Outlook OAuth .default suffix error trying SMTP and IMAP after getting token

I'm trying to access an Outlook email using OAuth. I already set these permissions on the Azure app:
So, using the OAuth 2.0 client credentials grant, I obtain the access token:
But when I try to authenticate with that token it fails, so I read that it was necessary to generate a second token call using that first one as a parameter and using the IMAP and SMTP scopes concatenated, and I tried it like in the examples:
And as you see, I get this suffix error:
{
"error": "invalid_scope",
"error_description": "AADSTS1002012: The provided value for scope https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).\r\nTrace ID: 41d2086b-f83e-41d8-b405-115249b27901\r\nCorrelation ID: 6afef855-3fc9-4259-864b-4ec8e293e9d0\r\nTimestamp: 2022-04-29 00:02:06Z",
"error_codes": [
1002012
],
"timestamp": "2022-04-29 00:02:06Z",
"trace_id": "41d2086b-f83e-41d8-b405-115249b27901",
"correlation_id": "6afef855-3fc9-4259-864b-4ec8e293e9d0"
}
Any idea what I am doing wrong? Why is the first token not enough, or how do I get the access one in the second call?
Thanks in advance!

Related

"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token" Az API Management

I am trying to obtain an authorization token to consume a published API in Azure API Management, for which I am performing the following steps:
Call the authorization URL as follows:
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=<CLIENT_ID>
&response_type=code
&response_mode=query
&redirect_uri=<REDIRECT_URI>
&scope=SCOPE
Immediately after, I call the following URL with the obtained authorization code and other parameters in the body, sending them as form-data:
POST https://login.microsoftonline.com/common/oauth2/token
client_id=<CLIENT_ID>
scope=SCOPE
grant_type=authorization_code
client_secret=<CLIENT_SECRET>
code=<AUTHORIZATION_CODE_PREVIOUS_STEP>
As a result, I get the following error and cannot continue:
{
"error": "invalid_grant",
"error_description": "AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.\r\nTrace ID: f0264d85-2f41-4009-9e8e-1a211209e100\r\nCorrelation ID: c6b15ffb-82e8-49aa-941f-6c85be4d9601\r\nTimestamp: 2022-01-18 15:06:55Z",
"error_codes": [
54005
],
"timestamp": "2022-01-18 15:06:55Z",
"trace_id": "f0264d85-2f41-4009-9e8e-1a211209e100",
"correlation_id": "c6b15ffb-82e8-49aa-941f-6c85be4d9601"
}
I understand that the authorization code is for one use only but, in my case, I get this error on the first attempt.
Any help is appreciated.

Why am I getting a page token error while using the live chat API?

I'm trying to get the live chat of the live stream:
https://www.youtube.com/watch?v=xHtuITYCqcM.
So for that, I made the URL:
https://youtube.googleapis.com/youtube/v3/liveChat/messages?liveChatId=xHtuITYCqcM&key=...,
and it returns the following:
{
"error": {
"code": 400,
"message": "page token is not valid.",
"errors": [
{
"message": "page token is not valid.",
"domain": "youtube.liveChat",
"reason": "pageTokenInvalid"
}
]
}
}
If anyone knows why this is happening, please help me.
I'm new to this platform, so if I missed anything, please tell me.
According to the official specification of the LiveChatMessages.list API endpoint, its request parameter liveChatId is defined as follows:
liveChatId (string)
The liveChatId parameter specifies the ID of the chat whose messages will be returned. The live chat ID associated with a broadcast is returned in the liveBroadcast resource's snippet.liveChatId property.
Consequently, passing to this endpoint the respective stream's video ID -- xHtuITYCqcM -- is incorrect.
You'll have to invoke, as specified above, the LiveBroadcasts.list API endpoint, passing to it the request parameter id set to your stream's video ID -- that is xHtuITYCqcM -- by means of a URL like this one:
https://www.googleapis.com/youtube/v3/liveBroadcasts?id=xHtuITYCqcM&part=snippet&fields=items.snippet.liveChatId&access_token=$ACCESS_TOKEN
where $ACCESS_TOKEN is the access token obtained upon running to successful completion an OAuth 2.0 authentication/authorization flow.
Note that the OAuth flow is actually required (an API key does not suffice), because:
Authorization
This request requires authorization with at least one of the following scopes (read more about authentication and authorization).
Scope
https://www.googleapis.com/auth/youtube.readonly
https://www.googleapis.com/auth/youtube
https://www.googleapis.com/auth/youtube.force-ssl
Also note that above I used the fields request parameter to get from the API only the info that's of actual use (a good practice).

unable to get given_name and family_name from azure v2 token endpoint

In the manifest of my application registration I've configured to retrieve the given_name and family_name claims (through the UI, the resulting manifest looks like this):
"idToken": [
{
"name": "family_name",
"source": "user",
"essential": false,
"additionalProperties": []
},
{
"name": "given_name",
"source": "user",
"essential": false,
"additionalProperties": []
}
],
During the redirect I add the profile scope along with the given_name and family_name scopes, which results in the following error.
Message contains error: 'invalid_client', error_description: 'AADSTS650053: The application 'REDACTED' asked for scope 'given_name' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.
Any ideas? As I understand that is what is required to configure these optional claims on the v2.0 endpoint as described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#v20-specific-optional-claims-set
You should only use the profile 'scope', which should result in you receiving the given_name and family_name 'claims'. That's standard behaviour for an Authorization Server, which will then either:
Return the name details directly in the id token
Or allow you to send an access token to the user info endpoint to get the name details
However, Azure v2 is very Microsoft specific, and user info lookup can be painful and involve sending a separate type of token to the Graph user info endpoint. Hopefully you won't have to deal with that and you will get the name details directly in the id token.
I had a scenario where my API (which only received an access token) needed to get user info, and I solved it via steps 14 - 18 of this write up, but it's a convoluted solution.
Once you configure optional claims for your application through the UI or application manifest, you need to provide profile Delegated permissions for the application.

kid not matching on OAuth 2.0 flow

I'm using Okta for identity management. As the client in authorization flow, I send an authorize request to Okta. This works successfully, and I get a JWT payload. I want to verify the JWT signature, so I make another call to Okta in order to fetch the keys. However, the key ids (kids) do not match and verification fails.
Initial authorize request:
https://{{site}}.okta.com/oauth2/v1/authorize
?scope=openid
&response_type=id_token
&client_id={{client_id}}
&redirect_uri={{redirect_url}}
&nonce=4euiv0v52at3la15e7qlu1mt43
&state=7c92bqulrmdk2jk0ro9rd3mf5j
Response is a 403, redirecting me to:
{{redirect_url}}/id_token={{id_token}}
The header of the id_token is decoded into:
{
"alg": "RS256",
"kid": "2YKtkekCjCRWN0YqGsjUrNwIQaxGg5ahfHW0_fK8t64"
}
So far so good. I know that the authorization has succeeded. Time to validate the JWT.
However, when this is followed up with:
https://{{site}}.okta.com/oauth2/v1/keys
Or
https://{{site}}.okta.com/oauth2/v1/keys?clientId={{client_id}}
(they both return the same response), I get back this:
{
"keys": [
{
"alg": "RS256",
"e": "AQAB",
"n": "gv1rI9A7mrOoViJZTzUfiZl7YdEzLEofvRoVbXCgeW7aOmoKcAkWGHvqNRGoFgi8auV5b_TSgTXKq_TV1fz643hpAtba3V0Uw2lXchTbqXpmVRYXI1t4FIwRMXLe4Q-kcvp9la21e3D1lszjdPbFNX5GLAhrCW0Thu2HYbTLg6TbDTMaiQCMo15hek0JgZqRGzCkt9kINnwPVLXV_bkSh_fHWo_6G1L0MKYYQcgE6zvPlULLek98-yZ6Nlg6nJUY9nHn0qjhzqqq-bz_Vin8qi3Bt7SjUKwk7HbaugM84AEgDxYE5JgsaALIl5SgIc3GgFEc69qKWymoD-w1a8f1HQ",
"kid": "SOxFkBSLWefjlZoDI49Hk0nqlYtC28cjhTlVAYEzAxs",
"kty": "RSA",
"use": "sig"
}
]
}
Where the kid does not match what I received in the original response.
Where is my mistake?
You need to create an authorization server and use it as the endpoint, for example:
https://{{site}}.okta.com/oauth2/{authorizationServerId}/v1/authorize
You should also be able to use the default one:
https://{{site}}.okta.com/oauth2/default/v1/authorize
Note that this is different than the route you were using (which does not specify an authorization server):
https://{{site}}.okta.com/oauth2/v1/authorize
You should specify an authorization server in your case (like example 1 and 2 above), for both OAuth 2.0 and OpenID Connect.
The problem was that this account was set up with pinned, not rotating, keys. oauth2/v1/keys requires the client ID to be passed in as a parameter if you are set up with pinned keys; the correct parameter name is "client_id", not "clientId". This results in the expected output.
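The kid lookup this thread turns on, as an added example that is not part of the original posts or Okta's code: it reads the kid from the token header, picks the matching JWKS entry, and fails closed on a miss instead of trying whatever key the endpoint returned. The two kid constants are the values quoted in the question; `KeySelectionError`, `sample_token`, `sample_jwks` and the RS256-only allowlist are assumptions made for the illustration.

```python
import base64
import json

ALLOWED_ALGS = {"RS256"}  # assumption: this client accepts only RS256
TOKEN_KID = "2YKtkekCjCRWN0YqGsjUrNwIQaxGg5ahfHW0_fK8t64"  # kid in the question's id_token header
JWKS_KID = "SOxFkBSLWefjlZoDI49Hk0nqlYtC28cjhTlVAYEzAxs"  # kid in the question's /keys response

class KeySelectionError(Exception):
    """No trustworthy JWKS entry matches the token header."""

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_header(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise KeySelectionError("not a compact JWS (expected three segments)")
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return json.loads(base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4)))

def select_signing_key(token: str, jwks: dict) -> dict:
    """Return the JWKS entry named by the token's kid, or fail closed."""
    header = jwt_header(token)
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in ALLOWED_ALGS:
        raise KeySelectionError(f"algorithm {alg!r} is not allowed")
    if not kid:
        raise KeySelectionError("token header has no kid")
    for key in jwks.get("keys", []):
        if key.get("kid") != kid:
            continue
        if key.get("kty") != "RSA" or key.get("use", "sig") != "sig":
            raise KeySelectionError(f"key {kid!r} is not an RSA signing key")
        if key.get("alg", alg) != alg:
            raise KeySelectionError(f"key {kid!r} is bound to another algorithm")
        return key
    # Never fall back to "the only key in the set": a kid miss means the keys
    # came from the wrong endpoint or were rotated, so re-fetch instead.
    known = [k.get("kid") for k in jwks.get("keys", [])]
    raise KeySelectionError(f"kid {kid!r} not in JWKS, which has {known}")

def sample_token(header: dict) -> str:
    # Constructed token: real header shape, placeholder payload and signature.
    return ".".join([b64url(json.dumps(header).encode()), b64url(b"{}"), b64url(b"sig")])

def sample_jwks(kid: str) -> dict:
    # Constructed JWKS entry; "n" is a placeholder, not a real modulus.
    return {"keys": [{"alg": "RS256", "e": "AQAB", "n": "PLACEHOLDER", "kid": kid, "kty": "RSA", "use": "sig"}]}
```

The key returned by `select_signing_key` is only the candidate; the signature, issuer, audience, nonce and expiry still have to be checked with a JWT library before the token is trusted.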

How to get list of all subscribed channels of user using youtube api?

I am using Laravel-php, and I have the following code:
$client = new Google_Client();
$client->setClientId(env('GOOGLE_ID'));
$client->setClientSecret(env('GOOGLE_SECRET'));
//$client->setRedirectUri($redirect_uri);
$client->addScope("https://www.googleapis.com/auth/youtube.force-ssl");
$client->addScope("https://www.googleapis.com/auth/youtube");
$client->addScope("https://www.googleapis.com/auth/youtube.readonly");
$client->addScope("https://www.googleapis.com/auth/youtubepartner");
$youtube = new \Google_Service_YouTube($client);
$searchResponse = $youtube->channels->listChannels('snippet', array('mine' => true));
//$subscriptions = Curl::to('https://www.googleapis.com/youtube/v3/subscriptions')->withData(['part' => 'snippet', 'mine' => 'true'])->get();
echo "<pre>";
print_r($searchResponse);
The above code gives me the following error:
Google_Service_Exception in REST.php line 118:
{
"error": {
"errors": [
{
"domain": "usageLimits",
"reason": "dailyLimitExceededUnreg",
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.",
"extendedHelp": "https://code.google.com/apis/console"
}],
"code": 403,
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup."
}
}
I have also tried a CURL call, but that gives me the same error. Any suggestions will save my day.
What am I missing in the code?
Your error means that you haven't set up a Google APIs console project. The resource you are accessing requires OAuth authorization. You need to obtain authorization credentials in the Google Developers Console to be able to use OAuth 2.0 authorization.
Open the Credentials page.
The API supports API keys and OAuth 2.0 credentials. In your case, use OAuth 2.0 for your project:
OAuth 2.0: Your application must send an OAuth 2.0 token with any request that accesses private user data. Your application sends a client ID and, possibly, a client secret to obtain a token. You can generate OAuth 2.0 credentials for web applications, service accounts, or installed applications.
See the Creating OAuth 2.0 credentials section for more information.
You may also check this related thread: list user subscriptions to all youtube channels after getting access token
The first thing is that it needs to be an authenticated call.
So you need to get the person to "Authenticate" through OAuth2 and collect the token.
Then, with the token, send this call:
https://www.googleapis.com/youtube/v3/subscriptions?part=id,snippet,contentDetails&maxResults=50&channelId='.$channelId.'&access_token='.$access_token
Then you can access the JSON response and collect them.
