I am having the same problem that is described in LinkedIn OAuth2: "Unable to verify access token"; however, the solution described there does not fix my problem.
I am able to successfully request an access token; however, when I make a request with it (using either the Authorization header or the oauth2_access_token query param), I get a 401 failure:
$ curl "https://api.linkedin.com/v1/people/~?format=json&oath2_access_token=############"
{
"errorCode": 0,
"message": "Unable to verify access token",
"requestId": "Z9ZJ1MOUM0",
"status": 401,
"timestamp": 1440096560396
}
$curl --header "Authorization: Bearer #############" 'https://api.linkedin.com/v1/people/~?format=json'
{
"errorCode": 0,
"message": "Unable to verify access token",
"requestId": "Y1P2PEBEC3",
"status": 401,
"timestamp": 1440096564518
The strange thing about this is:
This problem doesn't surface if the user is logged into Linkedin.
If you wait five minutes, the request will just start working.
My guess this is a bug in Linkedin about latency of authorizing access codes based the users' logged in state, but I don't know.
Also I find it strange that the Linkedin authorization form reads, "Sign in to LinkedIn and allow access:"; however, when you put in your credentials and click "Allow access", you are not actually logged into Linkedin.
My code was working fine on last week. Anyone else seeing this?
Looks like you have oath2_access_token there instead of oauth_access_token ? Not sure if this is a hand-paste failure or the actual issue.
curl "https://api.linkedin.com/v1/people/~?format=json&oath2_access_token=############"
Try this it work for me
get('https://api.linkedin.com/v1/people/~?oauth2_access_token=*******&format=json');
Hope that help some one
This seems to be caused by triggering a security watchdog, i.e. after an invalid request or after requesting several access tokens without using them linkedin seems to stop validating tokens and responds 401 instead.
in fact you need to add the two following header :
Authorization : Bearear #ACCESS TOKEN#
x-li-src : msdk
regards
Related
When I use this endpoint in postman https://discordapp.com/api/guilds/1068721953185206354/members/460428342781542402
I keep getting
{ "message": "Invalid OAuth2 access token", "code": 50025 }
the status code is 403
Here are my headers and body:
Response
Headers
`Body
Please help I have looked everywhere and nothing worked.
I have tried to reset the token a couple try (Revoke it then regenerate it)
I have tried to use it on https://discord.com/api/oauth2/#me and it worked so it's not the access token.
I have tried to use https://discordapp.com/api/guilds/1068721953185206354/members/460428342781542402 as PATCH and it did tell me the info of the user.
I have searched everywhere on the internet.
I have checked that the bot is on the same application as the token
The request https://www.googleapis.com/youtube/v3/members fails with code 403 "Access forbidden. The request may not be properly authorized." even in the Google OAuth 2.0 Playground while all other requests succeed. Does that mean I am missing the approval from YouTube? I have completed the forms to request the approval several weeks ago, but I have yet to get any response from YouTube.
API request with parameters used
https://youtube.googleapis.com/youtube/v3/members?part=snippet
Result
{
"code" : 403,
"errors" : [ {
"domain" : "youtube.common",
"message" : "Access forbidden. The request may not be properly authorized.",
"reason" : "forbidden"
} ],
"message" : "Access forbidden. The request may not be properly authorized."
}
Expected result
Response body with Members List
Is it 100% reproducible?
Yes
Reproducible API explorer link
https://developers.google.com/oauthplayground/
approval
If you check the top of the page for
members.list you will see that this method has been replaced by sponsors.list
So calling Members.list isnt going to work. You ened to call sponsors.list and you need permission from google inorder to call that
authorization
Assuming you have summited the form and requested access to the new sponsors.list method and have been granted access you should know that calling memebers.list wont work. As its been deprecated you need to call sposors.list and it needs to be authorized. I would guess with the same scope as before.
The message is telling you that you have summited the request without being properly authorized to access the data.
Access forbidden. The request may not be properly authorized.
You need an access token sent as an authorization header before you will be able to make that call please check authorization
As this new method isn't documented I would have to guess it would be something like this.
GET https://youtube.googleapis.com/youtube/v3/sponsors?part=snippet?key=[YOUR_API_KEY] HTTP/1.1
Authorization: Bearer [YOUR_ACCESS_TOKEN]
Accept: application/json
If you have been granted access to this method then you might have an email contact at google that you can ask what the actual call is if its not working.
I have scoured the web to try and find an answer to what seems to be a simple solution but unable to come across one.
I am using Postman. On the Authorisation tab, I have entered the details as defined in the Twitter Application Management.
In the header, I have a key of Authorization and value of
OAuth oauth_consumer_key="my-consumer-key",
oauth_token="my-consumer-token",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1538075001",
oauth_nonce="zXeiLqV5GzK",
oauth_version="1.0",
oauth_signature="SYdcrIrRT6jdgo57b1qP9a9THcc%253D"
When I run a GET request for https://api.twitter.com/1.1/search/tweets.json?q=test I get the expect results.
However, trying to search for a hashtag
https://api.twitter.com/1.1/search/tweets.json?q=%23test&include_entities=true I get the following in the response body
{
"errors": [
{
"code": 32,
"message": "Could not authenticate you."
}
]
}
with a status of 401: Authorization Required
Why would this be the case, would there be a step I missed in setting up or can you not search for hashtags on the free version?
Any help would be appreciated.
Solution is to use OAuth2
Twitter OAuth1 seems to have issue with url encoding.
I ended up using OAuth2 too. Requesting Bearer's Token to https://api.twitter.com/oauth2/token and giving it App Consumer API keys as authorization credentials.
Reference can be found here
I am trying to develop a simple background app to connect to my onedrive account (work) and regularly download some files.
I followed this tutorial https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds
I have registered the app here https://apps.dev.microsoft.com/portal/register-app
I have written down the client_id and client_secret
To get an access token I make a POST request to
https://login.microsoftonline.com/common/oauth2/v2.0/token
with the following form encoded data
{
'client_id': 'clientid here',
'client_secret': 'secret is here',
'scope': 'https://graph.microsoft.com/.default',
'grant_type': 'client_credentials',
}
I get back an access_token
{'ext_expires_in': 0,
'token_type': 'Bearer',
'expires_in': 3600,
'access_token': 'eyJ0eXAiOiJKV1QiLCJhbGciO---SHORTENED FOR BREVITY'}
Next I make a GET request (with Bearer header properly set) to https://graph.microsoft.com/v1.0/me
and get this eror response (which I get for any endpoint fwiw)
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request",
"innerError": {
"request-id": "91059f7d-c798-42a1-b3f7-2487f094486b",
"date": "2017-08-05T12:40:33"
}
}
}
I have these permissions configured in the app setting
Any ideas what might be wrong?
I'll file a bug to improve this awful error message. The problem is that you are making a request using application permissions (client_credentials flow) - where there is no signed-in user context. Your request is to /me, and /me is basically an alias for the signed-in user - and in this case there isn't one!
You should try a call to https://graph.microsoft.com/v1.0/users instead. But, before you do that. In the app registration portal, you've selected delegated permissions, but you are calling with application permissions. You should remove the delegated permissions, and select the appropriate application permissions - to call users, select User.Read.All for example. Then make sure to consent/reconsent your app by going to the /adminconsent endpoint.
Please also read more on permissions and delegated and application permissions here: https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
Hope this helps,
i used https://graph.microsoft.com/v1.0/users/{{Emailid}}/messages to get all the messages in my inbox
In clientCredential flow you are accessing as an with Client secret or with client certificate . So Graph API no linger understands who is me. So you need use https://graph.microsoft.com/v1.0/users/<Your_userId> or https://graph.microsoft.com/v1.0/users/<your_userprincipalname>.
eg.https://graph.microsoft.com/v1.0/users/1sd1353as..
or
eg.https://graph.microsoft.com/v1.0/users/John_doe#contso.com
Reference: https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http
I am using the PHP Google client library. I successfully get a token and refresh token from user/google to use with the API.
As soon as the user revokes the permission for my website in Googles settings on the Google page i get following error:
Error calling GET https://www.googleapis.com/calendar/v3/users/me/calendarList: (401) Invalid Credentials
That is expected behavior since the user revoked my permission.
However, how do I detect that a user revoked that access?
Currently i do the following to see if i have access:
//$token json fetched from database
$gclient->setAccessToken($token);
if ($gclient->getAccessToken())
//i should have access
Well this code unfortunately does not detect the revoked permission. How can i handle that?
Once you have detected that the user has revoked the permission you can ask the user to grant the permission again.
To detect that the grant has been revoked: Provided that you had authorization before,
Making an API call using a revoked access_token will result in a response with status code 401. Like this
{
"error": {
"errors": [
{
"domain": "global",
"reason": "authError",
"message": "Invalid Credentials",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Invalid Credentials"
}
}
Attempting to refresh a token after the revocation will result in a response with a 400 status code and an invalid_grant message. Just as specified in the RFC 6749, Section 5.2
invalid_grant The provided authorization grant (e.g., authorization
code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
another client.
Here is an example of such response:
```lang-js
{
"error" : "invalid_grant"
}
```
Google APIs should only return 401 for lack of authorization. Since you had authorization before, receiving a 401 is a reliable indication that the user has revoked access.
Are you looking for a detection mechanism that notifies you of such changes before you make the API call? Today there is not a push notification mechanism from Google that can inform your application of such events. Of course, a pull-based mechanism is not useful -- you can simply make the API call and handle the 401 more efficiently.