Yet another issue with LinkedIn OAuth2.
For a few days now, we have been receiving dozens of OAuth2 responses every day with an empty code parameter (as per https://developer.linkedin.com/docs/oauth2).
There is no error parameter provided, which means that the application has been approved by the user. Only an empty code parameter, and the state parameter (which is not empty and seems ok).
Has anyone encountered this issue? What should we do to fix that? Can we even? It is having a very bad impact on our website, as LinkedIn is the only registration method that we chose to offer, for quality reasons.
Cheers,
Related
I want my app to chat.postMessages to Slack, using the icon_emoji and username parameters so that I sometimes change the icon and name displayed.
From the doc of the method, it seems I have to set as_user to false. But when I do so, I'm getting a missing_scope error: I need scope chat:write:bot. (Same error whether I use my OAuth access token or my OAuth bot user access token)
But from this page I got that they are disappearing? So are the parameters I want to use (icon_emoji and username) going to disappear as well?
No, as of Dec 19 2019, you cannot use icon_emoji, etc
I ran into the same issue, and so I opened a support ticket with Slack. After a few messages back and forth, I got confirmation that this is likely a bug:
With your help I was able to replicate the issue. I suspect this is a bug but I've escalated it to the Granular Bot Token team for a second opinion. As soon as I have more details I will let you know.
Edit:
I've received another update, which I've trimmed down to the essentials:
When building the Granular Bot Token model our team really wanted to use this as an opportunity to slowly deprecate certain API behaviour. The as_user parameter is one of them. See the following comment from (https://api.slack.com/authentication/quickstart).
One effect worth noting: chat.postMessage and other chat.* methods no longer mess around with the as_user parameter. You're granted a single chat:write scope (no :user or :bot is appended). If you call the chat.postMessage method with your bot token, you post as the bot. If you've obtained a user token through the new install flow, and you call the method with your user token, you post as the user.
So in regards to the action you are wanting to take, I'm afraid it's not possible with Granular Bot Token. We also recognized that the error this is throwing is completely unhelpful and confusing for developers. For this, we've created a bug to fix the error that's returned when Granular Bot tokens try to make restricted API calls.
I've requested clarification on whether it is just the as_user part that is deprecated, or the icon_emoji part as well.
Edit 2 (Dec 19, 2019 13:38 EST):
One, probably final, update:
The option for app to change information such as username, avatar and icon via the API is up for debate as well. Currently with Granular Bot Tokens you can only update that information via your API management page.
Which is really unfortunate.
I had to add a Scope to "Bot Token Scopes" with the value of "chat:write.customize".
https://api.slack.com/scopes/chat:write.customize
then I had to re-install my app. And it worked like I expected.
Note: I tried this as it was a suggestion from a comment. but it worked so i am adding it as an answer.
I used this guide to built a showcase - sign in with LinkedIn into a specific site.
Everything worked perfectly until I demonstarted it in front of a wide audience and it broke down :-( It was a great FAIL and I want to know why. Here is what I do:
1.On the sign in page the user may click a Sign in with LinkedIn button and is redirected to similar link:
https://www.linkedin.com/oauth/v2/authorization?redirect_uri=[my_callback]&client_id=[my_client_id]&response_type=code&state=[securely_random]&scope=r_basicprofile%20r_emailaddress
2.The user allows the application and is sent back to my_callback
3.In my_callback I make a POST to https://www.linkedin.com/oauth/v2/accessToken in order to obtain an access token. I use the code sent by LinkedIn, correct client ID and secret. Everything is OK, e.g the response might be:
{
"access_token": [access_token],
"expires_in": 5184000
}
4.I make authenticated requests to fetch the profile data from endpoint https://www.linkedin.com/v1/people/~:(firstName,lastName,email_address)
Headers:
x-li-format: json
Authorization: Bearer [access_token]
I started to get an error 401 occasionally, e.g.:
{
"errorCode": 0,
"message": "Unable to verify access token",
"requestId": "YX21AN6NZG",
"status": 401,
"timestamp": 1483732371224
}
It seems that some of the requests randomly passed nevertheless...
Additional details:
The user is logged in LinkedIn
The user is administrator for the LinkedIn application
I have checked the limitations (throttle limits) at in the application. Available at https://www.linkedin.com/developer/apps. Everything which can be seen is green.
I have tried all advices and hacks from this question
My app is not live
I'm puzzled!
Question: Any obvious mistake?
Question: Is there any hidden throttle limits (or security instruments) for the limitation of the number of access tokens for specific user/app combination? (I'm always using the same user and I tested pretty aggressively before the big FAIL)
UPDATE: In the next two days the Sign in started working smoothly again as described above. No 401-s anymore... :-X I've made no changes to the code base. So is this some kind of throttle limit or just LI was in a bad mood on Friday?
In case someone is curious I got an answer to my problem from LI support:
Unfortunately, we really can't assist with API issues and 3rd party apps. My guess is that there was a hiccup on Friday and you were the victim of bad timing.
I accept the explanation that I was a victim so this answers my question...
I have an access-token that worked to get data through the API, however now it has stopped working. I've carefully read LinkedIn's documentation: https://developer.linkedin.com/docs/oauth2 and have come up with why this can happen.
The docs state, that the user's session is linked with the access-token. Therefore, logging out of the session means the access-token is invalidated. This makes sense because it's exactly what I see happening.
The oauth2 expired-at is just a timestamp of the ultimate time this access-token will be valid. But it can be invalidated at any moment apparently.
Other oauth2 implementations show features for refreshing the access-token, Linkedin does not provide such feature. Therefore a user has to refresh it manually every time. Not sure if this is by design or they haven't got around to it yet. Overall their API feels pretty out-dated.
I am trying to implement oauth2 for yahoo (target is yahoo's contact api). See here: https://developer.yahoo.com/oauth2/guide/#implicit-grant-flow-for-client-side-apps
However, I get the following error:
Oops. Yahoo is unable to process your request.
We recommend that you contact the owner of the application or web site to resolve this issue. [95037]
How to get this resolved? It comes with I use response_type=token (which is needed for Implicit Grant Flow), but works fine for response_type=code
[EDIT]
The request to yahoo (urldecoded):
https://api.login.yahoo.com/oauth2/request_auth?client_id=[CLIENT_ID]&response_type=token&redirect_uri=[PATH]&display=popup&scope=&state={"client_id":"[CLIENT_ID]","network":"yahoo","display":"popup","callback":"_hellojs_23g8z6wk","state":"","redirect_uri":"[PATH]","scope":"friends,basic"}
[UPDATE]
After following the recommendations from HansZ., I was able to resolve it.
Now the issue has come back without changing any code. Basically, it only works when I am logged in with the Yahoo ID that I used to setup the App at Yahoo.
Otherwise, sometimes it goes in loops and chrome says
This webpage has a redirect loop`
rest of the time it gives the error again.
Your state is the problem. I can reproduce the problem by including your URL-encoded state in the authorization request for my Yahoo client. The problem is the length of the state or the total URL. You may revert to using a cookie for maintaining that state and send only the (much shorter) cookie name as the state parameter.
I randomly get the following message when trying to access the graph from my iPhone using Facebook iOS SDK:
response string: {"error":{"type":"OAuthException","message":"Error validating access token: The session was invalidated explicitly using an API call."}}
I'm not sure why this is because I call the graph immediately after I login, so the token should be valid. Also, this happens randomly around 30% of the time. Does anyone know how to go about debugging this issue?
I've been experiencing the same issue. It happens with any graph request after calling authorize immediately after a successful logout callback (with the idea being that a different user can log in from there).
The authorization screen will say that the user's already accepted the permissions (even though they're supposed to be logged out now...) and if they hit ok it will cause the issue. Almost as if the auth process reissues an invalidated token because it doesn't get the memo that they've logged out. However it won't happen if the user hits the "not you?" link and logs in as someone else as intended (or if they log in again as the same user), so this isn't a major issue in my case.
As for an answer / fix, I made mine fix itself by detecting the error response from the graph call and then making another call to authorize. Not ideal though, since it annoys the user with two consecutive app switches...
I am using the ruby twitter gem and oauth to gain access to users twitter accounts. In my code, I have:
unless #user.twitter_authd?
oauth = Twitter::OAuth.new('token', 'secret')
session[:twitter_request_token] = oauth.request_token.token
session[:twitter_request_secret] = oauth.request_token.secret
#twitter_auth_url = oauth.request_token.authorize_url
end
where token and secret have my actual token and secret inserted. When I click on the link to the #twitter_auth_url, I am taken to twitter and asked to grant access. I click allow and then twitter redirects me to my callback URL http://www.mydomain.com/twitter_callback/?oauth_token=fmy2aMvnjVgaFrz37bJ4JuB8r5xN79gsgDQRG4BNY which then hits this code:
oauth = Twitter::OAuth.new('token', 'secret')
logger.info("session[:twitter_request_token] = #{session[:twitter_request_token]}")
logger.info("session[:twitter_request_secret] = #{session[:twitter_request_secret]}")
oauth.authorize_from_request(session[:twitter_request_token], session[:twitter_request_secret])
session[:twitter_request_token] = nil
session[:twitter_request_secret] = nil
#user.update_attributes({
:twitter_token => oauth.access_token.token,
:twitter_secret => oauth.access_token.secret,
})
redirect_to root_path
The twitter request token and secret are being set just fine. However I end up with an authorization error:
OAuth::Unauthorized in MainController#twitter_callback
401 Unauthorized
RAILS_ROOT: /Users/TAmoyal/Desktop/RoR_Projects/mls
Application Trace | Framework Trace | Full Trace
/Library/Ruby/Gems/1.8/gems/oauth-0.3.4/lib/oauth/consumer.rb:167:in `token_request'
/Library/Ruby/Gems/1.8/gems/oauth-0.3.4/lib/oauth/tokens/request_token.rb:14:in `get_access_token'
/Library/Ruby/Gems/1.8/gems/erwaller-twitter-0.6.13.1/lib/twitter/oauth.rb:29:in `authorize_from_request'
/Users/TAmoyal/Desktop/RoR_Projects/mls/app/controllers/main_controller.rb:70:in `twitter_callback'
The code is failing at this line:
oauth.authorize_from_request(session[:twitter_request_token], session[:twitter_request_secret])
when it tries to get an access token. You can see the source code of authorize_from_request here. I am not sure why this is happening. Anyone have ideas?
A bit late to the party but just ran into the same issue myself. I tracked the issue down to the setup of my OAuth app in Twitter. I had initially not specified a callback URL as I was unsure of it.
Once I had setup my rails app I went back to find Twitter had assumed I was a desktop application as I hadn't specified a callback URL. Once I changed this to website and entered a callback URL I stopped getting 400s.
If you're getting error 401 - OAuth::Unauthorized, make sure you edit the settings of your Twitter application as follows:
Application Type: Browser
Callback URL: http://127.0.0.1:3000/auth/twitter/callback
this is an issue about time synchronization of your system with twitter server.
Twitter doesn't allow localhost as part of a valid callback URL.
Instead use http://127.0.0.1:3000/auth/twitter/callback
Hope this helps
This was one of the most annoying things to debug that I have come across. I was outputting in a couple places by accident because the URL's are dynamic and they happened to not be defined in my test case (i use this to display chart data and there is not enough right now so the google chart api URL's are blank). This caused my browser to make multiple requests to my localhost when some pages were loaded. Somehow that made the oauth process crap out. Obviously there is no way for people on S.O. to know about my application specific issue so I had to answer my own question.
I had this same problem and none of the suggestions in this thread worked for me.
I found the problem for me was the TIMESTAMP on my request. The mobile device I was running my scripts on had a jacked up clock. When I updated the system time on my device to the correct time (i.e. now), all of my requests came back "200 OK" instead of "401 Unauthorized".
This problem seems to be caused by twitter not being able to handle connection keep-alive correctly. Make sure you set connection=close http header in the request to twitter. Wasted a weekend debugging this.
not enough info for me, but when was twitter gem last updated? twitter changed their oauth 'stuff' in mid may approx. perhaps you have an old one. I'd update your question to show the callback_url, and make sure you have the right token and secret, which it looks like you don't have.
also, did you put the right callback url in your twitter app page? alot of times that screws you up too.
if that fails use mbleighs twitter_auth instead. it worked for me and is pretty slick.