Postman REST Client OAuth 2.0 - Extra Payload for Quizlet API - oauth-2.0

I'm trying to use the Postman REST Client to test the Quizlet API. Postman has a feature to do OAuth 2.0 for you. However, the Quizlet API requires a state parameter:
A random string generated by you. You send us this, and we'll send it back to you, and you verify that we send back the same thing you sent. You must send and verify this value in order to prevent CSRF attacks.
The default Postman helper does not have the ability to send more in the POST (as far as I know). Is there a known way to send the extra payload, or to get around this (whether in Postman or the Quizlet API)?
Thanks in advance!
Steps:

Related

Trigger Twilio Flow from Freshdesk Automation webhook

I need to trigger the Twilio Flow REST API via a webhook that Freshdesk has in its automation feature.
[screenshot: Twilio Flow]
I configured the automation with the webhook service https://webhook.site and I received the data.
[screenshot: Freshdesk Automation Webhook configuration]
When I use POSTMAN to trigger the flow it works perfectly.
[screenshot: Postman request to Twilio]
Based on your screenshots, you are sending the data differently to Twilio with each approach.
The Freshdesk example is sending application/json but Postman (which you indicated works) is using form-data. Try selecting X-FORM-URLENCODED on the Freshdesk side.
Creating or Updating Resources with the HTTP POST and PUT Methods
"Creating or updating a resource involves performing an HTTP PUT or HTTP POST to a resource URI. In the PUT or POST, you represent the properties of the object you wish to update as form urlencoded key/value pairs. Don't worry, this is already the way browsers encode POSTs by default. But be sure to set the HTTP Content-Type header to "application/x-www-form-urlencoded" for your requests if you are writing your own client."

How do I view the raw signature Postman uses when it makes its OAuth requests?

I'm using Postman 5.1.3. I'm trying to connect to an OAuth 1.0a endpoint using Postman's OAuth screen. How do I view the raw signature that Postman is using to construct its hashed "oauth_signature" param? I'm filling in a value for
consumer_key
consumer_secret
signature_method
timestamp
nonce
version
I'm leaving the HTTP method as "GET" and clicking "Send". Everything goes through fine, but I'm not able to reproduce the behavior in Java, which is why I'm seeking a way to view the raw signature Postman uses when building its request.
To generate the signature, Postman follows the RFC; there is no point in displaying the steps used to generate it, so it is not shown.
The RFC is 5849, section 3.4 for the signature stuff. It is quite explicit.

Incorrect callback in Office 365 Client credentials grant OAuth2 flow

I am playing with the client credentials grant flow described here: https://msdn.microsoft.com/en-us/office/office365/howto/building-service-apps-in-office-365
Here is my initial authorization request:
https://login.microsoftonline.com/common/oauth2/authorize?nonce=c43a377e-8b75-4c7f-9fab-300f1dbc76c5&prompt=admin_consent&state=35&redirect_uri=http%3A%2F%2Flocalhost%3A6543%2Fcallback%2Foffice365&response_type=code+id_token&client_id=XXXX&scope=openid
According to the documentation I expect to receive a POST callback with a token in the body.
But I actually receive a GET callback like this:
http://localhost:6543/callback/office365#code=XXXXX&id_token=XXXXX&state=35&session_state=3a2e2c61-7e71-4f11-a9a6-f1dd8f50aeb6&admin_consent=True
I actually prefer GET over POST, but there is a hash sign (#) instead of a question mark (?) in the URL, so the parameters are actually not GET arguments.
Is there anything I can do to receive a valid callback?
By spec, OAuth2 supports different response modes.
Adding response_mode=query solves the problem. This means the MS authorization endpoint uses response_mode=fragment by default, which is not explicitly described in the documentation.
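As an added example (not code from any of the posts above), here is how an OAuth 2.0 client mints and verifies the `state` value the Quizlet question asks about, and why a callback delivered with `response_mode=fragment` never reaches the server-side handler. The authorization endpoint URL, the `SESSIONS` store and the function names are assumptions made for this example.

```python
"""Client-side OAuth 2.0 state handling and callback parsing (added example)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder endpoint; no real client_id or redirect_uri from the page is used.
AUTHORIZE_ENDPOINT = "https://authz.example/oauth2/authorize"
SESSIONS = {}  # stands in for server-side session storage, keyed by session id


def begin_authorization(session_id, client_id, redirect_uri, response_mode="query"):
    """Mint an unguessable state, bind it to this browser session, and build the request URL."""
    state = secrets.token_urlsafe(32)
    SESSIONS[session_id] = state
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        # 'query' yields ?code=...&state=...; 'fragment' yields #code=...&state=...
        "response_mode": response_mode,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(query)}"


def handle_callback(session_id, callback_url):
    """Return the authorization code only if the returned state matches the one we minted.

    The state is consumed on first use so a captured callback cannot be replayed. Because a
    browser never sends the URL fragment to the server, a callback delivered with
    response_mode=fragment arrives with an empty query string and is rejected here.
    """
    expected = SESSIONS.pop(session_id, None)
    params = parse_qs(urlsplit(callback_url).query)
    received = params.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: possible CSRF, replay, or callback sent via fragment")
    return params.get("code", [None])[0]
```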

OAuth: can JSON have an OAuth token?

I am simulating an app where JSON requests are sent to the back end. Now I have to add OAuth support. I don't know how to move forward. Is the OAuth token sent with the same JSON request?
Yes and no. An OAuth token is sent in the HTTP headers. So it's not in the JSON payload, but it is sent in the same HTTP request.
However, before sending it, you have to accomplish some steps dictated by the standard, to exchange the proper token(s) (access and/or request).
Look at this good tutorial http://hueniverse.com/oauth/guide/ to understand the process more in depth. It even has an interactive part where you can dynamically change the parameters and see the headers and messages you should generate and exchange.

What's the use of the oauth_token_secret in Twitter OAuth?

I followed the tutorial on https://dev.twitter.com/docs/auth/implementing-sign-twitter to use OAuth on my homepage. Everything worked, and after the last step I have an oauth_token (after converting it to an access token) and an oauth_token_secret. Now I want to post a new status on Twitter. So I did everything on this page https://dev.twitter.com/docs/auth/authorizing-request, which is just a POST request to /1/statuses/update.json. On that page nothing is said about the oauth_token_secret, so I haven't used it in my request and have just put the oauth_token in it. After submitting the POST request, Twitter gives me the status code 401 Unauthorized. Why is that? Do I have to use the oauth_token_secret somewhere?
The token secret is used to hash the signature base. Something like a password. You don't send the password, you use it to compute a secure hash of the thing the service sent to you. You send that secure hash, then the service checks that secure hash against the request you sent. If they match, you're authorized.
The gory details are described in the OAuth spec, RFC 5849.
Twitter uses OAuth1.0a, but is mostly consistent with that spec.
Here's the relevant bit:
https://www.rfc-editor.org/rfc/rfc5849#section-3.4.2
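Both the Postman OAuth 1.0a question above and this Twitter one come down to the same RFC 5849 section 3.4 computation. The following is an added example (written for this page, not Postman's or Twitter's code) that builds the signature base string, derives the HMAC-SHA1 signature from the consumer secret and token secret, and checks it the way a server would; the names `sign_request` and `verify_request` are this example's own.

```python
"""OAuth 1.0a HMAC-SHA1 signing and verification per RFC 5849 section 3.4 (added example)."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """Section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_' and '~' stay unescaped."""
    return quote(str(value), safe="~")


def signature_base_string(method, url, oauth_params, form_body=""):
    """The 'raw signature' input (section 3.4.1): method, base URI and normalized parameters.

    form_body is only included when the request body is application/x-www-form-urlencoded.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host, _, port = parts.netloc.lower().partition(":")
    if port and port != {"http": "80", "https": "443"}.get(scheme):
        host = f"{host}:{port}"  # default ports are dropped, others kept (section 3.4.1.2)
    base_uri = f"{scheme}://{host}{parts.path}"
    collected = parse_qsl(parts.query, keep_blank_values=True)
    collected += parse_qsl(form_body, keep_blank_values=True)
    collected += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    # Encode every name and value first, then sort by encoded name, then value (3.4.1.3.2).
    pairs = sorted((pct(k), pct(v)) for k, v in collected)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join(pct(part) for part in (method.upper(), base_uri, normalized))


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Section 3.4.2: key is consumer_secret '&' token_secret; neither secret is ever sent."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, oauth_params, consumer_secret, token_secret="", form_body=""):
    """Client side: return the oauth_* parameters with oauth_signature added."""
    base = signature_base_string(method, url, oauth_params, form_body)
    signature = hmac_sha1_signature(base, consumer_secret, token_secret)
    return {**oauth_params, "oauth_signature": signature}


def verify_request(method, url, oauth_params, consumer_secret, token_secret="", form_body=""):
    """Server side: recompute from the received parameters and compare in constant time.

    A request signed without the token secret (the 401 case above) fails this check.
    """
    base = signature_base_string(method, url, oauth_params, form_body)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), str(oauth_params.get("oauth_signature", "")).encode())
```

Feed `signature_base_string` the exact method, URL, form body and oauth_* values a client sent and you get the string Postman keeps hidden, which makes a Java port straightforward to compare against.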
