Keyclock is not returning the refresh_token - token

How do i get the refresh token ? I only get this response:
{
"state": "XXX",
"session_state": "XXX",
"id_token": "XXX",
"access_token": "XXX",
"token_type": "Bearer",
"expires_in": "86400"
}
https://URL/auth/realms/XXX/protocol/openid-connect/auth?client_id=XXX&redirect_uri=XXX&nonce=fe6c4327-ad30-4fd0-bd50-2e42d1537cd3&state=fe6c4327-ad30-4fd0-bd50-2e42d1537cd3&response_type=id_token+token&response_mode=fragment&scope=openid&login_hint=XXX
Does someone know what we have to do ? I am getting the URL from the backend. How do i get the refresh token out of it? Thanks in advance

you are only asking for the openid scope, you need to also ask for the offline_access scope, to get the refresh token.

Related

How to use Firebase authentication token to list user blogs using js

I'm trying to retrieve authenticated user blogs (granted scope):
var token = await firebase.auth().currentUser.getIdToken();
fetch('https://www.googleapis.com/blogger/v3/users/self/blogs', {
"headers": {
"Authorization": "Bearer " + token
},
"method" : "GET",
"muteHttpExceptions": true
}).then( r => console.log(r) );
but i get error:
{
"error": {
"code": 401,
"message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"errors": [
{
"message": "Invalid Credentials",
"domain": "global",
"reason": "authError",
"location": "Authorization",
"locationType": "header"
}
],
"status": "UNAUTHENTICATED"
}
}
Could you tell me please what I'm missing to achieve this without using back end ?
A Firebase Authentication ID token is a JWT. Blogger expects an OAuth 2 token, which the Firebase Authentication token isn't.
While it is possible within Firebase to create an ID Token based on an OAuth token, the reverse isn't possible. You will have to sign in the user with an OAuth 2 provider instead, and pass that token to blogger.

Loopback Error 401 (Unauthorized) while accessing APIs

I am facing an issue in loopback, 401 (Unauthorized). Initially all APIs are working perfectly.
Now I set ACL for some of the models. After that I got an error 401 (Unauthorized) while accessing APIs
Sample Code
Eg: One of my model.json file
"acls": [
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$unauthenticated",
"permission": "DENY"
}
I got the accesstoken after login. I think the access token is not getting in in my API headers.
you can also define ACS level. you DENY for all unauthorized user but also set permission for authorized user like.
"acls": [
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "admin",
"permission": "ALLOW"
},
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$unauthenticated",
"permission": "ALLOW"
}
]
principalId is define in my ROLE collection if you did't define any princepalId you can also use this.
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$authenticated",
"permission": "ALLOW"
}

Microsoft Graph API keeps returning 401 Unauthorized

Please do not report as duplicate because all other topics have not solved my issue, thanks.
I'm using Microsoft Graph API to list and create calendar events, however, I can't seem to make the findMeetingTimes endpoint work.
This is my authorization URL:
https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
?client_id=xxxxx
&response_type=code
&redirect_uri=xxxxx
&response_mode=form_post
&scope=openid profile User.ReadWrite User.ReadBasic.All Sites.ReadWrite.All Contacts.ReadWrite People.Read Notes.ReadWrite.All Tasks.ReadWrite Mail.ReadWrite Files.ReadWrite.All Calendars.ReadWrite
&state=12345
Then I request an access token using the same scopes:
$request = json_decode($guzzle->post('https://login.microsoftonline.com/common/oauth2/v2.0/token', [
'headers' => ['Content-Type' => 'application/x-www-form-urlencoded'],
'form_params' => [
'client_id' => 'xxxxx',
'scope' => 'openid profile User.ReadWrite User.ReadBasic.All Sites.ReadWrite.All Contacts.ReadWrite People.Read Notes.ReadWrite.All Tasks.ReadWrite Mail.ReadWrite Files.ReadWrite.All Calendars.ReadWrite',
'code' => $auth_code,
'grant_type' => 'authorization_code',
'redirect_uri' => 'xxxxx',
'client_secret' => 'xxxxx'
],
])->getBody()->getContents());
After that I'm trying the findMeetingTimes endpoint using:
$request = json_decode($guzzle->post('https://graph.microsoft.com/v1.0/me/findMeetingTimes', [
'headers' => [
'Authorization' => 'Bearer ' . $accessToken,
'Content-Type' => 'application/json',
],
'body' => '{
"attendees": [
{
"type": "required",
"emailAddress": {
"name": "My Name",
"address": "myemail#hotmail.com"
}
}
],
"timeConstraint": {
"activityDomain":"work",
"timeslots": [
{
"start": {
"dateTime": "2019-04-02T09:00:00",
"timeZone": "Pacific Standard Time"
},
"end": {
"dateTime": "2019-04-03T17:00:00",
"timeZone": "Pacific Standard Time"
}
}
]
}
}',
])->getBody()->getContents());
However, it keeps returning:
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
Does anyone know what I'm missing? Note that I'm not using a Microsoft work/school account, just my regular one. (Does it matter?)
Its not possible to call this endpoint with personal accounts, this is metioned very cleary in the documentation

Creating a new user from Twitter using auth0 get nil email

I am using auth0 for my rails application,I tried to sign in with social connection using auth0, this works fine with google and facebook but when I tried with twitter I am getting blank email for user and not able to sign in with the user having blank email.
Here is the response which I am getting
{
"name": "XXXX",
"picture": "XXXX",
"lang": "en",
"screen_name": "XXXX",
"clientID": "XXXXXX",
"user_id": "XXXXX",
"nickname": "XXXX",
"identities": [
{
"access_token": "XXXX",
"access_token_secret": "XXXX",
"provider": "twitter",
"user_id": XXXX,
"connection": "twitter",
"isSocial": true
}
],
"created_at": "2015-04-07T06:00:51.515Z"
}
How do I get user email for twitter using auth0
Not possible. Twitter API doesn't give email address of the user.
Is there a way to get an user's email ID after verifying his/her Twitter identity using OAuth?

Google ruby api client error with youtube upload

I'm trying to set up a service that helps manage a user's youtube account, including scheduled video uploads even when the user is not logged in. I'm having some weird issues with authentication, and I can't seem to find a way to fix it.
My omniauth initializer:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET'],
{
name: 'google',
scope: 'http://gdata.youtube.com, email, profile, plus.me, youtube, youtube.upload',
prompt: 'consent',
access_type: 'offline',
image_aspect_ratio: 'square
}
end
The brunt of my code for authorization:
YOUTUBE_SCOPE = 'https://www.googleapis.com/auth/youtube https://www.googleapis.com/auth/youtube.upload'
account = User.find(1234)
client = Google::APIClient.new(application_name: 'YouTube Delivery',
application_version: '1.0.0')
api = client.discovered_api('youtube', 'v3')
client.authorization.client_id = ENV['GOOGLE_CLIENT_ID']
client.authorization.client_secret = ENV['GOOGLE_CLIENT_SECRET']
client.authorization.grant_type = 'refresh_token'
client.authorization.refresh_token = account.refresh_token
client.authorization.scope = YOUTUBE_SCOPE
client.authorization.fetch_access_token! if client.authorization.expired?
All of this code appears to work. A user can sign in, and I've verified that the proper permissions are being asked for. A user is also prompted to give offline consent. I get back a refresh token, and I am able to get new access tokens with the refresh token when the current token is expired. No problems there.
The problems come in when I try to upload a video to youtube when the user is not present:
video = Video.find(1234)
request_body = {
snippet: {
title: video.title,
description: video.youtube_description,
tags: video.tags
},
status: { privacyStatus: 'private' }
}
response = client.execute!(
api_method: api.videos.insert,
body_object: request_body,
media: Google::APIClient::UploadIO.new(video.local_path, 'video/*'),
parameters: {
uploadType: 'resumable',
part: 'snippet,status'
},
authorization: client.authorization
)
This is where google throws back Google::APIClient::AuthorizationError: Unauthorized
Per the google docs, I can test the access token I have by running:
curl https://www.googleapis.com/youtube/v3/channels?part=id&mine=true&access_token=ACCESS_TOKEN
For me, this returns:
{ "error": {
"errors": [
{
"domain": "usageLimits",
"reason": "dailyLimitExceededUnreg",
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.",
"extendedHelp": "https://code.google.com/apis/console"
}
],
"code": 403,
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup."
}}
I've made sure I've added the following apis to my project in the google api console: contacts, google+, youtube data, youtube analytics. I've also checked that all of my environment variables are properly set.
Not really sure where to go from here. Any guidance would be greatly appreciated!
My rails version: 4.1.6

Resources