How to make OAuth request with access token linkedin - oauth

How I can make authenticated request if I have access token?
I follow this post:
https://developer.linkedin.com/documents/authentication
and pass access token like this:
https://api.linkedin.com/v1/people/~?oauth2_access_token= some token
I always receive error:
<error>
<status>401</status>
<timestamp>1412404356540</timestamp>
<request-id>01GPXMMPI4</request-id><error-code>0</error-code>
<message>Invalid access token.</message>
</error>
Can somebody give me some advice? I am very new in OAuth.

Access token should not be sent in the query string. It should be included in the header in the authorization field.
GET /v1/people/~
...
Authorization: Bearer <access_token>

Related

LinkedIn - Getting Access Token Error invalid_redirect_uri

has anyone succeeded in connecting to Linkedin API here?
I followed the instructions on the docs but failed to retrieve the Authorization Code.
Here's the result of my POST request to get the access_token
{
"error": "invalid_redirect_uri",
"error_description": "Unable to retrieve access token: appid/redirect uri/code verifier does not match authorization code. Or authorization code expired. Or external member binding exists"
}
I'm using the https//airbyte.io as a redirect_uri
My GET get request to obtain the authorization token is the following:
https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=78oy2gu644mxz2&redirect_uri=https%3A%2F%2Fairbyte.io&scope=r_ads,r_ads_reporting,r_organization_social
I followed a couple advices in the different thread in SO
double checked my client_id and client_secret
encoded the URI in GET request
added scope parameters to the redirect_url at the POST request
Tested the request with the code within 20 seconds window.
Couple of things:
Ensure your redirect URI is also defined within your app's configuration as an allowed redirect URI. See https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin%2Fmarketing%2Fcontext&view=li-lms-2022-11&tabs=HTTPS1#step-1-configure-your-application. The documentation specifies a certain URL to use when testing with Postman.
In your authorization call, your scopes are comma-delimited. They should be space-delimited and URL-encoded. See https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin%2Fmarketing%2Fcontext&view=li-lms-2022-11&tabs=HTTPS1#step-2-request-an-authorization-code.

Microsoft Graph API Authentication - Access token is empty

I'm trying to get a bearer token to upload a file to Microsoft Teams.
When doing a post request to
https://graph.microsoft.com/{tenantId)/oauth2/v2.0/token
body:
client_id,
scope= https://graph.microsoft.com/.default,
grant_type= authorization_code,
client_secret & redirect uri (https://myenvironment.com/callback)
code: I got this by doing a request to
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize?client_id={client_id}&response_type=code&redirect_uri={redirect_uri}&response_mode=query&scope=https://graph.microsoft.com/.default
I get a 401 Unauthorized with error code InvalidAuthenticationToken and error message Access token is empty.
I'm not sure which api you wanna call here, but I can show you an example. For instance, I want to call this api to upload a file on behalf of me.
Then I need to give api permission for calling this api, you can see api permission here.
Then open the browser to send a request like this
https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?
client_id=client_id
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost:8080%2F
&response_mode=query
&scope=Files.ReadWrite Files.ReadWrite.All Sites.ReadWrite.All
&state=12345
Then you will get a code in the url, then cope the code.
Post: https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
request header
Content-Type:application/x-www-form-urlencoded
request body
client_id:
client_secret:
code: copy_from_browser_url
redirect_uri:http://localhost:8080/
grant_type:authorization_code
scope:Files.ReadWrite Files.ReadWrite.All Sites.ReadWrite.All

WSO2 IS: Error using OAuth Authorization Code flow with SOAP API

I'm using the OAuth Authorization Code flow to authenticate the user and authorize my application against the WSO2 Identity Server. I'm using a simple node/express server, with Passport.js, to get the Access Token, and Postman to use that Access Token to make a few test requests to the SOAP APIs.
When using a Bearer Token method to authorize my application, I get the following error in the IS logs: 0 active authenticators registered in the system. The system should have at least 1 active authenticator service registered. I get the following error in Postman: 500 Internal Server Error, with the following response body, <faultstring>Authentication failure</faultstring>.
Here is what it looks like in Postman:
The same Access Token works with a REST API request, like "https://localhost:9443/scim2/Me".
Can anyone tell me what I'm missing here?
SOAP APIs in WSO2 Identity Server cannot be authenticated with Bearer tokens. They can be authenticated with Basic authentication and cookies. That's the reason for getting Authentication failure in the response.
But REST APIs in the Identity Server can be authenticated with Bearer tokens. So /scim2/Me authenticate successfully with access token.
Try to get the Access token manually from Authorize service and use it
Step 1: Get authorization code
https://<is_server_url>:9443/oauth2/authorize?client_id=<id>&redirect_uri=<callback_url>&response_type=code&scope=openid
You will get an authorization code on the callback URL
Step 2: Call token service to get access token
Post https://<is_server_url>:9443/oauth2/token
Content-Type:application/x-www-form-urlencoded
Authorization:Basic <base64encoded "<client_id>:<client_secret>">
grant_type:authorization_code
scope:openid
code:<code_from_step_1>
redirect_uri:<callback_url>
exp:
client_id=**abcdefgh12345678**
client_secret=**xyzsecretkey**
callback_url=**http://locahost/callback**
scope=openid
server: localhost
base64encode(client_id:client_secret)= base64encode(abcdefgh12345678:xyzsecretkey) => YWJjZGVmZ2gxMjM0NTY3ODp4eXpzZWNyZXRrZXk=
GET https://localhost:9443/oauth2/authorize?client_id=**abcdefgh12345678**&redirect_uri=**http://locahost/callback**&response_type=code&scope=openid
it will make a request back to the callback url with a parameter code, lets say code=this01is02your03code, please check your browser address bar
POST https://localhost:9443/oauth2/token
HEADERS
Content-Type:application/x-www-form-urlencoded
Authorization:Basic **YWJjZGVmZ2gxMjM0NTY3ODp4eXpzZWNyZXRrZXk=**
BODY
grant_type:authorization_code
scope:openid
code:this01is02your03code
redirect_uri:http://locahost/callback
this will return an access token, let say token returned by the server is 12345678ASDFGH
Now you could use this token to call any RestFull or SOAP service
Authorization: Bearer 12345678ASDFGH

microsoft_graph oAuth refresh error

I allow users to authorize their Microsoft accounts using oAuth and the Microsoft Graph API. I am using this omniauth strategy to facilitate the authorization. In the OmniAuth strategy, it includes the resource for both authorize_params and token_params "https://graph.microsoft.com". This allows me to authenticate just fine but when I go to refresh the auth, I get this error returned:
{"error"=>"unauthorized_client", "error_description"=>"AADSTS70001: Resource 'https://graph.microsoft.com/' is not supported as resource.\r\n"}
Along with a trace_id and some other things that I will post if needed.
The endpoint I am hitting to refresh is POST https://login.microsoftonline.com/common/oauth2/v2.0/token with the client_id, refresh_token and grant_type: "refresh_token" params.
Refreshing this oAuth token was working fine as recently as last week. Did something change with the Microsoft Graph API or something?
You may want to take a look at Refreshing a Token.
It sounds like you were partially there, you were just missing some additional parameters:
grant_type - Set as refresh_token
refresh_token - The refresh token value you received from the Provider
client_id - This is your Application ID from above
client_secret - This is the Password we generated before
scope - This should match the same set of scopes you first requested
redirect_uri - This is the redirect URI defined in your application registration
These are formatted application/x-www-form-urlencoded in you POST to https://login.microsoftonline.com/common/oauth2/v2.0/token
POST URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
POST HEADER: Content-Type: application/x-www-form-urlencoded
POST BODY: grant_type=refresh_token&refresh_token=[REFRESH TOKEN]
&client_id=[APPLICATION ID]&client_secret=[PASSWORD]
&scope=[SCOPE]&redirect_uri=[REDIRECT URI]
Turns out it was as simple as I was authing to v1.0 but attempting to reauth to v2.0. Not sure why this worked up until now but ensuring they are hitting the same version of the API has solved the issue.

When exchanging the Amazon Alexa grant_code for an access_token, where are the credentials?

I am trying to write the exchange and access endpoints and the docs here (https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/linking-an-alexa-user-with-a-user-in-your-system#h2_login) are not clear on a couple of things:
how is the call to exchange a grant code for access token made - is it GET with credentials in QS or is it a POST with credentials in a body?
Is the access token delivered only in the JSON for an intent call or is it set properly as a bearer token?
It's a POST with credentials in the request body. Amazon follows the Oauth2 RFC correctly in this case.
The access token is delivered by Amazon only in the JSON for the intent request and not properly set as a bearer. This is annoying.
In my case, I had to hack around it by first validating if the request was a valid alexa request which contained a session with an access token, then setting the HTTP_AUTHORIZATION header to Bearer <token>, then using existing request auth logic to authenticate (I was using Django with django-oauth-toolkit, so YMMV if you're using something else).
That code looks something like this:
# get the access_token from the POST request
if access_token is not None:
request.META["HTTP_AUTHORIZATION"] = "Bearer " + access_token
if not hasattr(request, 'user') or request.user.is_anonymous():
user = authenticate(request=request)
if user:
request.user = request._cached_user = user
if request.user.is_authenticated():
# Do whatever with the logged in user

Resources