I'm currently trying to get the authorization token from Okta using a GET request from my app using fetch API. The first step works well and I get the sessionToken. The next step requires me to pass this sessionToken in the url of a get request . Once this is done I should be getting an html object but what I instead get is a 404 message from the server on the console and the id_token embedded in the failed url which also is on the console. I have tried every possible fix and yet it doesn't seem to work.
async function getAccessToken(url = '', sessionID= ''){
const response = await fetch(url + sessionID);
return response
}
ON THE CONSOLE: Failed to load resource: the server responded with a status of 404 () the failed url with the id_token
When I copy this URL and run it in the browser it works. Response contains the callback url alone and I don't seem to have anyway to access the id_toke. Any way to access this id_ token would do for now.
Related
i have an Oauth app that im trying to get synced to strava, but am getting the below error:
Request failed with code: 400, message: {"message":"Bad Request","errors":[{"resource":"Application","field":"client_id","code":"invalid"}]}
the request looks like this:
https://www.strava.com/oauth/authorize?approval_prompt=force&client_id=60232&response_type=code&redirect_uri=https%3A%2F%2Fyourway.local%2Fuser%2Fsecurity%2Fauth%3Fauthclient%3Dstrava&xoauth_displayname=Your%20Way&state=d7bacc541e1bbc39ec956adbce63e1b15a00a9817367726e663d02e354df883d
i get the Strava Authorize screen but then get that error, the client ID does match and the return URI matches the domain in Strava
I worked it out that it was a subsequent call without the required params.
I am attempting to get an OAuth2 access token from ZOHO using RestSharp code. The Postman simulation works correctly so I know there is something I'm missing in my code.
I always get an "invalid client id" result status. However in Postman, it works and returns a code when I click the "Get new access token". I have the same items as in the Postman authorization tab (client_id, client_secret, etc). In Postman, "Body" is set to "none", and there are no parameters or headers. The only difference between my code and postman, is that Postman requires the Callback URL. My code is trying to get the code using "self-client", which bypasses the callback URL.
I have tried several different alternatives to the request call including ParameterType.Body, and ParameterType.GetOrPost. Is GetOrPost the same as a form?
client = New RestClient(ZOHO_API_URL)
request = New RestRequest(TokenUrl, Method.POST)
request.AddHeader("content-type", "application/x-www-form-urlencoded") ' also tried: "application/json")
request.AddParameter("grant_type", "authorization_code",
ParameterType.GetOrPost)
request.AddParameter("client_id", Client_ID, ParameterType.GetOrPost)
request.AddParameter("client_secret", Client_Secret,
ParameterType.GetOrPost)
request.AddParameter("code", Grant_Token, ParameterType.GetOrPost)
response = client.Execute(request)
This is the translated Postman code for RestSharp:
var client = new RestClient("http://");
var request = new RestRequest(Method.POST);
request.AddHeader("Postman-Token", "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx");
request.AddHeader("cache-control", "no-cache");
IRestResponse response = client.Execute(request);
Any ideas on what I am doing wrong. I have tried to view the raw data coming across with Fiddler, but when I do that, Postman indicates a failure.
What code do I need to use to duplicate what Postman is doing?
How do I implement a callback URL if that is also required?
I quickly checked ZoHo REST API docs and it seems like you should use the Limited Input Device authentication flow.
From what I can understand from their help page, you indeed need to do a POST request, but parameters must be specified as query parameters:
https://accounts.zoho.com/oauth/v3/device/code?
client_id=1000.GMB0YULZHJK411248S8I5GZ4CHUEX0&
scope=AaaServer.profile.READ&
grant_type=device_request
You will also get better off with JSON set as a default for serialisation and content type just by using client.UseJson().
It maybe that Postman is following a redirect from your API endpoint as the functionality is different Postman verses RestSharp (possibly missing a trailing slash or similar).
Try adding
client.FollowRedirects = false;
to your RestSharp code and analyse the result.
I am trying to generate an access token for the API which I have hosted locally in my machine.I am able to retrieve the Access token using Postman. But I am unable to do the same using RestAssured.
Below is the code snippet I wrote for the same.
Response authentication = RestAssured.given().auth()
.basic("admin", "password123").header("content-type", "application/json")
.when()
.post("http://localhost:3001/auth/");
Response :
{"reason":"Bad credentials}
Please help me to figure out this if am missing anything in this.
Response authentication = RestAssured.given().auth().preemptive()
.basic("admin","password123")
.header("content-type", "application/json")
.when().post("http://localhost:3001/auth");
https://github.com/rest-assured/rest-assured/wiki/Usage#basic-authentication
I'm new to keycloak and tyring to get access token from keycloak using GET request method through postman but experiencing http 405 error (Method not allow)
I already have tried this but it's not working and throwing HTTP 405 error method not allowed
MEHTOD: GET
URL: https://keycloak.carbook-dev.gocarbook.com/auth/realms/carbook/protocol/openid-connect/token
{
"realm":"carbook",
"bearer-only":true,
"grant_type":"password",
"client_id": "web_app",
"username":"admin*****",
"password":"a*****"
}
I'm expecting access token upon successfully completion of that request such as
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJJQk1YWTd0TGpfejg5c1p2Z2JrUHp.....
I can achieve the same using postman GET NEW ACCESS TOKEN form but i want to achieve this through rest call so that later on i could use the same request in cypress to access the token for subsequent calls.
Shouldn't you POST the request instead of GET ?
The message seems to tell that GET method is not allowed for this endpoint...
I have a use-case where I need to spoof a white-listed Redirect URL locally when performing OAuth 2 authentication.
I'm running a very basic web-server coupled with a hosts file entry for the domain I'm spoofing. I'm able to correctly negotiate my tokens and return them to Paw, but Paw isn't picking up my access_token or refresh_token, it simply displays the raw response:
Here's my server code (with placeholders for sensitive data):
var http = require('http'),
request = require('request');
var PORT = 6109;
var server = http.createServer(function(req, res) {
var code = req.url.split('?')[1].split('=')[2];
request({
url: 'https://<access token URL>/oauth2/token?code=' + code,
method: 'POST',
form: {
'client_id': <client_id>,
'client_secret': <client_secret>,
'grant_type': 'authorization_code',
'redirect_uri': <spoofed redirect URL>
}
}, function(err, response, data) {
data = JSON.parse(data);
res.writeHead(200, {'Content-Type': 'application/json'});
res.write(JSON.stringify(data.result));
// I also tried this with the same end-result
// res.writeHead(200);
// res.write('access_token=' + data.result.access_token + '&token_type=' + data.result.token_type + '&refresh_token=' + data.result.refresh_token);
res.end();
});
});
server.listen(PORT, function() {
console.log('Server listening on port %d', PORT);
});
What am I missing? Why isn't Paw finding my tokens?
Here's my configuration for reference:
Some other noteworthy points:
The OAuth provider is non-standard and flubs quite a few things from the spec (my proxy exists in part to patch up the non-standard bits)
The domain for the Redirect URL is real, but the URL does not resolve (this is a part of the reason for the local hosts entry)
I'm not showing this part of the flow, but I am correctly completing the authorization step prior to being given the code value
I think you're probably confused between the Authorization URL and Access Token URL. When you're in Authorization Code grant type for OAuth 2, you're expected to have a user confirmation step in a web page (the Authorization URL).
Which makes me guess that instead, you're expecting instead to use the Password Grant or Client Credentials? Otherwise, if you want to use Authorization URL, you'll need to specify a webpage at the Authorization URL.
Note: I've tried your Node.js script in Paw using the two last grants I mentioned (Password Grant & Client Credentials), and it works nicely.
Update: Following the comments below, I understand more what you are doing. The Authorization Request should (if successful) return a 302 redirect response to the Redirect URL page, and append a code URL query param to it. It seems like you're returning a JSON response with the code instead, so Paw isn't catching it.
According to the OAuth 2.0 spec (RFC 6749), section *4.1.2. Authorization Response*, if granted, the code should be passed as a URL query param (i.e. a ?key=value param in the URL) to the Redirect URL when doing the redirection.
If the resource owner grants the access request, the authorization
server issues an authorization code and delivers it to the client by
adding the following parameters to the query component of the
redirection URI using the "application/x-www-form-urlencoded" format
Quoting the example from the spec, here's how the response of the Authorization Request should look like if it's a success (code is granted):
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
&state=xyz
I saw that the Redirect URL contains "my Spoofed Uri".
When we need to use authorization code flow, we provide the authorization code and redirect Uri.
When the URI you are providing does not match the URI saved for the client in Identity server, you will not be able to get the token as the URI does not match with the client authorization code.
For example : Consider client identity in the Identity server be:
Auth Code: "xyx"
Redirect Uri: "www.mylocalhost.com\xyz"
And in your example the combination you are providing is:
Auth Code: "xyx"
Redirect Uri: "<my spoofed uri>"
As these 2 wont match there will be no token received.
I believe if you use the correct URI that is registered with the client in the Identity server, you will be able to receive the token.