WSO2 audience not matched - oauth-2.0

I'm having a problem with OAuth2 and WSO2 IS as KM.
When the server generates a jwt token, I get the error None of the audience values matched the tokenEndpoint Alias since, in the said token, the audience is preceded by a "\t".
In the service provider configuration the "Enable Audience Restriction" is checked and the URIs are correct, however, when the token is generated a "\t" gets appended at the beginning of the audience field. I'm using jwt.io as a decoder.
What could be causing the issue? I've already tried to switch the token Issuer in identity.xml.
Many thanks for any help.

Related

Snowflake AAD OAuth2 (EXTERNAL_OAUTH_JWS_CANT_RETRIEVE_PUBLIC_KEY)

We've configured Snowflake for OAuth2 using AAD; when we retrieve a token the audience, scope, ... are correct.
But when validating using SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN
we receive the following error (and no information can be found on why this is occurring):
Token Validation finished.{"Validation Result":"Failed","Failure
Reason":"EXTERNAL_OAUTH_JWS_CANT_RETRIEVE_PUBLIC_KEY"}
Has anyone had this error before?
Most likely, while creating the security integration, the value for Public Key was not extracted from the IdP's certificate and instead the certificate itself was entered.

what's the meaning of the “gty” claim in a jwt token?

I have decoded a JWT token using jwt.io. I found one claim 'gty' in the payload section. What is the meaning and significance of it?
gty is not a registered claim name as defined in RFC 7519.
Although I could not find any reference clearly stating it, it seems auth0.com uses gty for the grant_type that was used to request the token, e.g. client-credentials or password.
Here's an example in the Auth0 community in which grant_type password and the gty claim are mentioned.

twitter - request token failing

I have been toying around with the twitter API over the last few days, but seem to be stuck at requesting a "request token". (flow A)
Over at the twitter api, I should be hitting the following end point (https://api.twitter.com/oauth/request_token) and on a successful request this should net me an oauth_token, oauth_token_secret and oauth_callback_confirmed (should match what I pass). I attempted to just use my private key, but this of course is failing. Is my understanding of how to generate this request wrong?
I believe my issue is the way I am generating the oauth_signature. Reading the documentation at twitter, everything seems straightforward until I need to generate the signing key documented here. It states that the signing key should be Consumer Secret & OAuth token secret, but to me this is a circular reference. The response, for this request, should contain the oauth_token_secret.
With this request an empty oauth_token_secret is expected. The signing key should be consumer_secret&; the trailing & must be included.
Relevant quote from https://www.rfc-editor.org/rfc/rfc5849#section-3.4.2:
An "&" character (ASCII code 38), which MUST be included even when either secret is empty.

MapMyFitness API OAuth questions

I am having some issues with the MapMyFitness API. MapMyFitness uses OAuth 1.0.
I am able to successfully get a temporary Authorization token/temporary secret Token combination from calling 3.1/oauth/request_token.
After that, I am able to successfully direct the user to the Authorization page and get a redirect callback with an authorization verifier.
After that, I am, unfortunately, getting errors when trying to call 3.1/oauth/access_token (HTTP error 401).
First of all, MMF documentation (http://api.mapmyfitness.com/3.1/oauth/access_token?doc) states: Exchange a request token and an authorization verifier for an access token. However, the list of input arguments in the documentation contains no mention of oauth_verifier. Should oauth_verifier that I have received with the redirect callback be passed to access_token call as an argument?
Secondly, it appears to me that perhaps I am not creating the signature correctly. For the 3.1/oauth/request_token call the key to generate the signature is 'XXX&' where XXX is the Consumer Secret Key assigned to my app by MapMyFitness. This works fine. For the 3.1/oauth/access_token call, I am using 'XXX&YYY' as a signature key where XXX is the Consumer Secret Key assigned to my app by MapMyFitness and YYY is the temporary Secret Token returned to me by the server during the 3.1/oauth/request_token call. Is that correct?
I would greatly appreciate any suggestions.
OK, I got it working. First of all, oauth_verifier DOES need to be included as part of parameters. For some reason, Map My Fitness does not include it in its list of required parameters, but it has to be there. Secondly - very important - according to OAuth 1.0 documentation, all parameters need to be in alphabetical order when creating the signature - otherwise there will be a signature mismatch and you'll get HTTP 401 error. Once I sorted my parameters in alphabetical order, I was able to exchange temporary MapMyFitness credentials to permanent ones.

Google GetAccessToken : Bad Request 400

I am using (OpenId+OAuth) hybrid protocol.
After I redirect the user to "https://www.google.com/accounts/o8/ud" with all openid and oauth extension parameters, the user is able to see the login screen and the services I need to access. On successful login I receive a response as follows:
http://muUrl.com/...&openid.ns.ext2=http://specs.openid.net/extensions/oauth/1.0&openid.ext2.scope=http://docs.google.com/feeds/&openid.ext2.request_token=4/8GCHDIvtxhbg8gVkfYro7QIFakoB
I understand the user is properly logged in and the text in bold is the authorized token. Then I make the call for obtaining the access token with all parameters except oauth_verifier, as that is not available in hybrid mode. I sign the base string using HMAC-SHA1 with the key "consumersecret&" (the token secret is not yet available).
I get 400 bad request with signature invalid. Any help or suggestion is highly appreciated to resolve this issue.
Please see Bob's and my comments.
% escaping can be an issue if you are facing the same problem as mine. oauth_verifier is indeed not required in hybrid mode.
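The three OAuth 1.0 threads above (the Twitter request_token signing key, the MapMyFitness access_token parameter sorting, and the Google hybrid-mode percent-escaping problem) all come down to building the RFC 5849 HMAC-SHA1 signature correctly. The following is an added example, not code from any of the posters or providers: a minimal signer that applies the RFC's percent-encoding, sorts parameters, always emits the trailing "&" in the signing key, and excludes oauth_signature itself. The consumer key, secrets, nonces and timestamps in the demo are constructed values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal.
    safe="" makes quote() also encode '/' and ':' (Python never encodes '~')."""
    return quote(value, safe="")


def base_string_uri(url):
    """Lowercase scheme and host, drop the default port, strip query and fragment."""
    parts = urlsplit(url)
    host, port = parts.hostname or "", parts.port
    default = {"http": 80, "https": 443}.get(parts.scheme)
    if port and port != default:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}{parts.path}"


def normalized_params(url, params):
    """Merge query-string and protocol parameters (minus oauth_signature), encode
    each key and value, then sort by encoded key and value before joining."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True)) + list(params)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, params):
    """METHOD&encoded(uri)&encoded(normalized params): note the double encoding."""
    return "&".join([method.upper(), pct(base_string_uri(url)),
                     pct(normalized_params(url, params))])


def signing_key(consumer_secret, token_secret=""):
    """consumer_secret&token_secret; the '&' is present even when token_secret is empty,
    which is the case for request_token and for the hybrid flow described above."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Base64 oauth_signature value; percent-encode it again when placing it in the
    Authorization header, otherwise '+' and '/' in the signature corrupt the request."""
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    msg = signature_base_string(method, url, params).encode("ascii")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode("ascii")
```

The access_token step uses the same function with the temporary token secret as token_secret and oauth_token plus oauth_verifier in params; parameter order passed in does not matter because normalization sorts them.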