I'm user HWIOAuthBundle (let's call it MyClient) to connect to a Symfony 2.3.2 OAuth 2 server using FOSOAuthServerBundle (let's call it MyServer). I am able to connect and login and do the requests that I need to but I keep getting booted out of "MyServer" after an hour (401 error). I have done a lot of reading about this issue but can't seem to find a solution.
I'm new to OAuth but I believe that the access_token I'm using expires after an hour.
I was wondering if there is a way to configure both machines to use the refresh token (which expires in 2 years) to "refresh" my access_token when it expires?
I have been unable to find an example on how to do this. Any help would be great.
Cheers
I had the same problem with HWIOAuthBundle to authenticate using Google Login. Finally I found how to request offline access. In config.yml set the option access_type to offline:
hwi_oauth:
firewall_name: main
fosub:
properties:
google: googleId
connect:
account_connector: acme.security.provider.user
resource_owners:
google:
type: google
client_id: <my_id>
client_secret: <my_secret>
scope: "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/analytics.readonly"
options:
access_type: offline
See more https://github.com/hwi/HWIOAuthBundle/issues/375
Related
I've been trying to connect Microsoft Power Automate to my API. My API has a OAuth2 Code Flow.
According to Power Automate, the connector can make a connection to my API. and execute a test. But the problem is that Microsoft sends a Bearer token that was generated by them, and not the one that I gave to them via OAuth2, resuting on my API giving a 401 Error (Invalid Token) as expected.
In the Power Automate Custom Connector page, in the security tab I have the following:
Authentication type
OAuth2.0
OAuth2.0 Settings
Identity Provider: Generic OAuth2
Client ID: SomeValue
ClientSecrect: SomeValue
Authorization URL: mydomain.com/auth/authorize
Token URL: mydomain.com/auth/token
Refresh URL mydomain.com/auth/token
Redirect URL: microsoft-flow.com/redirect (Not the real one)
When Microsoft makes a POST request to mydomain.com/auth/token, I return the following body:
{
access_token: "non JWT token", // simillar to a hash
refresh_token: "non JWT token",
expires_in: 3600
}
The request above is final request that microsoft before accepting as a valid connection. The token that microsoft sends me is a JWT one, not the one I provided.
I've seen some guys using Azure AD authentication within the APP, but I was trying to implement something simillar to other platoforms(e.g Github, Spotify, e.t.c)
So my question is it possible to connect Power Automate to a custom API with using OAuth2? If yes, how to do it?
It's possible.
In addition to the OAuth2.0 Settings you listed, there is another important property Scope which you have missed.
Since your API is protected in Azure AD, so I assume that you have created an Azure AD app for your API and exposed scopes.
After that, you can get the application ID URI (api://{clientId}) for your API.
You should put this value into the "Scope" in Power Automate, like this:
Then this access token will be considered valid by your API.
I've done two steps to fix this problem.
Step 1
Previously my API returned the body with access_token, refresh_token and expires_in, but then I added scope and token_type. Example:
{
access_token: "2346ad27d7568ba9896f1b7da6b5991251debdf2",
refresh_token: "4468e5deabf5e6d0740cd1a77df56f67093ec943",
expires_in: 3600,
scope: "none",
token_type: "Bearer"
}
Step 2
Delete the custom connector and create a new one with the same parameters. When I got to the "Test" section, Power automate finally could make the GET request successfully.
In my case, even if the the API was updated, Power automate was still using its faulty token, so I had to delete that custom connector and create new one.
Conclusion
By updating the API and deleting the old custom connector, I was able to get the connector working.
We have an inquiry from our client, to enable Autodesk Model Viewer from within our App. The first step is to implement OAuth2 authentication (2 legged). I followed Forge Autodesk tutorials, but this is completely new to me, and I cannot configure that to work. I do http request (using jQuery) from our App, passing client_id and client_secret, grant_type and a scope. When looking on the developer menu (F12) - I can see that request is hitting their server and returns with the access_token, expire time, authorization "Bearer" with the status 200. So far so good.
I understand that now I need to make a call back to the API and pass this access_token I received. And here is where I lost: console shows me error, Cross origin ... And the success part of http request is not fireing (in http request success part I'm trying to redirect user to the Model Viewer url + access_token we just received). But it is never fires. Was digging forums and tutorials but can't find any good sample or explanation what I'm doing wrong. Below is my code example:
$.post("https://developer.api.autodesk.com/authentication/v1/authenticate",
{
client_id: 'here_is_a_client_id',
client_secret: 'here_is_a_client_secret',
grant_type: 'client_credentials',
scope: 'viewables:read'
},
function(data, status){
console.log("Data: " + data);
window.location.href = 'https://viewer.autodesk.com/id/here_is_a_long_id_number&Authorization=Bearer&' + data;
});
Any help highly appreciated. Also, I was trying to follow Autodesk tutorials using Node.js, but again, after seeing that access_token get back from their server, can't make a callback and attach this access_token to it. New to all these Authorization/Authentication/Tokens so can't figure out the way it works. Thanks in advance.
I could advice you how to avoid this Cross Origin error, but it is critical not to and very dangerous to authorise your application on the client side. Exposing you client secret key will give everyone the right to access your account and spend cloud credits on your behalf. And access all your content. That is the reason you do should not have that approach.
You should never expose the client secret, neither an read/write scoped access token on a client, those should resides on the server, and server only. The only access token you could eventually see on the client should be a viewables:read scoped token only. And even when using a viewables:read token, I prefer to use a proxy instead myself (see here).
Up until today I have been able to use Google's api for exchanging an authorization code for an access token. Haven't had any problems with this for the past year. But now I'm getting a 403 status code. My POST body looks like this:
code=4%2FUwDPiS*********&
redirect_uri=https%3A%2F%2Flocalhost%3A57081&
client_id=123******&
client_secret=123*******&
scope=&
grant_type=authorization_code
The api endpoint is:
https://www.googleapis.com/oauth2/v4/token/
The Google API playground works fine when exchanging authorization tokens.
I thought that maybe Google was getting strict and required https to the redirect (which I did not have originally). But even after adding https, it didn't help. Is it possible that Google is now blocking redirects to localhost? If not, what other problem could it be?
Either Google's OAuth service was down at the time or my limit on calling the api was reached. Have no idea what caused the problem but it worked 24 hours later. In the event that you suspect that your limit was reached, you should check out this link:
https://support.google.com/cloud/answer/9028764
I'm using the google-api-client gem in my Rails project. I have omniauth and devise working, and I have users authenticate through Google.
I thought I had this going very well, until recently. I've noticed my app will throw an error when it fetches the Google Calendar API after one hour. The expiration is one hour from authentication time, and from then I get this error:
Signet::AuthorizationError (Authorization failed. Server message:
{
"error" : "invalid_grant",
"error_description" : "Token has been revoked."
}):
This is separate from invalid refresh tokens, as I do have the refresh token stored in the database. It is sending the refresh token request, which spurs that error above, with this code:
client = Google::APIClient.new(
:application_name => APP_NAME,
:application_version => APP_VERSION,
)
client.authorization.client_id = CLIENT_ID
client.authorization.client_secret = CLIENT_SECRET
client.authorization.refresh_token = user.auth_refresh_token
token_result = client.authorization.fetch_access_token!
I have been very careful as to not sign in and out of my Google accounts, so I cannot figure out why Google would send back this message. If I refresh the page after 55 minutes, all is okay. If I refresh the page after 1 hour, it complains about the access token being revoked.
Has anyone had this issue before? If so, what did you do to fix it? Was it something you had to change in Google's Developer Console?
I ended up figuring out the issue, so I thought I'd share what fixed it.
In config/initializers/devise.rb, I have:
scope: 'userinfo.profile, userinfo.email, calendar, https://www.googleapis.com/auth/gmail.readonly', prompt: 'select_account consent' }
What did it for me was the prompt: 'select_account consent' part. Asking the user for consent at each login seems to keep the refresh token up to date. When the user logs in via Google I check if there was a refresh token in the response, and if there was I save that to the database. If not, I keep their current refresh token in the database.
In all honesty, I really don't get why it was necessary for me to do this but for other users who've shared their code examples it was fine. Perhaps there was a change in the Google's OAuth2 or maybe there's a discrepancy in my method of handling the authorization.
I'm having issues with Google OAuth2 in iOS; I'm getting an "invalid_grant" error. I am doing the following steps:
I created the project and Credential ( iOS app ) Google Console;
I did request the CODE;
I did request the access token (working well);
10 minutes before the expiry of the access token , I do request a refresh token.
The problem is intermittent . Sometimes the request for refresh ( refresh_token ) returns " invalid_grant " and so the access_token becomes invalid and my application just stops .
If forcing the user login to generate a new access_token and refresh_token not work. I have to revoke the permissions of the account and try again.
What I need is access to IMAP and SMTP Gmail . If I check the access_token ( https://www.googleapis.com/oauth2/v1/tokeninfo ) is active and valid , but the IMAP and SMTP denies access.
I'm actually thinking of going back to the login username and password . The service is very unstable for not having the same reaction . I'm sure I'm not bursting any limitations and been the message " invalid_grant " would at least not appropriate.
Please , any employee of Google, HELP ME !
Thank you.
I was facing this problem as well. I wasn't doing anything with IMAP, but I was getting an invalid_grant pretty frequently when trying to handle auth. Eventually I got things working using the following settings:
authentication.refreshToken = savedRefreshToken;
authentication.accessToken = savedAccessToken;
authentication.additionalTokenRequestParameters = #{#"access_type":#"offline"};
I think it was mainly that last one that did the trick. I found it somewhere in the Google documentation, but I didn't save where. Their docs are pretty messy.