I am currently using Spring Security OAuth2 with Reddit - and trying to pass the duration parameter when redirecting the user to an authorization URL.
This URL is constructed via getRedirectForAuthorization - which is a private method in AuthorizationCodeAccessTokenProvider - so it's not immediately clear how the duration parameter should be added in.
Am I missing anything?
Thanks.
You can add query parameters to the authorization request using a RequestEnhancer. You can inject one into the AccessTokenProvider and the DefaultRequestEnhancer includes a list of parameters to include (empty by default).
Related
I´m using spring security rest. Actually to refresh token im using this url: /oauth/access_token?grant_type=refresh_token&refresh_token=token
However i'm using api rest and I want to use /api/oauth to refresh token instead of /oauth.
I tried redirect in urlMappings, but response 404 not found.
"/api/oauth"(redirect: '/oauth')
"/api/oauth"(redirect: '/oauth')
As you found, that mapping won't work but there may not be a good reason to use a redirect anyway. The plugin provides a mapping like this:
"/oauth/access_token"(controller: 'restOauth', action: 'accessToken')
(see https://github.com/alvarosanchez/grails-spring-security-rest/blob/d5940921b4aea466a961957e0599321d01e4c6de/spring-security-rest/grails-app/controllers/grails/plugin/springsecurity/rest/RestOauthUrlMappings.groovy#L24)
You can map whatever url you like to that controller. You could do this...
"/api/oauth"(controller: 'restOauth', action: 'accessToken')
*** Work for me grails spring refresh token
-method : Post
-http://localhost:8085/oauth/access_token?grant_type=refresh_token&refresh_token={your_access_token}
I am trying to GET an issue in Jira using POSTMAN. I have selected Type as OAuth 1.0. For that it is asking me some fields mentioned below. I have generated Token and Token Secret which I am passing to it. I have also configured my generic application to Jira in Application links. I am not aware of what to be passed in Consumer Secret and Signature Method (what should be the signature method). I am currently selecting HMAC-SHA1. For rest of the fields it is generating values based on the parameters passed above.
Consumer Key : hardcoded-consumer
Consumer Secret : ?? (What should I pass here)
Token : ojn33TZALMlvp5eCa6HeErDSx9K8LL6A
Token Secret : inHfn2QFJkkYkWQ8FxT9mXkdcoNxYPf5
Signature Method : HMAC-SHA1
Timestamp : 1474290363 (Generated value)
Nonce : x1hs2v (Generated value)
Version : 1.0 (Generated value)
Realm : (It is optional)
After hitting my jira Url it is giving me oauth_problem=token_rejected error. Can anyone tell me where I am making the mistake?
Here is the Jira URL which I am hitting :
http://bmh1060149:8080/rest/api/2/issue/NWFM-1 (NWFM-1 is the Jira issue)
Please find the below screen shot for more reference.
After little bit of research I found the answer. Once we get the access token we can directly pass that to your Jira Url. There is no need to pass all those parameters.
To get all issue types we can use the following URL and passing access token as an argument.
http://bmh1060149:8080/rest/api/2/issuetype?access_token=euyyIxB6q5waBHeZ9zB7kGV21GRNNOud
Please see the attached screen shot for more reference.
I want to send some extra parameters to twitter's oauth/authorize endpoint (along withoauth_token) and get them back as it is in the callback request (along with oauth_token and oauth_verifier).
For example:
request(extra parameter - app_name):
https://api.twitter.com/oauth/authorize?oauth_token=FxHxpekZK8VVfNRr38i2WKJskIZY3Hj7&app_name=myTwitterApp
callback request should be(extra parameter returned as it is - app_name):
http://www.example.com?oauth_token=FxHxpekZK8VVfNRr38i2WKJskIZY3Hj7&oauth_verifier=Vq0yq2LRUBybevnjGvXyUOBPWH9Ew9DY&app_name=myTwitterApp
Please let me know if this doable in twitter as it is in Google and Facebook.
Asked this question on twittercommunity and got the answer. The trick was to add the extra parameters in the callback url itself while obtaining the request token.
We're making requests for bearer tokens using client_credentials OAuth 2 grant flow with Apigee. According to the spec:
4.4.2. Access Token Request
The client makes a request to the token endpoint by adding the
following parameters using the "application/x-www-form-urlencoded"
format per Appendix B with a character encoding of UTF-8 in the HTTP
request entity-body:
grant_type
REQUIRED. Value MUST be set to "client_credentials".
If we make a call however we get an error like this:
{"ErrorCode" : "invalid_request", "Error" :"Required param : grant_type"}
It seems that using Apigee we have to send grant_type as a query parameter.
Why is this? We have clients of Apigee that are unable to use OAuth libraries in their language of choice because of the way that Apigee deals with OAuth 2, and it would be good to know if there is by-design or not.
In addition it doesn't seem like it supports grant_type in the post body and sending id and key using basic auth.
Turns out you do not need to send in grant_type as a query parameter. There is a <GrantType> element in your GenerateAccessToken policy that takes in a variable. For instance, I can use the following:
<OAuthV2 name="GenerateAccessToken">
<DisplayName>GenerateAccessToken</DisplayName>
<FaultRules/>
<Properties/>
<!-- This policy generates an OAuth 2.0 access token using the password grant type -->
<Operation>GenerateAccessToken</Operation>
<!-- This is in millseconds -->
<ExpiresIn>1800000</ExpiresIn>
<Attributes/>
<SupportedGrantTypes>
<GrantType>password</GrantType>
</SupportedGrantTypes>
<GenerateResponse enabled="false">
<Format>FORM_PARAM</Format>
</GenerateResponse>
<GrantType>user.grant_type</GrantType>
<UserName>request.header.username</UserName>
<PassWord>request.header.password</PassWord>
</OAuthV2>
In this example, the grant_type is passed in as user.grant_type. But user.grant_type can be anything-- header, query param, form param, or even a hard-coded value. This way, you (the developer) are provided maximum flexibility on how you want to send in the grant_type.
Can you paste the exact API call that you are making (obviously you should obfuscate the key and secret)?
I'd like to understand what you say when you say "Apigee" -- it could mean API BAAS (https://api.usergrid.com) or a proxy that you defined using API services and attached an OAuth 2 policy to, or something else?
I am using tornado framework to use the Twitter API. I am not understanding why I am getting a callback url with the value of next in it
auth/login?next=%2F%3Foauth_token%3D
I understand that /auth/login is setup by me during AuthLoginHandler. But I am not understanding what is setting next token inside the url. This makes my other argument
self.get_argument('oauth_token', None)
return None.
I know that we can still parse the url the get the oauth_token, but any insights into how TwitterMixin or default Oauth class of tornado is doing this. I am a newbie to Tornado
Firstly, You can ignore the 'next' argument until you get your core code working.
'next' is an extra parameter so you can forward the user to to the original page you asked for like this:
self.redirect(self.get_argument('next', '/'))
The 'next' param is added in the request handler here after a call to get_current_user has returned None. [ie user is not logged in]
The Tornado docs describe how to write a handler for Twitter.