How to authenticate to GitHub using GitHub Apps with SAML authentication - python

My requirement is that I have written a Lambda function in AWS for automatically creating a repository in GitHub using the GitHub API and PAT token authentication.
import requests

def create_automatic_repo(repo_name):
    # org_name, secret and secretKey are module-level values the post does not
    # show (the organization name and a dict holding the PAT).
    # The /api/v3 prefix is the GitHub Enterprise Server path form; on GitHub.com
    # the same endpoint is https://api.github.com/orgs/{org_name}/repos
    query_url = f"https://api.github.com/api/v3/orgs/{org_name}/repos"
    params = {
        "name": repo_name
    }
    headers = {
        'Authorization': f'token {secret[secretKey]}',
        'Accept': 'application/vnd.github+json',
    }
    # json= serialises the body and sets Content-Type, same as data=json.dumps(params)
    response = requests.post(query_url, headers=headers, json=params)
    print("creating new repository response ", response)
    print("creating new repository response content ", response.content)
We successfully created a repo using the GitHub API with a PAT token. Now we need to change the authentication from a PAT token to a GitHub App.
I am trying to authenticate a GitHub App using the App ID and private key. I have generated the JWT with the jwt module. I am calling the GitHub API "https://api.github.com/app/installations/installation_id/access_tokens" to get an access_token. I am getting a 200 response but it is redirecting to the SAML authentication page.
$ curl -i \
    -H "Authorization: token YOUR_INSTALLATION_ACCESS_TOKEN" \
    -H "Accept: application/vnd.github+json" \
    https://api.github.com/api/v3/orgs/{org_name}/repos
This is the curl command I found in the official documentation. If I have the access_token, I can use the GitHub API to create a repo from a Lambda function in AWS.
I am attaching the flow I followed for GitHub App authentication. Here is the official document I followed: https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps
Created a GitHub App, giving the GitHub organization URL as the homepage URL
Installed the GitHub App at the organization level
Wrote Python code for generating the JWT
Here is the Python code for generating the JWT and calling the GitHub API for the installation_id. I am getting a 200 response but it is redirecting to the SAML authentication page.
import json
import os
import time

import jwt  # PyJWT
import requests
from cryptography.hazmat.primitives import serialization

# The app's private key (PEM) downloaded from the GitHub App settings page.
# Do not print it: the original script echoed the key bytes to the log.
with open(r'first.txt', "rb") as f:
    cert_bytes = f.read()
private_key = serialization.load_pem_private_key(cert_bytes, password=None)

time_since_epoch_in_seconds = int(time.time())
payload = {
    # issued at time, 60 seconds in the past to allow for clock drift
    "iat": time_since_epoch_in_seconds - 60,
    # JWT expiration time (10 minute maximum)
    "exp": time_since_epoch_in_seconds + (10 * 60),
    # GitHub App's identifier
    "iss": 231726,
}
encoded_payload = jwt.encode(payload, private_key, algorithm="RS256")
# PyJWT < 2.0 returns bytes; normalise so the header is not "Bearer b'...'"
if isinstance(encoded_payload, bytes):
    encoded_payload = encoded_payload.decode()

headers = {
    'Authorization': f'Bearer {encoded_payload}',
    'Accept': 'application/vnd.github+json',
}
# Placeholder kept from the post; GET /app/installations (with the same JWT) lists the real ids.
installation_id = "installation_id"
# The access_tokens endpoint is a POST, not a GET
resp = requests.post(
    f"https://api.github.com/app/installations/{installation_id}/access_tokens",
    headers=headers,
)
print('Code: ', resp.status_code)
print('Content: ', resp.content)
This is the image of the SAML authentication page I am being redirected to:
I read the official GitHub documentation, and it mentions that we need to activate a SAML session to authenticate GitHub Apps:
https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on#about-oauth-apps-github-apps-and-saml-sso
But I did not see the option to enable SAML SSO authentication as mentioned in the document: https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization#enabling-and-testing-saml-single-sign-on-for-your-organization
This is the image where I did not find the option for enabling SAML authentication:
Can you please help us with enabling SAML authentication for the GitHub App authentication process without a PAT token, or is there any other way to authenticate to GitHub from a Lambda function in AWS using the GitHub APIs apart from a PAT token?
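The server-to-server GitHub App flow the question is trying to build, as an added example that is not the poster's code and not GitHub's own client: sign the app JWT (same claims as the script above), POST it to the installation access_tokens endpoint, then call the org repos endpoint with the installation token using the `token` scheme from the documented curl. Request building is kept pure so it can be checked offline; the network calls only run under `__main__`, where the key path, App ID, installation id and org come from environment variables that are assumptions of this example. The `is_api_json` check catches the symptom in the question: a 200 whose body is `text/html` is a web page, not an API reply.

```python
import time
from typing import Dict, Optional

GITHUB_API = "https://api.github.com"


def build_app_jwt_claims(app_id: int, now: Optional[int] = None) -> Dict[str, int]:
    """Claims for the app JWT: iat backdated 60 s for clock drift, exp no more than
    10 minutes out, iss = the App ID. Same values as the question's script."""
    now = int(time.time()) if now is None else now
    return {"iat": now - 60, "exp": now + 10 * 60, "iss": app_id}


def sign_app_jwt(app_id: int, private_key_pem: bytes) -> str:
    """RS256-sign the claims with the app's private key (PyJWT, imported lazily)."""
    import jwt  # PyJWT accepts the PEM bytes directly for RS256
    token = jwt.encode(build_app_jwt_claims(app_id), private_key_pem, algorithm="RS256")
    return token.decode() if isinstance(token, bytes) else token


def installation_token_request(installation_id: int, app_jwt: str) -> dict:
    """POST /app/installations/{id}/access_tokens, authenticated with the app JWT.
    The question's script used GET; the endpoint is a POST."""
    return {
        "method": "POST",
        "url": f"{GITHUB_API}/app/installations/{installation_id}/access_tokens",
        "headers": {"Authorization": f"Bearer {app_jwt}",
                    "Accept": "application/vnd.github+json"},
    }


def create_repo_request(org: str, repo_name: str, installation_token: str) -> dict:
    """POST /orgs/{org}/repos with the installation token, as in the documented curl
    ('token' scheme); the org must be the one the app is installed on."""
    return {
        "method": "POST",
        "url": f"{GITHUB_API}/orgs/{org}/repos",
        "headers": {"Authorization": f"token {installation_token}",
                    "Accept": "application/vnd.github+json"},
        "json": {"name": repo_name},
    }


def is_api_json(status: int, content_type: str) -> bool:
    """The REST API answers JSON. A 2xx whose body is text/html means the request
    reached a web page (a login or SAML page, for example), not the API, so it must
    not be read as a result."""
    return 200 <= status < 300 and content_type.lower().startswith("application/json")


def send(spec: dict):
    """Execute a request spec with requests and fail loudly on non-JSON replies."""
    import requests
    resp = requests.request(spec["method"], spec["url"], headers=spec["headers"],
                            json=spec.get("json"), timeout=30)
    if not is_api_json(resp.status_code, resp.headers.get("Content-Type", "")):
        raise RuntimeError(f"{spec['url']} -> HTTP {resp.status_code} "
                           f"{resp.headers.get('Content-Type')}: {resp.text[:200]}")
    return resp.json()


if __name__ == "__main__":
    import os
    # Assumed configuration (not from the question): where the key, ids and org come from.
    with open(os.environ["GITHUB_APP_KEY_PATH"], "rb") as f:
        pem = f.read()
    app_jwt = sign_app_jwt(int(os.environ["GITHUB_APP_ID"]), pem)
    inst = send(installation_token_request(int(os.environ["GITHUB_INSTALLATION_ID"]), app_jwt))
    repo = send(create_repo_request(os.environ["GITHUB_ORG"], "new-repo", inst["token"]))
    print(repo["full_name"])
```

The installation token returned by the exchange expires after an hour, so a Lambda should mint one per invocation from the app JWT rather than store it; the private key itself belongs in a secret store, not in the deployment package.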

Related

Getting error while reading data from Azure DevOps OData query

I'm running the code below to fetch an OData query but I'm getting an auth error
import requests
import json

endpoint_url = "https://analytics.dev.azure.com/pbi0280/TestOdata/_odata/v4.0-preview/WorkItems?$select=WorkItemId,WorkItemType,Title,State"
pat = "vch3ufmtbnimclfumrms5vgulcktrtakhp2hig3p7v3cs3ormi7q"
headers = {"Authorization": "Bearer " + pat}
response = requests.get(endpoint_url, headers=headers)
# open() treats the response body as a file name, which is what produces the
# "No such file or directory" error below; the JSON is already in response.text
data = json.loads(open(response.text, encoding='utf-8-sig'))
print(data)
Error :
No such file or directory: '\ufeff{"$id":"1","innerException":null,"message":"TF400813: The user 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource.","typeName":"Microsoft.TeamFoundation.Framework.Server.UnauthorizedRequestException, Microsoft.TeamFoundation.Framework.Server","typeKey":"UnauthorizedRequestException","errorCode":0,"eventId":3000}'
When I run the same URL in the browser, it works fine and returns JSON output.
Azure DevOps does not support Authorization: Bearer with personal access tokens (PAT). They must be supplied using basic authentication. The user name can be left blank but the PAT must be supplied as the password.
Switch over to basic authentication and your code should work fine.
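The answer above in working form, as an added example rather than code from the poster or the answerer: a PAT is sent as the password of an HTTP Basic credential with an empty user name, and the body is decoded with `utf-8-sig` because the error text in the question starts with `\ufeff`, a UTF-8 byte-order mark that plain `json.loads` on `response.text` would choke on. The HTTP call uses `urllib` from the standard library; the same header is what `requests` builds from `auth=("", pat)`. The URL and PAT are placeholders.

```python
import base64
import json
import urllib.request
from typing import Optional


def azdo_basic_auth_header(pat: str) -> str:
    """Azure DevOps accepts a PAT only as the Basic-auth password; the user name is
    left empty, so the credential string is ':<pat>' before base64 encoding."""
    creds = base64.b64encode(f":{pat}".encode("ascii")).decode("ascii")
    return f"Basic {creds}"


def parse_odata_body(body: bytes) -> dict:
    """Decode with utf-8-sig so a leading BOM (seen in the question's error text) is
    stripped before JSON parsing."""
    return json.loads(body.decode("utf-8-sig"))


def odata_error(payload: dict) -> Optional[str]:
    """Azure DevOps reports auth failures as a JSON object whose message starts with
    a TFxxxxxx code (TF400813 in the question); return it, or None for a normal reply."""
    msg = payload.get("message")
    return msg if isinstance(msg, str) and msg.startswith("TF") else None


def fetch_odata(url: str, pat: str) -> dict:
    req = urllib.request.Request(url, headers={
        "Authorization": azdo_basic_auth_header(pat),
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = parse_odata_body(resp.read())
    err = odata_error(payload)
    if err:
        raise PermissionError(err)
    return payload


if __name__ == "__main__":
    import os
    # Placeholders: organization/project URL from the question, PAT from the environment.
    url = ("https://analytics.dev.azure.com/<org>/<project>/_odata/v4.0-preview/"
           "WorkItems?$select=WorkItemId,WorkItemType,Title,State")
    for item in fetch_odata(url, os.environ["AZDO_PAT"]).get("value", []):
        print(item["WorkItemId"], item["Title"])
```

Keep the PAT out of source control: the question pasted a live-looking token into the script, and a PAT scoped to Analytics read is all this query needs.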

List job runs created through Azure VM managed identity in Databricks

Do we have a solution in Python to list job runs that are created using an Azure VM managed identity in Azure Databricks?
Appreciate the help!
I am getting an HTTP 403 error when using the managed identity library in Python
import requests
from azure.identity import ManagedIdentityCredential

# On an Azure VM the managed identity credential is enough; DefaultAzureCredential
# also works but tries several other credential sources first.
credential = ManagedIdentityCredential()

# Obtain an access token: the scope must be a full resource URI with /.default,
# and get_token returns an AccessToken object whose .token is the string
access_token = credential.get_token("https://management.azure.com/.default").token

headers = {'Authorization': 'Bearer ' + access_token,
           'Content-Type': 'application/json'}

# Set the URL for the Databricks REST API
databricks_url = "databricks_url"  # e.g. https://adb-<workspace-id>.<n>.azuredatabricks.net
url = databricks_url + '/api/2.0/clusters/list'

# Make the REST API call to the Databricks endpoint
response = requests.get(url, headers=headers)
print(response.json())
If the managed identity isn't added to the Databricks workspace yet, then having only an access token isn't enough: you also need to provide an additional access token for the Azure management API (the https://management.core.windows.net/ resource URL), sent as the X-Databricks-Azure-SP-Management-Token header, together with the Databricks workspace resource ID as X-Databricks-Azure-Workspace-Resource-Id.
And then you need to generate the access token for the Databricks workspace resource (2ff814a6-3304-4ab8-85cb-cd0e6f879c1d), which should be sent as the bearer token.
This specific scenario is described in detail in the official documentation.
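The three credentials the answer lists, assembled into a request against the Jobs API `runs/list` endpoint (the question asks for job runs; the script above called `clusters/list`). This is an added example, not the answerer's code and not the Databricks SDK. Tokens come from `azure-identity` (imported lazily so the module loads without it); the scope strings are the `<resource>/.default` form of the two resources the answer names and should be confirmed against the Databricks documentation; the workspace URL and resource ID are placeholders.

```python
import json
import urllib.parse
import urllib.request
from typing import Dict, Optional

# Scopes for the two tokens the answer describes (assumed AAD "<resource>/.default" form)
DATABRICKS_SCOPE = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default"
AZURE_MGMT_SCOPE = "https://management.core.windows.net/.default"


def databricks_headers(databricks_token: str, management_token: str,
                       workspace_resource_id: str) -> Dict[str, str]:
    """Bearer carries the token for the Databricks resource; the two X-Databricks-*
    headers let a principal not yet added to the workspace authenticate via ARM."""
    return {
        "Authorization": f"Bearer {databricks_token}",
        "X-Databricks-Azure-SP-Management-Token": management_token,
        "X-Databricks-Azure-Workspace-Resource-Id": workspace_resource_id,
        "Content-Type": "application/json",
    }


def runs_list_url(workspace_url: str, job_id: Optional[int] = None, limit: int = 25) -> str:
    """Jobs API 2.1: GET /api/2.1/jobs/runs/list, optionally filtered to one job."""
    params = {"limit": str(limit)}
    if job_id is not None:
        params["job_id"] = str(job_id)
    return f"{workspace_url.rstrip('/')}/api/2.1/jobs/runs/list?{urllib.parse.urlencode(params)}"


def managed_identity_tokens() -> Dict[str, str]:
    """Two tokens from the VM's system-assigned identity (needs azure-identity and IMDS)."""
    from azure.identity import ManagedIdentityCredential
    cred = ManagedIdentityCredential()
    return {
        "databricks": cred.get_token(DATABRICKS_SCOPE).token,
        "management": cred.get_token(AZURE_MGMT_SCOPE).token,
    }


def list_job_runs(workspace_url: str, workspace_resource_id: str) -> dict:
    tokens = managed_identity_tokens()
    req = urllib.request.Request(
        runs_list_url(workspace_url),
        headers=databricks_headers(tokens["databricks"], tokens["management"],
                                   workspace_resource_id),
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders (assumed): copy both from the workspace's Overview blade.
    WORKSPACE_URL = "https://adb-1234567890123456.7.azuredatabricks.net"
    WORKSPACE_RESOURCE_ID = ("/subscriptions/<sub-id>/resourceGroups/<rg>"
                             "/providers/Microsoft.Databricks/workspaces/<name>")
    for run in list_job_runs(WORKSPACE_URL, WORKSPACE_RESOURCE_ID).get("runs", []):
        print(run["run_id"], run.get("state", {}).get("life_cycle_state"))
```

Once the identity has been added to the workspace as a service principal, the bearer token alone suffices and the two extra headers can be dropped; until then every call needs all three values.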

Python: get info from API / OAuth authentication

This is my first try with an API, said API being called OPS.
I would like to get information using the API (OAuth 2) from my Python code.
The resource URL is:
http://ops.epo.org/3.2/rest-services/register/{publication}/{EPODOC}/{EP2814089}/biblio
I also received :
Consumer Key: O220VlTQqAmodifiedsf0YeqgM6c
Consumer Secret Key: swWmodified3edjORU
The documentation states that:
OPS uses the OAuth framework for Authentication and Authorization. At this point in
time, only the “Client Credentials” flow is supported using a Consumer key and
Consumer secret.
The actual steps to follow are:
Step 1: Client converts Consumer key and Consumer secret to
Base64Encode(Consumer key:Consumer secret).
This should be done programmatically using the language you are developing the client
application in. For the purposes of this example, a public website was used to perform
this conversion.
By entering the colon separated Client credentials, an encoded response is generated.
This response is then used for basic Authentication.
Step 2: Client requests an access token using Basic Authentication, supplying its
Consumer key and Consumer secret with base64Encoding over encrypted HTTPS
connection:
OPS authenticates the client credentials passed in the Authorization header using basic
authentication method.
If credentials are valid, OPS responds with a valid access token.
Step 3: Client accesses OPS resources with access token in authorization header
(bearer tokens) over encrypted HTTPS connection
I tried a few samples of code with requests but, until now, nothing worked.
The client credentials flow is described in the OAuth2 RFC 6749. The client id and secret are base64 encoded in a Basic authentication scheme as described in RFC 7617.
You should be able to get a token using Python code like:
import requests
import base64
url = 'https://ops.epo.org/3.2/auth/accesstoken'
data = {"grant_type": "client_credentials"}
creds = base64.b64encode("O220VlTQqAmodifiedsf0YeqgM6c:swWmodified3edjORU".encode())
headers = {'Authorization': 'Basic ' + creds.decode('UTF-8'), 'Content-Type': 'application/x-www-form-urlencoded'}
response = requests.post(url, headers=headers, data=data)
access_token = response.json()["access_token"]
When using the previous response I can obtain a token. (Thanks a lot for your answer)
So I tried :
myUrl = 'http://ops.epo.org/3.2/rest-services/register/publication/EPODOC/EP2814089/biblio'
header = {'PRIVATE-TOKEN': myToken}
response = requests.get(myUrl, headers=header)
print(response.text)
but I obtained a 403 error.
I finally got a specific library to do the job :
EPO OPS Library
But I still don't know how to do it on my own...
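The whole exchange from the documentation quoted above, written out as an added example (not the poster's code, the answerer's snippet, or the EPO OPS library): step 1 and 2 build the Basic credential in code and POST `grant_type=client_credentials`; step 3 sends the returned token as `Authorization: Bearer`, which is the header name the poster's `PRIVATE-TOKEN` attempt got wrong. It uses `urllib` from the standard library and `https://` throughout, as the documentation requires (the poster's resource URL was plain `http://`). The consumer key and secret are placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Dict, Tuple

TOKEN_URL = "https://ops.epo.org/3.2/auth/accesstoken"
# Same path as the poster's request, over https
BIBLIO_URL = "https://ops.epo.org/3.2/rest-services/register/publication/EPODOC/{number}/biblio"


def basic_auth_header(consumer_key: str, consumer_secret: str) -> str:
    """Step 1 (RFC 7617): Base64(key:secret), computed here rather than on a website."""
    raw = f"{consumer_key}:{consumer_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(consumer_key: str, consumer_secret: str) -> Tuple[Dict[str, str], bytes]:
    """Step 2: headers and form body of the token request."""
    headers = {
        "Authorization": basic_auth_header(consumer_key, consumer_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode("ascii")
    return headers, body


def parse_token_response(body: bytes) -> str:
    payload = json.loads(body)
    if "access_token" not in payload:
        raise RuntimeError(f"token endpoint did not return a token: {payload}")
    return payload["access_token"]


def resource_headers(access_token: str) -> Dict[str, str]:
    """Step 3 (RFC 6750): the token goes in Authorization: Bearer, not a custom header."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


def get_access_token(consumer_key: str, consumer_secret: str) -> str:
    headers, body = token_request(consumer_key, consumer_secret)
    req = urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read())


def get_biblio(access_token: str, number: str = "EP2814089") -> dict:
    req = urllib.request.Request(BIBLIO_URL.format(number=number),
                                 headers=resource_headers(access_token))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import os
    # Placeholders: the consumer key/secret from the OPS developer portal
    token = get_access_token(os.environ["OPS_KEY"], os.environ["OPS_SECRET"])
    print(json.dumps(get_biblio(token), indent=2)[:500])
```

The token response also carries `expires_in`; cache the token until then instead of requesting a new one per call, since the token endpoint is rate limited separately from the data endpoints.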

How to write a Python script to authenticate to the Azure DevOps REST API and get the access token?

How can I authenticate to the Azure DevOps REST API in a Python script?
I found that there are 2 methods:
Using a personal access token (PAT)
Using OAuth 2.0
I am using the second method. I followed the steps in this documentation:
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops
I wrote this function to authorize to Azure DevOps using OAuth 2.0:
import requests
from urllib.parse import urlencode, quote

def get_authenticated():
    client_id = "< my client ID as a string >"
    state = "user1"
    scope = "vso.graph_manage vso.identity_manage vso.profile_write vso.project_manage vso.tokenadministration vso.tokens"
    callback_URL = "< Callback URL to my azure devops account >"
    # Azure DevOps Services authorization endpoint
    # (urlencode handles the %20 between scopes and escapes the callback URL)
    Auth_URL = "https://app.vssps.visualstudio.com/oauth2/authorize?" + urlencode({
        "client_id": client_id,
        "response_type": "Assertion",
        "state": state,
        "scope": scope,
        "redirect_uri": callback_URL,
    }, quote_via=quote)
    headers = {'Accept': 'application/json;api-version=1.0'}
    print(Auth_URL)
    response = requests.get(Auth_URL, headers=headers)
    print(response)
    print(response.status_code)
    print(response.headers['content-type'])
    response.raise_for_status()
But when calling this function, the output I am getting is:
<Response [203]>
203
text/html; charset=utf-8
The auth URL is correct because when I tried to access the same URL in a browser it successfully redirected to a form to enter Azure user credentials.
The expected behavior of the script is that when the auth_url is requested, Azure DevOps Services should ask the user to authorize. I think that should be done by prompting for username & password in the terminal or via a browser.
I am totally new to Python scripting and REST APIs.
Can someone help me by pointing out the faults in my code or pointing to some samples?
The HTTP status 203 indicates that the returned meta-information is not a definitive set of the object from a server with a copy of the object, but is from a private overlaid web. In your code you added headers = {'Accept': 'application/json;api-version=1.0'}, but in fact the content type should be application/x-www-form-urlencoded.
You can use an OAuth2 library for Python to authenticate to the Azure DevOps REST API, such as OAuthLib. It includes several samples.
Also, you can refer to the following topic; hope it is helpful for you.
Tutorial for using requests_oauth2
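The part of the flow the question's script skips, as an added example that is neither the poster's script nor Microsoft's sample: the authorize URL is for a browser (fetching it with `requests.get` only downloads the sign-in page, which is the 203 + `text/html` the question shows); the user signs in, Azure DevOps redirects to the registered callback with `?code=...&state=...`, and the script exchanges that code at the token endpoint with the app secret as a JWT-bearer client assertion. The endpoint and parameter names follow the Microsoft document linked in the question; client id, app secret and callback are placeholders. The `state` value is random and verified on the callback, which a fixed string like "user1" cannot provide.

```python
import secrets
import urllib.parse
from typing import Dict, List, Tuple

AUTHORIZE_URL = "https://app.vssps.visualstudio.com/oauth2/authorize"
TOKEN_URL = "https://app.vssps.visualstudio.com/oauth2/token"


def new_state() -> str:
    """Unguessable per-request state, so a forged callback cannot be replayed."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, scopes: List[str], redirect_uri: str, state: str) -> str:
    query = urllib.parse.urlencode({
        "client_id": client_id,
        "response_type": "Assertion",
        "state": state,
        "scope": " ".join(scopes),   # encoded as %20, as in the documented URL
        "redirect_uri": redirect_uri,
    }, quote_via=urllib.parse.quote)
    return f"{AUTHORIZE_URL}?{query}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract ?code= from the redirect back to redirect_uri, refusing a state mismatch."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or a stale sign-in")
    if "code" not in qs:
        raise ValueError(f"callback carried no code: {qs}")
    return qs["code"][0]


def token_exchange_request(app_secret: str, code: str, redirect_uri: str) -> Tuple[Dict[str, str], bytes]:
    """Form body for POST /oauth2/token: the app secret is the client assertion and the
    callback code is the assertion being exchanged."""
    body = urllib.parse.urlencode({
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": app_secret,
        "grant_type": "urn:ietf:params:oauth:grant_type:jwt-bearer",
        "assertion": code,
        "redirect_uri": redirect_uri,
    }).encode("ascii")
    return {"Content-Type": "application/x-www-form-urlencoded"}, body


if __name__ == "__main__":
    import json
    import urllib.request
    import webbrowser

    CLIENT_ID = "<app id>"            # placeholders from the app registration
    APP_SECRET = "<app secret>"
    REDIRECT_URI = "https://localhost/callback"   # must match the registered callback
    state = new_state()
    webbrowser.open(build_authorize_url(CLIENT_ID, ["vso.project_manage"], REDIRECT_URI, state))
    code = parse_callback(input("Paste the full callback URL: ").strip(), state)
    headers, body = token_exchange_request(APP_SECRET, code, REDIRECT_URI)
    req = urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        print(json.load(resp)["access_token"])
```

For an unattended script there is no user to sign in, so this flow is the wrong tool; a PAT (sent as the Basic-auth password) or a service principal is what a non-interactive job should use.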

Web application authentication with refresh token is redirecting back to Google login page

We have our Jenkins authentication set up using Google OAuth via OpenID Connect in Apache (reference: https://cloudavail.com/2014/06/07/apache-auth-oidc-google-apps-2/).
In order to automate some of the Jenkins jobs, we have to authenticate first.
I got the access token and refresh token using client-secrets.json in a Python script, during which authentication to Google Mail is already done.
I am using the following script to auto-refresh the token using the refresh token and then use the new token to list all of the jobs or projects in Jenkins.
Why is it redirecting me to Google login when I have already authorized with Gmail during the authorize step while fetching the access token? It would be a great help if anyone can help me resolve this.
The script follows (token.json and extra.json contain the token and client details):
#!/usr/bin/env python3
import json
from requests_oauthlib import OAuth2Session

protected_url = '<jenkins_url>/api/json?pretty=true'
refresh_url = 'https://accounts.google.com/o/oauth2/token'

# Start here
TOKEN_FILE = 'token.json'
EXTRA_FILE = 'extra.json'
with open(TOKEN_FILE, 'r') as f:
    token = json.load(f)
with open(EXTRA_FILE, 'r') as f:
    extra = json.load(f)   # client_id and client_secret, passed to the refresh call
client_id = extra['client_id']

def token_saver(token_temp):
    # Persist the refreshed token; assigning to a local "token" (as the original
    # did) silently discards it and the next run reuses the stale one.
    global token
    token = token_temp
    with open(TOKEN_FILE, 'w') as f:
        json.dump(token, f)

client = OAuth2Session(client_id, token=token, auto_refresh_url=refresh_url,
                       auto_refresh_kwargs=extra, token_updater=token_saver)
token = client.refresh_token(refresh_url, **extra)
token_saver(token)
client = OAuth2Session(client_id, token=token)
r = client.get(protected_url)
print(r.content)
token.json contents
{
"access_token": "{access_token}",
"refresh_token": "{Refresh_token}",
"id_token": "{id_token}",
"token_type": "Bearer",
"expires_in": "5"
}
extra.json contents
{
"client_id":"{client_id}",
"client_secret":"{client_secret}"
}
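The refresh step of the script above done explicitly, as an added example that is not the poster's code: the refresh-token grant against the same Google token endpoint with `urllib` from the standard library, plus two things the script leaves implicit, deciding whether the stored token is still valid before refreshing (the question's `token.json` stores `expires_in` as the string `"5"`, a relative value that is meaningless once the file is reread) and writing the refreshed token back to `token.json` so the next run does not start from a stale one. The Jenkins URL stays a placeholder.

```python
import json
import os
import time
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

REFRESH_URL = "https://accounts.google.com/o/oauth2/token"


def needs_refresh(token: dict, now: float, skew: int = 60) -> bool:
    """True when the access token has expired or will within `skew` seconds.
    Only an absolute expires_at (recorded on save) can answer this; a token file
    with just a relative expires_in is refreshed to be safe."""
    if "expires_at" in token:
        return float(token["expires_at"]) - skew <= now
    return True


def refresh_request(refresh_token: str, client_id: str, client_secret: str) -> Tuple[Dict[str, str], bytes]:
    """Form body of the refresh_token grant (RFC 6749 section 6)."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    return {"Content-Type": "application/x-www-form-urlencoded"}, body


def merge_refreshed(old: dict, new: dict, now: float) -> dict:
    """A refresh response normally omits refresh_token: keep the old one, take the new
    access token, and record an absolute expiry for needs_refresh()."""
    merged = dict(old)
    merged.update(new)
    merged["expires_at"] = now + int(new.get("expires_in", old.get("expires_in", 0)))
    return merged


def save_token(path: str, token: dict) -> None:
    """Write via a temp file and rename so a crash cannot leave a truncated token.json;
    mode 0600 because the file holds a long-lived refresh token."""
    tmp = f"{path}.tmp"
    with open(tmp, "w") as f:
        json.dump(token, f)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def refresh(token: dict, extra: dict, now: Optional[float] = None) -> dict:
    now = time.time() if now is None else now
    headers, body = refresh_request(token["refresh_token"], extra["client_id"], extra["client_secret"])
    req = urllib.request.Request(REFRESH_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return merge_refreshed(token, json.load(resp), now)


if __name__ == "__main__":
    with open("token.json") as f:
        token = json.load(f)
    with open("extra.json") as f:
        extra = json.load(f)
    if needs_refresh(token, time.time()):
        token = refresh(token, extra)
        save_token("token.json", token)
    req = urllib.request.Request("<jenkins_url>/api/json?pretty=true",
                                 headers={"Authorization": f"Bearer {token['access_token']}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        print(resp.read()[:500])
```

Whether Jenkins accepts the bearer token at all depends on how the Apache OIDC module in front of it is configured; if it only recognises its own session cookie, a fresh Google access token will still land on the login page, and the fix is on the Apache side rather than in the token handling.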
