I have an api and i have gained access to the bearer token by sending username and password . I need to use the token to then send send another request using Oauth2 gem(ruby). H I have the endpoint
below is an example of something i think it may look like. I don't know the syntax or how to send this token to the url
it would be great if someone could give me an example of how to set up the method. Where to plug in the bearer token that i have saved to an instance variable, etc.
req = Net::HTTP::Get.new(url.to_s)
You need to add Authorization to the header, where the value is the bearer token. A header can be set like so req["header_name"] = header
You seem fairly new to this, I suggest you use RestClient instead https://github.com/rest-client/rest-client. Much more user friendly and the documentation is easier to read.
Related
I'm trying to understand OAuth 2.0 which is scarcely, badly documented and I'm trying to implement OAuth 2.0 client call in my App. I am using Postman to simulate API calls, which works. Postman shows big orange button "Get New Access Token", where I select Grant Type, URL, Client ID, Client Secret, Scope and Authentication type. Upon clicking button Request Token, new bearer token is returned by the API, meaning the authentication succeeded. This of course is completely useless approach to me, because I have no idea what just happened. I need to create actual request that shows me exactly how it is formed, so that successful response with bearer token is returned. Postman, for absolutely no reason, will not let me see that or convert it's useless UI into a functional API request. All I have is black box with orange button "Request Token", which does who knows what.
Does anyone know, how to form a working OAuth 2.0 bearer token request in Postman, preferably to convert their useless token request dialog directly into a request?
After some research I have been able to form a valid OAuth2 token request. For clarity, here is a code sample, which we need to convert to Postman response:
var client = new RestClient("https://api_address/token");
client.Timeout = -1;
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "Basic hash");
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
request.AddParameter("grant_type", "client_credentials");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
The hash part of the request is formed from client_id and client_secret values. In Postman, this is defined as such:
Create a simple POST request with token API url.
Go to Authorization tab.
Select Basic Auth
Enter client_id and client_secret into corresponding fields as username and password.
Go to Body tab.
Select x-www-form-urlencoded.
Enter key grant_type with value of client_credentials.
This example is for the client credentials flow. OAuth2 authors felt that calling auth scenarios as auth scenarios isn't cool enough, so they are called flows, which is nonsense, but sounds cooler.
Process one:
Process two:
First, determine whether your token is passed through the header
It could be:
else process:
In order to use Discord's API I need a token, and to get it I open a link such as
https://discordapp.com/api/oauth2/authorize?client_id=<client_id>&redirect_uri=<redirect_url>&response_type=token&scope=identify
Then I set the token as authorization (in format Bearer <token>) header of requests that are issued to the Discord's API.
Let's say I want to "logout", so that a certain token can't be used anymore to do such requests. In this case I have to revoke that token, right?
So after reading Discord's documentation and making some adjustments I decided that I have to make a POST request to a URL such as
https://discordapp.com/api/oauth2/token/revoke, and content-type header of this request should be set to x-www-form-urlencoded.
When I do it I'm getting an error message from discord's server with message saying {error: "invalid_client"}
What do I do wrong?
If you come by this question and are wondering what is the full API call to revoke the token, here it is:
POST https://discord.com/api/oauth2/token/revoke
Content-Type: application/x-www-form-urlencoded
data:
client_id: <client_id>
client_secret: <client_secret>
token: <access_token>
So the problem was in actual format of the data I was sending. I was sending JSON data because I thought that setting specific headers would automatically turn the data into the right format, but it turns out I had to use FormData object to create the data in the right format, and after that I also removed the lines where I'm setting the header explicitly, after these steps everything worked fine.
I'm calling the Freshdesk API to update a ticket by adding tags. I'm having trouble authenticating the call. I have encoded username and password to base64(using an external tool).
I've tried the following:
Basic Auth: In Zapier's BasiAuth field, I tried username|password
In the header field, I added a key Authentication with value BasicUsername:password
In both cases I get the error You have to be logged in to perform this action.
Zapier's basic auth field should work if everything is set up correctly (and there's no | in your password). In that field, you should be using your actual password, not the base64 encoded pair: david:mypass.
If you want to do it manually, that's fine too. the Authentication header should be something like Basic asdfasdf==. Note the space between the word "basic" and the "base64" encoded username:password.
For everyone looking for the solution here...
I did a header and then did this with my API token
headers
Authorization
Token token=yourapicode
FreshDesk API - Authentication
I found this when trying to get Postman to work with their API, turns out you need to set Authorization type to Basic Auth, have your API token from FreshDesk as your username and just 'X' (without the apostrophes) as your password. Hope it helps someone else.
I am trying to write the exchange and access endpoints and the docs here (https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/linking-an-alexa-user-with-a-user-in-your-system#h2_login) are not clear on a couple of things:
how is the call to exchange a grant code for access token made - is it GET with credentials in QS or is it a POST with credentials in a body?
Is the access token delivered only in the JSON for an intent call or is it set properly as a bearer token?
It's a POST with credentials in the request body. Amazon follows the Oauth2 RFC correctly in this case.
The access token is delivered by Amazon only in the JSON for the intent request and not properly set as a bearer. This is annoying.
In my case, I had to hack around it by first validating if the request was a valid alexa request which contained a session with an access token, then setting the HTTP_AUTHORIZATION header to Bearer <token>, then using existing request auth logic to authenticate (I was using Django with django-oauth-toolkit, so YMMV if you're using something else).
That code looks something like this:
# get the access_token from the POST request
if access_token is not None:
request.META["HTTP_AUTHORIZATION"] = "Bearer " + access_token
if not hasattr(request, 'user') or request.user.is_anonymous():
user = authenticate(request=request)
if user:
request.user = request._cached_user = user
if request.user.is_authenticated():
# Do whatever with the logged in user
I followed the tutorial on https://dev.twitter.com/docs/auth/implementing-sign-twitter to use OAuth on my homepage. Everything worked and after the last step I have an oauth_token (after converting it to an access token) and an oauth_token_secret. Now I want to post a new status on twitter. So I did everything on this page https://dev.twitter.com/docs/auth/authorizing-request which is just a post request to /1/statuses/update.json. On that page nothing is said about the oauth_token_secret, so I haven't used it in my request and just have put the oauth_token in it. After submitting the post request twitter gives me the status code 401 Unauthorized. Why that? Do I have to use the oauth_token_secret somewhere?
The token secret is used to hash the signature base. Something like a password. You don't send the password, you use it to compute a secure hash of the thing the service sent to you. You send that secure hash, then the service checks that secure hash against the request you sent. If they match, you're authorized.
The gory details are described in the OAuth spec, RFC 5849.
Twitter uses OAuth1.0a, but is mostly consistent with that spec.
here's the relevant bit:
https://www.rfc-editor.org/rfc/rfc5849#section-3.4.2