Oauth : can json have oauth token? - oauth

I am simulating an app where JSON requests are sent to the back end. Now I have to add OAuth support. I don't know how to move forward. Is the OAuth token sent with the same JSON request?

Yes and no: an OAuth token is sent in the HTTP headers. So it's not in the JSON payload, but it is sent in the same HTTP request.
However, before sending it, you have to complete some steps dictated by the standard to exchange the proper token(s) (access and/or request).
Look at this good tutorial http://hueniverse.com/oauth/guide/ to understand the process in more depth. It even has an interactive part where you can dynamically change the parameters and see the headers and messages you should generate and exchange.

Related

Postman REST Client OAuth 2.0 - Extra Payload for Quizlet API

I'm trying to use the Postman REST Client to test the Quizlet API. Postman has a feature to do OAuth 2.0 for you. However, the Quizlet API requires a state parameter:
A random string generated by you. You send us this, and we'll send it back to you, and you verify that we send back the same thing you sent. You must send and verify this value in order to prevent CSRF attacks.
The default Postman helper does not have the ability to send more in the POST (as far as I know). Is there a known way to send the extra payload, or get around this (whether in Postman or the Quizlet API?)
Thanks in advance!
Steps:
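The state handling the question quotes from the Quizlet docs, written out as an added example (not code from the original post, from Postman or from the Quizlet API): the client generates an unguessable `state`, binds it to the user's session, and refuses the callback unless the value comes back unchanged. The authorization URL and the session dictionary are hypothetical stand-ins for whatever the real client uses.

```python
"""Added example: generating and verifying the OAuth 2.0 `state` parameter
so an authorization-code callback cannot be forged cross-site (CSRF).
AUTHORIZE_URL and the session dict are hypothetical placeholders."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoint; the real authorization URL comes from the API docs.
AUTHORIZE_URL = "https://example.invalid/oauth/authorize"


def new_state() -> str:
    """A fresh unguessable value: 32 random bytes, URL-safe base64."""
    return secrets.token_urlsafe(32)


def build_authorize_url(session: dict, client_id: str, redirect_uri: str, scope: str) -> str:
    """Store the state in the user's session, then put it in the redirect."""
    state = new_state()
    session["oauth_state"] = state
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(query)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Verify the returned state before touching the authorization code.

    The stored value is removed first so a state can be consumed only once,
    and the comparison is constant-time so the check itself leaks nothing."""
    expected = session.pop("oauth_state", None)
    params = parse_qs(urlparse(callback_url).query)
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: possible CSRF, discarding code")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code
```

For Postman, the same idea applies: generate the value yourself, add it as a query parameter on the authorization request, and compare it by eye on the callback; the point of the code above is that the comparison and the single-use pop must both happen before the code is exchanged.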

Should oAuth 2.0 revoke older Authorization Codes if new code requested

I can't figure out if an OAuth 2.0 server should revoke old Authorization Codes (not Authorization Tokens) when a new code is requested. Also I can't figure out in what format the OAuth server should show the error if a valid redirect_uri parameter is neither specified nor registered in the app settings.
Thank you for helping me understand this RFC.
https://www.rfc-editor.org/rfc/rfc6749
As far as I know, your questions are not covered by the specs, so the answers below reflect only my personal opinion on a practical implementation.
A client may legally request several authorization codes with different scopes. You can argue if this makes sense (though I think it does), but the standard does not forbid it. Consequently, I think old codes should be revoked only if a client resends a request (i.e. with exactly the same request details: client id, redirect uri, scopes).
For missing redirect_uri, servers should return HTTP 400 Bad Request and include error details in the message body (and/or appropriate HTTP headers).
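The practical implementation the answer describes, as an added example that is not part of the original answer or any real OAuth server: codes are bound to (client_id, redirect_uri, scope), expire after ten minutes (the upper bound RFC 6749 section 4.1.2 recommends), are single use, and a repeated request with exactly the same details replaces the earlier code while codes for other scopes or redirect URIs stay valid. A missing or unregistered redirect_uri gets HTTP 400 with a JSON error body instead of a redirect, since the server cannot trust a redirect target it could not validate. The client registrations are constructed sample data.

```python
"""Added example: an authorization-code store following the answer's
reading of RFC 6749. REGISTERED is constructed sample data."""
import secrets
import time
from dataclasses import dataclass

CODE_LIFETIME = 600  # seconds; RFC 6749 4.1.2 recommends at most 10 minutes

# Constructed registrations: client_id -> registered redirect URIs
REGISTERED = {
    "app-1": {"https://app1.invalid/cb", "https://app1.invalid/cb2"},
}


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    scope: frozenset
    expires_at: float


class AuthorizationServer:
    def __init__(self):
        self._codes = {}  # code -> IssuedCode

    @staticmethod
    def _error(status, error, description):
        # Returned directly (no redirect): a bad redirect_uri must never be followed.
        return status, {"error": error, "error_description": description}

    def authorize(self, client_id, redirect_uri, scope):
        """Authorization endpoint after the resource owner consented.

        Returns (status, body); on success body carries the redirect target."""
        if client_id not in REGISTERED:
            return self._error(400, "invalid_request", "unknown client_id")
        if not redirect_uri:
            return self._error(400, "invalid_request", "redirect_uri is required")
        if redirect_uri not in REGISTERED[client_id]:
            return self._error(400, "invalid_request", "redirect_uri not registered")
        scope = frozenset(scope.split())
        # Revoke only an earlier code with exactly the same request details.
        stale = [c for c, v in self._codes.items()
                 if (v.client_id, v.redirect_uri, v.scope) == (client_id, redirect_uri, scope)]
        for c in stale:
            del self._codes[c]
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(client_id, redirect_uri, scope,
                                       time.time() + CODE_LIFETIME)
        return 302, {"location": f"{redirect_uri}?code={code}"}

    def redeem(self, code, client_id, redirect_uri):
        """Token endpoint: the code is consumed on first use and must match the
        client and redirect_uri it was issued for and still be unexpired."""
        issued = self._codes.pop(code, None)
        if issued is None:
            return self._error(400, "invalid_grant", "code unknown, expired or already used")
        if issued.client_id != client_id or issued.redirect_uri != redirect_uri:
            return self._error(400, "invalid_grant", "code not issued to this client/redirect_uri")
        if time.time() > issued.expires_at:
            return self._error(400, "invalid_grant", "code expired")
        return 200, {"access_token": secrets.token_urlsafe(32),
                     "token_type": "Bearer",
                     "scope": " ".join(sorted(issued.scope))}
```

Note that the single-use rule is enforced by popping the code before any other check, so a second redemption attempt fails even if the first one was rejected for a mismatched redirect_uri; RFC 6749 also says a server that sees a code reused SHOULD revoke tokens already issued from it, which this sketch does not track.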

OAuth token rejected error

I want to get user profile for which I am using OAuth. http://developer.yahoo.com/oauth/guide/oauth-auth-flow.html
I have retrieved the access token and now finally I need to call the Yahoo API by making a GET request according to http://developer.yahoo.com/oauth/guide/oauth-make-request.html#
The GET request I am sending is:-
http://social.yahooapis.com/v1/user/KMDUY7SWWTJOX4AS3XR47PNLQU/profile?format=json
&realm="yahooapis.com"
&oauth_consumer_key=my key
&oauth_nonce=24829.2331
&oauth_signature_method=plaintext
&oauth_timestamp=1219450170
&oauth_token=whole token here
&oauth_version=1.0
&auth_signature="consumer secret + token secret"
When I am sending this request it is giving me this error:-
{"error":{"lang":"en-US","description":"Please provide valid credentials. OAuth oauth_problem=\"token_rejected\", realm=\"yahooapis.com\""}}
Thank you for your time and consideration.
I was having this issue for a while and then eventually I figured out that Yahoo! puts A= at the beginning of all of their access tokens in their response, but that is not actually part of the access token, so you should be sure to remove that part before responding back to Yahoo!
I hope this helps someone else that stumbles upon this page in the future.
Probably in your case the issue is related to the protocol. You should use HTTPS when calling the Yahoo! API.
As they say in the Yahoo documentation here:
For requests to Yahoo API and Web services that require OAuth
authorization, you must use the HMAC-SHA1 encryption method because
requests are made insecurely using HTTP.
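Signing the request the way the second answer recommends, as an added example that is not code from the question, the answers, Yahoo's documentation or any Yahoo library, and that also covers the first answer on this page (the token travels in the Authorization header, not the JSON body or query string): an OAuth 1.0a HMAC-SHA1 signature per RFC 5849 section 3.4, built over the method, normalized URL and sorted parameters including the URL query, plus a server-side verifier. Consumer key, secrets, token and the profile URL are constructed values; nonce and timestamp replay tracking is left out.

```python
"""Added example: OAuth 1.0a request signing with HMAC-SHA1 (RFC 5849) and
verification. All keys, secrets and URLs below are constructed values."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s):
    # RFC 5849 3.6: percent-encode everything except unreserved characters.
    return quote(str(s), safe="-._~")


def normalize_url(url):
    # RFC 5849 3.4.1.2: lowercase scheme/host, drop default ports and the query.
    parts = urlsplit(url)
    host = parts.hostname.lower()
    port = parts.port
    default = {"http": 80, "https": 443}.get(parts.scheme.lower())
    if port and port != default:
        host = f"{host}:{port}"
    return f"{parts.scheme.lower()}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    # RFC 5849 3.4.1: METHOD & enc(url) & enc(sorted, encoded parameters)
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])


def hmac_sha1_signature(base, consumer_secret, token_secret):
    # RFC 5849 3.4.2: key is enc(consumer secret) & enc(token secret)
    key = f"{pct(consumer_secret)}&{pct(token_secret or '')}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None, realm=None):
    """Return the Authorization header value for the request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    # Query parameters are signed (3.4.1.3.1) but stay in the URL.
    params = list(oauth.items()) + parse_qsl(urlsplit(url).query, keep_blank_values=True)
    oauth["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params), consumer_secret, token_secret)
    fields = [f'realm="{realm}"'] if realm else []
    fields += [f'{k}="{pct(v)}"' for k, v in oauth.items()]
    return "OAuth " + ", ".join(fields)


def verify_header(method, url, header, consumer_secret, token_secret):
    """Server side: recompute the signature and compare in constant time."""
    if not header.startswith("OAuth "):
        return False
    fields = {}
    for item in header[len("OAuth "):].split(", "):
        k, _, v = item.partition("=")
        fields[k] = unquote(v.strip('"'))
    claimed = fields.pop("oauth_signature", "")
    fields.pop("realm", None)  # realm is not part of the signed parameters
    params = list(fields.items()) + parse_qsl(urlsplit(url).query, keep_blank_values=True)
    expected = hmac_sha1_signature(
        signature_base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(claimed, expected)
```

Compared with the request in the question, three things change: the oauth_* parameters move out of the query string into the header, the signature method is HMAC-SHA1 rather than PLAINTEXT, and the signature is computed over the request (so a changed query parameter invalidates it) rather than being the bare secrets.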

Asana API Cross-Domain Request Access Control Headers

I'm trying to make a GET request to the Asana API from the browser. Because this is a cross-domain request, the client first sends an OPTIONS request. I'm running into the same issue that was described in this Stack Overflow question a year ago, ASANA API and Access-Control-* headers, where the Asana API doesn't respond with the Access-Control parameters.
I'm wondering whether the new release of the Asana Connect and OAuth2 addresses this problem and I'm simply doing something wrong or if this is still unsupported.
(I work at Asana.) Sorry, looks like this slipped through the cracks.
We currently do not allow Cross-Origin requests. However, we do support JSONP if you use OAuth2 and authenticate with a bearer token. This allows you to make secure requests from a JS client.
Just append opt_jsonp=CALLBACK as a parameter to the request, where CALLBACK is the name of the javascript function you would like to be called back with the response data.

Sending POST instead of GET request to Google Contacts API (OAuth2)

Hoping someone can help me out here. I'm using Google Contacts API to fetch a list of contacts. To my understanding, this is done by sending a GET request:
https://www.google.com/m8/feeds/contacts/default/full?alt=json&max-results=9999&oauth_token=OATH_TOKEN_HERE
However, this is wildly insecure as any intruder can gain access to the oauth_token in the URL. To combat this, I'm trying to send this as a POST request with my parameters (alt, max-results, oauth_token) as the data. However, I simply get an error that "Authorization is required". I've tried adding "Authorization: OAuth" to my headers but to no avail (get an error that authorization type is not recognized).
Any advice? I need a secure way to send the oauth token to Google such that my security software won't complain about a security hole in my program ...
Thanks!
To answer your question directly, even though security is irrelevant as you are using HTTPS, you cannot POST to Google to get a list of contacts. Google requires you to use GET.
The proper way to send the authorization (since you can still use a GET and not pass the oauth_token as a query string) is an HTTP header formatted:
Authorization: Bearer 1/fFBGRNJru1FQd44AzqT3Zg
Using OAuth 2.0 to Access Google APIs
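What the header above looks like end to end, as an added example that is not code from either answer, from Google's client libraries or from the Contacts API, and that also illustrates the first answer on this page (the token rides in the same HTTP request as the JSON, but in the header rather than the payload): a client that refuses to put the token in the URL, and a resource server that accepts the token only from the Authorization header using the RFC 6750 section 2.1 bearer syntax and answers 401 with a WWW-Authenticate challenge otherwise. The token, endpoint and request dictionaries are constructed stand-ins for real HTTP messages.

```python
"""Added example: bearer token in the Authorization header of a JSON
request (client) and header-only extraction (server). The request is
modelled as a plain dict; token and URL are constructed values."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# RFC 6750 2.1: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$")
# Parameter names under which tokens tend to leak into URLs and bodies.
TOKEN_PARAMS = ("access_token", "oauth_token")


def build_json_request(method, url, token, payload):
    """Client side: token in the header, JSON in the body, nothing secret in the URL."""
    query = parse_qs(urlsplit(url).query)
    if any(k in query for k in TOKEN_PARAMS):
        raise ValueError("refusing to send a token in the query string")
    return {
        "method": method,
        "url": url,
        "headers": {
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        "body": json.dumps(payload).encode() if payload is not None else b"",
    }


def extract_bearer(request):
    """Server side: the token from the Authorization header, or None."""
    m = BEARER_RE.match(request["headers"].get("Authorization", ""))
    return m.group(1) if m else None


def handle(request, valid_tokens):
    """Resource server: reject misplaced tokens with 400, missing or unknown
    tokens with 401 plus a WWW-Authenticate challenge (RFC 6750 section 3)."""
    query = parse_qs(urlsplit(request["url"]).query)
    body = None
    if request["body"]:
        try:
            body = json.loads(request["body"])
        except ValueError:
            return 400, {}, {"error": "invalid_request", "error_description": "body is not JSON"}
    misplaced = [k for k in TOKEN_PARAMS if k in query or (isinstance(body, dict) and k in body)]
    if misplaced:
        return 400, {}, {"error": "invalid_request",
                         "error_description": f"send the token in the Authorization header, not as {misplaced[0]}"}
    token = extract_bearer(request)
    if token is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, None
    if token not in valid_tokens:
        return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}, None
    return 200, {"Content-Type": "application/json"}, body
```

Keeping the token out of the query string matters beyond the transport: URLs end up in browser history, proxy and server access logs and Referer headers even over HTTPS, while request headers normally do not.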
