I am using OAuth2 in Websphere 8.0.0.5. I get an access token and make a link. For example: https://IP:PORT/wps/myportal/PATH/?access_token=CARN1QbcWYUfT9kL1yZ13hOxXV0S5G0PNHRwDs22. When a I click in this link, I access OK and I can to get the token. But, in the second intent I lose the token.
Example:
1) Access to generate an access token
Asunto:
Sujeto: defaultWIMFileBasedRealm/userapp
Credencial pública: com.ibm.ws.security.auth.WSCredentialImpl#a60840bf
Credencial privada: com.ibm.ws.security.token.SingleSignonTokenImpl#6b291942
Credencial privada: com.ibm.ws.security.token.AuthenticationTokenImpl#bdc2e900
Credencial privada: com.ibm.ws.security.token.AuthorizationTokenImpl#e2b283b9
2) Generated link with access token
https://IP:10029/wps/myportal/PATH/?access_token=spPHk7MMBsianOvLI9yLYFepIpXyBkj5lghoWp6J
3) Click in link - First intent
Asunto:
Sujeto: defaultWIMFileBasedRealm/wasadmin
Credencial pública: com.ibm.ws.security.auth.WSCredentialImpl#5110eb9e
Credencial privada: Provider:OAuthProvider,user:wasadmin,client:user,expiration:Mon Jul 10 16:06:53 ART 2017,token:spPHk7MMBsianOvLI9yLYFepIpXyBkj5lghoWp6J,
Credencial privada: {OAuthProvider=OAuthProvider, com.ibm.wsspi.security.cred.cacheKey=OAuthProvider-692974521}
Credencial privada: com.ibm.ws.security.token.SingleSignonTokenImpl#11ebdd0c
Credencial privada: com.ibm.ws.security.token.AuthenticationTokenImpl#caf4f5f9
Credencial privada: com.ibm.ws.security.token.AuthorizationTokenImpl#5ed614f8
4) Click in link - Second intent
Asunto:
Sujeto: defaultWIMFileBasedRealm/wasadmin
Credencial pública: com.ibm.ws.security.auth.WSCredentialImpl#a64eaabc
Credencial privada: {com.ibm.wsspi.security.cred.cacheKey=OAuthProvider-692974521, OAuthProvider=OAuthProvider}
Credencial privada: com.ibm.ws.security.token.SingleSignonTokenImpl#39d13d7d
Credencial privada: com.ibm.ws.security.token.AuthenticationTokenImpl#c38fb578
Credencial privada: com.ibm.ws.security.token.AuthorizationTokenImpl#738fd8aa
Any help?
ERA
Related
We are using the Sharepoint Rest API to index contents.
Due to a customer's security requirement, we can only use API permissions as granted in the Sharepoint Admin Center in combination with an app-only principal with a secret.
We registered an application in the Azure AD Admin Center and granted it permissions as described here.
We then wrote a piece of Java Code that adapts the requests described here to retrieve a JWT:
List<NameValuePair> params = new ArrayList<>(10);
params.add(new BasicNameValuePair("grant_type", "client_credentials"));
params.add(new BasicNameValuePair("client_id", clientId + "#" + directoryId));
params.add(new BasicNameValuePair("client_secret", clientSecret));
params.add(new BasicNameValuePair("resource", "00000003-0000-0ff1-ce00-000000000000/" + targetHost + "#" + directoryId));
try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) {
HttpPost post = new HttpPost("https://accounts.accesscontrol.windows.net/" + directoryId + "/tokens/OAuth/2");
post.setEntity(new UrlEncodedFormEntity(params, Consts.UTF_8));
String result;
try (CloseableHttpResponse response = httpClient.execute(post)) {
if (response.getStatusLine().getStatusCode() != HttpStatus.SC_OK)
throw new SharepointClient.HttpStatusException(response.getStatusLine().getStatusCode());
result = Strings.fromUtf8(IO.readAll(response.getEntity().getContent()));
}
accessToken = new JsonData(result).get("access_token");
}
We then use the token as a bearer token in the authorization header for all requests to the API.
This worked fine for a couple of months until about a week ago. Since then, we're only receiving 403 responses.
HttpResponseProxy{HTTP/1.1 403 Forbidden [Cache-Control: private, max-age=0, Transfer-Encoding: chunked, Content-Type: application/json;odata=verbose;charset=utf-8, Expires: Wed, 30 Sep 2020 09:58:49 GMT, Last-Modified: Thu, 15 Oct 2020 09:58:49 GMT, P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI", X-SharePointHealthScore: 2, X-MSDAVEXT_Error: 917656; Zugriff+verweigert.+Zum+%c3%96ffnen+von+Dateien+an+diesem+Speicherort+m%c3%bcssen+Sie+zun%c3%a4chst+zur+Website+wechseln+und+die+Option+zur+automatischen+Anmeldung+aktivieren., DATASERVICEVERSION: 3.0, X-AspNet-Version: 4.0.30319, SPRequestGuid: f7dd839f-10d1-2000-73fa-40c47dd29bbb, request-id: f7dd839f-10d1-2000-73fa-40c47dd29bbb, MS-CV: n4Pd99EQACBz+kDEfdKbuw.0, Strict-Transport-Security: max-age=31536000, X-FRAME-OPTIONS: SAMEORIGIN, Content-Security-Policy: frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.stream.azure-test.net *.microsoftstream.com;, X-Powered-By: ASP.NET, MicrosoftSharePointTeamServices: 16.0.0.20530, X-Content-Type-Options: nosniff, X-MS-InvokeApp: 1; RequireReadOnly, X-MSEdge-Ref: Ref A: 330CB0BA15E647CC8B732FCC45D4F950 Ref B: AM3EDGE0620 Ref C: 2020-10-15T09:58:49Z, Date: Thu, 15 Oct 2020 09:58:49 GMT] ResponseEntityProxy{[Content-Type: application/json;odata=verbose;charset=utf-8,Chunked: true]}}
The error message is in german (I don't know why, the whole system is set to english). It sais: "Access denied. To open files in this location, you have to first go to the website and activate the option for automatic login."
Does anyone know what might have changed? Do we need to change something in the requests?
We already checked:
The secret is not expired
Authentication via certificate and Azure AD Admin Center permissions is still working (same API requests, just the token retrieval is done with msal4j)
Sending the token request and the API requests via Postman leads to the same results
The reason for the error is not that you lack permissions. According to the error message Access denied. To open files in this location, you have to first go to the website and activate the option for automatic login.
Do you need:
1.Authenticate to Office 365.
2.Add your SharePoint Online sites to trusted sites.
3.Check the status of the WebClient service.
see: Troubleshoot mapped network drives that connect to SharePoint Online.
I have read some discussion, Q&A about the error w/c is thrown if sender email is invalid,
but I'm not sure if
this error Net::SMTPSyntaxError · 501 is for both invalid email from & to.
Net::SMTPSyntaxError 501 error is thrown if you have bad sender address. Sender address should be an email address. Any fake email will also do. like: abc#fakemail.com
This code works
I surf I got the code by surfing https://app.stex.com/oauth/authorize?response_type=code&client_id=144&scope=trade profile then I got a code.
I put the code on my program
Dim code = "def50200354606432acfb60c836ac40ff440dc2755164756cd7e34ddcf9cd4db8df87cabe71bf5e5c5c278c18c81b0415ba47da34f83ddaab0a84696e1722e266aec2e7942ed86e40e65b0dcf7428aad2747920de6cf8585ce281214f2ecc7353e807640320ca263013387ea0b2d466e2cc31b46c2a2e7b1dd33cdc518efa20b76b752734174f2b500450ed1ccb434611b0bdc458fcfed69a2ab2a5f91242f1f68c504d3151048c49eaf976eff6bbb922dac1acbba069fc8b57fd74069eeadf24c067edf4563aa5ad14b0d9740f1518723ba1c5637164e5e3c4d408102f49c0f63d8f3f5dfbfe11132d242a182e4af3449e811292d1ac69aadf74608a5383b9c4030de3579c98b07c4f087752f7e404f4897d8167b3d8ad266bdb42f74b539cc3fef6ce774edd35d305e655e984028614e50afe760acc754de70986dc7651ac760d5817c665ef1238d0811190763dbfd65993408d12dcf7926be6c71afb5d8a10528c174647934bdd1e4fcf1f4a800b8a74a7ae93bf60b02c602900a981bdb75e9de2b17f359ee"
Then I do
Dim token2 = CookieAwareWebClient.downloadString1("https://api3.stex.com/oauth/token", "grant_type=authorization_code&code=" + code + "&client_id=" + _apiKey1 + "&client_secret=" + _secret1 + "&redirect_uri=https://apidocs.stex.com/oauth2-redirect.html", {})
Dim jtoken1 = JToken.Parse(token2)
Dim refreshtoken = jtoken1.Item("refresh_token").ToString
And it works.
However, this code doesn't work
Dim token2 = CookieAwareWebClient.downloadString1("https://api3.stex.com/oauth/token", "grant_type=authorization_code&code=" + code + "&client_id=" + _apiKey1 + "&client_secret=" + _secret1, {})
Dim jtoken1 = JToken.Parse(token2)
Dim refreshtoken = jtoken1.Item("refresh_token").ToString
The only difference is that in the first code I added + "&redirect_uri=https://apidocs.stex.com/oauth2-redirect.html"
Basically, I am creating a stex api.
My client has only one redirect URL. So why do I have to specify that redirect URL, that is not used anymore, and the server know anyway, to the https://api3.stex.com/oauth/token url?
I think I read the RFC
4.1.3. Access Token Request
The client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded"
format per Appendix B with a character encoding of UTF-8 in the HTTP
request entity-body:
[...]
redirect_uri
REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values
MUST be identical.
It says that the redirect_URI is required if the parameter was included.
I didn't include the parameter when I request authorization code.
I'm just not able to solve this for days now, anyone have any ideas? Below is the request response as shown by Fiddler
The response is that the oauth_signature is absent, however it was sent. If I calculated the signature incorrectly i would expect signature_invalid
I feel like the issue is staring me in the face, but I can't see it.
GET http://developer.messenger.yahooapis.com /v1/session HTTP/1.1
Authorization: OAuth
realm: "yahooapis.com"
oauth_version: "1.0"
oauth_token: "The oauth token "
oauth_nonce: "4724376"
oauth_timestamp: "1449488987"
oauth_consumer_key: "My consumer key"
oauth_signature_method: "HMAC-SHA1"
oauth_signature: "oBjiENcrXBX6I5dE/Vr7AHj2FOA="
Content-Type: application/json;charset=utf-8
Host: developer.messenger.yahooapis.com
HTTP/1.1 401 Authorization Required
Date: Mon, 07 Dec 2015 11:49:34 GMT
WWW-Authenticate: OAuth oauth_problem="parameter_absent: oauth_signature", realm="yahooapis.com"
Connection: close
Transfer-Encoding: chunked
Content-Type: application/xml
Cache-Control: private
17b
<?xml version='1.0' encoding='UTF-8'?>
Please provide valid credentials. OAuth oauth_problem="parameter_absent: oauth_signature", realm="yahooapis.com"
Many thanks
Jon
Found the problem:
I was creating a new request header for each authentication item. All the OAuth tokens must go in the same header. ie. the Authorization header
The code below is how I add create the Authorization header, which works fine now.
string OAuthHeader = "OAuth realm=\"yahooapis.com\"," +
"oauth_consumer_key=\"" + consumerkey + "\"," +
"oauth_timestamp=\"" + timestamp + "\"," +
"oauth_nonce=\"" + nonce + "\"," +
"oauth_version=\"1.0\"," +
"oauth_signature_method=\"PLAINTEXT\"," +
"oauth_token=\"" + dictGetRequestTokenParams["oauth_token"] + "\"," +
"oauth_signature=\"" + consumerSecret + "%26" + dictGetRequestTokenParams["oauth_token_secret"] + "\",";
request.Headers.Add(HttpRequestHeader.Authorization, OAuthHeader);
I am quite new to the concept of ipython and twython .However i want to retrieve some data using twitter.search query .But when i use it it gives me the following error
In [3]: search_results = twitter.search(q="#india", rpp="50")
---------------------------------------------------------------------------
TwythonError Traceback (most recent call last)
/home/vishal/<ipython-input-3-241f789b11cc> in <module>()
----> 1 search_results = twitter.search(q="#india", rpp="50")
/usr/local/lib/python2.7/dist-packages/twython-2.5.5-py2.7.egg/twython/twython.pyc in search(self, **kwargs)
365 """
366
--> 367 return self.get('https://api.twitter.com/1.1/search/tweets.json', params=kwargs)
368
369 def searchGen(self, search_query, **kwargs):
/usr/local/lib/python2.7/dist-packages/twython-2.5.5-py2.7.egg/twython/twython.pyc in get(self, endpoint, params, version)
236
237 def get(self, endpoint, params=None, version='1.1'):
--> 238 return self.request(endpoint, params=params, version=version)
239
240 def post(self, endpoint, params=None, files=None, version='1.1'):
/usr/local/lib/python2.7/dist-packages/twython-2.5.5-py2.7.egg/twython/twython.pyc in request(self, endpoint, method, params, files, version)
231 url = '%s/%s.json' % (self.api_url % version, endpoint)
232
--> 233 content = self._request(url, method=method, params=params, files=files, api_call=url)
234
235 return content
/usr/local/lib/python2.7/dist-packages/twython-2.5.5-py2.7.egg/twython/twython.pyc in _request(self, url, method, params, files, api_call)
208 raise exceptionType(error_msg,
209 error_code=response.status_code,
--> 210 retry_after=response.headers.get('retry-after'))
211
212 # if we have a json error here, then it's not an official TwitterAPI error
TwythonError: 'Bad Request: The request was invalid. An accompanying error message will explain why. This is the status code will be returned during rate limiting. -- An error occurred processing your request
what could be the issue.
Does it requires authentication
Thanks
Twitter API v1 search didn't not need authentication, however; the Twitter search API now requires authentication in v1.1. (https://dev.twitter.com/docs/api/1.1/get/search/tweets)
Thanks for using Twython!
For me this code works:
from twython import Twython
twitter = Twython()
search_results = twitter.search(q="#india", rpp="50")
for tweet in search_results["results"]:
print "Tweet from#%s Date: %s" % (tweet['from_user'].encode('utf-8'),tweet['created_at'])
print tweet['text'].encode('utf-8'),"\n"