I'm trying to follow the authentication flow for OAuth 2.0 PKCE as explained on the Twitter documentation, but I'm stuck in the last step.
I managed to get an authorization code from the callback URL, but I have no idea how to exchange it for an access token.
What URL am I supposed to query for this? How should the request look like?
Related
Implementation-
Enable OAuth2.0 flow between LinkedIn & Forgerock AM where FR AM acts as a client and LinkedIn is the OAuth provider.
Problem-
We are integrating "LinkedIn Sign" into one of our apps using OAuth2.0 with Forgerock AM as a client. Right now, Forgerock, which is acting as a client, passes PKCE parameters in the authorization request endpoint to LinkedIn (code challenge & code challenge method) and we receive the authorization code along with the state parameter. But subsequent request to retrieve access token fails with PKCE error.
Key info from the logs-
"ERROR: Exception in processing the tree
org.forgerock.openam.auth.node.api.NodeProcessException: Unable to get UserInfo details from provider
at org.forgerock.openam.auth.nodes.oauth.AbstractSocialAuthLoginNode.getUserInfo(AbstractSocialAuthLoginNode.java:338)
Caused by: org.forgerock.oauth.OAuthException: Unable to process request. {"error":"access_denied","error_description":"Not enough permissions to access Native PKCE protocol"}
at org.forgerock.oauth.clients.oauth2.OAuth2Client.lambda$mapToJsonValue$0(OAuth2Client.java:126)
at org.forgerock.util.CloseSilentlyFunction.apply(CloseSilentlyFunction.java:53)
at org.forgerock.util.CloseSilentlyFunction.apply(CloseSilentlyFunction.java:29)
at org.forgerock.util.promise.PromiseImpl.lambda$then$6(PromiseImpl.java:374)
at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:536)
at org.forgerock.util.promise.PromiseImpl.setState(PromiseImpl.java:577)
at org.forgerock.util.promise.PromiseImpl.tryHandleResult(PromiseImpl.java:258)
at org.forgerock.util.promise.PromiseImpl.handleResult(PromiseImpl.java:208)
at org.forgerock.util.promise.PromiseImpl.lambda$then$6(PromiseImpl.java:374)"
LinkedIn API reference & OAuth2.0 -
https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin/consumer/context
P.S. Forgerock AM when integrated with Google using OAuth2.0 [PKCE] is working absolutely fine.
Any help will be much appreciated.
Thank you.
As per microsoft doc: https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow-native you need to contact linkedin team to enable PKCE for you and then the authorization URL for PKCE is different as well - https://www.linkedin.com/oauth/native-pkce/authorization
You can see the video of the request I made to get the access token using Oauth2.0 Authorization Code grant flow. Although I am able to get code using the step 1, I could not get access token as described in the api documentation.
Find the jive api documentation at
https://jive.com/developer/
Find the video of the request I made using Postman at
https://youtu.be/b7B49n7sbpg
I think I see the issue. In both requests I make for the token I am not including any scopes. Now this will work for implicit Grant Flow but it will not work with the Auth Code flow. So in the initial requests be sure to add at least one valid scope or both public scopes like this:
https://auth.jive.com/oauth2/v2/grant?response_type=code&client_id=c7959b3f-b7a6-451b-8c98-252fcf950271&redirect_uri=https://promodaddy.com&scope=users.v1.lines.read%20calls.v2.initiate
I am looking for concrete information regarding the state of RFC7636 (proof key for OAuth token exchanges) in Google's OAuth2 APIs.
Google exposes an OAuth 2.0 and OIDC provider API where access tokens can be obtained. There is a proposed standard described in RFC7636 for using proof keys in token exchanges which we have started using in our integrations with major identity providers. Some accept the proof key, others ignore it; Google seems to be aware of it but fails to validate the proof key. I have not been able to find any mention of this wrt Google.
In concrete terms, when following the authorization code flow of OAuth 2.0 with Google as the provider we generate a random number, hash it using SHA256, base64 URL encode it, and then pass it to https://accounts.google.com/o/oauth2/v2/auth as parameter "code_challenge" and "code_challenge_method" as per the spec.
The endpoint accepts the parameters and issues an authorization token as usual. When obtaining the access token we call https://www.googleapis.com/oauth2/v4/token with the code_verifier; the endpoint returns the following HTTP 400 error which suggests that there is some awareness of code verifiers:
{
"error": "invalid_grant",
"error_description": "Missing code verifier."
}
Google's OAuth documentation at developers.google.com/identity/protocols/OAuth2 does not mention any of these parameters; the API playground does not extend to playing with the OAuth2 auth and token endpoints. Any insight would be greatly appreciated.
I was having this same problem using AppAuth and an Android clientId. In order to fix it I had to set a matching 'code_verifier' field on both the authorization and token requests. You can find a more in depth description in this post: invalid_grant trying to get oAuth token from google
I am trying to practice the examples in the book "mining the social web". Unlike the applications I had created in twitter and facebook, the Oauth token and secret in the linkedin never show up. I only see my client ID and client secret.
by the way, since I do not have any personal url, can someone explain to me what is the appropriate URL I should enter? In the twitter and facebook applications, I just randomly entered some URL, like www.twitter.com, and it worked. In this application for linkedin, I entered www.linkedin.com, but no Oauth token comes out.
I know this question is too basic for you guys, sorry for posting this. I did google the solution for a while, but it seems like no one has ever posted this question.
You can't directly get an OAuth Token. You have to follow the authentication procedure to receive an OAuth Token.
Steps involved:
Configure your LinkedIn application with a valid callback url which your server is listening to.
Request an Authorization Code
Exchange Authorization Code for a Request Token
This LinkedIn link will help you on what parameters to send in each request and the URL for the same.
https://developer.linkedin.com/docs/oauth2
In OAuth 1.0, 2-legged is pretty easily: Simply send the request as usual and omit the access_token header.
Things seems to have changed in OAuth 2.0 (drastically, as I found out today :)). In OAuth 2.0, the request no longer has headers such as the nonce, consumer key, timestamp etc. This is just replaced by:
Authorization: OAuth ya29.4fgasdfafasdfdsaf3waffghfhfgh
I understand how 3 legged authorizations work in OAuth 2.0 and the application flows. But how does 2-legged work in 2.0? Is it possible to design an API that can support both 2-legged and 3-legged OAuth 2.0?
I have been searching for information regarding this, but I have been finding a lot of stuff on 2-legged for 1.0 and almost nothing for 2.0.
After lots of research, I discovered that client_credentials grant type is for this scenario. Once you punch this term into google, you can find loads of very helpful resources.
This is the normal flow for 3-legged OAuth 2.0 (we want the user to sign in):
Assume we have the following endpoints in our app for authentication:
/oauth/auth
/oauth/token
Normally (for authorization code grant), we direct the user to /oauth/auth?state=blah&client_id=myid&redirecturl=mysite.com/blah
Then upon authentication, the user is redirected to mysite.com/blah?code=somecode
We then get somecode and exchange it for a token using /oauth/token?code=somecode&client_id=myid&client_secret=mysecret
We can then use the token to make calls.
This is the application flow for client_credentials to implement 2-legged OAuth 2.0, which is markedly simplier:
In this approach, we do not need to perform any authentication.
We simply POST to /oauth/token with the following form data:
grant_type=client_credentials&scope=view_friends
Note that scope is optional. The endpoint then directly returns an access token for us to use (no refresh token is provided). Since no refresh token is provided, when the token expires, you will need to reauthenticate and ask for a new one.
This leads to the following caveats:
Use this only for (very very) trusted applications such as internal applications.
You need to devise your own way to authenticate. For instance, the RFC's example uses basic auth.
Another solution is to use JWT (JSON web tokens) like the google OAuth API. It is a very complicated process, but there exists numerous libraries for generating your JWT. You then post the following form data (url encoded of course):
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=generated_jwt
This is posted to /oauth/token to get your token.
As for the question of whether you can create an API that supports 2-legged and 3-legged OAuth 2.0, Yes, it is possible.
Then /auth endpoint is only used when users need to authenticate against the service.
In the /token endpoint, simply check the value of grant_type in the GET parameters for urn:ietf:params:oauth:grant-type:jwt-bearer if using JWT or client_credentials for client_credentials.
Note that when generating the client_id and client_secret to give to the user, if you are supporting multiple grant_types, ensure that you have a database column to store what type of grant type the id and secret was generated for. If required to have multiple grant types per user, generate a different set of credentials for each grant type.
You can also check out Google's implementation of 2-legged OAuth2 (I believe this documentation has been published only recently).
The Google Drive SDK delegation docs should also help understanding Google's 2-legged OAuth2 implementation.