01-login
You mentioned needing an access token but didn't say where it comes from or what you're doing with it. Are you trying to call an Auth0-secured API?
https://auth0.com/docs/quickstart/spa/vuejs/02-calling-an-api

How can GitLab Bot accounts use the dependency proxy?

We've recently adopted the GitLab dependency proxy for our project on a self-hosted GitLab instance.
This works fine for normal users, but fails for pipelines created via the API using a project or group access token, regardless of access level.
We've tried with a project token that has API permission and a developer role as well as a group account with that permission and developer role.
We also tried to grant the tokens permission for read_registry, write_registry to no avail.
The outcome is always the same: Any pipeline triggered by a Token/Bot user runs into a wall where it says you're not authenticated to access the dependency proxy because no credentials were specified. If I restart the very same job as a human user from the UI everything works just fine.
How do I need to configure my access tokens so that their corresponding bot users can access the dependency proxy?
The issue is most likely about using the wrong credentials.
According to the documentation, it won't work with a project access token or a group access token – only a personal access token and a group deploy token, besides username & password, are supported.
Now let's say we want to use a group deploy token. The docker-machine executor usually uses $CI_DEPENDENCY_PROXY_USER & $CI_DEPENDENCY_PROXY_PASSWORD (source) to authenticate to $CI_DEPENDENCY_PROXY_SERVER, as those variables are set up automatically.
Those credentials are the same as $CI_REGISTRY_USER & $CI_REGISTRY_PASSWORD (source) – the password in both cases is the job token. The job token has the same permissions as the user, and as mentioned above, group access token and project access token do not have access to the dependency proxy.
According to the deploy token documentation, you should authenticate to the dependency proxy using the username (of the group deploy token) & token instead. To achieve that, I think the only option would be to embed the deploy user & token inside the $DOCKER_AUTH_CONFIG CI/CD variable.
I have not tried such a scenario, but I think it should work.
For docker-in-docker, you should be able to set DEPLOY_TOKEN_USERNAME & DEPLOY_TOKEN_TOKEN in CI/CD variables (using values from the group deploy token) and then just log in with those:
before_script:
  # The token is piped on stdin so it does not appear on the docker command line
  - echo "$DEPLOY_TOKEN_TOKEN" | docker login -u "$DEPLOY_TOKEN_USERNAME" --password-stdin "$CI_DEPENDENCY_PROXY_SERVER"
script:
  - docker pull "$CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX/alpine"
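For the $DOCKER_AUTH_CONFIG route mentioned in the answer above, this added example (not part of the original answer) builds the JSON value from a group deploy token's username and token. The function name and the sample host are assumptions; the server argument is the host[:port] found in $CI_DEPENDENCY_PROXY_SERVER.

```shell
#!/bin/sh
# Added example: build the JSON value for a DOCKER_AUTH_CONFIG CI/CD variable
# from a group deploy token. All names and sample values are constructed.

# docker_auth_config SERVER USERNAME TOKEN
#   SERVER is the registry host[:port] as in $CI_DEPENDENCY_PROXY_SERVER.
docker_auth_config() {
    if [ $# -ne 3 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo "usage: docker_auth_config SERVER USERNAME TOKEN" >&2
        return 2
    fi
    server=$1 user=$2 token=$3

    # Basic auth splits on the first ':', so the username must not contain one.
    case $user in *:*)
        echo "username must not contain ':'" >&2; return 1 ;;
    esac
    # Keep the JSON valid without a JSON tool: refuse quotes and backslashes.
    case $server$user$token in *\"*|*\\*)
        echo "unsupported character in input" >&2; return 1 ;;
    esac

    # "auth" is base64("user:token"); strip the line wrapping base64 may add.
    auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$server" "$auth"
}

# The value is only encoded, not encrypted: treat the output as a secret.
# docker_auth_config gitlab.example.com:443 "$DEPLOY_TOKEN_USERNAME" "$DEPLOY_TOKEN_TOKEN"
```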

Signing into my Gitlab CE installation with my app's login

I have a nodejs webapp with many users with a custom login process. I would like gitlab to accept that authentication and not force users to create a new app. What is the best way to accomplish this?
I would go for OAuth 2.0 Single Sign-On (SSO). Below you can find the architecture diagram taken from here. As you can see, the client is redirected to log in at the OAuth2 provider to get a valid token for authentication. The OAuth2 server must be configured for the application requesting access, including the secret, the client ID and the callback URL.
You can configure GitLab CE to sign in with almost any OAuth2 provider. Only be careful with the limitations:
It can only be used for Single Sign on, and will not provide any other access granted by any OAuth provider (importing projects or users, etc)
It only supports the Authorization Grant flow (most common for client-server applications, like GitLab)
It is not able to fetch user information from more than one URL
It has not been tested with user information formats other than JSON
You also need to configure your Node.js web application as an OAuth2 server. There are npm packages available, with the source code here.
Recommendation
I would install an open-source identity management solution to separate user management from your webapp; it provides better integration with other third parties and lets you forget about encryption and other things you would otherwise need to take care of in your webapp. There are multiple options, such as Keycloak for instance.
You have to define a dedicated user, and use the private_token of this user to log in for ALL users that will use your application.
The restriction would imply all users will have the same rights ....
The other solution is to use the Private Token of the user at login. In this case, only the rights of these particular users will be used.

Github API : What permission should a Github App get when create an issue

Question
How can my GitHub App get an access token that has the permission to create an issue?
What I tried
I enabled all the permissions on the Settings -> Developer settings -> GitHub Apps -> Permissions and webhook page, followed the instructions to get an access token, then made a request referring to the docs, but got the response below:
{
"message": "Resource not accessible by integration",
"documentation_url": "https://developer.github.com/v3/issues/#create-an-issue"
}
But everything works out fine when I use a personal access token to make this request.
Details
Create a Github App
I enabled all the permissions
Subscribe all the events
Get access token
https://github.com/login/oauth/authorize?client_id=Iv1.abfa65bfc68dc75a
https://github.com/login/oauth/access_token
Request Create an issue
When I replace the access_token I got from the previous steps with my personal access token, everything works out fine.
Great, detailed write up of the issue you're encountering!
follow the instructions to get access token
I think this may be the cause of the issues you are running into. You've created a GitHub App, but you are looking at the instructions for authorizing OAuth Apps.
The docs for "Authenticating with GitHub Apps" are probably what you are looking for: https://developer.github.com/apps/building-github-apps/authenticating-with-github-apps/

Configure Authentication with Azure Functions on LocalHost

I'd like to use Visual Studio 2017 to build an Azure Function App with an HttpTrigger. However, I can't find a way to add Azure Active Directory authentication to secure the endpoint.
Will it work if I just add jwt token to the http request and then call ClaimsPrincipal.Current.Claims inside the method? Is there any other solution?
AFAIK, authentication with an external identity provider can only be configured in the Azure portal. If you host the Azure Function on Azure, the answer is yes. However, if you host the Azure Function locally, there is no way to configure authentication using Azure Active Directory.
As a workaround, you need to get the token from the headers and verify the token manually before running the function code. If you want support for configuring authentication when hosting an Azure Function locally, you can submit feedback here.
You can use the Microsoft OpenID Connect and JWT libraries to validate the token and get claims based on a received access token. Here's an example: https://github.com/azure-samples/ms-identity-dotnet-webapi-azurefunctions/tree/master/
Create an app registration in AD
Issue a browser request to get an access code
Issue an HTTP POST request for an access token using the code and the secret via cURL
Send the access token as an Authorization Bearer header to the local function endpoint
I had issues using newer versions of Microsoft.IdentityModel.Protocols.OpenIdConnect with .NET 6.0 and Azure Functions 4 and had to fall back to version 6.10.2.
