I want to use Google drive api in my application, that's why I'm using OAuth 2.0 for Installed Applications. But I have a problem - I can't get an access token. At first I successfully get the authorization code using the following request:
https://accounts.google.com/o/oauth2/auth?
scope=https://www.googleapis.com/auth/drive.file&
redirect_uri=[my redirect_uri from from Developers Console]&
response_type=code&
client_id=[My client ID for native application from Developers Console]
Then I try to get an access token using received authorization code using the following request:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
code={My uthorization code}&
client_id=[My client Id]&
client_secret=[My clien secret]&
redirect_uri=[my redirect_uri from from Developers Console]&
grant_type=authorization_code
All the time server returns 400. Can you tell me what could be the problem?
Trace the http request
Go to OAuth2 Playground and do the same
Spot the difference
It may be that you aren't urlencoding the params
Related
I've implemented application capable of acquiring OAuth access token through authorization process using authorization code grand type. I've used it successfully with Google API services but I have a problem when I use it with AutoDesk Forge API services. I have suspicion that OAuth AutoDesk does not confirm well with OAuth 2.0 specification.
My application issues this HTTP POST request of the shape:
POST /authentication/v1/gettoken HTTP/1.1
Host: developer.api.autodesk.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Here I send client_id and client_secret as username and password for Basic HTTP authorization. But I get an error:
{"developerMessage":"The required parameter(s) client_id,client_secret not present in the request","userMessage":"","errorCode":"AUTH-008","more info":"http://developer.api.autodesk.com/documentation/v1/errors/AUTH-008"}
However, OAuth specification says in chapter 2.3.1 (https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1):
The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.
You can see example of such request that server MUST support in chapter 4.2.3 (https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3):
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
And AutoDesk wants it differently as per its documentation:
curl -v 'https://developer.api.autodesk.com/authentication/v1/gettoken'
-X 'POST'
-H 'Content-Type: application/x-www-form-urlencoded'
-d '
client_id=obQDn8P0GanGFQha4ngKKVWcxwyvFAGE&
client_secret=eUruM8HRyc7BAQ1e&
grant_type=authorization_code&
code=wroM1vFA4E-Aj241-quh_LVjm7UldawnNgYEHQ8I&
redirect_uri=http://sampleapp.com/oauth/callback
'
(Here, as you can see, AutoDesk expects client_id and client_secret to be in the POST request body.) That is additional way that server MAY support as written again in chapter 2.3.1 (https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1):
Alternatively, the authorization server MAY support including the
client credentials in the request-body
So, am I right that AutoDesk Forge API service only supports optional way and apparently doesn’t support mandatory way?
So, am I right that AutoDesk Forge API service only supports optional way and apparently doesn’t support mandatory way?
Affirmative - the only authentication format that's supported can be found here.
I'm using the OAuth Authorization Code flow to authenticate the user and authorize my application against the WSO2 Identity Server. I'm using a simple node/express server, with Passport.js, to get the Access Token, and Postman to use that Access Token to make a few test requests to the SOAP APIs.
When using a Bearer Token method to authorize my application, I get the following error in the IS logs: 0 active authenticators registered in the system. The system should have at least 1 active authenticator service registered. I get the following error in Postman: 500 Internal Server Error, with the following response body, <faultstring>Authentication failure</faultstring>.
Here is what it looks like in Postman:
The same Access Token works with a REST API request, like "https://localhost:9443/scim2/Me".
Can anyone tell me what I'm missing here?
SOAP APIs in WSO2 Identity Server cannot be authenticated with Bearer tokens. They can be authenticated with Basic authentication and cookies. That's the reason for getting Authentication failure in the response.
But REST APIs in the Identity Server can be authenticated with Bearer tokens. So /scim2/Me authenticate successfully with access token.
Try to get the Access token manually from Authorize service and use it
Step 1: Get authorization code
https://<is_server_url>:9443/oauth2/authorize?client_id=<id>&redirect_uri=<callback_url>&response_type=code&scope=openid
You will get an authorization code on the callback URL
Step 2: Call token service to get access token
Post https://<is_server_url>:9443/oauth2/token
Content-Type:application/x-www-form-urlencoded
Authorization:Basic <base64encoded "<client_id>:<client_secret>">
grant_type:authorization_code
scope:openid
code:<code_from_step_1>
redirect_uri:<callback_url>
exp:
client_id=**abcdefgh12345678**
client_secret=**xyzsecretkey**
callback_url=**http://locahost/callback**
scope=openid
server: localhost
base64encode(client_id:client_secret)= base64encode(abcdefgh12345678:xyzsecretkey) => YWJjZGVmZ2gxMjM0NTY3ODp4eXpzZWNyZXRrZXk=
GET https://localhost:9443/oauth2/authorize?client_id=**abcdefgh12345678**&redirect_uri=**http://locahost/callback**&response_type=code&scope=openid
it will make a request back to the callback url with a parameter code, lets say code=this01is02your03code, please check your browser address bar
POST https://localhost:9443/oauth2/token
HEADERS
Content-Type:application/x-www-form-urlencoded
Authorization:Basic **YWJjZGVmZ2gxMjM0NTY3ODp4eXpzZWNyZXRrZXk=**
BODY
grant_type:authorization_code
scope:openid
code:this01is02your03code
redirect_uri:http://locahost/callback
this will return an access token, let say token returned by the server is 12345678ASDFGH
Now you could use this token to call any RestFull or SOAP service
Authorization: Bearer 12345678ASDFGH
We are trying to implement Google's OAuth 2.0 cross-client sign-on functionality so that our server keeps the tokens and associates them with users, as shown in the diagram for the flow here: Google OAuth 2.0 Server-Side Flow
I am able to successfully retrieve a one-time access code on the client app. I then send that code to the server via a post to "http://example.com/oauth2callback/code="
It gets to the server just fine. The server then attempts a POST to Google that looks like this:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
code={My Code}&
client_id={My Client ID}&
client_secret={My Client Secret}&
redirect_uri="http://example.com/oauth2callback"&
grant_type=authorization_code
However, each time the server is returning "Error: redirect_uri_mismatch."
We have tried everything. We double-checked the redirect_uri matches EXACTLY in the Google console and the client ID and client secret are correct. It still doesn't work. Any ideas?
In the "server-side" flow your redirect_uri should be set to postmessage. Unfortunately that is not clearly documented by Google. See also Google OAuth 2.0 "error" : "redirect_uri_mismatch" and related questions/answers.
We figured this out eventually, but I wanted to post this here so that others can find it. It turns out that you should NOT specify a redirect URI if you are exchanging a one-time access code for an access token via communicating with Google's servers from your own server. Instead, it should look like this:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
code={My Code}&
client_id={My Client ID}&
client_secret={My Client Secret}&
redirect_uri=''&
grant_type=authorization_code
I am trying to use a custom java application of mine to upload videos to my youtube account via an access limited device like a Raspberry pi running as a server.
For this I am using the Google Oauth 2.0 for limited input device as a reference.
Here I am facing following problem:
After getting the Device code via following similar call (Step 2 from the link):
POST /o/oauth2/device/code HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
client_id=1084945748469-eg34imk572gdhu83gj5p0an9fut6urp5.apps.googleusercontent.com&
scope=https://www.googleapis.com/auth/youtube
Google Oauth server responds with 'user_code' and 'verification_url' (Step 3 from the link):
{ "device_code" : "4/L9fTtLrhY96442SEuf1Rl3KLFg3y", "user_code" :
"a9xfwk9c", "verification_url" : "http://www.google.com/device",
"expires_in" : "1800" "interval" : 5, }
Now I am giving the requisite permission by opening the url as responded by google server.
Finally I am trying to get the access token from Google server (Step 4 from the link) by posting similar request:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
client_id=1084945748469-eg34imk572gdhu83gj5p0an9fut6urp5.apps.googleusercontent.com&
client_secret=hDBmMRhz7eJRsM9Z2q1oFBSem&
code=4/YMSlR3fSCC1NtUh073DuZKTJJ3ss&
grant_type=http://oauth.net/grant_type/device/1.0
but instead of getting the 'access_token' as response I am getting the following :
Status Code:400 Response: { "error" : "invalid_request",
"error_description" : "Required parameter is missing: grant_type" }
Note : With or without url encoding, my problem stays the same.
Can someone please help me as to whether it's the Google Oauth 2.0 api is buggy or my request is faulty?
***************************************UPDATE*************************************
I tried the same steps with some alternative tools instead of my custom java application, so I tried Fiddler and curl, the surprise is as follows:
All of the calls worked right as mentioned by Google Oauth 2.0 for limited input device for curl.
Same issue was observed with Fiddler as was with my custom java app.
I am still unable to figure out the difference yet, still need help.
************UPDATE#2**************
Fiddler request:
(url encoded, obscured client secret)
(One can get oauth credentials (client_id and client_secret) by following this)
POST HTTP/1.1
https://accounts.google.com/o/oauth2/token?client_id=308065994473-ur9dd7003ajs6mvr5s4kqnugr6j8tsf2.apps.googleusercontent.com&client_secret=XXXXXXXXXXXXXXX&code=4%2FWR-qiTquqB0e4-0LCy0-7rZ2kkE2&grant_type=http%3A%2F%2Foauth.net%2Fgrant_type%2Fdevice%2F1.0
Content-Type: application/x-www-form-urlencoded
(non url encoded, obscured client secret)
POST HTTP/1.1
https://accounts.google.com/o/oauth2/token?client_id=308065994473-ur9dd7003ajs6mvr5s4kqnugr6j8tsf2.apps.googleusercontent.com&client_secret=XXXXXXXXXXXXXX&code=4/WR-qiTquqB0e4-0LCy0-7rZ2kkE2&grant_type=http://oauth.net/grant_type/device/1.0
Java code project is available at (maven project, check the test case for the Oauth calls):
https://docs.google.com/file/d/0B8ltWBtPF-DVMDZFNHNMZXpCQlk
The value is wrong, you should use grant_type=authorization_code as this says.
Hello kind people of the internet,
We can successfully use the Google Oauth 2.0 Playground to make a simple sql POST insert to a FusionTable, but when attempt the same basic HTTPS POST operation in anything else (from back end system, another browser session, Postman chrome tool, hurl.it, etc, etc), we always get a 403 error:
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.",
I'm puzzled why the error is returned when doing an HTTPS post from other systems (other than OAuth playground)?...as at the time I'm supplying an active Access token (cut-n-pasted Access token from OAuth playground).
The successful-working-good Request block in OAuth 2.0 Playground is below (but the Access token is of course now expired):
POST /fusiontables/v1/query?sql=INSERT INTO 1CqwRGEEn4L0gN66JwGvCR5yOI8miNMVijcp4XlE (Name, Age) VALUES ('Forrest', 57) HTTP/1.1
Host: www.googleapis.com
Content-type: application/json
Authorization: Bearer ya29.AHES6ZRr9CkHptvLaYlba_u6wceIh29urI8FjFp8xMP08AcBm2qpHg
Here's the direct URL that is generated by several different REST based tools I'm attempting to use to simulate the HTTPS request to do a POST sql insert to FusionTables (which again: always generates a 403 error even with an active Access token):
https://www.googleapis.com/fusiontables/v1/query?sql=INSERT%20INTO%201CqwRGEEn4L0gN66JwGvCR5yOI8miNMVijcp4XlE%20(Name,%20Age)%20VALUES%20('Jim',%2057)=&Content-length:=0&Content-type:%20=application/json&Authorization:=%20Bearer%20ya29.AHES6ZRr9CkHptvLaYlba_u6wceIh29urI8FjFp8xMP08AcBm2qpHg
Some other notes:
-In my Google APIs Console, I'm using the "Client ID for web applications".
-I updated the FusionTable properties with the Api console email-address to allow edit capability on the fusiont table used in the above sql (1CqwRGEEn4L0gN66JwGvCR5yOI8miNMVijcp4XlE) Adding the email for edit capability to the FusionTable properties was kindly suggested by Odi for Service accounts on another related post on FusionTables).
Any help in explaining why HTTPS Post works in the OAuth playground for a sql insert to FusionTables, but not anywhere else would surely be appreciated...there must be something I'm missing, as supposedly the OAuth playground was to help illuminate how OAuth works at a detailed level so we could handle in other systems that don't necessarily have a developed OAuth library.
Update 8/23, per the suggested answer...here's a URL syntax that works in POSTMAN and uses both the OAuth API key and an active Access token which was obtained using the OAuth playground (access token is of course fake/expired).
https://www.googleapis.com/fusiontables/v1/query?sql=INSERT%20INTO%201CqwRGEEn4L0gN66JwGvCR5yOI8miNMVijcp4XlE%20(Name,%20Age)%20VALUES%20('Bob',%2031)=&Content-length:=0&Content-type:%20=application/json&key={OAuth API key}&access_token=ya29.AHES6ZST_c2CjdXeIyG8LwkprQMGGfoW45sonX0d1H51234
Try adding your API key to the POST. Even though the message refers to authentication I'm pretty sure it's not OAuth authentication but your API usage that needs to be verified.