We are using VB.NET and developing a Windows Forms based application, where we need to send email using Gmail.
Appropriate scope has been approved by Google: scope=https://www.googleapis.com/auth/gmail.send
Using the URL below via a browser, we are able to retrieve the code.
https://accounts.google.com/o/oauth2/v2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.send&access_type=offline&include_granted_scopes=true&state=state_parameter_passthrough_value&redirect_uri=**********&response_type=code&client_id=******************
At this point, we have client id, client secret, and code.
But we are unable to send email.
Can someone please share any sample POST request or sample code?
Language used: VB.NET, and the first URL was called using the WebBrowser object.
You are using the OAuth2 Authorization Code Grant flow. This flow returns you just a code that you need to exchange for an access token and a refresh token using the /token endpoint. The code is just a random identifier and cannot be used for anything else. Without an access token, you cannot access protected resources (Gmail). The /token endpoint requires authentication, so you will need your client ID and secret when calling it.
The workflow, request parameters, responses and examples are covered in the OAuth2 RFC.
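The two POST requests the answer describes, as an added example that is not part of the original thread (Python for brevity; the same requests can be issued from VB.NET with any HTTP client). The endpoint URLs are Google's published token and Gmail send endpoints, not values from the post, and the code, client ID, secret and addresses are placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request
from email.message import EmailMessage

TOKEN_URL = "https://oauth2.googleapis.com/token"
SEND_URL = "https://gmail.googleapis.com/gmail/v1/users/me/messages/send"


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Exchange the one-time authorization code for tokens."""
    form = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        # Must be the same redirect_uri used in the authorization request.
        "redirect_uri": redirect_uri,
    }).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def build_send_request(access_token, sender, to, subject, body):
    """Call the Gmail API with the access token as a Bearer token."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body)
    # Gmail expects the RFC 822 message base64url-encoded in a "raw" field.
    raw = base64.urlsafe_b64encode(msg.as_bytes()).decode("ascii")
    return urllib.request.Request(
        SEND_URL, data=json.dumps({"raw": raw}).encode("utf-8"), method="POST",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    # Placeholder values; substitute the real code, client ID and secret.
    req = build_token_request("CODE_FROM_REDIRECT", "CLIENT_ID",
                              "CLIENT_SECRET", "http://localhost")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # urllib.request.urlopen(req) sends it; the JSON response carries
    # access_token (and refresh_token, because access_type=offline was set).
```

The client secret belongs only in the token request, which goes directly from the application to the token endpoint and never through the browser redirect.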
What should I enter for callback URL when trying to generate a new access token in Postman? I'm using a Client ID and Client Secret from my Twitter Developer account.
It should be the same callback URL that you registered on Twitter when generating a client ID and secret. If you haven't provided any URL there, then you can use anything (e.g. http://localhost).
If you're calling the token endpoint from Postman (as I think you are), so you want to exchange the code for tokens, then you should use the same callback URL that you used in your authorization request.
I am having trouble understanding how to accomplish this. I have Firebase functions running on my application. I am using an external API in which I can configure Webhooks to hit an endpoint on my Firebase functions to perform an action. To make sure that the call comes from this external API, they recommend using an oauth2 flow. Mainly they ask me for:
Provide us (the external API) with an ID and an access token;
these are used to access a URL which provides a bearer token;
this bearer token is then used to access the provided webhook URL until the bearer token expires after a pre-determined period of time.
And there are 4 input fields:
1. OAuth2 access token url
2. OAuth2 client id
3. OAuth client secret
4. OAuth2 Scope. <---- NOT SURE WHAT THIS ONE MEANS
My question is how do I generate the access token and the client id for this external API?
What value should I put for the oAuth2 scope?
Thanks!
I was able to figure this out using auth0. In one of their documents, they clearly explained what I was trying to accomplish. Posting here for future reference in case anyone needs it.
Thanks all!
reference: https://auth0.com/docs/authorization/flows/client-credentials-flow#learn-more
You can generate the client ID and client secret in the Console > Credentials.
Cloud Functions API oAuth2 scope is https://www.googleapis.com/auth/cloud-platform.
I am trying to understand how the OAuth protocol works. The book says that it involves two steps: when the end user first provides login information, the API provider returns an access code, and then another call is made to the API provider with the access code and then we get the access token.
My question is: why can't the API provider return the access token in the step when it returns the access code instead? Why does it first return the access code and then the access token?
Basically to keep the access token out of the user's browser, where it is at higher risk of getting stolen or lost.
The authorization code flow that you are describing was originally meant to get the token to a web application hosted on a server. The web application would get the auth code from the browser and would need a special secret to exchange that code for an access token. This flow also allowed the web application to obtain a refresh token it could use to get new access tokens without the user's interaction.
The implicit flow would return the access token directly to the browser. It is considered unsafe and is deprecated in OAuth 2.1.
There's an RFC about the implementation of OAuth here: https://www.rfc-editor.org/rfc/rfc6749#section-1.3
Can anyone help me on generating OAuth token using QuickBooks API and postman?
I am not able to create one using API.
And can you help me to get sample account data from an account QuickBooks API?
You can refer to the following blog which shows how to generate OAuth1 tokens using OAuthPlayground tool and use those tokens in POSTMAN to make any API calls.
https://developer.intuit.com/hub/blog/2016/04/25/quick-start-to-quickbooks-online-rest-api-with-oauth1-0
You can try the entire QBO POSTMAN collection from the link below.
https://developer.intuit.com/docs/0100_quickbooks_online/0400_tools/0012_postman?isExpand=false#/1500
You can't generate OAuth tokens via Postman.
The whole point of OAuth is to give the end-user a UI-based process to click through and provide tokens.
Use the UI components Intuit provides to get your tokens.
https://developer.intuit.com/docs/0100_quickbooks_online/0100_essentials/000000_quickbooks_online_overview
I recently had to download QBO's Postman collection to debug an integration issue with my app. I use OAuth2.0 with Authorization Code as the grant type to authenticate a user from my app to QBO. This is what QBO offers now and it's not up to the app developer's discretion.
You can download the QBO's Postman collection from here.
To access QBO's endpoint from Postman, you must first create and register an app entry with QBO. Doing so will give you ClientID and ClientSecret which are needed for authentication purposes. Also put https://www.getpostman.com/oauth2/callback as the RedirectURI for your app since you will be authenticating using Postman. If you have your website up and running, you can put the link to your website as the RedirectURI.
Once you open the collection in Postman, open the Accounts endpoint and switch to the Authorization tab.
Click on Get New Access Token.
CallbackURL is going to be what you put in the RedirectURL you registered your sample QBO app with.
AuthURL and AccessTokenURL are taken from the QBO link I mentioned above. Paste these as is.
ClientID and ClientSecret are the keys you get once you register your sample app with QBO.
Scope can be used as is since you need to access the accounting endpoint.
State can be any string that is returned intact after a successful authentication with QBO. It is something that your app can use for an extra check to ensure that you got a response from the right authorization server. Put a string of any length (do not leave it blank) in this case because we are only accessing the endpoints using Postman.
ClientAuthentication is set to Send client credentials in body as instructed by QBO.
Once you click on Request Token, you will be redirected to QBO's login page inside Postman itself in a new popup window. Successful authentication will close the popup window and give you an Access Token. Clicking Use Token will set the token in the body at the time of Send Request.
Make sure you know your companyid and that you are targeting the right baseurl. Notice that I'm using minorversion 9 because that's what my app uses. You can choose to stick with 14.
Hitting Send Request should get you some accounts objects in the response.
Hello
My scenario is the following.
Client Application (on mobile phone) connects to Facebook via normal authentication process.
User gives consent to the application to access profile, gets back authorization code for the user.
With that code, plus application id and secret, the client gets an access token to access the information.
Can the authorization code be passed to a web service, which in turn does a call to Facebook to obtain an access token the same way?
I am not sure that is possible because reading documentation it looks like the access token API requires a redirect uri as a parameter.
Here instead, there would be a web service call waiting to complete.
Hope this is not confusing... :)
Thanks in advance
"I am not sure that is possible because reading documentation it looks
like the access token API requires a redirect uri as a parameter."
The spec says
redirect_uri (of the access-token request):
REQUIRED, if the "redirect_uri" parameter was included in the
authorization request ... their values MUST be identical.
Technically, the client can pass the server the authorization-code and the "redirect-uri", so the server makes the call with the same redirect-uri as the client, and if you control both ends it might work. However, the tricky part is that the client must also send the server the client-id and the client-secret. And if that happens, it contradicts the whole idea of OAuth2.
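The token-endpoint checks behind the spec rule quoted above, and behind the earlier answer on why a code is returned before the token, shown as an added example that is not part of any post on this page. It is an in-memory sketch of an authorization server; the client registry, URLs and function names are hypothetical.

```python
import hmac
import secrets

# Constructed registry for one confidential client (illustrative values).
CLIENTS = {"demo-client": "demo-secret"}
CODES = {}  # code -> {"client_id", "redirect_uri"}


def issue_code(client_id, redirect_uri):
    """Authorization endpoint: record which client and redirect_uri got the code."""
    code = secrets.token_urlsafe(16)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri}
    return code


def token_endpoint(code, client_id, client_secret, redirect_uri):
    """Token endpoint: return (status, body) after the RFC 6749 section 4.1.3 checks."""
    expected = CLIENTS.get(client_id)
    # 1. Authenticate the client; the code alone is not enough.
    if expected is None or not hmac.compare_digest(expected, client_secret or ""):
        return 401, {"error": "invalid_client"}
    # 2. A code is single-use: remove it on first presentation.
    grant = CODES.pop(code, None)
    if grant is None:
        return 400, {"error": "invalid_grant"}
    # 3. The code must have been issued to this client, with this redirect_uri.
    if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(24),
                 "token_type": "Bearer", "expires_in": 3600}


def demo():
    """Run four cases and return their HTTP status codes."""
    uri = "https://app.example/callback"
    results = {}
    code = issue_code("demo-client", uri)
    results["no_secret"] = token_endpoint(code, "demo-client", "", uri)[0]
    results["wrong_uri"] = token_endpoint(code, "demo-client", "demo-secret",
                                          "https://other.example/cb")[0]
    code = issue_code("demo-client", uri)
    results["valid"] = token_endpoint(code, "demo-client", "demo-secret", uri)[0]
    results["replay"] = token_endpoint(code, "demo-client", "demo-secret", uri)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

A code captured from a redirect is rejected without the client secret, with a different redirect_uri, or on second use, which is why the code can pass through the browser while the token cannot.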