I'm using Ruby on Rails for get a token using Oauth2 for Clio app. So, I install the following gem:
gem 'oauth2'
And this is my code:
client = OAuth2::Client.new(CLIENT_KEY_CLIO, CLIENT_SECRET_CLIO, site: SITE)
token = client.auth_code.get_token(code, :redirect_uri => 'http://127.0.0.1/approval')
return token
Where the variable code is send by frontend. And is a code that the clio app send when user make a login in his clio account.
But the redirect_uri URL did not exist. However, I created it and the only thing it does is get the code parameter and return it.
Still, it does not work. According to the documentation I can put the default URL that is https://app.clio.com/oauth/approval but it does not work either. I always have this error:
{
"error": "invalid_grant",
"error_description": "The provided access grant is invalid, expired, or revoked (e.g. invalid assertion, expired authorization token, bad end-user password credentials, or mismatching authorization code and redirection URI)."
}
I remember that this error happened before. But it was solved when the redirect_uri value was changed.
What is wrong with the redirect_uri? Could someone provide me with an example of Oauth2 requests?
seems like it should work readin other threads. Add port to your calback url like or what port your app is running
http://127.0.0.1:3000/approval
In redirect_uri I needed the URL that generate code variable. So, if http://127.0.0.1/approval exists and is accessible by internet but not generate the code so, it's not working. But if I put the correct url that generate code, all it's works.
client = OAuth2::Client.new(CLIENT_KEY_CLIO, CLIENT_SECRET_CLIO, site: SITE)
token = client.auth_code.get_token(code, :redirect_uri => 'http://address_generate_code_from_frontend')
return token
Related
has anyone succeeded in connecting to Linkedin API here?
I followed the instructions on the docs but failed to retrieve the Authorization Code.
Here's the result of my POST request to get the access_token
{
"error": "invalid_redirect_uri",
"error_description": "Unable to retrieve access token: appid/redirect uri/code verifier does not match authorization code. Or authorization code expired. Or external member binding exists"
}
I'm using the https//airbyte.io as a redirect_uri
My GET get request to obtain the authorization token is the following:
https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=78oy2gu644mxz2&redirect_uri=https%3A%2F%2Fairbyte.io&scope=r_ads,r_ads_reporting,r_organization_social
I followed a couple advices in the different thread in SO
double checked my client_id and client_secret
encoded the URI in GET request
added scope parameters to the redirect_url at the POST request
Tested the request with the code within 20 seconds window.
Couple of things:
Ensure your redirect URI is also defined within your app's configuration as an allowed redirect URI. See https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin%2Fmarketing%2Fcontext&view=li-lms-2022-11&tabs=HTTPS1#step-1-configure-your-application. The documentation specifies a certain URL to use when testing with Postman.
In your authorization call, your scopes are comma-delimited. They should be space-delimited and URL-encoded. See https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin%2Fmarketing%2Fcontext&view=li-lms-2022-11&tabs=HTTPS1#step-2-request-an-authorization-code.
I'm trying to implement the authorization code model using the Google Identity Services SDK, as described in Use Code Model. I would like to use the popup mode.
I managed to initialize the code client and receive an auth code with this Javascript code:
tokenClient = google.accounts.oauth2.initCodeClient({
client_id: CLIENT_ID,
scope: SCOPES,
callback: '', // defined later
ux_mode: 'popup',
})
...
tokenClient.requestCode({prompt: 'consent'});
When I receive the auth code in my callback, I relay it to an endpoint on my platform, as described in Step 5: Exchange authorization code for refresh and access tokens and I try to exchange the auth code for a refresh and access token in Python:
flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
'client_secret.json',
scopes=scopes,
state=state
redirect_uri=redirect_uri
)
flow.fetch_token(code=code)
The problem is that I use this code with an empty redirect_uri, I get an error "missing redirect_uri parameter". If I specify a redirect URL defined in Google Cloud Console, I get an error "redirect_uri mismatch". And if I try to use the same redirect_uri as the one sent in the initial popup request (Google seems to use storagerelay://... in this case), I get an error that "it doesn't comply with Google Oauth2 policy".
It appears that in any authorization flow when you get an authorization code on the client side and then pass that to your server for token exchange you have to use the string literal "postmessage" as your setting for redirect_uri.
flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
'client_secret.json',
scopes=scopes,
state=state
redirect_uri="postmessage"
)
flow.fetch_token(code=code)
This very important fact seems to be curiously absent from the documentation from most of the google client libraries, but it works for me. Hope this helps!
I'm having trouble to allow users to logout from an application that uses Keycloak for access management.
I have found this topic being discussed here and there, but not clear instructions on how to handle the logout.
I tried to cause the logout of an user redirecting the browser to an endpoint of the following format:
https://example.com/auth/realms/myrealm/protocol/openid-connect/logout?id_token_hint=mytoken&post_logout_redirect_uri=https://example.com/initialpage/
What I used as "mytoken" was the access_token I had obtained making a post request to the endpoint:
https://example.com/auth/realms/playipintern/protocol/openid-connect/token
passing to it parameters like the ones bellow:
grant_type="authorization_code"
code=code_obtained_from_a_url_to_which_keycloak_redirected_the_browser
client_id=client_id_created_using_key_cloak_gui
redirect_uri=the_to_which_keycloak_redirected_the_browser
and reading the body of the response. The content of the body was a json, like the one bellow:
{
'access_token': 'long_token_I_used_latter_as_token_hint_trying_to_logout',
'expires_in': 300,
'refresh_expires_in': 1800,
'refresh_token': 'other_long_token',
'token_type': 'bearer',
'not-before-policy': 0,
'session_state': 'a_shorter_code',
'scope': 'email profile'
}
My logout attempt resulted in the following message in Keycloaks log:
22:53:51,686 WARN [org.keycloak.events] (default task-24) type=LOGOUT_ERROR, realmId=playipintern, clientId=null, userId=null, ipAddress=192.168.16.1, error=invalid_token
and the response said "We are sorry, session not active".
Now I'm aware that I should have used the id_token and not the access_token to logout, but received no id_token in the json.
Somewhere, someone said I should have included
scope=openid
in the parameters that I used to obtain the token. I did it, expecting to find an "id_token" field in the json, but nothing changed.
Someone else reported to have needed to create a scope (I believe using Keycloak's GUI) named "openid" to obtain the token. That didn't make much sense to me, but I tried it anyway and added the just created scope to the client scopes using Keycloak's GUI again. Oncemore, the json didn't change.
I tried to use the refresh_token as the id_token, but that also resulted in an invalid token message.
I don't know what to try now. Any help is appreciated.
Thank you.
/token endpoint returns only the access token by default. No refresh token is returned and no user session is created on the Keycloak side upon successful authentication by default. Due to the lack of refresh token, re-authentication is required when the access token expires. However, this situation does not mean any additional overhead for the Keycloak server because sessions are not created by default.
In this situation, logout is unnecessary. However, issued access tokens can be revoked by sending requests to the OAuth2 Revocation Endpoint as described in the OpenID Connect Endpoints section:
/realms/{realm-name}/protocol/openid-connect/revoke
Example:
POST /revoke HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
token=45ghiukldjahdnhzdauz&token_type_hint=access_token
You need to put your token in place of 45ghiukldjahdnhzdauz.
token_type_hint can take either access_token or refresh_token as value to define which type of token you want to revoke.
You will have to add scope=openid to your initial request to http://example.com/auth/realms/playipintern/protocol/openid-connect/auth (note the /auth instead of /token at the end) before the redirect from where you copied the access code.
You can find further information and explanation in this article.
I have a hobby project in mind to use battle.net login. I'm wondering how I can obtain the access token from the API after receiving the authorization code.
This is Oauth flow question rather than a battle.net question.
Currently I can successfully authorize the user for my app which is registered in dev.battle.net and then I try to use the authorization code returned from the battle.net login to obtain the access token by sending a request to https://<region>.battle.net/oauth/token.
However I keep receiving this error:
{
"error": "unauthorized",
"error_description": "An Authentication object was not found in the SecurityContext"
}
I use postman extension to send post requests to that uri. I authenticate my request with my client id and secret. I pass redirect_uri (https://localhost), granty_type (authorization_code), code(the code returned from the previous authorization step). However I keep getting the error above.
I couldn't find much about battle.net online. There are other oauth related help articles but couldn't really find my way.
Wondering if you can help me with this easy stuff. I'm just wondering what I'm skipping here.
Here is the documentation:
https://dev.battle.net/docs/read/oauth
https://localhost is added in my mashery dev account's app settings.
Me again, I resolved this problem after trying almost every combination in the universe:)
Steps to apply:
Don't use the same authorization token for different access token trials, they are not valid
Always use https on every domain you test including localhost, you
redirect_uri must be https as well.
You must use the "basic authentication" in the header of your POST request while requesting the token from the authorization code you obtained from the previous step.
This is one of the most important ones: For requesting token, Pass redirect_uri, client key and secret as POST form parameters to the authenticated request. This is interesting because it's already an authenticated request; why would i need to pass my secret again? Anyways, that's how it works.
Here are the full text:
http://hakanu.net/oauth/2017/01/26/complete-guide-of-battle-net-oauth-api-and-login-button/
This is working prototype:
https://owmatch.me
Thanks.
I want users to request Uber rides from my app.
https://developer.uber.com/docs/rides/authentication
Under OAuth 2.0 section at the above url, there are 6 steps :
1. Authorize (done)
2. Receive Redirect (done)
3. Get an Access Token ('invalid_grant' error)
The following screenshot is from Postman.
I tried passing client_id, client_secret, grant_type, redirect_uri and code as params, form-data and x-www-form-url-encoded. But everytime it returns the same error.
I have put 'http://localhost:3000/auth/uber/callback' as redirect url in my Uber App dashboard.
I have even tried the following curl command in the terminal,but it returns the same 'invalid_grant' error
Can someone help me with this issue.
Your postman request looks correct to me. My best guesses at whats going on:
1) You have multiple redirects set up, and you're using one redirect url when you do the authorization phase and a different one when you try and do token exchange
2) You're doing authorization for one client_id, and trying to do token exchange for another
3) You're authorization code has already been used / expired. Keep in mind its only good for one request.
Could you try the following and tell me what happens:
1) Do the authorization flow and pay special attention that the client id and redirect uri you put in your authorization URL are correct
2) After your browser redirects, copy the authorization code out of the redirect URL
3) Put the authorization code into the postman request / curl statement and make sure that the client id / redirect URI is correct when you do it.
Status Code: 401 Unauthorized
{
"error": "invalid_grant"
}
You are using an invalid refresh_token. You can generate multiple
access tokens, but you can only use the latest generated
refresh_token.
You supplied an invalid code when exchanging an authorization code
for an access_token.