It feels like amazon are encouraging people to just use their client SDK, but it would be nice to see what a sequence of valid REST calls looks like for the authorization and implicit grant flows.
The AWS documentation for the authorization and token endpoints is a nice start:
http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html
Does anybody know if some examples exist showing the sequence of REST calls for the Implicit and Authorization flows (against Cognito)?
The documentation is a bit shoddy, but here's an example PHP cURL call to get the ID/Access Tokens using your authorization code for the Authorization flow:-
$url = 'https://<YOURDOMAIN>.auth.us-east-1.amazoncognito.com/oauth2/token';
$client_key = '<YOUR_CLIENT_ID>';
$client_secret = '<YOUR_CLIENT_SECRET>';
$data = [ 'grant_type' => 'authorization_code',
'client_id'=>$client_key, 'code'=>$_GET["code"],
'redirect_uri'=>'<YOUR_REDIRECT_URI>'];
$handle = curl_init($url);
curl_setopt($handle, CURLOPT_VERBOSE, true);
curl_setopt($handle, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($handle, CURLOPT_USERPWD, $client_key . ":" . $client_secret);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
$field_string = http_build_query($data);
curl_setopt($handle, CURLOPT_POSTFIELDS, $field_string);
$resp = json_decode(curl_exec($handle),true);
Once you've got the ID token you need to parse the JWK JSON file from
https://cognito-idp.us-east-1.amazonaws.com/<USER_POOL_ID/.well-known/jwks.json
and then lookup the kid field in the token header, and use that as the secret to decode the token. I used this library:-
https://github.com/firebase/php-jwt
So the token validation code looks something like:-
$jwks_json = file_get_contents("https://cognito-idp.us-east-1.amazonaws.com/<USER_POOL_ID>/.well-known/jwks.json");
$jwk = JWK::parseKeySet($jwks_json);
$tks = explode('.', <YOUR_TOKEN>);
list($headb64, $bodyb64, $cryptob64) = $tks;
$jwt_header = json_decode(base64_decode($headb64),true);
$jwt_body = json_decode(base64_decode($bodyb64),true);
$key=$jwk[$jwt_header["kid"]];
try
{
$decoded = JWT::decode(<YOUR_TOKEN>, $key, array($jwt_header["alg"]));
$decoded_array = (array) $decoded;
// GREAT SUCCESS!
}
catch (\Exception $e)
{
// TOKEN COULDN'T BE VALIDATED
}
I am not aware of anything with it nicely documented. I think your best option would be to spin up a test app using one of the SDKs and monitor the network traffic. It seems the API is not well documented.
Related
So, im working on an Application which compares your youtube channel Data with other similare youtube channels.
Currently im working on the authentication of an user with his youtube account, therefore im Using the OAuth Client.
I already got an code which i can exchange for an access_token, which also works.
Sadly, the access_token which i get does not work for an simple /search call and gives me an HTTP 400 -> keyinvalid
The same call works with an generated ApiKey just fine, but i would prefer to use OAutch.
My question is, does an accessToken not work with public calls like /search? If it does, what could be my problem here?
Thanks in Advance!
EDIT: Added Code Examples
Step 1: I call the OAuth client with the following url call in an new window with window.open(url)
https://accounts.google.com/o/oauth2/v2/auth?
scope=https://www.googleapis.com/auth/youtube.readonly&
access_type=offline&
include_granted_scopes=true&
state=state_parameter_passthrough_value&
redirect_uri=https://website.com/&
response_type=code&
client_id=9791...7bng.apps.googleusercontent.com"
In the Response I extract the Code which looks something like this
4/1QCLZnwsntp...sNcE
Send this code over an REST API to my Backend which uses this code to exchange it for an access_token with an PHP curl POST call
$this->connection = curl_init();
$url = 'https://www.googleapis.com/oauth2/v4/token';
$param = 'code='.$this->credentialsTemp['code'].'&client_id='.$GLOBALS['Youtube-Credentials']['clientId'].'&client_secret='.$GLOBALS['Youtube-Credentials']['clientSecret'].'&redirect_uri=https://website.com/&grant_type=authorization_code';
curl_setopt($this->connection, CURLOPT_URL, $url);
curl_setopt($this->connection, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($this->connection, CURLOPT_TIMEOUT, 20);
curl_setopt($this->connection, CURLOPT_POST,true);
curl_setopt($this->connection, CURLOPT_POSTFIELDS, $param);
$resp = curl_exec($this->connection);
curl_close($this->connection);
$acces_token = json_decode($resp,true)["access_token"];
in $acces_token should be my access_token which at the Moment looks close to this ya29.GlyTBtFMdLqKbvgaps...SA2pBORo_Am5UuBuxo8g
I have followed the whole process to obtain an oauth2 access token from the Identity Manager (I get it) and I want to pass it to a web application developed on Filab Mashup but embedded in my own web.
In my Mashup application I need get the oauth token for to access Orion Context Broker information but I don't know how to pass it.
This is the code of my callback URL where I obtain the token:
<?php
//get the code from url
$code = $_GET["code"];
//print_r($code);
//application specific declarations
$domain = "www.talkysync.com";
$clientId = "my_client_ID";
$clientSecret = "my_client_secret";
//access token url
$url = 'https://account.lab.fiware.org/oauth2/token';
//payload params for the request token
$payload = 'grant_type=authorization_code&code='. $code .'&redirect_uri=http%3A%2F%2Fwww.talkysync.com%2Ffiware_login%2Fcallback.php';
//base64(client_id:client_secret)
$cadena = $clientId . ":" .$clientSecret;
$base = base64_encode($cadena);
//extra header for the request
$header = array("Content-Type: application/x-www-form-urlencoded", "Authorization: Basic ". $base);
//actual request implementation
$ch = curl_init($url);
curl_close($ch);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$output = curl_exec($ch);
;
//get the access token from the json response
$jsonData = json_decode($output,true);
$access_token = $jsonData["access_token"];
//start a session and set the access token to it
session_start();
$_SESSION["X-Auth-Token"] = $access_token;
$_SESSION["code"] = $code;
header("Location: fiware.php");
?>
And this is the code of fiware.php:
<?php
session_start();
if(!isset($_SESSION["X-Auth-Token"])){
header('Location: login.php');
}else{
header('Location: https://mashup.lab.fiware.org/ertonio/Talkykar?mode=embedded');
}
?>
But in the mashup application I always have an anonymous connection because I don't know how to pass it the token.
Thanks in advance.
Currently is not possible to create an embedded WireCloud URL including the credentials. Seems interesting and worth implementing it, but also seems a lot of work, so don't expect it to be implemented in a short period of time.
Regarding, accessing the orion context broker from WireCloud, take a look into section "3.2.1. Using Orion Context Broker" on the WireCloud's course available on the FIWARE Academy.
I want to get the device longitude and latitude using the mac address not it's not returning any value.
I have activate my Google Geolocation API and have enable billing. pls help.
<?php
$mac = "E4:D5:3D:E4:05:BF";
//encode the data in JSON
$wifiAccessPoints = array("macAddress"=>$mac);
$wifiAccessPoints = json_encode($wifiAccessPoints);
$API_key = "AIzaSyApOf.................";
$url = "https://www.googleapis.com/geolocation/v1/geolocate?key=$API_key";
$client = curl_init($url);
//send the request to resource
curl_setopt($client, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($client, CURLOPT_HEADER, false);
curl_setopt($client, CURLOPT_POSTFIELDS, $wifiAccessPoints);
curl_setopt($client, CURLOPT_RETURNTRANSFER,true);
curl_setopt($client, CURLOPT_HTTPHEADER,array("Content-type: application/json", "Content-Length".strlen($wifiAccessPoints)));
curl_setopt($client,CURLOPT_POST,true);
//get response from request.
$response = curl_exec($client);
//decode format response
//$result = json_decode($response);
$status = curl_getinfo($client, CURLINFO_HTTP_CODE);
echo $status."<br>";
echo $response."<br>";
?>
The error being returned indicates that your request is formatted correctly, but the API could not find a geolocation for it. The API documentation has this to say about your result:
Reason: notFound
Domain: geolocation
Status Code: 404
Description: The request was valid, but no results were returned.
So it appears that you are performing your request successfully, but Google will not always be able to tell you where a particular WiFi access point is located (t would be impossible to expect them to know them all).
The documentation also states that
The request body's wifiAccessPoints array must contain two or more WiFi access point objects. macAddress is required; all other fields are optional.
It looks like you only have one access point, a lookup by IP may be ore accurate. The documentation has a wealth of information on how you can reformat your input JSON.
I am developing an app in which I want to know if a facebook authorized user has a verified profile or not. I can see that there is a is_verified field that facebook provides. I am just not getting it in the response I get from OAuth. Is there any permissions issue? I am using permissions public_profile,email. Please guide me on this.
You can ask 'is_verified' field in your query. You can try below code as a sample and u can take the appropriate part of the code to integrate in yours. public_profile,email permission is enough to get this field. result will be a bolean
$fb_page = 'barackobama'; //any fb page,fb profile
$access_token = ''; //your access token
$url = "https://graph.facebook.com/v2.2/".$fb_page.'
?access_token='.$access_token.'&fields=is_verified';
$curl = curl_init($url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
$result = curl_exec($curl);
curl_close($curl);
$details = json_decode($result,true);
echo "verified:".$details['is_verified'];
There are many REST API methods to check if a username is being used on Twitter but as far as I researched all of them are rate limited.
The reason I want this feature is to prevent someone from claiming a username on a website that someone else uses on Twitter, for example someone might claim a celebrity's username and confuse people.
It's impossible to use oauth in this scenario, since the user in this scenario might not be a Twitter user.
[150/hour rate limit is unacceptable. A possible solution would be to use Bing Search API to search for the username? - If Bing Search is not rate limited of course]
Try curl, here is minimal working script in php:
$url = "http://mobile.twitter.com/justinbieber";
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$resp = curl_exec($curl);
$code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
if($code == 200)
{
echo "He is on twitter";
}
else
{
echo "He is on not twitter";
}
You should query mobile.twitter.com instead of real one, because real one doesn't do HTTP response codes. and few more reasons.