I am writing a SmartHome skill and need an access token to post asyncrhonous notifications for a device (doorbell). The documentation is confusing - but from what I have infered - I am supposed to get my client_id and client_secret from the Alexa console, and get the Bearer Token during the initial skill connection/authorization, then request the access token (and refresh token) via OAuth. So I can get these three pieces of info, but then I try to do:
curl -vv X POST -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -d "\
grant_type=authorization_code\
&code=$CODE\
&client_id=$CLIENT_ID\
&client_secret=$CLIENT_SECRET" \
https://api.amazon.com/auth/o2/token
Where CODE came from the initial authorization request as:
"payload": {
"grant": {
"code": "<<REDACTED>>",
"type": "OAuth2.AuthorizationCode"
},
But this always gives me:
{"error_description":"The request has an invalid parameter : code","error":"invalid_grant"}
If I remove the code parameter it complains it's missing, and if I change the code to something invalid, the error changes from invalid_grant to invalid_request. So it understands the code - but doesn't like something about this whole flow.
(I know the client_id, client_secret and grant_types are valid, because when I change them to something deliberately erroneous, I get some expected error).
Any idea what I'm doing wrong??
The code can only be used once - whether it succeeds or not. So even if you use it and your request is botched or otherwise doesn't work - you cannot reuse it. The only was I was able to handle this was to disable the skill, re-enabled it, then snoop and use the new code given.
Related
I am making the following curl call:
curl -k -d "grant_type=client_credentials" -H "Authorization: Basic <Encoded ID & Secret>)" https://MyIDPUrl/token
I get a response of:
{
"access_token":"MyAccessTokenHere",
"scope":"am_application_scope default",
"token_type":"Bearer",
"expires_in":3212
}
It all seems fine, except that I am not getting a refresh token. I tried adding &scope=openid to the url, and that added an id_token to the response, but not a refresh token.
How can I get a refresh token with WSO2?
The specification states that client_credentials grant type does not return a refresh token.
It makes sense because the point of a refresh token is to not bother the user to login again. But with client_credentials, you can just go get another access token.
source
Yes for the client_credentials grant type there is no usage of having a refresh token. But if you want to get a refresh token you can allow getting a refresh token by changing a configuration in the identity.xml (IS_Home/repository/conf/identity) In the following section,
<SupportedGrantType>
<GrantTypeName>client_credentials</GrantTypeName>
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
<IsRefreshTokenAllowed>false</IsRefreshTokenAllowed>
<IdTokenAllowed>false</IdTokenAllowed>
</SupportedGrantType>
if you change the value of the IsRefreshTokenAllowed to true it should return a refresh token. (You need to restart the server after changing the configuration value). By default it is false as there is no user engagement in this grant type refresh token is not useful.
As #Vaccano said, using client_credentials grant type does not return a refresh token.
Instead you can use Password grant type instead, that does return a refresh token:
curl -k -X POST https://localhost:9443/oauth2/token
-d "grant_type=password&username=Username&password=Password"
-H "Authorization: Basic Base64(consumer-key:consumer-secret)"
Both GET and POST methods supported by the endpoint. The POST method is recommended to call endpoint with a huge number of user ids to follow, because the GET method will lead to an oversized URL that the server can't handle. How the "follow" parameter can be passed in the body of the request?
UPD: here is what I've already tried using Insomnia (the URL is always 'https://stream.twitter.com/1.1/statuses/filter.json' and the method is always 'POST' and the server response is always "No filter parameters found. Expect at least one parameter: follow track locations"):
A plain text body with Content-Type: text/html
follow=2731236345
A json body with Content-Type: application/json
{
"follow": "2731236345"
}
Another json body
{
"follow": [
2731236345
]
}
However, when I use form-url-encoded with field "follow" and the value "2731236345" I receive the response "Unauthorized".
First of all, consider looking at the Twitter Developer Labs new endpoint, because this existing API will be retired, likely (but not yet confirmed) in 2020.
When you say "without any success", what libraries are you using, and at what levels of query parameters - you're not being very clear about what is not working here. 5000 user IDs is very large. Can you please be more specific about the errors you're seeing, and the code you're trying to run?
I've managed to connect using curl:
curl --request POST \
--url 'https://stream.twitter.com/1.1/statuses/filter.json' \
--header 'authorization: <censored>' \
--data 'follow=2731236345'
The same request doesn't work in Insomnia for some reason, but it doesn't matter for the goal of this post.
We want to enable uploading apps to the Intune store via an API.
I saw this example on GitHub, and want to do something similar in JS, so I've tried using the same REST calls.
The problem is, I can't seem to make the https://graph.microsoft.com/beta/deviceAppManagement/mobileApps request properly - I always get 401. When making the same request via the Graph API Explorer it works fine.
I tried fixing my permissions, and I'm kinda stuck getting the correct token.
I did the following steps with an admin account, on both the "common" and our own tennant:
Called the admin consent - https://login.microsoftonline.com/nativeflow.onmicrosoft.com/adminconsent?client_id=<ID>&redirect_uri=<URI>
Got authorization from the user - https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<ID>&response_type=code&redirect_uri=<URI>&response_mode=query&scope=DeviceManagementApps.ReadWrite.All
POST request to get the actual token -
https://login.microsoftonline.com/nativeflow.onmicrosoft.com/oauth2/v2.0/token
with the following body:
client_id: <ID>
scope: https://graph.microsoft.com/.default
client_secret: <secret>
grant_type: client_credentials
requested_token_use: on_behalf_of
code: <The code I got in step 2>
I tried changing the scope in step 3 to https://graph.microsoft.com/DeviceManagementApps.ReadWrite.All or simply to DeviceManagementApps.ReadWrite.All, but it says that it's not a valid scope.
I got a token in step 3, but when I try calling the actual API I receive this error:
{
ErrorCode:"Forbidden",
Message:{
_version: 3,
Message: "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 7b5c3841-976d-4509-b946-f7fdabd047d7 - Url: https://fef.msub02.manage.microsoft.com/StatelessAppMetadataFEService/deviceAppManagement/mobileApps?api-version=5018-05-02",
CustomApiErrorPhrase: "",
RetryAfter: null,
ErrorSourceService: "",
HttpHeaders: {"WWW-Authenticate":"Bearer realm=urn:intune:service,f0f3c450-59bf-4f0d-b1b2-0ef84ddfe3c7"}
},
Target:null,
Details:null,
InnerError:null,
InstanceAnnotations:[]
}
So yeah, I'm pretty much stuck. Anyone have any experience with it? I've tried making the calls in Postman, curl and via code, but nothing works.
Cheers :)
You have a couple issues going on:
You're using the Authorization Code Grant workflow but requesting Client Credentials.
The scope Device.ReadWrite.All is an application scope, it is only applicable to Client Credentials. It isn't a valid Delegated scope so it will return an error when you attempt to authenticate a user (aka delegate) using Device.ReadWrite.All.
Your body is using key:value but it should be using standard form encoding (key=value).
To get this working, you need to request a token without a user. This is done by skipping your 2nd step and moving directly to retrieving a token (body line-breaks are only for readability):
POST https://login.microsoftonline.com/nativeflow.onmicrosoft.com/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id={id}
&client_secret={secret}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&grant_type=client_credentials
I'm trying to use the refresh_token to (obviously) refresh the Spotify access_token I have. The documentation gives this as an example curl statement:
curl -H "Authorization: Basic ZjM4Zj...Y0MzE=" -d grant_type=refresh_token -d refresh_token=NgAagA...NUm_SHo https://accounts.spotify.com/api/token
and here is my Python implemtation:
payload = {
'grant_type': 'refresh_token',
'refresh_token': <REFRESH_TOKEN>
}
r = requests.post('https://accounts.spotify.com/api/token', data=payload,
headers={'Authorization': 'Basic <CLIENT_SECRET>'})
In both cases I get back {"error":"invalid_client"}
I've tried passing my client_id and the client_secret in the post data but I always get back invalid_client. Someone here on SO said I need to pass in code, but code is a single use, very short lived object that has already been consumed/expired.
Any thoughts to what I'm doing wrong?
The only problem I can see is that you write:
headers={'Authorization': 'Basic <CLIENT_SECRET>'}
when it, using your notation, should be:
headers={'Authorization': 'Basic ' + base64.b64encode('<CLIENT_ID>:<CLIENT_SECRET>')}
However, that could be simplifed further since you are using requests. As described here: http://docs.python-requests.org/en/latest/user/authentication/ Just remove headers and replace it with auth instead:
auth=('<CLIENT_ID>', '<CLIENT_SECRET>')
However, I guess that this isn't what is actually wrong in your code either, since you somehow managed to get a refresh token which requires that you authorized successfully once before.
I have been implementing the Google web server OAuth flow, but when I attempted to exchange the authorization code with access token, it always complains "invalid_code".
Here is the issue:
Step 1:
Redirect one of our pages to 'https://accounts.google.com/o/oauth2/auth?scope=email&redirect_uri=https%3A%2F%2Fmyurl.com%2Fcallback&response_type=code&client_id=some_client_id'
Step 2:
The redirection happens and google would redirect to our url
https://myurl.com/callback?code=somecode
Step 3:
curl -X POST --data "code=somecode&client_id=some_client_id&some_client_secret=some_client_secret&redirect_uri=https://myurl.com/callback&grant_type=authorization_code" https://accounts.google.com/o/oauth2/token -v --trace-ascii /dev/stout
The response comes back:
HTTP 400 Bad request
{
"error" : "invalid_grant",
"error_description" : "Invalid code."
}
Can someone help me with this issue? Thanks!
The life span of authorization code is only 10 mins,and can only be used one time. So do these checks:
Do you use it 10 min later? If so, use it in 10 mins.
Have you used it before? If so, obtain a new one and then use it.
Is you server time in sync with Google OAuth server's? If not, change your time.
I was using http://localhost:8080 as my redirect url since I was just trying out their examples. And my json file contents had this:
"redirect_uris": [
"http://localhost:8080"
],
"javascript_origins": [
"http://localhost:8080"
]
In the developer console I had the redirect_uri set to "http://localhost:8080" and I was getting the same error. I changed it to "http://localhost:8080/" and then it started working. (Essentially adding a '/' at the end.)
Hope this helps!