Context
We are successfully using https://accounts.google.com/o/oauth2/auth to acquire an authentication_code with the following app permissions.
Know who you are on Google
View your email address
View your basic profile info
We are also successfully using https://accounts.google.com/o/oauth2/token to exchange that authentication code for an access_token and id_token.
Problem
With that access_token, we are using https://www.googleapis.com/plus/v1/people/me/openIdConnect to acquire profile information. This is a GET request with the following header.
Authorization: Bearer access_token
The response from Google is invariably this error:
"error": {
"errors": [
{
"domain": "global",
"reason": "authError",
"message": "Invalid Credentials",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Invalid Credentials"
}
This Google documentation makes two suggestions:
Refresh the access token using the long-lived refresh token.
If this fails, direct the user through the OAuth flow, as described in Authorizing Your App with Google Drive.
We have tried both of those approaches and receive the same error.
We were accidentally using the id_token in the Authorization header. We needed to make sure to use the access_token instead.
Related
In this topic, the author explains how to get an access token based on users login and password, skipping the authorization dialog.
I could hit the endpoint and get an access token, and refresh token:
GET https://login.microsoftonline.com/348a...6e4/oauth2/token?grant_type=password&\
client_id=6d5f...64f&client_secret=g...f2&username=user#Domain.com&\
password=P#ssW0RD&resource=https://graph.microsoft.com/&\
scope=user.read%20calendars.read%20MailboxSettings.Read%20Mail.read%20Mail.Send
//RESPONSE
{
"token_type": "Bearer",
"scope": "User.Read",
"expires_in": "3600",
"ext_expires_in": "3600",
"expires_on": "1559602338",
"not_before": "1559598438",
"resource": "https://graph.microsoft.com/",
"access_token": "eyJ0eXAiOiJKV...KJmNhyz5bvhzCWiFA",
"refresh_token": "AQABAAA...VkgAA",
"id_token": "eyJ0...xLjAifQ."
}
But when I tried to get the userĀ“s email, I get an error:
GET https://graph.microsoft.com/v1.0/me/messages?\
$select=sender,subject,ReceivedDateTime&\
$filter=ReceivedDateTime%20ge%202019-05-01&$top=20
RESPONSE
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "e35f...94",
"date": "2019-06-03T21:39:40"
}
}
}
Is this authentication method still valid to Microsoft Graph API? If not, Is there any another way to get the user authorization using only login and password, without any user interaction, just getting his login and password?
You cannot dynamically specify scope with the v1 Endpoint. That model is on only supported with the newer v2 Endpoint (see Scopes, not Resources in the documentation).
In order access the user's mailbox, you'll need to add Mail.Read to your application's registration in the Azure Portal.
Keep in mind that you'll either need an Admin to consent to your application for all users in the tenant or have each user sign-in interactively at least once so they can consent themselves.
I'd also be remiss if I didn't point out that using the Password grant is almost always a bad idea. It is fundamentally less secure than every other OAuth Grant.
I've a Node.js API which is authenticated using passport and passport-azure-ad's OIDC strategy.
After User's authentication I get User's profile, access_token, refresh_token, sub and ISS.
Then I use the same access_token to get User's details from Microsoft graph using this API - https://graph.microsoft.com/v1.0/me
When I request, it prompts me this error,
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"request-id": "04048b3a-7636-4197-88ef-1f08d3a07c9e",
"date": "2018-12-26T09:40:58"
}
}
}
When I use OAuth 2.0 and get the access_token and use that access_token to access the same API, the details are returned successfully.
Although even I tried matching the access_tokens returned by Open ID connect and OAuth 2.0, they differ despite logging in as a same user.
I don't understand why the access_token returned by the Open ID connect didn't worked.
I am getting 401 Invalid Credentials error trying to use the Youtube API in the OAuth 2.0 Playground.
Response is:
{
"error": {
"code": 401,
"message": "Invalid Credentials",
"errors": [
{
"locationType": "header",
"domain": "global",
"message": "Invalid Credentials",
"reason": "authError",
"location": "Authorization"
}
]
}
}
Steps can be reproduced here.
Select Manage Youtube account API
Authorize
Get access token
Attempt to call any Youtube API (you may need to plug your own API key in as well)
The access token is valid (non-Youtube API calls work fine) and I have tried this with a number of different accounts which have Youtube accounts and channels set up (so the reply here is not what's happening).
The API works fine in the Try it Now section here so this is quite strange.
Maybe somebody can try these steps with their account and verify if the outcome is the same or not?
You have to choose the "Use your own OAuth credentials" option in the settings of the OAuth Playground (link at the top right corner).
You also need to add the following URL to the list of Redirect URIs of you project in the Developers Console:
https://developers.google.com/oauthplayground
If you do that, you don't need to pass the API key.
I am using the PHP Google client library. I successfully get a token and refresh token from user/google to use with the API.
As soon as the user revokes the permission for my website in Googles settings on the Google page i get following error:
Error calling GET https://www.googleapis.com/calendar/v3/users/me/calendarList: (401) Invalid Credentials
That is expected behavior since the user revoked my permission.
However, how do I detect that a user revoked that access?
Currently i do the following to see if i have access:
//$token json fetched from database
$gclient->setAccessToken($token);
if ($gclient->getAccessToken())
//i should have access
Well this code unfortunately does not detect the revoked permission. How can i handle that?
Once you have detected that the user has revoked the permission you can ask the user to grant the permission again.
To detect that the grant has been revoked: Provided that you had authorization before,
Making an API call using a revoked access_token will result in a response with status code 401. Like this
{
"error": {
"errors": [
{
"domain": "global",
"reason": "authError",
"message": "Invalid Credentials",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Invalid Credentials"
}
}
Attempting to refresh a token after the revocation will result in a response with a 400 status code and an invalid_grant message. Just as specified in the RFC 6749, Section 5.2
invalid_grant The provided authorization grant (e.g., authorization
code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
another client.
Here is an example of such response:
```lang-js
{
"error" : "invalid_grant"
}
```
Google APIs should only return 401 for lack of authorization. Since you had authorization before, receiving a 401 is a reliable indication that the user has revoked access.
Are you looking for a detection mechanism that notifies you of such changes before you make the API call? Today there is not a push notification mechanism from Google that can inform your application of such events. Of course, a pull-based mechanism is not useful -- you can simply make the API call and handle the 401 more efficiently.
I have a Rails website that has Google OAUTH2 implemented and working.
We are developing an iOS app, which is going to talk to my web server using APIs. Some of the APIs need the user to be authenticated. The idea, is that the iOS app authenticates the user using OAUTH2 on the device, then POSTs the token over SSL from the device to the web as the authentication. I need the website to verify the token.
In the Google API console, I added the client ID for the iPhone device, and got an access token by going to:
https://accounts.google.com/o/oauth2/auth?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&
redirect_uri=urn:ietf:wg:oauth:2.0:oob&
response_type=code&
client_id={my client id}
Then, I pass the token to my site. On my site, I validate the token via:
google = OmniAuth::Strategies::GoogleOauth2.new(ENV['GOOGLE_API_KEY'],['GOOGLE_CLIENT_API_SECRET'])
client = OAuth2::Client.new(ENV['GOOGLE_API_KEY'],['GOOGLE_CLIENT_API_SECRET'], google.options.client_options)
access_token = OAuth2::AccessToken.new(client, params[:token], google.options.access_token_options || {})
google.access_token = access_token
google.auth_hash
When I attempt to auth_hash, the following error is returned:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "authError",
"message": "Invalid Credentials",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Invalid Credentials"
}
}
From here, I have no clue why I have specified invalid credentials.
ENV['GOOGLE_API_KEY'] points to the same API key as the website, and ENV['GOOGLE_CLIENT_API_SECRET'] points to the secret for the iOS client.
The URL I used above, I thought, gave me an access token. In reality, it returns to me an authorization code (which can then be used to get an access token).
The solution, is to exchange the authorization code, for an access token, then I can pass the token around and use it.
The difference between an authorization code and an access token is somewhat vague on the Google site, but you can read about how to exchange them here:
https://developers.google.com/accounts/docs/OAuth2WebServer