I was trying to make a iOS which will use the Uber API to do things like get rides and what not. I am trying to implement the OAuth 2.0 on the iPhone without using any server side help.
Is that possible? Has anyone done this?
Here are some references:
Uber Authentication: https://developer.uber.com/v1/auth/
Oauth 2.0: https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified
Yes, this is possible. I was able to configure OAuth2 for my app using Uber API. Here are step-by-step instructions:
In your app, redirect to https://login.uber.com/oauth/authorize with your client_id and response_type=code in order to allow user to authorize your app.
Upon successful authorization, Uber will redirect to your redirect_uri (you can specify any redirect_uri, including localhost:xxxx for testing purposes, etc.) to provide you with an auth code that is single-use and valid for 10 min. Implement a callback to retrieve this auth code.
With the valid auth code from Step 2, make a POST request to exchange for an access token. As a simple check, I would recommend using curl to confirm access token validity. For ex:
curl -F 'client_secret=YOUR_CLIENT_SECRET' \
-F 'client_id=YOUR_CLIENT_ID' \
-F 'grant_type=authorization_code' \
-F 'redirect_uri=YOUR_REDIRECT_URI' \
-F 'code=AUTHORIZATION_CODE' \
https://login.uber.com/oauth/token
Upon successful exchange, use the access token as the value for the 'Authorization' header for subsequent endpoint calls. For ex:
curl -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' 'https://api.uber.com/v1/products?latitude=37.7759792&longitude=-122.41823'
Related
I am trying to implement the new TikTok Login Kit for Web and am stuck on the getting the access token.
Here's this specific step described in TikTok's doc.
https://developers.tiktok.com/doc/manage-user-access-tokens
I have registered the app.
I am able to reach the OAuth login screens.
I'm also able auth. and get a response from the auth. endpoint with an authorization code.
But when fetching the access token using the said authorization code my POST request comes back to my redirect URL with a "Status=Temporary Redirect, StatusCode=307" in the response.
I assume 307 means there's something missing on the tiktok server, but their support isn't very responsive unfortunately.
Perhaps someone in the community has dealt with this before?
I'm sending my POST request with the following parameters.
URL: https://open-api.tiktok.com/oauth/access_token
?code=atGaIopCm2M9L2vfad0l4IJzzX8qFfg7aButDrjqerJqs5rhIqmWZLLGk1YRJZUZ6-mGBaYxX_asSdw1TNe7NHhvysS99Yz5o4MtkNv2-nA*1
&client_key= <client key in plain text>
&client_secret=<secret in plain text>
&grant_type=authorization_code
Any ideas what could that 307 Error be hinting at in general?
Add -L in your curl command to enable redirections automatically
curl -X -L POST -H 'Content-Type:application/json' --data '{"secret": "xxx","app_id":"xxx","auth_code":"xxx" }' "https://business-api.tiktok.com/open_api/v1.2/oauth2/access_token/"
See the document here:
https://ads.tiktok.com/marketing_api/docs?id=1709207085043713
I'm in the context of an embedded devices that uses an HTTPS client to request an access token on behalf of a user (delegated permission needed for the app).
I'm currently using OAuth 2.0 ROPC (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc) to get my token and everything works fine.
But since this authentication is deprecated I'd like to change to a more secure solution that works in hybrid identity federation scenarios.
I see that many other solutions exists, but I can't find one that doesn't need to interpret an HTML/JS response.
Here a CURL example to explain my point:
ROPC request:
curl -X POST "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token" --data "grant_type=password&scope=EWS.AccessAsUser.All&username=<username>&password=<password>&client_id=<client_id>&client_secret=<client_secret>" -H "Content-Type: application/x-www-form-urlencoded"
Response:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0eX....1234"}
Here I can extract the token directly from the response.
But using other ways to get delegated permission token such as OAuth 2.0 Implicit Grant flow (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow), responses are always an HTML that I can't interpret.
So here I am wondering if there is a solution to this situation.
Thanks in advance,
Aloïs KYROU
You cannot use the implicit flow to obtain the token in the tool, you can only run the request url in the browser. Because using the implicit flow requires you to log in. Please note that before this, you must enable id token and access token.
Request the id token and access token in the browser.
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client id}
&response_type=id_token token
&redirect_uri={redirect_uri}
&scope=openid EWS.AccessAsUser.All
&response_mode=fragment
&state=12345
&nonce=678910
I was using apim 3-m18 previously and post'ing to localhost:9443/api/auth/oauth2/v1.0/token?grant_type=password&scope=apim:api_view with the basic auth token of clientid:clientsecret returned from /api/id4entity/oauth2/dcr/v1.0/register endpoint worked fine in giving me the oauth token for admin api's - e.g. the logic laid out at wso2 API-M 3.0 - how to get oauth token for product/admin api calls
However, I upgraded to latest rev (m24) and the dcr register endpoint still works fine, but when I then hit the token api with the base64-encoded clientid:clientsecret from dcr, the request hangs before i get a timeout error.
When I exit m24 and restart m18 and make the exact same requests (dcr call for clientid/secret, then token api call), it works. Then switching to m22 fails with same requests.
I didn't see any documentation or issues in github on this, so was curious if anyone knows what I might need to change to get the oauth token. Thanks.
Could you please use the following curl command
curl -X POST -H "Authorization: Basic N2Y4MzM0ODEtNjk1ZS00OWY4LTg0OTgtOGU0NjUwNzhmYjljOmU1NmZlOTM3LTQwZjYtNGEwMy04MDIzLTE4ZGE0YmZmNWU3OA==" -H "Content-Type: application/x-www-form-urlencoded" -d 'username=admin&password=admin&grant_type=password&scope=scope' "https://localhost:9443/api/auth/oauth2/v1.0/token" -kv
Authorization token is Base64 encoded(clientId:clientSecret)
I've got a bearer token from api.twitter.com/oauth2/token.
However it works only with the REST APIs. Using it against public stream APIs returns me 401 unauthorized.
I can't find any oauth doc specific to stream APIs.
What am I missing?
EDIT 1
Here is the curl command I'm using for my tests:
curl --verbose \
Streaming : -H "Authorization: Bearer <token>" \
--get "https://stream.twitter.com/1.1/statuses/filter.json" \
--data "follow=150367205"
Am I missing some headers? Again, it works fine for the REST APIs.
EDIT 2
I've found an answer on twittercommunity.com, dating from 2013/06, saying that Twitter's public streaming APIs don't support application-only authentication.
Is it still the case?
OK I missed a key point of Twitter's official documentation on app-only authentication:
And it won’t be able to:
* ...
* Connect in Streaming endpoints;
* ...
I have tried this and that.
But requesting this:
https://api.twitter.com/1.1/statuses/user_timeline.json?user_id=monyetbego
keep giving me Bad Authentication data.
I don't know exactly how to get authenticated.
You need to register an application through Twitter's developer site. Once your application is approved you will be given a set of Oauth keys, which you can use within an API request to receive a response. Note that in API V1.1, you can no longer submit unauthenticated requests (i.e. send requests through a unauthenticated URL like the one you posted).
For example, once you have your authentication information, you can use curl to submit a show_timeline request (see your Application's OAuth tool on the Twitter Dev website for parameters specific to your authentication information):
curl --get 'https://api.twitter.com/1.1/user_timeline.json' --header 'Authorization: OAuth
oauth_consumer_key="XXXXXXXXXXXXXXXX", oauth_nonce="XXXXXXXXXXXXXXXXXXXXXXXX",
oauth_signature="XXXXXXXXXXXXXXXXXXXXXXXXXXX", oauth_signature_method="XXXX-XXXXX",
oauth_timestamp="XXXXXXXXXXX", oauth_token="XXXXXXXX-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", oauth_version="1.0"' --verbose