I've been working with this issue of trying to set the authorization header in the relay environment after the user signs-in. I've tried this suggestion React relay injectNetworkLayer is not a function I have tried using a class that wraps the environment has a token property that when updated creates the Authorization header and places the token into it. This also threw an error. There has to be a way to do this but I can't figure it out.
How about storing the token in AsyncStorage when you log in, then in your fetch function, you try to read the token form AsyncStorage, and add it as a header if it is not null.
Related
The issue I’m facing is I’m trying to manually get the token from the API for the sake of automation. What I did is I configured IdentitySever to grant token on user credentials it worked fine when request has been sent via OAuth UI:
I’m getting the following request/response (viewed in console):
Now the issue is that I’m sending the exact same request but manually, but it fails:
I'm getting 'invalid_client' error instead of Token
I'm not overriding IResourceOwnerPasswordValidator so I'm using default implementation.
Anything else that I’m missing? Does UI do something else under the hood? Did I miss something?
The requests are identical, I copied over clients, passwords etc in case anything is different.
I’ve also tried to do the token request via get+query string, but same result
I tried changing the clientid, clientsecret, but no luck so far
There's a typo in your manual request. It should be 'client_secret' but not 'cliend_secret'.
OAuth2 doesn't understand this field and as a result of this, it assumes that you didn't pass the secret of the client in the request and thus it throws an 'invalid_client' error.
I'm stuck with an issue while trying to use Google's OAuth2 php lib. On the server side, after I instantiate an OAuth2 object I redirect the user to Google's sign in page, after which they hopefully grant permissions based on the scopes (the APIs I declared for use in the OAuth2) I declared. Now here's my issue: after the user grants permission I get redirected to the redirectUri I specified during the instantiation of OAuth2. This redirectUri contains as params state, code, and scope k-v pairs. I always get a "Missing authorization code" if I don't send back the value code to server and set it as a property of the OAuth2 object. However, if I send back the value of code to the server and set it as a property of the OAuth2 object I get a
"Client error: POST https://www.googleapis.com/oauth2/v4/token
resulted in a 400 bad request response. Error: "invalid_grant"`
So, I'm at lost here. I should mention that I actually managed to make 2 authorized calls to Google Ad Manager (the scope I declared) using the same flow I described above, but after that I keep getting the same 2 errors as above.
Does anybody know what's going on? I must be missing something but I can't see what. I'm using this guide so it's not really convoluted or complicated code but I just can't get it to work somehow. https://github.com/googleads/googleads-php-lib/wiki/API-access-on-behalf-of-your-clients-(web-flow)
I’m updating a third party app that currently integrates with Twinfield using the session’s method with username and password to use the oAuth method.
In confused by the documentation though... do I still need to use the sessions or when using oAuth do I just call the endpoint(s) by passing the access token in the header as normal?
Also their Soap definition has four properties, the usual ClientID and Secret but also accessSecret? What’s that?
TLDR: you no longer need to use the sessions and SelectCompany; when you have the access token you can use that and the company code directly in the header.
You can obtain the access token as described here.
The documentation is a bit unclear on how to use the access token in your calls.
In the old username/password/session flow, you referred to a SessionID in the SOAP Header, and you would do a SelectCompany call to select the relevant target ("administratie").
In the OAuth flow, the SessionID is no longer relevant. Once you obtained a valid access token, you should set that in the header using the AccessToken field.
Instead of the old SelectCompany call, you can set the CompanyCode directly in the header. So if you have obtained an access token eyWhatANiceToken, and want to retrieve data for company "My Company BV [130001]" you have set AccessToken to eyWhatANiceToken and CompanyCode to 130001 in the header.
You can request the available codes using the list offices call
I'm trying to follow this: https://developers.google.com/api-client-library/python/guide/aaa_oauth
using the python client. I want to get the authorization code so I can exchange it for a refresh token.
However, when I make flow = OAuth2WebServerFlow(...) and call flow.step1_get_authorize_url() , I automatically get the access token instead of the authorization code upon signing in, which is what I want. I'm requesting contacts scope and passing the following parameters:
access_type='offline',
approval_prompt='force',
include_granted_scopes='true'
I've searched online for a while on how to fix this problems, and most of them just suggest adding approval_prompt='force', which I already have.
Any help would be much appreciated. Thanks!
I want to create a Rails application which exposes an API to be consumed by only authorised client applications (will be mobile apps for iOS / android). I've not started working on the app yet, but the primary method of accessing the underlying data will be through the api. I've been looking at using the grape gem, but would need to add an authentication layer to it. I was thinking about using devise and adding another model for storing client details, api key and secret key. Upon sign in through the api, the api key and secret are returned. The API key is transmitted with each request, but the secret key is not. Instead, it is used to sign each request; the request parameters are ordered by name, hashed using the secret key as the hash key. This signature is then added as a parameter to the request.
Does this system of authentication sound logical and secure?
I tried to prototype the system earlier, but ran into difficulty signing up a user using JSON with devise. At first I was getting a CSRF error. I then turned off protect_from_forgery and was getting another error. Is it safe to turn this off if I am authenticating in this way?
Yes you can turn off rails CSRF protection since you are using a different authenticity method as long as a date or timestamp is always inside the parameters that are being signed. You can use this to compare the request time to the server time and make sure you aren't undergoing a replay attack.
protect_from_forgery helps you protect your HTML forms. If you're consuming JSON from mobile clients, you don't need it.
Here's what I would do if I were you:
on user's account page, have a button that says "(re)generate API key"
client then embeds this key into his calling code and passes with each request.
your API server checks whether this API key can be used with this client id.
Very easy to implement and serves well.
Signing parameters also works and I used it in several projects with success. But it increases code complexity without any real gain (secret key is on the client, attacker already knows it).