I'm writing a desktop application in Delphi and trying to sync it with Google calendar (windows only, win 7 and newer). I've registered a custom uri schema in my system registry, so eu.myapp:test will run my program or pass a message to an already running instance of the program.
I've managed to get the first step of authentication going - I open the default browser, asking the user for permission to modify their calendars, I get the authentication code back into my software without a hitch. The oauth client is registered as an iOS app,
However when I try to request an actual token, the request is denied (400 - Bad request) with the following response body:
{
"error": "invalid_request",
"error_description": "Invalid parameter value for redirect_uri: Missing scheme: eu.myapp",
"error_uri": ""
}
My request body looks like this:
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
code=XXX&
client_id=YYY&
redirect_uri=eu.myapp&
grant_type=authorization_code
According to the documentation, I am supposed to include the redirect URI obtained from the API Console, but I found no such URI there. Found some older answers, but the developer console has apparently been changed since they were given so they are no longer relevant. What am I missing?
Edit: Added some more information
I built a simple nodejs server and put it up with a SSL certificate and nginx, so I could see what actually gets sent across. I then used both my app and the example C# app to send the token request to it and monitor the request body.
The only discernible difference was that delphi url encoded the code automatically (4%2Fhky... instead of 4/Fhky... for example). Other than that they seemed identical.
I also tried rewriting the app to listen to a localhost port but ended up with the same results. There is a delphi demo where they demonstrate the use of google api by using an embedded browser for the user to log in (and it works), but according to the api documentation, it's deprecated and will go away soon. Besides, it seems like I can manage the first redirect just fine, but getting the actual tokens fails.
Found my error. I noticed that the parameters were getting encoded automatically by the delphi component responsible for making the requests. I manually encoded the redirect uri before setting it as a parameter on the token request. Then the component encoded it again, which caused it to be different to the url given on the code request, which caused the uri_mismatch error.
The uris also need to be identical on both requests, as even though the second request does not redirect, it still uses the redirect_uri as a validation parameter.
Related
When I attempt to make a request to Etrade's Account List endpoint in sandbox (https://apisb.etrade.com/v1/accounts/list), I am getting an HTTP 401 - "Unauthorized request - invalid Consumer key and/or session token".
I don't understand why this request is not working, since I am successfully calling the Get Access Token API, retrieving the oauth_token and oauth_token_secret and using them to sign and make the request to Account List.
To add to my confusion, I downloaded the official Etrade Python Client, put a breakpoint right before the account list is called, and confirmed that my code is generating the exact same oauth_signature given the same request parameters.
Furthermore, I actually copied all of the request parameters generated by the official Python client and pasted them into my web browser, and am still getting the same "Unauthorized request - invalid Consumer key and/or session token" response.
To illustrate, here is a breakpoint I put in the official Python client (I've replaced the first four letters of sensitive keys with "123a"):
Breakpoint 1 at /Users/me/Downloads/EtradePythonClient/venv/lib/python3.9/site-packages/rauth/session.py:210
(Pdb) c
> /Users/me/Downloads/EtradePythonClient/venv/lib/python3.9/site-packages/rauth/session.py(210)request()
-> return super(OAuth1Session, self).request(method, url, **req_kwargs)
(Pdb) pprint.pprint(oauth_params)
{'oauth_consumer_key': '123a01814e407344bc2b385f3954679b',
'oauth_nonce': '8230791e8c0253518a6b2dec8120b643fde93745',
'oauth_signature': '123apxtEaUJmlvKFWv7zz+lfNk4=',
'oauth_signature_method': 'HMAC-SHA1',
'oauth_timestamp': 1614559929,
'oauth_token': '123aMSpwaaWItBDgXQ/Te4M9363WSULWFdeHkh18B8s=',
'oauth_version': '1.0'}
(Pdb) url
'https://apisb.etrade.com/v1/accounts/list.json'
(Pdb) method
'GET'
Using the above, I constructed the following URL and pasted it into my web browser:
https://apisb.etrade.com/v1/accounts/list.json?oauth_consumer_key=123a01814e407344bc2b385f3954679b&oauth_nonce=8230791e8c0253518a6b2dec8120b643fde93745&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1614559929&oauth_token=123aMSpwaaWItBDgXQ/Te4M9363WSULWFdeHkh18B8s=&oauth_version=1.0&oauth_signature=123apxtEaUJmlvKFWv7zz+lfNk4=
but I get an HTTP 401 response - "Unauthorized request - invalid Consumer key and/or session token".
And yet, the request works in the official Python client (as long as I don't try it in my browser first, otherwise I will get a 'Error: oauth_problem=nonce_used' error in the Python client).
One thing I noticed is that the official Python client adds the oauth_version=1.0 parameter, but my requests are still failing whether or not I include that parameter and sign with it.
I also noticed the official Python client adds a .json to the url, but again I am still getting the unauthorized error whether or not I include .json.
I've also tried sending the OAuth parameters as an HTTP Header instead of as URL parameters, but I still get the same error.
I'm also rfc3986-encoding (percent-encoding) the URL parameters in my request, which is working for the Get Access Token request but not the Account List request.
Note that I am using the following URLs for request token, access token, and API for sandbox:
https://apisb.etrade.com/oauth/request_token
https://us.etrade.com/e/t/etws/authorize?key=${oauth_consumer_key}&token=${state.oauth_token}
https://apisb.etrade.com/oauth/access_token
https://apisb.etrade.com/v1/accounts/list
What else I can try to debug this?
Figured it out:
The problem was that, since I'm sending my requests from a web browser (a Chrome extension), my request was including a Cookie, which was causing the API to produce a session error.
I am using the Fetch API.
Setting {"credentials": "omit"} in the init parameter omits the Cookie header and solves the issue.
I've successfully implemented Discord's OAuth2 flow using the authorization code grant type into my application. The end user navigates to Discord's OAuth2 link for my bot, authorizes its access, and Discord redirects them back to my site with a code querystring. The bot then exchanges this code for an access token by querying Discord's API. Documentation on this process is available here for reference.
However, roughly every 50-100 requests to the exchange endpoint, I receive a 403 with the error invalid_grant and the description Invalid "code" in request. Frankly, I don't understand how the code just provided by Discord's system is instantly invalid. The same user can complete the process again and no error is returned the second time.
Out of desperation, I tried toggling on the option in the Developers Dashboard named Requires OAuth2 Code Grant seeing that it said "if your application requires multiple scopes," but it made no effect. I've also tried endless debugging, but the circumstances under each occurrence are apparently random. Oddly enough, I can't find anyone with the same issue online.
Below is the request I'm making in Node.js using the superagent library. It matches the documentation and works perfectly, other than the response randomly being the error described.
superagent.post('https://discordapp.com/api/v6/oauth2/token')
.type('x-www-form-urlencoded')
.set('Content-Type', 'application/x-www-form-urlencoded')
.send({
client_id: process.env.BOT_ID,
client_secret: process.env.BOT_SECRET,
grant_type: 'authorization_code',
code,
redirect_uri: process.env.OAUTH2_REDIRECT_URI,
scope: 'identify guilds.join',
});
I can confirm that all variables match their expected values. The value of redirect_uri matches that of redirect_uri in the original URL used. code is the value of the code querystring returned through the OAuth2 flow.
What (if anything) am I doing wrong that's causing the error?
Update 1:
Discord has directed me to the API GitHub repo, and I found the issue closed here. Commented and will update here if I receive any helpful info or resolve the issue completely (hopefully the case).
Ran into the same issue using nodejs. Leaving here notes for prosperity:
On Node, if there is no explicit app.head() handler, the .post() handler receives all head requests
Several Android phones, upon being redirected from discord, first send a head request to the endpoint
Meaning:
The user authenticates on discord, then through the redirect back, does a head request. This pulls discord with the code, BUT directly afterwards it also does a post request, which will fail (as you already used the code once), and possibly un-authenticates the user.
Solution for my specific issue was an explicit .head handler for all callback endpoints, which basically just returned the same headers (a redirect) as the post one did, but without calling discord.
Hope this helps.
did you use the OAuth2 link to invite your bot to your server - with the correct permissions? If so, in your main.js file did you define the token?
I.e. bot.login(“YOUR_TOKEN_HERE”)
I would recommend not toggling the ‘Requires OAuth2 Code Grant’ as it is a pain to do anything with in the beginning.
Please let me know of any progress :)
When we are accessing Asana API we are using the Asana node client v0.15.0 together with an Tampermonkey script. The Api is responding with an 401 (Unauthorized).
This worked a couple a days ago. I have tried with new Personal Access Tokens but still get the same error.
While fiddling the request I tried to change the auth-header Bearer to be lower cased.
Authorization: Bearer my-personal-access-token ->
Authorization: bearer my-personal-access-token.
This seems to work fine, that indicates that something changed on Asana's side.
The node-asana js client lib does not let me modify the request before sending it to Asana API.
According to Asana API support it is on stackoverflow that I should ask about help on this matter.
EDIT
By some further investigation it seems that when we send in the cookie
auth_token=My auth token we do get the 401 error. But If removing the cookie and reissue the request in fiddler it works fine.
Another note is that now we do not get any custom_fields in the response from e.g https://app.asana.com/api/1.0/tasks/TaskId
I'm a Developer Advocate at Asana. You've caught something that is a known issue and we're working on a fix :) We're rolling out a new version of our API. It's intended to be backwards-compatible with the older implementation, but giving us multiple forms of authentication is one of those cases where we do something different between the two.
For security purposes, we initially implemented this in the new version to not allow requests with multiple forms of authentication, but it turns out that in-browser integrations were affected in precisely the way you're seeing: being logged into Asana, which causes your browser to send your authorization credentials for requests to asana.com automatically, and also authorizing "the right way" for our API with OAuth or a Personal Access Token will end up breaking. We're working on a fix that will allow this to work for the case when both the logged in (cookie) user and the API (access token) user are the same.
If this is an urgent issue and you want to force the old behavior to happen while we roll out the fix in our newer API implementation, you can set a header as described in that link --^ to force your requests on to the old API. Once we get the new API fully deployed and stable, though, we'll deprecate that header, so please be cautious in relying on it for a long-term solution.
Sorry that this has caused issues for you, and thanks for creating this question to let us know!
As part of the OpenID Connect (OAuth2 for Login), my application is supposed to request an access token, given a one-time authorization code, via the endpoint https://www.googleapis.com/oauth2/v3/token. According to documentation, this request needs 5 parameters passed to it, client_id among them. That is exactly what my application does, using the Perl module Net::OAuth2.
Everything has been working fine for several months, but today I was notified that it stopped working. No updates were made to the application code nor the libraries used by it.
The message my application now receives from the server when calling the token endpoint is this, in a 400 error response:
OAuth 2 parameters can only have a single value: client_id
A Google search suggests nobody has ever seen this message before, or lived to tell the tale. There doesn't seem to be a general issue with Google's OpenID Connect (other services based on it are working flawlessly), and the imminent shutdown of the old login protocol doesn't seem relevant.
More testing: removing all parameters except client_id causes this error message:
Required parameter is missing: grant_type
Supplying only client_id and grant_type produces the original error message again.
Does anyone have an idea what's going on here?
Google changed this behavior few days ago, so any OAuth2 library using Basic Auth headers AND body request parameters will start to see messages like
OAuth 2 parameters can only have a single value: client_id
or
OAuth 2 parameters can only have a single value: client_secret
So, you must now do NOT use both (the Auth headers and body request parameters) at the same time to send credentials to Google.
And according RFC 6749, the preferable way to send credentials is through Auth headers (thanks #JanKrüger for alert me about this).
Got the same error. It seems the problem is that NET::OAuth2 sets the authorization header when exchanging authorization code for access token. If you remove this header everything works fine.
Check the get_access_token method in Net::OAuth2::Profile::WebServer module. The authorization header includes client_id:client_secret base64-encoded string. Apparently Google now treats this duplication as an error.
The right way of fixing this is to set the secrets_in_params parameter when creating Net::OAuth2::Profile::WebServer object. Look in the Net::OAuth2::Profile documentation for more details.
I know same question has been asked many times but even after following each and every post as well trying various suggestions, I am still facing invalid_request error.
I am able to get code successfully from Google API and when I am trying to access accessToken , I am getting this error and HTTP code being sent from Google API is 400.
I have already tried and compared my data with oauthplayground and seems everything is same
Following data is being sent from my Application to Google API
https://accounts.google.com/o/oauth2/auth?
scope=openid+profile+email
&response_type=code
&redirect_uri=http%3A%2F%2Fsavealifetoday.org%2Fblood_donors%2FoAuthCallBackAction%3Fservice_provider_name%3D
&approval_prompt=force
&client_id=193214746340-ea0nq5alpst82n2fno13s9j21pn4f4pf.apps.googleusercontent.com
Access Token URL
https://accounts.google.com/o/oauth2/token?
scope=openid+profile+email
&client_secret=***********
&grant_type=authorization_code
&redirect_uri=http%3A%2F%2Fsavealifetoday.org%2Fblood_donors%2FoAuthCallBackAction%3Fservice_provider_name%3D
&code=4%2F8veoAnihzkao58oWvZaRShn5nhYg.0to7Or-lHPwRXE-sT2ZLcbTblHXFhgI
&client_id=193214746340-ea0nq5alpst82n2fno13s9j21pn4f4pf.apps.googleusercontent.com
But When Application is trying to fetch data over the network, I am getting exception
SEVERE: Error while fetching access token for Google..
OAuthProblemException{error='invalid_request', description='null', uri='null', state='null', scope='null', redirectUri='null', responseStatus=0, parameters={}}
I am using URLConnectionClient to establish network connection
Go through the OAuth flow using the OAuth playground https://developers.google.com/oauthplayground/.
Then compare what is being sent with your own.
Note that it needs to be an HTTP POST. The code you posted looks like a GET.
Also, your redirect URL looks a little odd. Is that exactly the same URL that you registered in the API console? This is isn't your current error, but will probably become your next one ;-)
It seems that you forgot to send 'state' parameter here (it is mandatory!):
https://accounts.google.com/o/oauth2/auth?
scope=openid+profile+email
&response_type=code
&redirect_uri=http%3A%2F%2Fsavealifetoday.org%2Fblood_donors%2FoAuthCallBackAction%3Fservice_provider_name%3D
&approval_prompt=force
&client_id=193214746340-ea0nq5alpst82n2fno13s9j21pn4f4pf.apps.googleusercontent.com
In Java code you can generate it in a way like this:
String state = new BigInteger(130, new SecureRandom()).toString(32);
So you request should look like this:
https://accounts.google.com/o/oauth2/auth?
scope=openid+profile+email
&response_type=code
&redirect_uri=http%3A%2F%2Fsavealifetoday.org%2Fblood_donors%2FoAuthCallBackAction%3Fservice_provider_name%3D
&approval_prompt=force
&client_id=193214746340-ea0nq5alpst82n2fno13s9j21pn4f4pf.apps.googleusercontent.com
&state= {insert_here_generated_state}
And also I don't know if it is necessary to send a 'scope' parameter in "Access Token URL".