I am currently developing a method which requires a call to an API. To make the request, I need bearer token, and I am stuck at the HTTP request part for the token. I can get a token easily with postman, but I have no idea how to do on C#. I have access to the following parameters:
Callback URL
Authentication URL
Access Token URL
Client ID
Client Secret
Scope
I am familiar with RestSharp, and open to use any other libraries as well.
Related
I aim to fetch purchases from googleapis by using a service account on server-side.
Method: purchases.products.get api requires an oauth2 authentication.
Therefore I create an oauth2 token -from the client-secret.json I am provided from consolce.cloud.google- inside of my server-side backend java spring application.
GoogleCredentials googleCredentials = GoogleCredentials.fromStream(new FileInputStream("src/main/resources/client_secret.json")).createScoped("https://www.googleapis.com/auth/androidpublisher");
googleCredentials.refresh();
AccessToken accessToken = googleCredentials.getAccessToken();
The token I generate is like 'ya29.c.b0AXczHcuLszNI................'
It ends with multiple dots I don't know why.
https://androidpublisher.googleapis.com/androidpublisher/v3/applications/{packageName}/purchases/products/{productId}/tokens/{token}
After I get the token I do the GET request to this URL.
I gets the following error:
"message": "Request is missing required authentication credential.
Expected OAuth 2 access token, login cookie or other valid
authentication credential. See
https://developers.google.com/identity/sign-in/web/devconsole-project.",
Why my token is not working? The way I use it, Is it wrong? And/or oauth2 token generation way is it wrong?
The access token is sent as an authorization header. The access token should be prefexed with the term bearer as it is a bearer token.
I am trying to connect netsuite using Postman's get auth code functionality. According to NetSuite help center a POST request needs to be sent to the token endpoint with the JW token and grant type.
But if we go to postman and select Oauth 2.0 client credentials in the Authorization then we get a button "get auth code" And fields like client id, client secret and the urls. After entering all the details its not working.
Only the POST request is working.
The reason I am asking this is I am trying call some restlets from Appian. But in the Appian screen we only get client id, client secret, auth url and token url field.
Any idea on this
I am trying to connect netsuite using Postman's get auth code functionality. According to NetSuite help center a POST request needs to be sent to the token endpoint with the JW token and grant type.
But if we go to postman and select Oauth 2.0 client credentials in the Authorization then we get a button "get auth code" And fields like client id, client secret and the urls. After entering all the details its not working.
Only the POST request is working.
The reason I am asking this is I am trying call some restlets from Appian. But in the Appian screen we only get client id, client secret, auth url and token url field.
Any idea on this
I have an API /code-for-token that accepts an OAuth2.0 Authorization code and exchanges it for an access token.
Using the Postman Authorization tab I'm able to complete the entire auth flow and retrieve a token, however, what I want is just the authorization code to pass to my /code-for-token endpoint.
Is it possible to trigger Postman's browser to access the authorization login portal and then capture the code that will be inside the query params of the redirected url?
Is there some other way to accomplish retrieving the authorization code?
Suppose i am calling webapi from my machine in angular and get token from server, can i call api from other machine using same token will server be able to authenticate it.
Bearer token allows any party in possession of the token to use it. Using a bearer token does not require the bearer to prove the possession of token. However API implementation may add another layer checking, like one time use only, or bind token to first calling client.
Here is my plan (authorization code flow) of implementing such login/register logic. (The third-party only provided the OAuth2 API)
First the SPA frontend will send a GET request to the third-party
GET https://www.example.com/oauth2
client_id=dummyclient
redirect_uri=https://mysite/callback
response_type=code
scope=openid
Then if the user agree to give his/her openid to mysite then the fronend will get a 301 HTTP response.
---> 301 https://mysite/callback?code=dummycode
Then the browser will redirect the page to mysite/callback and it will reload SPA and expose the code in URL which can be captured by the SPA then it will send the code to the real backend callback.
GET https://mysite/api/real-callback?code=dummycode
When the backend get the code, it will send the code to the third-party to exchange an access_token. When the backend get the access_token, it will fire an API request to get the user's openid then decide whether to let the user login or register as a new user. At last it will give back a HTTP response to our SPA frontend which contains the access_token in my OAuth2 system or a 401 unauthorized response.
So my question is how to prove that the real callback is invoked by my own clients (Because if some attacker get my frontend embedded client_id then he can fake the OAuth2 request and phishing the user to agree. After that the attacker will get a valid code then he send back the code to my real callback. Finally, he will get the user's access_token in my system.) How can I use OAuth2 to do authentication without the end user's providing additional information like password.
I would suggest you to change the OAuth2 flow to Implicit and ask for both access_token and id_token (OpenID Connect). Your SPA will get the tokens, send the ID token to your backend, which can use it to decide whether it's possible to create such user. The SPA can use the access token to call protected resources.
This way,
only the SPA will be an OAuth2 client - tokens will not be used by two applications (SPA and backend),
you will have just one redirect URI,
you will not need to transfer tokens from the backend to the SPA.
Update: Without OpenID Connect
If you cannot use the id_token, you could send the access_token to your backend and the backend can get the user's username by sending to token to the Introspection endpoint https://www.rfc-editor.org/rfc/rfc7662 (from the response username attribute). The username attribute is optional. Your OAuth2 server may return even more info (such as name and email).
This Introspection endpoint requires authentication, so to use it, your backend will have to be a registered OAuth2 client with its own client_id and a secret.