I implemented the outlook REST api on my Rails app following this official tutorial: https://dev.outlook.com/restapi/tutorial/ruby
By the way, it needs to be updated. Outlook now requires more permissions ('profile') to get the email of the user in the auth controller:
SCOPES = [ 'openid', 'profile', 'https://outlook.office.com/mail.read' ]
Anyhow, I am storing the email and token after authenticating, but that token is very short lived. I need a way to permanently store authentication for the user.
When I run things as suggested and want to get the emails the response is:
...
response_headers: !ruby/hash-with-ivars:Faraday::Utils::Headers
elements:
content-length: '0'
server: Microsoft-IIS/8.5
set-cookie: exchangecookie=afaeef5a8a6747aab24dad1ddb97a8fb; expires=Fri, 16-Jun-2017
00:07:54 GMT; path=/; HttpOnly
www-authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000#*",
token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize",
error="invalid_token",Basic Realm="",Basic Realm=""
request-id: c59488ab-62b5-4a9f-a3f5-43bda739c9ab
x-calculatedbetarget: BLUPR07MB260.namprd07.prod.outlook.com
x-backendhttpstatus: '401'
x-ms-diagnostics: '2000010;reason="ErrorCode: ''PP_E_RPS_REASON_TIMEWINDOW_EXPIRED''.
Message: ''Failed the Validate call, reason: Time window expired.%0d%0a''";error_category="invalid_msa_ticket"'
x-diaginfo: BLUPR07MB260
x-beserver: BLUPR07MB260
x-powered-by: ASP.NET
x-feserver: BN3PR16CA0057
x-msedge-ref: 'Ref A: 3E2E02429DE244F7A738A7BE6CF9E06B Ref B: CAA6321D024D5B725BA8FFE7DAC85411
Ref C: Wed Jun 15 17:07:54 2016 PST'
date: Thu, 16 Jun 2016 00:07:54 GMT
connection: close
ivars:
:#names:
content-length: content-length
server: server
set-cookie: set-cookie
www-authenticate: www-authenticate
request-id: request-id
x-calculatedbetarget: x-calculatedbetarget
x-backendhttpstatus: x-backendhttpstatus
x-ms-diagnostics: x-ms-diagnostics
x-diaginfo: x-diaginfo
x-beserver: x-beserver
x-powered-by: x-powered-by
x-feserver: x-feserver
x-msedge-ref: x-msedge-ref
date: date
connection: connection
status: 401
How do I adjust this code to store a permanent token?
OK< I found a few answers on StackOverflow for different stacks. I would normally delete my post, but for Rails developer who may need this, the answer to my questions is simply adding 'offline_access' to SCOPES = [ 'openid', 'profile', 'offline_access', 'https://outlook.office.com/mail.read' ]
Related
I need to create REST Assured api code using java for the below api configuration :
My Code is as below :
// First convert data table to the String map.
Map<String, String> map = tableData.asMap(String.class, String.class);
// We need headers params for this request. So first we are making headers params map for passing it to the request.
HashMap<String, String> header_params = new HashMap<>();
header_params.put("x-auth-token", getValueFromPropertyFile(PropertyFileKeys.X_AUTH_TOKEN));
// Add content type as form-data.
header_params.put("Content-Type", "application/json");
// Get the SIP Device number based on the customer id.
String sip_device_number = FaxerUsefullResource.getSIPDeviceNumberForCustomerAccount(admin_login_token,customer_id);
print("SIP Device number of customer account id : "+customer_id+" is : " + sip_device_number);
// Build the request specification.
RequestSpecification request_specification_builder = new RequestSpecBuilder()
// Set the Base Uri. Value of baseURL we are taking from the "config.properties" file.
.setBaseUri(getValueFromPropertyFile(PropertyFileKeys.BASE_URL))
// Set up the header params.
.addHeaders(header_params)
// Build entire request specification.
.build();
// Make the Request specification from the built request specification.
request_specification = given()
// Bind the built configuration with request.
.spec(request_specification_builder)
// Add form data parameter with values.
.formParam("id","1")
.formParam("token",admin_login_token)
.formParam("action","faxer_create")
.formParam("sip_device",sip_device_number)
.formParam("fax_number",map.get("fax_number"))
.formParam("fax_type",map.get("fax_type"))
.formParam("description",map.get("description"));
// Calling the request and store the response for further verification.
response = hit_https_request_and_return_response("FaxerAPI", API_method, request_specification);
But when run the code everytime i got the session issue. That i am logged out.
SIP Device number of customer account id : 412 is : 2540285577
Resource name : FaxerAPI
End point : /admin/faxer/
Request method: POST
Request URI: https://alpha.astppbilling.org/admin/faxer/
Proxy: <none>
Request params: <none>
Query params: <none>
Form params: id=1
token=OTlEckI5QjJBb3dCMy9vM0EwZDM2dz09
action=faxer_create
sip_device=2540285577
fax_number=0001
fax_type=1
description=APIAutomationDescription
Path params: <none>
Headers: x-auth-token=PRLgav3UWUAkh5OAL6zL6EizBuRm37Ok
Accept=*/*
Content-Type=application/json
Cookies: <none>
Multiparts: <none>
Body: <none>
HTTP/1.1 400
Server: nginx/1.18.0
Date: Wed, 09 Nov 2022 06:16:10 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: ITPLATPci_session=a%3A0%3A%7B%7D; expires=Tue, 09-Nov-2021 16:16:10 GMT; Max-Age=0; path=/
Set-Cookie: ITPLATPci_session=B2ECYFUzBGkHeABzUTUFOAM7Vj4HJVEgUmJQJQIlAm0GNFNtBAxRalEyVC4BaQAkAD4AM1Q4ADZWfF1tUWACNFdkUm0FNwEzAWxTNwM1UTIHOQI5VTcEZAc0AGZRPwU6Az9WMgc%2BUTVSY1BvAm8CYgZvU2IEYlFlUWFULgFpACQAPgAxVDoANlZ8XWZRIQJfV2NSMAU1AXUBOVNwAydRIQc7AilVPARiBzcAOlEtBTgDOlYzBylRYVI1UGUCeAIyBm9TLQRiUTpRZVQuAWkAJAA%2BADFUOgA2VnxdelEiAmVXcFILBTABYAE5U20DIFEhBzsCKVU8BGAHOgA6US0FSAN7VmUHZFE7UmJQewIeAnAGL1NzBBBRb1E%2FVGkBPAAjACsANFQkADlWcF0%2BUWICIFcqUh4FMAFxAT1TLANlUTIHLgJqVSgEYgcwAClRLQUyA3hWPgc2UWBSPVB0AjoCZQYoU3cEDFFiUTVUeAE7ACEAbQB0VHMALlZlXWZRawIxVzRSYgVmAT4Ba1M3A2FRNAcwAmFVdQRpBzoAOlEtBXwDeFZhB3VRDFJjUDcCIgJlBnlTOAQgUTlRZlQ2AXAAdQA%2FAH0%3D; expires=Wed, 09-Nov-2022 08:16:10 GMT; Max-Age=7200; path=/
Set-Cookie: ITPLATPci_session=AWdXNVYxCmdQLwR3UjYHOggwUztRc1EgUGBWIw0qUD9dbwE%2FBw8FPlEyWSNaMgouBTsAM1Y6BzECKFRkBzYHMQo5CjUENlFjVDkBZQE3DG8BP1dsVjQKalBjBGJSPAc4CDRTN1FoUTVQYVZpDWBQMF00ATAHYQUxUWFZI1oyCi4FOwAxVjgHMQIoVG8HdwdaCj4KaAQ0USVUbAEiASUMfAE9V3xWPwpsUGAEPlIuBzoIMVM2UX9RYVA3VmMNd1BgXTQBfwdhBW5RZVkjWjIKLgU7ADFWOAcxAihUcwd0B2AKLQpTBDFRMFRsAT8BIgx8AT1XfFY%2FCm5QbQQ%2BUi4HSghwU2BRMlE7UGBWfQ0RUCJddAEhBxMFO1E%2FWWRaZwopBS4ANFYmBz4CJFQ3BzQHJQp3CkYEMVEhVGgBfgFnDG8BKFc%2FVisKbFBnBC1SLgcwCHNTO1FgUWBQP1ZyDTVQN11zASUHDwU2UTVZdVpgCisFaAB0VnEHKQIxVG8HPQc0CmkKOgRnUW5UPgFlAWMMaQE2VzRWeA%3D%3D; expires=Wed, 09-Nov-2022 08:16:10 GMT; Max-Age=7200; path=/
Expires: Tue, 01 Jan 2000 00:00:00 GMT
Last-Modified: Wed, 09 Nov 2022 06:16:10 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
{
"status": false,
"error": "You are already logged out. Please login again",
"response_code": 400
}
How can i resolved this ?
Try changing the content-type header to 'application/x-www-form-urlencoded' instead of 'application/json'
You can also check this article for more details: https://www.baeldung.com/postman-form-data-raw-x-www-form-urlencoded
I'm trying to follow the documentation "https://developers.google.com/accounts/docs/OAuth_ref" to migrate oAuth to oAuth2 but keep getting an error
In the "APIs & auth" - "Credentials" Section in our API developers console we have 1 Client ID for web application set up along with a number of service account client Ids.
The client Ids appear to be in a format xxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com for each client ID that is set up.
If I use the exact Id for the 'client ID for web application' in the format [xxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com] then I get an error
{
"error" : "invalid_client"
}
If I use the more generic client ID [ xxxxxxxxxxxx.apps.googleusercontent.com
] then I get the following error
{
"error" : "disabled_client",
"error_description" : "The OAuth client was disabled."
}
Here is my post request from Fiddler
POST https://accounts.google.com/o/oauth2/token HTTP/1.1
Authorization: OAuth realm="",oauth_consumer_key="<consumerKey>",oauth_token="<token>",oauth_timestamp="1400680750",oauth_nonce="6637551",oauth_signature_method="HMAC-SHA1",oauth_signature="I%2FCOsR1BrGQHnqTeyhX4GUrKrv8%3D"
Content-Type: application/x-www-form-urlencoded
Host: accounts.google.com
Content-Length: 151
Expect: 100-continue
Connection: Keep-Alive
grant_type=urn:ietf:params:oauth:grant-type:migration:oauth1&client_id=<clientID>.apps.googleusercontent.com&client_secret={<client_secret>}
Here is the base string I use for oauth_signature
POST&https://accounts.google.com/o/oauth2/token&client_id=<clientID>.apps.googleusercontent.com&client_secret=<clientSecret>&grant_type=urn:ietf:params:oauth:grant-type:migration:oauth1&oauth_consumer_key=<consumerKey>&oauth_nonce=2648138&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1400681371&oauth_token=<token>
Here is the response I get from Google
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Wed, 21 May 2014 13:59:16 GMT
Content-Disposition: attachment; filename="json.txt"; filename*=UTF-8''json.txt
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 443:quic
Transfer-Encoding: chunked
5b
{
"error" : "disabled_client",
"error_description" : "The OAuth client was disabled."
}
0
Any suggestions?
Here a related post: https://groups.google.com/forum/#!topic/google-analytics-data-export-api/yveoPwSVzCQ
As for Owen's suggestion, I am pretty sure the error is not related to oauth1 vs oauth2 client type validation but rather to the provided oauth2 credentials (client id and client secret).
It turns out that the POST body that I was sending to google was incorrect.
Originally I had sent
grant_type=urn:ietf:params:oauth:grant-type:migration:oauth1&client_id=<clientID>.apps.googleusercontent.com&client_secret={<client_secret>}
Note the { } around the client_secret. When I removed these then I no longer got the errors.
Now I can pass in the client_id in the format xxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com and the client_secret without { } and I get a sucessful response.
The reason for the other error that I had been receiving was that the client id in the format xxxxxxxxxxxx.apps.googleusercontent.com was an old client_id that had been deleted and was no longer visible on the Google Developer console.
When using httpClient to connect to twitter I Always get this response
responseString{StatusCode: 401, ReasonPhrase: 'Unauthorized', Version:
1.1, Content:System.Net.Http.StreamContent, Headers: { strict-transport-security: max-age=631138519 Date: Fri, 31 Jan 2014
00:35:10 UTC Set-Cookie: guest_id=v1%3A139112851013762159;
Domain=.twitter.com; Path=/; Expires=Sun, 31-Jan-2016 00:35:10 UTC
Server: tfe Content-Length: 63 Content-Type: application/json;
charset=utf-8 } }
System.Net.Http.HttpResponseMessage
I googled
strict-transport-security: max-age
found people suggested to change the access setting of the twitter app to Read, Write and Access direct messages, i Did so but nothing changed , so if any one faced the same problem or any body has suggestions , it would be appreciated
There are multiple reasons this might happen. I have this question on the LINQ to Twitter FAQ with several suggestions on how to debug:
https://linqtotwitter.codeplex.com/wikipage?title=LINQ%20to%20Twitter%20FAQ
I don't know what I do wrong, but everytime I tried to obtain the token (after user authentication of course), the result is always Invalid grant_type parameter or parameter missing
Possibly related to Box API always returns invalid grant_type parameter on obtaining access token
Here is my fiddler result:
POST https://api.box.com/oauth2/token HTTP/1.1
Host: api.box.com
Content-Length: 157
Expect: 100-continue
Connection: Keep-Alive
grant_type=authorization_code&code=nnqtYcoik7cjtHQYyn3Af8uk4LG3rYYh&client_id=[myclientId]&client_secret=[mysecret]
Result:
HTTP/1.1 400 Bad Request
Server: nginx
Date: Thu, 07 Mar 2013 11:18:36 GMT
Content-Type: application/json
Connection: keep-alive
Set-Cookie: box_visitor_id=5138778bf12a01.27393131; expires=Fri, 07-Mar-2014 11:18:35 GMT; path=/; domain=.box.com
Set-Cookie: country_code=US; expires=Mon, 06-May-2013 11:18:36 GMT; path=/
Cache-Control: no-store
Content-Length: 99
{"error":"invalid_request","error_description":"Invalid grant_type parameter or parameter missing"}
Even following the curl example gives the same error. Any help would be appreciated.
Edit: tried with additional redirect_uri params but still the same error
POST https://api.box.com/oauth2/token HTTP/1.1
Content-Type: application/json; charset=UTF-8
Host: api.box.com
Content-Length: 187
Expect: 100-continue
Connection: Keep-Alive
grant_type=authorization_code&code=R3JxS7UPm8Gjc0y7YLj9qxifdzBYzLOZ&client_id=*****&client_secret=*****&redirect_uri=http://localhost
Result:
HTTP/1.1 400 Bad Request
Server: nginx
Date: Sat, 09 Mar 2013 00:46:38 GMT
Content-Type: application/json
Connection: keep-alive
Set-Cookie: box_visitor_id=513a866ec5cfe0.48604831; expires=Sun, 09-Mar-2014 00:46:38 GMT; path=/; domain=.box.com
Set-Cookie: country_code=US; expires=Wed, 08-May-2013 00:46:38 GMT; path=/
Cache-Control: no-store
Content-Length: 99
{"error":"invalid_request","error_description":"Invalid grant_type parameter or parameter missing"}
Looks like Box requires a correct Content-Type: application/x-www-form-urlencoded request header in addition to properly URL encoding the parameters. The same seems to apply to refresh and revoke requests.
Also, per RFC 6749, the redirect_uri is only
REQUIRED, if the "redirect_uri" parameter was included in the authorization request
as described in Section 4.1.1, and their values MUST be identical.
I was facing a similar issue.
The problem is not with Content-Type.
The issue is with the lifecycle of code you receive.
One key aspect not mentioned in most places is that the code you get on redirect lasts only 30 seconds.
To get the access token and refresh token, you have to make the post request in 30 seconds or less.
If you fail to do that, you get the stated error. I found the info here.
Below code worked for me. Keep in mind, the 30-second rule.
import requests
url = 'https://api.box.com/oauth2/token'
data = [
('grant_type', 'authorization_code'),
('client_id', 'YOUR_CLIENT_ID'),
('client_secret', 'YOUR_CLIENT_SECRET'),
('code', 'XXXXXX'),
]
response = requests.post(url, data=data)
print(response.content)
Hope that helps.
You are missing the redirect URI parameter. Try:
POST https://api.box.com/oauth2/token HTTP/1.1
Host: api.box.com
Content-Length: 157
Expect: 100-continue
Connection: Keep-Alive
grant_type=authorization_code&code=nnqtYcoik7cjtHQYyn3Af8uk4LG3rYYh&client_id=[myclientId]&client_secret=[mysecret]&redirect_uri=[your-redirect-uri]
I have also face same issue implementing oauth2. I have add Content-Type: application/x-www-form-urlencoded. When I add content-type my issue solved.
Check and add valid content-type.
Not sure who might need this in the future but be sure you're sending a POST request to get the access token and not trying to retrieve it by using GET or if you're testing- pasting in the address bar won't work, you need to send a POST request with the data in the BODY and not as query parameter.
Also the code usually lasts for a few seconds, so you need to use it as soon as its sent back.
I am using JBoss 7.1 and have secured my web application with Basic authentication but I want only the first call to require the Basic authentication header, sequent calls should use the jsessionid for authentication. How to accomplish this?
So far I have created a rest servlet enforcing the creation of a session with a call to request.getSession()
#Path("/rest/HelloWorld")
public class HelloWorld {
#GET()
#Produces("text/plain")
public String sayHello(#Context HttpServletResponse response,
#Context HttpServletRequest request) {
HttpSession session = request.getSession();
return "Hello World! " + request.getUserPrincipal().getName();
}
My idea was that any other calls should only require the jsessionid cookie, but when looking in fiddler I see that the first call is behaving as expected. First you get a 401 and the client is re-sending including the basic authorization header and a jsessionid is returned. On the second call the jsessionid cookie is included but I still get an 401 that triggers the client to re-send the Basic authorization header.
This is the returned headers from the successful authenticated first call.
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Set-Cookie: JSESSIONID=AFDFl2etiUNkn-mpM+DXr3KE; Path=/Test
Content-Type: text/plain
Content-Length: 18
Date: Tue, 29 Jan 2013 09:12:48 GMT
Hello World! test1
when I make a second call the jsessionid is included
GET /Test/index.html HTTP/1.1
Host: cwl-rickard:8080
Cookie: JSESSIONID=AFDFl2etiUNkn-mpM+DXr3KE
and I am getting a 401 enforcing the client to re-send the request including the basic authorization header.
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
WWW-Authenticate: Basic realm="ApplicationRealm"
Content-Type: text/html;charset=utf-8
Content-Length: 958
Date: Tue, 29 Jan 2013 09:12:48 GMT
Any ideas what I am missing.