I am working with the Slack oAuth API.
When I do a GET on https://slack.com/oauth/authorize passing my client_id, and the scope, I get html reponse asking for workspace URL.
After that I need to sign in and provide my password before code is returned which I can use to renew my temporary token
My question is: How can I automate the process of providing workspace URL, username and password? I need to get the code return after authentication (the temporary token) so that I can call https://slack.com/api/oauth.access to renew my token
My reasoning is that if I have access (from the app I created) to: App ID, Client ID, Client Secret, Signing Secret and Verification Token there should be a way for me make simple API call to get code or is my understanding of the slack OAuth flow wrong?
NB: I have taken a look at https://api.slack.com/docs/oauth but I was not able to get it done. I am also aware that I can make the /signin and /checkcookie to get this done but it involves parsing HTML response for parameter values needed to make subsequent calls. I just feel there a simpler way to do it.
This Stackoverflow question is not a duplicate because is it mainly referred to a case of not having an app created; In my case, I have an app created.
Related
I'm implementing Google's 'code model' of Oauth2 and having trouble getting users' email - I wonder if this is a scopes problem or my misunderstanding about how to set up the code model. This sequence of events is already working:
Client loads https://accounts.google.com/gsi/client
Client starts call to google.accounts.oauth2.initCodeClient
Client gets code
Client passes code to one of my server endpoints
Server has an oauth2Client set up using the config with client_id, client_secret, and redirect URL = 'postmessage'
Server exchanges the code from the client for tokens
Server does oauth2Client.setCredentials(tokens) - this contains an access_token, which is enough for the client to make API calls to, e.g., retrieve the user's Google Calendar
Server is able to do oauth2Client.getTokenInfo(tokens.access_token);
There are various places along the way that involve scopes; I am probably getting something confused here. The client's initial call (step 2 above) uses
scope: 'https://www.googleapis.com/auth/calendar',
My code path on the server does define scopes anywhere.
In GCP, my project is set up with scopes
calendar.calendarlist.readonly, calendar.readonly and calendar.events.readonly
openid
/auth/userinfo.email
Here's the problem I'm encountering: when I go through this flow as a user and oauth with the account that owns the GCP project (this is a Google Workspace email, in case that matters), the tokens object that the server receives (step 6 above) has access_token, refresh_token and id_token - the id_token can be decoded to yield the user's email, and the user's email is also in the response to oauth2Client.getTokenInfo(token.access_token).
However, when I go through the flow with my other (personal) Gmail account, the tokens object that the server receives is missing the id_token but has the access and refresh tokens. Question 1: why are the responses different?
Question 2: How can I get the email of the user on the server in the personal Gmail account case? I've tried having the server make a call to https://www.googleapis.com/oauth2/v2/userinfo?fields=id,email,name,picture with the access_token, but this fails. I am not sure if I'm supposed to declare scopes for oauth2Client somehow, or tap a Google API using a different method on the server.
I think I've had a breakthrough: in step 2 in my original post, when I did "Client starts call to google.accounts.oauth2.initCodeClient", I had set the scope of initCodeClient to just the calendar scope. When I changed it instead to scope: 'https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/userinfo.email openid', (scope takes a space-delimited list in this case), it allowed my server call to get the id_token for this user and oauth2Client.getTokenInfo to get a response with the user's email in it.
When I updated the scopes like that, the popup asking for authorization also updated to request all the scopes I wanted - previously, it was only asking for the Calendar scope, so it makes sense Google didn't want to return the email.
What I still don't understand is why my previous setup was working for the account that owns the GCP project. In other words, when I was first building it out with that owner account, the client was only noting the Calendar scope while the server was asking for all three scopes (ie there was a mismatch), and the server was still able to get an id_token and the user's email in getTokenInfo. Maybe the owner account has some special privilege?
Before someone marks this question as duplicate,
Yes I know audit log is a thing.
No I won't use it because it requires permission.
Yes it's easier to find out server owner
No I need to know exactly who invited my bot
I want to:
Find out who invited my bot the server (user-guild id pair) using invite link redirection.
I read about the OAuth2 API but didn't quite undertstand it due to my lack of background knowledge.
All I understand is that bot invite links can have redirect uri,
and some infos are transfered to it after authentication.
Is it possible to get user/guild id from this?
I tried:
Setting up http server using python -m http.server,
add my IP to redirect uri list in dev page & generate a invite link containing redirect to my IP.
But I didn't get redirected to my http server after inviting my bot using that link,
and nothing got printed on the http server console either.
Things to note:
A. Don't reveal your client secret or your bot token for any purpose. If you do so, immediately regenerate them from the developer portal.
B. Code and token have different meanings in the answer below.
C. This is not for absolute beginners and you are expected to have a general understanding of web requests(specifically GET and POST requests). You might also need to host the site handling redirect URL.
D. This does not cover security issues in any shape, way or form.
In the bot tab of the developer portal, enable the REQUIRES OAUTH2 CODE GRANT option. This prevents the bot from joining a server unless step 4 is completed.
Then use the OAuth tab to generate an OAuth URL with identity and bot scopes. This is important to get user info in step 5.
When someone visits the URL, logs in, and selects a server, they are redirected to your redirect URL. This URL receives a single-use code as URL parameter ie the URL will be <base_url>&code={code}<other stuff>. It is up to you (and probably outside the scope of any SO answer; google is your friend here) to set up a web server and handle requests.
This code can then be used to get a token. This link explains how to exchange code for token. It involves sending a post request with your application's client id and secret. Both are available from discord's developer portal. The response will also have information about the guild along with the token in fields "guilds" and "access_token" respectively.
Send a get request to https://discord.com/api/v9/users/#me with a header containing Authorization: Bearer ${token} where the token is obtained in step 4. The response is in JSON format and contains user data specified here. Note: The link above is for the latest API version v9 which may change in future versions.
Edit:
It is possible to manually modify the URL to remove identity scope from URL. The bot would still join the server as long as you make a request to exchange the code for the token. In this case, the request to /users/#me would fail and you would have no access to the user object. It should be easy to make the bot leave the server if the request fails with the status code corresponding to unauthorized.
I am building an oauth app to connect to Basecamp 3 API using PHP and following the documentation here.
https://github.com/basecamp/api/blob/master/sections/authentication.md
The request authorization url works fine
https://launchpad.37signals.com/authorization/new
but the token url produces a page not found
https://launchpad.37signals.com/authorization/token
I contacted Basecamp but didn't get a response. They do say they don't prioritize suppose issues with the API because so few of their customers use it.
Any ideas on what the correct url for getting tokens would be?
There are 4 steps:
Step 1: Choose a webhook service or build your own (which certainly takes more time). This will receive the authentication.
Step 2: Register your app within Basecamp. it'll give you the client key and secret key
Step 3: You need to make a GET call to the .../new address. You need to pass on the client key, secret key and redirect url. The API will send an 8-digit number to the Webhook. You need to retrieve that from the webhook.
Step 4: Make the same GET call to the .../token address. You'll pass the key in addition to all previous information in the header. Then you'll receive an access token.
Supposedly with this access token you should be able to activate all other API. I have not figure this part out.
I'm writing a Slack app that adds Slash commands.
Every time I go through the OAuth flow, when I try to exchange a temporary auth code for an access token, I get the following JSON response:
{"ok"=>false, "error"=>"code_already_used"}
and despite that error message, the two slash commands provided by my app do get installed on the target Slack team.
The desired outcome is: I get a successful response from Slack's API, which contains the access_token and scopes for which the token is valid.
Troubleshooting I've tried so far:
Revoked permissions from my app & uninstalling from target team before trying again
Requesting additional scopes (e.g, commands,channels:history,users.profile:read which I don't need, instead of just commands) to see if that would cause the API to return an access token.
I am able to install on other teams outside of the original team I used when creating the app, but with the same api failure
Any suggestions for how to get the API to return an access token? Thanks in advance!
I have a hobby project in mind to use battle.net login. I'm wondering how I can obtain the access token from the API after receiving the authorization code.
This is Oauth flow question rather than a battle.net question.
Currently I can successfully authorize the user for my app which is registered in dev.battle.net and then I try to use the authorization code returned from the battle.net login to obtain the access token by sending a request to https://<region>.battle.net/oauth/token.
However I keep receiving this error:
{
"error": "unauthorized",
"error_description": "An Authentication object was not found in the SecurityContext"
}
I use postman extension to send post requests to that uri. I authenticate my request with my client id and secret. I pass redirect_uri (https://localhost), granty_type (authorization_code), code(the code returned from the previous authorization step). However I keep getting the error above.
I couldn't find much about battle.net online. There are other oauth related help articles but couldn't really find my way.
Wondering if you can help me with this easy stuff. I'm just wondering what I'm skipping here.
Here is the documentation:
https://dev.battle.net/docs/read/oauth
https://localhost is added in my mashery dev account's app settings.
Me again, I resolved this problem after trying almost every combination in the universe:)
Steps to apply:
Don't use the same authorization token for different access token trials, they are not valid
Always use https on every domain you test including localhost, you
redirect_uri must be https as well.
You must use the "basic authentication" in the header of your POST request while requesting the token from the authorization code you obtained from the previous step.
This is one of the most important ones: For requesting token, Pass redirect_uri, client key and secret as POST form parameters to the authenticated request. This is interesting because it's already an authenticated request; why would i need to pass my secret again? Anyways, that's how it works.
Here are the full text:
http://hakanu.net/oauth/2017/01/26/complete-guide-of-battle-net-oauth-api-and-login-button/
This is working prototype:
https://owmatch.me
Thanks.