By default apiconnect adds security to be required on all the paths. How can I allow a hit on a path without requiring authentication first?
I've tried unchecking the "Use API security definitions" in the Security section of on my User.count path, but when I use the browser on the URL https://localhost:4002/api/Users/count I get back
Error
401 Authorization Required
code: AUTHORIZATION_REQUIRED
Error: Authorization Required
at D:\PeteSoft\node\test3\node_modules\loopback\lib\application.js:433:21
at D:\PeteSoft\node\test3\node_modules\loopback\lib\model.js:359:7
at D:\PeteSoft\node\test3\node_modules\loopback\common\models\acl.js:536:16
at D:\PeteSoft\node\test3\node_modules\async\dist\async.js:3888:9
at D:\PeteSoft\node\test3\node_modules\async\dist\async.js:473:16
at iteratorCallback (D:\PeteSoft\node\test3\node_modules\async\dist\async.js:1064:13)
at D:\PeteSoft\node\test3\node_modules\async\dist\async.js:969:16
at D:\PeteSoft\node\test3\node_modules\async\dist\async.js:3885:13
at D:\PeteSoft\node\test3\node_modules\loopback\common\models\acl.js:518:17
at D:\PeteSoft\node\test3\node_modules\loopback\common\models\role.js:447:21
at process._tickCallback (internal/process/next_tick.js:61:11)
How can I get the count returned instead of the Authorization Required error?
If you are using the free version, you have to include the IBM client Id (and IBM client secret is optional)..
However, the Authorization error can be catched, so if you properly configure the catch to capture that error, you could work withouth the IBM Client id.. (it is a bad practice, but might solve your problem).
Catch Auth Error
If you want to work with out those keys, you have to buy the product, and in the Design Tab, it will allow you to remove it...
Related
I cannot resolve this error, i have a .net core web api, with a react application inside of it ( net core react template )
I have also added cors:
services.AddCors(options =>
{
options.AddPolicy("AllowMyOrigin",
builder => builder.WithOrigins("https://localhost:44300")
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials()
);
});
I have tried multiple things but i cant get past this error.
I have found loads of material online to try and nothing seems to work i feel like i am missing something really obvious?
Can someone point me in the right direction.
I expect that there should be an allow origin header:
I also tried using the Mosif browser extension to turn cors on, this stoped the cors error from showing but now i have a 404 (notfound ) on:
https://login.microsoftonline.com/tfp/domainname.onmicrosoft.com/b2c_1_sign_up/v2.0/.well-known/openid-configuration
You mention that you get an 404 error when opening the openid-configuration url. This means that part of your configuration is incorrect. You must be able to open this url in your browser and get back a JSON document. Copy it to a new tab and tweak it until you get back a result.
Please double check your configured policy and tenant name. The full url usually looks like this:
https://tenantname.b2clogin.com/tenantname.onmicrosoft.com/<policy-name>/v2.0/.well-known/openid-configuration
https://tenantname.b2clogin.com/tenantname.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=<policy-name>
https://login.microsoftonline.com/tfp/tenantname.onmicrosoft.com/<policy-name>/v2.0/.well-known/openid-configuration
All of these are equally valid and can be used depending on your scenario.
The config should then look something like this:
authentication.initialize({
instance: 'https://tenantname.b2clogin.com/',
tenant: 'tenantname.onmicrosoft.com',
Another issue might be if your B2C tenant quite new, Microsoft could be blocking support for microsoftonline for your tenant. In this case, try switching to the b2clogin.com domain as your instance.
You can see a possible value for this url when opening the user flow in the Azure Portal.
As a sidenote, I would suggest switching to a different react library. The one you are using is not really being maintained. We are currently using https://github.com/syncweek-react-aad/react-aad
I'm trying to use the example project, but I keep getting this message:
DocuSign Exception!
Reason: 0
Error Reponse: null
I have configured everything following the instructions in the repository page.
I have tried debugging the class responsible for the HTTP Post, but so far I got nothing.
Probably you need to grant consent for the integration key to impersonate the user.
See https://github.com/docusign/docusign-java-client/issues/111#issuecomment-513537950
I'm using the Admin SDK, Auth feature.
When calling admin.auth().verifyIdToken(token) and the token is expired I get the error
Firebase ID token has expired. Get a fresh token from your client app and try again. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.
With error code
auth/argument-error
First of all, should the error code not be "auth/user-token-expired"?
Second, the error code I received is not in the Admin Authentication API Errors
I have a hard time handling all firebase errors properly so I can reply with proper error messages to the consumers of my API.
Expired tokens and invalid signatures are reported with the AuthClientErrorCode.INVALID_ARGUMENT error code. It seems the value of this constant is defined as argument-error in source. This can be fixed in a future release (or alternatively update the documentation to reflect the correct value of the constant, and avoid a potentially breaking change).
There is no such error code as auth/user-token-expired in Admin SDK. Suggest you report a feature request in the Github repo if that is important to you.
I'm attempting the final assignment for my course but not getting anywhere due to Oauth2 authentication difficulties. I'm having a great deal of difficulty resolving this! I think it may be due to the fact I'm using a work laptop which is SOE'd and pretty locked down.
I just don't know where to look to resolve this. Any suggestions?
Steps to replicate
1. I've set my Oauth2 application up in Facebook and with Site URL setting as https://localhost:3443/users/facebook/callback
2. When I attempt ANY method (get, post, put etc) on this url, I get the below.
I've tried:
1. bypassing my company's firewall and hotspotting my phone; note that this a workaround I use to install NPM packages as my company seems to block NPM
2. my course's forum\Stack exchange. It seems that I'm the only person in the galaxy that this has affected.
3. F12 in CHrome - there are no messages in the console
4. inserting debug clues in the user route, viz;
router.get('/facebook', passport.authenticate('facebook'),
function(req, res){
console.log('routergetfacebook');//------------------------debug
});
router.get('/facebook/callback', function(req,res,next){
console.log('router.get-facebook-callback');//------------------------debug
In Chrome
This site can’t be reached
In Postman:
Could not get any response
There was an error connecting to https://localhost:3443/users/login.
Why this might have happened:
The server couldn't send a response: Ensure that the backend is working properly
Self-signed SSL certificates are being blocked: Fix this by turning off 'SSL certificate verification' in Settings > General
Client certificates are required for this server: Fix this by adding client certificates in Settings > Certificates
Proxy configured incorrectly Ensure that proxy is configured correctly in Settings > Proxy
Request timeout: Change request timeout in Settings > General
recently in one of my applications I needed to access currently logged-in user data for saving in another model (something like the author of a book or owner of a book). in my googling, I encountered these references but none of them was useful.
https://github.com/strongloop/loopback/issues/1495
https://docs.strongloop.com/display/public/LB/Using+current+context
...
all of them have this problem about accessing context or req object. after three days I decided to switch to afterRemote remote hook and add Owner or Author on that stage.
but something was wrong with this solution.
in strongloop's documentations (https://docs.strongloop.com/display/public/LB/Remote+hooks) there is a variable as ctx.req.accessToken that saves current logged-in user access token. but in the application this variable is undefined.
instead, I found accessToken in ctx.req.query.access_token and it was currently access_token variable that is sent to the server.
here is my problem:
is this variable (ctx.req.query.access_token) always available or
it's just because loopback-explorer send access_token as GET
variable?
in production mode do applications need to send access_token as
GET variable or it should be sent as Authorization in the header?
why ctx.req.accessToken is undefined?
could these things change over time? cause most of users encounter this problem due to deprecation of app.getCurrentContext()
Is this variable (ctx.req.query.access_token) always available or
it's just because loopback-explorer send access_token as GET
variable?
Well if your application always sends in the querystring, then it'll be always available for you, but it also sent in the header, or cookie or in the request body, but I don't suggest using it because it if the user logged in and the access token is valid and ctx.req.accessToken should be available and you can use it.
In production mode do applications need to send access_token as
GET variable or it should be sent as Authorization in the header?
I believe Authorization header is preferred, as if you send it in a GET variable, well it'll be visible in the logs and someone with the access to the logs can access the session(well unless you trust everyone), other than this it's fine to have it in a GET variable. Though I believe loopback client SDKs(Angular, Android, iOS) all send it via Authorization header by default, so you might have to configure them(maybe not possible).
Why ctx.req.accessToken is undefined?
Sometimes the context is lost thanks to the database drivers connection pooling, or the context req is lost(ctx.req) and they are null.
Assuming ctx.req is defined(because sometimes it's not), then probably that means the user is not logged it, or it's access token wasn't valid(expired or not in database). Also it could be a bug(maybe misconfiguration on your side), which also means for you that you will authentication problems.
Could these things change over time? cause most of users encounter this problem due to deprecation of app.getCurrentContext()
app.getCurrentContext is risky to use and I don't suggest unless you have no other solution. If you use it and it works, it might stop working if the database driver changes or in some corner cases that you haven't tested it, it might not work.
In the updated doc https://loopback.io/doc/en/lb3/Using-current-context.html
add this in your remoting metadata
"accepts": [
{"arg": "options", "type": "object", "http": "optionsFromRequest"}
]
then
MyModel.methodName = function(options) {
const token = options && options.accessToken;
const userId = token.userId
}
but it says
In LoopBack 2.x, this feature is disabled by default for compatibility reasons. To enable, add "injectOptionsFromRemoteContext": true to your model JSON file.
so add "injectOptionsFromRemoteContext": true on your model.json file