Any good resources on how to do this? I tried doing a curl, but I have no clue how to get my app-secret. I've gone here to get the client/app id. And when I submit the curl it verifies that it's a valid client/app id.
curl -X POST -H "Cache-Control: no-cache" -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=<your-app-id>&client_secret=<your-app-secret>&grant_type=client_credentials&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default' 'https://login.microsoftonline.com/common/oauth2/v2.0/token'
On the first page you linked to (https://docs.botframework.com/en-us/skype/chat/#authentication), there's a link later on in that section:
For more information on obtaining an OAuth2 token see the OAuth 2.0
Authorization Code Flow.
On that page, in the section titled 'Request an Access Token,' it provides a more detailed description of the purpose of the POST request you're trying to send including descriptions of all the parameters, including 'client-secret.' It says the following about client-secret:
The application secret that you created in the app registration portal
for your app. It should not be used in a native app, because
client_secrets cannot be reliably stored on devices. It is required
for web apps and web APIs, which have the ability to store the
client_secret securely on the server side.
So assuming your app is a web app, when you registered it there should have been a section in the app registration portal (the second link in your original post) where you are able to generate a client_secret. That section looks like this:
If you didn't do that initially, you should still be able to go back and edit the registration to add another secret.
Hopefully that answers your question.
I am trying to implement the new TikTok Login Kit for Web and am stuck on getting the access token.
Here's this specific step described in TikTok's doc.
https://developers.tiktok.com/doc/manage-user-access-tokens
I have registered the app.
I am able to reach the OAuth login screens.
I'm also able to auth. and get a response from the auth. endpoint with an authorization code.
But when fetching the access token using the said authorization code my POST request comes back to my redirect URL with a "Status=Temporary Redirect, StatusCode=307" in the response.
I assume 307 means there's something missing on the tiktok server, but their support isn't very responsive unfortunately.
Perhaps someone in the community has dealt with this before?
I'm sending my POST request with the following parameters.
URL: https://open-api.tiktok.com/oauth/access_token
?code=atGaIopCm2M9L2vfad0l4IJzzX8qFfg7aButDrjqerJqs5rhIqmWZLLGk1YRJZUZ6-mGBaYxX_asSdw1TNe7NHhvysS99Yz5o4MtkNv2-nA*1
&client_key= <client key in plain text>
&client_secret=<secret in plain text>
&grant_type=authorization_code
Any ideas what that 307 error could be hinting at in general?
Add -L in your curl command to enable redirections automatically
curl -L -X POST -H 'Content-Type:application/json' --data '{"secret": "xxx","app_id":"xxx","auth_code":"xxx" }' "https://business-api.tiktok.com/open_api/v1.2/oauth2/access_token/"
See the document here:
https://ads.tiktok.com/marketing_api/docs?id=1709207085043713
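An added example (not from the question or the answer above) of the check a token-exchange client should make before following redirects the way -L does: a 307 tells the client to repeat the same method and body, so blindly following it posts the client secret to whatever host the Location header names. The client below follows 307/308 only to the original scheme and host; the local server is a constructed stand-in for an endpoint that answers 307, not TikTok's API.

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

def post_following_safe_redirects(url, body, max_hops=3):
    """POST body to url, following 307/308 only while the target keeps the original
    scheme+host, so the client secret in the body is never replayed to another origin.
    urllib does not auto-follow a 307 on POST; it raises HTTPError, caught below."""
    origin = urlsplit(url)[:2]
    for _ in range(max_hops):
        req = urllib.request.Request(url, data=body, method="POST",
                                     headers={"Content-Type": "application/json"})
        try:
            with _opener.open(req, timeout=5) as resp:
                return resp.status, json.loads(resp.read())
        except urllib.error.HTTPError as err:
            if err.code not in (307, 308):
                raise
            url = urljoin(url, err.headers["Location"])
            if urlsplit(url)[:2] != origin:
                raise RuntimeError(f"refusing to replay credentials to {url}")
    raise RuntimeError("too many redirects")

class _FakeTokenEndpoint(BaseHTTPRequestHandler):
    # Constructed stand-in for a token endpoint that answers 307 first (not TikTok's API).
    def do_POST(self):
        if self.path == "/oauth/access_token":        # same-origin hop
            self._redirect("/v2/oauth/token")
        elif self.path == "/oauth/offsite":           # hop to a foreign host
            self._redirect("http://other.invalid/token")
        else:                                         # final token endpoint
            body = self.rfile.read(int(self.headers["Content-Length"]))
            out = json.dumps({"access_token": "constructed-token",
                              "echo": json.loads(body)}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(out)))
            self.end_headers()
            self.wfile.write(out)
    def _redirect(self, location):
        self.send_response(307)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

def start_fake_server():
    # Start the stand-in on a free localhost port and return its base URL.
    srv = HTTPServer(("127.0.0.1", 0), _FakeTokenEndpoint)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"
```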
Before someone marks this question as duplicate,
Yes I know audit log is a thing.
No I won't use it because it requires permission.
Yes it's easier to find out the server owner
No I need to know exactly who invited my bot
I want to:
Find out who invited my bot to the server (user-guild id pair) using invite link redirection.
I read about the OAuth2 API but didn't quite understand it due to my lack of background knowledge.
All I understand is that bot invite links can have a redirect URI,
and some info is transferred to it after authentication.
Is it possible to get user/guild id from this?
I tried:
Setting up an HTTP server using python -m http.server,
adding my IP to the redirect URI list in the dev page & generating an invite link containing a redirect to my IP.
But I didn't get redirected to my http server after inviting my bot using that link,
and nothing got printed on the http server console either.
Things to note:
A. Don't reveal your client secret or your bot token for any purpose. If you do so, immediately regenerate them from the developer portal.
B. Code and token have different meanings in the answer below.
C. This is not for absolute beginners and you are expected to have a general understanding of web requests (specifically GET and POST requests). You might also need to host the site handling the redirect URL.
D. This does not cover security issues in any shape, way or form.
1. In the bot tab of the developer portal, enable the REQUIRES OAUTH2 CODE GRANT option. This prevents the bot from joining a server unless step 4 is completed.
2. Then use the OAuth tab to generate an OAuth URL with identity and bot scopes. This is important to get user info in step 5.
3. When someone visits the URL, logs in, and selects a server, they are redirected to your redirect URL. This URL receives a single-use code as a URL parameter, i.e. the URL will be <base_url>&code={code}<other stuff>. It is up to you (and probably outside the scope of any SO answer; google is your friend here) to set up a web server and handle requests.
4. This code can then be used to get a token. This link explains how to exchange the code for a token. It involves sending a POST request with your application's client id and secret. Both are available from Discord's developer portal. The response will also have information about the guild along with the token in fields "guilds" and "access_token" respectively.
5. Send a GET request to https://discord.com/api/v9/users/@me with a header containing Authorization: Bearer ${token} where the token is obtained in step 4. The response is in JSON format and contains user data specified here. Note: The link above is for the latest API version v9 which may change in future versions.
Edit:
It is possible to manually modify the URL to remove identity scope from URL. The bot would still join the server as long as you make a request to exchange the code for the token. In this case, the request to /users/#me would fail and you would have no access to the user object. It should be easy to make the bot leave the server if the request fails with the status code corresponding to unauthorized.
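An added example (not the answer's code) of the server-side half of steps 3 to 5: parsing the redirect that carries the single-use code and guild id, then deciding from the exchange response and the /users/@me status whether to record the user-guild pair or make the bot leave, as the Edit describes. It also checks an OAuth2 state value, which the answer does not mention; the JSON shapes are constructed after Discord's documented fields (a guild object and a scope string), with the answer's spelling "guilds" accepted as well.

```python
import json
from urllib.parse import parse_qs, urlsplit

def parse_callback(redirect_url, expected_state=None):
    """Step 3: the redirect arrives as <redirect_uri>?code=...&guild_id=...
    Returns the single-use code and guild id, or raises if Discord reported an
    error or the state value we issued did not come back unchanged."""
    q = parse_qs(urlsplit(redirect_url).query)
    if "code" not in q:
        raise ValueError("no code in callback: " + q.get("error", ["unknown"])[0])
    if expected_state is not None and q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this callback was not started by us")
    return {"code": q["code"][0], "guild_id": q.get("guild_id", [None])[0]}

def attribute_invite(token_response, me_status, me_body):
    """Steps 4 and 5. token_response: parsed JSON from the code exchange
    (access_token, scope, guild). me_status/me_body: result of GET /users/@me.
    Returns ("record", user_id, guild_id) or ("leave", None, guild_id)."""
    granted = set(token_response.get("scope", "").split())
    # Discord documents the key as "guild"; the answer above writes "guilds".
    guild = token_response.get("guild") or token_response.get("guilds") or {}
    guild_id = guild.get("id")
    if guild_id is None:
        raise ValueError("exchange succeeded but no guild returned: was the bot scope granted?")
    # The Edit above: identify can be stripped from the URL by hand. The bot has
    # then already joined, but /users/@me answers 401, so make it leave again.
    if "identify" not in granted or me_status == 401:
        return ("leave", None, guild_id)
    if me_status != 200:
        raise RuntimeError(f"/users/@me failed with HTTP {me_status}")
    return ("record", json.loads(me_body)["id"], guild_id)
```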
I was able to install the Chrome extension for this and to use it in a certain way as described in other questions answered here. For example when I am using the URL for the fully developed application.
However my problem is a little bit different. I am using basic authentication but not based on user id and password. I am using the email for user id and an authentication token instead of password.
Here is my curl command working very well at the console prompt and retrieving all users my application has:
curl -X GET -H "Content-Type: application/json" -H 'Authorization: Token token="mytoken", email="levi.l.damian@gmail.com"' http://instrumon.herokuapp.com/api/v1/users/
This command connects as an admin and retrieves the list of users registered for my app.
Also my URL contains a distinct "api/v1" string.
Don't know how to replace in the "Construct" the password with the authentication token.
In the GET I used "Form" and under "Add new header" I typed Authorization and in the Value instead of using "Construct" I put a string like this:
Token token="mytoken", email="levi.l.damian@gmail.com"
And I used the URL like this:
https://instrumon.herokuapp.com/api/v1/users
The Response was a JSON containing the 6 user records I expected.
I have tried this and that.
But requesting this:
https://api.twitter.com/1.1/statuses/user_timeline.json?user_id=monyetbego
keeps giving me Bad Authentication data.
I don't know exactly how to get authenticated.
You need to register an application through Twitter's developer site. Once your application is approved you will be given a set of OAuth keys, which you can use within an API request to receive a response. Note that in API V1.1, you can no longer submit unauthenticated requests (i.e. send requests through an unauthenticated URL like the one you posted).
For example, once you have your authentication information, you can use curl to submit a show_timeline request (see your Application's OAuth tool on the Twitter Dev website for parameters specific to your authentication information):
curl --get 'https://api.twitter.com/1.1/statuses/user_timeline.json' \
  --header 'Authorization: OAuth oauth_consumer_key="XXXXXXXXXXXXXXXX", oauth_nonce="XXXXXXXXXXXXXXXXXXXXXXXX", oauth_signature="XXXXXXXXXXXXXXXXXXXXXXXXXXX", oauth_signature_method="XXXX-XXXXX", oauth_timestamp="XXXXXXXXXXX", oauth_token="XXXXXXXX-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", oauth_version="1.0"' \
  --verbose
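An added example, not the answer's code, of how the Authorization: OAuth header shown above with X's is produced: RFC 5849 HMAC-SHA1 signing over the method, the base URL and the sorted, percent-encoded parameters, using the four credentials the Twitter developer site hands out. The keys, nonce and timestamp in the test are constructed; in real use the function generates a fresh nonce and timestamp per request when none are passed in.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

def _enc(value):
    """RFC 3986 percent-encoding as RFC 5849 §3.6 requires: only A-Z a-z 0-9 - . _ ~ are kept."""
    return quote(str(value), safe="")

def signature_base_string(method, url, params):
    """RFC 5849 §3.4.1: METHOD & enc(base URL) & enc(normalized params).
    params holds the query parameters plus every oauth_* parameter except the signature;
    pairs are encoded first, then sorted, then joined as key=value with '&'."""
    base_url = url.split("?", 1)[0]
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """RFC 5849 §3.4.2: key is enc(consumer secret) & enc(token secret); output is base64."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def oauth1_header(method, url, query, creds, nonce=None, timestamp=None):
    """Build the Authorization: OAuth header for a signed request.
    creds: dict with consumer_key, consumer_secret, token, token_secret
    (the values the developer site's OAuth tool shows for your app)."""
    oauth = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": creds["token"],
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**query, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(
        base, creds["consumer_secret"], creds["token_secret"])
    return "OAuth " + ", ".join(f'{k}="{_enc(v)}"' for k, v in sorted(oauth.items()))
```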
I'm trying to implement Google OAuth 2 to get access to Google APIs. I follow this guide, using server-side scenario.
I have no problem with getting the code, server redirects to localhost (which is the only server allowed in redirect URIs for now).
To achieve this, I go to https://accounts.google.com/o/oauth2/auth?client_id=whatever.apps.googleusercontent.com&redirect_uri=http://localhost/&scope=https://www.google.com/m8/feeds/&response_type=code page.
Then, I tried using curl (as in the guide) to test if Google's server responds with an access token. However, it seems to fail very hard. The only response I can get is {"error":"invalid_client"}. I'm sure I provide everything Google wants me to provide - code, client ID, client secret, redirect URI (localhost) and grant_type=authorization_code.
Whole curl command line is:
curl https://accounts.google.com/o/oauth2/token -d "code=<code>&client_id=whatever.apps.googleusercontent.com&client_secret=<won't tell!>&redirect_uri=http://localhost&grant_type=authorization_code"
Am I missing something? How can I exchange code for access token?
Did you urlencode your client secret and redirect url? That works for me.
Should be http%3A%2F%2Flocalhost instead of https://localhost.
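An added example, not from either thread, serving both the Microsoft client_credentials curl at the top of the page and the authorization_code exchange in this thread: it builds the token request body with urlencode (so a scope or secret containing ':' '/' or '&' survives intact), copies redirect_uri out of the authorization URL that produced the code so the two values are identical byte for byte as RFC 6749 requires (the trailing slash counts: the authorization URL above ends in http://localhost/, the curl sends http://localhost), and parses the endpoint's JSON reply into a success or an RFC 6749 error such as invalid_client. All ids, secrets and codes are constructed placeholders.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

def client_credentials_body(client_id, client_secret, scope):
    """Form body for grant_type=client_credentials (the Microsoft request at the
    top of the page). urlencode percent-encodes each value, so a scope like
    https://graph.microsoft.com/.default or a secret containing '&' is safe."""
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "client_credentials", "scope": scope})

def authorization_code_body(auth_url, code, client_id, client_secret):
    """Form body for the code exchange. redirect_uri is copied from the
    authorization URL that produced the code: RFC 6749 §4.1.3 requires the two
    values to be identical, and http://localhost/ is not http://localhost."""
    auth_params = parse_qs(urlsplit(auth_url).query, strict_parsing=True)
    if "redirect_uri" not in auth_params:
        raise ValueError("authorization URL carries no redirect_uri")
    return urlencode({"code": code, "client_id": client_id,
                      "client_secret": client_secret,
                      "redirect_uri": auth_params["redirect_uri"][0],
                      "grant_type": "authorization_code"})

def parse_token_response(body_text):
    """RFC 6749 §5.1 success or §5.2 error, e.g. {"error":"invalid_client"}."""
    data = json.loads(body_text)
    if "error" in data:
        return {"ok": False, "error": data["error"],
                "description": data.get("error_description", "")}
    if "access_token" not in data:
        raise ValueError("neither access_token nor error in token response")
    return {"ok": True, "access_token": data["access_token"],
            "token_type": data.get("token_type", ""),
            "expires_in": int(data.get("expires_in", 0))}
```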
I had the same error until I realized that I was trying to connect with a client ID which I created for iOS. So for me the solution was to create a new API key-secret pair on the API Console with the platform set to "other".
Now I'm getting other errors but that's another story. ;)
This happens when you use the wrong client secret. Make sure you are using the correct client secret from the Google API console. I was using the email address, since the API console displays the information in the following order:
Client ID
Email address
Client secret