Coinbase API invalid_token - OAuth 2.0

I am developing an app in C# accessing the Coinbase API. After the user enters their credentials, I get a code from the API on the callback. I exchange the code for an access_token. I do get a token with access_token, token_type, refresh_token, expires_in, scope. Everything is populated from Coinbase.
The problem is when I copy that access_token into Postman, I get back invalid_token. Here is how I make the call:
Api Url:
https://api.coinbase.com/v2/user
With these headers:
Content-Type:application/json
Authorization:bearer <access_token here>
CB-VERSION:2018-02-09
The other interesting thing is that if I paste my access_token into jwt.io it can't read it. It shows the headers with lots of weird ascii chars like: mÖߧÜ
Any clues why this is happening? I use the exact calls in Postman on other Api's and they work fine....
Thanks for the insight,
Jeff

After spending the whole night on this, I FINALLY figured it out and wanted to share. I was exchanging the code for the access_token totally in Postman and I was getting the same error, invalid_token!
Just for fun, I selected the Authorization tab in Postman and selected Bearer Token from the drop-down. I pasted in my access_token and clicked the Preview button. It said my bearer token was applied. I clicked the Send button and voila! It actually worked!! After a few more minutes of investigation, I realized it had put the bearer token auth header in a second time... hmmm, I removed it, and it failed again. At first I thought Coinbase was broken and needed it in there twice??? Naa, could not be it. So, I removed my auth header line and left the one Postman put in there (effectively changing the order of the headers). That did it!
The Fix: changed my headers to:
Content-Type:application/json
CB-VERSION:2018-02-09
Authorization:Bearer <access_token here>
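Added example (not code from the question or the answer above): the /v2/user request the answer arrives at, with exactly one Authorization header spelled "Bearer", plus a check that explains the jwt.io observation in the question: a token that is not three base64url segments with a JSON header is an opaque token, and jwt.io has nothing to decode. The function names and the two sample tokens are invented for this example.

```javascript
// Added example, not code from the original post. Names (classifyToken,
// buildUserRequest, SAMPLE_*) are invented here.

// Decode one base64url segment (no padding, "-"/"_" alphabet) to a UTF-8 string.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// A JWT is three base64url segments whose first segment is a JSON object with
// an "alg" member. Anything else is an opaque token: a string only the issuer
// can interpret, which is why pasting it into jwt.io produced garbage.
function classifyToken(token) {
  const parts = token.split('.');
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) return 'opaque';
  try {
    const header = JSON.parse(base64UrlDecode(parts[0]));
    return header && typeof header.alg === 'string' ? 'jwt' : 'opaque';
  } catch {
    return 'opaque';
  }
}

// The request from the answer, with a single Authorization header. RFC 6750
// spells the scheme "Bearer"; keep that exact spelling rather than "bearer",
// since not every server compares the scheme name case-insensitively.
function buildUserRequest(accessToken, apiVersion = '2018-02-09') {
  if (typeof accessToken !== 'string' || !/^[\x21-\x7e]+$/.test(accessToken)) {
    throw new Error('access token must be one printable ASCII string with no whitespace');
  }
  return {
    method: 'GET',
    url: 'https://api.coinbase.com/v2/user',
    headers: {
      'Content-Type': 'application/json',
      'CB-VERSION': apiVersion,
      Authorization: `Bearer ${accessToken}`,
    },
  };
}

// Constructed samples: a JWT whose header is {"alg":"HS256","typ":"JWT"}, and
// a made-up opaque token of the shape the question describes.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl';
const SAMPLE_OPAQUE = 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0';
```

If classifyToken returns 'opaque' for a token, jwt.io is the wrong tool; the only way to inspect it is to send it to the API (or an introspection endpoint, if the provider offers one) and read the response.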

Related

How to revoke a token in Discord OAuth2.0?

In order to use Discord's API I need a token, and to get it I open a link such as
https://discordapp.com/api/oauth2/authorize?client_id=<client_id>&redirect_uri=<redirect_url>&response_type=token&scope=identify
Then I set the token as authorization (in format Bearer <token>) header of requests that are issued to the Discord's API.
Let's say I want to "logout", so that a certain token can't be used anymore to do such requests. In this case I have to revoke that token, right?
So after reading Discord's documentation and making some adjustments I decided that I have to make a POST request to a URL such as
https://discordapp.com/api/oauth2/token/revoke, and content-type header of this request should be set to x-www-form-urlencoded.
When I do it I'm getting an error message from discord's server with message saying {error: "invalid_client"}
What do I do wrong?
If you come by this question and are wondering what is the full API call to revoke the token, here it is:
POST https://discord.com/api/oauth2/token/revoke
Content-Type: application/x-www-form-urlencoded
data:
client_id: <client_id>
client_secret: <client_secret>
token: <access_token>
So the problem was in the actual format of the data I was sending. I was sending JSON data because I thought that setting specific headers would automatically turn the data into the right format, but it turns out I had to use a FormData object to create the data in the right format. After that I also removed the lines where I was setting the header explicitly, and after these steps everything worked fine.
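Added example (not code from the question or answer above): the revoke request built the correct way (form-encoded body) next to the way the question first tried (JSON body under a form content type), with a parse step that shows why the second one comes back as invalid_client: a form decoder sees the JSON text as a single key with no value, so there is no client_id at all. Function names and the sample credentials are invented here.

```javascript
// Added example, not code from the original post; names are invented here.

const REVOKE_URL = 'https://discord.com/api/oauth2/token/revoke';

// Correct: application/x-www-form-urlencoded body. URLSearchParams does the
// percent-encoding, so the token may contain any characters.
function buildRevokeRequest(clientId, clientSecret, token) {
  const body = new URLSearchParams({ client_id: clientId, client_secret: clientSecret, token });
  return {
    method: 'POST',
    url: REVOKE_URL,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// The mistake from the question: setting the header does not change how the
// body is encoded. A JSON body under a form content type is what produced
// invalid_client.
function buildBrokenRevokeRequest(clientId, clientSecret, token) {
  return {
    method: 'POST',
    url: REVOKE_URL,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: JSON.stringify({ client_id: clientId, client_secret: clientSecret, token }),
  };
}

// What a form-decoding server makes of each body. JSON text contains no "&"
// or "=", so it parses as one key with an empty value and client_id is absent.
function serverView(request) {
  const fields = Object.fromEntries(new URLSearchParams(request.body));
  const hasClient = typeof fields.client_id === 'string' && fields.client_id.length > 0;
  return { fields, verdict: hasClient ? 'ok' : 'invalid_client' };
}

// Sending it (Node 18+ global fetch). Not invoked in this file so it runs offline.
async function revokeToken(clientId, clientSecret, token) {
  const req = buildRevokeRequest(clientId, clientSecret, token);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`revoke failed: ${res.status} ${await res.text()}`);
  return true;
}
```

The same rule applies to every OAuth 2.0 token-endpoint call on this page (token exchange, refresh, revoke): the body is form-encoded, and the header on its own does nothing.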

eBay OAuth invalid_grant when trying to get access token

I'm currently trying to get a small app to authenticate my own user.
First I navigate to
https://auth.ebay.com/oauth2/authorize?
client_id=...&
response_type=code&
redirect_uri=...&
scope=...
This asks me to log in and then gives me an authorization code via the URL.
I url decode this and use postman to request the access token by hitting:
https://api.ebay.com/identity/v1/oauth2/token
with Headers:
Authorization: Basic ...
Content-Type: application/x-www-form-urlencoded
These both appear to be correct, since if I change either of them I get an error saying that they're wrong.
And in the body:
grant_type: authorization_code
redirect_uri: ...
code: ...
Once again these all error individually if I change them to something else.
The error that I get is:
{
"error": "invalid_grant",
"error_description": "the provided authorization grant code is invalid or was issued to another client"
}
Which is very strange to me. This is using the same redirect_uri and client_id as the previous request.
I've tried generating a new redirect url, I've tried rotating the client secret, I've tried not url decoding the auth code, but whatever I try I get the same error.
Interestingly, if I request a grant_type of client_credentials that works perfectly, but is of little use to me.
I'm very confused and the ebay forums are no help whatsoever, any help will be greatly appreciated.
I've actually managed to fix this myself.
I was URL decoding the code using JS's decodeURI, which was not actually decoding anything. I switched over to decodeURIComponent and now it seems to work OK.
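Added example (not code from the question or answer above) showing the decodeURI / decodeURIComponent difference on an eBay-style code, the simpler route of letting the URL parser decode the query value, and a token request that re-encodes the code in the form body so the reserved characters survive the round trip. The callback URL and code below are constructed for this example and are not a real eBay code; function names are invented here.

```javascript
// Added example, not code from the original post; names are invented here.

// Constructed: an eBay-style code carries characters such as ^ # and = that
// arrive percent-encoded in the redirect URL.
const RAW_CODE = 'v%5E1.1%23i%5E1%23f%5E0%23p%5E3%23r%5E1%23I%5E3%23t%5EUl41XzM%3D';
const SAMPLE_CALLBACK_URL = `https://example.com/cb?code=${RAW_CODE}&expires_in=299`;

// The URL parser decodes each query value fully, which sidesteps the choice
// between decodeURI and decodeURIComponent altogether.
function extractCode(callbackUrl) {
  const code = new URL(callbackUrl).searchParams.get('code');
  if (!code) throw new Error('callback URL has no code parameter');
  return code;
}

// decodeURI deliberately leaves escapes for reserved characters (# = & / ? ...)
// in place because it expects a whole URI; decodeURIComponent decodes all of
// them. A half-decoded code is not the code eBay issued, hence invalid_grant.
function compareDecoders(raw) {
  return { withDecodeURI: decodeURI(raw), withDecodeURIComponent: decodeURIComponent(raw) };
}

// Token request: Basic auth from client id and secret, form-encoded body.
// URLSearchParams re-encodes the decoded code, so # ^ = cannot break the body.
function buildTokenRequest({ code, redirectUri, clientId, clientSecret }) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  const body = new URLSearchParams({ grant_type: 'authorization_code', redirect_uri: redirectUri, code });
  return {
    method: 'POST',
    url: 'https://api.ebay.com/identity/v1/oauth2/token',
    headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}
```

When pasting into Postman by hand, paste the fully decoded code into the body field and let Postman encode it; pasting the still-encoded value encodes the percent signs a second time.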

Discord API - random "invalid code" error passing back generated OAuth2 code

I've successfully implemented Discord's OAuth2 flow using the authorization code grant type into my application. The end user navigates to Discord's OAuth2 link for my bot, authorizes its access, and Discord redirects them back to my site with a code querystring. The bot then exchanges this code for an access token by querying Discord's API. Documentation on this process is available here for reference.
However, roughly every 50-100 requests to the exchange endpoint, I receive a 403 with the error invalid_grant and the description Invalid "code" in request. Frankly, I don't understand how the code just provided by Discord's system is instantly invalid. The same user can complete the process again and no error is returned the second time.
Out of desperation, I tried toggling on the option in the Developer Dashboard named Requires OAuth2 Code Grant, seeing that it said "if your application requires multiple scopes," but it had no effect. I've also tried endless debugging, but the circumstances of each occurrence are apparently random. Oddly enough, I can't find anyone with the same issue online.
Below is the request I'm making in Node.js using the superagent library. It matches the documentation and works perfectly, other than the response randomly being the error described.
const superagent = require('superagent'); // the import the snippet relies on

superagent.post('https://discordapp.com/api/v6/oauth2/token')
  .type('x-www-form-urlencoded')
  .set('Content-Type', 'application/x-www-form-urlencoded')
  .send({
    client_id: process.env.BOT_ID,
    client_secret: process.env.BOT_SECRET,
    grant_type: 'authorization_code',
    code, // the value of the code query parameter from the redirect
    redirect_uri: process.env.OAUTH2_REDIRECT_URI,
    scope: 'identify guilds.join',
  });
I can confirm that all variables match their expected values. The value of redirect_uri matches that of redirect_uri in the original URL used. code is the value of the code querystring returned through the OAuth2 flow.
What (if anything) am I doing wrong that's causing the error?
Update 1:
Discord has directed me to the API GitHub repo, and I found the issue closed here. Commented and will update here if I receive any helpful info or resolve the issue completely (hopefully the case).
Ran into the same issue using Node.js. Leaving notes here for posterity:
On Node, if there is no explicit app.head() handler, the .post() handler receives all HEAD requests.
Several Android phones, upon being redirected from Discord, first send a HEAD request to the endpoint.
Meaning:
The user authenticates on Discord, then through the redirect back, the phone does a HEAD request. This calls Discord with the code, BUT directly afterwards it also does a POST request, which will fail (as you already used the code once), and possibly un-authenticates the user.
Solution for my specific issue was an explicit .head handler for all callback endpoints, which basically just returned the same headers (a redirect) as the post one did, but without calling discord.
Hope this helps.
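Added example (not code from the question or the answer above, and not Discord's): a callback handler that answers HEAD without spending the single-use authorization code, next to the naive handler that exchanges on every request. FakeTokenEndpoint stands in for Discord's token endpoint so the file runs offline; it accepts each code exactly once, which is the behaviour the error on this page reflects. The example takes the real callback as a GET (the redirect is a browser navigation); if your callback route is a POST as in the answer, the same HEAD-versus-real-request split applies. All names are invented here.

```javascript
// Added example, not code from the original post; names are invented here.

// Minimal model of a token endpoint: an issued code is accepted exactly once.
class FakeTokenEndpoint {
  constructor() {
    this.issued = new Set();
    this.used = new Set();
  }
  issue(code) {
    this.issued.add(code);
  }
  exchange(code) {
    if (!this.issued.has(code) || this.used.has(code)) {
      return { error: 'invalid_grant', error_description: 'Invalid "code" in request' };
    }
    this.used.add(code);
    return { access_token: `tok-${code}`, token_type: 'Bearer' };
  }
}

function parseCode(req) {
  return new URL(req.url, 'https://example.invalid').searchParams.get('code');
}

// Naive: whatever the method, exchange the code. A HEAD probe sent before the
// real request consumes the code, and the request that follows gets invalid_grant.
function naiveHandleCallback(req, endpoint) {
  const result = endpoint.exchange(parseCode(req));
  if (result.error) return { status: 401, headers: {}, exchanged: false, error: result.error };
  return { status: 302, headers: { Location: '/dashboard' }, exchanged: true, accessToken: result.access_token };
}

// Explicit: HEAD gets the same status and headers as a successful GET but no
// side effects; only GET touches the token endpoint; anything else is refused.
function handleCallback(req, endpoint) {
  if (req.method === 'HEAD') {
    return { status: 302, headers: { Location: '/dashboard' }, exchanged: false };
  }
  if (req.method !== 'GET') {
    return { status: 405, headers: { Allow: 'GET, HEAD' }, exchanged: false };
  }
  const code = parseCode(req);
  if (!code) return { status: 400, headers: {}, exchanged: false, error: 'missing_code' };
  const result = endpoint.exchange(code);
  if (result.error) return { status: 401, headers: {}, exchanged: false, error: result.error };
  return { status: 302, headers: { Location: '/dashboard' }, exchanged: true, accessToken: result.access_token };
}

// Replays the HEAD-then-real-request sequence the answer describes.
function simulate(handler) {
  const endpoint = new FakeTokenEndpoint();
  endpoint.issue('c0de');
  const probe = handler({ method: 'HEAD', url: '/callback?code=c0de' }, endpoint);
  const real = handler({ method: 'GET', url: '/callback?code=c0de' }, endpoint);
  return { probe, real };
}
```

In Express a route registered with app.get also answers HEAD unless an app.head route exists for the same path, so register the HEAD handler explicitly, as the answer did, and keep the code exchange out of it.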
Did you use the OAuth2 link to invite your bot to your server, with the correct permissions? If so, in your main.js file did you define the token?
I.e. bot.login("YOUR_TOKEN_HERE")
I would recommend not toggling 'Requires OAuth2 Code Grant' as it is a pain to do anything with in the beginning.
Please let me know of any progress :)

Satellizer Twitter (oAuth 1.0a) popup does not close

I'm having a good time with Satellizer, except in one case: the Twitter OAuth 1.0a flow. The popup does not close after successfully authenticating a user.
My configuration is:
$authProvider.twitter({
url: '<my server endpoint to get request token (POST)>',
redirectUri: '<my server endpoint to perform oAuth login (GET)>'
});
I have set the callback URI for my Twitter app to be the same as redirectUri (and I also pass it when getting a request token from Twitter).
The flow that I see is this (basically, I get to Step 10 in the OAuth 1.0 flow and then the popup does not close):
User clicks the "Sign in with Twitter" button
The popup appears and an empty POST call is made - my server returns the request token
The user clicks "Authorize Application"
My server receives a GET request for the OAuth login (not a POST as the documentation says I should)
My server correctly authenticates and returns the Bearer token.
And then nothing - it all stops. I suspect because I am responding to a GET not a POST but I can't figure out what is causing the GET.
Any help would be greatly appreciated!
Ben
Apologies everyone - this is my fault. Per my comment above, once I set the redirectUri properly and used just the /auth/provider method it all worked.
Quite simply, on the second call the parameters come through (correctly) in the body. Once I realised that, extracted them, authenticated, and then returned, it all worked like a charm.

Generating Linkedin Access Token

I have been trying with the simple REST Client as well as the REST Plugin for Mozilla. I am getting
"HTTP/1.1 401 Unauthorized" response with
"{"error":"unauthorized_client","error_description":"the client is not authorized"}" in the body.
I have been successful in getting the auth code, and below is the POST request for the access token (scope is r_fullprofile):
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=AQTQeBxBzbU2aNWaQM6Ff3Z3bUd8Gyg10W9G2DdqXgWiP0q7-M55c5PLtppP7Ni3Y-6A9C8yDkj9K4VfJ7QkRUFjuV-3AknA5jAahpsFJv3wYfr8XD8&redirect_uri=https://www.google.com&client_id=75wl6j5zndvfkp&client_secret=secret
The redirect_uri=https://www.google.com is the one used for getting auth code as well.
Do we need to perform any URL encoding before making the POST request?
When I log in to my app on LinkedIn, it shows the tokens below:
OAuth User Token: c3ae4cee-1b23-xxx-9d2a-206f578dee4d
OAuth User Secret: 76bc48cc-c94f-xxx-bf9d-a663f7003383
I am not sure where they are used. We are using the API key & secret key to get the auth code.
Thanks in Advance.
This is a 2-step process.
First, go to:
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=YOUR-API-ID&scope=r_basicprofile&state=STATE&redirect_uri=YOUR-ENCODED-REDIRECT-URI
Then, within 10 secs of receiving the response, go to:
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&redirect_uri=YOUR-ENCODED-REDIRECT-URI&client_id=YOUR-API-ID&client_secret=YOUR-API-SECRET&code=THE-CODE-OBTAINED-IN-FIRST-STEP
The response of the second request will have the actual access token you need to use.
When I followed the two steps I faced an issue where I got an error as
{"errorCode":0,"message":"Access to posting shares denied","requestId":"TYWULO2WPZ","status":403,"timestamp":1497353538016}
So I had to remove the &scope=r_basicprofile since it was preventing reading all the Default Application Permissions
I faced a similar problem and the problem was with the initial authorization code. You should mention the scope=rw_company_admin or whatever it is that you want to authorize to while doing the initial redirect URL call. Something like this -
https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=your_client_id&redirect_uri=https%3A%2F%2Fwww.google.com/&state=12345&scope=rw_company_admin%20r_emailaddress%20w_share%20r_basicprofile
