Spring-security provides support for localization.
https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#localization
I am looking for similar option for oauth2.
I have implemented token based authorization using spring-security-oauth2. Is there any support for localization in spring-security-oauth2 or please suggest me any other option?
I have checked official document but did not find anything on that.
For example I am getting below messages based on the scenarios, I want to provide localize support those messages.
{
"error": "invalid_token",
"error_description": "7896d62f-04ce-42ad-b7bc-bd2436b73f8b"
}
{
"error": "invalid_token",
"error_description": "Token was not recognised"
}
{
"error": "invalid_grant",
"error_description": "Bad credentials"
}
Unfortunately the OpenID Connect specification states:
error_description
OPTIONAL. Human-readable ASCII encoded text description of the error.
Thus, localisation would have to use some other field or mechanism.
Related
Hopefully I'm missing something very simple. According to this documentation to get an access token I need to hit the following url:
https://login.live.com/oauth20_authorize.srf?client_id={client_id}&scope={scope}
&response_type=token&redirect_uri={redirect_uri}
So far this appears to be working as the returned url I get contains
/#access_token=EwAYA61DBAAUcSSzo.......
According to the token flow documentation above,
You can use the value of access_token to make requests to the OneDrive API.
According to this page,
Your app provides the access token in each request, through an HTTP header:
Authorization: bearer {token}
When running curl I give it the exact token I was given before,
curl -X GET \
https://graph.microsoft.com/v1.0/drive \
-H 'Authorization: Bearer EwAYA61DBAAUcSSzoTJJs.....
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "CompactToken parsing failed with error code: 8004920A",
"innerError": {
"request-id": "8780c600-2b7f-45a0-b484-7eca9dfd2697",
"date": "2019-01-25T19:33:22"
}
}
}
Why is the token they provided not working?
What I've tried so far:
changing the case of bearer in the header
wrapping said token in {}
generating new tokens
URL decoding said token
One thing to note: the tokens I am receiving are not JWT tokens. Googling the error code pulls up several Stack Overflow questions that seem to imply the graph api is expecting a JWT. If this is the case, am I missing a step to obtaining it?
You can't call Microsoft Graph API after completing the authentication flow for Microsoft accounts (OneDrive personal).
In addition, the authorization process with Microsoft accounts is no longer recommended according the docs and new applications should be developed using Microsoft Graph:
This topic contains information about authorizing an application using Microsoft accounts for OneDrive personal. However, this approach is no longer recommended. New applications should be developed using Microsoft Graph and follow the authorization process in Authorization and sign-in for OneDrive in Microsoft Graph.
I have scoured the web to try and find an answer to what seems to be a simple solution but unable to come across one.
I am using Postman. On the Authorisation tab, I have entered the details as defined in the Twitter Application Management.
In the header, I have a key of Authorization and value of
OAuth oauth_consumer_key="my-consumer-key",
oauth_token="my-consumer-token",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1538075001",
oauth_nonce="zXeiLqV5GzK",
oauth_version="1.0",
oauth_signature="SYdcrIrRT6jdgo57b1qP9a9THcc%253D"
When I run a GET request for https://api.twitter.com/1.1/search/tweets.json?q=test I get the expect results.
However, trying to search for a hashtag
https://api.twitter.com/1.1/search/tweets.json?q=%23test&include_entities=true I get the following in the response body
{
"errors": [
{
"code": 32,
"message": "Could not authenticate you."
}
]
}
with a status of 401: Authorization Required
Why would this be the case, would there be a step I missed in setting up or can you not search for hashtags on the free version?
Any help would be appreciated.
Solution is to use OAuth2
Twitter OAuth1 seems to have issue with url encoding.
I ended up using OAuth2 too. Requesting Bearer's Token to https://api.twitter.com/oauth2/token and giving it App Consumer API keys as authorization credentials.
Reference can be found here
We have a Grails 3.2.7 application and use the org.grails.plugins:spring-security-oauth2-provider:3.0.0-RC2 plugin in our application and everything works so far.
But recently we're starting to introduce user activation after registration. This means that the "enabled" field is false before the user activates his account.
So for an user that hasn't been activated yet, when I make a POST request to authenticate him using /oauth/token, I get an HTTP Status 400 with a response body of:
{
"error": "invalid_grant",
"error_description": "User is disabled"
}
The problem is, even for a user for whom I typed in the wrong password, he gets an HTTP Status 400 with a response body of:
{
"error": "invalid_grant",
"error_description": "Bad credentials"
}
As you can see, both have HTTP Status 400 (Bad Request) and an "error" of "invalid_grant". So really the only way for me to differentiate between these two cases is through the "error_description". But I don't want to do that because according to RFC 6749 (The OAuth 2.0 Authorization Framework), that is an
OPTIONAL, Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred.
which is not meant to be reliable for discerning the type of error we have (inactive user vs. bad credentials). Is there a better way to solve my problem?
Or if I may be so bold to ask, how would one override the default behavior of /oauth/token? I can't seem to find any documentation on how to do that.
I'm trying to call (POST) the Auth0 delegation endpoint from Postman with the following request, as suggested by Auth0:
Content-Type: 'application/json'
{
"client_id": "{CLIENT_ID}",
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
"id_token": "{YOUR_ID_TOKEN}",
"target": "lwTL1rYVfC0KsBUFPeKWY3HvGjbIgdDM",
"api_type": "salesforce_api",
"scope": "openid"
}
I'm getting this error, even though the grant_type parameter is included in the above request:
{
"error": "invalid_request",
"error_description": "Missing grant_type parameter"
}
What am I doing wrong here?
From Auth0's new OIDC Conformant Authentication docs:
Delegation
Given that ID tokens should no longer be used as API tokens and that refresh tokens should be used only at the token endpoint, this endpoint is now considered deprecated.
At the moment there is no OIDC-compliant mechanism to obtain third-party API tokens. In order to facilitate a gradual migration to the new authentication pipeline, delegation can still be used to obtain third-party API tokens. This will be deprecated in future releases.
Also, from Auth0's Using AWS with Tokens docs:
Legacy Grant Types
As of 8 June 2017, new Auth0 customers cannot add any of the legacy grant types to their clients, which are required for use with the Delegation endpoint. Legacy grant types are only available for previous customers while they migrate to new flows, to avoid breaking changes. To find the secure alternative for your case refer to Secure Alternatives to the Legacy Grant Types.
Reading further from the Secure Alternatives to the Legacy Grant Types link:
Legacy Grant Type
http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer
Alternative
This feature is disabled by default. If you would like this feature enabled, please contact support to discuss your use case and prevent the possibility of introducing security vulnerabilities.
More info on legacy grant types can also be found here.
So, the problem you are having is that Delegation has been deprecated. That means the /delegation endpoint and more importantly the jwt-bearer grant type, have been deprecated. If you are a new customer, you are out of luck. If you are an existing customer you need to contact support to get it enabled.
As to why Postman returns the cryptic "Missing grant_type parameter" error as opposed to the much better "Grant type 'http://auth0.com/oauth/legacy/grant-type/delegation/id_token not allowed for the client." error you get with other browser extension based REST Clients, your guess is as good as mine.
I am very new to development so please forgive the occasional misused term, general lack of knowledge, and the poorly worded title.
I am building a new login flow for my company following the guidelines outlined for 'manually building a login flow' at developer.faceboook.com.
After making a request to this URL from the user's device:
GET
https://www.facebook.com/v2.8/dialog/oauth?
response_type=code
&redirect_uri={app-id}://authorize
&client_id={my-app-client-id}
I receive a 'code' which I can in turn use for authentication. The redirect uri above allows me to open the app after the user has granted permission through application(:handleOpen:).
I send the code to our backend and attempt to make this request:
GET
https://graph.facebook.com/v2.8/oauth/access_token?
client_id={app-id}
&redirect_uri={app-id}://authorize
&client_secret={app-secret}
&code={code-parameter} <- received from initial request
The guidelines say that the redirect_uri should match that of the uri from the first request, which mine does, but I still receive this response:
{
"error": {
"message": "Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request",
"type": "OAuthException",
"code": 100,
"fbtrace_id": "XXXXXXXXXXX"
}
}
I'm not sure if what I'm doing is allowed by Facebook. Since the requests are originating from two different sources and the uri provided in the second request doesn't really do anything if the request is made from the backend. I should also mention I am testing the second response using Postman. Is what I'm doing possible or do I have to rethink the flow? Any help would be greatly appreciated and thank you in advance.