This question is related to the problem described in this question. During OAuth 2.0 authorization code with PKCE grant, Azure AD requires Origin header to be present on the request to /token endpoint. If header is not present, authorization flow fails with the following error:
Error: AADSTS9002327: Tokens issued for the 'Single-Page Application'
client-type may only be redeemed via cross-origin requests
Unfortunately, Postman is not adding this header to the flow, hence the request for a token fails.
Is there a way to add a custom header into the requests that are executed behind "Get new access token" flow? I have tried adding headers to the request that the token is attached to, as well as "pre-request script". Neither of these methods helped.
Attaching a screenshot for reference
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD SPA Application:
To generate the access token, I used Authorization-Code flow + PKCE like below:
To generate the auth_code, try using the below link:
GET https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize?
response_type=code
&client_id=Client_ID
&scope=Your_scope
&redirect_uri=Your_Redirect_URI
&code_challenge=Your_code_challenge
&code_challenge_method=S256
The auth_code will be generated after sign-in like below:
Now, by using the below parameters, when I tried to generate the token got the same error as below:
grant_type=authorization_code
redirect_uri=YourRedirectURI
client_id=****
code_verifier=S256
scope=YourScope
code= auth_code
To resolve the error, make sure to add the header in the Header tab like below:
origin = yourredirecturi
After adding the header, I am able to generate the token successfully like below:
Related
I'm trying to implement the authorization code model using the Google Identity Services SDK, as described in Use Code Model. I would like to use the popup mode.
I managed to initialize the code client and receive an auth code with this Javascript code:
tokenClient = google.accounts.oauth2.initCodeClient({
client_id: CLIENT_ID,
scope: SCOPES,
callback: '', // defined later
ux_mode: 'popup',
})
...
tokenClient.requestCode({prompt: 'consent'});
When I receive the auth code in my callback, I relay it to an endpoint on my platform, as described in Step 5: Exchange authorization code for refresh and access tokens and I try to exchange the auth code for a refresh and access token in Python:
flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
'client_secret.json',
scopes=scopes,
state=state
redirect_uri=redirect_uri
)
flow.fetch_token(code=code)
The problem is that I use this code with an empty redirect_uri, I get an error "missing redirect_uri parameter". If I specify a redirect URL defined in Google Cloud Console, I get an error "redirect_uri mismatch". And if I try to use the same redirect_uri as the one sent in the initial popup request (Google seems to use storagerelay://... in this case), I get an error that "it doesn't comply with Google Oauth2 policy".
It appears that in any authorization flow when you get an authorization code on the client side and then pass that to your server for token exchange you have to use the string literal "postmessage" as your setting for redirect_uri.
flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
'client_secret.json',
scopes=scopes,
state=state
redirect_uri="postmessage"
)
flow.fetch_token(code=code)
This very important fact seems to be curiously absent from the documentation from most of the google client libraries, but it works for me. Hope this helps!
I am trying to Authorize via OAuth with Trello and I can't seem to get it right, even in postman.
I have followed their API docs and have got myself a developer key and I have used a little link they have in this article to get a valid auth token.
I tried including the API key and Auth token in the header and (in a separate test) in the body, as per their documentation.
Everything I try results in "unauthorized permission requested".
What am I doing wrong?
Ok so I had obviously made a mistake when trying the Header route.
It works now if I provide a header key called Authorization and the API key and Auth Token in the following format OAuth oauth_consumer_key="{{apiKey}}", oauth_token="{{apiToken}}".
I have a hobby project in mind to use battle.net login. I'm wondering how I can obtain the access token from the API after receiving the authorization code.
This is Oauth flow question rather than a battle.net question.
Currently I can successfully authorize the user for my app which is registered in dev.battle.net and then I try to use the authorization code returned from the battle.net login to obtain the access token by sending a request to https://<region>.battle.net/oauth/token.
However I keep receiving this error:
{
"error": "unauthorized",
"error_description": "An Authentication object was not found in the SecurityContext"
}
I use postman extension to send post requests to that uri. I authenticate my request with my client id and secret. I pass redirect_uri (https://localhost), granty_type (authorization_code), code(the code returned from the previous authorization step). However I keep getting the error above.
I couldn't find much about battle.net online. There are other oauth related help articles but couldn't really find my way.
Wondering if you can help me with this easy stuff. I'm just wondering what I'm skipping here.
Here is the documentation:
https://dev.battle.net/docs/read/oauth
https://localhost is added in my mashery dev account's app settings.
Me again, I resolved this problem after trying almost every combination in the universe:)
Steps to apply:
Don't use the same authorization token for different access token trials, they are not valid
Always use https on every domain you test including localhost, you
redirect_uri must be https as well.
You must use the "basic authentication" in the header of your POST request while requesting the token from the authorization code you obtained from the previous step.
This is one of the most important ones: For requesting token, Pass redirect_uri, client key and secret as POST form parameters to the authenticated request. This is interesting because it's already an authenticated request; why would i need to pass my secret again? Anyways, that's how it works.
Here are the full text:
http://hakanu.net/oauth/2017/01/26/complete-guide-of-battle-net-oauth-api-and-login-button/
This is working prototype:
https://owmatch.me
Thanks.
I want users to request Uber rides from my app.
https://developer.uber.com/docs/rides/authentication
Under OAuth 2.0 section at the above url, there are 6 steps :
1. Authorize (done)
2. Receive Redirect (done)
3. Get an Access Token ('invalid_grant' error)
The following screenshot is from Postman.
I tried passing client_id, client_secret, grant_type, redirect_uri and code as params, form-data and x-www-form-url-encoded. But everytime it returns the same error.
I have put 'http://localhost:3000/auth/uber/callback' as redirect url in my Uber App dashboard.
I have even tried the following curl command in the terminal,but it returns the same 'invalid_grant' error
Can someone help me with this issue.
Your postman request looks correct to me. My best guesses at whats going on:
1) You have multiple redirects set up, and you're using one redirect url when you do the authorization phase and a different one when you try and do token exchange
2) You're doing authorization for one client_id, and trying to do token exchange for another
3) You're authorization code has already been used / expired. Keep in mind its only good for one request.
Could you try the following and tell me what happens:
1) Do the authorization flow and pay special attention that the client id and redirect uri you put in your authorization URL are correct
2) After your browser redirects, copy the authorization code out of the redirect URL
3) Put the authorization code into the postman request / curl statement and make sure that the client id / redirect URI is correct when you do it.
Status Code: 401 Unauthorized
{
"error": "invalid_grant"
}
You are using an invalid refresh_token. You can generate multiple
access tokens, but you can only use the latest generated
refresh_token.
You supplied an invalid code when exchanging an authorization code
for an access_token.
I want to use OAuth2 authentication in my application for calling Eloqua APIs using access token.
I'm following instructions given in the link http://docs.oracle.com/cloud/latest/marketingcs_gs/OMCAB/Developers/GettingStarted/Authentication/authenticate-using-oau… and using Resource Owner Password Credentials grant flow for getting access token.
POST https://login.eloqua.com/auth/oauth2/token
Authorization: Basic Q09NUEFOWVhcdXNlcjE6cGFzc3dvcmQxMjM=
{
"grant_type":"password",
"scope":"full",
"username":"testsite\\testuser",
"password":"user123"
}
But I'm getting exception "java.net.ConnectException: Connection timed out: connect" while calling get token endpoint https://login.eloqua.com/auth/oauth2/token from java code.
I tried the endpoint using browser but getting similar error. Also tried accessing the endpoint using REST client but again same connection error.
I'm unable to understand that why the endpoint is giving connection timeout exception. I also tried increasing timeout but same error.
Please guide me as I'm stuck.
Is there any other endpoint for getting Eloqua access token?
Below is a POSTMAN Screenshot in case it helps.
Also written out in case someday that screenshot isn't there. Don't use built in Auth in POSTMAN since you need to base64 encode the clientid:clientsecret with the : in the middle. These values are provided when you created an App in Eloqua.
Be sure to include the content type as application/json and the Authorization. Use a double backslash in the Json for the username in between the site and username (clientsite\\username).
JSON body should look like this:
{"grant_type":"password","username":"clientsite\\username","password":"password"}
Make sure you are doing a POST to login.eloqua.com/auth/oauth2/token
From the docs:
POST https://login.eloqua.com/auth/oauth2/token
Authorization: Basic Q09NUEFOWVhcdXNlcjE6cGFzc3dvcmQxMjM=
{
"grant_type":"authorization_code",
"code":"SplxlOBeZQQYbYS6WxSbIA",
"redirect_uri":"https://client.example.com/cb"
}
From your request, it looks like you are missing the redirect_uri and the code.
Try using the body contract from the docs: http://docs.oracle.com/cloud/latest/marketingcs_gs/OMCAB/index.html#Developers/GettingStarted/Authentication/authenticate-using-oauth.htm