I am trying to connect to QuickBooks Online, but when I try to request a token from https://oauth.intuit.com/oauth/v1/get_request_token
I am getting a signaure_invalid message. My signature matches what what googles signature generator makes: http://oauth.googlecode.com/svn/code/javascript/example/signature.html
So I am really at a loss for what QuickBooks is expecting and I am not providing. I have tried including the oauth_callback in the signature, but this did not make a difference. Does anyone have some pointers for where are I am wrong?
Here are my test app details:
ConsumerKey: qyprd46Is0FZ3v1tuE4unkw3iq6cUB
oauth_timestamp: 1398355877
oauth_nonce: X3e3aflZMeKPDwMI
oauth_callback: /qbGetOAuthToken
oauth_signature_method: HMAC-SHA1
Signature Base String: POST&https%3A%2F%2Foauth.intuit.com%2Foauth%2Fv1%2Fget_request_token&oauth_consumer_key%3Dqyprd46Is0FZ3v1tuE4unkw3iq6cUB%26oauth_nonce%3DX3e3aflZMeKPDwMI%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1398355877%26oauth_version%3D1.0
Authorization Header:
Authorization: OAuth oauth_signature_method="HMAC-SHA1",oauth_nonce="X3e3aflZMeKPDwMI",oauth_timestamp="1398355877",oauth_consumer_key="qyprd46Is0FZ3v1tuE4unkw3iq6cUB",oauth_version="1.0",oauth_signature="SJNPyQU7yuhcVvoLRUgyzw9KTlA%3D",oauth_callback="%2FqbGetOAuthToken"
For everyone's benefit-
The developer resolved this issue by twice encoding the callback URL.
How properly create oauth signature base string?
Related
I am trying to use an OAuth token to connect to Snowflake from Databricks.
I have configured using the official documentation (https://docs.snowflake.com/en/user-guide/oauth-azure.html#step-3-collect-azure-ad-information-for-snowflake).
When request the token I also retrieve what appears to be a valid token. The json in the format {'token_type': 'Bearer', 'expires_in': 3599, 'ext_expires_in': 3599, 'access_token': 'token here}'
However, when I try to use this token it comes as invalid - checking in Snowflake the result is the following:
Using https://jwt.ms/ to look at the claims in my token I find the following: aud, iss, iat, nbf, exp, aio, appid, appidacr, idp, oid, rh, roles, sub, tid, uti, ver.
Which claims are missing?
Most likely the issue issue is that the claim parameter set for OAuth integration object on Snowflake is not passing the right value. Review the following article which details the steps:
https://community.snowflake.com/s/article/Create-Security-Integration-User-To-Use-With-OAuth-Client-Token-With-Azure-AD
I am trying to secure my web api (.net core 2.2) with Azure Ad using implicit flow.
I registered my application in Azure AD using the Azure Portal > Azure Active Directoy > App Registrations > New Application Registration:
Name = MyWebApi
Application Type = Web app / API
Sign-on URL = http://localhost:55000
Once this app is created, I opened its Manifest file and changed oauth2AllowImplicitFlow from false to true.
Thats all I did for the app registration in azure portal.
Then I called the following URL manually from my chrome browser to get access_token:
https://login.microsoftonline.com/MY-AD-TENANT-GUID/oauth2/v2.0/authorize?client_id=MY-REGISTERED-APP-GUID&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%3A55000&scope=openid&response_mode=fragment
the response from calling the above url is:
http://localhost:55000/#access_token=MY-ACCESS-TOKEN&token_type=Bearer&expires_in=3600&scope=profile+openid+email+00000003-0000-0000-c000-000000000000%2fUser.Read&session_state=b2be972a-cfbc-49f1-bfc0-6c93f6c87d02
when I pass MY-ACCESS-TOKEN as Bearer token in Authorization header to my Web API (.net core 2.2) I get the following exception:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey , KeyId: N-lC0n-9DALqwhuHYnHQ63GeCXc'.
I then tried manually verifying the signature:
when I paste MY-ACCESS-TOKEN in https://jwt.io/ the header is:
{
"typ": "JWT",
"nonce": "AQABAAAAAACEfexXxjamQb3OeGQ4Gugvm6YdOT-bkA0IPllKMt06-J8If5AQ075TVCav94X_ZYcEYKaPneqdJcqYry-Z4XjX0eMN_fiJX_8wXe9D2b6eRiAA",
"alg": "RS256",
"x5t": "N-lC0n-9DALqwhuHYnHQ63GeCXc",
"kid": "N-lC0n-9DALqwhuHYnHQ63GeCXc"
}
I then went to this URL to obtain the public key for kid: N-lC0n-9DALqwhuHYnHQ63GeCXc
https://login.microsoftonline.com/common/discovery/keys
I then pasted the following as a public key on jwt.io to validated token signature:
-----BEGIN CERTIFICATE-----
OBTAINED-PUBLIC-KEY-FROM-THE-ABOVE-URL-HERE
-----END CERTIFICATE-----
and I again get Invalid Signature.
I have been to this thread: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/609, but I am not sure why does my token header has nonce value or if this is an issue at all in my case or not.
Any ideas what I am doing wrong here?
I tried this on my side, it worked well.
Request url:
https://login.microsoftonline.com/tenant-name/oauth2/v2.0/authorize?client_id=application_id&response_type=token&redirect_uri=https://snv2app.azurewebsites.net&scope=api://f3d966c0-517e-4e13-a5bb-9777a916b1a0/User.read openid&response_mode=fragment
And when I got the access_token, I parsed it in the jwt.io and entered the public key, I got the result:
What is happening here is the token you are receiving is an access_token for the userInfo endpoint. The audience is graph. Tokens for graph have been modified in a special way so that they must be transformed before the signature can be validated. This allows for graph to forward the token downstream (after transforming) and not worry about a forwarding attack to occur.
To validate see if 'aud == graph'.
I'm adding the ability to post todos to my Todist list via a simple app. At the moment I am getting the response "error"=>"invalid_grant" when exchanging my code for an access_token.
I'm unsure exactly what 'invalid_grant' is referring too in this context. Other answers I find seem to be regarding various Google APIs. The Todoist API documentation makes no mention of it.
The post request for token exchange is:
uri = URI('https://todoist.com/oauth/access_token')
result = Net::HTTP.post_form(uri, client_id: ENV['TODOIST_CLIENT_ID'], client_secret: ENV['TODOIST_CLIENT_SECRET'], code: params[:code])
json_body = JSON.parse(result.body) # <- prints error
Any help understanding and solving this is much appreciated.
Update
After reading Takahiko Kawasaki's answer, I have updated the request to the following, but have the same error message.
uri = URI('https://todoist.com/oauth/access_token')
data = {
:client_id => ENV['TODOIST_CLIENT_ID'],
:client_secret => ENV['TODOIST_CLIENT_SECRET'],
:code => params[:code],
:grant_type => 'authorization_code',
}
result = Net::HTTP.post_form(uri, data)
json_body = JSON.parse(result.body)
Add the following.
grant_type: 'authorization_code'
See RFC 6749, 4.1.3. Access Token Request for details.
Additional comment for the revised question.
It seems that the OAuth implementation by Todoist is not mature. I took a look at their API document and soon found some violations against RFC 6749.
For example, (1) scopes must be delimited by spaces but their document says commas should be used. (2) Their token endpoint does not require the grant_type request parameter, which is required by the specification. (3) The value of the error parameter in the response from a token endpoint should be invalid_grant when the presented authorization code is wrong, but their API document says the value will be bad_authorization_code, which is not an official value.
In addition, this is not a violation, but the specification of their API to revoke access tokens implies that they don't know the existence of the official specification for access token revocation, RFC 7009.
For public clients (RFC 6749, 2.1. Client Types), e.g. smartphone applications, the client_secret request parameter of a token endpoint should be optional, but their API document says it is required.
Because their OAuth implementation does not comply with the specification, it would be better for you to ask Todoist directly.
The latest version of the Todoist API (v8) does not require the grant_type parameter so this is not currently the issue.
Two possible reasons for receiving the invalid_grant error are:
The code was not used within a certain length of time and has expired
The code has already been used to generate an access token and so is no longer valid
In both cases, generating a new code before making the POST request should sort the problem.
Getting authentication errors when I try and obtain my upload authorization token
https://developers.google.com/youtube/2.0/developers_guide_protocol_error_responses
Using a packet sniffer, my first error message is>
401 Token invalid - Invalid token: Cannot parse AuthSub token:
In addition to perhaps improperly formatted Auth key value, I'm wondering exactly what headers I should be including for my upload auth request.
I am using the following though think clientId has been deprecated
"Authorization", "GoogleLogin auth=\"" + authToken + "\""
"X-GData-Client", clientId
"X-GData-Key", "key=" + devKey
After changing
"Authorization", "AuthSub token="+authToken
to
Authorization", "GoogleLogin auth="+authToken
in my request I no longer get 'Cannot parse AuthSub token' error message but
I still get
Error #2032: Stream Error. URL: http://gdata.youtube.com/action/GetUploadToken
<errors>
<error>
<domain>yt:authentication</domain>
<code>Unknown</code>
</error>
</errors>
Stumped. Would really appreciate any feedback as I'm not even certain now where my error(s) exist!
ok working but not really sure how:)
Am using these 2 headers in my POST request to
'http://gdata.youtube.com/action/GetUploadToken'
"Authorization", "GoogleLogin auth="+authToken
"X-GData-Key", "key=" + devKey
And also needed to associate my youtube user developer credentials with a channel
https://groups.google.com/forum/#!msg/youtube-api-gdata/76x8vaADJWM/36O05FD7mC0J
A packet sniffer or at least adding support to read the XMl error responses is essential!
I resolved this problem by providing the correct developer key
I am following oauth authorization flow(http://developer.yahoo.com/oauth/guide/oauth-requesttoken.html) for accessing Yahoo's Contact API . I am able to get consumer key and consumer secret for my application from first step.
However I am getting "File Not Found" in 2nd step while giving URI request.
My URI request is given below===>
https://api.login.yahoo.com/oauth/v2/
get_request_token?oauth_nonce=rs2130523f788f313f76314ed3965ea6
&oauth_timestamp=1325661943
&oauth_consumer_key=dj0yJmk9VndXdnhUbkJMc2MyJmQ9WVdrOVUzcFdkbnA0TXpnbWNHbzlNamMxTXpJeU9UWXkm
cz1jb25zdW1lcnNlY3JldCZ4PTkw
&oauth_signature_method=plaintext
&oauth_signature=1daaeb467916f4331023fc5fce3cb6b6c27ac7ed
&oauth_version=1.0
&xoauth_lang_pref="en-us"
&oauth_callback="http://mysitename.freetzi.com/index.html"
Can you please tell why I am getting "File not found"?
The response status code is 401 if there is something wrong with your parameters. So you got the "File not found" error. But you can see the error message in the http header with Firebug. Your problem is if the oauth_signature_method is plaintext, you should add a %26 after your oauth_signature
Like this
&oauth_signature_method=plaintext
&oauth_signature=1daaeb467916f4331023fc5fce3cb6b6c27ac7ed%26
&oauth_version=1.0
Hope this helps.