I am using a multi user rest server with ldap based authentication on. I can successfully login , get an access token and perform any number of transactions. Chaincode running for this transaction can also run the queries generate by me. But the issue is I am not able t run this queries directly from my Web browser while using same access token. I am facing this error which says that access_token is invalid or extraneous parameter while running query. But when I try to run query without access token it gives me error as "AUTHORIZATION_REQUIRED" Which as per my understanding is okay. Also this queries are running fine in single user rest server.
Do i need to perform something different while running queries using multi user rest server with access token generated from LDAP.
"{"error":{"statusCode":500,"name":"Error","message":"2 UNKNOWN: error
executing chaincode: transaction returned with failure: Error: Invalid
or extraneous parameter access_token has been
specified","code":2,"metadata":{"_internal_repr":{}},"details":"error
executing chaincode: transaction returned with failure: Error: Invalid
or extraneous parameter access_token has been
specified","stack":"Error: 2 UNKNOWN: error executing chaincode:
transaction returned with failure: Error: Invalid or extraneous
parameter access_token has been specified\n at new
createStatusError
(/home/composer/.npm-global/lib/node_modules/composer-rest-server/node_modules/grpc/src/client.js:64:15)\n at
/home/composer/.npm-global/lib/node_modules/composer-rest-server/node_modules/grpc/src/client.js:583:15"}}"
Actually We have made some changes to make it work actually issue is with the way we were passing the access token. In hyperledger Documents there are 2 ways through which we can pass token :
curl -v http://localhost:3000/api/system/ping?access_token=xxxxx
curl -v -H 'X-Access-Token: xxxxx' http://localhost:3000/api/system/ping
I was using the 1st method to pass access token and all my transactions were working fine but query failed seems access token was passed on to query and it was not able to identify parameter. So I tried second way and was able to run the query. I Suppose Hyperleder forums should mention such limitations.
Related
I am trying to migrate authentication via auth0 from a jvm based solution which uses auth0 rest api to a node based solution using node-auth0.
At present its a 2 step process:
Get token via POST /oauth/token
Get user profile via /userInfo
In the node application, I am constructing AuthenticationClient while providing clientId, clientSecret and domain as AuthenticationClientOptions and able to get the token successfully using passwordGrant but when I use the same authenticationClient object to call getProfile while providing the token obtained from passwordGrant, I get this error:
Request failed with status code 401
What’s confusing is that in Auth0 dashboard, this request is successful.
I am using node-auth0 SDK Version: 2.42.0 on Node 15.14.0
The token obtained via passwordGrant will be processed to respond for userInfo. Hence, the token must have in its audience claim <your-auth0-domain>/userInfo.
I'm able to update/create the function key using the API as per document.
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update-function-secret
My main aim is to update the function key every hour so I'm creating a http trigger (with the above api inside it) and scheduling the trigger.
For testing purpose I stored the url in one parameter.
URL:
'https://management.azure.com/subscriptions/xyz1/resourceGroups/xyz2/providers/Microsoft.Web/sites/func_appname/functions/func_name/keys/poc_testing1?api-version=2021-02-01{"Properties":{"Name": "poc_testing1","Value": "asdsda"}}'
Note: Value here is updating via random gen lib of python
Generated a bearer token using the service principal (which I'm already using to connect my stg acc) storing it in auth_token
header_auth= {'Authorization' : 'Bearer ' + auth_token }
Now running the below command in python
import requests
requests.post(url, headers=header_auth)
I'm getting 403 forbidden error
I'm thinking that it is not because of the bearer token, Did google the error and it is with the IP address. Can someone help me out here
I was referring the (https://learn.microsoft.com/en-us/troubleshoot/azure/general/request-throttling-http-403) doc but I'm not using any APIM service
Till now I referred the doc from MSFT.
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update-function-secret
I was able to create new function key.
I'm trying to do the same using python for which I performed the above steps.
Currently ran the above issue steps in my local Visual studio and tried az cli as well but same 403 error.
Why do you want to update the function key every hour?
If you aim to increased security use AzureAD Auth/OAuth2 rather than the function key.
Regarding the 403 error, please ensure you have assigned proper permissions to the service principal which allow the service principal to modify the azure function.
I am able to fetch the data from Bigquery using gcs-connector and spark-bigquery-in Spark application. But getting below error while trying to load data into Bigquery in GCP by using spark application.
Exception in thread "main" java.io.IOException: Error getting access token from metadata server at: http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
Code:
df_bigquery.write.format("bigquery").option("credentialsFile", "D://input/absolute-vertex-321015-a78e81ae77a0.json").option("parentProject", "absolute-vertex-321015").option("temporaryGcsBucket","emp_demo_1").save("absolute-vertex-321015.org.employee_loaded")
Any help is deeply appreciated.
Thanks in Advance.
May I help you with this?
This Metadata endpoint /computeMetadata/v1/instance/service-accounts/default/token Returns the auth token that can be used to authenticate your application to other Google Cloud APIs.
As the error is: Exception in thread "main" java.io.IOException: Error getting access token from metadata server at: http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
Use curl to request an access token and send a request to an API:
On the instance where your application runs, query the metadata server for an access token by running the following command:
$ curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
-H "Metadata-Flavor: Google"
The request returns a response similar to:
{
"access_token":"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_QtAS08i85nHq39HE3C2LTrCARA",
"expires_in":3599,
"token_type":"Bearer"
}
Copy the value of the access_token property from the response and use it to send requests to the API. For example, the following request prints a list of instances in your project from a certain zone:
$ curl https://compute.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances \
-H "Authorization":"Bearer [ACCESS_TOKEN]"
where:
[PROJECT_ID] is the project ID for this request.
[ZONE] is the zone to list instances from.
[ACCESS_TOKEN] is the access token value you got from step 1.
Note:
You can use the access token only for scopes that you specified when you created the instance. For example, if the instance has been granted only the https://www.googleapis.com/auth/storage-full scope for Cloud Storage, then it can't use the access token to make a request to BigQuery.
For information about the parameters that you can set in your request, see the parameters documentation.
If you want to Authenticating applications with a client library use this reference.
I am happy to help, let me know if these steps resolve your issue.
I have been following this Tutorial and I am able to complete it. I issue a new identity, to an existing participant and I create a business card for this identity with the following command:
composer identity issue --card admin#tutorial-network -f usr001#tutorial-network.card -u usr001 -a "resource:org.acme.biznet.Trader#usr001" -x true
Then, I import that business card via POST /wallet/import and I am able to call different REST API operations. After that, I stop the composer-rest-server and after a few minutes I start the composer-rest-server again with the command composer-rest-server -c admin#tutorial-network -m true -a true
Then, I authenticate to the REST API using the configured authentication mechanism (in this case passport-github strategy) and if I try to call one operation fro REST API it throws a A business network card has not been specified error message, then I import the previous business card via POST /wallet/import getting a no content which is supposed to be correct.
Finally, when I try to call another REST API operation I get the following error:
{
"error": {
"statusCode": 500,
"name": "Error",
"message": "Error trying to ping. Error: Error trying to query business network. Error: chaincode error (status: 500, message: Error: The current identity has not been registered: usr001)",
"stack": "Error: Error trying to ping. Error: Error trying to query business network. Error: chaincode error (status: 500, message: Error: The current identity has not been registered: usr001)\n at _checkRuntimeVersions.then.catch (/home/username/.npm-global/lib/node_modules/composer-rest-server/node_modules/composer-connector-hlfv1/lib/hlfconnection.js:679:34)\n at <anonymous>"
}
}
This is the main issue, I don't know why my identity is not being recongized by the REST API if I used it previously to call some operations.
the problem is one of persistence as captured here -> https://hyperledger.github.io/composer/v0.16/integrating/enabling-multiuser.html and the link for persisting identities (ie instructions) is captured here -> https://hyperledger.github.io/composer/v0.16/integrating/deploying-the-rest-server.html
All user information is persisted in a LoopBack data source by using a LoopBack connector. By default, the REST server uses the LoopBack "memory" connector to persist user information, which is lost when the REST server is terminated. The REST server should be configured with a LoopBack connector that stores data in a highly available data source, for example a database.
Following this guide: https://azure.microsoft.com/en-us/documentation/articles/resource-manager-api-authentication/#_get-objectid-of-application-service-principal-in-user-azure-ad
I've reached the stage where I call graph.windows.net to Get the ObjectId of the service principal in user Azure AD.
When I do the call, however, I'm getting the following message:
{"odata.error":{"code":"Authentication_MissingOrMalformed","message":{"lang":"en","value":"Access Token missing or malformed."},"values":null}}
I've already tried replacing the clientId with the 'onmicrosoft.com' address too (so graph.windows.net/appname.onmicrosoft.com/...), still got the same message.
To extend on my comment, we have seen this when the app secret contains characters that need encoding. Such as "+" and "="
If you are not using some of the client helpers available or are testing with Fiddler or Postman you will need to URL encode the secret before calling the graph api, so it looks it becomes:
"7hIkYG5m7xJQnocThxMc4yPjtbRP7bO41aNC%2bbrEzvo%3d"