I get the request token via browser Javascript.
The following Java code works trading it for an access token.
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest;
GoogleTokenResponse tokenResponse = new GoogleAuthorizationCodeTokenRequest(TRANSPORT, JSON_FACTORY, clientId, clientSecret, authCode, "postmessage").execute();
My problem is that the google library call comes with fairly heavy footprint.
Hence, I tried scribe (the Kobee1203 oauth 2.0 fork). It did not work for me:
OAuthService service = new ServiceBuilder()
.provider(GoogleApi20.class)
.apiKey(apiKey)
.apiSecret(apiSecret)
.scope(SCOPE)
.grantType(OAuthConstants.GRANT_TYPE_AUTHORIZATION_CODE)
.accessType("offline")
.build();
Verifier verifier = new Verifier(authcode);
Token accessToken = service.getAccessToken(null, verifier);
Google response with and error complaining about and indirect redirect url. There is no redirect url set in the api console and the former code works fine without.
I'd like a lightweight Java based solution trading the request- for an access token to make one basic authorized call. It does not necessarily have to be scribe.
It's just a REST URL that you can construct and call directly from your app.
If you go through the steps in the Oauth Playground https://developers.google.com/oauthplayground you can see the URLs and responses. For example, to convert the auth code to a refresh token, you would call
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-length: 250
content-type: application/x-www-form-urlencoded
user-agent: google-oauth-playground
code=4%2FcQ7Nh2AZL3QgfynGKSloFTND3hlv.8jT4Txflqs8WXE-sT2ZLcbQTyOPFgQI&redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&client_id=407408718192.apps.googleusercontent.com&scope=&client_secret=************&grant_type=authorization_code
The URLs and responses are documented at https://developers.google.com/accounts/docs/OAuth2
Related
I am trying to create Test Automation framework for Apipgee Proxy URLs.
I am using Rest Assured Framework for Apigee proxy URLs with generating Bearer token on the fly ,Xapi Keyand use Apigee proxy URL. For now token is generated manually using CURL command . I can test well in postman.
// accessToken,apiKey below is defined as string
// inputrequest.getInputStream() reads JSON needed for body
response= RestAssured
.given()
.headers("Authorization","Bearer "+ accessToken)
.headers("apiKey", apiKeyVar)
.contentType("application/json")
.body(inputrequest.getInputStream()).When()
.post(apigeeProxyURL).then().statusCode(200).extract().response();
I am getting 401 (Unauthorized error) instead of 200. My query here to summarize--
Does RestAssured Framework Supports Apigee Proxy URL .
if same x-api Key and Bearer token works in postman for same end point, why its throwing an error
I read some blogs with variation on how to pass x-api Key and Bearer Token
Please revert back and share directions on how to approach for REST API Automation for Apigee Proxy URLs
Thanks and Regards,
Aditya Mandlekar
Check if you are passing the apikey at the correct place . By default it should pass in the query param. Check your verifyapikey policy which you must have attached to your proxy.
I'm trying to understand OAuth 2.0 which is scarcely, badly documented and I'm trying to implement OAuth 2.0 client call in my App. I am using Postman to simulate API calls, which works. Postman shows big orange button "Get New Access Token", where I select Grant Type, URL, Client ID, Client Secret, Scope and Authentication type. Upon clicking button Request Token, new bearer token is returned by the API, meaning the authentication succeeded. This of course is completely useless approach to me, because I have no idea what just happened. I need to create actual request that shows me exactly how it is formed, so that successful response with bearer token is returned. Postman, for absolutely no reason, will not let me see that or convert it's useless UI into a functional API request. All I have is black box with orange button "Request Token", which does who knows what.
Does anyone know, how to form a working OAuth 2.0 bearer token request in Postman, preferably to convert their useless token request dialog directly into a request?
After some research I have been able to form a valid OAuth2 token request. For clarity, here is a code sample, which we need to convert to Postman response:
var client = new RestClient("https://api_address/token");
client.Timeout = -1;
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "Basic hash");
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
request.AddParameter("grant_type", "client_credentials");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
The hash part of the request is formed from client_id and client_secret values. In Postman, this is defined as such:
Create a simple POST request with token API url.
Go to Authorization tab.
Select Basic Auth
Enter client_id and client_secret into corresponding fields as username and password.
Go to Body tab.
Select x-www-form-urlencoded.
Enter key grant_type with value of client_credentials.
This example is for the client credentials flow. OAuth2 authors felt that calling auth scenarios as auth scenarios isn't cool enough, so they are called flows, which is nonsense, but sounds cooler.
Process one:
Process two:
First, determine whether your token is passed through the header
It could be:
else process:
I am currently using OpenID Connect/Oauth2 Implicit Flow in a mobile app. I am bringing up a Web View for the user to login and obtaining the access token and expiry. However, when the access token expires, do I need to ask the user to log in again? Or is there a way to get a new access token silently using the current one, without bugging the user. I guess another option is to set the token expiry to be a really long time, but I have read that this is a bad idea.
Am I missing something here?
Since Implicit flow does not send a refresh token (as explained in section 9 of RFC6746), usage of refresh tokens is not possible. But as a workaround one can use client credential grant to obtain an access token.
A viable solution is to first follow the implicit flow and authenticate the client. Then client authentication grant can be used to do the required API calls.
Sample request (from RFC6749)
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
rant_type=client_credentials
Sample resposne (from RFC6749)
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"example_parameter":"example_value"
}
P.S -
If you are using authorization code flow, you can use refresh_token to get a new access token. How the request should be formed can be obtained from OAuth2 documentation. Note that to do so, your authorization response should contain a `refresh_token.
A refresh token should be protected as valuable as a credential for a user. More can be read from keycloak documentation from here
Sample request and a response (from RFC6749)
Request
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
Response
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
"access_token": "TlBN45jURg",
"token_type": "Bearer",
"refresh_token": "9yNOxJtZa5",
"expires_in": 3600
}
The recommended way is to use an external browser and the Authorization Code Flow. Check the OAuth 2.0 for Native Apps RFC. For Android, there is also a supporting library AppAuth. With this flow, you can use a refresh token to get a new access token, but there is an issue with a client secret (usually needed for accessing /token endpoint), because you cannot keep it safe in a mobile app (it's described in the RFC).
If you decide to stick with the WebView and the Implicit Flow, which is not safe (your app can see the password) you could use the same technique as in JavaScript applications - request a new token with /auth?...&prompt=none URL which will return a new token without asking the user for credentials if he still has an open session there.
We are trying to implement Google's OAuth 2.0 cross-client sign-on functionality so that our server keeps the tokens and associates them with users, as shown in the diagram for the flow here: Google OAuth 2.0 Server-Side Flow
I am able to successfully retrieve a one-time access code on the client app. I then send that code to the server via a post to "http://example.com/oauth2callback/code="
It gets to the server just fine. The server then attempts a POST to Google that looks like this:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
code={My Code}&
client_id={My Client ID}&
client_secret={My Client Secret}&
redirect_uri="http://example.com/oauth2callback"&
grant_type=authorization_code
However, each time the server is returning "Error: redirect_uri_mismatch."
We have tried everything. We double-checked the redirect_uri matches EXACTLY in the Google console and the client ID and client secret are correct. It still doesn't work. Any ideas?
In the "server-side" flow your redirect_uri should be set to postmessage. Unfortunately that is not clearly documented by Google. See also Google OAuth 2.0 "error" : "redirect_uri_mismatch" and related questions/answers.
We figured this out eventually, but I wanted to post this here so that others can find it. It turns out that you should NOT specify a redirect URI if you are exchanging a one-time access code for an access token via communicating with Google's servers from your own server. Instead, it should look like this:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
code={My Code}&
client_id={My Client ID}&
client_secret={My Client Secret}&
redirect_uri=''&
grant_type=authorization_code
I want to use Google drive api in my application, that's why I'm using OAuth 2.0 for Installed Applications. But I have a problem - I can't get an access token. At first I successfully get the authorization code using the following request:
https://accounts.google.com/o/oauth2/auth?
scope=https://www.googleapis.com/auth/drive.file&
redirect_uri=[my redirect_uri from from Developers Console]&
response_type=code&
client_id=[My client ID for native application from Developers Console]
Then I try to get an access token using received authorization code using the following request:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
code={My uthorization code}&
client_id=[My client Id]&
client_secret=[My clien secret]&
redirect_uri=[my redirect_uri from from Developers Console]&
grant_type=authorization_code
All the time server returns 400. Can you tell me what could be the problem?
Trace the http request
Go to OAuth2 Playground and do the same
Spot the difference
It may be that you aren't urlencoding the params