How to detect when an OAuth2 refresh-token expired - oauth

When accessing Google Drive, an access token can expire and we can use the refresh token to get a new access token. There are a number of possible reasons, though, that the refresh token itself stops working or expires; see:
https://developers.google.com/identity/protocols/OAuth2#expiration
So my question: what happens if the refresh token has expired after the 6 months, and how can I detect it? Does the request for refreshing the access token fail with 403 Forbidden, or does it return JSON containing an error message, or something else?
Unfortunately it is hard to find any information about this, and to test it out one has to wait for 6 months...
Solution:
Thanks to Gary Archer's answer I could produce the situation with an invalid refresh token, and this is the response I got; maybe it helps somebody else:
HTTP-status-code: 400
JSON:
{
"error": "invalid_grant",
"error_description": "Bad Request"
}

Almost all implementations I've seen return a known error code of 'invalid_grant' that you can check for. It will look something like this, with the server returning a JSON response with an error field and an optional error_description. At this point you need to redirect the user to reauthenticate:
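The client-side handling described in this answer, as an added example (not code from the post or from Google): a classifier for the token endpoint's reply that treats `invalid_grant` as "send the user back to authenticate", a configuration error code as "fix the client", and only transient failures as retryable. The response bodies used in the usage and test are constructed to mirror the shape quoted above; `classify_token_response` and `refresh_with_policy` are this example's own names.

```python
"""Client-side handling of a token endpoint reply to a refresh_token grant.

Added example, not code from the original post or from Google. The
response bodies used with it are constructed to mirror the shapes quoted
in the thread; classify_token_response and refresh_with_policy are this
example's own names.
"""
import json
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Error codes from RFC 6749 section 5.2. invalid_grant is what the thread
# observed for an expired or revoked refresh token; the others point at a
# client configuration problem rather than at the user's session.
REAUTH_ERRORS = {"invalid_grant"}
CONFIG_ERRORS = {"invalid_request", "invalid_client", "unauthorized_client",
                 "unsupported_grant_type", "invalid_scope"}


@dataclass(frozen=True)
class Outcome:
    action: str                      # use_tokens | reauthenticate | fix_client | retry | unknown
    error: Optional[str] = None
    description: Optional[str] = None


def classify_token_response(status: int, body: str) -> Outcome:
    """Map (HTTP status, response body) to the action the client should take.

    The status code alone is not enough: RFC 6749 specifies 400 plus a JSON
    'error' field for a rejected grant, but some deployments answer 401 or
    return a non-JSON body from a proxy, so the body is parsed defensively.
    """
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = {}
    if not isinstance(payload, dict):
        payload = {}

    if 200 <= status < 300 and isinstance(payload.get("access_token"), str):
        return Outcome("use_tokens")

    error = payload.get("error")
    description = payload.get("error_description")
    if error in REAUTH_ERRORS:
        return Outcome("reauthenticate", error, description)
    if error in CONFIG_ERRORS:
        return Outcome("fix_client", error, description)
    if status >= 500 or status == 429:
        return Outcome("retry", error, description)
    return Outcome("unknown", error, description)


def refresh_with_policy(send_refresh: Callable[[], Tuple[int, str]],
                        max_attempts: int = 3) -> Outcome:
    """Call send_refresh() and retry only transient failures.

    Retrying after invalid_grant cannot succeed and, with providers that
    rotate refresh tokens, repeated presentation of a dead token can be
    treated as reuse and revoke the whole grant, so the loop stops at once.
    """
    outcome = Outcome("unknown")
    for _ in range(max_attempts):
        status, body = send_refresh()
        outcome = classify_token_response(status, body)
        if outcome.action != "retry":
            break
    return outcome


if __name__ == "__main__":
    # Constructed response, shaped like the one reported in the thread.
    print(classify_token_response(
        400, '{"error": "invalid_grant", "error_description": "Bad Request"}'))
```

The point of `refresh_with_policy` is that a refresh failure is not a network failure: a 5xx or 429 is worth another attempt, an `invalid_grant` is not, and looping on it only delays the redirect the user needs anyway.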

Related

Getting invalid grant while fetching access token from Google Oauth

I know this question has been asked many times, but currently we have a problem with fetching an access token from Google OAuth. Actually, "Sign in with Google" works for some accounts; on the other hand, it doesn't work for some accounts. So we couldn't catch the exact problem.
Actually, there is no problem with fetching the code from googleapis...auth?... -> returns code.
But fetching the access token returns an error:
https://oauth2.googleapis.com/token?code=4/0AY0...
&client_id=....apps.googleusercontent.com
&client_secret=...
&redirect_uri=...
&grant_type=authorization_code
In some cases we encounter:
{
"error": "invalid_grant",
"error_description": "Bad Request"
}
Any suggestion?
Note: I did some research, but none of the suggestions helped (spelling, checking server time, adding access_type=offline to the first OAuth step URL, etc.)
Solution:
When I try to fetch a token with the same code multiple times, Google throws an invalid_grant error.
1. call https://oauth2.googleapis.com/token?code=my_code -> returns OK.
2. call the same request again https://oauth2.googleapis.com/token?code=my_code -> returns invalid_grant.

YouTube Authorization Code exchange fails with redirect_uri_mismatch

I'm trying to exchange an authorization code for an access code, but I'm getting an error saying "redirect_uri_mismatch".
I waited ~8 hours just in case it needs to update, but no luck so far.
The redirect URIs are set correctly, as you can see from the image here.
Initial Front-End redirect/request:
GET => https://accounts.google.com/o/oauth2/v2/auth
?scope=https://www.googleapis.com/auth/youtube.readonly
&include_granted_scopes=true
&state=state_parameter_passthrough_value
&redirect_uri=http://localhost:4200/profile?platform=youtube
&access_type=offline
&response_type=code
&client_id=[HIDDEN]
After the code is parsed, I exchange the code for an access code:
POST => https://oauth2.googleapis.com/token
?client_id=[HIDDEN]
&client_secret=[HIDDEN]
&code=[HIDDEN]
&grant_type=authorization_code
&redirect_uri=http://localhost:2222/youtube/oauth
Response:
data: {
error: 'redirect_uri_mismatch',
error_description: 'Bad Request'
}
Apparently, the redirect_uri has to match the initial request's uri.
Problem solved, feel free to upvote for visibility - thanks.
Source: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3
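Both failures above, the second exchange of an already-used code getting `invalid_grant` and the exchange with a different `redirect_uri` being rejected, are the authorization server enforcing RFC 6749 section 4.1.3. The following is an added example of that server-side logic, not code from any of the posts and not Google's implementation: a single-use code store that binds each code to the `client_id` and `redirect_uri` of the authorization request, expires it, and on replay revokes the tokens it had issued. `AuthorizationCodeStore` and its methods are this example's own names; the injectable clock exists only to make expiry testable. The `redirect_uri` values in the test are the two from the question above.

```python
"""Authorization-server side of the code exchange (RFC 6749 section 4.1.3):
single-use codes bound to the client_id and redirect_uri that requested them.

Added example, not code from any of the posts and not Google's
implementation. AuthorizationCodeStore and its methods are this example's
own names; the injectable clock keeps the expiry case deterministic.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

CODE_TTL_SECONDS = 600  # RFC 6749 4.1.2 recommends a maximum lifetime of 10 minutes

# The opaque answer the thread saw; the same body serves unknown, foreign,
# expired and replayed codes so a caller learns nothing about which it was.
INVALID_GRANT = (400, {"error": "invalid_grant", "error_description": "Bad Request"})


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    scope: str
    expires_at: float
    used: bool = False
    tokens: List[str] = field(default_factory=list)   # tokens minted from this code


class AuthorizationCodeStore:
    def __init__(self, now: Callable[[], float] = time.time):
        self._codes: Dict[str, IssuedCode] = {}
        self._revoked: Set[str] = set()
        self._now = now

    def issue(self, client_id: str, redirect_uri: str, scope: str) -> str:
        """Mint a code at the end of the authorization step."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(client_id, redirect_uri, scope,
                                       self._now() + CODE_TTL_SECONDS)
        return code

    def exchange(self, code: str, client_id: str, redirect_uri: str) -> Tuple[int, dict]:
        """Handle grant_type=authorization_code; returns (http_status, json_body)."""
        entry = self._codes.get(code)
        if entry is None or entry.client_id != client_id or self._now() > entry.expires_at:
            return INVALID_GRANT
        if entry.used:
            # Replay of a consumed code. RFC 6749 4.1.2: deny, and where possible
            # revoke every token previously issued on the basis of that code.
            self._revoked.update(entry.tokens)
            del self._codes[code]
            return INVALID_GRANT
        if entry.redirect_uri != redirect_uri:
            # Must be identical to the redirect_uri of the authorization request
            # (4.1.3). Google reports this as redirect_uri_mismatch; RFC 6749 5.2
            # folds it into invalid_grant. The code stays unconsumed here;
            # stricter servers invalidate it on any failed attempt.
            return 400, {"error": "invalid_grant",
                         "error_description": "redirect_uri does not match authorization request"}
        entry.used = True
        access_token = secrets.token_urlsafe(32)
        entry.tokens.append(access_token)
        return 200, {"access_token": access_token, "token_type": "Bearer",
                     "expires_in": 3600, "scope": entry.scope}

    def is_token_revoked(self, token: str) -> bool:
        """Resource servers consult this before honouring a bearer token."""
        return token in self._revoked
```

The practical consequence for a client is the one the accepted answer reached: a code is exchanged exactly once, with exactly the `redirect_uri` that was sent to the authorization endpoint, and a retry of the token request after a network hiccup must be treated as a new login, not a second POST of the same code.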

Auth0 OAuth2.0 redirect 500

Is it ever expected to see a "500" status response during the final redirect from an OAuth2 provider?
server_error: Unable to issue redirect for OAuth 2.0 transaction
I'm trying to determine if this is ultimately the provider Auth0's error (it seems to be) or mine. If it were mine I'd expect a 400-series error. It is possible to have hooks or rules; could these result in 500-series errors in a scenario like this? I would also anticipate a more specific 500 error: not 500 but another available number, like 599 for lack of a better example.
My more specific case has something like:
new auth0.WebAuth({
  domain: '....auth0.com',
  clientID: 'theid...',
  callbackUri: 'http://localhost:8080/',  // option name as posted; the answer identifies it as the misspelling (should be redirectUri)
  audience: 'http...',
  responseType: 'token id_token',
  scope: 'openid profile',
  leeway: 60
});
success then 500 for /login/callback?state=... on return
I misspelled the callback field, it should be redirectUri (not callbackUri above)! Auth0 tech support was kind enough to point this out.
I also asked about changing the error from 500 Internal Server Error to 400 Bad Request to indicate a missing client-provided detail, per my read of the details:
https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
details for 400 (and the rest) https://www.rfc-editor.org/rfc/rfc7231#section-6.5.1

What is wrong with this OAuth header?

This is the OAuth header I have generated using an OAuth 1.0 library. Given below.
{"Authorization":"OAuth realm=\"TSTDRV1606019\",oauth_consumer_key=\"c85f08d536fb43ffbf199896b970af6cc8ae3b9ffbd4d5a8d7bd35c36bbc58be\",oauth_nonce=\"PxTkoW9AHGgo36obe2qL\",oauth_signature=\"60eebfff6843f7fb652f98ce6dd65fe025d9837e\",oauth_signature_method=\"HMAC-SHA1\",oauth_timestamp=\"1497605488\",oauth_version=\"1.0\"","content-type":"application/json"}
I keep getting a USER_ERROR like below
"error" : {"code" : "INVALID_REQUEST", "message" : "The request could not be understood by the server due to malformed syntax."}}
Can anyone please tell me where I am going wrong ?
Appreciate all the help !
As of NetSuite release 2021.2, TBA (Token-Based Authentication) with the HMAC-SHA1 signature method is deprecated, and users who actively use HMAC-SHA1 have to switch to HMAC-SHA256. Otherwise, the user may see the error below with a 4xx status code:
{
"error": {
"code": "INVALID_REQUEST",
"message": "The request could not be understood by the server due to malformed syntax."
}
}
Not sure if this is the only problem, but it looks like you're missing your oauth_token. See Required Data for Using TBA with RESTlets
I have no clue why, but after fixing the SHA to 256 I was still getting the malformed syntax error when calling from Postman until I set the Advanced -> Version to "1.0" (NOT "1").
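The three answers together list what the header in the question was missing: HMAC-SHA256 instead of SHA1, an `oauth_token`, and `oauth_version` of exactly `"1.0"`. The following is an added example of building such a header per RFC 5849 section 3, not the library the poster used and not NetSuite's code. The signature base string is assembled from the method, the base URL and the sorted, percent-encoded parameters (including any query-string parameters), the key is `enc(consumer_secret)&enc(token_secret)`, and `realm` is sent in the header but left out of the signature. All credential values in the usage are constructed placeholders; the realm string only mirrors the account-id style seen in the question.

```python
"""OAuth 1.0 Authorization header with HMAC-SHA256 (RFC 5849 section 3).

Added example, not the library the poster used and not NetSuite's code.
All credential values are constructed placeholders; the realm string
mirrors the account-id style in the question but is not a real account.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value) -> str:
    """RFC 5849 3.6 percent-encoding: only RFC 3986 unreserved characters survive."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """METHOD & enc(base URL) & enc(normalized parameters), per RFC 5849 3.4.1."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query-string parameters are signed together with the oauth_* ones.
    pairs = list(oauth_params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha256_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """Key is enc(consumer_secret) & enc(token_secret); output is base64 (RFC 5849 3.4.2)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_authorization_header(method, url, realm, consumer_key, consumer_secret,
                               token, token_secret, nonce=None, timestamp=None) -> str:
    """Return the value for the Authorization request header."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(10),
        "oauth_signature_method": "HMAC-SHA256",   # HMAC-SHA1 is refused since NetSuite 2021.2
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,                      # the parameter missing from the question's header
        "oauth_version": "1.0",                    # exactly "1.0", not "1"
    }
    base = signature_base_string(method, url, oauth_params)
    oauth_params["oauth_signature"] = hmac_sha256_signature(base, consumer_secret, token_secret)
    # realm travels in the header but is excluded from the signature (RFC 5849 3.4.1.3.1).
    fields = [f'realm="{realm}"'] + [f'{k}="{pct(v)}"' for k, v in sorted(oauth_params.items())]
    return "OAuth " + ",".join(fields)


if __name__ == "__main__":
    # Constructed placeholders: not real NetSuite credentials.
    print(build_authorization_header(
        "POST", "https://example.com/app/site/hosting/restlet.nl?script=1&deploy=1",
        "TSTDRV_EXAMPLE", "consumer-key", "consumer-secret", "token-id", "token-secret"))
```

When a server answers "malformed syntax" to a header like this, the usual culprits are exactly the ones the thread found: a parameter missing from the header, a value that was not percent-encoded inside the quotes, or a version string the server does not accept.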

Amazon MWS Products API returns 401 error "Access denied"

I'm hopelessly stuck trying to call the Amazon MWS Products API. In particular, I'm trying to request this function
It requires building a pretty complicated request with a signature:
POST /Products/2011-10-01 HTTP/1.1
Content-Type: x-www-form-urlencoded
Host: mws.amazonservices.com
User-Agent: <Your User Agent Header>
AWSAccessKeyId=AKIAEXAMPLEFWR4TJ7ZQ
&Action=ListMatchingProducts
&MWSAuthToken=amzn.mws.4ea38b7b-f563-7709-4bae-87aeaEXAMPLE
&MarketplaceId=ATVPDKIKX0DER
&Query=0439708184
&SellerId=A1IMEXAMPLEWRC
&SignatureMethod=HmacSHA256
&SignatureVersion=2
&Timestamp=2012-12-12T22%3A23%3A50Z
&Version=2011-10-01
&Signature=V%2BEXAMPLERT%2Baj%2Fxwqo7y3PIifMFHeqFlNYW0EXAMPLEA%3D
I build this query with the help of this little library:
So my final url string looks like this:
https://mws.amazonservices.com/Products/2011-10-01?AWSAccessKeyId=<MY_ACCESS_KEY>&Action=ListMatchingProducts&MarketplaceId=A1PA6795UKMFR9&Query=0439708184&SellerId=<SELLER_ID>&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2016-04-19T16%3A50%3A13Z&Version=2011-10-01&Signature=mZt3OhM14gwLdsQ%2Bhxz5UFMzr7m2U36DvZ7RG3dcsTI%3D
And it seems that the URL string is built correctly. I think so because if a parameter is missing or incorrect the API returns a 400 error with an explanation that this parameter is invalid. The same applies to the signature. If the signature is incorrect, the API returns an error which clearly states that the signature is invalid. So, again, I think that the URL must be OK. However, the API returns a 401 error and an HTML page which looks like this:
<?xml version="1.0"?>
<ErrorResponse xmlns="http://mws.amazonservices.com/schema/Products/2011-10-01">
<Error>
<Type>Sender</Type>
<Code>AccessDenied</Code>
<Message>Access denied</Message>
</Error>
<RequestID>7b12e3c8-7b1a-4b6e-b7ba-15ec8c4e0968</RequestID>
</ErrorResponse>
Access denied. And I have no idea why. I've spent several hours already trying to figure out what's wrong. Can anyone help me?
The reason for the problem was that I was calling the American URL https://mws.amazonservices.com instead of the European one https://mws-eu.amazonservices.com. It would be really nice if Amazon's response gave more context about the error than simply Access denied.
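Since the signature was correct and only the endpoint was wrong, the check worth adding to a client is the one between MarketplaceId and host. The following is an added example, not the library the poster used and not Amazon's code: it builds the MWS Signature Version 2 string to sign (verb, host, path and the byte-order-sorted canonical query on separate lines), signs it with HMAC-SHA256, and refuses to sign at all when the host does not serve the marketplace. The two marketplace IDs and both hosts come from the question and answer above; the access key and secret in the usage are constructed placeholders.

```python
"""Amazon MWS request signing (Signature Version 2) plus a check that the
endpoint host matches the marketplace's region.

Added example, not the library the poster used and not Amazon's code.
The two marketplace IDs and both hosts come from the question and answer
above; the access key and secret below are constructed placeholders.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Region of each marketplace id seen in the thread. Unknown ids are refused
# rather than guessed, because the wrong host only yields "Access denied".
MARKETPLACE_HOST = {
    "ATVPDKIKX0DER": "mws.amazonservices.com",      # US, as in the sample request
    "A1PA6795UKMFR9": "mws-eu.amazonservices.com",  # EU, as the answer found
}


def pct(value) -> str:
    """SigV2 uses RFC 3986 encoding: unreserved characters only."""
    return quote(str(value), safe="-_.~")


def canonical_query(params: dict) -> str:
    """Parameters sorted by byte order of their names, then percent-encoded."""
    return "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))


def string_to_sign(verb: str, host: str, path: str, params: dict) -> str:
    """Verb, lower-cased host, path and canonical query joined by newlines."""
    return "\n".join([verb.upper(), host.lower(), path, canonical_query(params)])


def sign_request(verb: str, host: str, path: str, params: dict, secret_key: str) -> dict:
    """Return params plus Signature; refuses a host that does not serve the marketplace."""
    marketplace = params.get("MarketplaceId")
    expected_host = MARKETPLACE_HOST.get(marketplace)
    if expected_host is None:
        raise ValueError(f"unknown MarketplaceId {marketplace!r}")
    if expected_host != host.lower():
        raise ValueError(f"MarketplaceId {marketplace} is served by {expected_host}, not {host}")
    signed = dict(params, SignatureMethod="HmacSHA256", SignatureVersion="2")
    digest = hmac.new(secret_key.encode(),
                      string_to_sign(verb, host, path, signed).encode(),
                      hashlib.sha256).digest()
    signed["Signature"] = base64.b64encode(digest).decode()
    return signed


def build_url(host: str, path: str, signed_params: dict) -> str:
    """Assemble the final request URL from the signed parameter set."""
    return f"https://{host}{path}?{canonical_query(signed_params)}"


if __name__ == "__main__":
    # Constructed request modelled on the sample in the question; the key
    # id and secret are placeholders, not real credentials.
    params = {"AWSAccessKeyId": "AKIAEXAMPLE", "Action": "ListMatchingProducts",
              "MarketplaceId": "A1PA6795UKMFR9", "Query": "0439708184",
              "SellerId": "A1IMEXAMPLEWRC", "Timestamp": "2012-12-12T22:23:50Z",
              "Version": "2011-10-01"}
    host = "mws-eu.amazonservices.com"
    print(build_url(host, "/Products/2011-10-01",
                    sign_request("POST", host, "/Products/2011-10-01", params, "constructed-secret")))
```

Failing early on the host check turns an opaque 401 from the server into a local error that names the region, which is the context the answer wished Amazon's response had carried.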
