I have just set up Guacamole 0.9.9 with a MySQL user database and LDAP authentication and it all works flawlessly so far.
However, I want to be able to create new users and connections in the MySQL database from outside of Guacamole. Is there a way to use the API to perform these tasks?
All I'm reading about the API is creating a new web application which embeds remote connections.
You can use the following MySQL commands in your code to create new users.
SET #salt = UNHEX(SHA2(UUID(), 256));
INSERT INTO guacamole_user (username, password_salt, password_hash, password_date) VALUES ('testuser', #salt, UNHEX(SHA2(CONCAT('testpass', HEX(#salt)), 256)), NOW());
You can create users with Guacamole REST API.
Firstly you need create a token:
Endpoint:
POST {{baseURL}}/api/tokens
x-www-form-urlencoded:
username: guacadmin
password: guacadmin
Sample Response:
{
"authToken": "8144B9B1EBAF73E8EDCE08EF5C145F49C1C9F563F13E21BF7A1CEC43E74011A4",
"username": "guacadmin",
"dataSource": "postgresql",
"availableDataSources": [
"postgresql",
"postgresql-shared"
]
}
After then you can create a user with using the token.
Endpoint:
POST {{baseURL}}/api/session/data/{{dataSource}}/users?token={{authToken}}
Sample Request Body:
{
"username": "testuser",
"password": "password",
"attributes":{
"disabled":"",
"expired":"",
"access-window-start":"",
"access-window-end":"",
"valid-from":"",
"valid-until":"",
"timezone": ""
}
}
Related
https://api.twitter.com/1.1/account_activity/all/prod/webhooks.json?url=https://test.com not working
I have followed all steps to create a new application and getting consumer key, secret keys and also token details and try to create webhook via postman. I am getting follwing error
{
"errors": [
{
"code": 32,
"message": "Could not authenticate you."
}
]
}
I have tried delete and get methods for webhook and it is working fine.
They probably goofed in their example. You just need to move the url parameter from the query string to the form data. Use the x-www-form-urlencoded body.
Also - if you leave the nonce and timestamp blank, then Postman will auto-generate them for you.
enter image description here
I'm searching for a way to call the firestore import/export functionality programmatically from java code.
What i found so far is that the nice firestore client library does not yet support the import/export calls. But the more low level rest/grpc api already supports them. Using the java library i tried the following:
Firestore firestoreApi = new Firestore
.Builder(UrlFetchTransport.getDefaultInstance(), new GsonFactory(), null)
.setApplicationName(SystemProperty.applicationId.get())
.build();
GoogleFirestoreAdminV1beta2ImportDocumentsRequest importRequest = new GoogleFirestoreAdminV1beta2ImportDocumentsRequest();
importRequest.setInputUriPrefix(String.format("gs://{}/{}/", BUCKET, image));
GoogleLongrunningOperation operation = firestoreApi
.projects()
.databases()
.importDocuments("projects/" + SystemProperty.applicationId.get() + "/databases/(default)", importRequest)
.execute();
Which sadly ends with missing permissions when run in app engine:
com.google.api.client.googleapis.json.GoogleJsonResponseException: 401
{
"code": 401,
"errors": [
{
"domain": "global",
"location": "Authorization",
"locationType": "header",
"message": "Login Required.",
"reason": "required"
}
],
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
I cannot get the official way to login to work, because the firestore builder does not have a method to accept a instance of AppEngineCredentials.
I already checked the python client library which also seems not support these methods (yet).
Does anyone have a idea how i can either login with the old rest api or get a client library which supports these methods (some language which runs on app engine please :) )
Thanks for reading!
Carsten
You can adapt this Cloud Datastore example for Cloud Firestore. See how they get an access token here:
import com.google.appengine.api.appidentity.AppIdentityService;
import com.google.appengine.api.appidentity.AppIdentityServiceFactory;
// Get an access token to authorize export request
ArrayList<String> scopes = new ArrayList<String>();
scopes.add("https://www.googleapis.com/auth/datastore");
final AppIdentityService appIdentity = AppIdentityServiceFactory.getAppIdentityService();
final AppIdentityService.GetAccessTokenResult accessToken =
AppIdentityServiceFactory.getAppIdentityService().getAccessToken(scopes);
connection.addRequestProperty("Authorization", "Bearer " + accessToken.getAccessToken());
Environment: Cloud Foundry Trail
I deployed my business & approuter applications using help
Now my requirement is get below user profile after XSUAA login.
Is there any API to get user profile details?
{
"lastName": "XXXXX",
"passwordStatus": "enabled",
"mail": "XXXXX#gmail.com",
"displayName": "XXXX XXXX XXXXX",
"uid": "XXXXXX",
"photoUrl": "https://www.gravatar.com/avatar/760fcd379cf60090e1e27b052f9e49bd?d=mm",
"firstName": "XXXX",
"contactPreferenceEmail": "unknown",
"status": "active",
"spUsersAttributes": [
{
"ServiceProviderName": "sapcpcf",
"NameID": "XXXXX",
"Status": "ACTIVE",
"ActivationTime": "20181026050006Z"
}
]
}
Updated answer:
The IdP used by default on Cloud Foundry does not use SAML. Thus, mapping of SAML attributes does not work. Use the approach listed below only when using an IdP that supports SAML.
Instead, when using the default IdP, there three fields (given_name, family_name, email), that can be accessed as follows:
AuthTokenAccessor.getCurrentToken().get().getJwt().getClaim("email").asString();
Original answer:
you can do the following:
First, add a role template to your xs-security.json you used to configure your XSUAA instance like this:
{
"name": "Authenticated",
"description": "All authenticated users",
"attribute-references": [
"given_name",
"family_name",
"email"
]
}
Note that you need to recreate the XSUAA instance with the new config in order for this change to work.
Now, in the roles section of your Identity Provider (if you use the default Cloud Foundry IdP you can find that under the "Security" tab on the left of the Cloud Cockpit), you can configure how these fields should be filled. Choose "Identity Provider" there.
Of course make sure that this role is assigned to every user.
Finally, you read the information using the UserAccessor:
final User currentUser = UserAccessor.getCurrentUser();
currentUser.getAttribute("email");
This should help you get the necessary information!
Currently, there is no dedicated API to get all of these user profile details. You can use the AuthTokenAccessor to access the current JWT which should contain this information.
I have a web application that enables a user to manage AWS resources easily like start an Ec2 instance using GUI. Different users can use this web application. I have implemented my own user management. It is possible that some users don't want to create an account to my web-app and store their credentials to make requests to AWS resources. It may not be secure for them. So, I want to build a mechanism using following flow.
User login to my web-app using login with amazon
Login with amazon will provide an access token to me
Fetch temporary credentials using this token
Use these credentials for future request to AWs resources
In this way, there will be no permanent credentials stored in my web-app.
I'm using java for my backend services. So is there any AWS APi's to do so?
I have tried the following code:
val client = new AmazonCognitoIdentityClient(new AnonymousAWSCredentials())
val idRequest = new GetIdRequest();
idRequest.setAccountId(account-id);
idRequest.setIdentityPoolId("us-east-1:xxxx");
// If you are authenticating your users through an identity provider
// then you can set the Map of tokens in the request
val logins = new HashMap[String, String]()
providerTokens+=("www.amazon.com"->"Atza|IwE-xxxxxxxxxxxxxxxxxxx")
idRequest.setLogins(logins);
val idResp = client.getId(idRequest)
val identityId = idResp.getIdentityId()
// Create the request object
val tokenRequest = new GetOpenIdTokenRequest();
tokenRequest.setIdentityId("us-east-1:xxxxxx");
//
val tokenResp = client.getOpenIdToken(tokenRequest);
// get the OpenID token from the response
val openIdToken = tokenResp.getToken()
// you can now create a set of temporary, limited-privilege credentials to access
// your AWS resources through the Security Token Service utilizing the OpenID
// token returned by the previous API call. The IAM Role ARN passed to this call
// will be applied to the temporary credentials returned
val stsClient = new AWSSecurityTokenServiceClient(new AnonymousAWSCredentials());
val stsReq = new AssumeRoleWithWebIdentityRequest();
stsReq.setRoleArn("arn:aws:iam::account-id:role/Cognito_Auth_Role");
stsReq.setWebIdentityToken(openIdToken);
stsReq.setRoleSessionName("AppTestSession");
val stsResp = stsClient.assumeRoleWithWebIdentity(stsReq);
val stsCredentials = stsResp.getCredentials();
i get the following error:
Access to Identity 'us-east-1:xxxxxxxxxxxxxxxx' is forbidden. (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: NotAuthorizedException
Following is the Cognito_Auth_Role role policy in IAM roles:
{
"Version": "2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":"cognito-sync:*",
"Resource":["arn:aws:cognito-sync:us-east-1:xxxxxxx:identitypool/${cognito-identity.amazonaws.com:aud}/identity/${cognito-identity.amazonaws.com:sub}/*"]
}]
}
And here is the trust relationships for this role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:xxxxx"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "www.amazon.com"
}
}
}
]
}
Please point me out, what is wrong here?
Thanks
You can use AWS Cognito to handle most of the plumbing, or you can connect your own OpenId Identity Provider or a provider service you subscribe to.
Here's the docs for Identity and Access Management (IAM):
https://aws.amazon.com/documentation/iam/
Or you can have them do some of the plumbing for you with Cognito:
http://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
While it looks like that's only for mobile, they have docs on using their JavaScript SDK in the browser:
http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/browser-intro.html
I have create an OAuth application, it gives me Client ID:xxx Client Secret:yyy
Redirect URIs, Authorize URL, Access Token URL now what should I do? In coding wise, I am working in Java.
Thanks for your interest in working with our API!
I think the best explanation of how to work with our API using would is in the documentation on our developers site.
Take a look at that, and let us know if you have any other questions.
Particularly useful from that page is this sample flow that your app might go through:
# Redirect the user to this page
https://www.coinbase.com/oauth/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_CALLBACK_URL&scope=user+balance
# If the user accepts, they will be redirected to:
YOUR_CALLBACK_URL?code=CODE
# Initiate a POST request to get the access token
https://api.coinbase.com/oauth/token&
grant_type=authorization_code&
code=CODE&
redirect_uri=YOUR_CALLBACK_URL&
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET
# Response containing the 'access_token'
{
"access_token": "...",
"refresh_token": "...",
"token_type": "bearer",
"expire_in": 7200,
"scope": "universal"
}
# Now you can use the 'access_token' to initiate authenticated requests
https://api.coinbase.com/v1/account/balance?access_token=...
# Response
{
"amount": "50.00000000",
"currency": "BTC"
}