I can't seem to get a refresh_token whenever I'm authorized, I've tried setting headers, kind of like how it would be done with google oauth, but not luck. Here's my process:
Using oauth2 gem
Instantiate client
client = OAuth2::Client.new(
salesforce_app_key,
salesforce_secret_key,
site: 'https://login.salesforce.com/services/oauth2/',
authorize_url: 'https://login.salesforce.com/services/oauth2/authorize',
token_url: 'https://login.salesforce.com/services/oauth2/token',
raise_errors: false
)
Authorize connection
auth = client.auth_code.authorize_url(
redirect_uri: 'https://my_app_callback.com/oauth/authorize'
)
Fetch token
token = client.auth_code.get_token(
code,
redirect_uri: 'https://my_app_callback.com/oauth/authorize'
)
From this point, I have the connection set, but when I do token.refresh_token I get a nil value.
By using:
access_token = OAuth2::AccessToken.new(oauth, token)
The session was reestablished successfully. It's in the docs, but not written in a way I could uderstand it's used to reauthenticate.
Related
I am trying to develop a simple tool that uses Authlib OAuth2 server to get refresh tokens but example server here does not issue a refresh token. When I print the token I get the following:
{'access_token': '....', 'scope': 'profile', 'token_type': 'Bearer', 'expires_in': 864000, 'expires_at': 1532191887}
The flow is Authorization code as referred here; first I handle the consent part:
client_id = '...'
client_secret = '.....'
scope = '...'
session = OAuth2Session(client_id, client_secret, scope=scope)
authorize_url = '.../oauth/authorize'
uri, state = session.authorization_url(authorize_url)
Then I try to get the token:
urlset = '.../?code=...&state=...'
access_token_url = '.../oauth/token'
token = session.fetch_access_token(access_token_url,authorization_response=urlset)
Add a config of OAUTH2_REFRESH_TOKEN_GENERATOR=True, added in commit:
https://github.com/authlib/example-oauth2-server/commit/4f2f48cc3e74b631d9c4c3bdf8558da3de7365a2
See documentation: https://docs.authlib.org/en/latest/flask/2/
I'm struggling to retrieve access token using django.
I want to get access token from users using oAuth.
This is what I have setup so far.
class GoogleExhangeViewSet(viewsets.ViewSet):
queryset = User.objects.all()
#list_route(
methods=["GET"])
def auth(self,request,pk=None):
client_id = ''
client_secret = ''
flow = OAuth2WebServerFlow(client_id=client_id,
client_secret=client_secret,
scope='https://www.googleapis.com/auth/calendar',
redirect_uri='http://localhost:8001/api/googleAuth/complete')
auth_uri = flow.step1_get_authorize_url()
return HttpResponseRedirect(auth_uri)
def complete(self, request, pk=None):
client_id = ''
client_secret = ''
host = Site.objects.get_current().name
flow = OAuth2WebServerFlow(client_id=client_id,
client_secret=client_secret,
scope='https://www.googleapis.com/auth/calendar',
redirect_uri='http://localhost')
credentials = flow.step2_exchange(request.GET.get('code'))
return Response(status=200,data=credentials.access_token)
under urls.py I have
api_router.register(r'api/googleAuth', GoogleExhangeViewSet)
This is the error I get with the following code
As seen in your error, you are encountering a redirect_uri_mismatchBad Request if you are using a wrong redirect uri. From this link, the redirect_uri_mismatch will be thrown if it was not matched between auth and token requests.
Additional references:
Google oAuth2 redirect_uri_mismatch in token access
Google OAuth 2.0 redirect_uri_mismatch error
Here's a tutorial if you want to use an Access Token to authenticate users against Django’s authentication system.
You need a fully-functional OAuth2 provider which is able to release access tokens: just follow the steps in the part 1 of the tutorial. To enable OAuth2 token authentication you need a middleware that checks for tokens inside requests and a custom authentication backend which takes care of token verification.
Here is my work flow for getting access token and refresh token for youtube api. Im generating authorization url with parameters
access_type=offline, response_type=code, redirect_uri=uri, scope=scopes, state=state, client_id=id
from authorization url I´m receiving authentication code, then I´m generating another url to get access_token and refresh_token using code from authorization url with these parameters
code: code, client_id: CLIENT_ID, client_secret: CLIENT_SECRET, redirect_uri: serviceCallback, state: state.callback, grant_type: "authorization_code"
As far as I know user should complete this process only once and then it should be automatic. My problem is that I´m always have to complete authorization and I´m getting always new access_token and refresh_token without forcing it on request.
here is code part where I´m getting authentication url
getAuthUrl: function(scopes, applicationCallback, serviceCallback, siteId,
selectChannel, websiteUrl) {
var requestedClientId = CLIENT_ID;
var scopess =
"https://www.googleapis.com/auth/yt-analytics.readonly https://www.googleapis.com/auth/youtube.readonly https://www.googleapis.com/auth/userinfo.email " +
scopes.replace(",", " ");
return "https://accounts.google.com/o/oauth2/auth?" +
"access_type=offline" +
"&response_type=code" +
/*"&approval_prompt=auto" +*/
"&redirect_uri=" + serviceCallback +
"&scope=" + scopes +
"&state=" + JSON.stringify({
service: NAME,
callback: applicationCallback,
scopes: scopes,
siteId: siteId,
selectChannel: selectChannel,
websiteUrl: websiteUrl
}) +
"&client_id=" + requestedClientId;
},
From there Im getting back code and using that code, clientID and clientSecret to get access token and refresh token
getAuthTokens: function(code, state, res, serviceCallback) {
// Google oAuth endpoint
var endpoint = "https://www.googleapis.com/oauth2/v4/token";
const scopes = state.scopes.split(" ");
// Setup request data
var data = {
code: code,
client_id: CLIENT_ID,
client_secret: CLIENT_SECRET,
redirect_uri: serviceCallback,
state: state.callback,
grant_type: "authorization_code"
};
request.post(endpoint).send(data).type('form').set('Accept',
'application/json').end(function(err, oAuthResponse) {});
},
I was using wrong endpoint url I changed it to different one to one provided by youtube api documentation and removed state parameter from data variable but still doesnt fix the problem
new endpoint url
var endpoint = "https://accounts.google.com/o/oauth2/token";
I´m really confused right now because I´m not forcing authorization and on google apps section there is my app already authorized and it does not update authorization that means it gives permission only first time and after that when I´m pressing allow it doesn´t do anything. OAuth should check if I have refresh token or not, so my conclusion is that I don´t fully understand how it should work or I´m somehow testing everything on debug or test mode where authorization prompt is automatically forced.
I would be really thankful for any kind of help because I feel like I tried everything.
The issue is that the access token that you are using has expired before the next time you use as you have not updated the access token manually using the refresh token.
You need to use the refresh token to update the access token if [ (time you last updated the access token) + (the expiry time) ] has already surpassed.
The concept of refresh tokens is that if an access token is compromised, as it is short-lived, the attacker has a limited time period in which it can be used. Refresh tokens, if compromised, are useless because the attacker requires the client id and client secret in addition to the refresh token in order to gain an access token.
The YouTube API documentation demonstrates the procedure here
By default, the expiry time is around 3 seconds.
This will surely, work in your case.
Adding the following parameter to your authentication object may help...depending on your requirements:
prompt: 'none'
This would mean no consent is gained or needed, after an initial authorization to use the app.
Go to the my accounts settings of google for this account---> go to connected apps and sites ----> manage apps:
Over there can you see the permissions for youtube like this:
I am currently working on connecting the withings api via web and have been able to automate getting token secret and getting the userId from the callback function inside auth, however when trying to implement step 3 (generating token) I always get signing error. Here is the base logic please help if possible.
nonce = getNonce(32);
date = Math.round((new Date()).getTime() / 1000.0);
var requestSig = oauthSign.hmacsign(
'GET',
'https://oauth.withings.com/account/access_token',
{oauth_consumer_key: <myconsumerkey>,
oauth_nonce: nonce,
oauth_signature_method: 'HMAC-SHA1',
oauth_timestamp: date.toString(),
oauth_token: oauth_token,
oauth_version: '1.0'
}, newSecret);
var hey = encodeURIComponent(requestSig);
var permanentTokensLink = "https://oauth.withings.com/account/access_token?oauth_consumer_key=<myconsumerkey>&oauth_nonce="+nonce+"&oauth_signature="+hey+"&oauth_signature_method=HMAC-SHA1&oauth_timestamp="+date+"&oauth_token="+oauth_token+"&oauth_version=1.0";
return {link:permanentTokensLink, newSecret: newSecret, tokensecret: oauth_token_secret, dataObj: dataObj, token: oauth_token};
newSecrect is a consumersercret&tokensecret, and permanentTokensLink is where I should be able to click to to get the access key and secret. Why is this not working?
I was missing an oauth verifier in the signing params and inside the link I was creating, and the secret should have been broken up into two parts (consumer-secret, token-secret) to be used correctly by the npm package hmacsign.
I'm trying to make authenticated calls to the Bitbucket REST API, with Oauth authentication. I've successfully retrieved an oauth_token and an oauth_token_secret (although they are the same as the request_token and request_token_secret, which seems strange but not outside of the spec). When I make an API call to another endpoint, I get a 401 (not authenticated). I've tried using header authentication and/or passing the oauth_token and oauth_token_secret as HTTP params with the sane result.
Here's the code:
account_name_url = 'https://api.bitbucket.org/1.0/user'
feedback_oauth_hook = OAuthHook(
access_token='REDACTED',
access_token_secret='ALSO_REDACTED',
consumer_key=CLIENT_ID,
consumer_secret=CLIENT_SECRET,
header_auth=True
)
params = {
'access_token': auth_tokens['access_token'],
'access_token_secret': auth_tokens['access_secret']
}
response = requests.get(account_name_url, data=params, hooks={'pre_request': feedback_oauth_hook})
import oauth2 #pip install oauth2
accessToken = oauth2.Token(OAUTH_TOKEN, OAUTH_TOKEN_SECRET)
consumer_key = YOUR_COMSUMER_KEY
consumer_secret = YOUR_CONSUMER_SECRET
consumer = oauth2.Consumer(consumer_key, consumer_secret)
client = oauth2.Client(consumer, accessToken)
api_url = "https://api.bitbucket.org/1.0/user"
resp, content = client.request(api_url, "GET")
print resp, content
The above python code works for me.
I print the request info, notice that it contains oauth_version=1.0 which is required.
I tried removing it, then 401 was returned. I think BitBucket should document this.