I tried to test the Translate API. Adm.py on Microsoft's GitHub (https://github.com/MicrosoftTranslator/Python-Speech-Translate) requires a client_id and a client_secret. I only have a subscription ID and 2 keys. I have tried every combination but nothing works. Where do I get a client_id and client_secret?
Here's the link to the Microsoft Cognitive Services API, you need to register there and obtain an API key.
You need to set up a Service Principal for API-to-API authentication. You can visit this link to configure the same. The keys in the article are the client secret that you require. More information about this can be found here.
I am trying to create an online meeting with a web application using the Microsoft Graph API.
When I try to initiate an authorization request to get permissions from the end-user to create a token with a similar URL to:
https://login.live.com/oauth20_authorize.srf?state=xxx&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&response_type=code&approval_prompt=auto&client_id=xxx
I get the following error message from the Microsoft API:
The client does not have a secret configured. If you are the client
application developer, configure a secret through the application
management site at https://go.microsoft.com/fwlink/?linkid=2083908.
I have a secret configured for the application in the "Certificates & secrets" part under the "Client secrets":
I have no clue what I am missing here and the Microsoft documentation is not really helpful.
The solution was to change the authorize and token endpoint to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize and to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token respectively as it is described here.
In my case - since I want to support multiple tenants - I could not fill out the {tenant} part of the URL with the actual tenant ID, but needed to set organizations since, as described here, only work or school accounts are supported.
So the final URLs changed to the following:
Authorize: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
Token: https://login.microsoftonline.com/organizations/oauth2/v2.0/token
Been trying to get into Binance OAuth. The doc didn't mention where I can get my client ID.
From the docs that you linked:
To begin, your application should identify the needed permissions (scope) firstly. Setup and register your application with Binance Accounts, and get your client_id . For now, please contact us.
So according to the docs, there's currently no automated process and you'll need to contact Binance to get the OAuth2 client_id for your app.
I am using the below REST API to enable Azure PIM at the moment.
API endpoint : https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/azureResources/roleAssignmentRequests
Body:
{
"roleDefinitionId":"sdfsa4324-7b46-sdfa234-8db9-c32423354",
"resourceId":"243-4a58-4sdf1e-a0f4-234234dfds",
"subjectId":"sdfasd-9af3-42f5-9699-dfasd243",
"assignmentState":"Active",
"type":"UserAdd",
"reason":"Evaluate Only",
"ticketNumber":"Evaluate Only",
"ticketSystem":"Evaluate Only",
"schedule":{"type":"Once","startDateTime":null,
"endDateTime":null,"duration":"PT0M"},
"linkedEligibleRoleAssignmentId":"2423asdf-c271-4342342-8859-11243dfsaf",
"scopedResourceId":null
}
The problem I am facing at the moment is I am not sure how to generate the bearer token automatically to pass as an authorization header. Currently, I am just fetching the token from the Chrome developer console. Can anyone point me to an API with which I can use my creds to generate a bearer token that I can use for PIM?
Thanks,
Tintu
According to your description, I assume that you'd like to call an API to enable PIM, so you need an access token; here an official doc recommends that you use MSAL to obtain the token you need.
we recommend you use the supported Microsoft Authentication Libraries
(MSAL) instead to acquire tokens and call secured web APIs. Also take
a look at the sample apps that use MSAL.
I have another answer which used msal.js to generate an access token for calling the Graph API for Azure Key Vault; the difference is the scopes, and according to this document, the API scope is:
Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All PrivilegedAccess.ReadWrite.AzureAD
So you need to create an Azure AD application, add the above API permissions and change the 'scope' in the code. And if you need a sample in another programming language, you can refer to this doc to choose another sample.
Before you compose the code, I think you can generate a test token to test whether this token could help you call the API, using tools like Postman.
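An added example (not code from the answer, nor from MSAL) for the "generate a test token and try it" step: an offline pre-flight check that decodes a bearer token and reports the usual reasons a PIM call would come back 401/403, such as expiry or a missing delegated scope from the list above. It deliberately does not verify the signature; that remains the resource server's job. The sample token is constructed inside the block and is not a real Azure AD token; the audience and tenant values are placeholders.

```javascript
// Added example, not from the original answer: decode a bearer token without
// signature verification and report why the PIM API would likely reject it.
// Sample tokens below are constructed for this example; 'api://placeholder'
// and 'placeholder-tenant' stand in for a real audience and tenant ID.

// Delegated permissions the answer lists for the PIM API.
const PIM_SCOPES = [
  'Directory.AccessAsUser.All',
  'Directory.Read.All',
  'Directory.ReadWrite.All',
  'PrivilegedAccess.ReadWrite.AzureAD',
];

const b64urlEncode = (s) => Buffer.from(s).toString('base64url');
const b64urlDecode = (s) => Buffer.from(s, 'base64url').toString('utf8');

// Split a compact JWS into header and claims. No signature check here.
function decodeUnverified(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected header.payload.signature)');
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    claims: JSON.parse(b64urlDecode(parts[1])),
  };
}

// Report expiry, missing scopes and a missing audience before spending a call on the API.
function preflight(token, { requiredScopes = PIM_SCOPES, now = Math.floor(Date.now() / 1000) } = {}) {
  const { claims } = decodeUnverified(token);
  const problems = [];
  if (typeof claims.exp !== 'number') problems.push('no exp claim');
  else if (claims.exp <= now) problems.push('expired');
  // Delegated scopes arrive space-separated in the "scp" claim.
  const granted = new Set(String(claims.scp || '').split(/\s+/).filter(Boolean));
  const missingScopes = requiredScopes.filter((s) => !granted.has(s));
  if (missingScopes.length) problems.push(`missing scopes: ${missingScopes.join(' ')}`);
  if (!claims.aud) problems.push('no audience');
  return { ok: problems.length === 0, problems, missingScopes, audience: claims.aud, tenant: claims.tid };
}

// Constructed token with a placeholder signature: right shape, not verifiable.
function makeSampleToken(claims) {
  const header = b64urlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid: 'constructed' }));
  return `${header}.${b64urlEncode(JSON.stringify(claims))}.${b64urlEncode('placeholder-signature')}`;
}

// Usage with a constructed token that lacks three of the four scopes:
const sample = makeSampleToken({
  aud: 'api://placeholder',
  tid: 'placeholder-tenant',
  exp: Math.floor(Date.now() / 1000) + 3600,
  scp: 'Directory.Read.All',
});
console.log(preflight(sample));
```

Paste a token obtained from MSAL (or from Postman) into preflight before wiring it into the PIM request; a clean report does not prove the token will be accepted, but a missing scope or a past exp explains most failures without another round trip.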
I'm enabling OAuth2 for my Azure API Management instance. I click Add to add OAuth2, and it's asking me to enter name, and description of authorization service, so my thinking is I am creating an authorization service here.
Why is it asking me to provide client id, client secret, resource owner user, and resource owner password? I understand the concepts of OAuth2 and how these are used, but I am setting up API Management to handle OAuth2 authorization, so the job of the Authorization server will be to validate authorization codes and client secrets. The clients will have their own Client IDs and Client Secrets. Resource Owner should be an Azure AD identity with its own user name and password.
Why, when I am setting up the authorization server for API Management is it asking me to enter Client ID and Client Secret as well as Resource Owner credentials. It doesn't make sense to me. Can someone explain?
So....what gives? Am I in the wrong screen because API Management
APIM can't be used as OAuth server. The only reason at the moment to configure OAuth/OIDC server in APIM is to make sure it's included into exported specification of an API and that developer portal has a convenient UI to let users obtain tokens, nothing else. That's why it's expected to provide client id and secret, because APIM is effectively a client.
Step 1 : Choose an OAuth provider such as Auth0
Step 2 : Configure various OAuth scenarios as API's in your OAuth provider (API is the term Auth0 uses, other providers might refer to them with other terms)
Step 3 : Create APIM OAuth 2 records, filling in the fields in your question (client id, client secret). Create a record for each API you have configured in your OAuth provider (in Step 2).
Step 4 : In the APIM edit the details of the various API's choosing the appropriate OAuth record you setup in Step 3. Here you are choosing the OAuth scenario for each of your APIs. Many APIs may use the same scenario, but obviously an individual APIM API entry can only link to 1 OAuth scenario
Thus you have configured various APIs in the APIM against various OAuth scenarios. Usually the details behind the OAuth setup are invisible to the API and are so setup and exposed only by their ClientID, secret and urls for token and authorise.
Auth0 has a good tutorial for setting up Azure APIM: HERE
APIM should have its own identity. Have you created an app registration for the instance? The credentials from the app registration on AAD that are used will identify APIM and allow validation of the token.
I was working on a JS app which talks to Azure AD app using OIDC. Here is the flow of authentication and validation -
Redirect user to common login end point
Get access token, id_token etc. on callback url
Validate response with jwt keys retrieved from discovered url - https://login.microsoftonline.com/common/discovery/keys
Get user info from discovered userinfo url - https://login.microsoftonline.com/common/openid/userinfo
Store the information in local / session storage, depending upon settings.
The problem with Azure AD is, we cannot complete steps 3 and 4. Both URLs do not support CORS. We are not able to validate the tokens we get and can't retrieve the user information.
Is there any better way to get userinfo in Microsoft's implementation of OpenID for Azure AD?
You are correct, Azure AD does not support CORS for either the metadata URL or the keys URL.
The general guidance is to not validate the id_token since you should only be using those claims for display purposes and not to drive any core functionality.
For core functionality (aka API calls) you should use access_tokens which should be validated by your back end which does not need CORS enabled endpoints.
You'll see these principles in action in the Azure AD SPA sample where authContext.getCachedUser() in adal.js is used to read the user and its claims without any validation.
If you want more validated user info, the guidance is to call the Graph to obtain user info via the Microsoft Graph's /me endpoint. You can see this pattern in the Azure AD Xamarin Sample.
You can vote for the request in the Azure AD feedback forum: Add CORS support for discovery and json web key set endpoints.
I ran into the same problems a while ago and the solution to these problems was to double hop the JWKS and UserInfo calls via an API.
I also used the certified and widely respected OIDC Client library, which has features for SPA silent token renewal and id token validation.
Personally I like to keep my apps coded in an Open Standards manner as much as possible, rather than being locked into one vendor.
PS. If you think this type of solution would work for you, here is a GitHub sample and some documentation.