As I am on my way to switch from using the legacy header authentication method to the JWT Token method, I have used the following example found here.
However, I get the following error :
Error calling Login: {
"errorCode": "PARTNER_AUTHENTICATION_FAILED",
"message": "The specified Integrator Key was not found or is disabled. An Integrator key was not specified."
}
Below is my C# code.
string oauthBasePath = "account-d.docusign.com";
string privateKeyFilename = "./private.pem";
int expiresInHours = 1;
ApiClient apiClient = new ApiClient(docuSignUrl);
apiClient.ConfigureJwtAuthorizationFlow(
"IntegratorKey",
"USER ID GUID",
oauthBasePath,
privateKeyFilename,
expiresInHours);
AuthenticationApi authApi = new AuthenticationApi(apiClient.Configuration);
return authApi.Login();
I have found this thread that shows the similar error but it doesn't seem resolved
Update 05/07/2018: I have validated the domain used in my account but I still get the same error message
Update 05/11/2018: When I use my code but that I replace the IntegratorKey, UserID and private key used in the DocuSign Unit Tests here, my code now works !? Hence, I can only conclude that the issue doesn't come from my code but maybe a configuration issue on the DocuSign side ? do I need to configure my Integrator Key a specific way ?
After more investigation, the reason with such an error is that I was not generating the Authorization Code Grant prior to executing my code.
Based on the information found here, I had to perform the following HTTPRequest example :
GET /oauth/auth?
response_type=token
&scope=signature
&client_id=YOUR_INTERGRATOR_KEY
&state=a39fh23hnf23
&redirect_uri=http://www.example.com/callback
Once it is approved, then I can run my code successfully.
In the end, the initial error message is really misleading (I might argue it could be considered a bug ?).
Related
I'm trying to use the Azure REST api to create role assignments, but it's giving an error:
Exception: {"error":{"code":"PrincipalNotFound","message":"Principal 83ad8925d1714aa380a8555cec2d400c does not exist in the directory ####-####-####"}}
var url = $"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/roleAssignments/{Guid.NewGuid()}?api-version=2015-07-01";
object payload = new
{
properties = new
{
roleDefinitionId = role.id,
principalId
}
};
await PutAsync<object>(url, payload);
Switching the API version to 2018-09-01-preview does not prevent the issue from occurring.
Related links
https://stackoverflow.com/a/60517687/11141271
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-rest
https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=csharp
Seems to be an issue caused by replication delay on Microsoft's side.
Attempting to create the role assignment right after creating the security group principal can sometimes result in this error.
I resolved this by just putting my API call in a try-catch with 20 retries with a 20 second delay between each attempt. Eventually it just succeeds.
Note that the error message provided by the API doesn't contain the hyphens/dashes in the GUID, this does NOT mean you passed a bad GUID, the error message is just misleading.
I had reproduced a library to verify firebase token base on this respo. My app uses the azure function like a backend, so after the user logged in, every action will send to the azure function with the token, and the azure function will validate that token then respond to the results. The library takes the public key from here. I had created an azure function to test this library. My request:
var client = new RestClient("http://localhost:7071/api/test-connection");
client.Timeout = -1;
var request = new RestRequest(Method.GET);
request.AddHeader("x-requested-with", "XMLHttpRequest");
request.AddHeader("Authorization", "Bearer <My Firebase Token>");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
I encountered an exception
IDX10516: Signature validation failed. Unable to match key:
kid: 'System.String'.
Exceptions caught:
'System.Text.StringBuilder'.
token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'. Valid Lifetime: 'System.Boolean'. Valid Issuer: 'System.Boolean'
I had spent over 2 days researching the reasons and solutions. A week before my code worked well. Is the problem caused by the public keys I got from google?
I was getting the same error, and was having a really hard time debugging it.
Based on this answer, I added the following code to my Startup.cs:
if (env.IsDevelopment())
{
IdentityModelEventSource.ShowPII = true;
}
Once I made this change and reproduced the error, I was able to see the actual value for kid (instead of kid: 'System.String' in my error message, I saw kid: 'ABCDEF' - not the real value, but hopefully you get the idea).
Next, I compared that value to the kid values listed here - and sure enough, that value was not present, hence the "unable to match key" error.
In my case, it turns out that I was not obtaining the token from Firebase correctly. I was making a request to https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword, but from the documentation I found this:
returnSecureToken boolean - Should always be true.
I was not setting this property in my request. After using a token obtained when setting this property correctly, I stopped getting the "IDX10516: Signature validation failed. Unable to match key" error in my C# code.
I am currently trying to handle the exception, when a subscription request can't be validated in time, using the Graph SDK. Unfortunately i am not really sure how to achieve this. The exception thrown when a subscription isn't validated in time is:
Microsoft.Graph.ServiceException: Code: InvalidRequest
Message: Subscription validation request failed. Must respond with 200 OK to
this request.
The HttpStatusCode in the ServiceException is "BadRequest" but just this isn't enough to distinguish the error from other common errors since i want to handle them differently. The ServiceException also contains an Error property with a string property called "Code", which contains "InvalidRequest" in my case. The GraphErrorCode enum in the Graph SDK contained this code so i used it with the "IsMatch" method in the ServiceException:
catch (ServiceException serviceException)
{
var invRequest = GraphErrorCode.InvalidRequest.ToString();
if(serviceException.StatusCode == HttpStatusCode.BadRequest)
{
if (serviceException.IsMatch(invRequest))
{
// do something
}
}
}
"InvalidRequest" is defined in the graph documentation as:
The request is malformed or incorrect.
Considering this i still think my ErrorHandling isn't enough to just catch this specific error.
What i want to know is:
Is using the "GraphErrorCode" enum even correct.
Is there a way to handle this specific error without just comparing the exception message ("Subscription validation request failed. Must respond with 200 OK to this request") with a hard coded string.
You're referencing an outdated library (by over 2 years). The correct SDK for this is the Microsoft Graph .NET Client Library. It includes an far more recent error code enumeration.
As for processing the error, the code is typically enough for handling exceptions. The message content is useful for debugging since it often includes more granular information (what exactly failed, which properties were invalid, etc.). My general rule of thumb is to use the code for handling errors but log both code and message properties for debugging.
The import piece to understand is that different endpoints may surface the same error code for different reasons. A BadRequest may mean something different when issuing a GET against a user resource than it does when issuing a POST to /events. Your handler should take into account both the action and the error.
Here is an example error returned when sending an invalid request (/v1.0/me/a):
{
"error": {
"code": "BadRequest",
"message": "Unsupported segment type. ODataQuery: users/48d31887-5fad-4d73-a9f5-3c356e68a038/a",
"innerError": {
"request-id": "fd4c8b27-26af-4b07-a5be-5efb139d1eb7",
"date": "2018-05-22T14:39:02"
}
}
}
If all I handled was the BadRequest, my handler would likely sufficient. I can handle the error and keep the user moving forward. In my log however I store both BadRequest and Unsupported segment type. ODataQuery: users/48d31887-5fad-4d73-a9f5-3c356e68a038/a so that I can properly file a bug in the code.
Another option might be to do some additional parsing. Lets say that /a doesn't always return an error. Maybe /a works fine for AAD accounts but not for MSA users (FTR, /a is entirely fictitious). If this were the case, I might also want to parse the message and see if the BadRequest included "Unsupported segment type" and handle it a bit differently than a BadRequest that didn't include that message.
I have already tried with free trial keys associated with two different email addresses and a "Pay as you go" billing. They all returned this same message:
Access denied due to invalid subscription key. Make sure you are subscribed to an API you are trying to call and provide the right key.
I am using this FACE API getting started tutorial
private readonly IFaceServiceClient faceServiceClient = new FaceServiceClient("39a8b...0fd1");
var faces = await faceServiceClient.DetectAsync(imageFileStream);
I have an endpoint defined in the Portal "eastus2.api.cognitive.microsoft.com/face/v1.0"; but I don't know how to associated this endpoint with my service calls. What am I missing, please?
If you got the endpoint, you could put it in the constructor of FaceServiceClient. Code below is for your reference.
private readonly IFaceServiceClient faceServiceClient =
new FaceServiceClient("your_key", "https://eastus2.api.cognitive.microsoft.com/face/v1.0");
I have changed the URL to "https://westcentralus.api.cognitive.microsoft.com/face/v1.0" and it works
It seems that the KEYs are not replicated to all locations
I have the following error when using DropNet library to make connection to DropBox.
Trying to implement it for my CMS and also for my knowledge :)
trying the current documentation of DropNet.
Source:https://github.com/DropNet/DropNet
Current code:
var _client = new DropNetClient(Core.DropBoxAPI, Core.DropBoxKeySecret);
UserLogin login = _client.GetToken();
_client.UserLogin = login;
String Url = _client.BuildAuthorizeUrl();
Produces:
Received Response [Unauthorized] : Expected to see [OK]. The HTTP
response was [{"error": "Unauthorized"}].
Exception: DropNet.Exceptions.DropboxRestException: Received Response
[Unauthorized] : Expected to see [OK]. The HTTP response was
[{"error": "Unauthorized"}].
I want to let the user connect to the Url returned by _client.BuildAuthorizeUrl(); but it even won't let me get to url
and i also have a Key and Secret generated from DropBox.com
if i try to set the method _client.BuildAuthorizeUrl(); as first statement it gives also an error on the DropBox page itselfs.
I tried to find an another post on Stackoverflow but i didn't find any solution so fare.
Its still using the basics of the documentation and it goes wrong.
If you have any ideas that would be nice.
Thanks for the advices.
I was filling the secret the same as the APP key.