Oauth2.0 setup for SAP Hybris - sap-commerce-cloud

I'm exploring hybris sales cloud trial version. I want to test oauth2 using postman, I don't know if this is the right way but I created a client application in SAP Cloud Platform cockpit by going to {subaccount} | Security | Oauth | Clients. What do I put in Subscription? And in postman, what should I put as the scope?

Click on Authorization tab and Click on get "New Access Token" button and configure the Oauth client as configured in hybris

First create OAuthClientDetails, for this, you can use Impex to create, below is one example
INSERT_UPDATE OAuthClientDetails;clientId[unique=true];resourceIds;scope;authorizedGrantTypes ;authorities ;clientSecret;registeredRedirectUri
;qwe ;hybris ;basic;implicit,client_credentials,password;ROLE_TRUSTED_CLIENT,ROLE_CLIENT,ROLE_CUSTOMERMANAGERGROUP,ROLE_CUSTOMERGROUP;secret;
This will create one OauthClientDetails, We have given authorization also, to access all the different types.
Next, go to Postman and do configuration as below
grant type : Password Credentials
Access Token URL : https://localhost:9002/authorizationserver/oauth/token
Username : admin
Password: nimda
Client ID: create your client details
Client secret : secret/password
scope: basic
Client Authentication: send as basic Auth header

Related

Authenticating with oAuth token from service principal, produces a "the audience is invalid" error

I'm authenticating with a service principal that was setup by another developer. I'm trying to authenticate against an internally developed API. The ASP is working when the other developer uses the SDK to authenticate. But when I try with Postman, I'm getting a 401 with this error.
The issue is that I don't really know which resource to use. I believe the client ID, secret, and scope is correct. But I can't seem to find any info on the type of resource to use. Is there any way to determine this for an internally developed API? I've used a ton of publicly available ones. Just as testing, as I can't find any info. And leaving it blank does not work.
Assuming you have two applications created in azure ad app registration, one representing the client application and the other representing the api application, (or in app registration you must have selected the required client application) and then you must be using the client application to call the Web api application.
NOTE: When you call web API , make sure you are sending Access token (not Id token)
you track the token you get in jwt.io .
Azure AD audience must match the “aud” claim when.
The Audience must equal the AppId or client id set for the application.
Check iss value of token in jwt.io and see the version of login url. If it is v2 set manifest json in the app registration for the API to 2, as it may be by default be 2.
"accessTokenAcceptedVersion": 2
In the app registration if your exposed api is something like : api://xxxx-xxx-xxx ,then the client id in appsettings.json of your app must be the same.
Note:Client id may be configured differently according to application.
If above doesn't work try client ID : instead of api://
You may need to grant application permissions to your client applications (this is the role permissions you define yourself, you can find it in My APIs when you add permissions).Then you need to click the admin consent button to grant administrator consent for this permission.
Here I exposed scope >> api://xxx-xxx-xxx/access_as_user. Make sure to use the same scope configured in portal is included in application configuration. The scope should include the exposing resource's identifier (the Application ID URI) in the code too.
Here Ex: scopes: "api://xxxx-xxx-xxxx/access_as_user "
In postman Set Authorization header to refer a global variable 'Bearer {{bearerToken}}' and add the authorization data to Request Headers,
If you are using postman call back uri , uncheck the authorize using browser for callbackurl in postman configuration.(see enable-azure-ad-authentication| csharpcorner )

Salesforce Authentication using Node JS API With Access Token

I have a requirement to retrieve the Auth Code from SalesForce API. I have created the scenario in Postman as below.
Configuring the new Token using the below parameters
Once I press "Get New Access Token", Postman opens a popup and asks to type the Username and Password in the login prompt. It shows the login page to SalesForce.
Once login success, Postman asks to use the token and it will be added here(See below image)
Then I hit the endpoint with the JSON body as a POST request.
I need to recreate this scenario in NodeJS in order to work the whole process as a single process bypassing all the login prompts.
I am using the below method to initiate this task in order to get the Token. However, the resources I found didn't match my requirement.
As the first step, I used salesforce-oauth2 npm package as below.
oauth2 = require('salesforce-oauth2');
var callbackUrl = "https://test.salesforce.com/services/oauth2/success",
consumerKey = "3MVG9sLbBx**********************2Qi.v***Vlhg3",
consumerSecret = "3MV**bBx**********************2Qi.v***Vlhg3";
var uri = oauth2.getAuthorizationUrl({
redirect_uri: callbackUrl,
client_id: consumerKey,
scope: 'api', // 'id api web refresh_token'
// You can change loginUrl to connect to sandbox or prerelease env.
//base_url: 'https://test.my.salesforce.com'
});
return response.redirect(uri);
When I debug I above code, it returns a URL pointing to the login page. I didn't want to pass this step since my requirement is to get the Auth-Code without opening any intermediate authentication popups.
How can I proceed with this? Any idea to program until the 3rd step to get the Auth Token from the SalesForce API?
Thanks in advance.
You tagged this salesforce-communities. It matters, is it really for community ("experience cloud") users or internals? Salesforce has lots of OAuth2 flows to chose from: https://help.salesforce.com/articleView?id=sf.remoteaccess_oauth_flows.htm&type=5
If you know the password and it's internal user (maybe real human, maybe you have some dedicated "Integration User") - you can work with Username-Password flow. There's no login page and no OAuth consent step. But
This flow doesn’t support scopes or refresh tokens. Experience Cloud
sites don’t support the OAuth 2.0 username-password flow.
You might be able to use JWT Flow. You need username (no password) and your Node app would be sending a message signed with certificate that you uploaded earlier to SF "connected app". You could even mark the users as preauthorised so there's no consent screen.
Other than that I think all OAuth2 flows available for community need a human to actually type the password in. You can pass login hint in the url to save them the username but pass they need to provide on SF login page before coming back to your app.
Dig a bit in help, happy to be proven wrong.

Integration with Microsoft Teams using apis

I try to integrate with Microsoft Teams like get class, add class ...
I have access as admin to Teams, and I get tenant id and client id, but require redirect_uri. I don't know what thas mean ? I can put a http://localhost ..? and how to do this , right now I download xammp ...
I use postman to get and post api , I need a brief step and information to do this, I look to official documentation of Microsoft Teams I don't understand all think so I need a good programmer to help understand every step.
Regards
To access any protected resource like Microsoft Graph API, you need to register in Azure AD, get a token. During the app registration you need to specify the Redirect URI/reply URL; it's the location where the authorization server sends the user once the app has been successfully authorized and granted an authorization code or access token. Authorization server sends the code or token to the redirect URI, so it's important you register the correct location as part of the app registration process. Here are the steps.

Access sharppoint online rest apis via external gmail user

Really need your help here. struggling with this for almost a week and still have not found how to do it.
Get access denied all the time.
Browser scenario works for me
I have a gmail user let's name it testuser#gmail.com which is registered in sharepoint and have permissions to access a site.
In the browser, when I enter https://mytenant.sharepoint.com/subSite2 it uses Ouath2, it prompts me to select the user
I select testuser#gmail.com and then it signs me in.
Then I run the following sharepoint rest api https://mytenant.sharepoint.com/subSite2/_api/web and it works!!!
I have no problem with none external users, I use the https://paulryan.com.au/2014/spo-remote-authentication-rest/
article and all works!!.
For external user I understand that I need to use the Oauth2 authentication.
I have an app registered in Azure AD with Sharepoint Sites.Read.All and Sites.Search.All.
I'm using java, and I tried to do it with code with all possible oauth2 authentication flows (https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows), using MSAL and ADAL.
I pass the client id and secret and manage to login, but when I run the rest api with the required headers:
Authorization: Bearer <token_access>
Accept: application/json;odata=nometadata
I get:
{"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}
Can anyone give me a clue how to do this?? This is the list of stuff I tried:
https://www.advaiya.com/blog/access-sharepoint-rest-api-using-oauth/
https://github.com/AzureAD/microsoft-authentication-library-for-java/wiki/Scenarios
Download the samples and none of it work for me
https://medium.com/#anoopt/accessing-sharepoint-data-using-postman-sharepoint-rest-api-76b70630bcbf
(but this does not include using a user :( )
Thank you very much!!!
Did you go for SharePoint App registration:
https://yourtenantname.sharepoint.com/_layouts/15/appregnew.aspx
, which basically involves creating an app and assigning permissions:
https://yourtenantname.sharepoint.com/_layouts/15/appinv.aspx
Permission XML Sample:
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web"
Right="FullControl"/>
</AppPermissionRequests>
and then trusting the app in SharePoint?
Then you can use generated client id and secret to get the access token that is further used in Authorization headers for SharePoint rest API requests.

Retrieving public data using YouTube Analytics API

I would like to create a website which will allow users to input a YouTube URL, and will then generate statistics on the video or channel.
I have researched on the YouTube Analytics API, however I am encountering errors after following the https://developers.google.com/youtube/analytics/v1/sample-application. I am being given a "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup." Error.
What I am after is an easy way to GET HTTP url requests, which will provide me with basic analytics (details which are public, such as likes, views etc.) So I could just execute this GET Request on the YouTube URL which is entered.
Any help would be greatly appreciated.
sounds like you need to follow the instructions and register your app
from https://developers.google.com/youtube/v3/
Register your application with Google so that it can submit API requests.
this page has the details
https://developers.google.com/youtube/registering_an_application
Obtaining authorization credentials
Your application must have authorization credentials to be able to use the YouTube Data API. This document describes the different types
of authorization credentials that the Google Developers Console
supports. It also explains how to find or create authorization
credentials for your project.
Create your project and select API services
Go to the Google Developers Console.
Select a project.
In the sidebar on the left, select APIs & auth. In the list of APIs, make sure the status is ON for the YouTube Data API v3.
In the sidebar on the left, select Credentials.
The API supports two types of credentials. Create whichever credentials are appropriate for your project:
OAuth 2.0: Your application must send an OAuth 2.0 token with any request that accesses private user data. Your application sends a
client ID and, possibly, a client secret to obtain a token. You can
generate OAuth 2.0 credentials for web applications, service accounts,
or installed applications.
Learn more
API keys: A request that does not provide an OAuth 2.0 token must send an API key. The key identifies your project and provides API
access, quota, and reports.
If the key type you need does not already exist, create an API key by selecting Create New Key and then selecting the appropriate key
type. Then enter the additional data required for that key type.

Resources