I am trying to integrate the oauth flow in my application.
I am getting a 401 when calling the oauth/request_token endpoint with this error:
"message": "401 - {\"errors\":[{\"code\":135,\"message\":\"Timestamp out of bounds.\"}]}"
This is my authorization header:
"Authorization": "OAuth oauth_callback=http%3A%2F%2F127.0.0.1%3A3000%2Ftwitter%2Foauth_callback,oauth_consumer_key=MYKEY,oauth_nonce=150255341200200,oauth_signature_method=HMAC-SHA1,oauth_timestamp=1502553412002,oauth_version=1.0,oauth_signature=d09f2f2a39e51909442ae6ca717e4aeba7066fda"
I can see in the response header that the server time for Twitter is: "date": "Sat, 12 Aug 2017 15:56:52 GMT"
If I take my timestamp and convert it to a GMT date I get:
Saturday, August 12, 2017 3:56:52.002 PM
I am not sure why it is considered out of bounds.
The oauth_timestamp should be the number of whole seconds since 1 Jan 1970 00:00:00 UTC.
Your timestamp is out by a factor of around 1000! It should have been:
oauth_timestamp=1502553412
For the timestamp value, use the following piece of code:
Math.floor((new Date()).getTime() / 1000);
I'm calling a Microsoft Graph API endpoint to change sensitivity labels (like described here and documented here). It's a beta endpoint and currently working well. Here's how to use it according to the documentation:
PATCH https://graph.microsoft.com/beta/groups/{id}
Content-type: application/json
{
    "assignedLabels": [
        {
            "labelId": "45cd0c48-c540-4358-ad79-a3658cdc5b88"
        }
    ]
}
Looking at the response headers I noticed these three related to deprecation: Deprecation, Sunset and Link:
"Link": "<https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:Restricted_AU_Properties&from=2021-04-01&to=2021-05-01>;rel=\"deprecation\";type=\"text/html\",<https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,Device_Properties&from=2022-01-01&to=2022-02-01>;rel=\"deprecation\";type=\"text/html\"",
"Deprecation": "Mon, 05 Apr 2021 23:59:59 GMT",
"Sunset": "Sat, 19 Feb 2022 23:59:59 GMT",
I'm trying to determine whether this means that the endpoint stops working on Feb 19 with respect to sensitivity labels. The links in the Link response header unfortunately do not work and look kind of internal-ish. E.g. https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:Restricted_AU_Properties&from=2021-04-01&to=2021-05-01
Looking at the query parameters of the link I see the keywords Restricted_AU_Properties and Device_Properties. The Microsoft Graph change log does not show anything about those, or about any change to assignedLabels that is about to happen.
How do I have to read this response? Is setting sensitivity labels using this endpoint going to stop working on Feb 19?
Talking to a colleague helps. Apparently the 1.0 Graph API endpoint also allows setting sensitivity labels and the documentation claiming that it is read-only is wrong:
So my interpretation for now is that the deprecation headers tell me to use the 1.0 endpoint instead of beta. Which would kind of make sense.
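As an added illustration (not from the question or from Microsoft's documentation): a parser for the Deprecation, Sunset (RFC 8594) and Link (RFC 8288) headers quoted above, which classifies the endpoint as active, deprecated or sunset as of a given date. The header values are the ones from the question; the status names and the days-to-sunset calculation are my own.

```javascript
// Parse an RFC 8288 Link header into [{ url, rel, type, ... }] entries. Entries are
// separated by a comma followed by "<", so commas inside a URL do not split it.
function parseLinkHeader(value) {
  return value.split(/,(?=\s*<)/).map(part => {
    const m = part.match(/^\s*<([^>]*)>\s*((?:;[^;]*)*)$/);
    if (!m) throw new Error("malformed Link entry: " + part);
    const entry = { url: m[1] };
    for (const attr of m[2].split(";").map(s => s.trim()).filter(Boolean)) {
      const eq = attr.indexOf("=");
      const k = (eq < 0 ? attr : attr.slice(0, eq)).trim().toLowerCase();
      entry[k] = eq < 0 ? "" : attr.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    }
    return entry;
  });
}

// Combine the three headers into one status as of `now`: past Sunset means the
// resource may be gone; past Deprecation means it still works but should be migrated.
function deprecationStatus(headers, now = new Date()) {
  const deprecation = headers.Deprecation ? new Date(headers.Deprecation) : null;
  const sunset = headers.Sunset ? new Date(headers.Sunset) : null;
  const notices = headers.Link
    ? parseLinkHeader(headers.Link).filter(l => l.rel === "deprecation").map(l => l.url)
    : [];
  let status = "active";
  if (sunset && now > sunset) status = "sunset";
  else if (deprecation && now >= deprecation) status = "deprecated";
  const daysToSunset = sunset ? Math.ceil((sunset - now) / 86400000) : null;
  return { status, daysToSunset, notices };
}

// Constructed sample: the three headers quoted in the question above.
const SAMPLE_HEADERS = {
  Link: '<https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:Restricted_AU_Properties&from=2021-04-01&to=2021-05-01>;rel="deprecation";type="text/html",<https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,Device_Properties&from=2022-01-01&to=2022-02-01>;rel="deprecation";type="text/html"',
  Deprecation: "Mon, 05 Apr 2021 23:59:59 GMT",
  Sunset: "Sat, 19 Feb 2022 23:59:59 GMT",
};
```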
I'm sending a moment object in a request, but unfortunately the date is changing. For example, when I chose some date and write it to the console, the date is OK, but in the request the time is a few hours earlier, which changes the date.
console: Fri Oct 01 2021 00:00:00 GMT+0200 - ok,
In sent json: "2021-09-30T22:00:00.000Z" - wrong
Why does it happen and how do I fix it?
We are using the Sharepoint Rest API to index contents.
Due to a customer's security requirement, we can only use API permissions as granted in the Sharepoint Admin Center in combination with an app-only principal with a secret.
We registered an application in the Azure AD Admin Center and granted it permissions as described here.
We then wrote a piece of Java code that adapts the requests described here to retrieve a JWT:
List<NameValuePair> params = new ArrayList<>(10);
params.add(new BasicNameValuePair("grant_type", "client_credentials"));
params.add(new BasicNameValuePair("client_id", clientId + "#" + directoryId));
params.add(new BasicNameValuePair("client_secret", clientSecret));
params.add(new BasicNameValuePair("resource", "00000003-0000-0ff1-ce00-000000000000/" + targetHost + "#" + directoryId));
try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) {
    HttpPost post = new HttpPost("https://accounts.accesscontrol.windows.net/" + directoryId + "/tokens/OAuth/2");
    post.setEntity(new UrlEncodedFormEntity(params, Consts.UTF_8));
    String result;
    try (CloseableHttpResponse response = httpClient.execute(post)) {
        if (response.getStatusLine().getStatusCode() != HttpStatus.SC_OK)
            throw new SharepointClient.HttpStatusException(response.getStatusLine().getStatusCode());
        result = Strings.fromUtf8(IO.readAll(response.getEntity().getContent()));
    }
    accessToken = new JsonData(result).get("access_token");
}
We then use the token as a bearer token in the authorization header for all requests to the API.
This worked fine for a couple of months until about a week ago. Since then, we're only receiving 403 responses.
HttpResponseProxy{HTTP/1.1 403 Forbidden [Cache-Control: private, max-age=0, Transfer-Encoding: chunked, Content-Type: application/json;odata=verbose;charset=utf-8, Expires: Wed, 30 Sep 2020 09:58:49 GMT, Last-Modified: Thu, 15 Oct 2020 09:58:49 GMT, P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI", X-SharePointHealthScore: 2, X-MSDAVEXT_Error: 917656; Zugriff+verweigert.+Zum+%c3%96ffnen+von+Dateien+an+diesem+Speicherort+m%c3%bcssen+Sie+zun%c3%a4chst+zur+Website+wechseln+und+die+Option+zur+automatischen+Anmeldung+aktivieren., DATASERVICEVERSION: 3.0, X-AspNet-Version: 4.0.30319, SPRequestGuid: f7dd839f-10d1-2000-73fa-40c47dd29bbb, request-id: f7dd839f-10d1-2000-73fa-40c47dd29bbb, MS-CV: n4Pd99EQACBz+kDEfdKbuw.0, Strict-Transport-Security: max-age=31536000, X-FRAME-OPTIONS: SAMEORIGIN, Content-Security-Policy: frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.stream.azure-test.net *.microsoftstream.com;, X-Powered-By: ASP.NET, MicrosoftSharePointTeamServices: 16.0.0.20530, X-Content-Type-Options: nosniff, X-MS-InvokeApp: 1; RequireReadOnly, X-MSEdge-Ref: Ref A: 330CB0BA15E647CC8B732FCC45D4F950 Ref B: AM3EDGE0620 Ref C: 2020-10-15T09:58:49Z, Date: Thu, 15 Oct 2020 09:58:49 GMT] ResponseEntityProxy{[Content-Type: application/json;odata=verbose;charset=utf-8,Chunked: true]}}
The error message is in German (I don't know why, the whole system is set to English). It says: "Access denied. To open files in this location, you have to first go to the website and activate the option for automatic login."
Does anyone know what might have changed? Do we need to change something in the requests?
We already checked:
The secret is not expired
Authentication via certificate and Azure AD Admin Center permissions is still working (same API requests, just the token retrieval is done with msal4j)
Sending the token request and the API requests via Postman leads to the same results
The reason for the error is not that you lack permissions. According to the error message "Access denied. To open files in this location, you have to first go to the website and activate the option for automatic login.", you need to:
1. Authenticate to Office 365.
2. Add your SharePoint Online sites to trusted sites.
3. Check the status of the WebClient service.
See: Troubleshoot mapped network drives that connect to SharePoint Online.
I'm trying to implement a client that imports the events that a user has in Office 365 so that I can easily display them in the company's application.
I managed to get the user to authenticate with his / her Office 365 account and to approve my application and to also get an AccessToken, but when I try to use the token to retrieve the events from the API, I get a 401 HTTP error code, no body and in the headers I have this:
Content-Length: 0
Date: Thu, 17 Mar 2016 08:56:00 GMT
Server: Microsoft-IIS/8.0
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000#*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm="",Basic Realm=""
X-BEServer: DB4PR06MB522
X-BackEndHttpStatus: 401
X-CalculatedBETarget: DB4PR06MB522.eurprd06.prod.outlook.com
X-DiagInfo: DB4PR06MB522
X-FEServer: AM3PR06CA022
X-Powered-By: ASP.NET
request-id: de1963bc-36df-4473-81f6-66ec37e8b415
x-ms-diagnostics: 2000001;reason="OAuth token submitted with the request can not be parsed.";error_category="invalid_token"
The token I get from https://login.microsoftonline.com/common/oauth2/token with the following body:
grant_type=authorization_code
redirect_uri=https://example.com/redirect-uri
client_id=XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX
client_secret=[my-client-secret]
code=[code-received-from-user-auth]
The token I receive from the above call, I send through the Authorization header to https://outlook.office.com/api/v2.0/me/events like so:
Authorization: Bearer [access-token]
Can you please tell me what I'm doing wrong?
I managed to fix the problem I had.
For future reference, the problem was that I wasn't telling the https://login.microsoftonline.com/common/oauth2/token endpoint what I needed the token for.
I had to provide a resource parameter with the base URL of the resource I was going to interrogate afterwards.
In my case, it was https://outlook.office365.com.
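An added example, not the answerer's code: building the v1 token request with the resource parameter the question was missing, and checking the issued token's aud claim against that resource before using it, which is the check that would have explained the 401 above. The sample token is constructed with a fake signature and decoded without verification; the resource value is the one named in the answer.

```javascript
// Form body for the AAD v1 authorization-code grant. `resource` names the API the
// token is for; without it the token is not issued for the Outlook API.
function buildTokenRequestBody({ code, redirectUri, clientId, clientSecret, resource }) {
  if (!resource) throw new Error("resource is required: name the API the token is for");
  return new URLSearchParams({
    grant_type: "authorization_code", code, redirect_uri: redirectUri,
    client_id: clientId, client_secret: clientSecret, resource,
  }).toString();
}

function base64UrlDecode(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Decode a JWT payload. No signature check: this is a client-side sanity check of
// what the token was issued for, not a trust decision (the API does the real validation).
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True when the token's audience matches the resource requested and it has not
// expired. A token issued for another audience is what the API rejects as invalid_token.
function tokenFitsResource(token, resource, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { aud, exp } = decodeJwtPayload(token);
  const strip = u => String(u).replace(/\/$/, "").toLowerCase();
  const notExpired = typeof exp !== "number" || exp > nowSeconds;
  return strip(aud) === strip(resource) && notExpired;
}

// Constructed sample token (unsigned, for illustration only).
function makeSampleToken(payload) {
  const enc = o => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.signature`;
}
```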
I've got a production app and occasionally I see this error appear in the logs. I can't seem to duplicate it on my end, so it seems like there is a user out there somewhere with some specific settings / cookies / etc. that are causing this problem. I am not sure... The log shows that this user was redirected to this callback url: "users/auth/facebook/callback?code=AQCayaAoFOruFgwbfg1D682j8DbxOt0CZYNH3Vv5RtYKlQgSzISyN8ygTn25W_RTl3fu35cS1-tl5ArZ9B_XylwORP0hGU6st8P6TyTYUzfiR1m0poaSRkX-KBeWiBvT6IUsm-Af0VJcUNTQPg-dM1F9y5CgJ2bTJEJqhCE9wYlvkUY3kguwcl3TQ48FTT4-PhA///"
The actual error is:
RuntimeError: #<OAuth2::Response:0x1da7fae0 #error=#<OAuth2::Error: OAuth2::Error>, #options={:parse=>:query}, #parsed={"{\"error\":{\"message\":\"Invalid verification code format.\",\"type\":\"OAuthException\"}}"=>nil}, #response=#<Faraday::Response:0x1da8fa80 #on_complete_callbacks=[], #env={:response=>#<Faraday::Response:0x1da8fa80 ...>, :request_headers=>{"Content-Type"=>"application/x-www-form-urlencoded"}, :body=>"{\"error\":{\"message\":\"Invalid verification code format.\",\"type\":\"OAuthException\"}}", :status=>400, :url=>#<Addressable::URI:0xed52bf0 URI:https://graph.facebook.com/oauth/access_token>, :request=>{:proxy=>nil}, :parallel_manager=>nil, :response_headers=>{"expires"=>"Sat, 01 Jan 2000 00:00:00 GMT", "access-control-allow-origin"=>"*", "content-type"=>"text/javascript; charset=UTF-8", "connection"=>"close", "www-authenticate"=>"OAuth \"Facebook Platform\" \"invalid_code\" \"Invalid verification code format.\"", "date"=>"Thu, 13 Oct 2011 15:58:29 GMT", "content-length"=>"81", "cache-control"=>"no-store", "x-fb-rev"=>"457598", "x-fb-server"=>"10.65.13.60", "pragma"=>"no-cache"}, :ssl=>{:ca_file=>"/etc/pki/tls/certs/ca-bundle.crt"}, :method=>:post}>>
and the parameters were:
{"code"=> "AQCayaAoFOruFgwbfg1D682j8DbxOt0CZYNH3Vv5RtYKlQgSzISyN8ygTn25W_RTl3fu35cS1-tl5ArZ9B_XylwORP0hGU6st8P6TyTYUzfiR1m0poaSRkX-KBeWiBvT6IUsm-Af0VJcUNTQPg-dM1F9y5CgJ2bTJEJqhCE9wYlvkUY3kguwcl3TQ48FTT4-PhA///",
"action"=>"",
"controller"=>""}
I know if I manually go to "users/auth/facebook/callback?code=blah" it will trigger this same error because the callback code parameter is obviously bogus, but it doesn't look like there's anything suspicious about the actual code in the user's params hash, so I am wondering why it would be an invalid format?
Has anyone else experienced this?
I think the following link provides the answer: http://developers.facebook.com/docs/authentication/#authenticating-users-in-a-web-application
You first need to call https://graph.facebook.com/oauth/authorize with your client_id and redirect_uri. This will then redirect you back to the redirect_uri, with a verification code in the query string that you can pass to your https://graph.facebook.com/oauth/access_token call (via the code parameter) to exchange for an OAuth access token.
Good luck! :)