Unknown Error with Microsoft Graph - microsoft-graph-api

Okay, I'm trying to figure out how this Microsoft Authorization API works. I have a native application (iOS) and another web application that I'm intending to run as a daemon in the backend. Both are created in the same Active Directory.
I'm using the Native application to obtain the Access Token and transferring that to the backend daemon application to obtain an Access Token on behalf of the application using this flow
Now from the backend, I'm sending this request:
grant_type:urn:ietf:params:oauth:grant-type:jwt-bearer
client_id:840c72c1-52fd-4082-bc99-85765cbd3215
resource:https://graph.microsoft.com
client_secret:CGI3d2V4RH1nmiBxR5EkKjsg+woLBG+9bl+H6Aix46U=
assertion:<removed>
requested_token_use:on_behalf_of
but I'm getting this response header 400 Bad Request:
Cache-Control →no-cache, no-store
Content-Length →447
Content-Type →application/json; charset=utf-8
Date →Sat, 25 Feb 2017 01:41:08 GMT
Expires →-1
P3P →CP="DSP CUR OTPi IND OTRi ONL FIN"
Pragma →no-cache
Server →Microsoft-IIS/8.5
Set-Cookie →x-ms-gateway-slice=003; path=/; secure; HttpOnly
Set-Cookie →stsservicecookie=ests; path=/
Strict-Transport-Security →max-age=31536000; includeSubDomains
X-Content-Type-Options →nosniff
X-Powered-By →ASP.NET
x-ms-request-id →1b12cc35-5ed6-4ebe-8ba8-96e59038a82d
and body:
{
"error": "invalid_request",
"error_description": "AADSTS50027: Invalid JWT token. AADSTS50027: Invalid JWT token. Token format not valid.\r\nTrace ID: 1b12cc35-5ed6-4ebe-8ba8-96e59038a82d\r\nCorrelation ID: ae2fbd5f-f542-4f7e-87a0-fbeb23492266\r\nTimestamp: 2017-02-25 01:41:10Z",
"error_codes": [
50027,
50027
],
"timestamp": "2017-02-25 01:41:10Z",
"trace_id": "1b12cc35-5ed6-4ebe-8ba8-96e59038a82d",
"correlation_id": "ae2fbd5f-f542-4f7e-87a0-fbeb23492266"
}
For some reason, the API thinks that my token in the assertion field is a JWT token.
I played around with the Application and the Delegate permissions with no
Any help would be appreciated.
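A structural pre-flight check for the value sent as `assertion`, relevant to the AADSTS50027 "Token format not valid" response above. This is an added example, not code from the original post; the function names and the constructed sample token (including its `api://middle-tier-example` audience) are assumptions, and the check does not verify the signature.

```python
import base64
import binascii
import json

def _b64url_json(segment: str) -> dict:
    """Decode one base64url segment (padding restored) into a JSON object."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def check_assertion(token: str) -> tuple[bool, str]:
    """Return (ok, reason) for a value about to be sent as `assertion`.

    The jwt-bearer grant type (RFC 7523) carries a JWT in compact form:
    header.payload.signature, each part base64url-encoded.
    Structure only: the signature is NOT verified here.
    """
    if token != token.strip() or " " in token:
        return False, "whitespace or scheme prefix in token"
    parts = token.split(".")
    if len(parts) != 3:
        return False, f"expected 3 dot-separated segments, got {len(parts)}"
    try:
        header = _b64url_json(parts[0])
        claims = _b64url_json(parts[1])
    except (ValueError, binascii.Error) as exc:
        return False, f"segment does not decode to JSON: {exc}"
    if "alg" not in header:
        return False, "header has no alg"
    return True, f"well-formed; aud={claims.get('aud')!r}"

def _seg(obj: dict) -> str:
    """Encode a dict as an unpadded base64url JSON segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token (hypothetical audience, dummy signature "c2ln").
SAMPLE = ".".join([
    _seg({"alg": "RS256", "typ": "JWT"}),
    _seg({"aud": "api://middle-tier-example"}),
    "c2ln",
])
```

The reported `aud` shows which application the incoming token was issued for, which is worth comparing against the application making the on-behalf-of request.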

Related

Unable to get access token after updating redirect list in google console. "error_description": "Unauthorized", "error": "unauthorized_client"

I'm trying to get a refresh token which doesn't expire after 24 hours on the Google OAuth Playground, but I'm getting this error:
{
"error_description": "Unauthorized",
"error": "unauthorized_client"
}
I updated my redirect url in google console with https://developers.google.com/oauthplayground.
I also updated my client id and client secret in configuration setting on google oauth playground.
Some posts mentioned that it would take some time, but I did this 12 hours ago and am still getting the error.
Any help would be much appreciated.
Below is complete response :
HTTP/1.1 400 Bad Request
Content-length: 68
X-xss-protection: 0
X-content-type-options: nosniff
Transfer-encoding: chunked
Vary: Origin, X-Origin, Referer
Server: scaffolding on HTTPServer2
-content-encoding: gzip
Cache-control: private
Date: Sun, 14 Jul 2019 11:35:13 GMT
X-frame-options: SAMEORIGIN
Alt-svc: quic=":443"; ma=2592000; v="46,43,39"
Content-type: application/json; charset=utf-8
{
"error_description": "Bad Request",
"error": "invalid_grant"
}
unauthorized_client
Means that the client ID and/or secret you are sending is either invalid (it's been deleted) or you copied it wrong from the Google developer console.
Unless you only intend to ever have one user and refresh token for your application, you really shouldn't be using the developer console to generate tokens. You should do this with your own application.

Hello, I am trying to use find Meeting Times API and I am facing the same issue

I am facing InvalidUserAddress and UnsupportedScenario even though I have checked the headers and params,
Everything is correct,
I tried it with and without Location Constraint, Even Authorization token was perfect
HTTP/1.1 400 Bad Request
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: application/json
request-id: 80c3e650-3a57-49b5-b49d-39a4f585192e
client-request-id: 80c3e650-3a57-49b5-b49d-39a4f585192e
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"South India","Slice":"SliceC","Ring":"5","ScaleUnit":"002","Host":"AGSFE_IN_6","ADSiteName":"INS"}}
Duration: 78.1616
Strict-Transport-Security: max-age=31536000
Date: Fri, 08 Feb 2019 12:05:22 GMT
Connection: close
{
"error": {
"code": "BadArgument",
"message": "Invalid user address",
"innerError": {
"code": "UnsupportedScenario",
"request-id": "80c3e650-3a57-49b5-b49d-39a4f585192e",
"date": "2019-02-08T12:05:23"
}
}
}
I'm getting the same error when I try the v1.0 or beta version of the Graph findMeetingTimes method (docs = https://learn.microsoft.com/en-us/graph/api/user-findmeetingtimes?view=graph-rest-beta&tabs=http ).
I'm using a registered app and thus Application permissions. Sadly, that permission type is not supported for this method.
Is it possible, Siddhant, that you are using Application access, too? If so, the only workaround seems to be using a login of the user or a user delegated access to an appropriate mailbox.

Why is the Google Calendar API not accepting my bearer token?

I am trying to learn OAuth 2.0 by walking through making a Google API call using Firefox 28.0 and REST Client v2.0.3.
I went to the Google Developer OAuth 2.0 Playground site.
I signed in using my Google credentials
Selected "Calendar API v3" .readonly
clicked the "Authorize APIs" button
Then I clicked "Exchange authorization code for tokens" and got the access token ab31.4.CDEfG_HI1JkKMNoPQR5S9tuvW_x2yzabcDEFGhiJklMnOpqRs-T6uvwXyza5BcdEFGHiJK3L
From the Calendar API, I use the URL https://www.googleapis.com/calendar/v3/users/me/calendarList with the GET HTTP action
In RESTClient I create a header with the name "Authorization" and set the value to ab31.4.CDEfG_HI1JkKMNoPQR5S9tuvW_x2yzabcDEFGhiJklMnOpqRs-T6uvwXyza5BcdEFGHiJK3L from the "Access token:" box of the OAuth 2.0 Playground.
With an empty Body I click SEND and I get an authorization error (the playground says my token is still valid for another 30 minutes)
The error's header is:
Status Code: 401 Unauthorized
Alternate-Protocol: 443:quic
Cache-Control: private, max-age=0
Content-Encoding: gzip
Content-Length: 162
Content-Type: application/json; charset=UTF-8
Date: Tue, 18 Mar 2014 19:17:35 GMT
Expires: Tue, 18 Mar 2014 19:17:35 GMT
Server: GSE
WWW-Authenticate: Bearer realm="https://www.google.com/accounts/AuthSubRequest"
X-Content-Type-Options: nosniff
X-Firefox-Spdy: 3.1
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
and the body is:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "authError",
"message": "Invalid Credentials",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Invalid Credentials"
}
}
The header needs to be set to Authorization: Bearer ab31.4.CDEfG_HI1JkKMNoPQR5S9tuvW_x2yzabcDEFGhiJklMnOpqRs-T6uvwXyza5BcdEFGHiJK3L. You need the word "Bearer" preceding the token.

Cannot exchange authorization code for long-lived access token with SurveyMonkey API

I've got the initial half of an OAuth flow working with the SurveyMonkey API, but when I try to exchange the short-lived authorization code for a long-lived OAuth access token, I get an HTTP 400 response. This is step 3 of the SurveyMonkey OAuth Guide.
Here's a scrubbed version of the full exchange:
POST /oauth/token?api_key=<removed> HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate, compress
Content-Length: 338
Content-Type: application/json; charset=utf-8
Host: api.surveymonkey.net
User-Agent: HTTPie/0.7.2
{
"client_id": "<removed>",
"client_secret": "<removed>",
"code": "dKkIJYnimBli3TMHoTdHoT-zkzkUFzfHeaWJJyPVmrYG35R5Q-jLLU-Y7Fg3BR0n3tVTQ6sAmDnwVxHXSjZVdiYTJ7u7SWbLCKgQa061bKJYXSpRhTsEL0v5GMWcMEBC2vje5UjRHp3SScFQEwIIjHKZH5raC5RQJJh.JYWEOqw8Iy-2Ds7km1zYaHGGlxqu",
"grant_type": "authorization_code",
"redirect_uri": "https://app.hubspotqa.com"
}
HTTP/1.1 400 Bad Request
Cache-Control: no-store
Connection: keep-alive
Content-Length: 96
Content-Type: application/json; charset=UTF-8
Date: Fri, 24 Jan 2014 00:05:53 GMT
SM-Request-ID: 41264d11-b93d-4f8b-ad1a-c656ccfa268b
Server: nginx
{
"error": "invalid_request",
"error_description": "Invalid POST body or Content-Type received."
}
I'm able to reproduce the exact same error using other HTTP clients as well, but I have no trouble manually getting an access token using the SurveyMonkey API console. What am I doing wrong?
Side question: the OAuth guide says that step 3 accepts a redirect_uri but the example Python guide uses redirect_url. Which is the correct parameter? Can I omit it entirely? My server certainly does not care about getting redirected anywhere.
As it turns out, the required Content-Type for this POST is form encoding – application/x-www-form-urlencoded, not JSON.
Note that the documentation does not actually say that anywhere; it's implied by the example usage of the Python requests library.
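The two fixes given in the answers above (the word `Bearer` before the token in `Authorization`, and form encoding for the token request) expressed as a check on a raw request before it is sent. This is an added example, not code from any of the posts; the function names, finding labels, the "/token" path heuristic and the constructed sample requests are assumptions.

```python
import re
from urllib.parse import urlencode, urlsplit

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token
BEARER_RE = re.compile(r"^Bearer +[A-Za-z0-9\-._~+/]+=*$")
# RFC 6749 section 4.1.3: token request parameters are form-encoded.
FORM = "application/x-www-form-urlencoded"

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip().split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def lint_request(raw: str) -> list[str]:
    """Return findings for the two mistakes covered by the answers above."""
    method, target, headers, _body = parse_request(raw)
    findings = []
    auth = headers.get("authorization")
    if auth is not None and not BEARER_RE.match(auth):
        findings.append("authorization-not-bearer-scheme")
    # Assumption: a token endpoint is recognised by a path ending in /token.
    is_token_call = method == "POST" and urlsplit(target).path.endswith("/token")
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if is_token_call and media_type != FORM:
        findings.append("token-request-not-form-encoded")
    return findings

def token_request(host: str, path: str, params: dict) -> str:
    """Build the form-encoded version of a token request."""
    body = urlencode(params)
    return (f"POST {path} HTTP/1.1\nHost: {host}\nContent-Type: {FORM}\n"
            f"Content-Length: {len(body)}\n\n{body}")

# Constructed samples modelled on the captures in the posts (placeholder values).
BARE_TOKEN = ("GET /calendar/v3/users/me/calendarList HTTP/1.1\n"
              "Host: www.googleapis.com\nAuthorization: EXAMPLE_TOKEN\n\n")
JSON_TOKEN = ("POST /oauth/token?api_key=EXAMPLE HTTP/1.1\n"
              "Host: api.surveymonkey.net\n"
              "Content-Type: application/json; charset=utf-8\n\n"
              '{"grant_type": "authorization_code"}')
```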

OAuth 2.0 access token isn't refreshed, gives 401 Error : Token Invalid when used

I am currently using the YouTube API for a desktop application in C++. I am trying to implement the direct upload, which requires an authentication. I naturally chose OAuth 2.0. I followed the Google example and apparently everything worked well: I've got an access token and a refresh token, without any error returned.
However, when I try to use the access token to upload a video (I put it in the Authorization: Bearer header), I get an error 401: Unauthorized with the description Token Invalid.
I then tried to refresh the access token right before requesting the upload (which means I try to refresh right after retrieving the access token, since the two operations are consecutive in my application's flow). The access token remained unchanged: I received the same access token from the refresh request and the exchange request.
I first thought it meant an access token should be refreshed only when it expires, but it is apparently not true: using the OAuth 2.0 Playground, it seems clear that refreshing a not yet expired token works fine and gives a different access token.
Any idea on what the problem could be? Is the 401 error linked to the fact that I am not able to refresh the token?
Edit: Here are the request and the response as shown in Fiddler
Request:
POST http://uploads.gdata.youtube.com/feeds/api/users/default/uploads HTTP/1.1
Accept: */*
Accept-Language: xx
Authorization: Bearer MY_ACCESS_TOKEN
GData-Version: 2
X-GData-Key: key=MY_DEV_KEY
Slug: test.avi
Content-Type: multipart/related; boundary="f93dcbA3"
Pragma: no-cache
User-Agent: SOME_STUFF
Host: uploads.gdata.youtube.com
Content-Length: 23686
Connection: Keep-Alive
--f93dcbA3
Content-Type: application/atom+xml; charset=UTF-8
<?xml version="1.0"?><entry xmlns="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/" xmlns:yt="http://gdata.youtube.com/schemas/2007"><media:group><media:title type="plain">Bad Wedding Toast</media:title><media:description type="plain">I gave a bad toast at my friend's wedding.</media:description><media:category scheme="http://gdata.youtube.com/schemas/2007/categories.cat">People</media:category><media:keywords>toast, wedding</media:keywords></media:group></entry>
--f93dcbA3
Content-Type: video/avi
Content-Transfer-Encoding: binary
<My file binary data>
--f93dcbA3--
Response:
HTTP/1.1 401 Unauthorized
X-GData-User-Country: FR
WWW-Authenticate: Bearer realm="https://accounts.google.com/o/oauth2/auth",service="youtube"
Content-Type: text/html; charset=UTF-8
Content-Length: 13
X-GUploader-UploadID: AEnB2UrVDA94Fk5VFn1ng-2q9VFOo2KifLvIEHFOxQ4m66IUSC8sRf3mo5S8UH94mLyupbfANeLQvxMPhPLo6L0wlcaguQW9CQ
Date: Wed, 17 Jul 2013 09:51:23 GMT
Server: HTTP Upload Server Built on Jul 8 2013 15:32:26 (1373322746)
Token invalid
Edit 2: Request and response using YouTube API v3
Request:
POST /upload/youtube/v3/videos?part="snippet" HTTP/1.1
Host: www.googleapis.com
X-gdata-key: DEV_KEY
Content-length: 42190
Content-type: multipart/related; boundary="===============1679429526=="
Authorization: ACCESS_TOKEN
--===============1679429526==
Content-type: application/json
{
"snippet":
{
"title": "test"
}
}
--===============1679429526==
Content-type: video/avi
<BINARY DATA - 41984B>
--===============1679429526==--
Response:
HTTP/1.1 400 Bad Request
Content-length: 229
Via: HTTP/1.1 GWA
X-google-cache-control: remote-fetch
Server: HTTP Upload Server Built on Jul 8 2013 15:32:26 (1373322746)
Date: Wed, 17 Jul 2013 22:14:03 GMT
Content-type: application/json
{
"error": {
"errors": [
{
"domain": "global",
"reason": "badContent",
"message": "Unsupported content with type: video/avi"
}
],
"code": 400,
"message": "Unsupported content with type: video/avi"
}
}
