It does not appear that I can setup scope in a service config for grant_type of client_credentials.
Is this possible? When requesting a token, I do get back an empty "scope" value. The only way I can get a value to appear is if I pass a query parameter of &scope=foobar. But this does not make sense that the client application is setting the scope.
I want to grant a token with permission to read from API1 and write to API2 but not read/write to API3. It seems I should be able to have a config as scope: [ "java.util.HashSet", [ "api1_read", "api2_write" ] ] basic on clientId config on the cas authorization server.
Then I would image that the resource service, when validating the token would also get a list of scopes allowed.
What am I missing?
You are not missing anything. This capability does not exist and could possibly be added to CAS 6.3 assuming time and sponsorship would be available. Support for scopes are only available as of this writing for OpenID Connect. For OAuth, they would need to be added to the codebase and released.
Looking for some AzureAD help with this error -
"error": "invalid_request", "error_description": "AADSTS50146: This
application is required to be configured with an application-specific
signing key.\r\nTrace ID:
6fb978c1-0d74-478c-991c-3ad48ca65f00\r\nCorrelation ID:
81c05804-175c-456b-8d45-d5365818b599\r\nTimestamp: 2019-12-17
19:28:29Z",
I get the error above in one AzureAD env. when trying to do a OAuth2.0 token request. I have another test AzureAD where the same request works fine.
Doing a POST to https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token with clientId, clientSecret and grant_type=client_credentials.
Found this via google - https://github.com/MicrosoftDocs/azure-docs/issues/5394 but wanted to understand how does one go about configuring the "scope" parameter in AzureAD.
You probably have additional/mapped claims.
If you do not want to bother with creating application-specific signing keys,
you need to set "acceptMappedClaims": true in the manifest.
Setting "accessTokenAcceptedVersion": 2 can also help.
The api permissions in Azure AD portal is the value of scope.
You can also expose an API, then you can add your own scope.
In IS I retrieve token by call https://wso2is.local:9443/oauth2/authorize?response_type=id_token%20token&client_id=NgTICXFPYnt7ETUm6Fc8NMU8K38a&redirect_uri=http://wso2is.local:8080/playground2/oauth2client&nonce=abc&scope=openid+scope_1+scope_2+scope_3[1].
But when I try get token for all scopes my url becomes very long.
Can I make request e.g scope=openid+global ?
[1] https://docs.wso2.com/display/IS530/Implicit+Client+Profile+with+Playground
That is not supported due to security reasons. Only requested scopes are considered when issuing a token.
I am trying to update a primary email domain for a google apps account. And I can't seem to figure out the scope needed.
I keep receiving a 403 error when I make a request
Here is what I have tried.
After generating an access token with oAuth2, through postman. The settings below:
Auth URL: https://accounts.google.com/o/oauth2/auth
Access Token URL: https://accounts.google.com/o/oauth2/token
ClientID: id
Client Secret: secret
Scope: https://www.googleapis.com/auth/admin.directory.customer
Making a GET request to https://www.googleapis.com/admin/directory/v1/customers/my_customer with the token and I get a 403 insufficient permissions error back.
Is there something I am missing? I know steps to update the URL require making a get to get the users ID before making the PUT request. But I am not able to GET anything.
Is there something I am missing? Here is the URL to the DOCS if needed.
Thanks.
See domain rename known issues. The rename won't work if you are a reseller, purchased your domain via Google Domains or have Chrome licenses.
I'm making requests against the Instagram API from a mobile app. Currently, I'm just directing the user to the Instagram auth url and specifying the response type to be "access_token". Specifying this response_type is known as implicit auth.
Explicit auth: response_type=code
Implicit auth: response_type=access_token
I'm trying to get around needing to stand up a web service to facilitate explicit auth. This would be necessary because in explicit auth flow, the Instagram API needs to make a call to a redirect URL and pass in a "code" parameter. The code would then be used by my server-side code to make a final request to Instagram for an access token.
It's much more efficient for a mobile app to use implicit flow because no extra privately-maintained auth service needs to be stood up to handle it.
Instagram supports the following scopes:
basic - to read any and all data related to a user (e.g.
following/followed-by lists, photos, etc.) (granted by default)
comments - to create or delete comments on a user’s behalf
relationships - to follow and unfollow users on a user’s behalf
likes - to like and unlike items on a user’s behalf
When I make any other type of scope specification besides "basic", I get the following response when the user provides the credentials at the auth URL:
{"code": 400, "error_type": "OAuthException", "error_message": "Invalid scope field(s): basic+likes"}
Any combination of scopes other than "basic" gives the same response.
So, my question are these:
Is explicit auth required in order to specify scopes beyond "basic"??
Do I need to specify response_type=code in order for extended scopes to work?
Is this an Instagram limitation, or is it a limitation of OAuth 2.0?
Thanks in advance.
I just tried with implicit oauth flow with my client_id and scope=basic+likes and it worked. Replace the url below with your client_id and redirect_uri, and try.
https://instagram.com/oauth/authorize/?client_id=CLIENT_ID&redirect_uri=REDIRECT-URI&response_type=token&scope=basic+likes
May be Instagram is not allowing scope other than basic with new client accounts...
The answer here is that YES, scopes can be requested by implicit auth flow just fine. My problem was related to an OAuth component that I was using. The component was silently URL-encoding the value of the scope param, which was rejected by the Instagram auth endpoint. I updated the component (Xamarin.Auth) to accomodate a non-encoded scope param and issued a pull request.
Thanks to #krisak for providing a working URL that I could test.
So I had similar issues regarding the encoding of the + when trying to get permission for multiple scopes (basic, likes, comments). The solution I found was to use spaces between the individual scopes:
In the config/initializers/omniauth.rb file:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :instagram, 'TOKEN', 'SECRETKEY' , {:scope => "basic likes comments"}
end
Unfortunately starting from April 14th 2015 new clients cannot get access for any scope but basic. Official message could be found at the client configuration page:
Starting April 14th 2015, new clients need to request access to be able to post likes, follows, and comments. For more information please read the Developer Blog at http://developers.instagram.com.
The message refers following blog entry: http://developers.instagram.com/post/116410697261/publishing-guidelines-and-signed-requests
Instagram requires personal request to be sent to enable scopes for your application (client ID), but your app has to meet certain conditions described in the blog entry.
i have the same problem i found this solution and works fine
Go to Manage clients under instagram/developer. Then click edit under your app and uncheck Disable Implicit OAuth. It will now work as intended.
Instragram changed this for a reason though, so should probably think twice before going public with your app: http://instagram.com/developer/restrict-api-requests/
At this time, May 2015, YES.
As explained on instagram documentation about authentication:
The Instagram API uses the OAuth 2.0 protocol for simple, but
effective authentication and authorization. OAuth 2.0 is much easier
to use than previous schemes and developers can start using the
Instagram API almost immediately. The one thing to keep in mind is
that all requests to the API must be made over SSL (https:// not
http://).
You first need to register your app here and then, with CLIENT ID provided by instagram, you can do this request:
https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=code
Where you have to put your client_id and redirect_uri.
Just for information, in redirect_uri field you can insert also
http://localhost
you must be add "+" between scopes like that is "basic+comments+follower_list+likes+public_content+relationships"