Implicit grant type: Invalid grant_type parameter value WSO2 - oauth-2.0

I am trying to generate an access token in my application on WSO2 using the implicit grant type, with the following request:
POST /token HTTP/1.1
Host: localhost:8243
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Postman-Token: d6ef6038-9860-bdc6-3867-70af98b37cc6
grant_type=code&response_type=implicit&client_id=CLIENT_ID&redirect_uri=http%3A%2F%2Flocalhost%3A8888%2Fplayground%2Foauth2client&scope=default
And the request returns this error:
{
"error_description": "Invalid grant_type parameter value",
"error": "invalid_request"
}
These are my grant type settings:
Grant Types
Why does this error happen, although the settings include the implicit grant type?

I think you are mixing up a few things. If you want to use the Implicit grant, you don't use the /token endpoint - you get everything from the authorization endpoint. The request could look like this:
/auth?response_type=token&client_id=...&redirect_uri=...
and after a successful authentication, the client gets an access token right away as part of the redirect URL.
If you have a code and you want to exchange it for an access token and a refresh token, you are using the Authorization code grant. Then the correct grant_type value is authorization_code and you must specify the code in the code URL parameter. So the error message you are getting is correct.
Finally, the token endpoint has no response_type parameter. It's a parameter of the authorization endpoint and the correct value for the implicit flow is token, because you want an access token to be returned.
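The distinction drawn in this answer, as an added example that is not part of the original posts: a small checker that runs the question's request body against the token-endpoint rules of RFC 6749, and a builder for the authorization-endpoint request that the implicit flow uses instead. The function names and the `https://as.example/authorize` endpoint are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode

# Token-endpoint grant types from RFC 6749 and the body parameters each requires.
TOKEN_GRANTS = {
    "authorization_code": {"code"},
    "password": {"username", "password"},
    "client_credentials": set(),
    "refresh_token": {"refresh_token"},
}
# Parameters that only the authorization endpoint understands.
AUTHORIZATION_ENDPOINT_ONLY = {"response_type"}


def lint_token_request(body):
    """Return the problems found in a form-encoded token-endpoint body."""
    params = {name: values[0] for name, values in parse_qs(body).items()}
    problems = []
    grant = params.get("grant_type")
    if grant is None:
        problems.append("grant_type is missing")
    elif ":" in grant:
        pass  # extension grants are absolute URIs; the server decides
    elif grant not in TOKEN_GRANTS:
        problems.append(f"grant_type={grant!r} is not a token-endpoint grant")
    else:
        for name in sorted(TOKEN_GRANTS[grant] - set(params)):
            problems.append(f"{grant} requires the {name!r} parameter")
    for name in sorted(AUTHORIZATION_ENDPOINT_ONLY & set(params)):
        problems.append(f"{name!r} belongs to the authorization endpoint")
    return problems


def implicit_authorization_url(authorize_endpoint, client_id, redirect_uri, scope):
    """Build the browser redirect that starts the implicit flow."""
    query = urlencode({"response_type": "token", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope})
    return f"{authorize_endpoint}?{query}"


# Request body copied from the question.
QUESTION_BODY = ("grant_type=code&response_type=implicit&client_id=CLIENT_ID"
                 "&redirect_uri=http%3A%2F%2Flocalhost%3A8888%2Fplayground%2Foauth2client"
                 "&scope=default")

if __name__ == "__main__":
    for problem in lint_token_request(QUESTION_BODY):
        print("-", problem)
    # https://as.example/authorize is a constructed endpoint, not WSO2's.
    print(implicit_authorization_url("https://as.example/authorize", "CLIENT_ID",
          "http://localhost:8888/playground/oauth2client", "default"))
```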

Related

Error in getting access token using client_credentials and authorization_code grant_type

We need to consume an API in an Android application which requires an access token. We tried the client_credentials and authorization_code methods to get the access token.
Getting the following error for client_credentials:
"AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid."
Note: We are passing client_id, client_secret, scope and grant_type in the body of the request.
grant_type:client_credentials
client_id:*
client_secret:*
scope:****
The second method which we tried, "authorization_code", is returning a 200 OK response without any authorization token.
grant_type:authorization_code
client_id:*
client_secret:
scope:
redirect_uri:*
state:12345
response_type:code
response_mode:query
Any pointers on this will be greatly appreciated.
You should try passing scope too along with grant_type etc.
Try
'client_secret' : 'xxxxxxxxxxxxxxxxxxxxxxxx',
'client_id':'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
'scope':'https://graph.microsoft.com/.default',
'grant_type':"client_credentials"
Try with these parameters and see if it works.
Although somewhere in the documentation it is listed as recommended/optional, you have to pass scope in the body along with the other parameters.
Thanks

Getting Bearer token in OAuth2.0 using Rest Assured

For my API testing, I have been getting the Authentication Token with the help of Postman. API uses OAuth2.0 for authentication.
While using Postman, I am entering the details like Token Name, Grant Type, Access Token Url, Client ID, Client Secret, Scope, Client Authentication. Once I click on Request Token, the Bearer token is received and is updated in the Header of the request. Please refer to the attached image.
(Image: Getting OAuth2.0 bearer token with Postman)
But now, I want to do it with Rest Assured using Java. Hence I want to know: how do I get the Bearer token by using Rest Assured?
Assuming you are sending the client id, secret and other details in the query parameters of the GET, and your response header access_token has the value you are looking for:
import io.restassured.RestAssured;
import org.testng.annotations.BeforeTest;

public class Sample {
    String oauth_token;

    // Runs before the tests and stores the token for later requests.
    @BeforeTest
    public void sampletest() {
        oauth_token = RestAssured.given().auth().basic("username", "password")
            .queryParams("client_id", "client_id_value")
            .queryParams("client_secret", "client_secret_value")
            .queryParams("grant_type", "authorization_code")
            .queryParams("redirect_uri", "https://someuritoredirect")
            .queryParams("otherparams", "sampleparam")
            .when().get("https://uri.to.get.hostname.com/oauth2/access_token")
            .then()
            .statusCode(200)
            // Reads the token from the response header named access_token.
            .extract().header("access_token");
    }
}

Auth0 JWT Access Tokens

I am having difficulty getting Auth0 to return access tokens in JWT format. I need them in JWT format in order that I can verify them using a Java JWT library.
I am using Auth0 lock to login, and use /oauth/token to get the access token - I have tried setting the audience to our API identifier (in multiple places including the lock auth params, and the /oauth/token payload), without success - the access token is returned however not a JWT.
Alternatively, is there a Java library for validating "native" Auth0 access tokens?
var options = {
    auth: {
        redirectUrl: '<redirect_link>',
        responseType: 'code',
        params: {
            audience: '<API_identifier>',
            scope: 'openid offline_access'
        }
    },
    allowedConnections: ['Username-Password-Authentication']
};
var lock = new Auth0Lock('<clientId>', '<auth0_Host>', options);
lock.show();
The returned code is used to POST to https://<host>/oauth/token with data:
client_id=<client_id>&redirect_uri=<redirect_url>&client_secret=<client_secret>&code=<returned_code>&grant_type=authorization_code&audience=<API_identifier>
Which is successful but the access token is not JWT, for example: "access_token":"sG99DAJI789SYgTj"
Using the scope openid returns an id_token in JWT format, but from reading the documentation this token should not be used for API authorisation.
It seems Auth0 is using OpenID Connect, which is an extension of OAuth2. After a successful end-user authentication, the server returns an ID Token in JWT format and an access token.
ID Token
The ID Token is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims. The ID Token is represented as a JSON Web Token (JWT) [JWT].
You can validate the ID Token at the client side using any JWT library, but the validation rules for access tokens are different:
3.2.2.9. Access Token Validation
To validate an Access Token issued from the Authorization Endpoint with an ID Token, the Client SHOULD do the following:
Hash the octets of the ASCII representation of the access_token with the hash algorithm specified in JWA for the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, the hash algorithm used is SHA-256.
Take the left-most half of the hash and base64url encode it.
The value of at_hash in the ID Token MUST match the value produced in the previous step.
So, basically, to validate it you need to compute the digest of the access_token using the hash algorithm of the ID Token, and check that it matches the at_hash claim of the ID Token.
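The three quoted validation steps, written out as an added example that is not part of the original answer. It covers only the at_hash comparison: the ID Token's signature, issuer and audience must already have been verified with a JWT library before its claims are trusted. The sample ID Token is constructed inline with a placeholder signature, and the helper names are illustrative.

```python
import base64
import hashlib
import hmac
import json

# JWS alg families whose numeric suffix names the SHA-2 variant (RS256 -> SHA-256).
_HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compute_at_hash(access_token, alg):
    """Left-most half of hash(access_token), base64url encoded without padding."""
    if alg[:2] not in ("RS", "PS", "ES", "HS") or alg[2:] not in _HASHES:
        raise ValueError(f"unsupported alg for at_hash: {alg!r}")
    digest = _HASHES[alg[2:]](access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def access_token_matches(access_token, id_token):
    """Compare the token with at_hash; the ID Token signature must already be verified."""
    header_b64, payload_b64, _signature = id_token.split(".")
    alg = json.loads(b64url_decode(header_b64))["alg"]
    expected = json.loads(b64url_decode(payload_b64)).get("at_hash")
    if not isinstance(expected, str):
        return False  # no at_hash claim, so nothing binds the two tokens
    return hmac.compare_digest(expected, compute_at_hash(access_token, alg))


def make_sample_id_token(access_token, alg="RS256"):
    """Constructed ID Token with a placeholder signature, for the demo only."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    claims = {"sub": "user-1", "at_hash": compute_at_hash(access_token, alg)}
    return f"{header}.{b64url(json.dumps(claims).encode())}.c2lnbmF0dXJl"


if __name__ == "__main__":
    token = "sG99DAJI789SYgTj"  # opaque access token value quoted in the question
    id_token = make_sample_id_token(token)
    print(access_token_matches(token, id_token))            # genuine pair
    print(access_token_matches("swapped-token", id_token))  # substituted token
```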

Cannot get OAuth 1.0 Token in OpenBankProject request due to missing oauth_callback

I'm trying to use OpenBankProject to get a token, but in Postman I cannot do this: I get Status 400 Bad Request and the message that the following parameters are missing: oauth_callback.
From the docs I got the info that it should be:
Method POST
Authorization: Add params to header
Content-Type: application/x-www-form-urlencoded
Signature Method: HMAC-SHA256
Generated Consumer Key and Consumer Secret
And I tried to add the value oauth_callback="___" to the Authorization key, and it returned the same error as mentioned above.
Any idea how to add oauth_callback to this request?
Best regards

Check the "grant_type" parameter

I am using OAuth 2.0 for authorization according to this documentation (https://developers.vendhq.com/documentation/oauth.html#oauth) and am getting this error:
"error": "invalid_request", "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"grant_type\" parameter."
Request
Method : POST
Content-Type: application/x-www-form-urlencoded
URL : https://{domain_prefix}.vendhq.com/api/1.0/token
Parameters :
code = {code}
client_id = {app_id}
client_secret = {app_secret}
grant_type = authorization_code
redirect_uri = {redirect_uri}
As per the RFC6749, section 4.1.3, the encoded body of a POST request should look like code={code}&client_id={app_id}&client_secret={app_secret}&grant_type=authorization_code&redirect_uri={redirect_uri}.
Example:
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&client_id=CLIENT_ID_1234&client_secret=CLIENT_SECRET
Do not forget to encode the redirect Uri: http://foo.bar/ => http%3A%2F%2Ffoo.bar%2F
Concerning the authentication error, it may be because the authorization server does not support the client secret in the POST request (or your client is not allowed to use it).
Then try to add the Authorization header with the basic authentication scheme.
The value of this header is Basic {ENCODED_AUTHENTICATION} with {ENCODED_AUTHENTICATION} = base64(client_id + ':' + client_secret)
With this header, the client_id and client_secret in the post request have to be removed. Your request parameters become code={code}&grant_type=authorization_code&redirect_uri={redirect_uri}.
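The two ways of sending the client credentials described in this answer, as an added example that is not part of the original post. It builds the headers and the encoded body for each variant using the values from the answer's example; the function names are illustrative, and nothing is sent over the network.

```python
import base64
from urllib.parse import quote_plus, urlencode


def basic_client_auth(client_id, client_secret):
    """Authorization header value for HTTP Basic client authentication."""
    # RFC 6749 section 2.3.1 form-encodes each half first; for ids and secrets
    # without reserved characters this equals base64(client_id + ':' + client_secret).
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def code_exchange_request(code, redirect_uri, client_id, client_secret, use_basic):
    """Return (headers, body) for the authorization_code token request."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    fields = {"grant_type": "authorization_code", "code": code,
              "redirect_uri": redirect_uri}
    if use_basic:
        # Credentials travel only in the header, never duplicated in the body.
        headers["Authorization"] = basic_client_auth(client_id, client_secret)
    else:
        fields["client_id"] = client_id
        fields["client_secret"] = client_secret
    return headers, urlencode(fields)  # urlencode percent-encodes redirect_uri


if __name__ == "__main__":
    # Values from the answer's example body.
    args = ("SplxlOBeZQQYbYS6WxSbIA", "https://client.example.com/cb",
            "CLIENT_ID_1234", "CLIENT_SECRET")
    for use_basic in (False, True):
        headers, body = code_exchange_request(*args, use_basic=use_basic)
        print(headers.get("Authorization"), body)
```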
You will need to check the URL to which you are attempting to send your POST to. The service that you are attempting to contact does not exist or is currently unavailable.
