Use ms-rest-azure to authenticate with azure-keyvault? - azure
I have a node project and I am using these libraries:
import { KeyVaultClient } from "azure-keyvault";
import * as msRestAzure from 'ms-rest-azure';
Here are the links to them:
https://www.npmjs.com/package/azure-keyvault
https://www.npmjs.com/package/ms-rest-azure
I am trying to use azure-keyvault to get a secret from my vault.
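// Fetch one secret from Key Vault and resolve to its value as a string.
let vaultClient = new KeyVaultClient(credentials);
vaultClient.getSecret(secretURI)
  .then(function (result) {
    // Log only the secret's identifier. Serializing the whole result would
    // write the secret value itself into the log file.
    // The "error" level is kept from the original; CLogger's other levels are not visible here.
    CLogger.log("error", "Retrieved secret: " + result.id);
    return result.value.toString();
  })
  .catch(function (error) {
    // NOTE(review): the serialized error carries the full request and response;
    // confirm it never includes an Authorization header before keeping this dump.
    CLogger.log("error", "Error occurred while getting the secret " + secretName + ": " + JSON.stringify(error));
    // Throw an Error instead of a bare string so callers get a stack trace.
    throw new Error("Error occurred while getting secret. Check log files");
  });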
I am using ms-rest-azure to get the credentials (tokens). This is mainly because I need to log in with both ServicePrincipalSecret and MSI. As far as I can tell, the adal library doesn't support MSI login.
import * as msRestAzure from 'ms-rest-azure';
// No options argument is passed here; the token shown in the dump below was
// issued for resource "https://management.core.windows.net/".
msRestAzure.loginWithServicePrincipalSecret(clientID, clientKey, domainID)
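And I am indeed getting a login token correctly. Here is the serialized credentials object; note that such a dump contains the client secret and the bearer access tokens (truncated here):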
{
"environment":{
"validateAuthority":true,
"name":"Azure",
"portalUrl":"https://portal.azure.com",
"publishingProfileUrl":"http://go.microsoft.com/fwlink/?LinkId=254432",
"managementEndpointUrl":"https://management.core.windows.net",
"resourceManagerEndpointUrl":"https://management.azure.com/",
"sqlManagementEndpointUrl":"https://management.core.windows.net:8443/",
"sqlServerHostnameSuffix":".database.windows.net",
"galleryEndpointUrl":"https://gallery.azure.com/",
"activeDirectoryEndpointUrl":"https://login.microsoftonline.com/",
"activeDirectoryResourceId":"https://management.core.windows.net/",
"activeDirectoryGraphResourceId":"https://graph.windows.net/",
"activeDirectoryGraphApiVersion":"2013-04-05",
"storageEndpointSuffix":".core.windows.net",
"keyVaultDnsSuffix":".vault.azure.net",
"azureDataLakeStoreFileSystemEndpointSuffix":"azuredatalakestore.net",
"azureDataLakeAnalyticsCatalogAndJobEndpointSuffix":"azuredatalakeanalytics.net"
},
"authorizationScheme":"Bearer",
"tokenCache":{
"_entries":[
{
"tokenType":"Bearer",
"expiresIn":3599,
"expiresOn":"2018-02-06T22:00:45.439Z",
"resource":"https://management.core.windows.net/",
"accessToken":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlNT...",
"isMRRT":true,
"_clientId":"51dc31c8-27e7-4a05-9d6b-62c0710c2ad3",
"_authority":"https://login.microsoftonline.com/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0"
}
]
},
"clientId":"51dc31c8-...",
"domain":"3a41ae53-...",
"secret":"k7JlWcPdpK...",
"context":{
"_authority":{
"_log":{
"_componentName":"Authority",
"_logContext":{
"correlationId":"ceb8d4fe-135c-48a3-8b19-f50310c026b9"
}
},
"_url":{
"protocol":"https:",
"slashes":true,
"auth":null,
"host":"login.microsoftonline.com",
"port":null,
"hostname":"login.microsoftonline.com",
"hash":null,
"search":null,
"query":null,
"pathname":"/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0",
"path":"/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0",
"href":"https://login.microsoftonline.com/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0"
},
"_validated":true,
"_host":"login.microsoftonline.com",
"_tenant":"3a41ae53-fb35-4431-be7b-a0b3e1aee3c0",
"_authorizationEndpoint":null,
"_tokenEndpoint":"https://login.microsoftonline.com/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0/oauth2/token",
"_deviceCodeEndpoint":"https://login.microsoftonline.com/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0/oauth2/devicecode",
"_isAdfsAuthority":false,
"_callContext":{
"options":{
},
"_logContext":{
"correlationId":"ceb8d4fe-135c-48a3-8b19-f50310c026b9"
}
}
},
"_oauth2client":null,
"_correlationId":null,
"_callContext":{
"options":{
},
"_logContext":{
"correlationId":"ceb8d4fe-135c-48a3-8b19-f50310c026b9"
}
},
"_cache":{
"_entries":[
{
"tokenType":"Bearer",
"expiresIn":3599,
"expiresOn":"2018-02-06T22:00:45.439Z",
"resource":"https://management.core.windows.net/",
"accessToken":"eyJ0eXAiOiJKV1QiLCJhbGciOi...",
"isMRRT":true,
"_clientId":"51dc31c8-27e7-4a05-9d6b-62c0710c2ad3",
"_authority":"https://login.microsoftonline.com/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0"
}
]
},
"_tokenRequestWithUserCode":{
}
}
}
But I am getting a 401 error, what am I doing wrong?
{
"statusCode":401,
"request":{
"rawResponse":false,
"queryString":{
},
"url":"https://myVault.vault.azure.net/secrets/mySecret/?api-version=2016-10-01",
"method":"GET",
"headers":{
"x-ms-client-request-id":"95251650-6fcc-467b-8cd7-a23bf22a7a3c",
"accept-language":"en-US",
"Content-Type":"application/json; charset=utf-8",
"user-agent":"Node/v6.11.2 (x64-Windows_NT-10.0.16299) ms-rest/2.3.0 ms-rest-azure/2.5.2 azure-keyvault/2.0.1-preview Azure-SDK-For-Node"
},
"body":null
},
"response":{
"body":"",
"headers":{
"cache-control":"no-cache",
"pragma":"no-cache",
"expires":"-1",
"server":"Microsoft-IIS/8.5",
"www-authenticate":"Bearer authorization=\"https://login.windows.net/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0\", resource=\"https://vault.azure.net\"",
"x-ms-keyvault-region":"westus2",
"x-ms-request-id":"75929ac8-f1ed-441d-9ed0-82ab23c86be5",
"x-ms-keyvault-service-version":"1.0.0.839",
"x-aspnet-version":"4.0.30319",
"x-powered-by":"ASP.NET",
"strict-transport-security":"max-age=31536000;includeSubDomains",
"x-content-type-options":"nosniff",
"date":"Tue, 06 Feb 2018 21:00:45 GMT",
"connection":"close",
"content-length":"0"
},
"statusCode":401
}
}
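In your token, the resource is wrong: the cached token was issued for https://management.core.windows.net/, while the www-authenticate header of the 401 response asks for resource="https://vault.azure.net".
You should use https://vault.azure.net instead of https://management.core.windows.net/, for example by passing { tokenAudience: 'https://vault.azure.net' } as the options argument of loginWithServicePrincipalSecret.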
This is mainly because I need to both login using
ServicePrincipalSecret and MSI. As far as I can tell the adal library
doesn't support MSI login.
Yes, msRestAzure.loginWithServicePrincipalSecret(clientID, clientKey, domainID) does not support MSI login, but you could use msRestAzure.loginWithAppServiceMSI({resource: 'https://vault.azure.net'});
For more information, see this link.
Related
Issue with Keycloak and nestjs
I have been trying to include Keycloak authentication with my NestJS app and this is driving me crazy. I keep getting an error "WARN [Keycloak] Cannot validate access token: Error: Grant validation failed. Reason: failed to load public key to verify token. Reason: connect ECONNREFUSED ::1:8080" My Keycloak.json file is: { "realm": "my-realm", "auth-server-url": "http://localhost:8080/", "ssl-required": "external", "resource": "test", "verify-token-audience": false, "credentials": { "secret": "my-secret" }, "policy-enforcer": {} } This is being imported in Apps.module.ts as: KeycloakConnectModule.register('./dist/keycloak.json', { policyEnforcement: PolicyEnforcementMode.PERMISSIVE, tokenValidation: TokenValidation.ONLINE, }), I am using Keycloak version 19.0.1 and nest-keycloak-connect v1.9.0. When I tried debugging, the public key in grant-manager.js was undefined. I checked the well-known config, and jwks-uri was defined as: http://localhost:8080/realms/my-realm/protocol/openid-connect/certs Any ideas on what might be wrong?
Trouble generating an Intent with delegateDirective from a TouchEvent handler (Alexa)
I need to confirm deleting a task from a button event. For this reason, I want Alexa to ask for confirmation, and therefore I need to generate a DeleteTaskIntent from my code. I have tried this: return handlerInput.responseBuilder.addDelegateDirective({ name: 'DeleteTaskIntent', confirmationStatus: 'NONE', slots: { idTask:{ name: 'idTask', value: idTask, confirmationStatus: 'NONE' } } }).getResponse(); In my TouchEventHandler, but after checking the request in the requestEnvelope, I see this: request: { type: 'System.ExceptionEncountered', requestId: 'amzn1.echo-api.request.9c2cf5f4-2f2c-419c-898c-05bd5f096810', timestamp: '2022-02-23T11:30:08Z', locale: 'es-ES', error: { type: 'INVALID_RESPONSE', message: 'Directive "Dialog.Delegate" cannot be used in response to an event' }, cause: { requestId: 'amzn1.echo-api.request.0494d80d-c6ac-41d6-b3a2-dffd97f427b5' } } And the error { "name": "AskSdk.GenericRequestDispatcher Error" } also appears, which suggests that no handler can handle this case. Any idea about what I'm doing wrong when trying to generate the Intent?
Moodle Web Service responses with invalid_parameter_exception
I created Moodle and MariaDB containers with Docker. Moodle: 3.11.4 Mariadb: 10.3 I am trying to execute the following web service call: client: wwwroot: 'http://localhost:8012', service: 'moodle_mobile_app', token: '8faf4879d2c654f11e404095032ae382', strictSSL: true call: curl "http://localhost:8012/webservice/rest/server.php?wstoken=8faf4879d2c654f11e404095032ae382&moodlewsrestformat=json&wsfunction=core_user_get_users_by_field&moodlewsrestformat=json&id=2" but I am getting the following error: {"exception":"invalid_parameter_exception","errorcode":"invalidparameter", "message":"Invalid parameter value detected (Missing required key in single structure:field)", "debuginfo":"Missing required key in single structure: field" } I tried the same with the Moodle client for Node ... client.call({ wsfunction: "core_user_get_users_by_field", method: "POST", args: { id: 2 } })... but I also receive the same error. I checked the API documentation and id is a valid parameter for this web service. Can you please help?
Issue is resolved client.call({ method: "POST", wsfunction: "core_user_get_users_by_field", args: { field: "id", values: ["2"] } }).then(function(info) { var str = JSON.stringify(info, null, 4); console.log(str); });
How to disable webpack dev server auto reload for neutrino project?
Browser: Peruse Type of project: SAFE network website I need to turn it off because Peruse considers window.eval() to be a security issue and thus blocks it, which in turn stops my website from loading. Peruse is the standard browser for Maidsafe as far as I know. Both of my attempts to fix this have failed: webpack.config.js module.exports = { devServer: { hot: false, inline: false } }; neutrinorc.js module.exports = { use: [ [ '@neutrinojs/vue', { html: { title: 'SAFE Web App' } } ], (neutrino) => { neutrino.config.devServer .hot(false) .inline(false) } ] }; The error: Uncaught Error: Sorry, peruse does not support window.eval(). at window.eval.global.eval (/opt/Maidsafe/Peruse/resources/app.asar/webPreload.js:9:82219) at Object../node_modules/webpack-dev-server/client/index.js?http://localhost:5000 (http://localhost:5000/index.js:957:1) at __webpack_require__ (http://localhost:5000/index.js:679:30) at fn (http://localhost:5000/index.js:89:20) at Object.0 (http://localhost:5000/index.js:1060:1) at __webpack_require__ (http://localhost:5000/index.js:679:30) at http://localhost:5000/index.js:725:37 at http://localhost:5000/index.js:728:10 package.json ... "dependencies": { "@babel/helper-module-imports": "^7.0.0-beta.44", "vue": "^2.5.16" }, "devDependencies": { "@neutrinojs/vue": "^8.2.1", "@vue/devtools": "^4.1.5", "neutrino": "^8.2.1" } ...
The eval() error is not coming from webpack-dev-server. It turns out that the default source map mode used by @neutrinojs/web, which @neutrinojs/vue inherits from, is cheap-module-eval-source-map, and it needs to be set to cheap-module-source-map. The eval-based mode wraps each bundled module in eval(), so the error surfaces at the first module that loads. Thus neutrinorc.js needs to be configured as such: module.exports = { use: [ ['@neutrinojs/vue', { // Existing options }], (neutrino) => { if (process.env.NODE_ENV === 'development') { // Override the default development source map of 'cheap-module-eval-source-map' // to one that doesn't use `eval` (reduces incremental build performance). neutrino.config.devtool('cheap-module-source-map'); } } ] };
'<all_urls>' is not a recognized permission
I request a permission by this code: chrome.permissions.request({permissions:["<all_urls>"]},function(granted){ if(granted) { ;; } }); But I'm getting this error: Unchecked runtime.lastError while running permissions.request: '<all_urls>' is not a recognized permission. Is this a bug?
<all_urls> is an origin permission. You have to request the optional permission using "origins" instead of "permissions": chrome.permissions.request({origins: ["<all_urls>"] }, function(granted) { // ... });