I am trying to connect to LinkedIn using the OAuth2Service provided by rauth.
I successfully retrieve the access token. To do so, I configured a specific decoder for the json response.
json_decoder = json.loads
params = {'decoder': json_decoder}
session = linkedin.get_auth_session(data=data, **params)
But when doing the API call via
r = session.get('people/~', data={"x-li-format":'json'},)
the following response is coming back:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error>
<status>401</status>
<timestamp>1369334215190</timestamp>
<request-id>F3SKIP4YUF</request-id>
<error-code>0</error-code>
<message>Unknown authorization header {Bearer AQU2HxhdXVHGG4sIWdZV7siahjVyTz0KIigEVvtMpAh...}
</message>
</error>
Is it possible that LinkedIn does not support the bearer token? If so, does rauth support other schemes?
Rauth supports turning off the default header-based authentication by passing in bearer_auth=False, see the documentation. This should correct problems with misbehaving providers that either don't support header-based authentication or implement it improperly. Hope that helps!
Related
Cheers everybody,
we have been deeply reading google documentation on exchanging access_token from google in order our (delphi)desktop application to SSO with google from server side. Here is the payload we send first look like:
https://accounts.google.com/o/oauth2/v2/auth?client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&state=E1DF2FBA-0A66-4D69-B594-5EB8F7828AF7&scope=openid+profile&include_granted_scopes=true&code_challenge=C832DA50-E55A-499D-89B8-493BB4123C94&login_hint=test#Speelkriebel.be
Normally after this it redirects me to login in to our test user and after this according to the documentation we send a POST request to the end point token in order to get the access_token and refresh_token...: 'https://oauth2.googleapis.com/token
with the following parameters, the 'code' is generated we also send it as follow:
client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com
grant_type=authorization_code
client_secret=******
code= 4/1AY0e-g4GlavO38PI5Oo3vq04Pc4lMWN77et-02UiVWOsT-IyRQnU1lq19qo
redirect_uri = urn:ietf:wg:oauth:2.0:oob
The response is always
{
"error_description": "Missing code verifier.",
"error": "invalid_grant"
}
We have tried to send the client secret id also, Does it have to do with our code_challenge ? are the end points url and initial url okay? What are we missing? We are using CEF4Delphi as "browser like experience in order for the user to type in their google credentials. We have been reading this: https://developers.google.com/identity/protocols/oauth2/web-server#offline
We were also trying the playground :https://developers.google.com/oauthplayground/
we were sending the initial url in a chrome which generated a "code" and in the playground we inserted the code, and still got the same error of missing code verifier.
Thanks Guys
You seam to have URL encoded a lot of the values try not doing that. Also try using the basic call, before you start adding everything else. It should help you figure out which one of those extra parameters you are sending that's causing your issues.
https://accounts.google.com/o/oauth2/auth?client_id={clientid}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=profile&response_type=code
Also make sure that the client id is from an installed / other type client
This may also help Google 3 Legged OAuth2 Flow
For installed apps, the code challenge and verifier are parameters for enhancing the security of the OAuth flow through PKCE [1].
There is additional documentation about generating a code challenge and verifier here [2].
[1] https://www.rfc-editor.org/rfc/rfc7636
[2] https://developers.google.com/identity/protocols/oauth2/native-app#step1-code-verifier
I want to use OAuth2 authentication in my application for calling Eloqua APIs using access token.
I'm following instructions given in the link http://docs.oracle.com/cloud/latest/marketingcs_gs/OMCAB/Developers/GettingStarted/Authentication/authenticate-using-oau… and using Resource Owner Password Credentials grant flow for getting access token.
POST https://login.eloqua.com/auth/oauth2/token
Authorization: Basic Q09NUEFOWVhcdXNlcjE6cGFzc3dvcmQxMjM=
{
"grant_type":"password",
"scope":"full",
"username":"testsite\\testuser",
"password":"user123"
}
But I'm getting exception "java.net.ConnectException: Connection timed out: connect" while calling get token endpoint https://login.eloqua.com/auth/oauth2/token from java code.
I tried the endpoint using browser but getting similar error. Also tried accessing the endpoint using REST client but again same connection error.
I'm unable to understand that why the endpoint is giving connection timeout exception. I also tried increasing timeout but same error.
Please guide me as I'm stuck.
Is there any other endpoint for getting Eloqua access token?
Below is a POSTMAN Screenshot in case it helps.
Also written out in case someday that screenshot isn't there. Don't use built in Auth in POSTMAN since you need to base64 encode the clientid:clientsecret with the : in the middle. These values are provided when you created an App in Eloqua.
Be sure to include the content type as application/json and the Authorization. Use a double backslash in the Json for the username in between the site and username (clientsite\\username).
JSON body should look like this:
{"grant_type":"password","username":"clientsite\\username","password":"password"}
Make sure you are doing a POST to login.eloqua.com/auth/oauth2/token
From the docs:
POST https://login.eloqua.com/auth/oauth2/token
Authorization: Basic Q09NUEFOWVhcdXNlcjE6cGFzc3dvcmQxMjM=
{
"grant_type":"authorization_code",
"code":"SplxlOBeZQQYbYS6WxSbIA",
"redirect_uri":"https://client.example.com/cb"
}
From your request, it looks like you are missing the redirect_uri and the code.
Try using the body contract from the docs: http://docs.oracle.com/cloud/latest/marketingcs_gs/OMCAB/index.html#Developers/GettingStarted/Authentication/authenticate-using-oauth.htm
I have to integrate openid connect authentication provider to pentaho.
Currently, I am referring below url for doing this:
https://bitbucket.org/secureops/sops-pentaho
Above link targets only third party openId providers like (gmail, yahoo, facebook and so on) but in my requirement, client has SSO Authentication Provider implemented in IdentityServer3. I tried OpenId4Java APIs which are internally used in above link to consume client end points but It fails with following exception:
org.openid4java.consumer.ConsumerException: 0xa00: Authentication cannot continue: no discovery information provided.
It seems whatever openid provider its connecting to, Its expecting below XRDS kind of discorable document to be returned as response, If it doesn't find it gives above exception.
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS
xmlns:xrds="xri://$xrds"
xmlns:openid="http://openid.net/xmlns/1.0"
xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/server</Type>
<Type>http://specs.openid.net/extensions/pape/1.0</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<Type>http://specs.openid.net/extensions/oauth/1.0</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/lang-pref</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
<Type>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier</Type>
<Type>http://www.idmanagement.gov/schema/2009/05/icam/no-pii.pdf</Type>
<Type>http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdf</Type>
<Type>http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf</Type>
<URI>https://open.login.yahooapis.com/openid/op/auth</URI>
</Service>
</XRD>
</xrds:XRDS>
But in IdentityServer3 openid provider, It doesn't implement such service which provides XRDS files shown as above.
Any idea how to resolve this, I have done search but didn't find anything to solve this issue.
I have also tried https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server API but the problem is this APIs are using advance version of Spring libraries and pentaho is using very old so library incompatibilities issues are coming.
Please suggest me any ideas to resolve above issue or suggest me any other approach.
I really appreciate your help.
There's a big difference between the original OpenID (1.0, 2.0) and the more recent OpenID Connect protocol. The Pentaho link that you provide points to OpenID 2.0 documentation. IdentityServer3 (and Google for that matter) only support OpenID Connect so you can't follow that documentation. I don't think Pentaho supports standards-based OpenID Connect yet.
I'm using Postman to make GET requests from the Twitter API, but having some quirky issues when using search/tweets for a particular hashtag. My goal is to return a list of recent tweets that have the same #hashtag. I'm following along with Twitter's instructions on how to do this, which can be found here (look under the header 'Query Parameters').
This returns the below JSON response
GET https://api.twitter.com/1.1/search/tweets.json?q=%23somehashtag
{
"errors": [
{
"message": "Could not authenticate you",
"code": 32
}
]
}
I'm using OAuth 1.0, also based on Twitter's docs. I can make successful calls to the same endpoint by simply removing the %23:
GET https://api.twitter.com/1.1/search/tweets.json?q=somehashtag
Since you use OAuth 1.0 this suggests the the code that generates the signature does not correctly include the %23 in the payload that is signed. Switching to OAuth 2.0 will make sending authorized requests easier and future proof.
Just need to encode the #. Don't need to go to OAuth2
var url="https....?q="+encodeURIComponent("#hashtag")
and it should work for you.
I am facing the same issue with POSTMAN, and it seems like a bug
I've found this in a different scenario
GET parameters that have been URL encoded need to be decoded before adding to oAuth.
https://github.com/J7mbo/twitter-api-php/pull/112
it seems there is no way to tell postman to not encode, but in my code it just works
Responding to an old post , but using Bearer Token on Postman is working for me to resolve this authorization issue ( code 32) of using #hashtag in query
https://api.twitter.com/1.1/search/tweets.json?q=%23somehastag&result_type=recent
Hoping someone can help me out here. I'm using Google Contacts API to fetch a list of contacts. To my understanding, this is done by sending a GET request:
https://www.google.com/m8/feeds/contacts/default/full?alt=json&max-results=9999&oauth_token=OATH_TOKEN_HERE
However, this is wildly insecure as any intruder can gain access to the oauth_token in the URL. To combat this, I'm trying to send this as a POST request with my parameters (alt, max-results, oauth_token) as the data. However, I simply get an error that "Authorization is required". I've tried adding "Authorization: OAuth" to my headers but to no avail (get an error that authorization type is not recognized).
Any advice? I need a secure way to send the oauth token to Google such that my security software won't complain about a security hole in my program ...
Thanks!
To answer your question directly, even though security is irrelevant as you are using HTTPS, you cannot POST to Google to get a list of contacts. Google requires you use Get.
The proper formatting for authorization (Because you can still use a Get and not pass the oauth_token as a query string is to use an HTTP Header formatted:
Authorization: Bearer 1/fFBGRNJru1FQd44AzqT3Zg
Using OAuth 2.0 to Access Google APIs