I want to implement token refresh for OAuth2 using Spring Cloud.
I can create token by sending request to /oauth/token using this payload:
curl --location --request POST 'http://localhost:8080/engine/oauth/token' \
--header 'Authorization: Basic YWRtaW46cXdlcnR5' \
--form 'username=admin' \
--form 'password=qwerty' \
--form 'grant_type=password' \
--form 'scope=read'
But for refresh token the same path /oauth/token is used. I need to send also username and password into the header 'Authorization: Basic YWRtaW46cXdlcnR5'which I don't have them. I can create a new token using using refresh token with this payload:
curl --location --request POST 'http://localhost:8080/engine/oauth/token' \
--header 'Authorization: Basic YWRtaW46cXdlcnR5' \
--form 'grant_type=refresh_token' \
--form 'scope=read' \
--form 'refresh_token=....'
Do you know how this issue can be solved?
Github code
The refresh token grant message does not need an Authorization header. Try removing it and sending client_id as a form parameter instead. You may also need to configure the offline_access scope for token refresh to work.
The last I remember though, token refresh is not supposed to be supported for ROPC, though that behaviour may not be the same for all providers.
Finally, be aware that ROPG is not really recommended if you have better options. This post summarises the issues.
If you can summarise your usage scenario I may be able to recommend a better alternative.
Related
I am trying to get the repo details, of our comany bitbucket cloud.
using the API:
curl --request GET \
--url 'https://api.bitbucket.org/2.0/repositories/{workspace}/{repo_slug}' \
--header 'Authorization: Bearer <access_token>' \
--header 'Accept: application/json'
from
https://developer.atlassian.com/cloud/bitbucket/rest/api-group-repositories/#api-repositories-workspace-repo-slug-get
the problem is that every key/token I use, I get an error response of
{"type": "error", "error": {"message": "Access token expired."}}
I created an OAuth 2.0 key and secret and tried them both.
--header 'Authorization: Bearer <KEY>'
--header 'Authorization: Bearer <SECRET>'
I also tried App Password :
--header 'Authorization: Bearer <APP PASSWORD>'
also with SSH key:
--header 'Authorization: Bearer <SSH KEY>'
But I get the same error.
Thanks
I suggest that you omit the 'Authorization: Bearer' header completely, and use an app_password instead. In fact, Atlassian recommends the use of app passwords, allowing you to completely bypass the need for an access_token.
See the App passwords section of the Authentication Methods docs page.
Here's how it works. (Notice that the 'Authorization: Bearer' header is absent in these examples.) If your workspace is companyname, your username is prospero , and the app password you created per the Atlassian documentation is a1b2c3d4e5f6g7h8, then you can retrieve the list of repositories in this manner.
Curl:
curl -u prospero:a1b2c3d4e5f6g7h8 https://api.bitbucket.org/2.0/repositories/companyname
Python:
import requests
import json
r = requests.get('https://api.bitbucket.org/2.0/repositories/companyname', auth=('prospero', 'a1b2c3d4e5f6g7h8'))
print(r.text)
print(json.dumps(r.json(), indent=4))
Of course, you will want to use more sophisticated code. These are just quick examples.
Even though I read a numerous duplicate issues here on Stackoverflow, still can't figure out for the life of me what I'm doing wrong.
Problem: I successfully receive an authorization code from, but when I request an access token using this code I get the following error:
{
"error": "invalid_request",
"error_description": "Invalid parameter value for redirect_uri: Missing scheme: http%3A%2F%2Flocalhost%3A3030%2Fgoogle%2Foauth2%2Fcallback"
}
Configuration:
I use http://localhost:3030/google/oauth2/callback as a callback URL
It's setup in the google developer console:
This is a "raw curl" request that I send to obtain a token:
curl --location --request POST 'https://oauth2.googleapis.com/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'code=4%2F0AY0e-g6zyewnsWjPEXoxZWawsp1E634ZlefYoBeYO1nXxBwjPQNCGVf7SGb4MxfNcjUApw' \
--data-urlencode 'redirect_uri=http%3A%2F%2Flocalhost%3A3030%2Fgoogle%2Foauth2%2Fcallback' \
--data-urlencode 'client_id=....' \
--data-urlencode 'client_secret=....' \
--data-urlencode 'grant_type=authorization_code'
P.s. as you can see I "UrlEncoded" redirect_url as well as code since it does contain slashes. To be on the same side, I tried to encode client_id, client_secret and grant_type as well, but since they only contain ASCII characters they came out the same.
What I have done:
Researched through similar problems on SO: jenkins issue, ios issue, php issue, missing http issue,nodejs issue - similar to this one followed up by discussion, this, that, and all other ones present here - will omit them for brevity.
I've tried to set
http://localhost/google/oauth2/callback:3030 as well as
http://127.0.0.1:3030/google/oauth2/callback and
http://127.0.0.1/google/oauth2/callback:3000 (although specifying a port in the end is super weird and changing localhost to 127.0.0.1, but was suggested in one of the similar threads), none of these worked.
Read all the docs from google
Played with OAuth2 Playground (where it works obviously), but doesn't work for me
Tried multiple variations for body + different content types the same problem, but sometimes I also get
{
"error": "invalid_grant",
"error_description": "Bad Request"
}
Any help would be appreciated.
After some time I was able to successfully obtain a token. Turns out that I didn't craft request to Google API correctly. Also, for the "curl" request it should be --data rather than --data-urlencode. The following request worked for me:
curl --request POST \
--url https://oauth2.googleapis.com/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data code=4%2F0AY0e-g4TLGE7c7VyMe8-95baQzeh0uERiKuGnHG5Sqccb4MCsmJOzV_a2jSbI9bm62VZ6Q \
--data redirect_uri=http%3A%2F%2Flocalhost%3A3030%2Fgoogle%2Foauth2%2Fcallback \
--data client_id=********* \
--data client_secret=********* \
--data grant_type=authorization_code
or
curl --request POST \
--url https://oauth2.googleapis.com/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data 'code=4%2F0AY0e-g4TLGE7c7VyMe8-95baQzeh0uERiKuGnHG5Sqccb4MCsmJOzV_a2jSbI9bm62VZ6Q&redirect_uri=http%3A%2F%2Flocalhost%3A3030%2Fgoogle%2Foauth2%2Fcallback&client_id=*********&client_secret=*********&grant_type=authorization_code'
One more observation: When you test, you can use the authorization code only once (for security reasons). Sometimes even if you send multiple "unsuccessful requests" with the same code, Google's API will reject all subsequent requests with that code (you need to go through the OAuth2 again flow to obtain a new one). The most "frustrating" part that confused me is that the response for the wrong code looks like this:
{
"error": "invalid_grant",
"error_description": "Bad Request"
}
instead of being something like "Code is not valid" or "Code has expired".
So, if you encounter an error above it means the request was crafted correctly, but the code is wrong.
I am using the Linkedin API OAuth 2.0 API and trying to perform a 'like' to a post or a comment using the new version 2 of the Linkedin API using the Postman client.
I have added the following permissions to the scope
r_liteprofile r_emailaddress rw_organization_admin w_organization_social r_organization_social w_member_social w_organization_social r_organization_social
And added the relevant callback, Auth & Access Token URLs to the postman request along with the Client ID and Client Secret ID.
When I perform a request to the \me v2 endpoint it returns relevant data.
When I perform the following GET request it gives me an not enough permissions error (even though it has been recently been accepted to the Marketing API for Linkedin)
https://api.linkedin.com/v2/socialActions/urn%3Ali%3Aorganisation%3A24799518/comments
I would expect to get data - but get a 403 status code and the error message below -
Not enough permissions to access: GET /socialActions/urn%3Ali%3Aorganisation%3A24799518/comments"
The cURL request looks as follows :
curl -X GET \https://api.linkedin.com/v2/socialActions/urn%3Ali%3Aorganisation%3A24799518/comments \
-H 'Authorization: Bearer {MY BEARER TOKEN HERE}' \
-H 'Content-Type: application/json' \
-H 'Postman-Token: 59c239c2-d1c7-48ee-9e5f-a894afde95dc' \
-H 'X-Restli-Protocol-Version: 2.0.0' \
-H 'cache-control: no-cache'
-- update --
I have manually tried this using cURL also with the X-Restli-Protocol-Version: 2.0.0 header and have the same issue. I am ultimately trying to use the API to like posts/comments etc..
Social Action Api is not applicable for organization|Page
GET https://api.linkedin.com/v2/socialActions/{shareUrn|ugcPostUrn|commentUrn}/comments
It is applicable for share|ugcPost|Comment
Use the following request to fetch the shares and use the share Id in the above request to get the comments for the post
GET https://api.linkedin.com/v2/shares?owners=urn:li:organization:24799518&q=owners&count=100
I have deployed the OpenAM - AccessManagement (6.0.0.4) version. I am using Rest API's to get the access token using password flow. And trying to introspect the token.
1) get access token
$ curl \
--request POST \
--user "clientid:clientsecret" \
--data "grant_type=password&username=user&password=welcome&scope=openid" \
http://openam.mydomain.com:8080/openam/oauth2/access_token
2) get header token (to be used for authorization header while token
introspection in step 3)
$ curl \
--request POST \
--user "clientid:clientsecret" \
--data "grant_type=client_credentials&scope=openid" \
http://openam.mydomain.com:8080/openam/oauth2/access_token
3) introspect token
$ curl \
--request POST \
--header "Authorization: Basic ZGVtbzpjaGFuZ2VpdA==" \
--data "token=f9063e26-3a29-41ec-86de-1d0d68aa85e9"
"https://openam.mydomain.com:8080/openam/oauth2/introspect"
Token introspection is always returning as {"active" : false }. I guess I am missing some OpenAM configuration. any thoughts please?
UPDATE
As suggested by #BernhardThalmayr it is working when I gave token as query parameter. 3 issues here:
1)I need to give authorization header as encoded clientid:clientsecret.I can not use the bearer token generated in step 2 as authorization header.
With gluu as IDP, bearer token is accepted as auth header for token introspection.But with openAm it gives
{
"error_description": "Invalid authorization",
"error": "invalid_client"
}
I can see in docs for openam micro-services, for token validation bearer token being used as auth header. https://backstage.forgerock.com/docs/platform/6/mservices-guide/#sec-validate-am-sso-token. How to do it without microservice?
2) scope list is empty : I have added scopes in client configuration as openid, introspect, mail,cn,profile. still token introspection returns scopes array as empty
3) openam/oauth2/userinfo endpoint returns only {
"sub": "amadmin"
}
IMHO AM is not spec compliant as it requires the value of the token to be sent as query parameter [backstage.forgerock.com/docs/am/6/oauth2-guide/… in contrast to what is defined in [tools.ietf.org/html/rfc7662]. Have you tried to provide the token as documented in AM docs?
I try to use OAuth with google. I receive a code using a POST request to this URL:
https://accounts.google.com/o/oauth2/v2/auth
Then I try to get a access token by sending a POST request to this URL:
https://www.googleapis.com/oauth2/v4/token
But this returns me a HTTP 404 "Not found" error. Is this URL wrong?
The URI that I've gotten to work for an Oauth2 token right now is
https://www.googleapis.com/oauth2/v3/token
I saw the same "v4" referenced in documentation, but couldn't get it to work either.
If you're developing your own OAuth 2.0 clients on the Google infrastructure, I'd recommend Google's OAuth 2.0 Playground which takes you through each request and response for their API's.
Oauth has been deprecated by Google. For OAuth 2.0, Try their well-known OpenID Configuration link which shows:
"authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth"
This works for me
curl --location --request POST 'https://www.googleapis.com/oauth2/v4/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=1234567891011-t28d34tfmfk5i5865hm7kij8nvl7vdax.apps.googleusercontent.com' \
--data-urlencode 'client_secret=KFcsEpfLjg64ta6TtQ1QibOC' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=1/gb5fEFSu_iwbvbsXZdK8ddrJjNTD1RrXbQqdsT6wuJK'
It looks newer and it worked when I tried.
https://oauth2.googleapis.com/token
https://developers.google.com/identity/protocols/oauth2/web-server#httprest_3