Configuring OAuth 2 for Sendgrid event webhook - oauth-2.0

I’m totally new to OAuth 2 but my current task requires me to use it to authenticate request from Sendgrid event webhook.
The only manual I found is this:
https://docs.sendgrid.com/for-developers/tracking-events/getting-started-event-webhook-security-features#oauth-20
And I tried the following:
1. I tried creating a new OAuth 2.0 Client IDs from google cloud console
I got the json file which contains: client_id, client_secret, token_uri; then I inputted them to Sendgrid.
However, when I tested it (by clicking the “Test your intergration”), nothing was sent to my endpoint.
I think that sendgrid couldn’t get the access token from the OAuth service or authorization server so it didn’t send any request to my URL.
2. I tried creating a Auth0 account and I also got client_id, client_secret, token_uri
I tested it again and nothing is sent to my endpoint, but this time, when I checked the log from Auth0, I saw this error:
No audience parameter was provided, and no default audience has been configured.

Faced with the same issue.
On the Auth0 side, we can set 'default audience' on the Tenant level (not on each application). It isn't enjoyable.
On Sendgrid they don't send audience param (they expect that you can fetch access token only by client id and client secret)...

Related

Google oauth2Client.getToken is not returning id_token for other users

I'm implementing Google's 'code model' of Oauth2 and having trouble getting users' email - I wonder if this is a scopes problem or my misunderstanding about how to set up the code model. This sequence of events is already working:
Client loads https://accounts.google.com/gsi/client
Client starts call to google.accounts.oauth2.initCodeClient
Client gets code
Client passes code to one of my server endpoints
Server has an oauth2Client set up using the config with client_id, client_secret, and redirect URL = 'postmessage'
Server exchanges the code from the client for tokens
Server does oauth2Client.setCredentials(tokens) - this contains an access_token, which is enough for the client to make API calls to, e.g., retrieve the user's Google Calendar
Server is able to do oauth2Client.getTokenInfo(tokens.access_token);
There are various places along the way that involve scopes; I am probably getting something confused here. The client's initial call (step 2 above) uses
scope: 'https://www.googleapis.com/auth/calendar',
My code path on the server does define scopes anywhere.
In GCP, my project is set up with scopes
calendar.calendarlist.readonly, calendar.readonly and calendar.events.readonly
openid
/auth/userinfo.email
Here's the problem I'm encountering: when I go through this flow as a user and oauth with the account that owns the GCP project (this is a Google Workspace email, in case that matters), the tokens object that the server receives (step 6 above) has access_token, refresh_token and id_token - the id_token can be decoded to yield the user's email, and the user's email is also in the response to oauth2Client.getTokenInfo(token.access_token).
However, when I go through the flow with my other (personal) Gmail account, the tokens object that the server receives is missing the id_token but has the access and refresh tokens. Question 1: why are the responses different?
Question 2: How can I get the email of the user on the server in the personal Gmail account case? I've tried having the server make a call to https://www.googleapis.com/oauth2/v2/userinfo?fields=id,email,name,picture with the access_token, but this fails. I am not sure if I'm supposed to declare scopes for oauth2Client somehow, or tap a Google API using a different method on the server.
I think I've had a breakthrough: in step 2 in my original post, when I did "Client starts call to google.accounts.oauth2.initCodeClient", I had set the scope of initCodeClient to just the calendar scope. When I changed it instead to scope: 'https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/userinfo.email openid', (scope takes a space-delimited list in this case), it allowed my server call to get the id_token for this user and oauth2Client.getTokenInfo to get a response with the user's email in it.
When I updated the scopes like that, the popup asking for authorization also updated to request all the scopes I wanted - previously, it was only asking for the Calendar scope, so it makes sense Google didn't want to return the email.
What I still don't understand is why my previous setup was working for the account that owns the GCP project. In other words, when I was first building it out with that owner account, the client was only noting the Calendar scope while the server was asking for all three scopes (ie there was a mismatch), and the server was still able to get an id_token and the user's email in getTokenInfo. Maybe the owner account has some special privilege?

Azure Function AAD Authentication - Client Credentials Flow

I'm trying to figure out how to secure an azure function (service func) that should only be called from another azure function (client func) in the same tenant.
Here's what I've tried in the azure portal:
created a windows function app on a consumption plan
added a hello-world http triggered function with authorization level of "Anonymous"
tested I'm able to call the function anonymously
on the blade for the service func, selected "Authentication"
selected "Add identity provider"
chose "Microsoft"
"Create new app registration"
"Current tenant - Single tenant"
"Require authentication", "HTTP 401"
created a new app registration for the client func, making a note of the client_id and client_secret
I then configured postman to acquire a token from the azure ad (using the only tenant id in play), passing the client_id and client_secret from the app registration of the client func. In the post to the /token endpoint, I gave a grant_type value of "client_credentials".
On posting the request from postman, I received a response containing an access_token. I copied this and pasted into https://jwt.ms to check that all looked ok.
I configured another request in postman to issue a get to the hello-world function. This contained a "Authorization" header with a value of "Bearer " + the access_token received in the previous step.
Despite passing what seems to be a valid access token, the function app (which has no authentication bindings) return a 401 Unauthorized error.
I don't need authorization, just authentication.
Can anyone spot where I went wrong?
I now have this working. I found the following page helpful: Microsoft Doc
Key points:
App roles declared on the app registration of the service app
I didn't manually enter anything into the "Expose an API" page
No authorized client applications listed on the "Expose an API" page
When getting the access token, the scope should be set to the Application ID URI of the target service app registration + "/.default"
API permissions set on the app registration of the client service - these are "Application permissions" NOT "Delegated permissions"
From the function app, select Authentication then edit the identity provider. The value for "Allowed token audiences" needs to be the api://guid value from the "Application ID URI" value of the app registration for the target app service. I noticed that I had problems when using a non-guid value for this

How to connect custom API using own OAuth2 in Microsoft Power Automate?

I've been trying to connect Microsoft Power Automate to my API. My API has a OAuth2 Code Flow.
According to Power Automate, the connector can make a connection to my API. and execute a test. But the problem is that Microsoft sends a Bearer token that was generated by them, and not the one that I gave to them via OAuth2, resuting on my API giving a 401 Error (Invalid Token) as expected.
In the Power Automate Custom Connector page, in the security tab I have the following:
Authentication type
OAuth2.0
OAuth2.0 Settings
Identity Provider: Generic OAuth2
Client ID: SomeValue
ClientSecrect: SomeValue
Authorization URL: mydomain.com/auth/authorize
Token URL: mydomain.com/auth/token
Refresh URL mydomain.com/auth/token
Redirect URL: microsoft-flow.com/redirect (Not the real one)
When Microsoft makes a POST request to mydomain.com/auth/token, I return the following body:
{
access_token: "non JWT token", // simillar to a hash
refresh_token: "non JWT token",
expires_in: 3600
}
The request above is final request that microsoft before accepting as a valid connection. The token that microsoft sends me is a JWT one, not the one I provided.
I've seen some guys using Azure AD authentication within the APP, but I was trying to implement something simillar to other platoforms(e.g Github, Spotify, e.t.c)
So my question is it possible to connect Power Automate to a custom API with using OAuth2? If yes, how to do it?
It's possible.
In addition to the OAuth2.0 Settings you listed, there is another important property Scope which you have missed.
Since your API is protected in Azure AD, so I assume that you have created an Azure AD app for your API and exposed scopes.
After that, you can get the application ID URI (api://{clientId}) for your API.
You should put this value into the "Scope" in Power Automate, like this:
Then this access token will be considered valid by your API.
I've done two steps to fix this problem.
Step 1
Previously my API returned the body with access_token, refresh_token and expires_in, but then I added scope and token_type. Example:
{
access_token: "2346ad27d7568ba9896f1b7da6b5991251debdf2",
refresh_token: "4468e5deabf5e6d0740cd1a77df56f67093ec943",
expires_in: 3600,
scope: "none",
token_type: "Bearer"
}
Step 2
Delete the custom connector and create a new one with the same parameters. When I got to the "Test" section, Power automate finally could make the GET request successfully.
In my case, even if the the API was updated, Power automate was still using its faulty token, so I had to delete that custom connector and create new one.
Conclusion
By updating the API and deleting the old custom connector, I was able to get the connector working.

How to request access token from Battle.net OAuth with authorization code?

I have a hobby project in mind to use battle.net login. I'm wondering how I can obtain the access token from the API after receiving the authorization code.
This is Oauth flow question rather than a battle.net question.
Currently I can successfully authorize the user for my app which is registered in dev.battle.net and then I try to use the authorization code returned from the battle.net login to obtain the access token by sending a request to https://<region>.battle.net/oauth/token.
However I keep receiving this error:
{
"error": "unauthorized",
"error_description": "An Authentication object was not found in the SecurityContext"
}
I use postman extension to send post requests to that uri. I authenticate my request with my client id and secret. I pass redirect_uri (https://localhost), granty_type (authorization_code), code(the code returned from the previous authorization step). However I keep getting the error above.
I couldn't find much about battle.net online. There are other oauth related help articles but couldn't really find my way.
Wondering if you can help me with this easy stuff. I'm just wondering what I'm skipping here.
Here is the documentation:
https://dev.battle.net/docs/read/oauth
https://localhost is added in my mashery dev account's app settings.
Me again, I resolved this problem after trying almost every combination in the universe:)
Steps to apply:
Don't use the same authorization token for different access token trials, they are not valid
Always use https on every domain you test including localhost, you
redirect_uri must be https as well.
You must use the "basic authentication" in the header of your POST request while requesting the token from the authorization code you obtained from the previous step.
This is one of the most important ones: For requesting token, Pass redirect_uri, client key and secret as POST form parameters to the authenticated request. This is interesting because it's already an authenticated request; why would i need to pass my secret again? Anyways, that's how it works.
Here are the full text:
http://hakanu.net/oauth/2017/01/26/complete-guide-of-battle-net-oauth-api-and-login-button/
This is working prototype:
https://owmatch.me
Thanks.

Getting invalid oauth access token: where is the token I need?

I would like help obtaining/locating the correct access_token value for an API call.
I'm configuring an application that wants to search Facebook using the graph-api search request at https://graph.facebook.com/fql, for which I need an access_token. The application is a backend server so there's no UI and no users.
I registered a new 'app' using the developer pages 'Create a New App' link, so I now have an app at: https://developers.facebook.com/apps/<> and from that I get an 'app secret' token. Digging into the Advanced settings page for the app there is also a Client token.
However using either token results in the following JSON error:
{"error":{"message":"Invalid OAuth access token.","type":"OAuthException","code":190}}
Can anyone point me to where I've gone wrong?
==
The following 'curl' request demonstrates the command working correctly, but it's only usable token-less like this occasionally, so the app needs &access_token=...stuff... adding to the parameters.
$ curl 'https://graph.facebook.com/fql?q=select%20url,%20share_count,%20like_count,%20comment_count,%20click_count,%20total_count%20from%20link_stat%20where%20url%20=%20"http%253A%252F%252Felifesciences.org%252Fcontent%252F2%252Fe01233"'
{"data":[{"url":"http\u00253A\u00252F\u00252Felifesciences.org\u00252Fcontent\u00252F2\u00252Fe01233","share_count":0,"like_count":0,"comment_count":0,"click_count":0,"total_count":0}]}
The 'app secret' and 'Client token' will not work.
What you need is an Access Token, refer to this.

Resources