I'm working on a small application to connect to Microsoft Azure, list all databases belonging to a certain resource group, and export all said databases. I'm using the Microsoft.WindowsAzure.Management.Sql library for this.
Following this guide, I've managed to set up an app registration in AD for my application and assign it the Owner role (for testing), authenticate with Azure and get an access token.
However, when I try to use that token to perform any operations on the database (such as listing all databases, using IServerOperations.List), I get the following exception:
ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.
The tenant ID, subscription ID, client ID and client secret are all correct, and changing any of them results in a different exception, already at the authentication stage.
How can I fix this? If the correct answer is "switch to Microsoft.Azure.Management.Sql" I'm perfectly fine with that, but if possible I'd at least like to understand why this is happening.
HIf the correct answer is "switch to Microsoft.Azure.Management.Sql" I'm perfectly fine with that, but if possible I'd at least like to understand why this is happening.
Microsoft.WindowsAzure.Management.Sql implements the ASM API(Azure old API).
The reason you're getting this error is because you're trying to authenticate/authorize an Azure Resource Manager (ASM) API with application permission.
But Service Management API is a delegated permission and not an application permission.
For more detail information about how to authenticate for ASM and ARM Rest API, please refer to another SO thread.
How can I fix this?
Microsoft.Azure.Management.Sql implements the ARM API. As you mentioned that you could use the Microsoft.Azure.Management.Sql to instand of Microsoft.WindowsAzure.Management.Sql
or you could use X509 Certificate based authorization to authorize your ASM API requests.
For more information about how to authenticate using a management certificate, you could refer to this tutorial.
Note: It is recommanded that to use Microsoft.Azure.Management.Sql to instead of Microsoft.WindowsAzure.Management.Sql
Related
Trying to follow this tutorial to connect to Firestore but i got this error
"System.InvalidOperationException: 'The Application Default
Credentials are not available. They are available if running in Google
Compute Engine. Otherwise, the environment variable
GOOGLE_APPLICATION_CREDENTIALS must be defined pointing to a file
defining the credentials. See https://developers.google.com/"
They dont explain how to Authenticate to use the FireStore. Can you please let me know how to do it and avoid this error.
Thank you.
The tutorial you linked does point to the authentication mechanism, which is here.
In summary you will have to do following-
Create a Service account for your project from Google Cloud Console. Make Sure the service account has appropriate Role assigned so that it has permission to access firestore.
Create and download a service account key file for that service account.
Save the key file in a secure location in your server.
Create an environment variable named GOOGLE_APPLICATION_CREDENTIALS in your server, and use the file location of the key file as it's value.
For example, using powershell-
$env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\service-account-file.json"
After that, requests will be automatically authenticated using those information.
Remember that You must keep your downloaded service account key absolutely secure and not distribute it.
Also as per the library documentation, if your server is in Google Cloud Platform, no action needs to be taken to authenticate.
EDIT:
Please note two things: application will be publicly available and users won't need to have any accounts. You can also suggest other solution than WCF, if it's better.
I'm developing an application in C# which could install other applications easily. The list of programs supported by this application will be stored on a database on a public server. Only my application should be able to access this database. Everyone can install this application, and users do not need to have any accounts.
Now, I'm wondering how should the communication between app and server look like. I'm thinking of developing a WCF service, but everyone can connect easily to this service (only my program should access this service).
Is there any way to protect WCF service from unauthorized access? Or maybe do you have any better idea how should the communication between this app and server look like?
Thanks in advance for any help!
You can check below links for help in this topic
https://msdn.microsoft.com/en-us/library/ms731925.aspx
https://msdn.microsoft.com/en-us/library/aa702565.aspx
You can configure your bindings to perform username and password based Authentication where you validated if the username and password are valid then only you can grant access to the service.
NET has built in features for ensuring that the code calling yours is authorized to do so. For example, take a look at this snippet of code:
[PrincipalPermission(SecurityAction.Demand, Role = "MyLocalSecurityGroup"]
public SearchResults Find(string contractNumber)
{
// ...
}
Notice the [PrinciplePermission] attribute. This attribute tells .NET that only principals who are members of the "MyLocalSecurityGroup" role are allowed to run this method (where a principal is a user/service account, and a role is a locally defined security group on the server). In other words, in order to run this method, the caller must be running under an account that is a member of the local security group specified.
For more details of how to create the group click here: https://msdn.microsoft.com/en-us/library/ms731200(v=vs.110).aspx
I am trying to create a user using Stripes Connect Api following the Deferred Account Activation
https://stripe.com/docs/connect/deferred-accounts
I am providing the request with what I believe is what is known as the "Platform_Secret_Key" which I think is found in the dashboard's Account Settings > Connect > Platform Settings > ClientId
When I use this in my request as the 'apiKey' I get "Invalid Api Key" error.
However, if I use my account ApiKey, as suggests here https://stripe.com/docs/api#create_account
it errors too with
"You cannot use this method on your own account: you may only use it on connected accounts."
Has anyone been successful? How is this done?
You need to use your platform's secret API key (found in the API keys tab of your dashboard). The client_id (found in the Connect tab) is used to connect standalone accounts via the OAuth flow -- this doesn't apply here since you're directly creating accounts (aka "deferred accounts"), not going through the OAuth flow.
Simply using the create account API endpoint with your platform's secret API key should work. Unfortunately I'm not sure if Stripe.net supports this. The documentation mentions support for the OAuth flow but not for deferred accounts or managed accounts. You might have better luck asking directly on the GitHub tracker for the project: https://github.com/jaymedavis/stripe.net, or maybe someone else will have a better answer for you here!
I am using ADAL in order to log in to my app which is being made in Xamarin.Forms against Azure AD. That is all working fine, however I now want to be able to register a new user and to do this need an access token to pass to the constructor of one of my methods.
However, as the user hasn't yet been registered, I need to be able to get an access token from Azure AD without actually supplying any user credentials. I have been told that in a normal web app, I'd be able to send the client id and app key so that Azure AD would know who I was and then send me back an access token but I can't figure out how to implement this in a cross-platform Xamarin app.
If anyone has come across this before, your help would be greatly appreciated.
Thanks.
Use of an app key in a native application is not recommended, regardless sof the dev stack you use to implement it. The reason is that generally devices should not be trusted with secrets. Furthermore, secret distribution is complicated (you can't embed it in the app code).
As a result, ADAL for Xamarin (and all the other flavors of ADAL meant to be used in native apps) does not expose any method for acquiring tokens with an app key.
From a antive app you really need to bootstrap secure communication with a user identity. Once you have that, you can do all sorts of interesting things on the server side (e.g. you API can, given that is running on the server, obtain tokens as an app).
HTH
V.
I'm writing a set of Powershell Cmdlets that allow a user to run admin functions on their domain. Using gData I have been able to do provisioning calls to create new users, list groups and other things of that nature. When trying to list another user's documents (as admin) I hit a roadblock with the DocsList api, so I turned to the Google Drive api instead.
I've since been able to get the Drive API working and have a Cmdlet running based on their QuickStart for DotNet and File List Example. However, I can't seem to figure out how to make it list docs for another user. Everything I've found so far seems to point to the use of Service Accounts for delegation or using the old DocList api instead which is depreciated in favor of the Drive API anyways.
My problem is the Service Accounts seem to be an alternative to the Installed Application, not something I can use at the same time. Or, if I were able to get it working I would have to have each user create their own project and service account, if I'm understanding things.
How can I do this without inconveniencing the users? They've already authenticated themselves as admins, I don't understand why they have to create an API project and service account to achieve the same thing. Would I create a single service account for my API Project? If so, how do I handle the public key it generates and needs access to? That doesn't seem very safe if I'm throwing around the key file.
You can impersonate a user only with service accounts. Once you configure your service account for domain-wide authority, you can make requests with your administrator account as you mention. But, I'm not sure Google Apps allow multiple administrator accounts or not. If they do, all you need is setup a single project and a single service account.