I am trying to implement Stream chat Rest APIs ( by following this link : https://getstream.io/chat/docs_rest ) provided by GetStream. So, I put the baseUrl and expected headers in following ways :
Request Url : https://chat-us-east-1.stream-io-api.com/channeltypes
These are the values which I put in Headers section of Postman :
Authorization : <Getstream token (generating from setUser function) from backend>
Stream-Auth-Type: jwt
api_key : <Getstream API key>
But I am getting this response on hitting API on Postman:
{
"code": 17,
"message": "ListChannelTypes failed with error: \"Channel types can be described only with server-side auth\"",
"StatusCode": 403,
"duration": "0.00ms"
}
I am unable to find out what I am missing or doing wrong in using the Rest API of Getstream. Please suggest and help in fixing this issue.
As described in error message:
Channel types can be described only with server-side auth
It's only possible with server side authentication.
When you use Authorization: <Getstream token (generating from setUser function) from backend>, this is for client-side.
You need to use your secret in the token to enable server-side and to gueary in this endpoint.
Related
I need to read and import google people contacts but I get the following error:
"Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project."
"status": "UNAUTHENTICATED"
This is the script (classic asp) I am using:
StrURL="https://people.googleapis.com/v1/people/get"
ApiKey="my api key"
Set objXMLHTTP = CreateObject("Msxml2.ServerXMLHTTP.6.0")
objXMLHTTP.Open "GET", StrURL, False
On Error Resume Next
objXMLHTTP.setRequestHeader "Authorization", "Bearer " & ApiKey
If Err.Number<>0 Then Response.Write "Error:" & Err.Description & "<br>"
On Error GoTo 0
objXMLHTTP.send
content = CStr(objXMLHTTP.ResponseText)
statuscode = objXMLHTTP.Status
How can I get the token using classic asp? Can anyone help me?
objXMLHTTP.setRequestHeader "Authorization", "Bearer " & ApiKey
You appear to be sending an api key. An api key is not a bearer token. Api keys only grant you access to public data, not private user data.
In order to access private user data you need to request authorization from that user to access that data that is done using Oauth2
Once you have been grated consent of the user to access their data you will have an access token. This access token can then be sent to the api in the authorization header.
I haven't used asp classic in years. These videos may help you understand how to make the authorization request.
Google 3 Legged OAuth2 Flow
How to create web app credetinals
Understanding oauth2 with curl
I have an oAuth Provider which uses Authentication URL. In some cases, my Authentication URL returns "non-200" with meaning messages e.g. incorrect username, incorrect password, user locked etc.
I wonder how to pass the meaningful message from Authentication URL to the client who is requesting the token via API (oauth2/token)??
I have tried many ways, the API Connect always results 401 - invalid grant only.
Here is my oAuth Provider Code
x-ibm-configuration:
testable: true
enforced: true
phase: realized
oauth2:
client-type: confidential
scopes:
weather: Weather Information
openid: Enable OIDC
grants:
- password
identity-extraction:
type: basic
authentication:
x-ibm-authentication-url:
url: 'https://8hxovobj7g.execute-api.eu-west-2.amazonaws.com/Prod/auth'
authorization:
type: authenticated
access-token:
ttl: 1500
refresh-token:
count: 2048
ttl: 2682000
gateway: datapower-gateway
assembly:
execute:
...
...
when authen fail due to incorrect username, the authentication URL return
401 Unauthorized
{
"error": "incorrect username"
}
However, when I use postman to post a request to API Connect Gatwatway to the oAuth Provider (path: /oauth2/token)
if correct username password (authen URL user registry return 200-OK, I will get
{
"token_type": "bearer",
"access_token": "AAIkNTU4M2RlMzktODY1NS00ZDQ1LTgyMjctODEyMDM4MDUzMTE2m7lBYXfx73OVPONAHoLT5VNdtSVD40Hu-M3nAQPu6wdviOxcIfbsOXBwt-Iy8EAgLzuATlZB7RBME_U5Ymd5fDkRTwy05G9zGmV7mIkawaELtiOj4xdzQr7Vn-indlv-y1NFEjvRv2VrK0d3TOqZnTEj5heDdY7Q0X9BFeydV4MtS-gCpnj-9l6TU3XqyeiK5hGnBZkZRAWOIskLm4KCyf8n_mnsi42vN9GLxlxoO9EmuHAwXOxr_aocKaaVlLKK5vDMHBRws2Vguqk3eVuoh9EnkRZvjbTurmW57bCgX3nMTd6MwcEYFkAGh-cOcEDyydZR6BI_pLuwaUM9RN8Vnb7EATQjzW2d_eHKQyjShcyM0TqxzhYq3q90fLfJLo08WxDgTFaKpGHA6qoZmUpYRLeyyImhOPtyd9p1l9z87g52duHbL1cyVGErHktTVpeXsmIRtn-QTTvI4jWmjxPZnSYj_rEeR9S8QAxYpHSEPmJQQmsjISf2SIRLABwuhG9dKyrrzs3UTotVyIotxmJjc9lfEsEtDTz9Ej--yQFw97ESHCVEvOkifeyIJ9F5MyPFh7fMEoGGwyDmWEfZSYRpkLg4_ib3dbjkGAuthiwjdA0",
"metadata":
...
}
if incorrect username/ password (authen URL user registry return 401-Unauthorized with response-body (error message), I will get
401-Unauthorized
{
"error": "invalid_grant"
}
The Authentication URL is custom made. I have tried to make different returns in authentication URL (different http response code/ body/ headers) which all cannot affect the end-user's oauth's oauth/token result which always return the msg "invalid grant". what I really want to pass the authentication URL result message to the end-users to let the users know what is wrong such as incorrect username
Thanks for your kindly help
Unfortunately, it seems that in APIC v5 it is not possible to adjust OAuth error based on the response from Authentication URL call.
You can check DataPower XSLT code which handles this case (local:/isp/aaa-ldap-lib.xsl) to see more details. For any non-200 response code returned by an authentication URL, the same hardcoded error is produced. Only a response code is checked and all response information is discarded after that check - including a response code.
In the case of non-200 response code returned by authentication URL following XSLT code is executed:
<xsl:call-template name="error">
<xsl:with-param name="code" select="'401'"/>
<xsl:with-param name="reason" select="'Unauthorized'"/>
<xsl:with-param name="challenge" select="'Basic'" />
</xsl:call-template>
That means it is not possible to distinguish between errors caused by different authentication URL responses in OAuth API assembly catch. You can catch UnauthorizedError in the created assembly in OAuth API but you would have no additional information based on which you could create custom error response.
However, if you are using on-premise APIC v5 and you have access to the DataPower Gateway you could:
change mentioned xsl file to propagate status code/reason from authentication URL (possibly using gateway extensions)
info necessary, add a custom assembly to your OAuth API where you would catch UnauthorizedError and add GatewayScript code to adjust behavior
GatewayScript code to adjust behavior in case of UnauthorizedError caught would be something like:
let p = session.name('policy');
let e = p.getVariable('fw/exception');
let statusCode = e.httpCode;
let statusReason = e.httpReasonPhrase;
...
Following the OAuth2 login flow described at https://github.com/reddit/reddit/wiki/OAuth2 I got to the point where POST-ing to https://www.reddit.com/api/v1/access_token returns something like this:
{'token_type': 'bearer', 'expires_in': 3600, 'scope': 'identity', 'access_token': '*****'}
Then I do
GET https://oauth.reddit.com/api/v1/me
With this header:
Authorization: bearer *****
The response is HTTP 403 Unauthorized. But why? It is clear that the access token has 'identity' scope. It is also documented that the /api/v1/me call requires this scope only. (See https://www.reddit.com/dev/api/oauth#GET_api_v1_me )
So why am I getting http 403?
I was experiencing the exact same issue as you described. In my case, I resolved the 403 by adding a faux user agent string in the request headers.
In my case, using HttpClient of C#, this proceeds like so:
using (var client = new HttpClient())
{
client.DefaultRequestHeaders.Add("User-Agent", "MockClient/0.1 by Me");
...
}
In my case this was because of a redirect.
Calling a non-oauth endpoint in my application (like https://www.reddit.com/r/learnpython/about.json) with the Authorization header would fail with code 403. But calling https://reddit.com/r/learnpython/about.json (without www) with the Authorization header succeeded. However both endpoints worked when I tried via Postman.
The reason for this is that reddit.com would redirect to www.reddit.com, which results in the Authorization header being dropped by Postman for the second request. In my application code, I was including the header with both requests, which explains the different behavior.
Solution: don't include the Authorization header when calling non-oauth endpoints.
I'm getting a 401 when trying to POST a request to the Twilio REST API.
I've included the following header:
Authorization: Basic <base64 encoded '<accountSid>:<authToken>' string>
And I've also tried Basic Authorization without encoding the string but the result is the same.
Edit: This is the response body:
Not Authorized - only signed requests from Twilio are allowed. More info about this error at: https://www.twilio.com/help/faq/twilio-basics/why-does-my-twiml-bin-url-give-me-a-not-authorized-error-when-i-try-to-view-it
How do i sign a request? The docs aren't very clear about it.
Im trying to use google oauth using the below link but get a 405 error,
Can you please let me know if the parameters are correct?
client_id = changed to a diff value
response_type = code
scope= openid%20email
redirecturl = given the value based on what I registered in console.developers.com
login_hint = my gmail id..
https://accounts.google.com/o/oauth2/token?
client_id=690178314820-85fvo4eq56se4mppdaf0pt6tnnjo552&
response_type=code&
scope=openid%20email&
redirect_uri=http://test.webfactional.com&
state=security_token%3D138r5719ru3e1%26url%3Dhttps://oa2cb.example.com/myHome&
login_hint=myemail#gmail.com
I made the above get requests in the browser..
There are a few steps to getting access to Google its easer for me to show you the full flow. My guess is you are stuck on step two because your not sending it as a post.
Step 1: Ask for access
https://accounts.google.com/o/oauth2/auth?client_id={clientid}.apps.googleusercontent.com&redirect_uri={From console}&scope=openid%20email&response_type=code
This just displays the window asking them to approve you. Once the user has approved access you get a one time Authentication Code.
Step 2: Exchange Authentication Code for AccessToken and RefreshToken. Note this needs to be sent as a HTTP POST not a HTTP Get.
https://accounts.google.com/o/oauth2/token
code={Authentication Code from step 1}&client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&redirect_uri=={From console}&grant_type=authorization_code
you should get a JSon string back looking something like this.
{
"access_token" : "ya29.1.AADtN_VSBMC2Ga2lhxsTKjVQ_ROco8VbD6h01aj4PcKHLm6qvHbNtn-_BIzXMw",
"token_type" : "Bearer",
"expires_in" : 3600,
"refresh_token" : "1/J-3zPA8XR1o_cXebV9sDKn_f5MTqaFhKFxH-3PUPiJ4"
}
Now you can take that Access_token and use it to make your requests. But access tokens are only good for 1 hour and then they expire before that time you need to use the Refresh_token to get a new access token. Also if you are going to want to access your users data again you should save the refresh_token some place that will enable you to always access there data.
Step 3: Use Refreshtoken
https://accounts.google.com/o/oauth2/token
client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&refresh_token={RefreshToken from step 2}&grant_type=refresh_token
This time you will only get the Access token back, because your refreshtoken is good until the user removes authentication or you haven't used it for 6 months.
{
"access_token" : "ya29.1.AADtN_XK16As2ZHlScqOxGtntIlevNcasMSPwGiE3pe5ANZfrmJTcsI3ZtAjv4sDrPDRnQ",
"token_type" : "Bearer",
"expires_in" : 3600
}
You can find more detailed information on this here Google 3 Legged oauth2 flow
It seems you are using wrong api, you should use https://accounts.google.com/o/oauth2/auth instead of https://accounts.google.com/o/oauth2/token.
The reason you get error 405 is https://accounts.google.com/o/oauth2/token can only be called by POST, and it is to get token. You need to get authorization code first and then exchange it for a token.
Please pay attention for this /oauth2/v3/token and /oauth2/token
I do follow guide of google at this link
It show me following
obtain Authentication Code by /o/oauth2/auth => it work, the response as example in the guide
obtain access token by /oauth2/v3/token => it is error, the status code 405 is responsed
The correct must be /oauth2/token