Hi I have the Google OAuth 2 explicit flow working according to:
https://developers.google.com/identity/protocols/OAuth2WebServer
I also have the implicit flow working on iOS with GIDSignIn, specifically I get the GIDSignInDelegate::sign(_ signIn: GIDSignIn!, didSignInFor user: GIDGoogleUser!, withError error: Error!) callback and have access to user.authentication.accessToken and user.authentication.refreshToken.
I'm trying to pass that refreshToken back to our private app server so that it can make requests on behalf of the user (mainly because it's easier to just sign in with the SDK than make the front end developers deal with raw URL requests).
However, when I try to use that refresh token to get a new access token on the back end:
curl --request POST \
--url https://www.googleapis.com/oauth2/v4/token \
--header 'cache-control: no-cache' \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'client_id={client_id}&client_secret={client_secret}&refresh_token={refresh_token}&grant_type=refresh_token'
It returns:
{ "error": "invalid_grant", "error_description": "Bad Request" }
I think the issue is that my server has a client id and secret, but iOS only has a client id. Without a secret (sometimes called key) corresponding to the iOS client id, there is no way for me to refresh the token on the back end. I was hopeful that Google would detect that both the server client id and iOS client id were registered to the same app and let the server refresh the token with its credentials, but that doesn't work.
I've looked at both the "API keys" and "OAuth 2.0 client IDs" sections at:
https://console.developers.google.com/apis/credentials
But am at a loss.
Does anyone know a curl command for refreshing a token acquired through the iOS SDK?
Or is this simply not possible?
Thanks!
For anyone reading this, I got it working:
On a whim I tried calling the refresh token endpoint without passing client_secret (as there isn't one when using implicit flow on mobile). Here is the curl:
curl --request POST \
--url https://www.googleapis.com/oauth2/v4/token \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'client_id={client_id}&refresh_token={refresh_token}&grant_type=refresh_token'
This appears to be undocumented. The closest example I found is at https://developers.google.com/identity/protocols/OAuth2InstalledApp#refresh but it shows client_secret=your_client_secret& and never mentions that with implicit flow, front end web and mobile apps don't normally use a client secret.
Please don't upvote my answer, as I haven't done anything. OAuth is generally not documented very well, or contains code snippets pertaining to platform SDKs without the underlying URL requests or curl examples. SDKs are often opaque/closed-source so would require dropping down to tcpdump or packet sniffing to see what's going on. I didn't do the due diligence, I just got lucky.
I have sent feedback to Google but if this issue has affected you, you can click the gear in Gmail and "Send feedback" to hopefully get documentation updated more quickly.
Please refer to this link:
https://developers.google.com/identity/sign-in/ios/offline-access
From the reference, you have to do 2steps below to let your server able to refresh your access token
Make sure your server and iOS app use credentials of the same project, 1 browser key and 1 iOS key
Add this line: [GIDSignIn sharedInstance].serverClientID = your_server_client_id
Related
I am trying to upload a Video to my YouTube account using my own Application(Spring-boot) with the help of Google Library. But every time when I try to call the insert API of YouTube it asks for a Physical Sign in to Google Account. I want to upload my Video without Google Signin via passing the API Key or the client credentials(generated in Google Console for OAuth) in a post Request. I don't want to signin to google every time to upload a video. My account should be verified with the credentials I provide in the post Request.
curl --request POST
'https://youtube.googleapis.com/youtube/v3/videos?key=[YOUR_API_KEY]'
--header 'Authorization: Bearer [YOUR_ACCESS_TOKEN]'
--header 'Accept: application/json'
--header 'Content-Type: application/json'
--data '{}'
--compressed
Another Question is How I can get [YOUR_ACCESS_TOKEN] ..?
End Point URL : POST https://www.googleapis.com/upload/youtube/v3/videos
Google Link : YouTube Upload Video steps
Any Suggestion would be Very Helpful.
JAVA code snippet :
you can find this on Google Link.
The only way to do that would be to request offline access. At which point you should get a refresh token back. You can then use the refresh token to request a new access token at a later date without requiring that you login to google again.
Since your code is in Curl i have posted a response using Curl, even though your question mentons java.
# Authorization link. Place this in a browser and copy the code that is returned after you accept the scopes.
https://accounts.google.com/o/oauth2/auth?client_id=[Application Client Id]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=[Scopes]&response_type=code
# Exchange Authorization code for an access token and a refresh token.
curl \
--request POST \
--data "code=[Authentcation code from authorization link]&client_id=[Application Client Id]&client_secret=[Application Client Secret]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code" \
https://accounts.google.com/o/oauth2/token
# Exchange a refresh token for a new access token.
curl \
--request POST \
--data 'client_id=[Application Client Id]&client_secret=[Application Client Secret]&refresh_token=[Refresh token granted by second step]&grant_type=refresh_token' \
https://accounts.google.com/o/oauth2/token
Code ripped from my Gist
By testing OAuth 2.0 Web Server Flow for Web App Integration in Salesforce, I've found a way to negotiate an access token by doing something somewhat weird.
Here is the scenario.
I've create two accounts :
phdezann+user01-mbpt#force.com
phdezann+user02-8wl6#force.com
With the second account, I've created an New Connected App and enabled Enable OAuth Settings and got a pair of clientId and secretId, part of the OAuth protocol.
Then, I've requested an authorization code by going to :
https://login.salesforce.com/services/oauth2/authorize?client_id=<client_id_of_user02_instance>&redirect_uri=http://localhost:8080&response_type=code
Here, and this is the interesting part, I logged in with the user01 and managed to get an authorization code in the callback.
And finally, I've tried to convert that authorization code to an access token :
curl \
--location \
--request POST 'https://login.salesforce.com/services/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code=<authorization_code_from_user01>' \
--data-urlencode 'client_id=<client_id_of_user02_instance>' \
--data-urlencode 'client_secret=<client_secret_of_user02_instance>' \
--data-urlencode 'redirect_uri=http://localhost:8080'
And, it worked. I got :
{
"access_token": "00D2X00000....",
"signature": "CSfC0khkT7...",
"scope": "api",
"instance_url": "https://eu13.salesforce.com",
"id": "https://login.salesforce.com/id/00D2X000003IgQFUA0/0052X00000AP6AdQAL",
"token_type": "Bearer",
"issued_at": "1596728532049"
}
I really don't get how this is possible, I surely miss something here.
That's by design and it's an OAuth2 thing, not really Salesforce thing.
If you would be making a mobile app or some amazing integration with your website - it's impractical to ask every admin to generate the app, paste keys to your mobile app and distribute to users... You'd ship your app with one pair of keys you control and then the end users decide if they trust you, want to proceed, are comfortable with the level of access you are requesting...
You can paste your keys to https://openidconnect.herokuapp.com/
or use it as is and get to your orgs.
See also https://salesforce.stackexchange.com/q/213666/799 and https://salesforce.stackexchange.com/q/70489/799
can anyone help me I am trying to call below request
curl https://rtm.zopim.com/stream/{resource} \
-H "Authorization: Bearer {API access token}"
initially, I tried with basic auth (adding id : password in the request) response was unauthorized,
then I generate access token with postman like in below screenshot
and when call API with that access token then the response is 403 forbidden
I can successfully hit and get response other api like ( https://www.zopim.com/api/v2/chats) with the same access token
but not the specific "rtm.zopim.com/stream/"
The Real Time Chat API is available on Enterprise plans only, so if you are not on the Enterprise plan you will receive a 403 Forbidden error.
I was using apim 3-m18 previously and post'ing to localhost:9443/api/auth/oauth2/v1.0/token?grant_type=password&scope=apim:api_view with the basic auth token of clientid:clientsecret returned from /api/id4entity/oauth2/dcr/v1.0/register endpoint worked fine in giving me the oauth token for admin api's - e.g. the logic laid out at wso2 API-M 3.0 - how to get oauth token for product/admin api calls
However, I upgraded to latest rev (m24) and the dcr register endpoint still works fine, but when I then hit the token api with the base64-encoded clientid:clientsecret from dcr, the request hangs before i get a timeout error.
When I exit m24 and restart m18 and make the exact same requests (dcr call for clientid/secret, then token api call), it works. Then switching to m22 fails with same requests.
I didn't see any documentation or issues in github on this, so was curious if anyone knows what I might need to change to get the oauth token. Thanks.
Could you please use the following curl command
curl -X POST -H "Authorization: Basic N2Y4MzM0ODEtNjk1ZS00OWY4LTg0OTgtOGU0NjUwNzhmYjljOmU1NmZlOTM3LTQwZjYtNGEwMy04MDIzLTE4ZGE0YmZmNWU3OA==" -H "Content-Type: application/x-www-form-urlencoded" -d 'username=admin&password=admin&grant_type=password&scope=scope' "https://localhost:9443/api/auth/oauth2/v1.0/token" -kv
Authorization token is Base64 encoded(clientId:clientSecret)
I was trying to make a iOS which will use the Uber API to do things like get rides and what not. I am trying to implement the OAuth 2.0 on the iPhone without using any server side help.
Is that possible? Has anyone done this?
Here are some references:
Uber Authentication: https://developer.uber.com/v1/auth/
Oauth 2.0: https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified
Yes, this is possible. I was able to configure OAuth2 for my app using Uber API. Here are step-by-step instructions:
In your app, redirect to https://login.uber.com/oauth/authorize with your client_id and response_type=code in order to allow user to authorize your app.
Upon successful authorization, Uber will redirect to your redirect_uri (you can specify any redirect_uri, including localhost:xxxx for testing purposes, etc.) to provide you with an auth code that is single-use and valid for 10 min. Implement a callback to retrieve this auth code.
With the valid auth code from Step 2, make a POST request to exchange for an access token. As a simple check, I would recommend using curl to confirm access token validity. For ex:
curl -F 'client_secret=YOUR_CLIENT_SECRET' \
-F 'client_id=YOUR_CLIENT_ID' \
-F 'grant_type=authorization_code' \
-F 'redirect_uri=YOUR_REDIRECT_URI' \
-F 'code=AUTHORIZATION_CODE' \
https://login.uber.com/oauth/token
Upon successful exchange, use the access token as the value for the 'Authorization' header for subsequent endpoint calls. For ex:
curl -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' 'https://api.uber.com/v1/products?latitude=37.7759792&longitude=-122.41823'