https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/graph-oauth?view=odsp-graph-online#step-1-get-an-authorization-code
I have followed this step to a tee, login with success, get redirected, and there is no code with the redirect url as the tutorial promises.
The following link is my version with the credentials.
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=a383dd3b-8306-4902-93d3-f5a33fe4a445&scope=Files.Read&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
I get taken to this page and sign into an account under the same namespace. Login view
After signing into a proper login, all I get in return is redirected to my redirect URI with no code attached to the end like the tutorial says I should. All I need is access to 3 files on my onedrive, but I can't seem to make it past OAuth2. Here is what I get redirected to. https://login.microsoftonline.com/common/oauth2/nativeclient
From first look it seems that the redirect_uri is wrong. This should be the endpoint where you receive the authorization code and then exchange it for the rest of the OAuth process.
I work with Pathfix and we solve the problem of OAuth token management using a serverless infrastructure.
To summarize, here is what your url should look like
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=a383dd3b-8306-4902-93d3-f5a33fe4a445&
scope=https://graph.microsoft.com/Files.ReadWrite.All%20offline_access&
response_type=code&
redirect_uri=https://your endpoint
An additional note on the scope. Note above that the scope definition for token should be as I have specified above
It all works the same. I just made sure my app was open to all tenants and replaced the .com with .us in all links but the redirect uri. Hopefully, this helps someone else. For example, my data is on a sharepoint, but the microsoft graph api works the same for all accounts with a difference in .us, .com, and few others.
Related
Before someone marks this question as duplicate,
Yes I know audit log is a thing.
No I won't use it because it requires permission.
Yes it's easier to find out server owner
No I need to know exactly who invited my bot
I want to:
Find out who invited my bot the server (user-guild id pair) using invite link redirection.
I read about the OAuth2 API but didn't quite undertstand it due to my lack of background knowledge.
All I understand is that bot invite links can have redirect uri,
and some infos are transfered to it after authentication.
Is it possible to get user/guild id from this?
I tried:
Setting up http server using python -m http.server,
add my IP to redirect uri list in dev page & generate a invite link containing redirect to my IP.
But I didn't get redirected to my http server after inviting my bot using that link,
and nothing got printed on the http server console either.
Things to note:
A. Don't reveal your client secret or your bot token for any purpose. If you do so, immediately regenerate them from the developer portal.
B. Code and token have different meanings in the answer below.
C. This is not for absolute beginners and you are expected to have a general understanding of web requests(specifically GET and POST requests). You might also need to host the site handling redirect URL.
D. This does not cover security issues in any shape, way or form.
In the bot tab of the developer portal, enable the REQUIRES OAUTH2 CODE GRANT option. This prevents the bot from joining a server unless step 4 is completed.
Then use the OAuth tab to generate an OAuth URL with identity and bot scopes. This is important to get user info in step 5.
When someone visits the URL, logs in, and selects a server, they are redirected to your redirect URL. This URL receives a single-use code as URL parameter ie the URL will be <base_url>&code={code}<other stuff>. It is up to you (and probably outside the scope of any SO answer; google is your friend here) to set up a web server and handle requests.
This code can then be used to get a token. This link explains how to exchange code for token. It involves sending a post request with your application's client id and secret. Both are available from discord's developer portal. The response will also have information about the guild along with the token in fields "guilds" and "access_token" respectively.
Send a get request to https://discord.com/api/v9/users/#me with a header containing Authorization: Bearer ${token} where the token is obtained in step 4. The response is in JSON format and contains user data specified here. Note: The link above is for the latest API version v9 which may change in future versions.
Edit:
It is possible to manually modify the URL to remove identity scope from URL. The bot would still join the server as long as you make a request to exchange the code for the token. In this case, the request to /users/#me would fail and you would have no access to the user object. It should be easy to make the bot leave the server if the request fails with the status code corresponding to unauthorized.
I've successfully implemented Discord's OAuth2 flow using the authorization code grant type into my application. The end user navigates to Discord's OAuth2 link for my bot, authorizes its access, and Discord redirects them back to my site with a code querystring. The bot then exchanges this code for an access token by querying Discord's API. Documentation on this process is available here for reference.
However, roughly every 50-100 requests to the exchange endpoint, I receive a 403 with the error invalid_grant and the description Invalid "code" in request. Frankly, I don't understand how the code just provided by Discord's system is instantly invalid. The same user can complete the process again and no error is returned the second time.
Out of desperation, I tried toggling on the option in the Developers Dashboard named Requires OAuth2 Code Grant seeing that it said "if your application requires multiple scopes," but it made no effect. I've also tried endless debugging, but the circumstances under each occurrence are apparently random. Oddly enough, I can't find anyone with the same issue online.
Below is the request I'm making in Node.js using the superagent library. It matches the documentation and works perfectly, other than the response randomly being the error described.
superagent.post('https://discordapp.com/api/v6/oauth2/token')
.type('x-www-form-urlencoded')
.set('Content-Type', 'application/x-www-form-urlencoded')
.send({
client_id: process.env.BOT_ID,
client_secret: process.env.BOT_SECRET,
grant_type: 'authorization_code',
code,
redirect_uri: process.env.OAUTH2_REDIRECT_URI,
scope: 'identify guilds.join',
});
I can confirm that all variables match their expected values. The value of redirect_uri matches that of redirect_uri in the original URL used. code is the value of the code querystring returned through the OAuth2 flow.
What (if anything) am I doing wrong that's causing the error?
Update 1:
Discord has directed me to the API GitHub repo, and I found the issue closed here. Commented and will update here if I receive any helpful info or resolve the issue completely (hopefully the case).
Ran into the same issue using nodejs. Leaving here notes for prosperity:
On Node, if there is no explicit app.head() handler, the .post() handler receives all head requests
Several Android phones, upon being redirected from discord, first send a head request to the endpoint
Meaning:
The user authenticates on discord, then through the redirect back, does a head request. This pulls discord with the code, BUT directly afterwards it also does a post request, which will fail (as you already used the code once), and possibly un-authenticates the user.
Solution for my specific issue was an explicit .head handler for all callback endpoints, which basically just returned the same headers (a redirect) as the post one did, but without calling discord.
Hope this helps.
did you use the OAuth2 link to invite your bot to your server - with the correct permissions? If so, in your main.js file did you define the token?
I.e. bot.login(“YOUR_TOKEN_HERE”)
I would recommend not toggling the ‘Requires OAuth2 Code Grant’ as it is a pain to do anything with in the beginning.
Please let me know of any progress :)
I actually looking for an answer for my problem of account linking on Google Assistant.
Sorry, the screens are in french but I can translate all if it's necessary to understand.
I followed the google account linking documentation until "implement your Oauth server"
https://developers.google.com/assistant/identity/oauth2?oauth=implicit
First:
On google Action, this is my configuration of account linking:
Next I'm trying to auth me on my application :
I have to sign in on Google Home APP.
I said, "talk to my test app:"
And google redirect me on my API with the authorization page.
I provide my password and my email.
The auth works on my API, but unfortunately an error is display on google assistant after the redirection ...
The error message in English is : "Sorry, an error occured. I didn't succeed to sign-up. You can try again later."
I don't understand why I got this Error ...
The URL GET authorize is :
http://f8f73376.ngrok.io/api/auth/authorize?redirect_uri=https%3A%2F%2Foauth-redirect.googleusercontent.com%2Fr%2Farlex-ccevqe&client_id=*clientid*&response_type=code&state=AB8b_TOd3At3ADLyuTi9k02War1fEmzT8vBeXxgHidVA5zTHVmVmE536Sjw60EAK_rUfb4Ie84Ly2l6E5AfW-F_Eo3hipueQzGbnEfpGlUHdhIeTQyfJYCk2I5-yT_n6vceOYeVlYfXF-frpVoiSCH9K2ns-7rbbgq3wEX2Px0DX3QH5ijgSsT7lvr0vOHECCCzTav9ldYf4G-EcruSModayIhIYBMKjKUQJqddBjJZ5JyCEE0cOJNvOeI13T35WoJ8_0HYoX2BXRYKGUJLiEOHX_cNlLWmcL1Y5wzDze6wa-qTM7Hvg7cutqO_u9pnhNWeMDkMgQljpSfUzyP7Ry1iWziE64nMtDmhxA48Qbufm-bRjpTRTCOBQN-_gLmx1aT2bBGTouSyg6cNY8E33HCzsp7H8qRfKYTdZ_Ga0IJcOam9MjNp2XFfgrw0uV7TTLig2LmYyJG_d-6urRGBY-xcwRxWkp7vCUtWvY6CXEZsF42rTjXYk-kr8xraS-2tNvgavhLASGvVVVgIg0AVSNZLdw9qvQMM-4NRFwsrAkZWz08kO493_lvA&user_locale=fr-FR
And the URL I sent for the redirection is:
https://oauth-redirect.googleusercontent.com/r/arlex-ccevqe#access_token=65cc814038a84114b8922b47eebc45cb&token_type=bearer&state=AB8b_TOd3At3ADLyuTi9k02War1fEmzT8vBeXxgHidVA5zTHVmVmE536Sjw60EAK_rUfb4Ie84Ly2l6E5AfW-F_Eo3hipueQzGbnEfpGlUHdhIeTQyfJYCk2I5-yT_n6vceOYeVlYfXF-frpVoiSCH9K2ns-7rbbgq3wEX2Px0DX3QH5ijgSsT7lvr0vOHECCCzTav9ldYf4G-EcruSModayIhIYBMKjKUQJqddBjJZ5JyCEE0cOJNvOeI13T35WoJ8_0HYoX2BXRYKGUJLiEOHX_cNlLWmcL1Y5wzDze6wa-qTM7Hvg7cutqO_u9pnhNWeMDkMgQljpSfUzyP7Ry1iWziE64nMtDmhxA48Qbufm-bRjpTRTCOBQN-_gLmx1aT2bBGTouSyg6cNY8E33HCzsp7H8qRfKYTdZ_Ga0IJcOam9MjNp2XFfgrw0uV7TTLig2LmYyJG_d-6urRGBY-xcwRxWkp7vCUtWvY6CXEZsF42rTjXYk-kr8xraS-2tNvgavhLASGvVVVgIg0AVSNZLdw9qvQMM-4NRFwsrAkZWz08kO493_lvA
There are two possible OAuth2 flows that you can use: Implicit (or "token") and Authorization Code (or "code"). While they are similar, there are some significant differences between the two in values of some of the parameters, how those parameters are sent back, and what else you need to support for each flow.
Although the URL you provided indicated you were following the "Implicit" flow, your screen shot shows you set Actions on Google to expect the Authorization Code flow. Additionally, Google is sending you a URL with response_type=code, and you are responding using a redirect that includes a hash and an access_token parameter, which are expected with the Implicit flow.
It looks like you have most things already setup to use the Implicit Flow, so the easiest solution would be to change this configuration in the Actions on Google Console. If you need the features that the Authorization Code Flow provide (most notably, limited lifetime for tokens), then you should adjust your server accordingly.
I'm currently implementing an OAuth2 authentication using Microsoft Bot Framework and Cortana as one of my channels. However, as I was setting up my OAuth2 configuration with the following details in where I properly set the Redirect URL both from Knowledge Store and apps.dev.microsoft.com
Knowledge Store:
apps.dev.microsoft.com:
Whenever I authenticate to Cortana based from the OAuth2 that I've configured, the redirect URI seems to be always set as https://www.bing.com/agents/oauth. Here's a screenshot of the http request from Cortana Authentication that I got from fiddler:
Which causes this error message:
Any idea how to fix this?
Don't forget that the bot channel (in this case Cortana) needs to be where the redirect points to. Cortana's redirect is https://www.bing.com/agents/oauth.
Documentation here. You can test OAuth via botframework and the emulator. In that case, the redirect is https://token.botframework.com/.auth/web/redirect. Documentation here. If you look at the diagram in the spec on page 10, you'll see that Cortana is the client. The auth call needs to come back to her. You also need to let the auth server know that the redirect URL is allowed. For Microsoft login, you go to the app dev portal, select your app, go add a "web platform" and register the redirect urls. That should solve the problem on both ends.
I created a Google OAuth 2.0 ClientID and secret in Google Developer console
After that I tested in Google OAuth playground (https://developers.google.com/oauthplayground).
and registered ClientID and secret already created above and applied to Google OAuth 2.0 playground setting menu.
Some people say that after creating ClientID/secret they need some time for testing. So after two days I tried to test in the same conditions but the error is same redirect_uri_mismatch.
How can I solve this?
As little as having a '/' at the end of your uri and not having the same '/' at the end in your code will throw it off.
Your site URL and the Authorized redirect URIs in developer console should be the exact match.
This kind of error occurs if one URL has www (http://www.example.com) and the other URL is non-www (http://example.com).
Other common URI mismatch are:
Using http:// in Authorized Redirect URIs and https:// as actual URL, or vice-versa
Using trailing slash (http://example.com/) in Authorized Redirect URIs and not using trailing slash (http://example.com) as actual URL, or vice-versa
Here is the step-by-step procedure (with screenshots) to update the Authorized redirect URIs in Google Developer Console (For those like me who found it difficult to get to that page).
Go to https://console.developers.google.com
Select your Project
Click on the menu icon
Click on API Manager menu
Click on Credentials menu. And under OAuth 2.0 Client IDs, you will find your client name. In my case, it is Web Client 1. Click on it and a popup will appear where you can edit Authorized Javascript Origin and Authorized redirect URIs.
Here is a Google article on creating project and client ID.
It should be a exact match what you have given in the console.developers.com.
In my case I missed the www in the url.
For eg: you have given http://www.google.com but in console.developers.com you gave http://google.com
It will still throw error. So it should be exact match.
The redirect URI (where the OAuth response is returned to) has to be registered in Google APIs console, and the error is indicating that you haven't done that, or haven't done it correctly.
Go to the console for your project and look under API Access. You should see your client ID & secret there, along with a list of redirect URIs. If the URI you want isn't listed, click edit settings and add the URI to the list.
I kept getting this same error until I realized that I needed to put "signin-google" at the end of the redirect setting in the Google API console, like this (ie, NOT http://www.example.org/api):
http://www.example.org/api/signin-google
(Magento 1.*) if You use inchoo Social Connect Magento extension then:
Set below url in your google app (OAuth 2.0 client IDs):
Authorized Redirect URIs: http://www.example.com/socialconnect/google/connect/
Authorized JavaScript Origins: http://www.example.com
Don’t forget to replace http://www.example.com with your domain
Please make sure that in your google-client-api, the value of credentials in these field are matched as what you got from Google API console:
$client->setClientId('xxx.apps.googleusercontent.com');
$client->setClientSecret('xxx');
$client->setRedirectUri('http://example.com/oauth2callback');
$client->setDeveloperKey('xx');
This could happen when the value of setRedirectUri is different from the one you set in Google API console.