I have a problem generating the token. I used the command you gave in the tutorial:
curl -X POST -H "Content-Type: application/json" \
-H "Authorization: Bearer access-token" \
-d '{"foo": "bar"}' \
"https://.cloudfunctions.net/get"
When I open my /get link, it returns "No authorization token found." Is it necessary that I provide a token?
https://github.com/tnguyen14/functions-datastore/
Is your access token, access-token?
A proper jwt format is something like this.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.XbPfbIHMI6arZ3Y922BhjWgQzWXcXNrz0ogtVhfEd2o
Your http request using curl looks ok. But I doubt that access-token is a valid token. Normally there's some form of /login route you need to obtain the token, which later on should be provided using the Authorization: Bearer $TOKEN.
You can get help from https://jwt.io/ where you can specify your payload and pass the secret under VERIFY SIGNATURE to get a valid jwt token. Then you can use this in your curl requests.
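What jwt.io does with a payload and a secret can be reproduced locally, so the secret never has to be pasted into a web page. This is an added example, not code from the tutorial or the linked repository: the function names and the secret are assumptions, and the sample payload is the one encoded in the example token above.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature for an HS256 token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the payload if the token is well formed and correctly signed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (parts[0] + "." + parts[1]).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(parts[1]))

# Constructed sample values (assumptions, not from any real service)
SAMPLE_SECRET = b"constructed-demo-secret"
SAMPLE_PAYLOAD = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}

if __name__ == "__main__":
    token = sign_hs256(SAMPLE_PAYLOAD, SAMPLE_SECRET)
    print(token)
    print(verify_hs256(token, SAMPLE_SECRET))
    try:
        verify_hs256("access-token", SAMPLE_SECRET)  # the placeholder from the question
    except ValueError as err:
        print("rejected:", err)
```

The resulting token is only accepted by a server that verifies HS256 with the same secret.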
Related
We are using Sign In with Apple. The automated token renewal has failed in the past. I want to query the Graph API for the token expiration date so it can be tracked in our monitoring system.
EDIT: After contacting Azure support, the root cause for the token failing to auto renew is that we are using a custom user flow (IEF) policy
While generating the access token, you can see an attribute called expires_in along with access token.
You can make use of below CURL script to get the Apple JWT token:
curl -v -X POST "https://appleid.apple.com/auth/token" \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'client_id=CLIENT_ID' \
-d 'client_secret=CLIENT_SECRET' \
-d 'code=CODE' \
-d 'grant_type=authorization_code' \
-d 'redirect_uri=REDIRECT_URI'
You will get response like below:
{ "access_token": "adg61...67Or9",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "rca7...lABoQ",
"id_token": "eyJra...96sZg"}
In the above response you can find expiration time in expires_in attribute.
Otherwise, you can decode the token by using JSON Web Tokens - jwt.io site like below:
Copy the access token and paste it in encoded field.
Under payload section, you can find expiration date in exp attribute.
For more information, please refer below link:
Generate and Validate Tokens | Apple Developer Documentation
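For a monitoring check, both expiry sources described above can be read without a browser: expires_in from the token response, and the exp claim from any token in the response that is a JWT. This is an added example, not code from the answer or from Apple: the function names are assumptions and the sample token and timestamps are constructed.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

def jwt_claims_unverified(token: str) -> dict:
    """Decode the payload only. No signature check: for monitoring, not authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (an opaque token carries no readable exp)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def expiry_from_expires_in(response: dict, received_at: datetime) -> datetime:
    """expires_in is relative to when the response arrived, so that time must be recorded."""
    return received_at + timedelta(seconds=int(response["expires_in"]))

def expiry_from_exp(token: str) -> datetime:
    """exp is an absolute Unix timestamp in seconds."""
    exp = jwt_claims_unverified(token).get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("token has no numeric exp claim")
    return datetime.fromtimestamp(exp, tz=timezone.utc)

def expiry_status(expires_at: datetime, now: datetime, warn_before: timedelta) -> str:
    """Map an absolute expiry to a state a monitoring system can alert on."""
    if now >= expires_at:
        return "EXPIRED"
    if expires_at - now <= warn_before:
        return "WARN"
    return "OK"

def constructed_jwt(claims: dict) -> str:
    """Constructed sample token with a dummy signature, for the demo only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature"])

if __name__ == "__main__":
    received = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    response = {"expires_in": 3600,
                "id_token": constructed_jwt({"exp": int(received.timestamp()) + 3600})}
    for expires_at in (expiry_from_expires_in(response, received),
                       expiry_from_exp(response["id_token"])):
        print(expires_at.isoformat(),
              expiry_status(expires_at, received, timedelta(minutes=10)))
```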
How do I get a bearer token for a Dialogflow v2beta1 API call?
I want to integrate Dialogflow APIs, but right now I can't even test the APIs in Postman without a bearer token. For testing I have generated an API key for my agent in the GCP project, but I didn't find any solution for getting a bearer token.
POST https://dialogflow.googleapis.com/v2beta1/[PARENT]/intents?key=[YOUR_API_KEY] HTTP/1.1
Authorization: Bearer [YOUR_ACCESS_TOKEN]
Accept: application/json
Content-Type: application/json
I guess you already have a Service Account with proper permissions to project/product/resource. If no, you can find a guide on how to create it in Creating and managing service accounts.
Regarding Bearer Token you should read about it in Authenticating as a service account.
If you have a Service Account with proper access and key.json you can use Bearer token.
In GCP console you can print default token using command:
### for default SA
$ gcloud auth application-default print-access-token
### for other SA
$ gcloud auth print-access-token SA_NAME@PROJECT_ID.iam.gserviceaccount.com
More details can be found in this docs.
A request for the default SA should look like this:
curl -X POST "https://dialogflow.googleapis.com/v2beta1/{parent=projects/*}/agent:train" \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)"
For specific one time request you should use below example:
curl -X POST "https://dialogflow.googleapis.com/v2beta1/{parent=projects/*}/agent:train" \
-H "Authorization: Bearer $(gcloud auth print-access-token <YourSAaccount>)"
The SA account might look like: <SAname>@<projectID>.iam.gserviceaccount.com
Please keep in mind that this SA must be active. You can activate the SA using this command:
$ gcloud auth activate-service-account SA_NAME@PROJECT_ID.iam.gserviceaccount.com --key-file=/path/to/SAkey/key.json
###or using just key
$ gcloud auth activate-service-account --key-file=/path/to/SAkey/key.json
And command for listing active SA is:
$ gcloud auth list
I chose a random POST from Dialogflow API.
I have a token with computer vision included in the scope and audience. But when I send an OCR request it always returns "Unauthorized. Access token is missing, invalid, audience is incorrect or have expired". What is wrong with my code?
curl --location --request POST 'https://westeurope.api.cognitive.microsoft.com/vision/v3.0/ocr' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer myToken' \
--data-raw '{"url":"imageUrl"}'
Please just try the request below to get an access token from Azure AD for the vision OCR service:
I'm working on creating an Outlook Add-in using this architecture.
I'm trying to handle the scenario where the Azure Active Directory access token expires. According to the official documentation, the token's lifetime is 1 hour.
So I was thinking about changing the token's lifetime as described in this question. But I cannot do so, as I don't have the right to edit Azure policies. Also, I believe there is a cleaner way to test this scenario.
How can I test/debug this scenario?
Whenever your access token expires you can use your refresh token to exchange for new access/refresh token pair. Refresh token has a maximum inactivity time of 90 days.
You can get refresh token in your result while requesting access token by specifying offline_access in the scope parameter while making the request.
curl --location --request POST 'https://login.microsoftonline.com/common/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={clientid}' \
--data-urlencode 'refresh_token={refreshtoken}' \
--data-urlencode 'redirect_uri={redirect_uri}' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'client_secret={client_secret}'
I'm currently implementing a node.js module for Keycloak which uses the keycloak auth utils internally. For fine-grained authorization it should be possible to retrieve the entitlements. This works like a charm for "clientId + clientSecret" JWTs.
Additionally, it should be possible to retrieve those entitlements for signed JWTs. When I upload the key to my Keycloak instance and sign the JWT with the private key, it validates successfully with the help of the server and the stored public key. So the signed JWT is definitely valid (of course I changed the client's authenticator).
The issue is:
When I pass the signed JWT to the entitlement endpoint I get the following error:
{
"error": "invalid_bearer_token",
"error_description": "Could not obtain bearer access_token from request."
}
The request:
curl -k -L -H 'Content-Type: application/json' -H 'Authorization: bearer <signed_jwt>' '<realm_url>/authz/entitlement/foobar'
Now the question:
Is it possible to retrieve entitlements for signed JWTs and if yes, how?
What's my fault?
Thanks!
The solution is to include the kid header while signing the token.