I'm trying to implement a client that imports the events that a user has in Office 365 so that I can easily display them in the company's application.
I managed to get the user to authenticate with his / her Office 365 account and to approve my application and to also get an AccessToken, but when I try to use the token to retrieve the events from the API, I get a 401 HTTP error code, no body and in the headers I have this:
Content-Length →0
Date →Thu, 17 Mar 2016 08:56:00 GMT
Server →Microsoft-IIS/8.0
WWW-Authenticate →Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000#*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm="",Basic Realm=""
X-BEServer →DB4PR06MB522
X-BackEndHttpStatus →401
X-CalculatedBETarget →DB4PR06MB522.eurprd06.prod.outlook.com
X-DiagInfo →DB4PR06MB522
X-FEServer →AM3PR06CA022
X-Powered-By →ASP.NET
request-id →de1963bc-36df-4473-81f6-66ec37e8b415
x-ms-diagnostics →2000001;reason="OAuth token submitted with the request can not be parsed.";error_category="invalid_token"
The token I get from https://login.microsoftonline.com/common/oauth2/token with the following body:
grant_type=authorization_code
redirect_uri=https://example.com/redirect-uri
client_id=XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX
client_secret=[my-client-secret]
code=[code-received-from-user-auth]
The token I receive from the above call, I send through the Authorization header to https://outlook.office.com/api/v2.0/me/events like so:
Authorization: Bearer [access-token]
The response status I get from this call is 401 Unauthorized, I get an empty body and the headers are like so:
Content-Length →0
Date →Thu, 17 Mar 2016 08:56:00 GMT
Server →Microsoft-IIS/8.0
WWW-Authenticate →Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000#*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm="",Basic Realm=""
X-BEServer →DB4PR06MB522
X-BackEndHttpStatus →401
X-CalculatedBETarget →DB4PR06MB522.eurprd06.prod.outlook.com
X-DiagInfo →DB4PR06MB522
X-FEServer →AM3PR06CA022
X-Powered-By →ASP.NET
request-id →de1963bc-36df-4473-81f6-66ec37e8b415
x-ms-diagnostics →2000001;reason="OAuth token submitted with the request can not be parsed.";error_category="invalid_token"
Can you please tell me what I'm doing wrong?
I managed to fix the problem I had.
For future reference, the problem was that I wasn't telling the https://login.microsoftonline.com/common/oauth2/token endpoint what I needed the token for.
I had to provide a resource parameter with the base url of the resource I was going to interogate after.
In my case, it was https://outlook.office365.com.
Related
As per PKCE spec, OAuth provider uses code_verifier to avoid the man in the middle attack. My understanding that, it is the best alternative for JavaScript based single page application (SPA) to exchange OAuth code for token.
When I experiment this with Google API, it says "client_secret is missing".
Here is the HTTP Request and Response.
ID: 1
Address: https://oauth2.googleapis.com/token
Http-Method: POST
Content-Type: application/x-www-form-urlencoded
Headers: {Content-Type=[application/x-www-form-urlencoded], Accept=[/]}
Payload: grant_type=authorization_code&code=4%2F1AH3Ubnm550IoT8AZ_e_eqLYDn3-JyXVo22LOcAlsWPnxTV_o0tV2N1YMNFtqhvFm65n4tuZmHfK5tkKLOsbnRw&scope=openid+profile+email&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fdemo&client_id=myclientid.apps.googleusercontent.com&code_verifier=iv8n89-Dh3QD1uroYm6e6jcpZwxff60m-RYYlmLYArun6KF8o0z%7Ee3EjyVyYUp.4XxSbyI47QQSCMrY542sLWSUnxAG8e0a%7ETjmF_UFioJMA_ctB2jz6qbcYtu9uUOKp
ID: 1
Response-Code: 400
Encoding: UTF-8
Content-Type: application/json; charset=utf-8
Headers: {Accept-Ranges=[none], Alt-Svc=[h3-28=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"], Cache-Control=[private], content-type=[application/json; charset=utf-8], Date=[Mon, 22 Jun 2020 04:41:53 GMT], Server=[scaffolding on HTTPServer2], transfer-encoding=[chunked], Vary=[Origin,Accept-Encoding, Referer, X-Origin], X-Content-Type-Options=[nosniff], X-Frame-Options=[SAMEORIGIN], X-XSS-Protection=[0]}
Payload: {
"error": "invalid_request",
"error_description": "client_secret is missing."
}
Is my understanding that "we don't need client_secret when passing code_verifier" wrong or Google is not supporting PKCE or Do I miss some other parameter in the request? Please help.
I took a look and experienced the same problem when trying to use the latest Single Page App Standards. Looking at Google docs their implementation seems to still be based on the implicit flow.
I verified that you can send response_type='token id_token' and successfully get tokens, though I'd also prefer to use Authorization Code Flow (PKCE).
I tried without client_secret using keycloak on flutter app but it failed. code_verifier did not work; Hence I moved to use client_secret in my payload.
I have my backend(Ruby On Rails) running at port number 3000 with login endpoint(http://localhost:3000/login).I also have angular server running on port 4200.So with angular I am hitting login endpoint and upon successful login, response is sent back with Set-cookie option(authentication token is set).But it is not set in the browser.Below is the response header i am receiving:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:*
Access-Control-Allow-Methods:POST, GET, OPTIONS
Access-Control-Allow-Origin:http://localhost:4200
Access-Control-Max-Age:1728000
Cache-Control:max-age=0, private, must-revalidate
Content-Type:application/json; charset=utf-8
ETag:W/"9dae161444bc908fd3289f4ed0fb15ed"
Set-Cookie:auth_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoyLCJleHAiOjE1MDU4NDM0Nzh9.0E22wlacZWvmazpdJPLC4oRq3QM-8DX-npQu3w-U8Vs; path=/
Transfer-Encoding:chunked
Vary:Origin
X-Request-Id:267cfe1f-e60c-40b5-9a7b-4801d358cfd4
X-Runtime:0.273751
Request Headers
view source
While if I hit that API with Postman then the cookie is saved without problem.
I have been trying to using oauth2 authentication with an api key.
i'm tracing out every step of the way. Its successfully getting a token, but then giving a 401 error when I try to access https://api.soundcloud/me.
oauth2.RoundTrip: credentials found
map[
access_token:1-156891-51311-fec80e6e640f49007
scope:non-expiring expires_in:0
]
oauth2.Get response:
401 Unauthorized 401 HTTP/1.1 1 1
map[
Access-Control-Allow-Headers:[Accept, Authorization, Content-Type, Origin]
Access-Control-Allow-Methods:[GET, PUT, POST, DELETE] Date:[Tue, 27 Oct 2015 02:12:17 GMT] Server:[am/2]
Access-Control-Allow-Origin:[*]
Access-Control-Expose-Headers:[Date]
Cache-Control:[private, max-age=0, must-revalidate private, max-age=0]
Content-Length:[0]] 0x18d47bc0 0 [] false map[] 0x18d880e0 0x18cbd440
]
Does anyone have any insight as to why this might happen? The same problem is not happening with other providers such as github. I am using github.com/stretchr/gomniauth for authentication.
I'm at a loss for what's wrong. I'm always getting com.google.gdata.client.GoogleService$SessionExpiredException: Token invalid Token invalid when making API requests.
I have the following flow:
link user account
use credentials to get video upload entries
The code I use to link the user (get permission for my application) uses the JdoDataStoreFactory to persist user tokens and refresh info between API calls.
I used the following scopes when I ask the user to authorize my apps:
https://www.googleapis.com/auth/youtube.upload
https://www.googleapis.com/auth/youtube.readonly
Using GoogleAuthorizationCodeFlow I do a loadCredentials passing in the userId from my application that I used when requesting their auth token. I then feed those credentials to YouTubeService's getFeed method, requesting the url for video feeds: http://gdata.youtube.com/feeds/api/users/default/uploads
It looks like this:
service.setOAuth2Credentials(credentials)
videoFeed = service.getFeed(new URL(USER_FEED_PREFIX + DEFAULT_USER
+ UPLOADS_FEED_SUFFIX), VideoFeed.class)
After this executes, I always get the stacktrace:
com.google.gdata.client.GoogleService$SessionExpiredException: Token
invalid Token invalid Token invalid Error
401
at
com.google.gdata.client.http.GoogleGDataRequest.handleErrorResponse(GoogleGDataRequest.java:570)
at
com.google.gdata.client.http.HttpGDataRequest.checkResponse(HttpGDataRequest.java:560)
at
com.google.gdata.client.http.HttpGDataRequest.execute(HttpGDataRequest.java:538)
at
com.google.gdata.client.http.GoogleGDataRequest.execute(GoogleGDataRequest.java:536)
at com.google.gdata.client.Service.getFeed(Service.java:1135) at
com.google.gdata.client.Service.getFeed(Service.java:998) at
com.google.gdata.client.GoogleService.getFeed(GoogleService.java:645)
at com.google.gdata.client.Service.getFeed(Service.java:1017)
The way I'm initiating my request to my service is via curl, my command looks like this:
curl http://localhost:8080/user/someUserId/content
Using Wireshark I see the following in my request:
GET /feeds/api/users/default/uploads HTTP/1.1
Authorization: Bearer <the_auth_token_for_the_user>
User-Agent: MyApp YouTube-Java/1.0 GData-Java/null(gzip)
X-GData-Client: MyApp
Accept-Encoding: gzip
GData-Version: 2.0
Cache-Control: no-cache
Pragma: no-cache
Host: gdata.youtube.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
I'm stuck.
Ok, I figured this out. I was trying to query the user's uploaded videos, and apparently for an app to do that it has to be authorized for the https://www.googleapis.com/auth/youtube scope, not the scopes I had configured
I'm using the GTMOAuth-2 library to implement an OAuth 2 Authorization Code Grant flow to the Asana API, but consistently getting back a server error 500. The GTMHTTPFetcher log is as follows (selectively redacted):
fetch tokens for app.asana.com
2013-05-08 16:46:58 +0000
Request: POST https://app.asana.com/-/oauth_authorize
Request headers:
Content-Type: application/x-www-form-urlencoded
User-Agent: gtm-oauth2 <user-agent>
Request body: (199 bytes)
client_id=<client-id>&client_secret=_snip_&code=<client-secret>&grant_type=authorization_code&redirect_uri=http%3A%2F%2Fwww.google.com%2FOAuthCallback
Response: status 500
Response headers:
Cache-Control: no-store
Content-Length: 303
Content-Type: text/html; charset=UTF-8
Date: Wed, 08 May 2013 16:46:56 GMT
Pragma: no-cache
Server: nginx
Set-Cookie: <cookie>
X-Asana-Content-String-Length: 303
X-Asana-Preferred-Release-Revision: 20130508_073846_310cafc985fd5fb43121784b58d5dcd2503ffffe
Response body: (303 bytes)
<html>
<head>
<title>Error</title><script>__FILE__="(none)";var config = {
"CLUSTER": "prod",
"PRETTY_JS_CODEGEN": false,
"ENABLED_FEATURES": ""
};</script><link rel="shortcut icon" href="/-/static/luna/browser/images/favicon.ico" />
</head>
<body>
<h3>Error</h3><pre>Server Error</pre>
</body>
</html>
I've double-checked the auth and token URLs, client ID and secret, made sure the redirect URIs match on Asana and in-app. Interestingly, the authorization flow seems to get as far as authorizing the app (and the Asana site records the app as authorized), but it then never seems to return the authorization token. Is there anywhere I might be going wrong, or is this truly an internal server error?
(I work at Asana). I'm unsure where in the flow this request is being made, but it doesn't look correct. Once you've obtained the authorization code (by having the user interact with the Asana form), the library should then make a request to our /-/oauth_token endpoint, and pass us the code. So it's possible that you just need to be using the /-/oauth_token endpoint instead of the /-/oauth_authorize endpoint as you're doing.
If you look at our OAuth examples you'll note that there are two different URLs, one for authorization and one for token exchange.
Asana is probably returning a 500 because it's not expecting this and we're not doing a good enough job catching the problem.