I have created an app in developer tools and performing step1 to get the authorization code on callback url
step1:
https://app.smartsheet.com/b/authorize?response_type=code&client_id=vztdl8m9evf73v4fumz&scope=READ_SHEETS%20WRITE_SHEETS&state=MY_STATE
step1 will call redirect url and gives code which is used in step2 below
step2:
https://api.smartsheet.com/2.0/token?grant_type=authorization_code&client_id=vztdl8m9evf73v4fumz&code=i58077psfhsglxru&client_secret=jstivmg6zwvffhhdlib
With the refresh_token from above I am getting refresh_token to access the smartsheet data.
step3:
https://api.smartsheet.com/2.0/token?client_id=vztdl8m9evf73v4fumz&client_secret=jstivmg6zwvffhhdlib&grant_type=refresh_token&refresh_token=qhetlorupehbdob3ujfjo7q0r3
But code generated in step1 expires in 599531.How to get new authorization code again? I want to automate all this process in Mule 4 with HTTP requests. Step2 and step3 I am clear. But I am unable to automate the step1. Calling this on postman is giving some html response
Related
I am trying to configure a third party web application to use Azure AD as the OIDC provider. The authentication works fine, however I am looking for some claims and not able to find an ID or Access Token. Here is the flow as I am seeing it
Call to the login page of the web application. This gets a 302 redirect to the Microsoft OAuth endpoint as below
The URL is https://login.microsoftonline.com/-tenantid-/oauth2/v2.0/authorize?client_id=-clientid-&redirect_uri=-encodedCallbackURI-&response_type=code&scope=openid+email+profile&state=123 This does a 302 to below URL
Next call is to https://login.microsoftonline.com/-tenantid-/oauth2/v2.0/authorize?client_id=-clientid-&redirect_uri=-encodedCallbackURI-&response_type=code&scope=openid+email+profile&state=123&**sso_nonce=O.eyJ0eXAiOiJK......**&client-request-id=-guid-&mscrid=-guid- This returns a 200
Next is the redirect back to the hosted web application indicated in teh callback - https://webApplicationURL/callback?code=0.AQ4Ayjxg80......&state=123&session_state=5b7c2e43-9eab-4bb1-9f24-d020f144d30d
At this point, the user has successfully been authenticated. However, I would like to find the ID or Access Token received.
The sso_nonce(in #3) is in a JWT format but has no claims.
The code(in #4) doesn't have any of the claims either and doesnt really seem to be a JWT token format.
So where is the ID Token or Access Token that I can use to decode and see what claims are getting passed (or not)?
Thanks in advance,
Jake.
To get tokens while calling login page of the web application, you can execute the below request in browser by including response_type as id_token+token:
https://login.microsoftonline.com/<tenant_ID>/oauth2/v2.0/authorize?
client_id=da5daf42-xxxx-xxxx-xxxxxx04a52 //your AppID
&response_type=id_token+token //Required
&redirect_uri=https://jwt.ms //your Redirect URL
&response_mode=fragment
&scope=openid+profile+email
&state=12345
&nonce=678910
Make sure to enable tokens for your web application before executing the above request like below:
Go to Azure Active Directory -> App Registrations -> Your App -> Authentication -> Enable tokens -> Save
I tried to reproduce the same in my environment and got the below results:
When I executed the above-mentioned request in the browser, it asked me to sign in like below:
After successful sign-in, it took me to the redirect URL with tokens in the address bar like below:
When you copy-paste the above in Notepad or any, you can find both access_token and id_token like this:
I got the claims successfully when I decoded the token like below:
Reference:
OpenID Connect (OIDC) | Microsoft Docs
I want users to request Uber rides from my app.
https://developer.uber.com/docs/rides/authentication
Under OAuth 2.0 section at the above url, there are 6 steps :
1. Authorize (done)
2. Receive Redirect (done)
3. Get an Access Token ('invalid_grant' error)
The following screenshot is from Postman.
I tried passing client_id, client_secret, grant_type, redirect_uri and code as params, form-data and x-www-form-url-encoded. But everytime it returns the same error.
I have put 'http://localhost:3000/auth/uber/callback' as redirect url in my Uber App dashboard.
I have even tried the following curl command in the terminal,but it returns the same 'invalid_grant' error
Can someone help me with this issue.
Your postman request looks correct to me. My best guesses at whats going on:
1) You have multiple redirects set up, and you're using one redirect url when you do the authorization phase and a different one when you try and do token exchange
2) You're doing authorization for one client_id, and trying to do token exchange for another
3) You're authorization code has already been used / expired. Keep in mind its only good for one request.
Could you try the following and tell me what happens:
1) Do the authorization flow and pay special attention that the client id and redirect uri you put in your authorization URL are correct
2) After your browser redirects, copy the authorization code out of the redirect URL
3) Put the authorization code into the postman request / curl statement and make sure that the client id / redirect URI is correct when you do it.
Status Code: 401 Unauthorized
{
"error": "invalid_grant"
}
You are using an invalid refresh_token. You can generate multiple
access tokens, but you can only use the latest generated
refresh_token.
You supplied an invalid code when exchanging an authorization code
for an access_token.
I have a global account that has several views that I want to use on the server side to embed dashboards for the various views on the client side. From what I understand, I get an access token using a service account on the server side and can then send the access token to the client side whenever needed. I was wondering, is this the correct flow? Should the access token be per session?
The authorization on the client side shown here has a field for a server auth access token, but couldn't find documentation on the exact flow I wanted. Basically I'm unsure what the proper way of generating that server auth access token is. Any help/pointers would be very much appreciated.
[Here][1] is an example of how to set up server side auth. The above code creates a new token when anyone visits the site. You can see the endpoint that gets that access token [here][2].
Below are the general steps to get to a working version:
Step 1: Create a service account and download the JSON key
Step 2: Add the service account as a user in Google Analytics
Step 3: Use the JSON key data to request an access token
# service-account.py
import json
from oauth2client.client import SignedJwtAssertionCredentials
# The scope for the OAuth2 request.
SCOPE = 'https://www.googleapis.com/auth/analytics.readonly'
# The location of the key file with the key data.
KEY_FILEPATH = 'path/to/json-key.json'
# Load the key file's private data.
with open(KEY_FILEPATH) as key_file:
_key_data = json.load(key_file)
# Construct a credentials objects from the key data and OAuth2 scope.
_credentials = SignedJwtAssertionCredentials(
_key_data['client_email'], _key_data['private_key'], SCOPE)
# Defines a method to get an access token from the credentials object.
# The access token is automatically refreshed if it has expired.
def get_access_token():
return _credentials.get_access_token().access_token
Back to the client side:
Step 4: Load the Embed API library.
<script>
(function(w,d,s,g,js,fs){
g=w.gapi||(w.gapi={});g.analytics={q:[],ready:function(f){this.q.push(f);}};
js=d.createElement(s);fs=d.getElementsByTagName(s)[0];
js.src='https://apis.google.com/js/platform.js';
fs.parentNode.insertBefore(js,fs);js.onload=function(){g.load('analytics');};
}(window,document,'script'));
</script>
Step 5: Add HTML containers to host the dashboard components.
<div id="chart-1-container"></div>
<div id="chart-2-container"></div>
Step 6: Write the dashboard code.
Use the access token obtained in step 3 to authorize the Embed API.
gapi.analytics.ready(function() {
/**
* Authorize the user with an access token obtained server side.
*/
gapi.analytics.auth.authorize({
'serverAuth': {
'access_token': '{{ ACCESS_TOKEN_FROM_SERVICE_ACCOUNT }}'
}
});
...
The additional work of creating an endpoint which returns the token depends on your back end implementation but the source code of how the demo does it can be found [here][2].
[1]: https://ga-dev-tools.appspot.com/embed-api/server-side-authorization/
[2]: https://github.com/googleanalytics/ga-dev-tools/blob/abb3c5a18160327a38bf5c7f07437dc402569cac/lib/controllers/server_side_auth.py
I'm not very familiar with Google Analytics, but as far as OAuth goes, the handling of access tokens and refresh tokens should all be on the server-side. The client receives an authorization code and provides that to the server, which then obtains the tokens and uses the tokens to obtain the data necessary. There shouldn't be any need to send an access token to the client.
It might be helpful to read this, which describes the standard OAuth flow:
https://developers.google.com/identity/protocols/OAuth2
I am using code in following link to Renew access token for Intuit QuickBooks integration.
https://gist.github.com/IntuitDeveloperRelations/7259345
but, I am unable to test this code as intuit renew its access token only after 150 days from token creation date and I've created token only few days back. So I don't know the output. Right now, it is generating xml response with error message.
Now this method is returning me a single string which seems to be the Access Token. Do I also need to renew Access Token Secret ? If yes, then how to generate it ? Or the output contains secret as well ?
Actually, Can you give me the output for this method?
A successful response looks like this:
<ReconnectResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://platform.intuit.com/api/v1">
<ErrorMessage/>
<ErrorCode>0</ErrorCode>
<ServerTime>2012-01-04T19:21:21.0782072Z</ServerTime>
<OAuthToken>qye2eIdQ5H5yMyrlJflUWh712xfFXjyNnW1MfbC0rz04TfCP</OAuthToken>
<OAuthTokenSecret>cyDeUNQTkFzoR0KkDn7viN6uLQxWTobeEUKW7I79</OAuthTokenSecret>
</ReconnectResponse>
Refer to Intuit's documentation.
Notice that you will get back both a new token and a new token secret which you should store.
Remember that you can use Intuit's OAuth Playground to generate shorter lived tokens to test with.
You can test Reconnect API in the following way-
1. Navigate to IPP Playground- Go to Manage My Apps->Click on your app
Fill in consumer key and consumer secret in links below.
Prod: https://appcenter.intuit.com/Playground/OAuth/IA/?ck=prodConsumerKey&cs=prodConsumerSecret
Alternatively, you can navigate to the Manage page for your app on stage or prod and click ‘Test connect to app (OAuth)’.
Enter the duration you would like for the issued OAuth tokens (e.g., 3600 for successful Reconnect) in the ‘Access Token Duration’ field.
Click on the Connect to QuickBooks button, go through OAuth flow to authorize a connection to a realm.
Under the resulting Post-Connection Interactions heading, click ‘Reconnect API Test’. Screen shot attached.
A new page will launch where your OAuth tokens are displayed. Copy these values to your application to test Reconnect.
See if this reconnection code sample helps:
http://developer.qbapi.com/Reconnect-to-Quickbooks-Online-.aspx
I'm only starting to explore what OAuth and I have barely any clue of the related terms.
In a PHP code snippet, I saw :
// Callback can either be 'oob' or a url
$callback='oob';
I'd like to know what oob is?
oob usually stands for "out of band". I would assume that this is to support OAuth responses that come through an unspecified method.
OOB ("out of band") is an alternative to the traditional 3-step process of an OAuth flow (known as 3-Legged-OAuth). The user is not redirected after granting access to a consumer, instead, a code is shown to the user which he needs to manually input in the Consumer App. The difference is outlined in the step 2b below.
An OAuth1a flow:
Step 1: Get a short lived request_token which can be used to access the User Authorization URL.
Step 2: Use the request_token to access and show the User Authorization URL to the user. The user will see a screen where he can accept or decline access; the tipical "Do you want to give App ABC access on your behalf?".
Step 2a (callback url): If a callback_url has been provided, the user will be redirected to that callback URL. The URL will include the parameter oauth_verifier which contains a code, needed for step 3.
Step 2b (callback is oob): If the callback_url is set to oob, the user will not be redirected. Instead, the oauth_verifier code is shown to the user. This must be implemented by the Provider. The user can use this code in the Consumer App, usually a mobile app or any other non-browser based App, to continue to step 3.
Step 3: The oauth_verifier code (and Request Token) is used to get a long-lived access_token. The Consumer can now make calls to the (REST)-API of the Provider using this token in his OAuth calls (the request still needs other OAuth parameters and needs to be signed etc.).
Further info:
Pin based authorization with Twitter API
OAuth1a core specification - Request URLs