eBay OAuth invalid_grant when trying to get access token - oauth-2.0

I'm currently trying to get a small app to authenticate my own user.
First I navigate to
https://auth.ebay.com/oauth2/authorize?
client_id=...&
response_type=code&
redirect_uri=...&
scope=...
Which asks me to log in, then gives me an authorization code via the URL.
I URL-decode this and use Postman to request the access token by hitting:
https://api.ebay.com/identity/v1/oauth2/token
with Headers:
Authorization: Basic ...
Content-Type: application/x-www-form-urlencoded
These both appear to be correct, since if I change either of them I get an error saying that they're wrong.
And in the body:
grant_type: authorization_code
redirect_uri: ...
code: ...
Once again these all error individually if I change them to something else.
The error that I get is:
{
  "error": "invalid_grant",
  "error_description": "the provided authorization grant code is invalid or was issued to another client"
}
Which is very strange to me. This is using the same redirect_uri and client_id as the previous request.
I've tried generating a new redirect URL, I've tried rotating the client secret, I've tried not URL-decoding the auth code, but whatever I try I get the same error.
Interestingly, if I request a grant_type of client_credentials, that works perfectly, but it is of little use to me.
I'm very confused and the eBay forums are no help whatsoever; any help will be greatly appreciated.

I've actually managed to fix this myself.
I was URL-decoding the code using JS's decodeURI, which was not actually decoding anything. I switched over to decodeURIComponent and now it seems to work OK.
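The difference the self-answer found, shown as an added example (not code from the original post): decodeURI leaves reserved characters such as `#` and `=` percent-encoded, so an eBay-style code is only half decoded. The redirect URL and code value are constructed samples.

```javascript
// Added example (not from the original post): why decodeURI left the eBay
// authorization code partially encoded, and a safer way to pull it out of
// the redirect URL. The redirect URL and code below are constructed samples
// shaped like eBay's "v^1.1#i^1#..." codes, not a real grant.
const REDIRECT_URL =
  "https://example.com/cb?code=v%5E1.1%23i%5E1%23f%5E0%23r%5E1%23t%5EAbc%3D%3D&expires_in=299";

// Raw, still percent-encoded value of the code query parameter.
function rawCodeParam(url) {
  const m = /[?&]code=([^&#]*)/.exec(url);
  return m ? m[1] : null;
}

// decodeURI only undoes escapes that encodeURI would have produced; it
// leaves reserved characters such as '#' (%23) and '=' (%3D) encoded,
// so the token endpoint sees a mangled code and answers invalid_grant.
function decodeWithDecodeURI(raw) {
  return decodeURI(raw);
}

// decodeURIComponent undoes every percent-escape, giving the code as issued.
function decodeWithDecodeURIComponent(raw) {
  return decodeURIComponent(raw);
}

// Preferred: let the URL parser handle query decoding end to end.
function codeFromRedirect(url) {
  return new URL(url).searchParams.get("code");
}

// Sanity check before calling the token endpoint: a fully decoded code
// contains no leftover %XX sequences.
function looksStillEncoded(code) {
  return /%[0-9A-Fa-f]{2}/.test(code);
}

console.log("decodeURI          :", decodeWithDecodeURI(rawCodeParam(REDIRECT_URL)));
console.log("decodeURIComponent :", decodeWithDecodeURIComponent(rawCodeParam(REDIRECT_URL)));
console.log("URL.searchParams   :", codeFromRedirect(REDIRECT_URL));
```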

Related

Issue with invalid_grant error with Google Oauth2

Cheers everybody,
We have been reading the Google documentation closely on exchanging an access_token from Google so that our (Delphi) desktop application can SSO with Google from the server side. Here is what the payload we send first looks like:
https://accounts.google.com/o/oauth2/v2/auth?client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&state=E1DF2FBA-0A66-4D69-B594-5EB8F7828AF7&scope=openid+profile&include_granted_scopes=true&code_challenge=C832DA50-E55A-499D-89B8-493BB4123C94&login_hint=test#Speelkriebel.be
Normally, after this it redirects me to log in to our test user, and after this, according to the documentation, we send a POST request to the token endpoint in order to get the access_token and refresh_token: https://oauth2.googleapis.com/token
with the following parameters; the 'code' that is generated we also send, as follows:
client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com
grant_type=authorization_code
client_secret=******
code= 4/1AY0e-g4GlavO38PI5Oo3vq04Pc4lMWN77et-02UiVWOsT-IyRQnU1lq19qo
redirect_uri = urn:ietf:wg:oauth:2.0:oob
The response is always
{
  "error_description": "Missing code verifier.",
  "error": "invalid_grant"
}
We have also tried sending the client secret. Does it have to do with our code_challenge? Are the endpoint URL and initial URL okay? What are we missing? We are using CEF4Delphi as a "browser-like" experience so that the user can type in their Google credentials. We have been reading this: https://developers.google.com/identity/protocols/oauth2/web-server#offline
We were also trying the playground: https://developers.google.com/oauthplayground/
We were sending the initial URL in Chrome, which generated a "code", and in the playground we inserted the code, and still got the same "missing code verifier" error.
Thanks Guys
You seem to have URL-encoded a lot of the values; try not doing that. Also try using the basic call before you start adding everything else. It should help you figure out which one of those extra parameters you are sending is causing your issues.
https://accounts.google.com/o/oauth2/auth?client_id={clientid}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=profile&response_type=code
Also make sure that the client id is from an installed / other type client
This may also help: Google 3 Legged OAuth2 Flow
For installed apps, the code challenge and verifier are parameters for enhancing the security of the OAuth flow through PKCE [1].
There is additional documentation about generating a code challenge and verifier here [2].
[1] https://www.rfc-editor.org/rfc/rfc7636
[2] https://developers.google.com/identity/protocols/oauth2/native-app#step1-code-verifier

OpenID Connect Token endpoint returning a bad request

I am using OneLogin OpenID Connect. I did the initial redirect to the OpenID server, put my username and password in, and OneLogin redirected me to the callback URL I provided. I have received a "Code" from this and would like to exchange this code for an access_token.
I am trying to make a request to the token endpoint but it is returning a 400 Bad Request with this error:
"error_description": "invalid authorization header value format"
I have attached a screenshot below. I didn't have "Client_Secret" in the Authorization header before, I looked around and tried it with "Basic" as well. But none of it seems to work.
Can anyone help me with some insight?
I was also following these two tutorials:
https://openidconnect.net
https://developers.onelogin.com/openid-connect/connect-to-onelogin
I have looked on here to see if I was doing anything wrong. But I still get the same error.
https://connect2id.com/learn/openid-connect#token-endpoint
Your Authorization header has an incorrect format, it should look like the example below for the username "username" and the password "password".
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
The variable dXNlcm5hbWU6cGFzc3dvcmQ= is found by concatenating username and password with a colon as separator (username:password) and calculating the Base64 value of this new string (dXNlcm5hbWU6cGFzc3dvcmQ=).
Postman does that for you, just click on the Authorization tab next to Headers. You'll probably need Basic Auth.

400 bad request error when exact POST in docs for refresh_token with Google OAuth2.0

I believe I am running the exact POST request in the OAuth docs ( with my credentials ), but I'm getting a 400 error. I was getting a 404 error, but then reset my client_secret and started using the new client_secret and am now getting a bad request error. Any ideas what I am doing wrong?
$.ajax({
  url: 'https://www.googleapis.com/oauth2/v4/token',
  data: {
    'code': getParameterByName('code'),              // asker's own helper, not shown here
    'client_id': '',                                 // left empty in the question as posted
    'client_secret': '',
    'redirect_uri': encodeURI(url + '?mail=tokened'), // `url` is defined elsewhere in the asker's page
    'grant_type': 'authorization_code'
  },
  dataType: 'json',
  method: 'POST',
  success: function (response) { console.log(response); }
});
Most probably the redirect_uri value that you send is off; it should be exactly the URL that you sent in the authorization request i.e. the redirect to the authorization endpoint earlier.
This may be a long shot, but according to the HTTP/REST example available at Using OAuth 2.0 for Web Server Applications (section Handling the OAuth 2.0 server response) you should be sending the payload with a content type of application/x-www-form-urlencoded instead of JSON.
I've seen other OAuth implementations accepting JSON payload besides the application/x-www-form-urlencoded mentioned in the specification, but maybe Google implementation is more strict.
I've tested your code and it works fine if you have a valid Authorization Code and fill the Client ID, Secret and Redirect URI accordingly. In your snippet client_id and client_secret are set to empty string and this may be why it's not working.
Google OAuth endpoints return nice error messages with the Bad Request responses and can help you discover what is wrong with the parameters you sent.
Your grant_type needs to be different from 'authorization_code'. You are having issues while getting tokens.
Try grant_type=refresh_token
The redirect URL in the .env file should be the same URL as in your Google developer account; also check the redirect URL in your route web.php.

Eloqua OAuth2 authentication get token URL inaccessible

I want to use OAuth2 authentication in my application for calling Eloqua APIs using access token.
I'm following instructions given in the link http://docs.oracle.com/cloud/latest/marketingcs_gs/OMCAB/Developers/GettingStarted/Authentication/authenticate-using-oau… and using Resource Owner Password Credentials grant flow for getting access token.
POST https://login.eloqua.com/auth/oauth2/token
Authorization: Basic Q09NUEFOWVhcdXNlcjE6cGFzc3dvcmQxMjM=
{
  "grant_type": "password",
  "scope": "full",
  "username": "testsite\\testuser",
  "password": "user123"
}
But I'm getting exception "java.net.ConnectException: Connection timed out: connect" while calling get token endpoint https://login.eloqua.com/auth/oauth2/token from java code.
I tried the endpoint using browser but getting similar error. Also tried accessing the endpoint using REST client but again same connection error.
I'm unable to understand why the endpoint is giving a connection timeout exception. I also tried increasing the timeout, but get the same error.
Please guide me as I'm stuck.
Is there any other endpoint for getting Eloqua access token?
Below is a POSTMAN Screenshot in case it helps.
Also written out in case someday that screenshot isn't there. Don't use the built-in Auth in Postman, since you need to base64-encode the clientid:clientsecret with the : in the middle. These values are provided when you created an App in Eloqua.
Be sure to include the content type as application/json and the Authorization. Use a double backslash in the JSON for the username in between the site and username (clientsite\\username).
JSON body should look like this:
{"grant_type":"password","username":"clientsite\\username","password":"password"}
Make sure you are doing a POST to login.eloqua.com/auth/oauth2/token
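Building the Basic header that both the OneLogin answer above and this Eloqua answer describe, plus a format check that explains an "invalid authorization header value format" before anything is sent. This is an added example, not code from either answer; the sample credentials are the answers' own example values or obvious placeholders.

```javascript
// Added example (not from the answers): the Basic header for a token
// endpoint is "Basic " + base64(client_id + ":" + client_secret), plain
// base64 with padding (not base64url).
function basicAuthHeader(clientId, clientSecret) {
  if (clientId.includes(":")) throw new Error("client id must not contain ':'");
  return "Basic " + Buffer.from(`${clientId}:${clientSecret}`, "utf8").toString("base64");
}

// Explains why a header would be rejected before the server does:
// wrong scheme, a bare (un-encoded) secret, extra tokens, or no ':'.
// Returns { ok, reason, clientId? }.
function checkBasicAuthHeader(header) {
  const parts = header.trim().split(/\s+/);
  if (parts.length !== 2) {
    return { ok: false, reason: "expected exactly '<scheme> <token>'" };
  }
  const [scheme, token] = parts;
  if (scheme.toLowerCase() !== "basic") {
    return { ok: false, reason: `scheme is '${scheme}', not Basic` };
  }
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(token)) {
    return { ok: false, reason: "token is not base64 (raw id:secret or secret alone?)" };
  }
  const decoded = Buffer.from(token, "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) {
    return { ok: false, reason: "decoded value has no ':' separator" };
  }
  return { ok: true, reason: "ok", clientId: decoded.slice(0, sep) };
}

// The OneLogin answer's example pair and the Eloqua docs' sample header.
console.log(basicAuthHeader("username", "password"));
console.log(checkBasicAuthHeader("Basic Q09NUEFOWVhcdXNlcjE6cGFzc3dvcmQxMjM="));
```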
From the docs:
POST https://login.eloqua.com/auth/oauth2/token
Authorization: Basic Q09NUEFOWVhcdXNlcjE6cGFzc3dvcmQxMjM=
{
  "grant_type": "authorization_code",
  "code": "SplxlOBeZQQYbYS6WxSbIA",
  "redirect_uri": "https://client.example.com/cb"
}
From your request, it looks like you are missing the redirect_uri and the code.
Try using the body contract from the docs: http://docs.oracle.com/cloud/latest/marketingcs_gs/OMCAB/index.html#Developers/GettingStarted/Authentication/authenticate-using-oauth.htm

Box API access token: invalid_client

I am trying to work with the Box API and need an access token. I followed the tutorial video here: https://www.youtube.com/watch?v=ha26tN8amI0 to get an authorization code and then exchange it for an access and refresh token. Here is the POST request I made in Postman:
https://api.box.com/oauth2/token?grant_type=authorization_code&client_id=<my_client_id>&client_secret=<my_client_secret>&code=<code_given_on_redirect>&redirect_uri=http://0.0.0.0
The response I get is:
{
  "error": "invalid_client",
  "error_description": "The client credentials are invalid"
}
Unless I am completely losing my mind, I am positive I am entering the correct client_id and client_secret from my application page. (I tried several times.)
I sent this post request in less than 30 seconds after it was generated.
Any idea what I might be missing? Thanks.