Bearer tokens not working for Twitter's public stream APIs - twitter

I've got a bearer token from api.twitter.com/oauth2/token.
However it works only with the REST APIs. Using it against public stream APIs returns me 401 unauthorized.
I can't find any oauth doc specific to stream APIs.
What am I missing?
EDIT 1
Here is the curl command I'm using for my tests:
curl --verbose \
Streaming : -H "Authorization: Bearer <token>" \
--get "https://stream.twitter.com/1.1/statuses/filter.json" \
--data "follow=150367205"
Am I missing some headers? Again, it works fine for the REST APIs.
EDIT 2
I've found an answer on twittercommunity.com, dating from 2013/06, saying that Twitter's public streaming APIs don't support application-only authentication.
Is it still the case?

OK I missed a key point of Twitter's official documentation on app-only authentication:
And it won’t be able to:
* ...
* Connect in Streaming endpoints;
* ...

Related

Uploading image to Twitter returns a 403 error

I am trying to upload an image to Twitter using their upload media endpoints. However, I always get a 403 Forbidden error.
I have created an application in my Twitter Developer Console, which gave me a bearer token and I am using that to pass in my headers. Here is what things are looking like in postman:
Here is the generated cURL:
curl --location --request POST "https://upload.twitter.com/1.1/media/upload.json?media_category=tweet_image" ^
--header "Content-Length: 53466" ^
--header "Authorization: Bearer AAAAAAAAAAAAAAAAAAAAAD1mTQ<REST_OF_BEARER_TOKEN>" ^
--header "Cookie: guest_id=v1%3A163072111368923415; personalization_id=\"v1_Enx+SO8Z5+LYLTsABCKDtg==\"" ^
--form "media=#\"/C:/Users/mikel/Desktop/lions_gate.jpg\""
I am clearly missing something. Why do I continue to get a 403 error?
Thanks!
A Bearer Token will not work with the media upload endpoints. A Bearer Token only provides “app authentication”. You need to use “user authentication” (also known as 3-legged OAuth) in order to identify as a user. Per the documentation:
Requires authentication? Yes (user context only)

Is Google Sign In Required everytime to upload a Video to Youtbe using JAVA..?

I am trying to upload a Video to my YouTube account using my own Application(Spring-boot) with the help of Google Library. But every time when I try to call the insert API of YouTube it asks for a Physical Sign in to Google Account. I want to upload my Video without Google Signin via passing the API Key or the client credentials(generated in Google Console for OAuth) in a post Request. I don't want to signin to google every time to upload a video. My account should be verified with the credentials I provide in the post Request.
curl --request POST
'https://youtube.googleapis.com/youtube/v3/videos?key=[YOUR_API_KEY]'
--header 'Authorization: Bearer [YOUR_ACCESS_TOKEN]'
--header 'Accept: application/json'
--header 'Content-Type: application/json'
--data '{}'
--compressed
Another Question is How I can get [YOUR_ACCESS_TOKEN] ..?
End Point URL : POST https://www.googleapis.com/upload/youtube/v3/videos
Google Link : YouTube Upload Video steps
Any Suggestion would be Very Helpful.
JAVA code snippet :
you can find this on Google Link.
The only way to do that would be to request offline access. At which point you should get a refresh token back. You can then use the refresh token to request a new access token at a later date without requiring that you login to google again.
Since your code is in Curl i have posted a response using Curl, even though your question mentons java.
# Authorization link. Place this in a browser and copy the code that is returned after you accept the scopes.
https://accounts.google.com/o/oauth2/auth?client_id=[Application Client Id]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=[Scopes]&response_type=code
# Exchange Authorization code for an access token and a refresh token.
curl \
--request POST \
--data "code=[Authentcation code from authorization link]&client_id=[Application Client Id]&client_secret=[Application Client Secret]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code" \
https://accounts.google.com/o/oauth2/token
# Exchange a refresh token for a new access token.
curl \
--request POST \
--data 'client_id=[Application Client Id]&client_secret=[Application Client Secret]&refresh_token=[Refresh token granted by second step]&grant_type=refresh_token' \
https://accounts.google.com/o/oauth2/token
Code ripped from my Gist

wso2 apim 3.0-m24 token api issue?

I was using apim 3-m18 previously and post'ing to localhost:9443/api/auth/oauth2/v1.0/token?grant_type=password&scope=apim:api_view with the basic auth token of clientid:clientsecret returned from /api/id4entity/oauth2/dcr/v1.0/register endpoint worked fine in giving me the oauth token for admin api's - e.g. the logic laid out at wso2 API-M 3.0 - how to get oauth token for product/admin api calls
However, I upgraded to latest rev (m24) and the dcr register endpoint still works fine, but when I then hit the token api with the base64-encoded clientid:clientsecret from dcr, the request hangs before i get a timeout error.
When I exit m24 and restart m18 and make the exact same requests (dcr call for clientid/secret, then token api call), it works. Then switching to m22 fails with same requests.
I didn't see any documentation or issues in github on this, so was curious if anyone knows what I might need to change to get the oauth token. Thanks.
Could you please use the following curl command
curl -X POST -H "Authorization: Basic N2Y4MzM0ODEtNjk1ZS00OWY4LTg0OTgtOGU0NjUwNzhmYjljOmU1NmZlOTM3LTQwZjYtNGEwMy04MDIzLTE4ZGE0YmZmNWU3OA==" -H "Content-Type: application/x-www-form-urlencoded" -d 'username=admin&password=admin&grant_type=password&scope=scope' "https://localhost:9443/api/auth/oauth2/v1.0/token" -kv
Authorization token is Base64 encoded(clientId:clientSecret)

Google OAuth 2 implicit flow on iOS, refresh token manually

Hi I have the Google OAuth 2 explicit flow working according to:
https://developers.google.com/identity/protocols/OAuth2WebServer
I also have the implicit flow working on iOS with GIDSignIn, specifically I get the GIDSignInDelegate::sign(_ signIn: GIDSignIn!, didSignInFor user: GIDGoogleUser!, withError error: Error!) callback and have access to user.authentication.accessToken and user.authentication.refreshToken.
I'm trying to pass that refreshToken back to our private app server so that it can make requests on behalf of the user (mainly because it's easier to just sign in with the SDK than make the front end developers deal with raw URL requests).
However, when I try to use that refresh token to get a new access token on the back end:
curl --request POST \
--url https://www.googleapis.com/oauth2/v4/token \
--header 'cache-control: no-cache' \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'client_id={client_id}&client_secret={client_secret}&refresh_token={refresh_token}&grant_type=refresh_token'
It returns:
{ "error": "invalid_grant", "error_description": "Bad Request" }
I think the issue is that my server has a client id and secret, but iOS only has a client id. Without a secret (sometimes called key) corresponding to the iOS client id, there is no way for me to refresh the token on the back end. I was hopeful that Google would detect that both the server client id and iOS client id were registered to the same app and let the server refresh the token with its credentials, but that doesn't work.
I've looked at both the "API keys" and "OAuth 2.0 client IDs" sections at:
https://console.developers.google.com/apis/credentials
But am at a loss.
Does anyone know a curl command for refreshing a token acquired through the iOS SDK?
Or is this simply not possible?
Thanks!
For anyone reading this, I got it working:
On a whim I tried calling the refresh token endpoint without passing client_secret (as there isn't one when using implicit flow on mobile). Here is the curl:
curl --request POST \
--url https://www.googleapis.com/oauth2/v4/token \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'client_id={client_id}&refresh_token={refresh_token}&grant_type=refresh_token'
This appears to be undocumented. The closest example I found is at https://developers.google.com/identity/protocols/OAuth2InstalledApp#refresh but it shows client_secret=your_client_secret& and never mentions that with implicit flow, front end web and mobile apps don't normally use a client secret.
Please don't upvote my answer, as I haven't done anything. OAuth is generally not documented very well, or contains code snippets pertaining to platform SDKs without the underlying URL requests or curl examples. SDKs are often opaque/closed-source so would require dropping down to tcpdump or packet sniffing to see what's going on. I didn't do the due diligence, I just got lucky.
I have sent feedback to Google but if this issue has affected you, you can click the gear in Gmail and "Send feedback" to hopefully get documentation updated more quickly.
Please refer to this link:
https://developers.google.com/identity/sign-in/ios/offline-access
From the reference, you have to do 2steps below to let your server able to refresh your access token
Make sure your server and iOS app use credentials of the same project, 1 browser key and 1 iOS key
Add this line: [GIDSignIn sharedInstance].serverClientID = your_server_client_id

Uber API iOS OAuth 2.0

I was trying to make a iOS which will use the Uber API to do things like get rides and what not. I am trying to implement the OAuth 2.0 on the iPhone without using any server side help.
Is that possible? Has anyone done this?
Here are some references:
Uber Authentication: https://developer.uber.com/v1/auth/
Oauth 2.0: https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified
Yes, this is possible. I was able to configure OAuth2 for my app using Uber API. Here are step-by-step instructions:
In your app, redirect to https://login.uber.com/oauth/authorize with your client_id and response_type=code in order to allow user to authorize your app.
Upon successful authorization, Uber will redirect to your redirect_uri (you can specify any redirect_uri, including localhost:xxxx for testing purposes, etc.) to provide you with an auth code that is single-use and valid for 10 min. Implement a callback to retrieve this auth code.
With the valid auth code from Step 2, make a POST request to exchange for an access token. As a simple check, I would recommend using curl to confirm access token validity. For ex:
curl -F 'client_secret=YOUR_CLIENT_SECRET' \
-F 'client_id=YOUR_CLIENT_ID' \
-F 'grant_type=authorization_code' \
-F 'redirect_uri=YOUR_REDIRECT_URI' \
-F 'code=AUTHORIZATION_CODE' \
https://login.uber.com/oauth/token
Upon successful exchange, use the access token as the value for the 'Authorization' header for subsequent endpoint calls. For ex:
curl -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' 'https://api.uber.com/v1/products?latitude=37.7759792&longitude=-122.41823'

Resources