Trying to follow this tutorial to connect to Firestore but i got this error
"System.InvalidOperationException: 'The Application Default
Credentials are not available. They are available if running in Google
Compute Engine. Otherwise, the environment variable
GOOGLE_APPLICATION_CREDENTIALS must be defined pointing to a file
defining the credentials. See https://developers.google.com/"
They dont explain how to Authenticate to use the FireStore. Can you please let me know how to do it and avoid this error.
Thank you.
The tutorial you linked does point to the authentication mechanism, which is here.
In summary you will have to do following-
Create a Service account for your project from Google Cloud Console. Make Sure the service account has appropriate Role assigned so that it has permission to access firestore.
Create and download a service account key file for that service account.
Save the key file in a secure location in your server.
Create an environment variable named GOOGLE_APPLICATION_CREDENTIALS in your server, and use the file location of the key file as it's value.
For example, using powershell-
$env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\service-account-file.json"
After that, requests will be automatically authenticated using those information.
Remember that You must keep your downloaded service account key absolutely secure and not distribute it.
Also as per the library documentation, if your server is in Google Cloud Platform, no action needs to be taken to authenticate.
Related
I have an app service in Azure operating as an API for a system I'm designing. As the API is responsible for accessing the database directly, I obviously don't want to be storing connection strings containing credentials anywhere if possible, so am looking to use Managed Identities to grant the App Service access to the database (also hosted on Azure).
Within the Azure portal, I've enabled System-Assigned Identity within the Settings section of the App Service, then given the service the role of owner of the SQL Server via SQL Server -> Access Control -> Role Assignments-> Add.
As I understand it, Active Directory Users shouldn't even come into this as they are user-assigned identities rather than system-assigned identities, and take more setting up (or storing their credentials in the connection string).
As for the code, it's pretty much a carbon copy of this >> https://github.com/medhatelmasry/JwtAuthentication, the only differences being that I've added
services.BuildServiceProvider().GetService<ApplicationDbContext>().Database.Migrate();
to the end of the ConfigureServices method within Startup.cs, and added the below to the constructor of ApplicationDbContext as per Microsoft's instructions:
var conn = (System.Data.SqlClient.SqlConnection)Database.GetDbConnection();
conn.AccessToken = (new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider()).GetAccessTokenAsync("https://database.windows.net/").Result;
When attempting to run this service in Azure, however, I get an exception when calling services.BuildServiceProvider().GetService<ApplicationDbContext>().Database.Migrate();:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
I've tried StackOverflow, MSDN, Azure Help, Pluralsight and whatever random forums turn up from Google, and not managed to find an answer on any of them. I've only just got through a whole week of staying up until stupid o'clock every day trying to fix connection string configurations only to find Azure was changing the name of the connection string parameter that I was giving it and not saying a word about it (and nothing in any Microsoft documentation about it either).
Azure is becoming a serious pain in my ass, I haven't even started adding endpoints to the API yet, let alone creating an actual application to use it, this is ridiculous.
Eventually found the answer here >> https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql#create-a-contained-user-in-the-database-that-represents-the-vms-system-assigned-identity
The App Service was indeed set as an owner of the server, but hadn't had a user provisioned on the database, so my problem was resolved by logging into the database via SSMS and running:
CREATE USER [My App Service Name] FROM EXTERNAL PROVIDER
then:
ALTER ROLE db_owner ADD MEMBER [My App Service Name]
However, I removed the ownership role of the App Service on the server's Access Control (IAM) page, and am still able to connect successfully, not sure why that is but this is probably just a lack of SQL user knowledge on my part. It actually suits me as at the moment my App Service has a provisioned SQL user with db_owner role assigned on the database itself, but not on the overall server.
From my understanding you have to go through the prerequisite process of creating, enabling and allowing Azure AD users and also setting SQL Admin to an Azure AD user.
There's a pretty comprehensive guide here including creating, accessing and using tokens for Managed Identities Tutorial: Secure Azure SQL Database connection from App Service using a managed identity
I'm working on a small application to connect to Microsoft Azure, list all databases belonging to a certain resource group, and export all said databases. I'm using the Microsoft.WindowsAzure.Management.Sql library for this.
Following this guide, I've managed to set up an app registration in AD for my application and assign it the Owner role (for testing), authenticate with Azure and get an access token.
However, when I try to use that token to perform any operations on the database (such as listing all databases, using IServerOperations.List), I get the following exception:
ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.
The tenant ID, subscription ID, client ID and client secret are all correct, and changing any of them results in a different exception, already at the authentication stage.
How can I fix this? If the correct answer is "switch to Microsoft.Azure.Management.Sql" I'm perfectly fine with that, but if possible I'd at least like to understand why this is happening.
HIf the correct answer is "switch to Microsoft.Azure.Management.Sql" I'm perfectly fine with that, but if possible I'd at least like to understand why this is happening.
Microsoft.WindowsAzure.Management.Sql implements the ASM API(Azure old API).
The reason you're getting this error is because you're trying to authenticate/authorize an Azure Resource Manager (ASM) API with application permission.
But Service Management API is a delegated permission and not an application permission.
For more detail information about how to authenticate for ASM and ARM Rest API, please refer to another SO thread.
How can I fix this?
Microsoft.Azure.Management.Sql implements the ARM API. As you mentioned that you could use the Microsoft.Azure.Management.Sql to instand of Microsoft.WindowsAzure.Management.Sql
or you could use X509 Certificate based authorization to authorize your ASM API requests.
For more information about how to authenticate using a management certificate, you could refer to this tutorial.
Note: It is recommanded that to use Microsoft.Azure.Management.Sql to instead of Microsoft.WindowsAzure.Management.Sql
I am trying to run GetAppConfigSettings.ps1 from the example in Microsoft Docs
The script asks me to supply values for
vaultName
resourceGroupName
applicationName
location
I am stuck on applicationName
I want my application to run locally in Visual Studio.
I do want to use Azure KeyVault for encryption
What do I set up for the applicationName ?
I did start to add an Application to the Azure directory but it required a Redirect URI
The tooltip mentions that this is "The URI to which Microsoft Azure AD will redirect in response to an OAuth 2.0 request. The value does not need to be a physical endpoint, but must be a valid URI.
If I do need to set up an application so that I can have an application name to give to Key vault, what do I put in the Redirect URI given that I am writing a console application to run on my own pc.
I am choosing Native for the application type since the help for Application type mentions
"Choose "Web app/API" to add an application that represents a web application, a web API, or both. Choose "Native" to add an application that can be installed on a user's device or computer.
So I guess Native = Edge and Web = Cloud
The script still fails maybe I need to do something about a self signed certificate.
It seems before I can use Key Vault I need to understand Azure Applications even though I am not writing one
And before I can understand Azure Applications I need to understand Self Signing Certificates
Well in order to access KV your app will need to be registered in AD as an application, where you will define the shared ID and client secret. You need to go through that process. App name is the name there.
Redirect URI is irrelevant, just add some valid URI like http://somedomain.com/appnane
Your app will need the client ID and secret to connect to KV. If I recall rightly you can do this easily based on sample code but it needs an AD nuget for the token and nuget for KV SDK
Does the C# .NET client library for the open source self hosted parse-server have support for calling Cloud Code functions? If so, how can this be done?
EDIT: I did find this http://parseplatform.github.io/docs/cloudcode/guide/ which does give an example of using the .NET library for calling a Cloud Code function, however it doesn't seem to provide any information on the client app providing authentication information so the Cloud Code function can check user permissions for a specific action. Is this possible?
Thanks!
You can access all your cloud code function from the client after you initialize Parse SDK with you appId and serverURL.
If your requirement is that only logged in users will be able to access one or more cloud functions then in your cloud code you can check the following:
if (request.user) {
// user is logged in
}
because in parse-server there is not Parse.User.current() anymore so the logged in user is being sent as part of the request.
Now in order to allow/prevent a user to read/write a specific object you need to use ACL (Access control list). When you create new ACL you can specify which users/roles can read/write this object. You can even decide if this object is public read or public write and it is any user will be able to read or write from/to this object.
You can read about ACL's and Roles in here
I am trying to test the sample code from office365 API, I could login to my account but after that i would always get this exception
AuthenticationFailedException was caught
AADSTS65005: The client application has requested access to resource 'https://outlook.office365.com'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.
Trace ID: 7a39b0bd-1738-418f-984a-feffae5b5d9b
Correlation ID: 16da7c7f-9f0c-468f-a560-a51b1ac9b3bf
Timestamp: 2014-07-09 07:36:34Z
This is the code that I have been testing this code is generated by the API.
Authenticator authenticator = new Authenticator();
var authInfo = await authenticator.AuthenticateAsync("https://outlook.office365.com");
please help me or point-out what I'm doing wrong, this is my first time developing in office365 please help and thank you.
I just came across your question having run into the same error, so since nobody ever answered I figured I would post the answer I found. This error is related to the permissions set to be requested on the app in the Azure dashboard at https://manage.windowsazure.com.
If you go into your app configuration page and scroll to the bottom, you just need to add the corresponding items under the delegated permissions dropdown.
I got the same error. This is what fixed it for me:
Go to https://manage.windowsazure.com
Go to the corresponding app configuration page.
Scroll to the bottom to "permissions to other applications".
Add "Windows Azure Active Directory" application if it is not already there.
Under delegated permissions check "Enabled Sign-on and read user's profiles"
The consent framework associated with requesting authorization requires that your client application is configured with a static set of permissions to the resources (APIs) that it will call. For example, if your app needs to read the signed in user's mail and read and write to their calendar, you need to select Office 365 Exchange Online as a resource and pick the Read mail and Read and write calendar permissions.
This app configuration can be done in a couple of ways - one way is through your dev environment - like Visual Studio. VS2013 and up have a connector that allows you to register a client app and configure its access to O365 cloud resources. Another way is through the Azure Management Portal (under the AD extension, find your application, click on the configure tab, and configure access through the "permissions to other applications" section.
I recommend that you look through https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks and the following sections which show how register apps through Azure Management Portal and through Visual Studio. Also which sample are you trying here? The sample should contain instructions, including the instructions to set the resource and permission scopes your application needs