Any URL that has in the query string '.profile' returns a 403 error.
For example:
example.com?data=user.profile
I can't just remove the string, because I'm using Google OAuth and upon callback, it's part of scopes.
example.com/callback/?code=###&scopes=https://www.googleapis.com/auth/userinfo.profile#
I guess it is considered a .profile file, but how can I make it behave as expected?
Related
So I am trying to pass a filerepo path as a url parameter in Postman, but it keeps saying its a bad request.
Example:
http://url/api/C:\File
I have also tried the url encoded version, but postman still says bad request:
http://url/api/C%3A%5CFile
I try create simple OAuthHandler.
After my request (using the implicit flow), server send request to my page, with an authorization code. But in query string from server, all parameters starts with hash (#) instead?
In method HandleRemoteAuthenticateAsync, I'm trying to parse query string, but none of the properties contain authorization code or anything like that.
How can I handle hash in query string?
As Joppe and David mentioned in the comments, anything after the hash (#) is part of the fragment, and is not sent to the server by the browser. That's why your server code can't see it.
The implicit flow is for JavaScript clients, not web servers. You want the authorization code flow instead. The redirect will look like:
REDIRECT_URI?code=7a6fa...
Since the code is transmitted in the query string, instead of the fragment, your server-side code will be able to see it.
Steps to reproduce
Register a redirect_uri in the client: http://example.com/publisher/auth
Direct a user to the /oauth/authorize endpoint with the redirect_uri including a query parameter:
https://api.instagram.com/oauth/authorize/?client_id=xxx&redirect_uri=http%3A%2F%2Fexample.com%2Fpublisher%2Fauth%3FinviteId%3D00001000-cf33-11e4-9f26-8789dd0b3e01&response_type=code&scope=basic&type=web_server
For reference, those query parameters are:
client_id=xxx
redirect_uri=http%3A%2F%2Fexample.com%2Fpublisher%2Fauth%3FinviteId%3D00001000-cf33-11e4-9f26-8789dd0b3e01
response_type=code
scope=basic
type=web_server
Authenticate an instagram user and allow the app.
The user is redirected back to the correct redirect_uri.
Use the code query parameter from the redirected URI to post to Instagram's /oauth/access_token endpoint.
Expected behavior
The endpoint responds with 200 and an access token.
ACTUAL behavior
The endpoint responds with:
code=400
error_type = 'OAuthException'
error_message = 'Redirect URI doesn't match original redirect URI'
What I've Investigated So Far
To confirm that this is a problem with Instagram, I checked the API docs which very clearly state that adding query parameters to the redirect URI should be possible. I also tried varying only that query parameter. For example, when replaced with this /oauth/authorize URL I get the expected behavior:
https://api.instagram.com/oauth/authorize/?type=web_server&client_id=xxx&redirect_uri=http%3A%2F%2Fexample.com%2Fpublisher%2Fauth&response_type=code&scope=basic
For reference, those query parameters are:
client_id=xxx
redirect_uri=http%3A%2F%2Fexample.com%2Fpublisher%2Fauth
response_type=code
scope=basic
type=web_server
Notes
This question is actually a duplicate of another question which actually didn't really turn out to be a question, and which never got any answers.
I have submitted a bug with Instagram, but I wanted to see if anyone had found this or come up with a workaround.
Had the same issue today. To get the custom data passed between requests you must include it as state param. My authorize request url looked something like this:
https://www.instagram.com/oauth/authorize?client_id=SOME_CLIENT_ID&response_type=code&redirect_uri=http://example.com/auth/InstagramRedirect/&state=855C0114-F860-420A-AEB1-A276644FCCEA
Notice the & and state=...
You have to provide the redirect_uri with your extra search params as the last parameter:
https://www.instagram.com/oauth/authorize/?client_id=be1b911b487f4919b9c2fb7df0c4142c&type=web_server&response_type=code&scope=basic&redirect_uri=https://wpwifidemo.alepo.net/instagram/joinus/?inviteId=00001000-cf33-11e4-9f26-8789dd0b3e01
User will be redirected to:
https://wpwifidemo.alepo.net/instagram/joinus/?inviteId=00001000-cf33-11e4-9f26-8789dd0b3e01&code=CODE
It might be too late reply for this question. But i faced the same issue today & got this question already posted and solution for passing parameters to authentication URL is as follows.
It seems that your extra parameter is type=web_server , taking that into consideration, your URL for getting for code should be as follows
https://www.instagram.com/oauth/authorize/?client_id=be1b911b487f4919b9c2fb7df0c4142c&redirect_uri=https://wpwifidemo.alepo.net/instagram/joinus/?type=web_server&response_type=code&scope=basic
And then while calling the accessToken API append your redirect_uri parameter with your passed parameter (not the same configured in the app).
e.g.
redirect_uri=http%3A%2F%2Fexample.com%2Fpublisher%2Fauth%3FinviteId%3D00001000-cf33-11e4-9f26-8789dd0b3e01?type=web_server
When I try to generate access token using:
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=xxxxxxxxxxx&redirect_uri=http%3A%2F%2Fws-100945%3A9080%2FArtisWeb%2Findex.html&client_id=xxxxx&client_secret=xxxxx
it's throwing error as:
{"error_description":"missing required parameters, includes an invalid
parameter value, parameter more than once. : Unable to retrieve access
token : appId or redirect uri does not match authorization code or
authorization code expired","error":"invalid_request"}.
Could you guide me on this issue?
The URL itself looks correct so it must be the code that is expired or reused. Make sure the code is used immediately after you receive it and use it only once.
Also make sure that you URL-encode in fact all parameter values, including client_id and client_secret if/since they may contain URL-unsafe characters like '&' and ' '.
I seem to be getting intermittent results back from our OnDemand Jira instance's REST API.
If I properly set the Authorization header to 'Basic [base64login]' & the Content-Type header to 'application/json', and then issue a GET to http://[installation].atlassian.net/rest/api/2/project I get different results each time.
The first result always seems to be an empty JSON array ([]). Subsequent calls seem to work as expected for the most part, but occasionally I get an empty response. Also, if I enter invalid credentials I get an empty response rather than an error / 401 / etc.
Is there some gotcha to using Basic Auth on OnDemand instances? Does it require the additional use of cookies or something else?