I`m trying to run playground2 example and authorize with WSO2 Identity server 5.0.0 using OAuth2. And when I choose the authorization_code grant type application failed to obtain token since identity server returns 401 error.
But with Identity Server 4.6.0 it works fine.
Authentication parameters is:
grant_type: authorization_code
client_id: XXXXXXX
scope:
callback url: http://localhost:8081/oauth2client
authorize endpoint: https://localhost:9443/oauth2/authorize
Is it a bug of WSO2IS 5.0.0?
Pls obtain the latest playground app from this location.
You call back url seems to be wrong. Please follow the steps given in this document which is explained for Identity Server 5.0.
Related
I'm trying to implement the authorization code model using the Google Identity Services SDK, as described in Use Code Model. I would like to use the popup mode.
I managed to initialize the code client and receive an auth code with this Javascript code:
tokenClient = google.accounts.oauth2.initCodeClient({
client_id: CLIENT_ID,
scope: SCOPES,
callback: '', // defined later
ux_mode: 'popup',
})
...
tokenClient.requestCode({prompt: 'consent'});
When I receive the auth code in my callback, I relay it to an endpoint on my platform, as described in Step 5: Exchange authorization code for refresh and access tokens and I try to exchange the auth code for a refresh and access token in Python:
flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
'client_secret.json',
scopes=scopes,
state=state
redirect_uri=redirect_uri
)
flow.fetch_token(code=code)
The problem is that I use this code with an empty redirect_uri, I get an error "missing redirect_uri parameter". If I specify a redirect URL defined in Google Cloud Console, I get an error "redirect_uri mismatch". And if I try to use the same redirect_uri as the one sent in the initial popup request (Google seems to use storagerelay://... in this case), I get an error that "it doesn't comply with Google Oauth2 policy".
It appears that in any authorization flow when you get an authorization code on the client side and then pass that to your server for token exchange you have to use the string literal "postmessage" as your setting for redirect_uri.
flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
'client_secret.json',
scopes=scopes,
state=state
redirect_uri="postmessage"
)
flow.fetch_token(code=code)
This very important fact seems to be curiously absent from the documentation from most of the google client libraries, but it works for me. Hope this helps!
I'm wondering if anyone has run into this problem. I'm trying to authenticate to OneDrive using AAD v2.0, and the device code flow. My app has the following permissions configured in the Azure portal:
Microsoft Graph:
email
Files.ReadWrite.All
offline_access
openid
profile
User.Read
Each time I try to authenticate, I get the following error message from the token endpoint:
AADSTS70011: The provided value for the input parameter 'scope' is not valid. One or more scopes in 'https://graph.microsoft.com/.default openid offline_access' are not compatible with each other.
However, when I use the usual authorization code flow, it works. Similarly, if I use the scope https://graph.microsoft.com/Files.ReadWrite.All openid offline_access instead of https://graph.microsoft.com/.default openid offline_access, it also works.
Is there something about the .default scope that is incompatible with the device code flow?
More info:
The app can be used by "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)". I'm authenticating to the "consumers" tenant because I want to access my personal OneDrive.
Just remove openid offline_access from the scope, it should be https://graph.microsoft.com/.default, when you use /.default, they are not needed, all permissions registered by the application will be included.
Reference - https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope
Update:
I can reproduce your issue with /consumers and a personal account in the auth url, if I modify it to /<tenant-id>, it works fine, you could refer to the steps below.
1.In the postman, use the request below.
Request URL:
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/devicecode
Request Body:
client_id=<client-id>
scope=https://graph.microsoft.com/.default
2.In the browser, navigate to the https://microsoft.com/devicelogin, input the code and login your user account, the app will let you consent the permission, click the Accept.
3.After login successfully, in the postman, use the request below.
Request URL:
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
Request Body:
grant_type: urn:ietf:params:oauth:grant-type:device_code
client_id: <client-id>
device_code: <device_code in the screenshot of step 1>
I've been trying to connect Microsoft Power Automate to my API. My API has a OAuth2 Code Flow.
According to Power Automate, the connector can make a connection to my API. and execute a test. But the problem is that Microsoft sends a Bearer token that was generated by them, and not the one that I gave to them via OAuth2, resuting on my API giving a 401 Error (Invalid Token) as expected.
In the Power Automate Custom Connector page, in the security tab I have the following:
Authentication type
OAuth2.0
OAuth2.0 Settings
Identity Provider: Generic OAuth2
Client ID: SomeValue
ClientSecrect: SomeValue
Authorization URL: mydomain.com/auth/authorize
Token URL: mydomain.com/auth/token
Refresh URL mydomain.com/auth/token
Redirect URL: microsoft-flow.com/redirect (Not the real one)
When Microsoft makes a POST request to mydomain.com/auth/token, I return the following body:
{
access_token: "non JWT token", // simillar to a hash
refresh_token: "non JWT token",
expires_in: 3600
}
The request above is final request that microsoft before accepting as a valid connection. The token that microsoft sends me is a JWT one, not the one I provided.
I've seen some guys using Azure AD authentication within the APP, but I was trying to implement something simillar to other platoforms(e.g Github, Spotify, e.t.c)
So my question is it possible to connect Power Automate to a custom API with using OAuth2? If yes, how to do it?
It's possible.
In addition to the OAuth2.0 Settings you listed, there is another important property Scope which you have missed.
Since your API is protected in Azure AD, so I assume that you have created an Azure AD app for your API and exposed scopes.
After that, you can get the application ID URI (api://{clientId}) for your API.
You should put this value into the "Scope" in Power Automate, like this:
Then this access token will be considered valid by your API.
I've done two steps to fix this problem.
Step 1
Previously my API returned the body with access_token, refresh_token and expires_in, but then I added scope and token_type. Example:
{
access_token: "2346ad27d7568ba9896f1b7da6b5991251debdf2",
refresh_token: "4468e5deabf5e6d0740cd1a77df56f67093ec943",
expires_in: 3600,
scope: "none",
token_type: "Bearer"
}
Step 2
Delete the custom connector and create a new one with the same parameters. When I got to the "Test" section, Power automate finally could make the GET request successfully.
In my case, even if the the API was updated, Power automate was still using its faulty token, so I had to delete that custom connector and create new one.
Conclusion
By updating the API and deleting the old custom connector, I was able to get the connector working.
I'm using the OAuth Authorization Code flow to authenticate the user and authorize my application against the WSO2 Identity Server. I'm using a simple node/express server, with Passport.js, to get the Access Token, and Postman to use that Access Token to make a few test requests to the SOAP APIs.
When using a Bearer Token method to authorize my application, I get the following error in the IS logs: 0 active authenticators registered in the system. The system should have at least 1 active authenticator service registered. I get the following error in Postman: 500 Internal Server Error, with the following response body, <faultstring>Authentication failure</faultstring>.
Here is what it looks like in Postman:
The same Access Token works with a REST API request, like "https://localhost:9443/scim2/Me".
Can anyone tell me what I'm missing here?
SOAP APIs in WSO2 Identity Server cannot be authenticated with Bearer tokens. They can be authenticated with Basic authentication and cookies. That's the reason for getting Authentication failure in the response.
But REST APIs in the Identity Server can be authenticated with Bearer tokens. So /scim2/Me authenticate successfully with access token.
Try to get the Access token manually from Authorize service and use it
Step 1: Get authorization code
https://<is_server_url>:9443/oauth2/authorize?client_id=<id>&redirect_uri=<callback_url>&response_type=code&scope=openid
You will get an authorization code on the callback URL
Step 2: Call token service to get access token
Post https://<is_server_url>:9443/oauth2/token
Content-Type:application/x-www-form-urlencoded
Authorization:Basic <base64encoded "<client_id>:<client_secret>">
grant_type:authorization_code
scope:openid
code:<code_from_step_1>
redirect_uri:<callback_url>
exp:
client_id=**abcdefgh12345678**
client_secret=**xyzsecretkey**
callback_url=**http://locahost/callback**
scope=openid
server: localhost
base64encode(client_id:client_secret)= base64encode(abcdefgh12345678:xyzsecretkey) => YWJjZGVmZ2gxMjM0NTY3ODp4eXpzZWNyZXRrZXk=
GET https://localhost:9443/oauth2/authorize?client_id=**abcdefgh12345678**&redirect_uri=**http://locahost/callback**&response_type=code&scope=openid
it will make a request back to the callback url with a parameter code, lets say code=this01is02your03code, please check your browser address bar
POST https://localhost:9443/oauth2/token
HEADERS
Content-Type:application/x-www-form-urlencoded
Authorization:Basic **YWJjZGVmZ2gxMjM0NTY3ODp4eXpzZWNyZXRrZXk=**
BODY
grant_type:authorization_code
scope:openid
code:this01is02your03code
redirect_uri:http://locahost/callback
this will return an access token, let say token returned by the server is 12345678ASDFGH
Now you could use this token to call any RestFull or SOAP service
Authorization: Bearer 12345678ASDFGH
Found samples for Custom grant, password and credentials. Is there some sample (nodejs, curl, java or any other option) that you can test the authorization code with the playground2?
Oauth with Grant Type Password:
http://xacmlinfo.org/2015/03/09/openid-connect-support-with-resource-owner-password-grant-type/
Oauth with Grant Type Credentials:
http://xacmlinfo.org/2013/12/02/client-credential-grant-type-with-oauth-2-0/
Alternatively, you can try the Authorization Code grant type in the browser without having to use any web app. I wrote a blog post on how to do it [1]
You can test the authorization grant with a combination of a browser redirect and a curl command. The step by step guide with screenshots to achieving this is explained in the blog post.
Let me explain the summary of steps here,
Log in to Identity Server (5.1.0 or higher)
Create a Service Provider and enable Inbound OAuth Authentication
Provide the callback URL as "https://localhost/callback"
Open a private window in a browser and type in the below URL. Replace {client_id} with the client_id of the OAuth client_id of the Service Provider
https://localhost:9443/oauth2/authorize?response_type=code&client_id={client_id}&redirect_uri=https://localhost/callback&scope=read
Next, you will be prompted to login and thereafter to approve for consent.
You will be redirected with the authorization code as "code"
query param in the URL
Use a CURL request to the token endpoint to get a valid access token
curl -k -v --user {client_id}:{client_secret} -d "grant_type=authorization_code&code={authorization_code}&redirect_uri=https://localhost/callback" https://localhost:9443/oauth2/token
(replace {client_id},{client_secret} and {authorization_code} with correct values)
You can refer [1] for screenshots.
[1] http://blog.farazath.com/2016/05/trying-out-oauth2-authorization-code.html
You can quickly download and spin up an IS 5.0.0 and then configure it with the Info Recovery Sample.
https://docs.wso2.com/display/IS500/Recovering+Account+Information+Using+a+Webapp
The sample is a simple self service account management tool.