I'm struggling to find any documentation for DotNetOpenAuth on how to do this.
I know the client sends the bearer token, but how do I verify it (other than verifying it's in the appropriate header)? How do I verify it's valid, or that it hasn't expired? Is there a hook to allow DotNetOpenAuth to do this for me? I don't see it.
Thanks.
So, I figured it out. Hopefully this will help anyone else who finds this.
Part of it was me being a n00b to OAuth. I set up my Authorization server just fine, but didn't realize (at first) that the ResourceServer is responsible for validating the token and validating that the access to the requested resource is still valid. Once I realized this it was easy to find the ResourceServer class in DONA, and you can parse the BEARER token with two lines of code:
using DotNetOpenAuth.OAuth2; // ResourceServer, StandardAccessTokenAnalyzer and AccessToken live here

// signingKey: the authorization server's public RSA key used to check the token signature;
// encryptionKey: this resource server's private RSA key used to decrypt the token.
ResourceServer server = new ResourceServer(new StandardAccessTokenAnalyzer(signingKey, encryptionKey));
// Reads the bearer token from the current HTTP request and verifies signature and lifetime;
// throws if the token is missing, tampered with or expired.
AccessToken token = server.GetAccessToken();
The returned token will have the date it was issued and the user it was issued under, as well as any scope requests for you to validate access.
Hope this helps anyone like me who struggled with this!
Related
I'm passing state=;xyz in the authorization request. I can see the same in the URL in the browser on the Allow screen. After clicking the "Allow" button, I get the access token, i.e. the code with the redirect URI, but LinkedIn does not return state in the redirect_uri.
Can someone please help me with this?
Thanks in advance.
The state parameter is either not required or MUST be present in responses according to the grant and part of flow in question. I have to go out on a limb and say that LinkedIn haven't written a spec violating OAuth 2.0 implementation, so perhaps you are using/expecting state when you shouldn't be or are using it in the right place but incorrectly?
Authorization Code Grant (https://www.rfc-editor.org/rfc/rfc6749#section-4.1) state will not be in the access_token response, only in the Authorization code response if you sent one with the request for the code.
Implicit Grant (https://www.rfc-editor.org/rfc/rfc6749#section-4.2) state will be returned with the access_token if you sent one in your token request.
Resource Owner Password Credentials Grant (https://www.rfc-editor.org/rfc/rfc6749#section-4.3) state is not used at all.
Client Credentials Grant (https://www.rfc-editor.org/rfc/rfc6749#section-4.4) state is not used at all.
If you find LinkedIn are in violation of the spec, then it'd be worth letting them know!
Solved it just by doing trial and error. The error was silly on my end.
I was passing state=;xyz but LinkedIn expects state=%3Bxyz.
LinkedIn just ignores ; and the following characters, and since I did not have anything before ;, LinkedIn was considering it an empty value and was not returning state. Silly on my end.
#starlight54 thanks for spending some time for me.
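The per-grant rules from the answer above, plus the encoding mistake in the follow-up, as a worked example added here (not code from the thread or from LinkedIn): the client generates an unguessable state, percent-encodes it into the authorization URL (so ";xyz" is sent as "%3Bxyz"), and on the callback reads state from the query for the code grant or the fragment for the implicit grant, returning nothing for the grants that do not use it. The endpoint, client id and redirect URI are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder; not LinkedIn's authorization endpoint.
AUTHORIZE_URL = "https://example.invalid/oauth/authorize"

# Where each grant echoes `state` (RFC 6749 sections 4.1 and 4.2). Grants absent from
# this table (password, client credentials) never carry state at all.
STATE_LOCATION = {
    "code": "query",      # authorization code grant: ?code=...&state=...
    "token": "fragment",  # implicit grant: #access_token=...&state=...
}


def new_state():
    """Unguessable per-login value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, response_type, scope, state):
    """Build the URL the user's browser is sent to. urlencode percent-encodes every
    value, so a state of ';xyz' is transmitted as '%3Bxyz', never as a bare ';'."""
    params = {
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_state(callback_url, response_type):
    """Read `state` from where the grant puts it; None if the grant has no state or
    the server put nothing there (e.g. an implicit response with state in the query)."""
    where = STATE_LOCATION.get(response_type)
    if where is None:
        return None
    parts = urlsplit(callback_url)
    raw = parts.query if where == "query" else parts.fragment
    values = parse_qs(raw).get("state")  # parse_qs also percent-decodes the value
    return values[0] if values else None


def validate_callback(callback_url, response_type, expected_state):
    """True only when the echoed state equals the one stored for this login attempt.
    Constant-time comparison avoids leaking how many leading bytes matched."""
    got = extract_state(callback_url, response_type)
    if got is None:
        return False
    return hmac.compare_digest(got.encode("utf-8"), expected_state.encode("utf-8"))
```

A callback whose state is missing or differs from the stored value should be treated as a failed login, not retried with the stored value substituted in; the point of the check is to bind the response to the browser session that started the flow.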
I have a hobby project in mind to use battle.net login. I'm wondering how I can obtain the access token from the API after receiving the authorization code.
This is an OAuth flow question rather than a battle.net question.
Currently I can successfully authorize the user for my app which is registered in dev.battle.net and then I try to use the authorization code returned from the battle.net login to obtain the access token by sending a request to https://<region>.battle.net/oauth/token.
However I keep receiving this error:
{
"error": "unauthorized",
"error_description": "An Authentication object was not found in the SecurityContext"
}
I use the Postman extension to send POST requests to that URI. I authenticate my request with my client id and secret. I pass redirect_uri (https://localhost), granty_type (authorization_code), and code (the code returned from the previous authorization step). However I keep getting the error above.
I couldn't find much about battle.net online. There are other oauth related help articles but couldn't really find my way.
Wondering if you can help me with this easy stuff. I'm just wondering what I'm skipping here.
Here is the documentation:
https://dev.battle.net/docs/read/oauth
https://localhost is added in my mashery dev account's app settings.
Me again, I resolved this problem after trying almost every combination in the universe :)
Steps to apply:
Don't use the same authorization token for different access token trials, they are not valid
Always use https on every domain you test, including localhost; your redirect_uri must be https as well.
You must use the "basic authentication" in the header of your POST request while requesting the token from the authorization code you obtained from the previous step.
This is one of the most important ones: for requesting the token, pass redirect_uri, client key and secret as POST form parameters to the authenticated request. This is interesting because it's already an authenticated request; why would I need to pass my secret again? Anyway, that's how it works.
Here is the full text:
http://hakanu.net/oauth/2017/01/26/complete-guide-of-battle-net-oauth-api-and-login-button/
This is a working prototype:
https://owmatch.me
Thanks.
So I asked the following question a few days ago: Redirect URI not redirecting correctly
I've since gotten further along, but now I need my access token to verify a JWT.
According to this, googleUser.getAuthResponse().access_token should return the access token, but it's coming back undefined.
I'm a bit confused by all of the different ways that Sign In with Google can be implemented, so if I already have a JWT and the access token is undefined, is that OK? I'm trying to verify the JWT with the code found here, but I'm not using an X509 cert. I figured I should be able to just do it with my client_id and secret.
Can someone please help me get out of this maze? :)
I can't figure out whether an OAuth 2.0 server should revoke old Authorization Codes (not Authorization Tokens) when a new code is requested. I also can't figure out in what format the OAuth server should show the error if a valid redirect_uri parameter is neither specified nor registered in the app settings.
Thank you for helping me understand this RFC.
https://www.rfc-editor.org/rfc/rfc6749
As far as I know, your questions are not covered by the specs, so the answers below reflect only my personal opinion on a practical implementation.
A client may legally request several authorization codes with different scopes. You can argue if this makes sense (though I think it does), but the standard does not forbid it. Consequently, I think old codes should be revoked only if a client resends a request (i.e. with exactly the same request details: client id, redirect uri, scopes).
For missing redirect_uri, servers should return HTTP 400 Bad Request and include error details in the message body (and/or appropriate HTTP headers).
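The two policies in the answer above, as a worked example added here (not code from the thread and not any real server's implementation): a toy authorization endpoint that refuses a missing or unregistered redirect_uri with HTTP 400 and a JSON error body instead of redirecting, issues codes keyed by (client_id, redirect_uri, scope set) so that only an identical re-request supersedes an earlier code, and accepts each code once at the token endpoint. The client registry, code store and token values are in-memory and constructed.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs


class AuthorizationServer:
    """Constructed in-memory authorization server for the two questions above."""

    def __init__(self, clients):
        # clients: {client_id: [registered redirect_uri, ...]} (constructed registry)
        self.clients = clients
        self.codes = {}  # code -> {"key": (client_id, redirect_uri, scope set), "used": bool}

    def authorize(self, params):
        """params: query parameters of the GET the user's browser made to /authorize.
        Returns ("redirect", location) or ("error", 400, json_body)."""
        client_id = params.get("client_id")
        redirect_uri = params.get("redirect_uri")
        registered = self.clients.get(client_id)
        if registered is None:
            return self._bad_request("invalid_request", "unknown client_id")
        # RFC 6749 4.1.2.1: with a missing or unregistered redirect_uri the server MUST NOT
        # redirect. Following the answer, report it as 400 with details in the body.
        if redirect_uri is None:
            return self._bad_request("invalid_request", "redirect_uri missing")
        if redirect_uri not in registered:
            return self._bad_request("invalid_request", "redirect_uri not registered")

        scope = frozenset((params.get("scope") or "").split())
        key = (client_id, redirect_uri, scope)
        # Policy from the answer: an identical re-request (same client, redirect_uri and
        # scopes) supersedes the earlier code; a request with a different scope does not.
        for old_code in [c for c, rec in self.codes.items() if rec["key"] == key]:
            del self.codes[old_code]

        code = secrets.token_urlsafe(24)
        self.codes[code] = {"key": key, "used": False}
        response = {"code": code}
        if "state" in params:
            response["state"] = params["state"]  # echoed unchanged (RFC 6749 4.1.2)
        return ("redirect", redirect_uri + "?" + urlencode(response))

    def redeem(self, code, client_id, redirect_uri):
        """Token endpoint: a code is accepted once, and only by the client and
        redirect_uri it was issued for (RFC 6749 4.1.3)."""
        rec = self.codes.get(code)
        if rec is None or rec["used"]:
            return None
        if rec["key"][0] != client_id or rec["key"][1] != redirect_uri:
            return None
        rec["used"] = True
        return {
            "access_token": secrets.token_urlsafe(24),  # constructed opaque token
            "token_type": "Bearer",
            "scope": " ".join(sorted(rec["key"][2])),
        }

    @staticmethod
    def _bad_request(error, description):
        body = json.dumps({"error": error, "error_description": description})
        return ("error", 400, body)


def is_code_valid(server, code):
    """True while a code is issued and not yet redeemed."""
    return code in server.codes and not server.codes[code]["used"]


def code_from_redirect(location):
    """Pull the code out of the redirect the user's browser would follow."""
    return parse_qs(urlsplit(location).query)["code"][0]


def error_code(body):
    """The `error` member of a JSON error body."""
    return json.loads(body)["error"]
```

The scope is stored as a set, so "read write" and "write read" count as the same request; if an implementation wants ordering or other parameters (PKCE challenge, nonce) to distinguish requests, they belong in the key as well.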
I'm currently working on an app that needs to integrate Vimeo. I'm therefore adapting my working OAuth2 client to allow authorization to Vimeo's new beta API.
However, there are some things that are unclear to me, and the documentation is a bit vague on the matter.
Should I get the client authorized before authentication?
The user authentication url is https://api.vimeo.com/oauth/authorize, should I send a GET or POST request to this URL with the required parameters?
Should I send a basic authorization header (Authorization : basic base64(client_id:client_secret)) along with authentication, or should it be an unauthenticated authorization header (Authorization : Bearer unauthenticated_access_token)?
Should I handle the authentication dialog through a UIWebView or through Safari?
Furthermore, I seem to get the error: { "error": "An unknown error has occured. Please let us know!"} when handling authentication through Safari. Does anyone have a clue on what actually went wrong or provide a way to find out? (Seems Vimeo improved their error displaying overnight ;))
The actual error I get is that the redirect_uri and client_id are missing, but I'm reasonably sure they get provided in the request body when doing a POST, or in the parameters when doing a GET. Any pointers?
Client authorization is not necessary to generate User authentication. Client authorization is only necessary to make unauthenticated api requests.
You don't make a request to api.vimeo.com/oauth/authorize, you send your user there. You should create a link, and put it on a page for your user to click. They will make a GET request to that endpoint, but it should not happen through your server.
Since your client is making a request to /oauth/authorize, there is no way you can define the headers. You will need to provide an authorization header to /oauth/access_token, and this should be Authorization : basic base64(client_id:client_secret)
We did fix a bug last night in our oauth error reporting :D. Sorry for the temporary confusion.
Without more information I can't really answer your error message. I'll add some comments, and then update this answer with more information.
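The code-for-token request that both the battle.net steps above (Basic header plus redirect_uri, client key and secret as form parameters, https-only redirect_uri, each code used once) and the Vimeo answer (Basic header on /oauth/access_token) describe, as a worked example added here; it is not code from either thread, from Blizzard or from Vimeo. The token URL, client credentials and code are constructed placeholders; the authorization step itself is a link the user follows, as the Vimeo answer explains, and is not built here.

```python
import base64
import json
from urllib.parse import urlencode, urlsplit, parse_qsl
from urllib.request import Request, urlopen


def basic_auth_header(client_id, client_secret):
    """RFC 6749 section 2.3.1: HTTP Basic with the client id as user and secret as password."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(token_url, client_id, client_secret, code, redirect_uri,
                        include_client_in_body=True):
    """Build the POST that exchanges an authorization code for an access token.
    include_client_in_body=True mirrors the battle.net steps (credentials in the header
    and repeated in the form); False is the plain RFC shape the Vimeo answer describes."""
    if urlsplit(redirect_uri).scheme != "https":
        # Battle.net step: every redirect_uri, localhost included, must be https.
        raise ValueError("redirect_uri must use https, including for localhost")
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one sent to /authorize
    }
    if include_client_in_body:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return Request(token_url, data=urlencode(form).encode("ascii"), headers=headers, method="POST")


def form_fields(req):
    """Decode the form body of a built request back into a dict (for inspection)."""
    return dict(parse_qsl(req.data.decode("ascii")))


def send_token_request(req, timeout=10):
    """Send the request and parse the JSON token response (network; not exercised offline)."""
    with urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


class CodeTracker:
    """Client-side guard for the first battle.net step: a code is presented to the token
    endpoint once; a retry with the same code is refused locally rather than resent."""

    def __init__(self):
        self._spent = set()

    def claim(self, code):
        if code in self._spent:
            return False
        self._spent.add(code)
        return True


if __name__ == "__main__":
    # Constructed placeholders, not a real token endpoint or real credentials.
    req = build_token_request("https://example.invalid/oauth/token", "my-client-id",
                              "my-client-secret", "code-from-callback", "https://localhost/callback")
    print(req.get_header("Authorization"))
    print(form_fields(req))
```

When the token endpoint still answers with an error, the first things to compare are the redirect_uri sent here against the one sent to the authorize endpoint (they must match byte for byte), and whether the code has already been presented once.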