I am trying to work with the Box API and need an access token. I followed the tutorial video here: https://www.youtube.com/watch?v=ha26tN8amI0 to get an authorization code and then exchange it for an access and refresh token. Here is the post request I made into Post Man:
https://api.box.com/oauth2/token?grant_type=authorization_code&client_id=<my_client_id>&client_secret=<my_client_secret>&code=<code_given_on_redirect>&redirect_uri=http://0.0.0.0
The response I get is:
{
"error": "invalid_client",
"error_description": "The client credentials are invalid"
}
Unless I am completely losing my mind, I am positive I am entering the correct client_id and client_secret from my application page. (I tried several times.)
I sent this post request in less than 30 seconds after it was generated.
Any idea what I might be missing? Thanks.
Related
has anyone succeeded in connecting to Linkedin API here?
I followed the instructions on the docs but failed to retrieve the Authorization Code.
Here's the result of my POST request to get the access_token
{
"error": "invalid_redirect_uri",
"error_description": "Unable to retrieve access token: appid/redirect uri/code verifier does not match authorization code. Or authorization code expired. Or external member binding exists"
}
I'm using the https//airbyte.io as a redirect_uri
My GET get request to obtain the authorization token is the following:
https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=78oy2gu644mxz2&redirect_uri=https%3A%2F%2Fairbyte.io&scope=r_ads,r_ads_reporting,r_organization_social
I followed a couple advices in the different thread in SO
double checked my client_id and client_secret
encoded the URI in GET request
added scope parameters to the redirect_url at the POST request
Tested the request with the code within 20 seconds window.
Couple of things:
Ensure your redirect URI is also defined within your app's configuration as an allowed redirect URI. See https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin%2Fmarketing%2Fcontext&view=li-lms-2022-11&tabs=HTTPS1#step-1-configure-your-application. The documentation specifies a certain URL to use when testing with Postman.
In your authorization call, your scopes are comma-delimited. They should be space-delimited and URL-encoded. See https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin%2Fmarketing%2Fcontext&view=li-lms-2022-11&tabs=HTTPS1#step-2-request-an-authorization-code.
I'm currently trying to get a small app to authenticate my own user.
First I navigate to
https://auth.ebay.com/oauth2/authorize?
client_id=...&
response_type=code&
redirect_uri=...&
scope=...
Which asks me to log in then gives me an authorization code via the url.
I url decode this and use postman to request the access token by hitting:
https://api.ebay.com/identity/v1/oauth2/token
with Headers:
Authorization: Basic ...
Content-Type: application/x-www-form-urlencoded
These both appear to be correct, since if I change either of them I get an error saying that they're wrong.
And in the body:
grant_type: authorization_code
redirect_uri: ...
code: ...
Once again these all error individually if I change them to something else.
The error that I get is:
{
"error": "invalid_grant",
"error_description": "the provided authorization grant code is invalid or was issued to another client"
}
Which is very strange to me. This is using the same redirect_uri and client_id as the previous request.
I've tried generating a new redirect url, I've tried rotating the client secret, I've tried not url decoding the auth code, but whatever I try I get the same error.
Interestingly, if I request a grant_type of client_credentials that works perfectly, but is of little use to me.
I'm very confused and the ebay forums are no help whatsoever, any help will be greatly appreciated.
I've actually managed to fix this myself.
I was url decoding the code using js's decodeURI, which was not actually decoding anything. Switched over to decodeURIComponent and now it seems to work ok
We have a Grails 3.2.7 application and use the org.grails.plugins:spring-security-oauth2-provider:3.0.0-RC2 plugin in our application and everything works so far.
But recently we're starting to introduce user activation after registration. This means that the "enabled" field is false before the user activates his account.
So for an user that hasn't been activated yet, when I make a POST request to authenticate him using /oauth/token, I get an HTTP Status 400 with a response body of:
{
"error": "invalid_grant",
"error_description": "User is disabled"
}
The problem is, even for a user for whom I typed in the wrong password, he gets an HTTP Status 400 with a response body of:
{
"error": "invalid_grant",
"error_description": "Bad credentials"
}
As you can see, both have HTTP Status 400 (Bad Request) and an "error" of "invalid_grant". So really the only way for me to differentiate between these two cases is through the "error_description". But I don't want to do that because according to RFC 6749 (The OAuth 2.0 Authorization Framework), that is an
OPTIONAL, Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred.
which is not meant to be reliable for discerning the type of error we have (inactive user vs. bad credentials). Is there a better way to solve my problem?
Or if I may be so bold to ask, how would one override the default behavior of /oauth/token? I can't seem to find any documentation on how to do that.
I have a hobby project in mind to use battle.net login. I'm wondering how I can obtain the access token from the API after receiving the authorization code.
This is Oauth flow question rather than a battle.net question.
Currently I can successfully authorize the user for my app which is registered in dev.battle.net and then I try to use the authorization code returned from the battle.net login to obtain the access token by sending a request to https://<region>.battle.net/oauth/token.
However I keep receiving this error:
{
"error": "unauthorized",
"error_description": "An Authentication object was not found in the SecurityContext"
}
I use postman extension to send post requests to that uri. I authenticate my request with my client id and secret. I pass redirect_uri (https://localhost), granty_type (authorization_code), code(the code returned from the previous authorization step). However I keep getting the error above.
I couldn't find much about battle.net online. There are other oauth related help articles but couldn't really find my way.
Wondering if you can help me with this easy stuff. I'm just wondering what I'm skipping here.
Here is the documentation:
https://dev.battle.net/docs/read/oauth
https://localhost is added in my mashery dev account's app settings.
Me again, I resolved this problem after trying almost every combination in the universe:)
Steps to apply:
Don't use the same authorization token for different access token trials, they are not valid
Always use https on every domain you test including localhost, you
redirect_uri must be https as well.
You must use the "basic authentication" in the header of your POST request while requesting the token from the authorization code you obtained from the previous step.
This is one of the most important ones: For requesting token, Pass redirect_uri, client key and secret as POST form parameters to the authenticated request. This is interesting because it's already an authenticated request; why would i need to pass my secret again? Anyways, that's how it works.
Here are the full text:
http://hakanu.net/oauth/2017/01/26/complete-guide-of-battle-net-oauth-api-and-login-button/
This is working prototype:
https://owmatch.me
Thanks.
I am getting the following error when I use the linkedin V1 API:
response body: {
"errorCode": 0,
"message": "[unauthorized]. The token used in the OAuth request has been revoked. 75--5cfb9cdb-3c9c-47c2-b3f8-XXXXXXXX",
"requestId": "I2GQ0ZMWIE",
"status": 401,
"timestamp": 1408976297742
}
I am using this guide here, I am doing exactly what this person is doing but I get a different result:
https://github.com/PrincessPolymath/LinkedIn-OAuth-Sample-Client
I have no idea why I get The token used in the OAuth request has been revoked. for an error. The HTTP request is identical. Could it be something with my bundle ID?
I cannot find anything from linkedin on the matter. Why don't linkedin have normal error-code lookups like other API's.
Here are some photos of the two request objects, one from the example and one from mine.
I'm taking a guess here based on my understanding of the problem you're describing, have not tested this. I'm also assuming you got your credentials right...
You should checkout this answer by Kamyar Mohager (#39), he explains how to bypass this error:
When obtaining access token, error occurs if:
POST https://www.linkedin.com/uas/oauth2/accessToken
Body:
{
grant_type=authorization_code,
code={auth-code},
redirect_uri={uri},
client_id={id},
client_secret={secret}
}
The error WON'T occur if you obtain the access token by passing the params as query params:
POST https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code={auth-code}&redirect_uri={uri}&client_id={id}&client_secret={secret}
Error clearly states that the user is authorized to make a call using the token which you are using.
"message": "[unauthorized]. The token used in the OAuth request has been revoked. 75--5cfb9cdb-3c9c-47c2-b3f8-XXXXXXXX",
In the two photos which you pasted above I can see that your request object has different values "tokenKey and tokenSecret" parameters than the example request object, which is correct as your request should have the token information which received from LinkedIn.
But the thing which I don't understand is why both the request objects have same values for "consumeKey & consumerSecret" parameters. I think you need to use your "consumerKey & consumerSecret" with your "tokenkey & tokensecret" to make this OAuth call. "consumer" and "token" detail combination should match then only you will be allowed to make the successful oauth call.
I guess you saw this error because you used your token with some other consumer key.
One more thing I can see that you are passing the "verifier" in your request object hence I want to know are you making a call to get the "access token" which is a 3rd leg of oauth. If yes then there could be scenario that "requestToken" is getting expired before you are making this "access_token" call as "requestToken" is actually a "temporary token" and expires quickly.
HTH...
The issue was code re-use.
As stated in the comments for the API, the API will give you a token and secret upon the first request. This only happens during authentication and then the token and secret can basically be thrown away, and the one issues at developer.linkedin can be used.
I fixed this by constructing my own request object rather than relying on the old HTTPRequestBody in the oAuth process.