I have scoured the web to try and find an answer to what seems to be a simple solution but unable to come across one.
I am using Postman. On the Authorisation tab, I have entered the details as defined in the Twitter Application Management.
In the header, I have a key of Authorization and value of
OAuth oauth_consumer_key="my-consumer-key",
oauth_token="my-consumer-token",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1538075001",
oauth_nonce="zXeiLqV5GzK",
oauth_version="1.0",
oauth_signature="SYdcrIrRT6jdgo57b1qP9a9THcc%253D"
When I run a GET request for https://api.twitter.com/1.1/search/tweets.json?q=test I get the expect results.
However, trying to search for a hashtag
https://api.twitter.com/1.1/search/tweets.json?q=%23test&include_entities=true I get the following in the response body
{
"errors": [
{
"code": 32,
"message": "Could not authenticate you."
}
]
}
with a status of 401: Authorization Required
Why would this be the case, would there be a step I missed in setting up or can you not search for hashtags on the free version?
Any help would be appreciated.
Solution is to use OAuth2
Twitter OAuth1 seems to have issue with url encoding.
I ended up using OAuth2 too. Requesting Bearer's Token to https://api.twitter.com/oauth2/token and giving it App Consumer API keys as authorization credentials.
Reference can be found here
Related
When I use this endpoint in postman https://discordapp.com/api/guilds/1068721953185206354/members/460428342781542402
I keep getting
{ "message": "Invalid OAuth2 access token", "code": 50025 }
the status code is 403
Here are my headers and body:
Response
Headers
`Body
Please help I have looked everywhere and nothing worked.
I have tried to reset the token a couple try (Revoke it then regenerate it)
I have tried to use it on https://discord.com/api/oauth2/#me and it worked so it's not the access token.
I have tried to use https://discordapp.com/api/guilds/1068721953185206354/members/460428342781542402 as PATCH and it did tell me the info of the user.
I have searched everywhere on the internet.
I have checked that the bot is on the same application as the token
Cheers everybody,
we have been deeply reading google documentation on exchanging access_token from google in order our (delphi)desktop application to SSO with google from server side. Here is the payload we send first look like:
https://accounts.google.com/o/oauth2/v2/auth?client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&state=E1DF2FBA-0A66-4D69-B594-5EB8F7828AF7&scope=openid+profile&include_granted_scopes=true&code_challenge=C832DA50-E55A-499D-89B8-493BB4123C94&login_hint=test#Speelkriebel.be
Normally after this it redirects me to login in to our test user and after this according to the documentation we send a POST request to the end point token in order to get the access_token and refresh_token...: 'https://oauth2.googleapis.com/token
with the following parameters, the 'code' is generated we also send it as follow:
client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com
grant_type=authorization_code
client_secret=******
code= 4/1AY0e-g4GlavO38PI5Oo3vq04Pc4lMWN77et-02UiVWOsT-IyRQnU1lq19qo
redirect_uri = urn:ietf:wg:oauth:2.0:oob
The response is always
{
"error_description": "Missing code verifier.",
"error": "invalid_grant"
}
We have tried to send the client secret id also, Does it have to do with our code_challenge ? are the end points url and initial url okay? What are we missing? We are using CEF4Delphi as "browser like experience in order for the user to type in their google credentials. We have been reading this: https://developers.google.com/identity/protocols/oauth2/web-server#offline
We were also trying the playground :https://developers.google.com/oauthplayground/
we were sending the initial url in a chrome which generated a "code" and in the playground we inserted the code, and still got the same error of missing code verifier.
Thanks Guys
You seam to have URL encoded a lot of the values try not doing that. Also try using the basic call, before you start adding everything else. It should help you figure out which one of those extra parameters you are sending that's causing your issues.
https://accounts.google.com/o/oauth2/auth?client_id={clientid}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=profile&response_type=code
Also make sure that the client id is from an installed / other type client
This may also help Google 3 Legged OAuth2 Flow
For installed apps, the code challenge and verifier are parameters for enhancing the security of the OAuth flow through PKCE [1].
There is additional documentation about generating a code challenge and verifier here [2].
[1] https://www.rfc-editor.org/rfc/rfc7636
[2] https://developers.google.com/identity/protocols/oauth2/native-app#step1-code-verifier
I'm using Postman to make GET requests from the Twitter API, but having some quirky issues when using search/tweets for a particular hashtag. My goal is to return a list of recent tweets that have the same #hashtag. I'm following along with Twitter's instructions on how to do this, which can be found here (look under the header 'Query Parameters').
This returns the below JSON response
GET https://api.twitter.com/1.1/search/tweets.json?q=%23somehashtag
{
"errors": [
{
"message": "Could not authenticate you",
"code": 32
}
]
}
I'm using OAuth 1.0, also based on Twitter's docs. I can make successful calls to the same endpoint by simply removing the %23:
GET https://api.twitter.com/1.1/search/tweets.json?q=somehashtag
Since you use OAuth 1.0 this suggests the the code that generates the signature does not correctly include the %23 in the payload that is signed. Switching to OAuth 2.0 will make sending authorized requests easier and future proof.
Just need to encode the #. Don't need to go to OAuth2
var url="https....?q="+encodeURIComponent("#hashtag")
and it should work for you.
I am facing the same issue with POSTMAN, and it seems like a bug
I've found this in a different scenario
GET parameters that have been URL encoded need to be decoded before adding to oAuth.
https://github.com/J7mbo/twitter-api-php/pull/112
it seems there is no way to tell postman to not encode, but in my code it just works
Responding to an old post , but using Bearer Token on Postman is working for me to resolve this authorization issue ( code 32) of using #hashtag in query
https://api.twitter.com/1.1/search/tweets.json?q=%23somehastag&result_type=recent
I am getting the following error when I use the linkedin V1 API:
response body: {
"errorCode": 0,
"message": "[unauthorized]. The token used in the OAuth request has been revoked. 75--5cfb9cdb-3c9c-47c2-b3f8-XXXXXXXX",
"requestId": "I2GQ0ZMWIE",
"status": 401,
"timestamp": 1408976297742
}
I am using this guide here, I am doing exactly what this person is doing but I get a different result:
https://github.com/PrincessPolymath/LinkedIn-OAuth-Sample-Client
I have no idea why I get The token used in the OAuth request has been revoked. for an error. The HTTP request is identical. Could it be something with my bundle ID?
I cannot find anything from linkedin on the matter. Why don't linkedin have normal error-code lookups like other API's.
Here are some photos of the two request objects, one from the example and one from mine.
I'm taking a guess here based on my understanding of the problem you're describing, have not tested this. I'm also assuming you got your credentials right...
You should checkout this answer by Kamyar Mohager (#39), he explains how to bypass this error:
When obtaining access token, error occurs if:
POST https://www.linkedin.com/uas/oauth2/accessToken
Body:
{
grant_type=authorization_code,
code={auth-code},
redirect_uri={uri},
client_id={id},
client_secret={secret}
}
The error WON'T occur if you obtain the access token by passing the params as query params:
POST https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code={auth-code}&redirect_uri={uri}&client_id={id}&client_secret={secret}
Error clearly states that the user is authorized to make a call using the token which you are using.
"message": "[unauthorized]. The token used in the OAuth request has been revoked. 75--5cfb9cdb-3c9c-47c2-b3f8-XXXXXXXX",
In the two photos which you pasted above I can see that your request object has different values "tokenKey and tokenSecret" parameters than the example request object, which is correct as your request should have the token information which received from LinkedIn.
But the thing which I don't understand is why both the request objects have same values for "consumeKey & consumerSecret" parameters. I think you need to use your "consumerKey & consumerSecret" with your "tokenkey & tokensecret" to make this OAuth call. "consumer" and "token" detail combination should match then only you will be allowed to make the successful oauth call.
I guess you saw this error because you used your token with some other consumer key.
One more thing I can see that you are passing the "verifier" in your request object hence I want to know are you making a call to get the "access token" which is a 3rd leg of oauth. If yes then there could be scenario that "requestToken" is getting expired before you are making this "access_token" call as "requestToken" is actually a "temporary token" and expires quickly.
HTH...
The issue was code re-use.
As stated in the comments for the API, the API will give you a token and secret upon the first request. This only happens during authentication and then the token and secret can basically be thrown away, and the one issues at developer.linkedin can be used.
I fixed this by constructing my own request object rather than relying on the old HTTPRequestBody in the oAuth process.
Hoping someone can help me out here. I'm using Google Contacts API to fetch a list of contacts. To my understanding, this is done by sending a GET request:
https://www.google.com/m8/feeds/contacts/default/full?alt=json&max-results=9999&oauth_token=OATH_TOKEN_HERE
However, this is wildly insecure as any intruder can gain access to the oauth_token in the URL. To combat this, I'm trying to send this as a POST request with my parameters (alt, max-results, oauth_token) as the data. However, I simply get an error that "Authorization is required". I've tried adding "Authorization: OAuth" to my headers but to no avail (get an error that authorization type is not recognized).
Any advice? I need a secure way to send the oauth token to Google such that my security software won't complain about a security hole in my program ...
Thanks!
To answer your question directly, even though security is irrelevant as you are using HTTPS, you cannot POST to Google to get a list of contacts. Google requires you use Get.
The proper formatting for authorization (Because you can still use a Get and not pass the oauth_token as a query string is to use an HTTP Header formatted:
Authorization: Bearer 1/fFBGRNJru1FQd44AzqT3Zg
Using OAuth 2.0 to Access Google APIs