What should I enter for callback URL when trying to generate a new access token in Postman? I'm using a Client ID and Client Secret from my Twitter Developer account.
It should be the same callback URL that you registered on Twitter when generating a client ID and secret. If you haven't provided any URL there, then you can use anything (e.g. http://localhost).
If you're calling the token endpoint from Postman (as I think you are), i.e. you want to exchange the code for tokens, then you should use the same callback URL that you used in your authorization request.
I am having trouble understanding how to accomplish this. I have Firebase functions running on my application. I am using an external API in which I can configure Webhooks to hit an endpoint on my Firebase functions to perform an action. To make sure that the call comes from this external API, they recommend using an oauth2 flow. Mainly they ask me for:
- Provide us (the external API) with an ID and an access token;
- these are used to access a URL which provides a bearer token;
- this bearer token is then used to access the provided webhook URL until the bearer token expires after a pre-determined period of time.
And there are 4 input fields:
1. OAuth2 access token url
2. OAuth2 client id
3. OAuth client secret
4. OAuth2 Scope. <---- NOT SURE WHAT THIS ONE MEANS
My question is how do I generate the access token and the client id for this external API?
What value should I put for the oAuth2 scope?
Thanks!
I was able to figure this out using Auth0. In one of their documents, they clearly explained what I was trying to accomplish. Posting here for future reference in case anyone needs it.
Thanks all!
reference: https://auth0.com/docs/authorization/flows/client-credentials-flow#learn-more
You can generate the client ID and client secret in the Console > Credentials.
Cloud Functions API oAuth2 scope is https://www.googleapis.com/auth/cloud-platform.
We are using VB.NET and developing a Windows Forms based application where we need to send email using Gmail.
Appropriate scope has been approved by Google: scope=https://www.googleapis.com/auth/gmail.send
Using the URL below via the browser, we are able to retrieve the code.
https://accounts.google.com/o/oauth2/v2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.send&access_type=offline&include_granted_scopes=true&state=state_parameter_passthrough_value&redirect_uri=**********&response_type=code&client_id=******************
At this point, we have client id, client secret, and code.
But we are unable to send email.
Can someone please share any sample POST request or sample code?
Language used: VB.NET, and the first URL was called using the WebBrowser object.
You are using the OAuth2 Authorization Code Grant flow. This flow returns you just a code that you need to exchange for an access token and a refresh token using the /token endpoint. The code is just a random identifier and cannot be used for anything else. Without an access token, you cannot access protected resources (Gmail). The /token endpoint requires authentication, so you will need your client ID and secret when calling it.
The workflow, request parameters, responses and examples are covered in the OAuth2 RFC.
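The three calls that answer above describes, as an added example that is not code from the question or from Google: the code-for-token exchange at the /token endpoint, reading the reply, and then using the bearer token for the Gmail API send call. The endpoint URLs come from Google's public OAuth2 and Gmail API documentation, not from this page; the credential values in the test are constructed placeholders.

```python
import base64
import json
from email.message import EmailMessage
from urllib.parse import urlencode

# Google's endpoints (from Google's OAuth2 / Gmail API docs, not from the question above).
TOKEN_URL = "https://oauth2.googleapis.com/token"
GMAIL_SEND_URL = "https://gmail.googleapis.com/gmail/v1/users/me/messages/send"


def build_token_exchange(client_id, client_secret, code, redirect_uri):
    """Step 1: the form-encoded POST that trades the one-time code for tokens
    (RFC 6749 section 4.1.3). redirect_uri must be byte-for-byte the value sent
    in the /auth request, or the token endpoint rejects the exchange."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,   # client authentication for the /token call
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body


def parse_token_response(raw_json):
    """Step 2: pull the bearer token out of the /token JSON reply. Google returns
    refresh_token only on the first consent (access_type=offline), so it may be absent."""
    reply = json.loads(raw_json)
    if "error" in reply:
        raise ValueError(f"token endpoint error: {reply['error']}")
    if reply.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return reply["access_token"], reply.get("refresh_token")


def build_gmail_send(access_token, sender, recipient, subject, text):
    """Step 3: the Gmail API send call. The message is an RFC 2822 mail,
    base64url-encoded into the JSON field "raw", authorised with the bearer token."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(text)
    raw = base64.urlsafe_b64encode(msg.as_bytes()).decode("ascii")
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    return GMAIL_SEND_URL, headers, json.dumps({"raw": raw})


def decode_raw_message(body_json):
    """Inverse of the encoding above; handy for inspecting what would be sent."""
    return base64.urlsafe_b64decode(json.loads(body_json)["raw"])
```

Send each (url, headers, body) triple with whatever HTTP client your language offers (in VB.NET, HttpClient); the request shapes are the same.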
Can anyone help me with generating an OAuth token using the QuickBooks API and Postman?
I am not able to create one using the API.
And can you help me get sample account data from the QuickBooks API?
You can refer to the following blog, which shows how to generate OAuth1 tokens using the OAuthPlayground tool and use those tokens in Postman to make any API calls.
https://developer.intuit.com/hub/blog/2016/04/25/quick-start-to-quickbooks-online-rest-api-with-oauth1-0
You can try the entire QBO POSTMAN collection from the link below.
https://developer.intuit.com/docs/0100_quickbooks_online/0400_tools/0012_postman?isExpand=false#/1500
You can't generate OAuth tokens via Postman.
The whole point of OAuth is to give the end-user a UI-based process to click through and provide tokens.
Use the UI components Intuit provides to get your tokens.
https://developer.intuit.com/docs/0100_quickbooks_online/0100_essentials/000000_quickbooks_online_overview
I recently had to download QBO's Postman collection to debug an integration issue with my app. I use OAuth2.0 with Authorization Code as the grant type to authenticate a user from my app to QBO. This is what QBO offers now and it's not up to the app developer's discretion.
You can download the QBO's Postman collection from here.
To access QBO's endpoint from Postman, you must first create and register an app entry with QBO. Doing so will give you ClientID and ClientSecret which are needed for authentication purposes. Also put https://www.getpostman.com/oauth2/callback as the RedirectURI for your app since you will be authenticating using Postman. If you have your website up and running, you can put the link to your website as the RedirectURI.
Once you open the collection in Postman, open the Accounts endpoint and switch to the Authorization tab.
Click on Get New Access Token.
CallbackURL is going to be what you put in the RedirectURL you registered your sample QBO app with.
AuthURL and AccessTokenURL are taken from the QBO link I mentioned above. Paste these as is.
ClientID and ClientSecret are the keys you get once you register your sample app with QBO.
Scope can be used as is since you need to access the accounting endpoint.
State can be any string that is returned intact after a successful authentication with QBO. It is something that your app can use for an extra check to ensure that you got a response from the right authorization server. Put a string of any length (do not leave it blank) in this case because we are only accessing the endpoints using Postman.
ClientAuthentication is set to Send client credentials in body as instructed by QBO.
Once you click on Request Token, you will be redirected to QBO's login page inside Postman itself in a new popup window. Successful authentication will close the popup window and give you an Access Token. Clicking Use Token will set the token in the body at the time of Send Request.
Make sure you know your companyid and that you are targeting the right baseurl. Notice that I'm using minorversion 9 because that's what my app uses. You can choose to stick with 14.
Hitting Send Request should get you some accounts objects in the response.
In the Google developer console, when you create new app credentials for use in OAuth 2.0, and you specify a web app, it requests that you register callback URI and JavaScript origins.
I don't have a precise understanding of the need to register these.
For the callback URI, presumably this prevents a 3rd party who presents a malicious page to a user from getting the authorization code. However, the client id and secret are still hidden in the app server, so isn't the malicious application unable to do anything anyway?
Furthermore, if the callback URI is already registered, what does registering the JS origins separately accomplish? Unlike the callback URI registration, this is not mentioned by the OAuth 2.0 spec; it's something Google chose to implement.
Thank you for your help!
When you request a token, that token will be passed to the callback URL. By only permitting callback URLs that you have configured in the API console, you are preventing malicious users from spoofing the request and having the token sent to a third party. I suspect the aspect of OAuth that you've missed is that the callback is sent via a browser redirect, so is easy to fake.
Callback URLs are part of the OAuth server flow.
JS Origins come into play when you are using the client (Javascript) OAuth flow. They ensure that any OAuth request has come from a page that originated on your site.
The server flow is ...
OK I think I understand a bit more from reading the spec. https://www.rfc-editor.org/rfc/rfc6749#section-10.6
It is to prevent an attack by a user of the same client. An attacker can create an account at the same client and initiate the auth flow, but he replaces the redirect URI with his own URI.
He then tricks a victim into following the link to authorize the same legit client they are using. However, the auth code is now sent to the attacker URI.
The attacker then completes the flow by providing the auth code back to the client, which the client uses to complete the flow obtaining the token. However, this token may be associated by the client with the attacker, allowing him to impersonate the victim.
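The mitigation side of the attack described above, as an added example that is not code from this thread or from Google: an authorization server that validates redirect_uri by exact string comparison against what the client registered (RFC 6749 section 10.6), a JS-origin check for the browser flow, and the client-side state comparison (RFC 6749 section 10.12). The client id, registered URIs and origins are constructed placeholders; treating state as required is this validator's choice, not a rule from the spec.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed registry: client_id -> the exact redirect URIs registered in the console.
REGISTERED_REDIRECT_URIS = {
    "web-client-123": {"https://app.example.com/oauth2/callback"},
}
# Constructed registry for the browser (JS) flow: an origin is scheme://host[:port], no path.
REGISTERED_JS_ORIGINS = {
    "web-client-123": {"https://app.example.com"},
}


def redirect_uri_allowed(client_id, redirect_uri):
    """Authorization-server side. Exact string comparison, no prefix or substring matching:
    a look-alike host, an added query string or a scheme downgrade are all rejected, so an
    attacker cannot steer the victim's authorization code to a URI he controls."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def js_origin_allowed(client_id, origin_header):
    """Browser flow: the Origin header of the request must be a registered origin, exactly."""
    return origin_header in REGISTERED_JS_ORIGINS.get(client_id, set())


def validate_authorization_request(url):
    """Checks an /auth request URL like the one in the Gmail question. Returns (ok, reason)."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    for name in ("client_id", "redirect_uri", "response_type", "state"):
        if name not in query:
            return False, f"missing {name}"
    if query["response_type"] != "code":
        return False, "unsupported response_type"
    if not redirect_uri_allowed(query["client_id"], query["redirect_uri"]):
        return False, "redirect_uri is not registered for this client"
    return True, "ok"


def callback_state_matches(expected_state, callback_url):
    """Client side: the state echoed back on the callback must equal the value stored in the
    user's session before the redirect; compared in constant time. A missing state fails."""
    returned = parse_qs(urlsplit(callback_url).query).get("state", [""])[0]
    return bool(expected_state) and hmac.compare_digest(expected_state.encode(), returned.encode())
```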
We have a desktop app (Delphi XE2) that gets an oauth request token from Intuit and fires off the URL call to Intuit where the user authorizes our app. This half of the oauth dance seems to be working.
The problem we are running into is getting the Access Token and Access Token Secret. We never seem to get it.
Details:
This is for QuickBooks v3 API.
We have a web service setup to handle the callback whose URL we pass along when we make the call to get with request token to https://appcenter.intuit.com/Connect/Begin
That opens the Intuit web page with our test company and our app listed. When we grant access to our app from the Intuit site the web browser is redirected to our callback URL and that contains an oauth token (which I'm not really sure is our access token) but we never get the access secret. That's the missing thing for us.
Is the token we are getting in the callback our access token?
If so how do we get the access secret? Is that token another token to be used to make another call to https://oauth.intuit.com/oauth/v1/get_access_token where we would obtain our access token and secret?
I tried using the token returned to our callback URL as a token for the "get access token" url and that gave me unauthorized errors.
If the token returned to our callback URL is not the access token where/how the heck do we get it?
Any help or direction is appreciated.
UPDATE:
So, it turns out I was missing one entire step of the OAuth dance.
After the user authorizes access, that passes the original request token and a verifier key to our web service. That verifier key is used with the original token in yet another call to Intuit to get the access token and access token secret.
Cheers!
TJ
The initial callback returns to you a request token, which you then have to send back to Intuit via the get_access_token URL to get an access token and secret.
Intuit instructions:
Implement OAuth in Your App
The OAuth spec it refers to is RFC 5849.
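The missing third leg described in the update and the answer above, as an added example that is not code from the question, from Intuit or from the linked sample: building the RFC 5849 HMAC-SHA1 signed request that sends the request token plus oauth_verifier to get_access_token. The endpoint URL is the one named in the question; HTTP method GET, the oauth_version parameter and the placeholder keys and secrets in the test are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Intuit's OAuth 1.0a access-token endpoint (named in the question above).
ACCESS_TOKEN_URL = "https://oauth.intuit.com/oauth/v1/get_access_token"


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(str(value), safe="~")


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD&enc(url)&enc(sorted k=v pairs). url carries no query;
    all protocol parameters and any query/body parameters go in params; oauth_signature is
    excluded because it is what we are about to compute."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """RFC 5849 section 3.4.2: the key is enc(consumer_secret)&enc(token_secret). For this leg
    the token secret is the request token secret received in the first leg."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def access_token_request(consumer_key, consumer_secret, request_token, request_token_secret,
                         verifier, nonce=None, timestamp=None, method="GET"):
    """Builds the signed request that trades request token + verifier for the access token and
    secret. Returns (method, url, Authorization header value); nonce and timestamp can be fixed
    for testing, otherwise they are generated fresh as the spec requires."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": request_token,
        "oauth_verifier": verifier,            # the value delivered to the callback URL
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, ACCESS_TOKEN_URL, params)
    params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, request_token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))
    return method, ACCESS_TOKEN_URL, header
```

The response body is form-encoded oauth_token and oauth_token_secret; those two are the access token and secret to store for subsequent API calls.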
You can refer to the sample V3 app.
https://github.com/IntuitDeveloperRelations/QuickbooksV3API-Java
To be specific, please refer to
OAuthController.java and OAuthHelper.java
Thanks