Have anyone had any luck implementing Epic's App Orchard Oauth flow (server to server flow. no user interaction)
I'm trying to get OAuth flow working from the point a user launches our app from Epic's patient chart. The user would trigger a request to our app with a launch token. From there we'd use this token to get access_token and then query a few APIs.
The issue is that there is very little documentation. The steps I was able to piece together fail when requesting /oauth2/token endpoint. The only error indication is in body json containing this:
{"error":"invalid_request"}
No other errors or indications for failure points. So I'm looking for anyone who had any luck with such authentication to Epic's FHIR APIs.
My request query params look like this:
serverBaseURl +
"/oauth2/token?" +
"grant_type=authorization_code" +
"&client_id=" + clientId +
"&code=" + encodeURI(code) + //<-- code from /oauth2/authorize step
"&redirect_uri=" + encodeURI(redirectUrl) //<-- url declared in app configuration
I know this isn't super clear question, but if anyone has any pointers , it's really appreciated
The oauth2/token endpoint accepts a url-encoded form as the POST body instead of query parameters.
Related
Cheers everybody,
we have been deeply reading google documentation on exchanging access_token from google in order our (delphi)desktop application to SSO with google from server side. Here is the payload we send first look like:
https://accounts.google.com/o/oauth2/v2/auth?client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&state=E1DF2FBA-0A66-4D69-B594-5EB8F7828AF7&scope=openid+profile&include_granted_scopes=true&code_challenge=C832DA50-E55A-499D-89B8-493BB4123C94&login_hint=test#Speelkriebel.be
Normally after this it redirects me to login in to our test user and after this according to the documentation we send a POST request to the end point token in order to get the access_token and refresh_token...: 'https://oauth2.googleapis.com/token
with the following parameters, the 'code' is generated we also send it as follow:
client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com
grant_type=authorization_code
client_secret=******
code= 4/1AY0e-g4GlavO38PI5Oo3vq04Pc4lMWN77et-02UiVWOsT-IyRQnU1lq19qo
redirect_uri = urn:ietf:wg:oauth:2.0:oob
The response is always
{
"error_description": "Missing code verifier.",
"error": "invalid_grant"
}
We have tried to send the client secret id also, Does it have to do with our code_challenge ? are the end points url and initial url okay? What are we missing? We are using CEF4Delphi as "browser like experience in order for the user to type in their google credentials. We have been reading this: https://developers.google.com/identity/protocols/oauth2/web-server#offline
We were also trying the playground :https://developers.google.com/oauthplayground/
we were sending the initial url in a chrome which generated a "code" and in the playground we inserted the code, and still got the same error of missing code verifier.
Thanks Guys
You seam to have URL encoded a lot of the values try not doing that. Also try using the basic call, before you start adding everything else. It should help you figure out which one of those extra parameters you are sending that's causing your issues.
https://accounts.google.com/o/oauth2/auth?client_id={clientid}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=profile&response_type=code
Also make sure that the client id is from an installed / other type client
This may also help Google 3 Legged OAuth2 Flow
For installed apps, the code challenge and verifier are parameters for enhancing the security of the OAuth flow through PKCE [1].
There is additional documentation about generating a code challenge and verifier here [2].
[1] https://www.rfc-editor.org/rfc/rfc7636
[2] https://developers.google.com/identity/protocols/oauth2/native-app#step1-code-verifier
We have an inquiry from our client, to enable Autodesk Model Viewer from within our App. The first step is to implement OAuth2 authentication (2 legged). I followed Forge Autodesk tutorials, but this is completely new to me, and I cannot configure that to work. I do http request (using jQuery) from our App, passing client_id and client_secret, grant_type and a scope. When looking on the developer menu (F12) - I can see that request is hitting their server and returns with the access_token, expire time, authorization "Bearer" with the status 200. So far so good.
I understand that now I need to make a call back to the API and pass this access_token I received. And here is where I lost: console shows me error, Cross origin ... And the success part of http request is not fireing (in http request success part I'm trying to redirect user to the Model Viewer url + access_token we just received). But it is never fires. Was digging forums and tutorials but can't find any good sample or explanation what I'm doing wrong. Below is my code example:
$.post("https://developer.api.autodesk.com/authentication/v1/authenticate",
{
client_id: 'here_is_a_client_id',
client_secret: 'here_is_a_client_secret',
grant_type: 'client_credentials',
scope: 'viewables:read'
},
function(data, status){
console.log("Data: " + data);
window.location.href = 'https://viewer.autodesk.com/id/here_is_a_long_id_number&Authorization=Bearer&' + data;
});
Any help highly appreciated. Also, I was trying to follow Autodesk tutorials using Node.js, but again, after seeing that access_token get back from their server, can't make a callback and attach this access_token to it. New to all these Authorization/Authentication/Tokens so can't figure out the way it works. Thanks in advance.
I could advice you how to avoid this Cross Origin error, but it is critical not to and very dangerous to authorise your application on the client side. Exposing you client secret key will give everyone the right to access your account and spend cloud credits on your behalf. And access all your content. That is the reason you do should not have that approach.
You should never expose the client secret, neither an read/write scoped access token on a client, those should resides on the server, and server only. The only access token you could eventually see on the client should be a viewables:read scoped token only. And even when using a viewables:read token, I prefer to use a proxy instead myself (see here).
I have written a mobile application using the React Native Framework.
This application uses Google's OAuth 2.0 endpoints to authorize access to Google APIs.
I followed the documentation to implement this.
I have been able to retrieve Access Tokens and Refresh tokens for months now by making the following HTTP requests:
HTTP GET Request to retrieve Authorization Code:
https://accounts.google.com/o/oauth2/v2/auth?scope=email%20profile%20https://www.googleapis.com/auth/youtube%20https://www.googleapis.com/auth/yt-analytics.readonly%20https://www.googleapis.com/auth/yt-analytics-monetary.readonly%20https://www.googleapis.com/auth/youtubepartner&response_type=code&client_id=OMITTED&redirect_uri=OMITTED');
HTTP POST Request to exchange Authorization Code for Access Token:
let queryString = "code=" + authCode + "&" + "client_id=OMITTED&redirect_uri=OMITTED&grant_type=authorization_code";
fetch('https://www.googleapis.com/oauth2/v4/token', {method:'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8' }, body: queryString})
This POST Request is now getting the following error within the response:
Error:
"invalid_scope"
error_description
:
"Some requested scopes were invalid. {valid=[https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile, https://www.googleapis.com/auth/youtube, https://www.googleapis.com/auth/yt-analytics.readonly, https://www.googleapis.com/auth/yt-analytics-monetary.readonly], invalid=[https://www.googleapis.com/auth/youtubepartner#]}"
Again, I have been able to retrieve an Access Token and Refresh Token for months using this same code.
This error has suddenly been surfacing as of 09/12/2018.
There have been no changes to my code.
Does anyone have any ideas regarding why I am now getting this error?
What about removing the email scope?
I guess Google has fixed it now. I can signing-in without removing email scope now on my app.
I'm trying to use the oAuth functionality of adfs but are struggling to get an access token out of it.
The setup is a Windows Server 2012 R2 Preview Edition installed in a virtualbox vm.
I am able to get an access_code by issuing the following:
https://asdf.bla.dev/adfs/oauth2/authorize?response_type=code&client_id=abcd-abcd-abcd&redirect_uri=https://localhost/auth&resource=testservice.asdf.oauth
this redirects me to the following url
https://localhost/auth?code=U2dIhBsRt0eDnEhAEq2fcw.d3LeME__0QgBAC8zvLR6mTlRvC0.fLKd5eQRjXslTEeEck17m6Zo4fKKO9oGk2byUyr4CyLQHKSJs5wKzWZcusLXqXk22tdzvswxBjzaYcCqzkbeT5VxhMEdq97vbSnGAQ1tVD0vutVIfbx1Mb5A-QItgOx8a8LBapn7axCpGThoVH2jWCVM59X5eOt9ACuJTTK1UFbNaldaTkuGdqrtcGC8tFoSOP96G-4sHgIBpi2t8BSwCdf3asDd3AJAOYk6gnUkH5WJQRf2pg4S_AkgOxseeZW8Y5qbWAajyESkEmJ-UcWkV98uHlrmNsFwTSJ-ZoNk-aZI_U85ZlZrsdpKzocrWM5HmfcvXm5XdXz2QXIHngIBTA
but when I try to redeem the token with this request:
https://asdf.bla.dev/adfs/oauth2/token?grant_type=authorization_code&client_id=abcd-abcd-abcd&redirect_uri=https://localhost/auth&code=U2dIhBsRt0eDnEhAEq2fcw.d3LeME__0QgBAC8zvLR6mTlRvC0.fLKd5eQRjXslTEeEck17m6Zo4fKKO9oGk2byUyr4CyLQHKSJs5wKzWZcusLXqXk22tdzvswxBjzaYcCqzkbeT5VxhMEdq97vbSnGAQ1tVD0vutVIfbx1Mb5A-QItgOx8a8LBapn7axCpGThoVH2jWCVM59X5eOt9ACuJTTK1UFbNaldaTkuGdqrtcGC8tFoSOP96G-4sHgIBpi2t8BSwCdf3asDd3AJAOYk6gnUkH5WJQRf2pg4S_AkgOxseeZW8Y5qbWAajyESkEmJ-UcWkV98uHlrmNsFwTSJ-ZoNk-aZI_U85ZlZrsdpKzocrWM5HmfcvXm5XdXz2QXIHngIBTA
there is an error and I don't get an access-token.
The event viewer of the adfs service states the following error:
There are no registered protocol handlers on path /adfs/oauth2/token to process the incoming request....
I built the request following this information: https://github.com/nordvall/TokenClient/wiki/OAuth-2-Authorization-Code-grant-in-ADFS
I have no idea what's going wrong and would really appreciate your help!
I know that the thread is quite old but I was going through hell today when trying to resolve this error. I checked http.sys, reinstalled the server role,... nothing worked.
At the end, I had to find out that this crazy ADFS does (again) return garbage error messages. After 5 hours of debugging I didn't trust postman any longer (even if it worked without issues for months now) and used a short PowerShell script to invoke the POST with the access code:
$client = new-object net.webclient
$form = New-Object System.Collections.Specialized.NameValueCollection
$form.Add("client_id", "you client id")
$form.Add("grant_type", "authorization_code")
$form.Add("code", "authorization code")
$form.Add("redirect_uri", "your redirect uri")
$result = $client.UploadValues("https://sso.mydomain.com/adfs/oauth2/token", "POST", $form)
$decodedToken = $client.Encoding.GetString($result);
Et voila... all working. So I went back to the broken postman query, stripped all url parameters, removed all headers and added the parameters to the x-www-form-urlencoded tab. Then it worked there again.
Meaningful errors would definitely be helpful. Hope this saves someone many hours of frustrating try&error...
You are on the right track. You get code on redirect URI. Now we will have to make a POST request to the /token endpoint using the following parameters:
code - you will have to extract this value from the URL using some programming logic
client_id
redirect_uri
grant_type - use the value "authorization_code"
In response you should get a JWT access token.
It looks like you use HTTP GET to access the token endpoint, but it should be HTTP POST.
I am trying to build an application that would fetch the events from a user's Google calendar. Once I get the authorization code which the user is given and asked to enter in another page, I try to exchange it for access_token. But I get an error in the post request I am sending to retrieve the token.
client_id=encodeURIComponent("id.apps.googleusercontent.com");
client_secret=encodeURIComponent("secret.apps.googleusercontent.com");
$.post("http://accounts.google.com/o/oauth2/token/code="+auth_code
+"&client_id="+client_id+"&client_secret="+client_secret
+"&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code",
function(response){
console.log('Response = '+ response);
}
);
Can someone tell me the error in the post request?
You need to look at the response coming back for the error reason. This appears to be jQuery code, so you could look under the Network tab in Chrome Developer Tools (View, Developer, Developer Tools, Network) to see the HTTP response.
That said, unless you're using jQuery in a server-side environment, you're using the wrong OAuth flow. You should be using the implicit/javascript flow, where you don't need to get an authorization code or exchange it-- you immediately get an access token returned in the hash fragment of your URL:
OAuth2UserAgent
Please clarify your question more with language/environment/objective.