I developed a Python webapp using Bottle locally and have it (mostly) working on pythonanywhere.
That said, when I try to authenticate a user (which worked on my local installation), I get the following error:
Redirect_uri mismatch: null. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process.
I have updated my fitbit api application settings and triple-checked that my redirect_uri in the setting matches that in my application.
Taking a look at the fitbit docs forums, it appears that this could be a percent-encoding issue where...
https://www.fitbit.com/login?disableThirdPartyLogin=true&redirect=%2Foauth2%2Fauthorize%3Fclient_id%XXXXXXXX%26redirect_uri%3Dhttp%253A%252F%252Fexample.com%252Fcallback%26response_type%3Dcode%26scope%3Dactivity%2Bsleep%2Bweight%2Bnutrition%2Bsettings%26state%3D024
should be...
https://www.fitbit.com/login?disableThirdPartyLogin=true&redirect=%2Foauth2%2Fauthorize%3Fclient_id%XXXXXXXX%26redirect_uri%3Dhttp://example.com/callback%26response_type%3Dcode%26scope%3Dactivity%2Bsleep%2Bweight%2Bnutrition%2Bsettings%26state%3D024
The redirect to the authorization page is being built like this...
#app.route('/aas/<study_id>')
def hello(study_id):
'''This is the primary request page that redirects users to the fitbit api for authorization.'''
authorization_page = f'https://www.fitbit.com/oauth2/authorize' \
f'?response_type=code' \
f'&client_id={CLIENT_ID}' \
f'&redirect_uri={str(REDIRECT_URI)}' \
f'&scope={SCOPE}' \
f'&state={study_id}'
redirect(url=authorization_page)
Is there a way that I can prevent this encoding from happening, just to SEE if that's the problem? I assume it's being done by wsgi.
Any other thoughts/ideas greatly appreciated.
Thanks for looking, folks.
Turns out that I wasn't passing the URI in the Authorization Code Grant Flow (second portion of the oauth handshake) as so...
POST https://api.fitbit.com/oauth2/token
Authorization: Basic Y2xpZW50X2lkOmNsaWVudCBzZWNyZXQ=
Content-Type: application/x-www-form-urlencoded
client_id=22942C&grant_type=authorization_code&redirect_uri=http%3A%2F%2Fexample.com/callback%2Ffitbit_auth&code=1234567890
I still have no idea why it worked on my local server and not on pythonanywhere, but it's fixed.
Related
I am trying to implement the new TikTok Login Kit for Web and am stuck on the getting the access token.
Here's this specific step described in TikTok's doc.
https://developers.tiktok.com/doc/manage-user-access-tokens
I have registered the app.
I am able to reach the OAuth login screens.
I'm also able auth. and get a response from the auth. endpoint with an authorization code.
But when fetching the access token using the said authorization code my POST request comes back to my redirect URL with a "Status=Temporary Redirect, StatusCode=307" in the response.
I assume 307 means there's something missing on the tiktok server, but their support isn't very responsive unfortunately.
Perhaps someone in the community has dealt with this before?
I'm sending my POST request with the following parameters.
URL: https://open-api.tiktok.com/oauth/access_token
?code=atGaIopCm2M9L2vfad0l4IJzzX8qFfg7aButDrjqerJqs5rhIqmWZLLGk1YRJZUZ6-mGBaYxX_asSdw1TNe7NHhvysS99Yz5o4MtkNv2-nA*1
&client_key= <client key in plain text>
&client_secret=<secret in plain text>
&grant_type=authorization_code
Any ideas what could that 307 Error be hinting at in general?
Add -L in your curl command to enable redirections automatically
curl -X -L POST -H 'Content-Type:application/json' --data '{"secret": "xxx","app_id":"xxx","auth_code":"xxx" }' "https://business-api.tiktok.com/open_api/v1.2/oauth2/access_token/"
See the document here:
https://ads.tiktok.com/marketing_api/docs?id=1709207085043713
Cheers everybody,
we have been deeply reading google documentation on exchanging access_token from google in order our (delphi)desktop application to SSO with google from server side. Here is the payload we send first look like:
https://accounts.google.com/o/oauth2/v2/auth?client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&state=E1DF2FBA-0A66-4D69-B594-5EB8F7828AF7&scope=openid+profile&include_granted_scopes=true&code_challenge=C832DA50-E55A-499D-89B8-493BB4123C94&login_hint=test#Speelkriebel.be
Normally after this it redirects me to login in to our test user and after this according to the documentation we send a POST request to the end point token in order to get the access_token and refresh_token...: 'https://oauth2.googleapis.com/token
with the following parameters, the 'code' is generated we also send it as follow:
client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com
grant_type=authorization_code
client_secret=******
code= 4/1AY0e-g4GlavO38PI5Oo3vq04Pc4lMWN77et-02UiVWOsT-IyRQnU1lq19qo
redirect_uri = urn:ietf:wg:oauth:2.0:oob
The response is always
{
"error_description": "Missing code verifier.",
"error": "invalid_grant"
}
We have tried to send the client secret id also, Does it have to do with our code_challenge ? are the end points url and initial url okay? What are we missing? We are using CEF4Delphi as "browser like experience in order for the user to type in their google credentials. We have been reading this: https://developers.google.com/identity/protocols/oauth2/web-server#offline
We were also trying the playground :https://developers.google.com/oauthplayground/
we were sending the initial url in a chrome which generated a "code" and in the playground we inserted the code, and still got the same error of missing code verifier.
Thanks Guys
You seam to have URL encoded a lot of the values try not doing that. Also try using the basic call, before you start adding everything else. It should help you figure out which one of those extra parameters you are sending that's causing your issues.
https://accounts.google.com/o/oauth2/auth?client_id={clientid}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=profile&response_type=code
Also make sure that the client id is from an installed / other type client
This may also help Google 3 Legged OAuth2 Flow
For installed apps, the code challenge and verifier are parameters for enhancing the security of the OAuth flow through PKCE [1].
There is additional documentation about generating a code challenge and verifier here [2].
[1] https://www.rfc-editor.org/rfc/rfc7636
[2] https://developers.google.com/identity/protocols/oauth2/native-app#step1-code-verifier
Trying to add twitter login using OAuth and it has been a nightmare to get the first step of requesting the token, which results in 401 error as always.
I used twitter's Test OAuth tool to compare the http request that my scala server sends.Curl request works while my server request fails. Pasting them below for comparison.
Curl Request
curl --request 'POST' 'https://api.twitter.com/oauth/request_token' --data 'oauth_callback=http%3A%2F%2F0.0.0.0%3A8081%2Fweb' --header 'Authorization: OAuth oauth_consumer_key="wRflKWWomJ9jKeK8wbTk0Jck3", oauth_nonce="46ef029600fcc2a6cbe068eb9711401c", oauth_signature="3ptB%2B6%2Fv9QYGgyQjO9DhuD7pmzA%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1422879905", oauth_version="1.0"' --verbose
Scala server Request
HttpRequest(POST,https://api.twitter.com/oauth/request_token,List(Authorization: OAuth oauth_consumer_key="wRflKWWomJ9jKeK8wbTk0Jck3", oauth_nonce="70449464359328", oauth_signature="yEni23tuzEveIMtDm7%2F8N2anU%2FM%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1422879900", oauth_version="1.0"),HttpEntity(application/x-www-form-urlencoded,oauth_callback=http%3A%2F%2F0.0.0.0%3A8081%2Fweb),HTTP/1.1)
Things I tried:
Made sure timestamp is within 5 minutes
Made sure "Allow this
application to be used to Sign in with Twitter" is set in twitter
settings.
Callback url is set - http://0.0.0.0:8081/web (even tried
proxy names for localhost by changing ip table)
Tried generating request token using Saclaj
Used custom OAuth signature request primarily using OAuth.scala
This 401 twitter request token seems to be a recurring theme for many folks, complicated by various failure points. Any help is much appreciated.
For anyone else facing this issue, I am listing down few things that you could benefit from.
After excruciating attempts of permutations and combinations,
oauth_token had to be a part of the signature (even if its value is
empty string). I am not sure if it is mentioned anywhere and particularly ironic that you had to remove access token and secret while using Twitter's OAuth testing tool (for the Curl command to work properly which took some bloody lot of time to figure out.)
It is good to validate your basestring - Tool
Validating if your signature process is correct - Check point (f)
Another possible scenario
In my Twitter client app settings screen, I set an option "Enable Callback Locking (It is recommended to enable callback locking to ensure apps cannot overwrite the callback url)" and this caused me getting 401 unauthorized error on trying to get request token.
I have a working OAuth process for authorizing with Google. My app can get data from the Google Sites API from areas that only the account used to authorize it has access, so I know that much is working. The trouble is creating new data via the API. I consistently get "Unknown authorization header" when trying to POST to the endpoint. The real frustration appears when I try to use the Google Oauth Playground. I put in the credentials I have, put in the same endpoint and same request body, and try it there -- and everything works perfectly.
I'm using Ruby 1.9.3 on the API side, and I've tried with both oauth-ruby and the Google-written signet client. Both do the same thing. I've verified and re-verified that the credentials are as I expect them to be (both just checking, and using the same ones in the Oauth Playground and seeing them work).
I have no idea why this is happening, because there's precious little information coming from Google's API about what's actually wrong with my request.
For the record, I'm using;
Ruby 1.9.3
oauth-ruby and signet for clients
OAuth 1.0
HMAC-SHA1 hashing
3-legged authorization
As it turns out, the problem was because I was failing to include the Content-Type header in the request. Yes, this didn't make any sense to me, either, considering the error message, but that's what it was.
I'm trying to implement Google OAuth 2 to get access to Google APIs. I follow this guide, using server-side scenario.
I have no problem with getting the code, server redirects to localhost (which is the only server allowed in redirect URIs for now).
To achieve this, I go to https://accounts.google.com/o/oauth2/auth?client_id=whatever.apps.googleusercontent.com&redirect_uri=http://localhost/&scope=https://www.google.com/m8/feeds/&response_type=code page.
Then, I tried using curl (as in guide) to test, if Google's server responds with access token. However, it seems to fail very hard. Only response I can get is {"error":"invalid_client"}. I'm sure I provide everything Google wants me to provide - code, client ID, client secret, redirect URI (localhost) and grant_type=authorization_code.
Whole curl command line is:
curl https://accounts.google.com/o/oauth2/token -d "code=<code>&client_id=whatever.apps.googleusercontent.com&client_secret=<won't tell!>&redirect_uri=http://localhost&grant_type=authorization_code"
Am I missing something? How can I exchange code for access token?
Did you urlencode your client secret and redirect url? That works for me.
Should be http%3A%2F%2Flocalhost instead of https://localhost.
I had the same error until I realized that I was trying to connect with a client ID which I created for iOS. So for me the solution was to create a new API key-secret pair on the API Console with the platform set to "other".
Now I'm getting other errors but that's another story. ;)
Happens when you use wrong Client secret. Make sure you are using correct Client secret from Google API console. I was using Email address since API console displays the information in the following order:
Client ID
Email address
Client secret