Epic AppOrchard Tokens in OAuth2 Context Missing Value - oauth-2.0

I'm testing my SMART application on Epic AppOrchard using the Hyperspace simulator. I'm currently facing an issue related to Tokens in OAuth2 context. The following is my Token URL: mrn=%PATID%&user=%SYSLOGIN%&providerId=%USERPROVFHIRID%
I used to get the providerId parameter filled with the correct practitioner Id that I can use to fetch Practitioner information, until the start of the third week of July 2019. Now I'm receiving an empty string in the providerId parameter. I don't think I've changed anything that would make my application receive an empty string in providerId.
Can someone please help me understand how these token parameters are filled with correct values and/or under what circumstances they remain empty?
Maybe a guide on how Tokens in OAuth2 Context work could help. Thanks.

Related

Unable to Access Reddit Api Implicit Grant Flow Due To Fragment Identifier Before Query String

I've searched pretty hard for an existing answer to this question because I have a feeling that I've made a stupid mistake, so please let me know if this has been asked already and I haven't found it.
I'm trying to make a little installed app that needs to access the OAuth Reddit API, and since it's installed it has to be by the implicit grant flow.
Here is the process I'm trying to use:
I'm having the user open this URL (private info removed):
https://www.reddit.com/api/v1/authorize?client_id=[client_id]&response_type=token&state=[random_state_data]&redirect_uri=http://localhost:3000&scope=read
But when the user gets redirected after authorizing it goes to a URL that looks like this:
http://localhost:3000/#access_token=[token]&token_type=bearer&state=[random_state_data]&expires_in=3600&scope=read
The problem is that the access token is in a query? string after the fragment identifier (the #), so I can't access it from a server hosted on port 3000. Have I made a mistake with how I handled the authentication? Or is it something more subtle?
Thanks in advance for your help, and let me know if you need more information or I made a mistake in asking this question.
It turns out this is a classic case of missing something in the manual.
In the information about Reddit's implicit grant flow:
The response from this request, if successful, will be form encoded into the fragment with the following values:
So it was totally intended behavior that I just didn't pick up on. I guess I'll just have to do some Javascript magic to get the token from the fragment to my server.
Sorry if I wasted anyone's time.
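The "JavaScript magic" the answer refers to, as an added example that is not part of the original post: a function that reads the implicit-grant response from the fragment of the redirect URL, checks the state value against the one generated before the redirect, and converts expires_in (a lifetime in seconds) into an absolute expiry. The function takes the URL as a string so it can be tested outside a browser; the browser wrapper at the end is assumed usage.

```javascript
// Parse the implicit-grant redirect Reddit sends the browser to, e.g.
//   http://localhost:3000/#access_token=...&token_type=bearer&state=...&expires_in=3600&scope=read
// Everything after '#' never reaches the server, so the page served at redirect_uri
// has to read it from location.hash itself.
function parseImplicitGrantRedirect(redirectUrl, expectedState, nowMs = Date.now()) {
  const hash = new URL(redirectUrl).hash;                       // '#access_token=...'
  const params = new URLSearchParams(hash.startsWith('#') ? hash.slice(1) : hash);
  if (params.has('error')) {
    throw new Error('authorization failed: ' + params.get('error'));
  }
  // state must equal the random value stored before the user was sent to /authorize;
  // otherwise this response belongs to some other authorization request (CSRF check).
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  const token = params.get('access_token');
  const type = (params.get('token_type') || '').toLowerCase();
  if (!token || type !== 'bearer') {
    throw new Error('no bearer access_token in fragment');
  }
  // expires_in is relative to now (seconds), not an absolute timestamp.
  const expiresIn = Number(params.get('expires_in'));
  return {
    accessToken: token,
    scope: (params.get('scope') || '').split(/[ ,]+/).filter(Boolean), // space or comma separated
    expiresAt: Number.isFinite(expiresIn) ? nowMs + expiresIn * 1000 : null,
  };
}

// Assumed browser usage (not exercised here): read the fragment, then replace the URL so
// the token does not stay in the address bar or browser history.
function readTokenFromBrowser(expectedState) {
  const result = parseImplicitGrantRedirect(window.location.href, expectedState);
  history.replaceState(null, '', window.location.pathname);
  return result;
}
```

If the token then has to be handed to the server on port 3000, send it in a POST body over HTTPS rather than appending it to a URL, so it does not end up in access logs.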

VK Oauth: Security Error

I'm trying to authorize my standalone application. But after I click "Allow" it always redirects to http://oauth.vk.com/error?err=2 and gives this as response body:
{"error":"invalid_request", "error_description":"Security Error"}
Here's the request URL (I do have correct client_id):
https://oauth.vk.com/authorize?client_id=...&scope=messages,offline&redirect_uri=https://oauth.vk.com/blank.html&display=page&v=5.37&response_type=token
It seems that I've tried everything:
Turning application on and off
Passing scope as bit mask
URI encoding some parameters to have correct URL
and so on
After an hour of searching I've found this.
So, it means that the user has an old session and must re-login in the browser.
Space in state parameter causes this.
The OAuth 2 RFC, sections 4.1.1 on the authorization request and 4.1.2 on the authorization response, recommends using the state parameter to maintain state in the authorization code flow, particularly to prevent CSRF.
When I set this field to CSRFTOKEN123 http://my.site/next/url, I got this error. Replacing (space) with : to get CSRFTOKEN123:http://my.site/next/url helps.
By the way, I couldn't find any mention of the state parameter on the VK documentation website, but the VK OAuth 2 authorization system actually supports it. It couldn't be called OAuth 2 otherwise. So I find it legit to use the state parameter.
The topic https://vk.com/topic-17680044_30635058 mentioned by the author is closed now; the current discussion is https://vk.com/topic-1_24428376. There are a number of questions on this. All in Russian.

OAuth Google - Token refresh

Apologies for any typos, I'm on my phone. We have been trying to put together a solid integration for several providers and, aside from Twitter and their non-existent email address (oh "good bye" unique key), we have Google with their extremely short token lifetime.
For now we resorted to performing a fake refresh by pushing user through flow on clientside in js.
How would one go about refreshing the token without pushing the user through the OAuth flow and without having the Offline Access accessType? Refresh tokens are only valid for this accessType.
If I am missing a trick please let me know! All the social providers seem to follow different approaches, as expiry does not seem to be exactly specified anywhere, so in some cases it is a unix timestamp, in some it is a negative integer in seconds relative to now (I'm guessing it has to be based on UTC or that won't work), and I've seen some that provide expiry as a unix timestamp. Damn, was there no RFC for OAuth 2??
Any insights appreciated. Thank you.
Update
Apologies for the lack of clarity. Everything works, it's just that Google's OAuth tokens are so short-lived. It's not a showstopper, it's just not ideal that we have to refresh Google's OAuth tokens with JS or use 'accessType' offline.
You don't say anything in your question about the specific OAuth flow that your app is using, so it's hard to provide a solid answer.
Two approaches that spring to mind:
If you're doing client JavaScript auth, then you can set immediate=true so the "refresh" is done without any user UI.
You can do the offline bit which wins you a refresh token. You could store that on a server and use it to generate access tokens as needed.

Getting the video thumbnail of private videos on Vimeo

This is a repost from the vimeo forum, but since nobody is answering over there, I try my luck here:
I have been trying for some hours now to get my head around the whole oAuth thing, but I don't seem to get it working. I want to retrieve thumbnails for private videos, using the advanced vimeo api. This is what I have right now:
$vimeo = new phpVimeo($consumer_key, $consumer_secret, $access_token, $access_token_secret);
// parameter key must be exactly 'video_id' (no trailing space), otherwise it is sent as a different parameter
$result = $vimeo->call('vimeo.videos.getThumbnailUrls', array('video_id' => $video_id));
When I try it like this, I keep getting the error
"Fatal error: Uncaught exception 'VimeoAPIException' with message 'Invalid signature' ".
I'm absolutely positive that the keys and secrets are correct. Do I have to do more to make this thing work? Of course, it would be amazing to have an example where I just have to put in all my key data in and it works.
thanks in advance!
There are a couple of ways to help troubleshoot your signature errors. First I want to explain some terminology.
API Endpoint - The API URL you are requesting.
Client ID / Client Secret - A pair of tokens given to you when you create your API application.
Request Token - A token generated while authorizing a user. This token cannot be used to make API calls.
OAuth Token / Token Secret - A pair of tokens given to you when you send a user through your authorization workflow.
Base String - A specifically formatted string that contains all the information relating to your API request.
OAuth Signature - A hashed token that represents the request you are making. This is generated using a base string, your client ID and secret, and an optional OAuth token and secret.
Troubleshooting
Try using the latest version of the official PHP library: https://github.com/vimeo/vimeo-php-lib.
If this works, there is an issue in your code. Continue to step 2.
If this does not work let Vimeo know. You do not need to continue these steps.
Use the Hueniverse interactive guide: http://hueniverse.com/oauth/guide/authentication/
Make a request and log every URL, header and parameter. Also include the Base String.
Click all the plus signs to expand the input forms and then fill in all of the appropriate data.
Ensure that the Hueniverse Base String matches your own generated Base String.
If this matches, and the signature is still incorrect, you are likely performing the HMAC signature incorrectly. Check all of your tokens, and feel free to contact Vimeo.
If the Base String does not match, make sure you are following the spec: https://www.rfc-editor.org/rfc/rfc5849#section-3.4.1
If all else fails, your best option is to contact Vimeo directly. They can look up your authentication tokens and expected signatures.

using DotNetOpenAuth to verify a JavaScript OAuthSimple querystring

I'm working on a project that will generate an OAuth querystring in JavaScript, using HTTPS and in an internal application, so security is not a major concern at this point (figured I'd mention that up front).
The JavaScript querystring is used to call a C# script on a different server and domain, essentially to pass data from the internal application to the C# application, and allow verification that a) the query comes from the right source, and b) the query is valid and hasn't expired, etc.
OAuthSimple gives me a signed URL like this:
http://www.myremotesite.com/mycodepath/mycodefile.aspx?firstname=Kevin&lastname=Blount&oauth_consumer_key=ThisIsTheConsumerKey&oauth_nonce=nuOoM&oauth_signature=DAoaSxD5SvVFTTDNSxiTbANzGlc%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1313162452
My question is, on the C# side of things, what do I do next? I've two thoughts, but I can't work out which I need to explore:
using C# generate a new signed URL and compare the two (or just compare the oauth_signature values)
take the querystring and somehow decrypt/decode it and verify it.
I'm told that DotNetOpenAuth is the standard to use, but I can't figure out my next step using it.
Can I get some advice on what I need to look into, or articles that explain how I should proceed?
Read the instructions on DotNetOpenAuth and make sure you understand it. I haven't used it previously, but have heard good things about it.
The oAuth server will do several steps:
Validate version - Is the client using the correct version of oAuth for you to handle
Validate TimeStamp - All timestamps must be in UTC to avoid Time Zone problems
Validate Nonce - Has it been used previously within the allowed time range?
Validate Signature - Get the private key from the consumer key, compute the signature using the values passed in the parameters and compare to the actual signature.
Once the message has passed all the checks, the server will return the resource requested by the message.