How to request a NetSuite RESTlet with TBA authentication - oauth

I am trying to make a request to my NetSuite RESTlet using Alamofire (Swift), but I am meeting several difficulties:
In the documentation it specifies the different parameters needed (see below).
DOCUMENTATION:
An OAuth 1.0 RESTlet authorization header requires the data described in the following table. Some of these values can be obtained from the NetSuite UI. Other values must be calculated. Typically, your integration should include logic to identify these values and generate the finished header. Follow the OAuth 1.0 protocol to create the authorization header.
However, in Postman I am using extra parameters (the Consumer Secret and the Token Secret) and it works; if I remove them it doesn't work.
Finally, when I check the Authorization header generated by Postman, I see only the parameters specified in the documentation:
OAuth realm="my realm",oauth_consumer_key="myConsumerKey",oauth_token="myAccessToken",
oauth_signature_method="HMAC-SHA1",oauth_timestamp="1543488570",
oauth_nonce="ERxdLbUfkeh",oauth_version="1.0",oauth_signature="UeqmxAyeUqtPoICLo%2FARsQE8B1E%3D"
If someone can explain this to me, I could implement TBA authentication in my application, but for now I need to understand this authentication better.

I also spent a few hours trying to make it work. In my case I wasn't adding the account ID to the realm param. Here is a picture of what I ended up with:
Here is where you can get the account ID:
I hope it helps

The explanation of why the consumer secret and the token secret are needed by Postman to generate the token is shown in SuiteAnswer 42019 - as referenced in the Notes section beside oauth_signature in your screenshot above. From that page:
Sign the result string from step 5 using the consumer secret and token secret concatenated using '&' (For this case, HMAC-SHA1 or HMAC-256).
In other words, Postman uses the secrets to generate the output which authenticates your credentials - you cannot generate the oauth_signature correctly without them.

I ran into a lot of issues with broken NetSuite RESTlet/TBA connections as well. I did build this out in our software to help out customers. You can see the methods I used in the article below.
Using NetSuite TBA by Calling a RESTlet from an HTTP Source or Target

Related

Validate JWT token signed with RS256 in Knock (rails)

I am trying to connect a React app and a Rails app using Auth0. It used to be super simple since tokens were signed with HS256. But since auth.js v8, JWT tokens are signed with RS256. I don't have problems with the frontend but can't make RoR (I use Knock) work with the new signing algorithm. I've added
config.token_signature_algorithm = 'RS256'
and
config.token_public_key = key.public_key
into the Knock initializer, but still no luck.
The key seems to be correct; at least it works in jwt.io or pure ruby-jwt (at least I was able to read information from the token).
I am no expert in working with asymmetric algorithms, so any help would be appreciated. What I am trying to do right now is to get the "access_token" from the frontend and send it in the "authorization" header to the backend. I know I need to add "Bearer" to the header, but is there any other operation I need to do with the token first?
Best, Iurii
Just in case anyone is interested, here is a short discussion on GitHub: here is a link

Get code field in oauth method

I am trying to authenticate with Slack. I will use OAuth, if I can.
How can I get the code field which is required for oauth.access?
https://api.slack.com/methods/oauth.access
To be able to test the method, I should fill in:
client_id Required
client_secret Required
code Required
redirect_uri Optional
Alright, I get client_id and client_secret from OAuth Information. But where should I get the code field from?
The steps of negotiating tokens with OAuth are sequential -- it's not possible to test all of the OAuth API methods in the tester alone, as part of the sequence of events is your server receiving a callback containing that token value you'll need for the oauth.access step.
The OAuth documentation lays out the steps in order and is probably a better overall reference than the method documentation alone.
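The sequence the answer describes, as an added Ruby example that is not from the question, the answer or Slack's own SDKs. The authorize URL https://slack.com/oauth/authorize, the state parameter and the parameter names are taken from Slack's legacy OAuth flow and should be treated as assumptions; the script only builds and parses the messages of each step, makes no network calls, and the callback URL it parses is constructed for the demo. What it adds to the answer: the code arrives on your redirect_uri, the state you generated in step 1 is what lets you trust that callback, and client_secret is used only in the server-side exchange of step 3.

```ruby
# OAuth 2.0 authorization-code flow against Slack's oauth.access, message by
# message. Added example; not Slack's code. Endpoints are assumptions.
require "securerandom"
require "uri"

module SlackOAuth
  AUTHORIZE_URL = "https://slack.com/oauth/authorize"   # assumed legacy endpoint
  ACCESS_URL    = "https://slack.com/api/oauth.access"   # the method the question names

  # Step 1: the URL the browser is sent to. `state` is a random value stored
  # in the user's session so that the callback can be tied back to this start.
  def self.authorize_url(client_id:, redirect_uri:, scope:, state: SecureRandom.hex(16))
    query = URI.encode_www_form({ "client_id" => client_id, "redirect_uri" => redirect_uri,
                                  "scope" => scope, "state" => state })
    "#{AUTHORIZE_URL}?#{query}"
  end

  # Step 2: Slack redirects the browser to redirect_uri?code=...&state=...
  # The code is returned only when the state round-tripped unchanged; a
  # mismatch means this session did not start the flow (CSRF / code injection).
  def self.code_from_callback(callback_url, expected_state:)
    params = URI.decode_www_form(URI.parse(callback_url).query.to_s).to_h
    return nil if params["error"]
    return nil unless params["state"] && secure_equal?(params["state"], expected_state)
    params["code"]
  end

  # Step 3: the form body the server POSTs to oauth.access. client_secret
  # appears only here, server side, never in anything sent to the browser.
  def self.access_request(client_id:, client_secret:, code:, redirect_uri:)
    body = URI.encode_www_form({ "client_id" => client_id, "client_secret" => client_secret,
                                 "code" => code, "redirect_uri" => redirect_uri })
    [ACCESS_URL, body]
  end

  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The method tester on api.slack.com can only exercise step 3, which is why the code field cannot be filled in by hand: it exists only after steps 1 and 2 have run through a real browser and a real callback URL.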

Google OAuth - Keeping the Client ID Secret

When using OAuth in the Google Cloud Endpoints JavaScript client, how do you preserve the secrecy of the client ID?
How to implement OAuth in the Google Cloud Endpoints JavaScript client is detailed here. In the code snippet below the client ID is passed as a parameter to the OAuth method.
gapi.auth.authorize({client_id: CLIENT_ID, scope: SCOPES,
immediate: mode}, callback);
Since the end user will receive the script file in clear text, regardless of the use of HTTPS, how would you avoid handing the client ID over to every user you serve? After all, it would be rather simple to comb the JavaScript code to find the client ID.
You don't. Anyone can see and intercept it (as you stated), which is the root of the confused deputy problem.
That's why you validate your tokens. For a simple explanation of token validation and the confused deputy problem, check out this great SO question and answer on How and why is Google OAuth token validation performed.
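The Knock question above and this Google answer come down to the same verifier-side checks on an RS256 JWT: pin the algorithm, verify the signature with only the public key, check expiry, and check that the aud claim names your own client ID, which is the token-validation step that closes the confused-deputy hole a public client ID opens. The following is an added Ruby example using only the openssl and json standard libraries; it is not Knock's, ruby-jwt's, Auth0's or Google's code. The key pair, claims and Authorization header are constructed for the demo. On the Knock side this is the work that config.token_public_key and config.token_signature_algorithm hand to ruby-jwt; the bearer helper is the "Bearer" handling the question asks about.

```ruby
# RS256 JWT issue and verify with only Ruby's openssl and json stdlib.
# Added example; not Knock's, ruby-jwt's or Google's code.
require "openssl"
require "json"

module Rs256Jwt
  class Error < StandardError; end

  def self.b64url(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  def self.unb64url(text)
    padded = text.tr("-_", "+/")
    padded += "=" * ((4 - padded.length % 4) % 4)
    padded.unpack1("m0") # strict decoding: raises ArgumentError on junk
  end

  # Issuer side (what Auth0 or Google does with its private key).
  def self.encode(claims, private_key)
    header = b64url(JSON.generate({ "alg" => "RS256", "typ" => "JWT" }))
    signing_input = "#{header}.#{b64url(JSON.generate(claims))}"
    sig = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
    "#{signing_input}.#{b64url(sig)}"
  end

  # Verifier side. Only the public key is needed. The alg is pinned before any
  # cryptography runs, so an "alg":"none" or HS256 token is refused rather than
  # checked with the wrong primitive. `audience` is the verifier's own client
  # ID: a genuine token minted for some other app must still be refused, which
  # is the confused-deputy check the Google answer points at.
  def self.decode(token, public_key, audience: nil, now: Time.now.to_i)
    parts = token.to_s.split(".")
    raise Error, "malformed token" unless parts.length == 3
    header = JSON.parse(unb64url(parts[0]))
    raise Error, "malformed header" unless header.is_a?(Hash)
    raise Error, "unexpected alg #{header['alg'].inspect}" unless header["alg"] == "RS256"
    signing_input = "#{parts[0]}.#{parts[1]}"
    ok = public_key.verify(OpenSSL::Digest.new("SHA256"), unb64url(parts[2]), signing_input)
    raise Error, "bad signature" unless ok
    claims = JSON.parse(unb64url(parts[1]))
    raise Error, "malformed claims" unless claims.is_a?(Hash)
    raise Error, "token expired" if claims["exp"] && now >= claims["exp"]
    raise Error, "audience mismatch" if audience && claims["aud"] != audience
    claims
  rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError => e
    raise Error, "malformed token (#{e.class})"
  end

  # What the Rails side pulls out of request.headers["HTTP_AUTHORIZATION"].
  def self.bearer(authorization_header)
    m = /\ABearer\s+([A-Za-z0-9\-_.]+)\z/.match(authorization_header.to_s)
    m && m[1]
  end
end
```

The order of checks is deliberate: signature before claims, so nothing in the payload is trusted until the public key has vouched for it, and the audience check after that, because a valid signature only proves who issued the token, not who it was issued to.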

How can I extract the OAuth consumer key from a Rails request?

When an OAuth-signed request is made to a Rails 3 app, I can see the OAuth consumer key amongst the other values in request.headers["HTTP_AUTHORIZATION"]. What is a better way to access it? I'm using the OAuth gem.
According to this section in the OAuth specification, the Authorization header is the preferred way of sending OAuth protocol parameters. The specification does make allowances for sending protocol parameters in a form encoded body or in the request URI, if the request meets certain requirements.
To answer your question: parsing the Authorization header is a must for any OAuth provider. But you may also look for it (and other protocol parameters) amongst "normal" parameters; you will never find them in more than one place.

Getting the video thumbnail of private videos on Vimeo

This is a repost from the vimeo forum, but since nobody is answering over there, I try my luck here:
I have been trying for some hours now to get my head around the whole OAuth thing, but I don't seem to get it working. I want to retrieve thumbnails for private videos, using the advanced Vimeo API. This is what I have right now:
$vimeo = new phpVimeo($consumer_key, $consumer_secret, $access_token, $access_token_secret);
$result = $vimeo->call('vimeo.videos.getThumbnailUrls', array('video_id' => $video_id));
When I try it like this, I keep getting the error
"Fatal error: Uncaught exception 'VimeoAPIException' with message 'Invalid signature' ".
I'm absolutely positive that the keys and secrets are correct. Do I have to do more to make this thing work? Of course, it would be amazing to have an example where I just have to put in all my key data in and it works.
thanks in advance!
There are a couple of ways to help troubleshoot your signature errors. First I want to explain some terminology.
Api Endpoint - The api url you are requesting.
Client ID / Client Secret - A pair of tokens given to you when you create your Api Application
Request Token - A token generated while authorizing a user. This token can not be used to make api calls.
OAuth Token / Token Secret - A pair of tokens given to you when you send a user through your authorization workflow
Base String - A specifically formatted string that contains all the information relating to your API request.
OAuth Signature - A hashed token that represents the request you are making. This is generated using a base string, your client id and secret, and an optional oauth token and secret.
Troubleshooting
1. Try using the latest version of the official PHP library: https://github.com/vimeo/vimeo-php-lib.
   If this works, there is an issue in your code. Continue to step 2.
   If this does not work, let Vimeo know. You do not need to continue these steps.
2. Use the Hueniverse interactive guide: http://hueniverse.com/oauth/guide/authentication/
   Make a request and log every URL, header and parameter. Also include the Base String.
   Click all the plus signs to expand the input forms and then fill in all of the appropriate data.
   Ensure that the Hueniverse Base String matches your own generated Base String.
   If this matches and the signature is still incorrect, you are likely performing the HMAC signature incorrectly. Check all of your tokens, and feel free to contact Vimeo.
   If the Base String does not match, make sure you are following the spec: https://www.rfc-editor.org/rfc/rfc5849#section-3.4.1
3. If all else fails, your best option is to contact Vimeo directly. They can look up your authentication tokens and expected signatures.
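The three OAuth 1.0 threads on this page (the NetSuite TBA header, extracting parameters from the Authorization header in Rails, and the Vimeo base-string troubleshooting) are one algorithm, RFC 5849 section 3.4. The following is an added Ruby example, not code from any of the posters, from NetSuite, from the OAuth gem or from Vimeo, using only the standard library. It builds the signature base string, signs it with HMAC-SHA1 keyed on consumer secret and token secret, emits a header shaped like the Postman header in the NetSuite question, and then, as a provider would, parses such a header and recomputes the signature. The RESTlet URL, account ID, keys and secrets in the comments are placeholders; the only real vector is the request in RFC 5849 section 3.4.1, which base_string reproduces byte for byte.

```ruby
# OAuth 1.0 (RFC 5849) HMAC-SHA1 signing and verification with only the Ruby
# standard library. Added example; not NetSuite's, Vimeo's or the OAuth gem's code.
require "openssl"
require "uri"
require "securerandom"

module OAuth1
  UNRESERVED = /\A[A-Za-z0-9\-._~]\z/

  # Section 3.6: percent-encode every byte except ALPHA / DIGIT / - . _ ~ (uppercase hex).
  def self.pct(value)
    value.to_s.bytes.map { |b| UNRESERVED.match?(b.chr) ? b.chr : format("%%%02X", b) }.join
  end

  def self.unpct(value)
    value.gsub(/%\h\h/) { |m| m[1, 2].hex.chr }
  end

  # Section 3.4.1.2: lowercase scheme and host, drop default ports and the query.
  def self.base_uri(url)
    u = URI.parse(url)
    default = u.scheme.downcase == "https" ? 443 : 80
    port = u.port && u.port != default ? ":#{u.port}" : ""
    "#{u.scheme.downcase}://#{u.host.downcase}#{port}#{u.path}"
  end

  # Section 3.4.1.3: query + form body + oauth_* parameters, minus realm and
  # oauth_signature, each name and value encoded, sorted by name then value.
  def self.normalized_params(url, body_params, oauth_params)
    pairs = URI.decode_www_form(URI.parse(url).query.to_s)
    pairs += body_params.to_a.map { |k, v| [k.to_s, v.to_s] }
    pairs += oauth_params.to_a.map { |k, v| [k.to_s, v.to_s] }
    pairs.reject { |k, _| k == "realm" || k == "oauth_signature" }
         .map { |k, v| [pct(k), pct(v)] }.sort
         .map { |k, v| "#{k}=#{v}" }.join("&")
  end

  # Section 3.4.1.1: METHOD & pct(base URI) & pct(normalized parameters).
  def self.base_string(method, url, body_params, oauth_params)
    [method.upcase, pct(base_uri(url)), pct(normalized_params(url, body_params, oauth_params))].join("&")
  end

  # Section 3.4.2: the two secrets are used only as the HMAC key. They are
  # needed to compute oauth_signature but are never sent, which is why Postman
  # asks for them and the resulting header still does not contain them.
  def self.signature(base, consumer_secret, token_secret)
    key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
    [OpenSSL::HMAC.digest("SHA1", key, base)].pack("m0")
  end

  # Client side. realm (for NetSuite, the account ID) travels in the header
  # but is not part of what gets signed.
  def self.authorization_header(method, url, realm:, consumer_key:, consumer_secret:,
                                token:, token_secret:, body_params: {},
                                timestamp: Time.now.to_i, nonce: SecureRandom.hex(8))
    oauth = {
      "oauth_consumer_key" => consumer_key, "oauth_token" => token,
      "oauth_signature_method" => "HMAC-SHA1", "oauth_timestamp" => timestamp.to_s,
      "oauth_nonce" => nonce, "oauth_version" => "1.0"
    }
    oauth["oauth_signature"] = signature(base_string(method, url, body_params, oauth),
                                         consumer_secret, token_secret)
    fields = ["realm=\"#{realm}\""] + oauth.map { |k, v| "#{k}=\"#{pct(v)}\"" }
    "OAuth " + fields.join(", ")
  end

  # Provider side, section 3.5.1: turn the Authorization header (what Rails
  # exposes as request.headers["HTTP_AUTHORIZATION"]) back into a hash.
  def self.parse_header(header)
    raise ArgumentError, "not an OAuth header" unless header.to_s.start_with?("OAuth ")
    header.sub(/\AOAuth\s+/, "").split(",").each_with_object({}) do |field, h|
      name, quoted = field.strip.split("=", 2)
      h[name] = unpct(quoted.to_s.gsub(/\A"|"\z/, ""))
    end
  end

  # Provider side: with the secrets looked up for the presented keys, recompute
  # the signature over the request as received and compare in constant time.
  # Rejecting reused nonces and stale timestamps is left to the caller.
  def self.valid?(method, url, header, body_params, consumer_secret, token_secret)
    params = parse_header(header)
    return false unless params["oauth_signature_method"] == "HMAC-SHA1"
    expected = signature(base_string(method, url, body_params, params), consumer_secret, token_secret)
    secure_equal?(expected, params["oauth_signature"].to_s)
  end

  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Feeding the request from RFC 5849 section 3.4.1 (the POST to http://example.com/request with the a2, a3, b5 and c@ parameters and the c2&a3=2+q body) into base_string reproduces the base string printed in the RFC, which is the same comparison the Hueniverse guide in the Vimeo answer performs; a mismatch at that stage is almost always an encoding or sorting error, not a key error. Note that realm is carried in the header but excluded from the base string, so putting the account ID there (the fix in the first NetSuite answer) changes nothing about the signature arithmetic; it only tells the provider which account's keys to look up. The NetSuite header differs from the RFC example only in carrying oauth_version="1.0", which is then simply one more signed parameter.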
