I am trying to use the bitbucket API for getting details of my repositories, issue, etc., but I am not able to find a clear way of authenticating the API request.
I would like to have a simple way of authenticating the endpoints like
https://api.bitbucket.org/2.0/repositories/usamarehank_dckap?access_token={my_access_token}
Here I obtained the access token from the app password section of my account.
I am getting an error on doing so like
{"type": "error", "error": {"message": "Access token expired. Use your >refresh token to obtain a new access token."}}
I tried using consumer key creation but I am not sure where to plug those values in the request and with the OAuth it asks for client_id which I am pretty sure not giving in the docs where to get them.
How would I basically do a simple access_token request just like github API without any OAuth?
Right, this access_token is part of the OAuth authentication process: https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html
To use just these app passwords you can create via your profile, you need to use simple Basic Authentication with that app password.
You can read a bit more about it here: https://developer.atlassian.com/bitbucket/api/2/reference/meta/authentication
Related
I'm trying to make a call to the Graph API from an Azure Logic App.
I can make a call to the authentication endpoint and get a bearer token.
However, when I use that bearer token to make the call to Graph API, I get the error message:
Access token validation failure. Invalid audience.
I've tried various examples from the MS website and other websites, but none work.
Where am I supposed to specify the audience?
In the first action I have made a HTTPS request to token endpoint with the details as shown below.
Then I parsed the JSON content and picked the access_token and created a new request to call MS Graph as shown below.
Since this is a client credential flow, we will be getting an App token so make sure you have configured Calendars.Read or Calendars.ReadWrite Application permissions and hit https://graph.microsoft.com/v1.0/users/{userid}/events. You should not use /me because there is no user here.
It worked for me.
Lets say I have created my own application. We have react front end and RESTful API as backend and we are using Google OAuth for Authorization of our users. Front end is making calls to the APIs. Front end uses Authorization Code Flow of OAuth. After getting access token from Google OAuth server, front end uses this token to make calls to my backend.
Now Malicious user will get my API's URL, other information required for REST API from Chrome Network tab and can call directly to APIs with access token.
Questions:
How will my REST API know from where the request is coming?
Also how it will validate the access token?
Is it possible once User got all information about my REST API, it can call directly with fake access token?
I have look into the diagram for Authorization Code Flow. Below is the link.
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-app-types
But how will web api validate the token?
Please guide me if I am lacking some information.
Google's OAuth server will issue your front-end a JSON Web Token (JWT). This token is singed by Google private key. Your API needs to:
Obtain Google's public key and
Verify the signature of the JWT.
If that is valid, the token originated from Google. If not, it didn't come from Google or was tampered with.
After this, your API needs to do a few additional checks:
Check the expiration time and see that it's not in the past. This can be found in the exp claim.
Check that the token is not only from Google but for your API. This can be done by looking at the aud (audience) claim and seeing that it's for you.
Check when the token was issued, and ensure that it's not in the future. The issuance time is in the iat claim.
Check that you should start using it already, and there wasn't some sort of embargo on the usage period. This will be indicated in the not-before claim (nbf).
Check that the type of token is an access token (as opposed to an ID token).
(You can find a longer more detailed description in this howto.)
If you do these things, you can be sure that Google issued the token and that it was intended for your API. It does not indicate to your API that the caller was your front-end. The reason is that the token is an "bearer token", meaning the token is bound only to the one that bears or presents it. To ensure that only your app provides the token, you need it to prove possession of a private key. This is not possible when using Google as your token issuer (to my knowledge).
My question is basically how do my rest api validate integrity of the token. I found the link: https://developers.google.com/identity/sign-in/android/backend-auth
I need to access several YouTube channels for my job to pull analytical data and export it to a database. The problem, is that this requires using OAuth, which would be fine except I don't know the controlling person's username/password. She probably won't give me her credentials since it's personal.
Is there a way to do this without explicitly using her username/pass? Like, she tried making me a content owner, but I still can't authorize this level of information.
This is exactly the reason why OAuth was created, to make requests on behalf of a user without their username and password.
Have that user generate an access token. Here are the Google Docs. In a nutshell:
Have your user send a post request to https://accounts.google.com/o/oauth2/token with your app key. The response should look something like:
{
type: "oauth",
token: "XXXXXXX"
}
Then, make an API request on behalf of that user with their token by passing in the token returned from the previous step as value for the Bearer filed for any web request to the YouTube API. This will allow you to perform an authenticated request without explicitly knowing the user's username and password.
I am building my REST API to be used with my IOS app. I have a little problem...
How do I implement the "resource owner password credentials grant"? I cannot store the client credentials in the IOS app code (not secure) so I have no idea how to secure the API.
So basically, I would be using HTTP Basic Authentication over SSL which would return a token. However, this means that anyone can make a simple post request to my API endpoint from wherever and also obtain a API access token. Basically I'd have a open API.
What do you recommend?
you can actually use keychain to store the data you need .. it's totally secure.. but sure don't store password in it, it will be a deal breaker for you :)
you can request with the password of the user an access_token from the oAuth as you've suggest
and store the access token into the keychain.. it proved that it's secure for me .
I am developing a google app engine - java project where I want to integrate Salesforce APIs.
I want to authorize user with Oauth 2.0 and want to retrieve contacts of the authorized user.
Salesforce API returns code in response of the first request and then again I request for the access token from the code.
With the access token when I call any of the service API it gives me following error
[{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]
I found the issue.
In configurations Administration Profile was missing to be connected with Apps whose client ID and secret I was using.
you are not getting valid access token.
generate the proper url to get the access token
https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_at_Salesforce.com
For more proper information, you can have a look of this