I just starting working on an iOS Swift 3 application that will integrate with a certain EHR. I had it working several months ago, but when I tried it this eve I noticed the application froze when I tried to get the access token. it appears that the token part of the OAuth2 exchange has changed and now looks like this:
POST https://api.xxxxxx.com/oauth2/access_token
curl -X POST https://api.xxxxxx.com/oauth2/access_token \
-H 'Authorization: Basic Y2xpZW50X2lkOnNlY3JldA==' \ //dummy auth
--data "code=a14d2c8e-9c8a-4820-8ae1-d9313bb6abe2&grant_type=authorization_code&redirect_uri=YOUR_REDIRECT_URI" //dummy code
I was going to include a pic of their documentation concerning this, but its copyrighted. Basically this is what must be included in the post to the token URL:
The Authorization header is required and must be in the format API_KEY:SECRET_KEY and then url safe base64 encoded.
The body of the request must include the following fields:
code - The authorization code that was sent to your Redirect URI at the end of the OAuth login process (see above).
grant_type - The type of authorization grant in use. In this case code for the authorization code.
redirect_uri - The redirect URI for the application, URL encoded.
Any idea of how to do this in Paw would be greatly appreciated! Right now the only way I can figure it to do each call manually as a request and pass along the pertinent items.
thanks!
Mark
From what I see here, it should be nicely supported by Paw. Here's an example config that should fit your needs:
In Paw, if you do NOT check "Set client credentials in the body", it will set the Client Key and Secret in the Authorization header exactly as you described (base64, separated by a :, that's the Basic Auth format).
Otherwise, things should be working ok. Let me know if you need any help.
Related
I want to implement Google Document AI to read invoice details in salesforce using Rest API. I found below Api detail which is working well.
Now to call this api I need Oauth token. I have tired to setup Named Credentials but getting error "No_Oauth_Token: Access token was not returned". Can you please guide me for this? Might be I am setting wrong Scope, so can you please let me know which scope I need to setup.
Currently scope:- https://www.googleapis.com/auth/cloud-platform
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d #request.json \
"https://LOCATION-documentai.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/processors/PROCESSOR_ID:process"
Also, if any other way is available, please suggest.
Looking forward to hear on this.
Thank you!
Looking for solution to get Google Authentication(Oauth) token which I can use to call Google Document AI api.
Here is the information about setting up OAuth 2.0 for Google Cloud
https://support.google.com/cloud/answer/6158849?hl=en
And General Information about using OAuth 2.0 with Google APIs
https://developers.google.com/identity/protocols/oauth2
In addition, the REST request provided is not complete. It looks like you got the sample from this page https://cloud.google.com/document-ai/docs/send-request
On this page, you can click on the purple variables to replace them with the appropriate values for your setup (PROJECT_ID, LOCATION, etc)
I have done research base on above answer and found solution.
Solution is to use JWT token. You can generate JWT token at your end and using that we can call google API to get valid Authentication token and then we can use respective Google APIs.
I'm a newbie to this stuff so downloaded the samples which is all fine and I thought I could see what was going on and what I needed to do. However, got a bit stuck for no obvious reason so I wondered if anyone could maybe give me some hints.
I'm trying to engineer Cognito authentication and identity into an old Apache Struts 1 legacy web application written in Java, so all the activity needs to be server-side. Using the Cognito https://xxx.auth.xxx.amazoncognito.com/login? URL I can successfully authenticate and get an auth code back using this URL providing my client id, redirect URI and response_type=code so all good thus far.
If I then create an HttpClient (as per the sample code in Github) and call the token URL https://xxx.auth.xxx.amazoncognito.com/oauth2/token and write various parameters to the request body (grant_type=authorization_code, client_id=as previously, redirect_uri=my URI and code=auth code just returned), I get an "unauthorized_client" message returned. But the code is valid albeit for authorization, and the client_id is correct because I used it previously.
My log:
Cognito following successful signin, continuing to url http:[redacted]/passport/CognitoHandlerSignIn.do?code=62eeb0b1-a76b-489b-bd28-e42023a497bd
(this was the /login succeeding)
Callback from Cognito received
(following is the log dump of the /oauth2/token URI called to)
Cognito token signin URL is https:[redacted].amazoncognito.com/oauth2/token
HTTP request header, added Authorization=Basic M29wcGR0azdpYzF2YjloNGd0OTQzNXYxcmI6MW9mMmFsaWNzZGR2dHZ1NmFkOHRuc2s4cnJ0cXEyYm0yc3RqbG1mcmkyamhkdXBubG1wMw==
HTTP request header, added Content-Type=application/x-www-form-urlencoded
HTTP request body, added grant_type=authorization_code
HTTP request body, added
redirect_uri=https%3A%2F%2F<redacted>%2Fpassport%2FCognitoHandlerSignIn.do
HTTP request body, added code=62eeb0b1-a76b-489b-bd28-e42023a497bd
HTTP request body, added client_id=[redacted]
HTTP request is sun.net.www.protocol.https.DelegateHttpsURLConnection:https:
[redacted].auth.eu-west-1.amazoncognito.com/oauth2/token
HTTP Json result=<{"error":"unauthorized_client"}>
org.json.JSONException: JSONObject not found.
at org.json.JSONObject.get(JSONObject.java:454)
at
What's wrong with this picture? I tried also adding client_id, code as URL parameters but I just get an "invalid_client" message instead.
I also tried using the /oauth2/token URI directly from the Struts app to provide a token but it returns the id_token using # rather than ? in the parameter list so it is client-side only and hence can't be intercepted by the Struts app and so will be a pain to forward to the server, but I could write some Javascript to do it if I had to. It doesn't seem the path of least resistance, though, as it seems wrong that the pure Java server side call doesn't work so I must be doing something wrong which isn't obvious to me.
I am rewriting a legacy JSON API application in Rails 5 (in API mode, so we're using ActionController::API). For the sake of API consistency, the new application needs to be accessed like so:
$ curl -u my-api-token: http://foo.bar/baz
(Note that no password is provided).
From there, we ostensibly authenticate based on the API token and life is grand.
The issue I am having is my inability to access the my-api-token component of the request using Rails' request object in the controller (which is an ActionDispatch::Request object) or through the params hash -- in either case, my-api-token appears to be absent. The act of curling is otherwise successful, in that it hits the right endpoint and the right controller action.
The documentation for curl and for ActionDispatch::Request seem to be not particularly useful yet, and searching for my-api-token when inspecting the request object turns up nothing. Other threads in SO seem to be mostly about how to get curl working in the first place, rather than this particular use case.
What am I doing incorrectly? Or, perhaps better, what do I need to do differently to make this work?
Thanks in advance.
It looks like you are misunderstanding what the -u option does in cURL. With the -u option, you are telling cURL to use Basic Authentication. Thus, your API token is being sent in the HTTP Authorization header, not in the request params.
I see a few options to fix your problem.
The first option is to look in the request headers to extract the Authorization header value, base64 decode it, and you can then grab your API token. I'm not very familiar with Rails, but it looks like this is fairly easy to do: http://api.rubyonrails.org/classes/ActionDispatch/Request.html#method-i-headers
The second option is to send the API token via GET params or a POST request. I believe using a POST request is most common for authentication.
For example, using a POST request, you might do something like
curl --data "token=API_TOKEN" https://example.com/resource.cgi
Then you should be able to access the data in the request params.
Also, please consider using HTTPS. With HTTP, any of the solutions I mentioned are susceptible to having your API token intercepted. You can read this question to understand why this is so: https://superuser.com/questions/919859/is-curl-u-usernamepassword-http-example-com-secure
I have a question regarding the auth-scheme. I stumble across JSON Web Tokens and one of the official page:
https://jwt.io/introduction/
They use
Authorization: Bearer <token>
In the past, I am familiar with the Authorization: JWT <token> and had assume that was correct until today, I read the official JWT webpage and they used Bearer <token> instead.
I was testing the Knock Rails gem: https://github.com/nsarno/knock and with this library, I was able to make a Postman request to my Rails API with random auth-scheme:
I could even get rid of the auth-scheme completely:
When I remove my JWT token from the Authorization header, however, it returns 401 Unauthorized response as expected, so I know it's...working?
So I began to think...is there a purpose to the auth-scheme ?
Is a library or web server suppose to honour/respect/enforce the correct usage of auth-scheme in the Authorization header?
I came across this Stackoverflow post in my quest for answer:
Custom HTTP Authorization Header
It showed the official format is:
credentials = auth-scheme #auth-param
The example given was even more bizarre:
Authorization: FIRE-TOKEN apikey="0PN5J17HBGZHT7JJ3X82", hash="frJIUN8DYpKDtOLCwo//yllqDzg="
I don't know if this qualifies as a programming question. I can blindly follow/use a third party library.
What's the purpose of the auth-scheme ?
I'm no cryptography/computer security expert.
Maybe someone can shed some light on the issue (or maybe non-issue?) ?
The authorization scheme is just an indication to the server of what type of credentials are following. A client can use basic scheme
Authorization: Basic <base64(username:password)>
Or bearer scheme
Authorization: Bearer <base64(JWT)>
Or the Hawk scheme
Authorization: Hawk id="...", ts="...", nonce="...", ext="...", mac="..."
Or any other scheme it can agree on with the server.
so - tearing my hair out here
im sending this a POST to https://api.twitter.com/oauth/request_token
my Authorisation header is
OAuth oauth_callback="splat%3A%2F%2F",
oauth_consumer_key="Fh71vIGgcR9zJO7eF1Rc4NC5t",
oauth_nonce="c0ec4fcb6b84b089821a4eea187e8dbc0b4629fb1760203805304cb25193b72f%2C",
oauth_signature="OTkyYmI2NDM1MTc4YjY0OTQwYzYwZTUwNWEyZGVkZDI3MzYyNjBkZg%3D%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1414442911001",
oauth_version="1.0"
and my base string used to generate this was
POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dsplat%253A%252F%252F%26oauth_consumer_key%3DFh71vIGgcR9zJO7eF1Rc4NC5t%26oauth_nonce%3Dc0ec4fcb6b84b089821a4eea187e8dbc0b4629fb1760203805304cb25193b72f%252C%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1414442911001%26oauth_version%3D1.0
i keep getting a 401 however, my example seems to match any examples i can find
any help/obvious mistakes would be much appreciated...
Without your consumer key (and I suggest you don't post it here!), we can't check whether your signature is correct or not.
However you could try verifying your signature using one of the online signature generators such as:
The LinkedIn OAuth Test Console
Had the same problem, what fixed it for me was to remove the oauth_callback altogether.
Just specify a callback in the app settings, then it should work.
I know the documentation labels it as required, but somehow with the callback it doesn't work.
Your header should look like this:
OAuth oauth_consumer_key="XXXXXXXXXXXXXXX",
oauth_nonce="Lhw1HTTtPojMXTsPNWwlXMp1J8UPST9GftzelvW6rQ6",
oauth_signature="zQyHupvnJwFaRPU8IR%2F2axaMFVc%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1415554564",
oauth_version="1.0"
And your basestring something like this:
POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_consumer_key%XXXXXXXXXXXXXX%26oauth_nonce%3DLhw1HTTtPojMXTsPNWwlXMp1J8UPST9GftzelvW6rQ6%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1415554564%26oauth_version%3D1.0