Trying to add Twitter login using OAuth, and it has been a nightmare to get through the first step of requesting the token, which always results in a 401 error.
I used Twitter's Test OAuth tool to compare against the HTTP request that my Scala server sends. The curl request works while my server request fails. Pasting them below for comparison.
Curl Request
curl --request 'POST' 'https://api.twitter.com/oauth/request_token' --data 'oauth_callback=http%3A%2F%2F0.0.0.0%3A8081%2Fweb' --header 'Authorization: OAuth oauth_consumer_key="wRflKWWomJ9jKeK8wbTk0Jck3", oauth_nonce="46ef029600fcc2a6cbe068eb9711401c", oauth_signature="3ptB%2B6%2Fv9QYGgyQjO9DhuD7pmzA%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1422879905", oauth_version="1.0"' --verbose
Scala server Request
HttpRequest(POST,https://api.twitter.com/oauth/request_token,List(Authorization: OAuth oauth_consumer_key="wRflKWWomJ9jKeK8wbTk0Jck3", oauth_nonce="70449464359328", oauth_signature="yEni23tuzEveIMtDm7%2F8N2anU%2FM%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1422879900", oauth_version="1.0"),HttpEntity(application/x-www-form-urlencoded,oauth_callback=http%3A%2F%2F0.0.0.0%3A8081%2Fweb),HTTP/1.1)
Things I tried:
- Made sure the timestamp is within 5 minutes
- Made sure "Allow this application to be used to Sign in with Twitter" is set in the Twitter settings.
- Callback URL is set - http://0.0.0.0:8081/web (even tried proxy names for localhost by changing the IP table)
- Tried generating the request token using Scalaj
- Used a custom OAuth signature request, primarily using OAuth.scala
This 401 twitter request token seems to be a recurring theme for many folks, complicated by various failure points. Any help is much appreciated.
For anyone else facing this issue, I am listing a few things that you could benefit from.
After excruciating attempts at permutations and combinations, oauth_token had to be a part of the signature (even if its value is an empty string). I am not sure if it is mentioned anywhere, and it is particularly ironic that you had to remove the access token and secret while using Twitter's OAuth testing tool (for the curl command to work properly, which took some bloody lot of time to figure out).
It is good to validate your basestring - Tool
Validating if your signature process is correct - Check point (f)
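Added example, not part of the original posts: Python code that builds the RFC 5849 signature base string and HMAC-SHA1 signature for the request_token call above, showing how the base string changes depending on whether the form-body oauth_callback and an empty oauth_token are included in the signed parameters. The header values come from the curl request on this page; the consumer secret is a constructed placeholder and the function names are illustrative.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    """Percent-encode per RFC 3986: only unreserved characters stay literal."""
    return quote(str(value), safe="")

def base_string(method, url, params):
    """RFC 5849 section 3.4.1 signature base string for a URL without a query."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1(base, consumer_secret, token_secret=""):
    """Key is consumer_secret&token_secret; the '&' stays when no token exists yet."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

# Header values from the curl request on this page; SECRET is a constructed placeholder.
OAUTH = {
    "oauth_consumer_key": "wRflKWWomJ9jKeK8wbTk0Jck3",
    "oauth_nonce": "46ef029600fcc2a6cbe068eb9711401c",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1422879905",
    "oauth_version": "1.0",
}
BODY = {"oauth_callback": "http://0.0.0.0:8081/web"}
URL = "https://api.twitter.com/oauth/request_token"
SECRET = "EXAMPLE-CONSUMER-SECRET"

def variants():
    """Base string and signature for three choices of signed parameter set."""
    sets = {
        "header_only": dict(OAUTH),
        "header_and_body": {**OAUTH, **BODY},
        "with_empty_oauth_token": {**OAUTH, **BODY, "oauth_token": ""},
    }
    out = {}
    for name, params in sets.items():
        base = base_string("POST", URL, params)
        out[name] = (base, hmac_sha1(base, SECRET))
    return out

if __name__ == "__main__":
    for name, (base, sig) in variants().items():
        print(f"{name}\n  {base}\n  oauth_signature={pct(sig)}\n")
```

Comparing the printed base strings with the one your own client builds shows which parameter set the two sides disagree on.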
Another possible scenario
In my Twitter client app settings screen, I set the option "Enable Callback Locking (It is recommended to enable callback locking to ensure apps cannot overwrite the callback url)" and this caused me to get a 401 unauthorized error when trying to get the request token.
I'm in the context of an embedded device that uses an HTTPS client to request an access token on behalf of a user (delegated permission needed for the app).
I'm currently using OAuth 2.0 ROPC (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc) to get my token and everything works fine.
But since this authentication is deprecated I'd like to change to a more secure solution that works in hybrid identity federation scenarios.
I see that many other solutions exist, but I can't find one that doesn't need to interpret an HTML/JS response.
Here is a curl example to explain my point:
ROPC request:
curl -X POST "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token" --data "grant_type=password&scope=EWS.AccessAsUser.All&username=<username>&password=<password>&client_id=<client_id>&client_secret=<client_secret>" -H "Content-Type: application/x-www-form-urlencoded"
Response:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0eX....1234"}
Here I can extract the token directly from the response.
But using other ways to get delegated permission token such as OAuth 2.0 Implicit Grant flow (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow), responses are always an HTML that I can't interpret.
So here I am wondering if there is a solution to this situation.
Thanks in advance,
Aloïs KYROU
You cannot use the implicit flow to obtain the token in the tool, you can only run the request url in the browser. Because using the implicit flow requires you to log in. Please note that before this, you must enable id token and access token.
Request the id token and access token in the browser.
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client id}
&response_type=id_token token
&redirect_uri={redirect_uri}
&scope=openid EWS.AccessAsUser.All
&response_mode=fragment
&state=12345
&nonce=678910
When we are accessing the Asana API we are using the Asana node client v0.15.0 together with a Tampermonkey script. The API is responding with a 401 (Unauthorized).
This worked a couple of days ago. I have tried with new Personal Access Tokens but still get the same error.
While fiddling the request I tried to change the auth-header Bearer to be lower cased.
Authorization: Bearer my-personal-access-token ->
Authorization: bearer my-personal-access-token.
This seems to work fine, that indicates that something changed on Asana's side.
The node-asana js client lib does not let me modify the request before sending it to Asana API.
According to Asana API support it is on stackoverflow that I should ask about help on this matter.
EDIT
By some further investigation it seems that when we send in the cookie auth_token=My auth token we do get the 401 error. But if we remove the cookie and reissue the request in Fiddler, it works fine.
Another note is that now we do not get any custom_fields in the response from e.g https://app.asana.com/api/1.0/tasks/TaskId
I'm a Developer Advocate at Asana. You've caught something that is a known issue and we're working on a fix :) We're rolling out a new version of our API. It's intended to be backwards-compatible with the older implementation, but giving us multiple forms of authentication is one of those cases where we do something different between the two.
For security purposes, we initially implemented this in the new version to not allow requests with multiple forms of authentication, but it turns out that in-browser integrations were affected in precisely the way you're seeing: being logged into Asana, which causes your browser to send your authorization credentials for requests to asana.com automatically, and also authorizing "the right way" for our API with OAuth or a Personal Access Token will end up breaking. We're working on a fix that will allow this to work for the case when both the logged in (cookie) user and the API (access token) user are the same.
If this is an urgent issue and you want to force the old behavior to happen while we roll out the fix in our newer API implementation, you can set a header as described in that link --^ to force your requests on to the old API. Once we get the new API fully deployed and stable, though, we'll deprecate that header, so please be cautious in relying on it for a long-term solution.
Sorry that this has caused issues for you, and thanks for creating this question to let us know!
As part of the OpenID Connect (OAuth2 for Login), my application is supposed to request an access token, given a one-time authorization code, via the endpoint https://www.googleapis.com/oauth2/v3/token. According to documentation, this request needs 5 parameters passed to it, client_id among them. That is exactly what my application does, using the Perl module Net::OAuth2.
Everything has been working fine for several months, but today I was notified that it stopped working. No updates were made to the application code nor the libraries used by it.
The message my application now receives from the server when calling the token endpoint is this, in a 400 error response:
OAuth 2 parameters can only have a single value: client_id
A Google search suggests nobody has ever seen this message before, or lived to tell the tale. There doesn't seem to be a general issue with Google's OpenID Connect (other services based on it are working flawlessly), and the imminent shutdown of the old login protocol doesn't seem relevant.
More testing: removing all parameters except client_id causes this error message:
Required parameter is missing: grant_type
Supplying only client_id and grant_type produces the original error message again.
Does anyone have an idea what's going on here?
Google changed this behavior a few days ago, so any OAuth2 library using Basic Auth headers AND body request parameters will start to see messages like
OAuth 2 parameters can only have a single value: client_id
or
OAuth 2 parameters can only have a single value: client_secret
So you must NOT use both (the Auth headers and the body request parameters) at the same time to send credentials to Google.
And according to RFC 6749, the preferable way to send credentials is through Auth headers (thanks #JanKrüger for alerting me about this).
Got the same error. It seems the problem is that Net::OAuth2 sets the authorization header when exchanging the authorization code for an access token. If you remove this header everything works fine.
Check the get_access_token method in Net::OAuth2::Profile::WebServer module. The authorization header includes client_id:client_secret base64-encoded string. Apparently Google now treats this duplication as an error.
The right way of fixing this is to set the secrets_in_params parameter when creating Net::OAuth2::Profile::WebServer object. Look in the Net::OAuth2::Profile documentation for more details.
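Added example, not part of the original answers and not Net::OAuth2 code: a Python illustration of the two ways to send client credentials to a token endpoint, plus a pre-flight check that flags the duplication both answers describe. The function names, the `secrets_in_params` argument (named after the Perl option mentioned above) and all sample values are assumptions made for this example, and the check only approximates what a strict server might reject.

```python
import base64
from urllib.parse import parse_qs, urlencode

def token_request(code, client_id, client_secret, redirect_uri, secrets_in_params=False):
    """Build headers and form body with client credentials in exactly one place."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if secrets_in_params:
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        raw = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    return headers, urlencode(form)

def credential_problems(headers, body):
    """List ways the client credentials are duplicated in one request."""
    problems = []
    form = parse_qs(body, keep_blank_values=True)
    for name in ("client_id", "client_secret"):
        if len(form.get(name, [])) > 1:
            problems.append(f"{name} repeated in body")
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    if auth.lower().startswith("basic "):
        for name in ("client_id", "client_secret"):
            if name in form:
                problems.append(f"{name} in both Basic header and body")
    return problems

if __name__ == "__main__":
    # Constructed sample values; nothing here is a real credential.
    args = ("constructed-code", "example-client-id", "example-secret", "https://app.example/cb")
    header_form = token_request(*args)
    body_form = token_request(*args, secrets_in_params=True)
    duplicated = (header_form[0], body_form[1])  # header AND body, as described above
    for label, (h, b) in [("header", header_form), ("body", body_form), ("both", duplicated)]:
        print(label, credential_problems(h, b))
```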
Hello kind people of the internet,
We can successfully use the Google OAuth 2.0 Playground to make a simple SQL POST insert to a FusionTable, but when we attempt the same basic HTTPS POST operation in anything else (from a back end system, another browser session, the Postman Chrome tool, hurl.it, etc., etc.), we always get a 403 error:
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.",
I'm puzzled why the error is returned when doing an HTTPS post from other systems (other than OAuth playground)?...as at the time I'm supplying an active Access token (cut-n-pasted Access token from OAuth playground).
The successful-working-good Request block in OAuth 2.0 Playground is below (but the Access token is of course now expired):
POST /fusiontables/v1/query?sql=INSERT INTO 1CqwRGEEn4L0gN66JwGvCR5yOI8miNMVijcp4XlE (Name, Age) VALUES ('Forrest', 57) HTTP/1.1
Host: www.googleapis.com
Content-type: application/json
Authorization: Bearer ya29.AHES6ZRr9CkHptvLaYlba_u6wceIh29urI8FjFp8xMP08AcBm2qpHg
Here's the direct URL that is generated by several different REST based tools I'm attempting to use to simulate the HTTPS request to do a POST sql insert to FusionTables (which again: always generates a 403 error even with an active Access token):
https://www.googleapis.com/fusiontables/v1/query?sql=INSERT%20INTO%201CqwRGEEn4L0gN66JwGvCR5yOI8miNMVijcp4XlE%20(Name,%20Age)%20VALUES%20('Jim',%2057)=&Content-length:=0&Content-type:%20=application/json&Authorization:=%20Bearer%20ya29.AHES6ZRr9CkHptvLaYlba_u6wceIh29urI8FjFp8xMP08AcBm2qpHg
Some other notes:
-In my Google APIs Console, I'm using the "Client ID for web applications".
-I updated the FusionTable properties with the API console email address to allow edit capability on the fusion table used in the above SQL (1CqwRGEEn4L0gN66JwGvCR5yOI8miNMVijcp4XlE). (Adding the email for edit capability to the FusionTable properties was kindly suggested by Odi for Service accounts on another related post on FusionTables.)
Any help in explaining why HTTPS Post works in the OAuth playground for a sql insert to FusionTables, but not anywhere else would surely be appreciated...there must be something I'm missing, as supposedly the OAuth playground was to help illuminate how OAuth works at a detailed level so we could handle in other systems that don't necessarily have a developed OAuth library.
Update 8/23, per the suggested answer...here's a URL syntax that works in POSTMAN and uses both the OAuth API key and an active Access token which was obtained using the OAuth playground (access token is of course fake/expired).
https://www.googleapis.com/fusiontables/v1/query?sql=INSERT%20INTO%201CqwRGEEn4L0gN66JwGvCR5yOI8miNMVijcp4XlE%20(Name,%20Age)%20VALUES%20('Bob',%2031)=&Content-length:=0&Content-type:%20=application/json&key={OAuth API key}&access_token=ya29.AHES6ZST_c2CjdXeIyG8LwkprQMGGfoW45sonX0d1H51234
Try adding your API key to the POST. Even though the message refers to authentication I'm pretty sure it's not OAuth authentication but your API usage that needs to be verified.
Hoping someone can help me out here. I'm using Google Contacts API to fetch a list of contacts. To my understanding, this is done by sending a GET request:
https://www.google.com/m8/feeds/contacts/default/full?alt=json&max-results=9999&oauth_token=OATH_TOKEN_HERE
However, this is wildly insecure as any intruder can gain access to the oauth_token in the URL. To combat this, I'm trying to send this as a POST request with my parameters (alt, max-results, oauth_token) as the data. However, I simply get an error that "Authorization is required". I've tried adding "Authorization: OAuth" to my headers but to no avail (get an error that authorization type is not recognized).
Any advice? I need a secure way to send the oauth token to Google such that my security software won't complain about a security hole in my program ...
Thanks!
To answer your question directly, even though security is irrelevant as you are using HTTPS, you cannot POST to Google to get a list of contacts. Google requires you to use GET.
The proper formatting for authorization (because you can still use a GET and not pass the oauth_token as a query string) is to use an HTTP header formatted:
Authorization: Bearer 1/fFBGRNJru1FQd44AzqT3Zg
Using OAuth 2.0 to Access Google APIs