I'm in the context of an embedded devices that uses an HTTPS client to request an access token on behalf of a user (delegated permission needed for the app).
I'm currently using OAuth 2.0 ROPC (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc) to get my token and everything works fine.
But since this authentication is deprecated I'd like to change to a more secure solution that works in hybrid identity federation scenarios.
I see that many other solutions exists, but I can't find one that doesn't need to interpret an HTML/JS response.
Here a CURL example to explain my point:
ROPC request:
curl -X POST "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token" --data "grant_type=password&scope=EWS.AccessAsUser.All&username=<username>&password=<password>&client_id=<client_id>&client_secret=<client_secret>" -H "Content-Type: application/x-www-form-urlencoded"
Response:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0eX....1234"}
Here I can extract the token directly from the response.
But using other ways to get delegated permission token such as OAuth 2.0 Implicit Grant flow (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow), responses are always an HTML that I can't interpret.
So here I am wondering if there is a solution to this situation.
Thanks in advance,
Aloïs KYROU
You cannot use the implicit flow to obtain the token in the tool, you can only run the request url in the browser. Because using the implicit flow requires you to log in. Please note that before this, you must enable id token and access token.
Request the id token and access token in the browser.
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client id}
&response_type=id_token token
&redirect_uri={redirect_uri}
&scope=openid EWS.AccessAsUser.All
&response_mode=fragment
&state=12345
&nonce=678910
Related
I'm try to request call this route api.twitter.com/2/users/:id/following also getting the error :
Authenticating with OAuth 2.0 Application-Only is forbidden for this endpoint. Supported authentication types are [OAuth 1.0a User Context, OAuth 2.0 User Context].
I've trying to understand how I should generate an oauth token valid for this request, but i'm a bit lost! I've all the pipe line for the user authentication and for the last request I can get all user data including userToken and tokenSecret how i can use that info to generate the token for my request?
Also I've try to generate a token generate with apiKey and apiSecret withtou success
curl -u 'apiKey:apiSecret'
--data 'grant_type=client_credentials'
'https://api.twitter.com/oauth2/token'
I'm really lost using twitter api because of the multiples ways to authenticate
The curl command you're using will give an App-Only token, this won't work if you're trying the POST /2/users/:id/following endpoint. Follow this guide on generating an OAuth 2.0 User Access Token.
I was using apim 3-m18 previously and post'ing to localhost:9443/api/auth/oauth2/v1.0/token?grant_type=password&scope=apim:api_view with the basic auth token of clientid:clientsecret returned from /api/id4entity/oauth2/dcr/v1.0/register endpoint worked fine in giving me the oauth token for admin api's - e.g. the logic laid out at wso2 API-M 3.0 - how to get oauth token for product/admin api calls
However, I upgraded to latest rev (m24) and the dcr register endpoint still works fine, but when I then hit the token api with the base64-encoded clientid:clientsecret from dcr, the request hangs before i get a timeout error.
When I exit m24 and restart m18 and make the exact same requests (dcr call for clientid/secret, then token api call), it works. Then switching to m22 fails with same requests.
I didn't see any documentation or issues in github on this, so was curious if anyone knows what I might need to change to get the oauth token. Thanks.
Could you please use the following curl command
curl -X POST -H "Authorization: Basic N2Y4MzM0ODEtNjk1ZS00OWY4LTg0OTgtOGU0NjUwNzhmYjljOmU1NmZlOTM3LTQwZjYtNGEwMy04MDIzLTE4ZGE0YmZmNWU3OA==" -H "Content-Type: application/x-www-form-urlencoded" -d 'username=admin&password=admin&grant_type=password&scope=scope' "https://localhost:9443/api/auth/oauth2/v1.0/token" -kv
Authorization token is Base64 encoded(clientId:clientSecret)
I have a hobby project in mind to use battle.net login. I'm wondering how I can obtain the access token from the API after receiving the authorization code.
This is Oauth flow question rather than a battle.net question.
Currently I can successfully authorize the user for my app which is registered in dev.battle.net and then I try to use the authorization code returned from the battle.net login to obtain the access token by sending a request to https://<region>.battle.net/oauth/token.
However I keep receiving this error:
{
"error": "unauthorized",
"error_description": "An Authentication object was not found in the SecurityContext"
}
I use postman extension to send post requests to that uri. I authenticate my request with my client id and secret. I pass redirect_uri (https://localhost), granty_type (authorization_code), code(the code returned from the previous authorization step). However I keep getting the error above.
I couldn't find much about battle.net online. There are other oauth related help articles but couldn't really find my way.
Wondering if you can help me with this easy stuff. I'm just wondering what I'm skipping here.
Here is the documentation:
https://dev.battle.net/docs/read/oauth
https://localhost is added in my mashery dev account's app settings.
Me again, I resolved this problem after trying almost every combination in the universe:)
Steps to apply:
Don't use the same authorization token for different access token trials, they are not valid
Always use https on every domain you test including localhost, you
redirect_uri must be https as well.
You must use the "basic authentication" in the header of your POST request while requesting the token from the authorization code you obtained from the previous step.
This is one of the most important ones: For requesting token, Pass redirect_uri, client key and secret as POST form parameters to the authenticated request. This is interesting because it's already an authenticated request; why would i need to pass my secret again? Anyways, that's how it works.
Here are the full text:
http://hakanu.net/oauth/2017/01/26/complete-guide-of-battle-net-oauth-api-and-login-button/
This is working prototype:
https://owmatch.me
Thanks.
Trying to add twitter login using OAuth and it has been a nightmare to get the first step of requesting the token, which results in 401 error as always.
I used twitter's Test OAuth tool to compare the http request that my scala server sends.Curl request works while my server request fails. Pasting them below for comparison.
Curl Request
curl --request 'POST' 'https://api.twitter.com/oauth/request_token' --data 'oauth_callback=http%3A%2F%2F0.0.0.0%3A8081%2Fweb' --header 'Authorization: OAuth oauth_consumer_key="wRflKWWomJ9jKeK8wbTk0Jck3", oauth_nonce="46ef029600fcc2a6cbe068eb9711401c", oauth_signature="3ptB%2B6%2Fv9QYGgyQjO9DhuD7pmzA%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1422879905", oauth_version="1.0"' --verbose
Scala server Request
HttpRequest(POST,https://api.twitter.com/oauth/request_token,List(Authorization: OAuth oauth_consumer_key="wRflKWWomJ9jKeK8wbTk0Jck3", oauth_nonce="70449464359328", oauth_signature="yEni23tuzEveIMtDm7%2F8N2anU%2FM%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1422879900", oauth_version="1.0"),HttpEntity(application/x-www-form-urlencoded,oauth_callback=http%3A%2F%2F0.0.0.0%3A8081%2Fweb),HTTP/1.1)
Things I tried:
Made sure timestamp is within 5 minutes
Made sure "Allow this
application to be used to Sign in with Twitter" is set in twitter
settings.
Callback url is set - http://0.0.0.0:8081/web (even tried
proxy names for localhost by changing ip table)
Tried generating request token using Saclaj
Used custom OAuth signature request primarily using OAuth.scala
This 401 twitter request token seems to be a recurring theme for many folks, complicated by various failure points. Any help is much appreciated.
For anyone else facing this issue, I am listing down few things that you could benefit from.
After excruciating attempts of permutations and combinations,
oauth_token had to be a part of the signature (even if its value is
empty string). I am not sure if it is mentioned anywhere and particularly ironic that you had to remove access token and secret while using Twitter's OAuth testing tool (for the Curl command to work properly which took some bloody lot of time to figure out.)
It is good to validate your basestring - Tool
Validating if your signature process is correct - Check point (f)
Another possible scenario
In my Twitter client app settings screen, I set an option "Enable Callback Locking (It is recommended to enable callback locking to ensure apps cannot overwrite the callback url)" and this caused me getting 401 unauthorized error on trying to get request token.
Hoping someone can help me out here. I'm using Google Contacts API to fetch a list of contacts. To my understanding, this is done by sending a GET request:
https://www.google.com/m8/feeds/contacts/default/full?alt=json&max-results=9999&oauth_token=OATH_TOKEN_HERE
However, this is wildly insecure as any intruder can gain access to the oauth_token in the URL. To combat this, I'm trying to send this as a POST request with my parameters (alt, max-results, oauth_token) as the data. However, I simply get an error that "Authorization is required". I've tried adding "Authorization: OAuth" to my headers but to no avail (get an error that authorization type is not recognized).
Any advice? I need a secure way to send the oauth token to Google such that my security software won't complain about a security hole in my program ...
Thanks!
To answer your question directly, even though security is irrelevant as you are using HTTPS, you cannot POST to Google to get a list of contacts. Google requires you use Get.
The proper formatting for authorization (Because you can still use a Get and not pass the oauth_token as a query string is to use an HTTP Header formatted:
Authorization: Bearer 1/fFBGRNJru1FQd44AzqT3Zg
Using OAuth 2.0 to Access Google APIs