I'm using the GTMOAuth-2 library to implement an OAuth 2 Authorization Code Grant flow to the Asana API, but consistently getting back a server error 500. The GTMHTTPFetcher log is as follows (selectively redacted):
fetch tokens for app.asana.com
2013-05-08 16:46:58 +0000
Request: POST https://app.asana.com/-/oauth_authorize
Request headers:
Content-Type: application/x-www-form-urlencoded
User-Agent: gtm-oauth2 <user-agent>
Request body: (199 bytes)
client_id=<client-id>&client_secret=_snip_&code=<client-secret>&grant_type=authorization_code&redirect_uri=http%3A%2F%2Fwww.google.com%2FOAuthCallback
Response: status 500
Response headers:
Cache-Control: no-store
Content-Length: 303
Content-Type: text/html; charset=UTF-8
Date: Wed, 08 May 2013 16:46:56 GMT
Pragma: no-cache
Server: nginx
Set-Cookie: <cookie>
X-Asana-Content-String-Length: 303
X-Asana-Preferred-Release-Revision: 20130508_073846_310cafc985fd5fb43121784b58d5dcd2503ffffe
Response body: (303 bytes)
<html>
<head>
<title>Error</title><script>__FILE__="(none)";var config = {
"CLUSTER": "prod",
"PRETTY_JS_CODEGEN": false,
"ENABLED_FEATURES": ""
};</script><link rel="shortcut icon" href="/-/static/luna/browser/images/favicon.ico" />
</head>
<body>
<h3>Error</h3><pre>Server Error</pre>
</body>
</html>
I've double-checked the auth and token URLs, client ID and secret, made sure the redirect URIs match on Asana and in-app. Interestingly, the authorization flow seems to get as far as authorizing the app (and the Asana site records the app as authorized), but it then never seems to return the authorization token. Is there anywhere I might be going wrong, or is this truly an internal server error?
(I work at Asana). I'm unsure where in the flow this request is being made, but it doesn't look correct. Once you've obtained the authorization code (by having the user interact with the Asana form), the library should then make a request to our /-/oauth_token endpoint, and pass us the code. So it's possible that you just need to be using the /-/oauth_token endpoint instead of the /-/oauth_authorize endpoint as you're doing.
If you look at our OAuth examples you'll note that there are two different URLs, one for authorization and one for token exchange.
Asana is probably returning a 500 because it's not expecting this and we're not doing a good enough job catching the problem.
Related
I have an API Gateway that publishes the request in SQS. This Gateway has SQS SendMessage policy, and this issue I am describing here does not happen when I use the Test option of the gateway.
I am using Insomnia to make requests to the server, with these headers:
Content-Type: application/x-www-form-urlencoded
x-api-key: <My API Key>
Basically the configuration was done following this tutorial:
https://medium.com/#pranaysankpal/aws-api-gateway-proxy-for-sqs-simple-queue-service-5b08fe18ce50
The only difference I included the MessageGroupId on the Mapping template for deduplication:
Action=SendMessage&MessageBody=$input.body&MessageGroupId=$context.resourcePath
The response I am getting is vey weird, because it is a Http 200, with header:
date: Mon, 12 Apr 2021 13:05:53 GMT
content-type: application/json
content-length: 377
x-amzn-requestid: xxxxxxxxxxxxxxxxxxx
x-amz-apigw-id: xxxxxxxxxxxxx
x-amzn-trace-id: Root=xxxxxx
And the body:
<?xml version="1.0"?>
<ErrorResponse
xmlns="http://queue.amazonaws.com/doc/2009-02-01/">
<Error>
<Type>Sender</Type>
<Code>AccessDenied</Code>
<Message>Access to the resource https://sqs.xxxxxxx.amazonaws.com/arn:aws:sqs:us-xxxx-x:xxxxxxxx:xxxxxxxxx.fifo is denied.</Message>
<Detail/>
</Error>
<RequestId>xxxxxxxxxxxxxx</RequestId>
</ErrorResponse>
x's are used to hide information I am not sure are sensible.
I am not sure how to proceed, it seems to an issue while publishing in the queue.
In my inexperience, I was not aware that API Gateway requires Deploy for most of the changes.
As per PKCE spec, OAuth provider uses code_verifier to avoid the man in the middle attack. My understanding that, it is the best alternative for JavaScript based single page application (SPA) to exchange OAuth code for token.
When I experiment this with Google API, it says "client_secret is missing".
Here is the HTTP Request and Response.
ID: 1
Address: https://oauth2.googleapis.com/token
Http-Method: POST
Content-Type: application/x-www-form-urlencoded
Headers: {Content-Type=[application/x-www-form-urlencoded], Accept=[/]}
Payload: grant_type=authorization_code&code=4%2F1AH3Ubnm550IoT8AZ_e_eqLYDn3-JyXVo22LOcAlsWPnxTV_o0tV2N1YMNFtqhvFm65n4tuZmHfK5tkKLOsbnRw&scope=openid+profile+email&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fdemo&client_id=myclientid.apps.googleusercontent.com&code_verifier=iv8n89-Dh3QD1uroYm6e6jcpZwxff60m-RYYlmLYArun6KF8o0z%7Ee3EjyVyYUp.4XxSbyI47QQSCMrY542sLWSUnxAG8e0a%7ETjmF_UFioJMA_ctB2jz6qbcYtu9uUOKp
ID: 1
Response-Code: 400
Encoding: UTF-8
Content-Type: application/json; charset=utf-8
Headers: {Accept-Ranges=[none], Alt-Svc=[h3-28=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"], Cache-Control=[private], content-type=[application/json; charset=utf-8], Date=[Mon, 22 Jun 2020 04:41:53 GMT], Server=[scaffolding on HTTPServer2], transfer-encoding=[chunked], Vary=[Origin,Accept-Encoding, Referer, X-Origin], X-Content-Type-Options=[nosniff], X-Frame-Options=[SAMEORIGIN], X-XSS-Protection=[0]}
Payload: {
"error": "invalid_request",
"error_description": "client_secret is missing."
}
Is my understanding that "we don't need client_secret when passing code_verifier" wrong or Google is not supporting PKCE or Do I miss some other parameter in the request? Please help.
I took a look and experienced the same problem when trying to use the latest Single Page App Standards. Looking at Google docs their implementation seems to still be based on the implicit flow.
I verified that you can send response_type='token id_token' and successfully get tokens, though I'd also prefer to use Authorization Code Flow (PKCE).
I tried without client_secret using keycloak on flutter app but it failed. code_verifier did not work; Hence I moved to use client_secret in my payload.
I have two DotNet MVC sites. One accesses a Web API from the other with an AJAX GET call.
This all worked, but has stopped functioning now. I've hardly made any changes on my side, so I'm wondering if my host might have made changes (in IIS, for example) that would stop this from working?
Here's how I initially got it working...
I installed the Microsoft.Aspnet.Cors and Microsoft.Aspnet.WebApi.Cors packages.
I added the following code...
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
config.EnableCors();
And in the controller for my API I added...
namespace Webscope.Controllers
{
[EnableCors(origins: "[URL of my other website]", headers: "*", methods: "*")]
public class EventAPIController : ApiController
This used to work, but now get the following error in the console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https:[my website URL]/EventRead/1-1-2015/12-12-2099. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
In response to #FoggyDay's answer below, I've called the API from Fiddler and got the following headers...
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Frame-Options: AllowAll
X-Powered-By: ASP.NET
Date: Fri, 13 Mar 2020 03:56:39 GMT
Content-Length: 198
So it looks as if CORS headers have not been included in the response. Can anyone tell me why this would be?
UPDATE
I found some extraneous code from a previous attempt to get CORS working. Now that I've removed this code, I am seeing the CORS headers in Fiddler.
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: https://[ calling website's URL ]/
However I'm still getting the following error in my calling site's console...
Access to XMLHttpRequest at
'https://[ destination site URL ]/api/EventRead/1-1-2015/12-12-2099' from
origin '[ calling website's URL ]' has been blocked by CORS
policy: Response to preflight request doesn't pass access control
check: No 'Access-Control-Allow-Origin' header is present on the
requested resource.
SUGGESTIONS:
Back out your "new" changes. It sounds like you've inadvertantly introduced a second header.
Read this: Reason: CORS header 'Access-Control-Allow-Origin' missing
Look at your HTTP traffic, for example in Fiddler. Verify that you're sending the header ... and verify that you're allowing the correct combination of host and port.
If you're still having problems, post back with the exact error message and relevant HTTP headers.
I'm at a loss for what's wrong. I'm always getting com.google.gdata.client.GoogleService$SessionExpiredException: Token invalid Token invalid when making API requests.
I have the following flow:
link user account
use credentials to get video upload entries
The code I use to link the user (get permission for my application) uses the JdoDataStoreFactory to persist user tokens and refresh info between API calls.
I used the following scopes when I ask the user to authorize my apps:
https://www.googleapis.com/auth/youtube.upload
https://www.googleapis.com/auth/youtube.readonly
Using GoogleAuthorizationCodeFlow I do a loadCredentials passing in the userId from my application that I used when requesting their auth token. I then feed those credentials to YouTubeService's getFeed method, requesting the url for video feeds: http://gdata.youtube.com/feeds/api/users/default/uploads
It looks like this:
service.setOAuth2Credentials(credentials)
videoFeed = service.getFeed(new URL(USER_FEED_PREFIX + DEFAULT_USER
+ UPLOADS_FEED_SUFFIX), VideoFeed.class)
After this executes, I always get the stacktrace:
com.google.gdata.client.GoogleService$SessionExpiredException: Token
invalid Token invalid Token invalid Error
401
at
com.google.gdata.client.http.GoogleGDataRequest.handleErrorResponse(GoogleGDataRequest.java:570)
at
com.google.gdata.client.http.HttpGDataRequest.checkResponse(HttpGDataRequest.java:560)
at
com.google.gdata.client.http.HttpGDataRequest.execute(HttpGDataRequest.java:538)
at
com.google.gdata.client.http.GoogleGDataRequest.execute(GoogleGDataRequest.java:536)
at com.google.gdata.client.Service.getFeed(Service.java:1135) at
com.google.gdata.client.Service.getFeed(Service.java:998) at
com.google.gdata.client.GoogleService.getFeed(GoogleService.java:645)
at com.google.gdata.client.Service.getFeed(Service.java:1017)
The way I'm initiating my request to my service is via curl, my command looks like this:
curl http://localhost:8080/user/someUserId/content
Using Wireshark I see the following in my request:
GET /feeds/api/users/default/uploads HTTP/1.1
Authorization: Bearer <the_auth_token_for_the_user>
User-Agent: MyApp YouTube-Java/1.0 GData-Java/null(gzip)
X-GData-Client: MyApp
Accept-Encoding: gzip
GData-Version: 2.0
Cache-Control: no-cache
Pragma: no-cache
Host: gdata.youtube.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
I'm stuck.
Ok, I figured this out. I was trying to query the user's uploaded videos, and apparently for an app to do that it has to be authorized for the https://www.googleapis.com/auth/youtube scope, not the scopes I had configured
Trying for hours to get a request token using Google OAuthGetRequestToken but it always returns "signature_invalid".
For a test I use the oAuth Playground to successfully request the token. Here are the results:
Signature base string
GET&https%3A%2F%2Fwww.google.com%2Faccounts%2FOAuthGetRequestToken&oauth_callback%3Dhttp%253A%252F%252Fgooglecodesamples.com%252Foauth_playground%252Findex.php%26oauth_consumer_key%3Dwww.embeddedanalytics.com%26oauth_nonce%3D56aa884162ed21815a0406725c79cf79%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1321417095%26oauth_version%3D1.0%26scope%3Dhttps%253A%252F%252Fwww.google.com%252Fanalytics%252Ffeeds%252F
Request/Response
GET /accounts/OAuthGetRequestToken?scope=https%3A%2F%2Fwww.google.com%2Fanalytics%2Ffeeds%2F HTTP/1.1
Host: www.google.com
Accept: */*
Authorization: OAuth oauth_version="1.0", oauth_nonce="56aa884162ed21815a0406725c79cf79", oauth_timestamp="1321417095", oauth_consumer_key="www.embeddedanalytics.com", oauth_callback="http%3A%2F%2Fgooglecodesamples.com%2Foauth_playground%2Findex.php", oauth_signature_method="RSA-SHA1", oauth_signature="qRtorIaSFaQdOXW1u6eMQlY9LT2j7ThG5kgkcD6rDcW4MIvzluslFgYRNTuRvnaruraNpItjojtgsrK9deYRKoHBGOlU27SsWy6jECxKczcSECl3cVAcjk7dvbywFMDkgi1ZhTZ5Q%2BFoD60HoVQUYnGUbOO0jPXI48LfkiA5ZN4%3D"
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Wed, 16 Nov 2011 04:18:15 GMT
Expires: Wed, 16 Nov 2011 04:18:15 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 118
Server: GSE
oauth_token=4%2FmO86qZzixayI2NoUc-hewC--D53R&oauth_token_secret=r0PReF9D83w1d6uP0nyQQm9c&oauth_callback_confirmed=true
I am using Fiddler to trace my calls. It returns the Signature base string:
GET&https%3A%2F%2Fwww.google.com%2Faccounts%2FOAuthGetRequestToken&oauth_callback%3Dhttp%253A%252F%252Fgooglecodesamples.com%252Foauth_playground%252Findex.php%26oauth_consumer_key%3Dwww.embeddedanalytics.com%26oauth_nonce%3Dl9Jydzjyzt2fJfM3ltY5yrxxYy2uh1U7%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1321417107%26oauth_version%3D1.0%26scope%3Dhttps%253A%252F%252Fwww.google.com%252Fanalytics%252Ffeeds%252F
Aside from the oauth_timestamp and oauth_nonce (which should be different), the base string are pretty much identical.
Anyone know what I am doing wrong?
Update 11/20/2011 Thinking it might be something wrong with my RSA-SHA signing, I have since tried HMAC-SHA. It gives the same results. I thought it might be beneficial to include the Fiddler results (I added carriage returns to have it format better).
GET https://www.google.com/accounts/OAuthGetRequestToken?
scope=https%3A%2F%2Fwww.google.com%2Fanalytics%2Ffeeds%2F HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth oauth_version="1.0",
oauth_nonce="7C4C900EAACC9C7B62E399A91B81D8DC",
oauth_timestamp="1321845418",
oauth_consumer_key="www.embeddedanalytics.com",
oauth_signature_method="HMAC-SHA1",
oauth_signature="ows%2BbFTNSR8jVZo53rGBB8%2BfwFM%3D"
Host: www.google.com
Accept: */*
Accept-Encoding: identity
Response
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=UTF-8
Date: Mon, 21 Nov 2011 03:16:57 GMT
Expires: Mon, 21 Nov 2011 03:16:57 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 358
Server: GSE
signature_invalid
base_string:GET&https%3A%2F%2Fwww.google.com%2Faccounts%2FOAuthGetRequestToken
&oauth_consumer_key%3Dwww.embeddedanalytics.com
%26oauth_nonce%3D7C4C900EAACC9C7B62E399A91B81D8DC
%26oauth_signature_method%3DHMAC-SHA1
%26oauth_timestamp%3D1321845418
%26oauth_version%3D1.0
%26scope%3Dhttps%253A%252F%252Fwww.google.com%252Fanalytics%252Ffeeds%252F
Update 11/24/2011 - I want to add more information based on the answers from #Meysam and #Bob Aman. First, my domain is properly registered with Google. I have been using AuthSub for quite some time now with Target URL path prefix set to http://www.embeddedanalytics.com/authsubsuccess.html. Now when I go to the Manage Domains section it states my oAuth consumer key is www.embeddedanalytics.com. Now perhaps this could be a problem. In the Registration for Web-Based Applications document it states:
If you're using the OAuth interface, this URL (the "Target URL path prefix") must match the value of the oauth_consumer_key parameter
In my case I have a target URL different from my oauth_consumer_key. Could this be a problem? I use www.embeddedanalytics.com as the consumer_key in the playground and it works. I don't want to mess with the target URL because it is currently being used with my AuthSub authorizations.
I assume you have not registered your application domain with Google. Therefore, whatever consumer secret you are using to sign your request (in HMAC-SHA1 method) will be denied unless you provide anonymous as your oauth_consumer_key and consumer secret. This way, Google will recognize you as an unregistered application and will successfully return you a Request Token.
If you use the HMAC-SHA1 method, the Consumer Secret and Token Secret will be used to sign your requests. These two secret parameters are known both to your application, and Google, and act like a secret key in a symmetric encryption algorithm.
In order to use RSA-SHA1 method however, you should have already uploaded your Public Key to the server (Google Server) during the registration process of your application. After that, you will use your Private Key to sign your OAuth requests. In your case, since you have not registered your application, Google is not aware of your Public Key, and therefore using RSA-SHA1 method to sign your requests with an unknown Private Key is of no use.
The first method is usually preferred over the RSA-SHA1 method for performance reasons. (symmetric encryption is faster than asymmetric one)
So this is the way I could successfully get a Request Token in the OAuth Playground:
Set 'oauth_consumer_key' to anonymous (unless you have
registered your application and have a real Consumer Key)
Set 'consumer secret' to anonymous (unless you have registered your
application and have a real Consumer Secret)
Choose https://www.google.com/analytics/feeds/ as the scope of request.
Press 'Request token' button
Result:
GET /accounts/OAuthGetRequestToken?scope=https%3A%2F%2Fwww.google.com%2Fanalytics%2Ffeeds%2F HTTP/1.1
Host: www.google.com
Accept: */*
Authorization: OAuth oauth_version="1.0", oauth_nonce="116d4df85e784f51cf40f0bc3a967883", oauth_timestamp="1322083727", oauth_consumer_key="anonymous", oauth_callback="http%3A%2F%2Fwww.googlecodesamples.com%2Foauth_playground%2Findex.php", oauth_signature_method="HMAC-SHA1", oauth_signature="vVxpbtHlTR%2BJ1yT%2BYS1HOvRzhOs%3D"
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Wed, 23 Nov 2011 21:28:47 GMT
Expires: Wed, 23 Nov 2011 21:28:47 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 118
Server: GSE
oauth_token=4%2F7E_YtZFHuKFPbuAGuCzyj2AsHcha&oauth_token_secret=NHZBJCj2BPxR2HQZhCTwdq2A&oauth_callback_confirmed=true
Now that you have acquired oauth_token and oauth_token_secret, you can press Authorize button. This will redirect you to the login page of Google (if you are not signed in) and then to the page you grant access to the application. By granting access, you will get back to the callback url in the playground with a verifier code. Pressing 'Access token' button, will get you the access token:
GET /accounts/OAuthGetAccessToken HTTP/1.1
Host: www.google.com
Accept: */*
Authorization: OAuth oauth_version="1.0", oauth_nonce="c222a88cc9f027430b239f4cc6f3f154", oauth_timestamp="1322084080", oauth_consumer_key="anonymous", oauth_verifier="TA6vWcDJC51A9YwMNfmUzmUQ", oauth_token="4%2F7E_YtZFHuKFPbuAGuCzyj2AsHcha", oauth_signature_method="HMAC-SHA1", oauth_signature="q9M%2BjeHNxB2ONPd1DPMn6GriUC8%3D"
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Wed, 23 Nov 2011 21:34:40 GMT
Expires: Wed, 23 Nov 2011 21:34:40 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 103
Server: GSE
oauth_token=1%2Fxy49iwSQEcqSDbo3cKO-UuPLqvt9qKFit9vaLqR6P-M&oauth_token_secret=IJWB1CVSQfYJJPrf9jXv6SS8
*Note: One time, I got the signature_invalid response too, even though I had entered anonymous credentials. But after trying again and pressing 'Request token' button one or two more times I made it. I think this should be due to how nonce and timestamp parameters work to sign the request. This could be the cause of problem. Read this article for more info.
Further reading:
Managing the OAuth key and secret
Registration for Web-Based Applications
Googler here. Haven't fielded OAuth 1 questions in a long time because everyone's moving to OAuth 2 (and you should too) but I'll try to go through the usual suspects on invalid signature errors:
Your server's clock may be wrong. There's a timestamp component and it needs to match ours pretty closely. Try updating your clock against one of the major reference time servers. This happens, but it's an uncommon issue.
Depending on how low-level the OAuth client you're using is, you may have forgotten to supply part of the key used to generate the signature. The key has two pieces, colon-separated, IIRC. In some parts of the protocol, only one half is needed, but for other parts of the protocol, you need both. I've seen cases where someone kept supplying only the first half when both were needed. Actually, I think I made this mistake myself a couple times.
Probably not an issue in your case, because you haven't even gotten past the request token, but OAuth 1 requires you to sign the URI query parameters. Failure to do this will cause the signature base strings to mismatch, thus causing the signature to be invalid.
By far the most common issue is improper encoding. This usually gets expressed as signatures that work sometimes, but fail other times, because sometimes you get lucky and nothing needs to get encoded. I suspect this is what #Meysam ran into based on his comment that he pressed the button a few more times and suddenly it worked.
By the way, if you have to use OAuth 1, you should be using HMAC-SHA1 unless you've got a really good reason to do RSA-SHA1.