Actions on google - account linking - oauth

My problem with linking the account is that I don't know which of my "request contains an invalid argument" when it comes to testing my Google Assistant. It is for sure a problem with account linking.
My setup is:
Grant type: authorization code
Client-ID: client-id from google project -> oauth
Client secret: client-secret from google project -> oauth
Authorization url: https://accounts.google.com/o/oauth2/auth
Token url: https://accounts.google.com/o/oauth2/token
scopes: email
add quick account link is checked
auto google sign-in is checked
gsi client id: https://accounts.google.com/o/oauth2/auth
testing instructions are formatted as follows (username first line, password second line):
username-mail#gmail.com
passwordasplaintext
This is my configuration. I have no idea what's wrong with it. The client id and client secret are for sure correct. Any suggestions what might cause that I'm not able to link the account?
Thanks!

While there may be other problems (it is difficult to tell), at least part of the problem is that the GSI Client ID... isn't a Client ID. It shouldn't be a URL, but should be the Client ID you make on the Credentials page of your Google API Console (not the Actions Console).
To make that Client ID:
Go to the Credentials page for your project.
Click the Create Credentials button.
Select OAuth Client ID.
Select Web Application.
Enter a name
You can skip the Authorized JavaScript Origin, but set the Authorized Redirect URI to the OAuth redirect URL, which should be in the form https://oauth-redirect.googleusercontent.com/r/your-project-id-000000 (replacing your project ID)
Click Create
On the Credentials page, you will see a list of OAuth 2.0 Client IDs. You'll want to get the Client ID from this table and use this in the GSI Client ID field.

Related

Error response when using Resource owner password credentials flow (ROPC) in Azure Active Directory

I am trying to set up a resource owner password credentials flow (ROPC) in Azure Active Directory.
My objective is to generate an OAuth 2.0 Access token using my Company org AAD username/password.
I have registered an AAD App with Application (client) ID: “d76b7a4f-xxxxx-xxx” that has these permissions:
I then used Postman to send a request:
However, I am getting this above error. The username/password is correct, but still I am not sure why I am getting this above error message. Probably something to do with the "invalid_grant"?
I have followed these Microsoft articles to build up this ROPC flow:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow
In the above 2nd article, I am missing this part (Create a resource owner user flow): https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow#create-a-resource-owner-user-flow
Maybe that is the reason? Please note, I also don't have an admin role at my company's AAD.
What I am targeting here is to generate the identity of the AAD user in the form of an access token, which is then passed onto the backend system, which then responds based on the identity of the user accordingly.
I could generate the access token using the “client_credential” flow (see below), but I need the access token against the owner password credentials flow (ROPC).
Could you please help me out here.

OAuthPrompt/SignIn for AzureAD always defaults to SSO credentials. How to request for alternate creds?

I have made a bot for a customer.
The purpose is to run admin commands through a secured API.
For this, they need to be
Logged on the teams using their standard account
When they execute an admin command, bot asks for OAuth Login (Connection is set to AzureAD v2 mode).
In teams / tester in portal, it never asks for credentials, it just defaults to the logged on user.
How do I make it always just ask for credentials?
One way is to make a separate AzureAD, but that then requires the customer to pay for Premium AD once again, to be able to assign the AzureAD Roles defined for the admin API to groups and not single users.
So this is not a very good solution.
They can also add a Teams license to their admin account, but that breaks the whole workflow and reason to have a bot, because they would have to have a browser open with admin creds logged into Teams.
I hope this is possible, otherwise I am super sad that some amazing admin scenario possibilities are lost. Unfortunately none of our enterprise customers would allow triggering various admin APIs using the employees' standard account.
I'm not sure if this totally answers your question and I'm a bit confused by what you want, but from what I'm understanding:
I followed this documentation here: https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/add-authentication?tabs=dotnet%2Cdotnet-sample
The sample has a bot that authenticates with Azure AD; it pops up the Azure login window every time for me in Teams. A "please sign in" button appears, then you click sign in, and it pops up the login window, from which you can get the token and use that to call Graph etc.
I tested this out and when I talk to the bot, it always asks me to sign in, so hopefully this is what you're looking for? If not, please specify which part it's missing, thanks.
Edit: the instructions are for the AAD v1 endpoint, but if you want to use the v2 endpoint, it's nearly the same, just less to type. Also you need to enter the scopes that you give API permissions to, e.g. "User.Read User.ReadBasic.All etc."
Update
So upon further discussion I saw what your issue was. What you need to do is the following: in the bot channels registration -> settings -> OAuth connection settings, take note of your values and delete it.
Then create a new one, under same name,
with these parameters,
service provider: Oauth 2 Generic Provider
ClientID: same as before
secret: same as before.
scope list delimiter: ' '
authorization URL Template: https://login.microsoftonline.com/common/oauth2/v2.0/authorize (Replace Common with your tenant, just because i was using common)
Auth URL Query string template (this is key): ?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}&scope={Scopes}&state={State}&prompt=login
token url template: https://login.microsoftonline.com/common/oauth2/v2.0/token (again replace common with your tenant id)
token url query string template: ?
token body template: code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}&client_id={ClientId}&client_secret={ClientSecret}
refresh url template: https://login.microsoftonline.com/common/oauth2/v2.0/token (again replace common with your tenant id)
refresh url query string: ?
refresh body template: refresh_token={RefreshToken}&redirect_uri={RedirectUrl}&grant_type=refresh_token&client_id={ClientId}&client_secret={ClientSecret}
scopes: Mail.Read Mail.Send User.Read User.ReadBasic.All (or whatever your scopes are)
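To see what those templates actually produce before saving them in the portal, here is an added example (not code from the answer above or from the Bot Framework) that renders the Generic OAuth 2 Provider templates into concrete requests. The tenant, client values, redirect URL and state passed in are constructed placeholders; every other string is taken from the answer.

```python
# Added example: render the Generic OAuth 2 Provider templates from the
# answer into a concrete authorize URL, token body and refresh body so each
# field, above all prompt=login, can be inspected offline.
from urllib.parse import parse_qs, quote

# Templates as given in the answer; "{Tenant}" stands for the literal "common".
AUTHORIZE_URL = "https://login.microsoftonline.com/{Tenant}/oauth2/v2.0/authorize"
AUTHORIZE_QUERY = ("?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}"
                   "&scope={Scopes}&state={State}&prompt=login")
TOKEN_URL = "https://login.microsoftonline.com/{Tenant}/oauth2/v2.0/token"
TOKEN_BODY = ("code={Code}&grant_type=authorization_code&redirect_uri={RedirectUrl}"
              "&client_id={ClientId}&client_secret={ClientSecret}")
REFRESH_BODY = ("refresh_token={RefreshToken}&redirect_uri={RedirectUrl}"
                "&grant_type=refresh_token&client_id={ClientId}&client_secret={ClientSecret}")


def render(template, **values):
    """Substitute {Name} placeholders, percent-encoding every value so the
    space-delimited scope list and the redirect URL survive as one parameter."""
    for name, value in values.items():
        template = template.replace("{" + name + "}", quote(str(value), safe=""))
    return template


def authorize_request(tenant, client_id, redirect_url, scopes, state):
    """URL the user's browser is sent to. prompt=login is what forces a fresh
    sign-in instead of silently reusing the Teams SSO session; state must be
    a random per-request value that the caller verifies on return."""
    return render(AUTHORIZE_URL, Tenant=tenant) + render(
        AUTHORIZE_QUERY, ClientId=client_id, RedirectUrl=redirect_url,
        Scopes=" ".join(scopes), State=state)


def token_request(tenant, code, client_id, client_secret, redirect_url):
    """(url, form body) for exchanging the authorization code."""
    return render(TOKEN_URL, Tenant=tenant), render(
        TOKEN_BODY, Code=code, RedirectUrl=redirect_url,
        ClientId=client_id, ClientSecret=client_secret)


def refresh_request(tenant, refresh_token, client_id, client_secret, redirect_url):
    """(url, form body) for renewing an expired access token."""
    return render(TOKEN_URL, Tenant=tenant), render(
        REFRESH_BODY, RefreshToken=refresh_token, RedirectUrl=redirect_url,
        ClientId=client_id, ClientSecret=client_secret)


def params(url_or_body):
    """Decode a rendered URL query or form body back into a dict for inspection."""
    query = url_or_body.split("?", 1)[-1]
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


if __name__ == "__main__":
    # Constructed placeholder values.
    url = authorize_request("contoso.onmicrosoft.com", "client-id-placeholder",
                            "https://redirect.example/callback",
                            ["User.Read", "Mail.Read"], "random-state-placeholder")
    print(url)
    print(params(url)["prompt"], params(url)["scope"])
```

The encoding step matters in practice: a scope list pasted with literal spaces or a redirect URL containing "&" would otherwise be split into extra query parameters and the authorize request would fail.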

Google Action not refreshing access token

The account linking and authentication process for my Google Action works just fine, except once the access token expires, it is not being refreshed.
I have the following settings:
No account creation outside of website
linking type: OAuth & google sign in
Flow: Authorization code
OAuth & google sign in client information:
Entered client id,
Entered client secret,
Entered Authorization Url (seems to work just fine as I am able to authenticate)
Entered Token Url: https://sod.superoffice.com/login/common/oauth/tokens (This is a default url provided by the service I'm authenticating with)
Some additional information about the parameters my external service expects to receive in order to refresh the access token:
https://{env}.superoffice.com/login/common/oauth/tokens?
grant_type=refresh_token&
client_id=4ref5376616343b38d14ddcd804f2654&
client_secret=18f45229e442772a78df5f554e24a456&
refresh_token=nKHwerkjh34Yd6QShsnGKk4cFhTwCv3XtJu9PW2X63MtUMygLdI57BJjwCU0&
redirect_url=http://localhost/callback
The access token expires every hour and then forces me to relink my Google account with the external service. To me this seems to indicate that the access token is not being refreshed.
Any suggestions...?
I fixed it by removing all of the parameters I thought you had to provide at the authorization URL field. Instead of just providing the URL, I also included the parameters such as the redirect url, scope, client id etc.
By just providing the authorization & token URL without any additional parameters I have fixed my issue.

Apigility OAuth2, link between User and Client/AuthorizationCode

I'm struggling with OAuth2 authorization, authentication and user linking.
What I've done so far:
I've created a client and its secret.
All redirects and so on are working. Grant type password works for own native app (e.g. Android and iOS)
But for access token, user_id is NULL if grant type is Authorization code.
How can I assign a user to access token or authorization code?
Is there a module for Apigility to provide login screen? I only get asked for "allow" or "disallow" application but I'm never asked for a username and password.
Update:
Question is related to providing OAuth2 access to third party pages, e.g. IFTTT. They open the /oauth/authorize page and somewhere I have to guide the user to a login to determine the related user? Is there an existing module for this?
Third party sites, e.g. IFTTT do not use password grant type for security reasons. And compared to other pages the workflow is: Is user authenticated? Yes: Show Accept/Decline button. No: User has to login and will be redirected afterwards to /oauth/authorize page. So is there a common way in apigility to check if user is logged in and if not, redirect to a login mask?
To authenticate with username and password using OAuth2 you should use the grant_type=password.
I'm not sure if there is a login screen in Apigility. But I don't think it should have one, because Apigility already allows this by one or more endpoints through OAuth2, more specifically by OAuth2 Server Library for PHP.
How to do
Add the grant type to client:
On your client table (oauth_clients.grant_types column) set "password".
Create a new authentication adapter type=oauth2.
Create a POST to the authentication url like below.
url=localhost:8080/oauth, where localhost:8080 is where the apigility is running and /oauth is the configured auth adapter url.
payload:
{
"username": "USERNAME",
"password": "PASSWORD",
"grant_type": "password",
"client_id": "CLIENT_ID"
}
When the login succeeds it will return the access token.
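The two things that decide the outcome in this answer (whether "password" is in the client's oauth_clients.grant_types column, and whether a user is bound to the token) and the refresh_token grant the Google Action question above depends on are easiest to see in a small model of the token endpoint. The following is an added example written for this page; it is not Apigility's code, not the OAuth2 Server Library for PHP, and not the superoffice.com endpoint. The client rows, the user, the password and the one-hour lifetime are constructed sample data.

```python
# Added example: an in-memory model of an OAuth2 token endpoint covering the
# password, authorization_code and refresh_token grants, with per-client
# grant-type allow-listing (the oauth_clients.grant_types column).
import secrets
import time

# Constructed sample rows standing in for the oauth_clients and user tables.
# "native-app" is a public client (no secret), like the question's Android/iOS app.
CLIENTS = {
    "native-app": {"secret": None, "grant_types": {"password", "refresh_token"}},
    "web-client": {"secret": "web-secret",
                   "grant_types": {"authorization_code", "refresh_token"}},
}
USERS = {"alice": "correct horse battery staple"}  # constructed; real stores hash passwords


class TokenStore:
    """Stand-in for the access-token, refresh-token and code tables.
    `now` is injectable so expiry can be exercised without waiting an hour."""
    def __init__(self, now=time.time):
        self.now = now
        self.access, self.refresh, self.codes = {}, {}, {}


def _issue(store, client_id, user_id, ttl=3600):
    """Mint an access token bound to user_id plus a fresh refresh token."""
    at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    store.access[at] = {"user_id": user_id, "client_id": client_id,
                        "expires_at": store.now() + ttl}
    store.refresh[rt] = {"user_id": user_id, "client_id": client_id}
    return {"access_token": at, "token_type": "Bearer",
            "expires_in": ttl, "refresh_token": rt}


def issue_code(store, client_id, user_id):
    """What /oauth/authorize hands back after the user logged in and clicked
    Allow. Issuing a code with no authenticated user is how user_id ends up
    NULL on the access token later, so refuse it here."""
    if user_id is None:
        raise ValueError("authorize must sit behind a login: no authenticated user")
    code = secrets.token_urlsafe(16)
    store.codes[code] = {"user_id": user_id, "client_id": client_id}
    return code


def _secret_ok(client, form):
    if client["secret"] is None:  # public client: nothing to check
        return True
    return secrets.compare_digest(client["secret"].encode(),
                                  form.get("client_secret", "").encode())


def token_endpoint(store, form):
    """Handle the form fields of a POST to the token URL; returns the JSON body."""
    client = CLIENTS.get(form.get("client_id"))
    if client is None or not _secret_ok(client, form):
        return {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant not in client["grant_types"]:
        # The failure mode of a client whose grant_types column lacks the grant.
        return {"error": "unauthorized_client"}
    client_id = form["client_id"]
    if grant == "password":
        pw = USERS.get(form.get("username"))
        if pw is None or not secrets.compare_digest(pw.encode(),
                                                    form.get("password", "").encode()):
            return {"error": "invalid_grant"}
        return _issue(store, client_id, form["username"])
    if grant == "authorization_code":
        rec = store.codes.pop(form.get("code"), None)  # single use
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        return _issue(store, client_id, rec["user_id"])
    if grant == "refresh_token":
        rec = store.refresh.pop(form.get("refresh_token"), None)  # rotate on use
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        return _issue(store, client_id, rec["user_id"])
    return {"error": "unsupported_grant_type"}


def introspect(store, access_token):
    """Resolve a bearer token to its user, or None once it has expired."""
    rec = store.access.get(access_token)
    if rec is None or rec["expires_at"] <= store.now():
        return None
    return rec
```

Against the Google Action question: a client that only stores the access token sees exactly the symptom described there, a forced relink every hour, because introspect() returns None after expires_in seconds and only a refresh_token grant against the token URL yields a new one.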

How to generate oauth token using QuickBooks API and postman?

Can anyone help me on generating OAuth token using QuickBooks API and postman?
I am not able to create one using API.
And can you help me to get sample account data from an account via the QuickBooks API?
You can refer to the following blog which shows how to generate OAuth1 tokens using the OAuthPlayground tool and use those tokens in POSTMAN to make any API calls.
https://developer.intuit.com/hub/blog/2016/04/25/quick-start-to-quickbooks-online-rest-api-with-oauth1-0
You can try the entire QBO POSTMAN collection from the link below.
https://developer.intuit.com/docs/0100_quickbooks_online/0400_tools/0012_postman?isExpand=false#/1500
You can't generate OAuth tokens via Postman.
The whole point of OAuth is to give the end-user a UI-based process to click through and provide tokens.
Use the UI components Intuit provides to get your tokens.
https://developer.intuit.com/docs/0100_quickbooks_online/0100_essentials/000000_quickbooks_online_overview
I recently had to download QBO's Postman collection to debug an integration issue with my app. I use OAuth2.0 with Authorization Code as the grant type to authenticate a user from my app to QBO. This is what QBO offers now and it's not up to the app developer's discretion.
You can download the QBO's Postman collection from here.
To access QBO's endpoint from Postman, you must first create and register an app entry with QBO. Doing so will give you ClientID and ClientSecret which are needed for authentication purposes. Also put https://www.getpostman.com/oauth2/callback as the RedirectURI for your app since you will be authenticating using Postman. If you have your website up and running, you can put the link to your website as the RedirectURI.
Once you open the collection in Postman, open the Accounts endpoint and switch to the Authorization tab
Click on Get New Access Token.
CallbackURL is going to be what you put in the RedirectURL you registered your sample QBO app with.
AuthURL and AccessTokenURL are taken from the QBO link I mentioned above. Paste these as is.
ClientID and ClientSecret are the keys you get once you register your sample app with QBO.
Scope can be used as is since you need to access the accounting endpoint.
State can be any string that is returned intact after a successful authentication with QBO. It is something that your app can use for an extra check to ensure that you got a response from the right authorization server. Put any length string(do not leave it blank) in this case because we are only accessing the endpoints using Postman.
ClientAuthentication is set to Send client credentials in body as instructed by QBO.
Once you click on Request Token, you will be redirected to QBO's login page inside Postman itself in a new popup window. Successful authentication will close the popup window and give you an Access Token. Clicking Use Token will set the token in the body at the time of Send Request.
Make sure you know your companyid and that you are targeting the right baseurl. Notice that I'm using minorversion 9 because that's what my app uses. You can choose to stick with 14.
Hitting Send Request should get you some accounts objects in the response.
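The State field in the answer above is a check Postman performs for you; an app doing the same flow itself has to perform it. Below is an added example (not Intuit's, QBO's or Postman's code) of the callback side of the authorization code flow: the client mints a random state before redirecting, stores it in the user's session, and accepts the returned code only if the echoed state matches and the callback arrived at the registered redirect URI. The redirect URI, client id and client secret are constructed placeholders; the client-credentials-in-body choice mirrors the "ClientAuthentication" setting in the answer.

```python
# Added example: validate an OAuth2 authorization-code callback (state check,
# error handling, redirect URI check) and build the code-for-token exchange
# with the client credentials either in the body or in a Basic header.
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder; the answer registers Postman's callback URL instead.
REDIRECT_URI = "https://client.example/oauth2/callback"


def begin_login(session):
    """Mint the State value before redirecting and remember it in the user's
    session; the authorization server must echo it back unchanged."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return session["oauth_state"]


def handle_callback(session, callback_url):
    """Return the authorization code from the callback, or raise ValueError.
    The stored state is consumed on the first callback either way, so a
    captured callback URL cannot be replayed against the same session."""
    expected = session.pop("oauth_state", None)
    parts = urlsplit(callback_url)
    if parts._replace(query="", fragment="").geturl() != REDIRECT_URI:
        raise ValueError("callback arrived at an unexpected URL")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "error" in q:  # user declined, or the server rejected the request
        raise ValueError("authorization server returned " + q["error"])
    echoed = q.get("state")
    if expected is None or echoed is None or \
            not secrets.compare_digest(expected.encode(), echoed.encode()):
        raise ValueError("state mismatch: not a response to a login this session started")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"]


def token_request(code, client_id, client_secret, in_body=True):
    """(headers, form body) for exchanging the code. QBO asks for the client
    credentials in the body; the HTTP Basic alternative is shown for contrast."""
    fields = {"grant_type": "authorization_code", "code": code,
              "redirect_uri": REDIRECT_URI}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if in_body:
        fields.update(client_id=client_id, client_secret=client_secret)
    else:
        raw = ("%s:%s" % (client_id, client_secret)).encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    return headers, urlencode(fields)


if __name__ == "__main__":
    session = {}
    state = begin_login(session)
    # Constructed callback as the browser would deliver it.
    code = handle_callback(session, REDIRECT_URI + "?code=AUTHCODE123&state=" + state)
    print(token_request(code, "client-id-placeholder", "client-secret-placeholder"))
```

The state is popped before any other check so that a mismatched or errored callback still invalidates it; leaving the value in the session would let a second, forged callback reuse it.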