so - tearing my hair out here
im sending this a POST to https://api.twitter.com/oauth/request_token
my Authorisation header is
OAuth oauth_callback="splat%3A%2F%2F",
oauth_consumer_key="Fh71vIGgcR9zJO7eF1Rc4NC5t",
oauth_nonce="c0ec4fcb6b84b089821a4eea187e8dbc0b4629fb1760203805304cb25193b72f%2C",
oauth_signature="OTkyYmI2NDM1MTc4YjY0OTQwYzYwZTUwNWEyZGVkZDI3MzYyNjBkZg%3D%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1414442911001",
oauth_version="1.0"
and my base string used to generate this was
POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dsplat%253A%252F%252F%26oauth_consumer_key%3DFh71vIGgcR9zJO7eF1Rc4NC5t%26oauth_nonce%3Dc0ec4fcb6b84b089821a4eea187e8dbc0b4629fb1760203805304cb25193b72f%252C%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1414442911001%26oauth_version%3D1.0
i keep getting a 401 however, my example seems to match any examples i can find
any help/obvious mistakes would be much appreciated...
Without your consumer key (and I suggest you don't post it here!), we can't check whether your signature is correct or not.
However you could try verifying your signature using one of the online signature generators such as:
The LinkedIn OAuth Test Console
Had the same problem, what fixed it for me was to remove the oauth_callback altogether.
Just specify a callback in the app settings, then it should work.
I know the documentation labels it as required, but somehow with the callback it doesn't work.
Your header should look like this:
OAuth oauth_consumer_key="XXXXXXXXXXXXXXX",
oauth_nonce="Lhw1HTTtPojMXTsPNWwlXMp1J8UPST9GftzelvW6rQ6",
oauth_signature="zQyHupvnJwFaRPU8IR%2F2axaMFVc%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1415554564",
oauth_version="1.0"
And your basestring something like this:
POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_consumer_key%XXXXXXXXXXXXXX%26oauth_nonce%3DLhw1HTTtPojMXTsPNWwlXMp1J8UPST9GftzelvW6rQ6%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1415554564%26oauth_version%3D1.0
Related
I have 2 internal Rails services, which need to speak to each other.
I need an advice how to make it secure enough and with minimum effort.
Currently service A sends Authorization HTTP header to service B, which contains secret token. Simple HTTP Token-based method, nothing special. But I also need somehow to communicate a user token, so service B will know, which user is talking to it.
My current solution is following:
send Authorization Token token=blabla user_token=blabla2
use existing in Rails methods to parse it
identify user by provided user_token
inspired by this StackOverflow post
Alternatives:
Amazon way with something like: Authorization: MY-APP-V1 Token=blabla Credential=user_token, but I need custom parser for it.
Custom HTTP header like X-USER-TOKEN, but seems like RFC is not in favor of this idea.
Your proposal or suggestion
Thank you very much for any help.
I'm curious as to why the user token is not enough, can you elaborate on this?
But assuming you want to continue with the double-token approach, something like JWT could be used to encode the user token with the secret token. That way you will just have 1 token and can send it simply as Authorization: Bearer xxxxxx.
I'm working on an API, i need to get a token access using PostMan, it's an openid connect token i've tried to get using a GET Method and a POST Method but the result is the same i always have Invalid Request , with missing form parameter for the grant type key.
As you can see bellow the grand type is already setted but not working.
Do you have any ideas ?
Thanks
As a guess, as I don't know the full details, I would have thought it would need to be something like this:
Add the details for the client_id, client_secret and grant_type to the request body. These should be placed in the x-www-form-urlencoded option.
As I don't know the full details, I'll be happy to update the answer if more are provided.
I just starting working on an iOS Swift 3 application that will integrate with a certain EHR. I had it working several months ago, but when I tried it this eve I noticed the application froze when I tried to get the access token. it appears that the token part of the OAuth2 exchange has changed and now looks like this:
POST https://api.xxxxxx.com/oauth2/access_token
curl -X POST https://api.xxxxxx.com/oauth2/access_token \
-H 'Authorization: Basic Y2xpZW50X2lkOnNlY3JldA==' \ //dummy auth
--data "code=a14d2c8e-9c8a-4820-8ae1-d9313bb6abe2&grant_type=authorization_code&redirect_uri=YOUR_REDIRECT_URI" //dummy code
I was going to include a pic of their documentation concerning this, but its copyrighted. Basically this is what must be included in the post to the token URL:
The Authorization header is required and must be in the format API_KEY:SECRET_KEY and then url safe base64 encoded.
The body of the request must include the following fields:
code - The authorization code that was sent to your Redirect URI at the end of the OAuth login process (see above).
grant_type - The type of authorization grant in use. In this case code for the authorization code.
redirect_uri - The redirect URI for the application, URL encoded.
Any idea of how to do this in Paw would be greatly appreciated! Right now the only way I can figure it to do each call manually as a request and pass along the pertinent items.
thanks!
Mark
From what I see here, it should be nicely supported by Paw. Here's an example config that should fit your needs:
In Paw, if you do NOT check "Set client credentials in the body", it will set the Client Key and Secret in the Authorization header exactly as you described (base64, separated by a :, that's the Basic Auth format).
Otherwise, things should be working ok. Let me know if you need any help.
I'm using intridea/oauth2 for oauth2 functionality. Everything is working fine with authentication and making requests with an access token.
But what i can not find out is how to make a request without an access token. I thought it would simply work with
client = OAuth2::Client.new(key, secret, :site => site)
client.request(:post, "/api/users", {params: {param1: "val1"}})
but that does not seem to work. It is not setting any oauth header in the request.
How do i make a request like that?
Leave out oAuth completely then. Use simple Net::HTTP requests or use a library like REST Client for example.
It seems like the library isn't capable of something like that. So i now have two ways of authentication. You can find some information on this page: http://railscasts.com/episodes/352-securing-an-api?view=asciicast
I generated my OAuth signature using twitter's own tool at https://dev.twitter.com/docs/api/1/post/statuses/update How do I use the "signature base string" and "authorization header" with CFHTTP to post a new status on my own twitter account. I'm not trying to access anyone else's account, just need to be able to post status updates to my own account. Your help is really appreciated.
Don't bother writing it yourself, use this: http://monkehtweet.riaforge.org/ its great I have used it many times for twitter integration.
If you want to write it yourself, you'll have to follow the instructions documented on https://dev.twitter.com/docs.
A signature is a serialization and encoding of all your request values in combination with a signing key. It's all very well documented at https://dev.twitter.com/docs/auth/creating-signature
You'll need the hmac-sha1 encoding to create a valid signature. If you're not using coldfusion 10, you'll need something like this: HMAC SHA1 ColdFusion