So I asked the following question a few days ago: Redirect URI not redirecting correctly
I've since gotten further along, but now I need my access token to verify a JWT.
According to this, googleUser.getAuthResponse().access_token should return the access token, but it's coming back undefined.
I'm a bit confused by all of the different ways that Sign In with Google can be implemented, so if I already have a JWT and the access token is undefined, is that OK? I'm trying to verify the JWT with the code found here, but I'm not using an X509 cert. I figured I should be able to just do it with my client_id and secret.
Can someone please help me get out of this maze? :)
Related
I'm stuck with an issue while trying to use Google's OAuth2 php lib. On the server side, after I instantiate an OAuth2 object I redirect the user to Google's sign in page, after which they hopefully grant permissions based on the scopes (the APIs I declared for use in the OAuth2) I declared. Now here's my issue: after the user grants permission I get redirected to the redirectUri I specified during the instantiation of OAuth2. This redirectUri contains as params state, code, and scope k-v pairs. I always get a "Missing authorization code" if I don't send back the value code to server and set it as a property of the OAuth2 object. However, if I send back the value of code to the server and set it as a property of the OAuth2 object I get a
"Client error: POST https://www.googleapis.com/oauth2/v4/token
resulted in a 400 bad request response. Error: "invalid_grant""
So, I'm at a loss here. I should mention that I actually managed to make 2 authorized calls to Google Ad Manager (the scope I declared) using the same flow I described above, but after that I keep getting the same 2 errors as above.
Does anybody know what's going on? I must be missing something but I can't see what. I'm using this guide so it's not really convoluted or complicated code but I just can't get it to work somehow. https://github.com/googleads/googleads-php-lib/wiki/API-access-on-behalf-of-your-clients-(web-flow)
Cheers everybody,
We have been deeply reading Google's documentation on exchanging the access_token from Google in order for our (Delphi) desktop application to SSO with Google from the server side. Here is what the payload we send first looks like:
https://accounts.google.com/o/oauth2/v2/auth?client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&state=E1DF2FBA-0A66-4D69-B594-5EB8F7828AF7&scope=openid+profile&include_granted_scopes=true&code_challenge=C832DA50-E55A-499D-89B8-493BB4123C94&login_hint=test#Speelkriebel.be
Normally after this it redirects me to log in as our test user, and after this, according to the documentation, we send a POST request to the token endpoint in order to get the access_token and refresh_token: https://oauth2.googleapis.com/token
with the following parameters; the 'code' is generated and we also send it as follows:
client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com
grant_type=authorization_code
client_secret=******
code= 4/1AY0e-g4GlavO38PI5Oo3vq04Pc4lMWN77et-02UiVWOsT-IyRQnU1lq19qo
redirect_uri = urn:ietf:wg:oauth:2.0:oob
The response is always
{
"error_description": "Missing code verifier.",
"error": "invalid_grant"
}
We have tried to send the client secret ID also. Does it have to do with our code_challenge? Are the endpoint URLs and initial URL okay? What are we missing? We are using CEF4Delphi as a "browser-like experience" in order for the user to type in their Google credentials. We have been reading this: https://developers.google.com/identity/protocols/oauth2/web-server#offline
We were also trying the playground: https://developers.google.com/oauthplayground/
We were sending the initial URL in Chrome, which generated a "code", and in the playground we inserted the code and still got the same error of missing code verifier.
Thanks Guys
You seem to have URL encoded a lot of the values; try not doing that. Also try using the basic call before you start adding everything else. It should help you figure out which one of those extra parameters you are sending is causing your issues.
https://accounts.google.com/o/oauth2/auth?client_id={clientid}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=profile&response_type=code
Also make sure that the client id is from an installed / other type client
This may also help: Google 3 Legged OAuth2 Flow
For installed apps, the code challenge and verifier are parameters for enhancing the security of the OAuth flow through PKCE [1].
There is additional documentation about generating a code challenge and verifier here [2].
[1] https://www.rfc-editor.org/rfc/rfc7636
[2] https://developers.google.com/identity/protocols/oauth2/native-app#step1-code-verifier
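The PKCE pairing from RFC 7636 that the answer above points to, as an added example that is not part of the original posts: the challenge travels in the authorization URL and the matching code_verifier must accompany the code in the token request, which the parameter list in the question does not include. The client id placeholder, the function names and `server_accepts` (a simplified stand-in for the authorization server's check) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

CLIENT_ID = "CLIENT_ID.apps.googleusercontent.com"  # placeholder, not a real client
REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob"          # value used in the question


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier, 43-128 chars from the unreserved set (RFC 7636 section 4.1)."""
    if not 32 <= n_bytes <= 96:
        raise ValueError("n_bytes must yield a 43-128 character verifier")
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def authorization_query(state: str, code_verifier: str) -> str:
    """Step 1: only the derived challenge appears in the browser-visible URL."""
    return urlencode({
        "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "response_type": "code", "scope": "openid profile", "state": state,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    })


def token_request_body(code: str, code_verifier: str) -> str:
    """Step 2: the verifier itself is sent with the code to the token endpoint."""
    return urlencode({
        "grant_type": "authorization_code", "code": code,
        "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    })


def server_accepts(stored_challenge: str, presented_verifier) -> bool:
    """Simplified server-side check: recompute the challenge and compare."""
    if not presented_verifier:
        return False  # the case reported as "Missing code verifier."
    recomputed = s256_challenge(presented_verifier)
    return hmac.compare_digest(recomputed, stored_challenge)
```

The verifier has to be kept by the client between the two steps, for example in memory next to the `state` value, and a fresh one generated for every authorization request.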
I have a hobby project in mind to use battle.net login. I'm wondering how I can obtain the access token from the API after receiving the authorization code.
This is an OAuth flow question rather than a battle.net question.
Currently I can successfully authorize the user for my app which is registered in dev.battle.net and then I try to use the authorization code returned from the battle.net login to obtain the access token by sending a request to https://<region>.battle.net/oauth/token.
However I keep receiving this error:
{
"error": "unauthorized",
"error_description": "An Authentication object was not found in the SecurityContext"
}
I use the Postman extension to send POST requests to that URI. I authenticate my request with my client id and secret. I pass redirect_uri (https://localhost), grant_type (authorization_code), code (the code returned from the previous authorization step). However I keep getting the error above.
I couldn't find much about battle.net online. There are other oauth related help articles but couldn't really find my way.
Wondering if you can help me with this easy stuff. I'm just wondering what I'm skipping here.
Here is the documentation:
https://dev.battle.net/docs/read/oauth
https://localhost is added in my mashery dev account's app settings.
Me again, I resolved this problem after trying almost every combination in the universe:)
Steps to apply:
Don't use the same authorization token for different access token trials, they are not valid
Always use https on every domain you test including localhost; your redirect_uri must be https as well.
You must use the "basic authentication" in the header of your POST request while requesting the token from the authorization code you obtained from the previous step.
This is one of the most important ones: For requesting the token, pass redirect_uri, client key and secret as POST form parameters to the authenticated request. This is interesting because it's already an authenticated request; why would I need to pass my secret again? Anyways, that's how it works.
Here is the full text:
http://hakanu.net/oauth/2017/01/26/complete-guide-of-battle-net-oauth-api-and-login-button/
This is working prototype:
https://owmatch.me
Thanks.
I'm struggling to find any documentation for DotNetOpenAuth on how to do this.
I know the client sends the bearer token, but how do I verify it (other than verifying it's in the appropriate header)? How do I verify it's valid, or that it hasn't expired? Is there a hook to allow DotNetOpenAuth to do this for me? I don't see it.
Thanks.
So, I figured it out. Hopefully this will help anyone else who finds this.
Part of it was me being a n00b to OAuth. I set up my Authorization server just fine, but didn't realize (at first) that the ResourceServer is responsible for validating the token and validating that the access to the requested resource is still valid. Once I realized this it was easy to find the ResourceServer class in DONA, and you can parse the BEARER token with two lines of code:
ResourceServer server = new ResourceServer(new StandardAccessTokenAnalyzer(signingKey, encryptionKey));
AccessToken token = server.GetAccessToken();
The returned token will have the date it was issued and the user it was issued under, as well as any scope requests for you to validate access.
Hope this helps anyone like me who struggled with this!
As of yesterday, my application is able to authenticate with google (youtube) via oAuth 2.0 the first time no problem but the 2nd time (re-authentication, same app + same user), when I exchange the requestToken for an accessToken I get an error:
error : invalid_grant
I'm using:
grant_type = authorization_code
like they suggest. What used to happen, before 2 days ago, was on re-authentication the web page would say 'you've already authenticated with this application before, would you like to grant it access again?'. What has changed or what could I be doing wrong?
I found a way to fix this (at least for us). When redirecting to the accounts.google.com/o/oauth2/auth url, we had to add both approval_prompt=force and access_type=offline. If one was missing, we got no refresh token.
This url documents all of the parameters, but says nothing about the refresh token: http://code.google.com/apis/accounts/docs/OAuth2WebServer.html
I think I may have found the answer here:
https://groups.google.com/forum/#!searchin/oauth2-dev/invalid_grant/oauth2-dev/eaOa6THER0k/z4eO-taUFxgJ
The problem was that the "code" parameter that you need to send needs to be encoded. It will work when you set the approval_prompt to force because the return code contains URL-safe characters. However, this is not the case for the return code upon a second authorization request.
For me this fixed it, I hope it does for you as well.
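The encoding point in the last answer, as an added example that is not part of the original posts: a code concatenated raw into an application/x-www-form-urlencoded body can be decoded by the server into a different string, which then no longer matches the issued code. The sample code value, the client id placeholder, the redirect URI and the function names are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode

# Constructed sample containing characters that are not form-safe.
# It is not a real authorization code.
SAMPLE_CODE = "4/P7q+AbC/dEf=="
CLIENT_ID = "CLIENT_ID.apps.googleusercontent.com"   # placeholder
REDIRECT_URI = "https://localhost/callback"          # placeholder


def naive_body(code: str) -> str:
    """Token request body built by string concatenation, with no encoding."""
    return (
        "grant_type=authorization_code"
        f"&code={code}&client_id={CLIENT_ID}&redirect_uri={REDIRECT_URI}"
    )


def encoded_body(code: str) -> str:
    """Same fields, each value percent-encoded by urlencode."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
    })


def code_seen_by_server(body: str) -> str:
    """Decode the body the way a form parser does and return the code field."""
    return parse_qs(body, keep_blank_values=True)["code"][0]


def survives_transport(body: str, issued_code: str) -> bool:
    """True only if the decoded code is byte-for-byte the issued one."""
    return code_seen_by_server(body) == issued_code
```

In the raw body the `+` is decoded as a space, so the code the server compares is not the one it issued.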