Does Play send a CSRF header in the response or does it expect a CSRF token in requests - playframework-2.6

My application is not working due to a CSRF error. I am getting a 403 response. All I have understood so far is that when I send a POST message (form), Play expects a CSRF token. But I am unable to find out where this token comes from.
Is Play supposed to send this token first to a client and the client is supposed to return it in every request? What is the header which carries this token? Is it csrfToken or Csrf-Token?
I checked the 200 OK response of the 1st request. I didn't see any CSRF token.
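The round trip the question is asking about, as an added illustration that is not Play's own code: Play's filter keeps a signed token in the session cookie and expects the client to echo it back as the form field csrfToken or the header Csrf-Token. This Python model assumes a simplified signing scheme (HMAC tag plus raw token) and a constructed application secret; Play's real filter lives in play.filters.csrf and only rejects requests whose echoed token does not match the session's.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret standing in for play.http.secret.key.
APP_SECRET = b"constructed-application-secret"

def sign_token(raw: str) -> str:
    """Signed token = HMAC tag + '-' + raw token; a client cannot mint one."""
    tag = hmac.new(APP_SECRET, raw.encode(), hashlib.sha256).hexdigest()
    return f"{tag}-{raw}"

def extract_raw(signed: str) -> Optional[str]:
    """Return the raw token if the signature verifies, else None."""
    tag, _, raw = signed.partition("-")
    if not raw:
        return None
    expected = hmac.new(APP_SECRET, raw.encode(), hashlib.sha256).hexdigest()
    return raw if hmac.compare_digest(tag, expected) else None

def issue_token(session: dict) -> str:
    """Server side of the first GET: store a signed token in the (signed) session
    cookie and return the same value for the template to embed in the form."""
    token = sign_token(secrets.token_hex(16))
    session["csrfToken"] = token
    return token

def check_request(session: dict, form: dict, headers: dict) -> bool:
    """Server side of the POST: the token echoed as form field 'csrfToken'
    (or header 'Csrf-Token') must carry the same raw token as the session."""
    expected = extract_raw(session.get("csrfToken", ""))
    sent = form.get("csrfToken") or headers.get("Csrf-Token")
    if expected is None or sent is None:
        return False  # no session token, or client sent nothing: 403
    actual = extract_raw(sent)
    return actual is not None and hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    session = {}                      # what the PLAY_SESSION cookie would hold
    token = issue_token(session)      # rendered into the form by the template
    print("form field accepted:", check_request(session, {"csrfToken": token}, {}))
    print("header accepted:    ", check_request(session, {}, {"Csrf-Token": token}))
    print("missing token:      ", check_request(session, {}, {}))
```

A request that arrives with no token at all, or whose session has none, is the 403 case the question describes.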

Related

Why OAuth2 implicit flow relies on iframes?

I saw in a few places that Implicit flow clients use an iframe to get a new token silently, without user interaction. Why is that? Why can't the client just send a GET request to the authorization server and retrieve the token from the returned HTTP 301 response?
I saw iframe mentioned in these places:
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas
https://auth0.com/docs/authenticate/login/configure-silent-authentication
I found this post: OAuth2 Implicit Flow - IFrame Refresh Identity. It says that the request sent from iframe carries a cookie with it. Is it not possible to attach such a cookie from a JS request?

Getting "token is Invalid" with Okta OAuth request, why?

I am trying to call the Okta logout API from the client. But it ends up with 404 Bad request. It expects 3 parameters: id_token_hint, post_logout_redirect_uri and state (optional). I am sending the request with the format
https://{oktaDomain}.com/oauth2/default/v1/logout?id_token_hint={someToken}&post_logout_redirect_uri={someUri}
The purpose is just to wipe out the user session at Okta by making some implicit call and redirecting the user to {someUri}. This URI has been registered in the Okta configuration under Logout redirect URI, as per the documentation. After all these efforts, whenever I send the request it returns 404 Bad request (token is Invalid).
The id_token_hint which I am passing is the JWT id_token, which was returned at the time of authorizing the user (login).
Not sure what I am missing?
Is id_token_hint a different token from id_token?
Or is there any problem with the URL itself?

Box API access token: invalid_client

I am trying to work with the Box API and need an access token. I followed the tutorial video here: https://www.youtube.com/watch?v=ha26tN8amI0 to get an authorization code and then exchange it for an access and refresh token. Here is the POST request I made in Postman:
https://api.box.com/oauth2/token?grant_type=authorization_code&client_id=<my_client_id>&client_secret=<my_client_secret>&code=<code_given_on_redirect>&redirect_uri=http://0.0.0.0
The response I get is:
{
"error": "invalid_client",
"error_description": "The client credentials are invalid"
}
Unless I am completely losing my mind, I am positive I am entering the correct client_id and client_secret from my application page. (I tried several times.)
I sent this POST request less than 30 seconds after the code was generated.
Any idea what I might be missing? Thanks.

Coinbase iOS client getting Error 403 on send_money

When I am sending Bitcoins using the send:to:withNotes:withHandler: method, the failure block gets invoked with an error whose localized description mentions error 403 forbidden.
A 403 response from the Coinbase API usually means your API key or OAuth token is lacking the required scopes for the specific request you are making.
Based on the name of the method, it sounds like it would be the Send Money request, which requires the wallet:transactions:send scope/permission.
You can check which permissions you have for an API key or OAuth token using the Show Authorization Info request.

Using the same OAuth token for multiple Twitter requests

I am working on an app that uses the same OAuth token and OAuth token secret for multiple requests to post a tweet on behalf of a user. On the first request, the tweet is successfully posted. However, on subsequent requests I get an HTTP Error 403: Forbidden. Could this be caused by reusing the OAuth tokens? I am also tweeting the same message on each request.
There are two components of a Twitter error response, the HTTP status code (in this case 403) and an error code that provides more detail on the cause of the failure. Which error code are you seeing in the JSON response? It's possible that the error is regarding duplicate tweets.
Twitter REST API error codes