I have a working OAuth process for authorizing with Google. My app can get data from the Google Sites API from areas that only the account used to authorize it has access, so I know that much is working. The trouble is creating new data via the API. I consistently get "Unknown authorization header" when trying to POST to the endpoint. The real frustration appears when I try to use the Google Oauth Playground. I put in the credentials I have, put in the same endpoint and same request body, and try it there -- and everything works perfectly.
I'm using Ruby 1.9.3 on the API side, and I've tried with both oauth-ruby and the Google-written signet client. Both do the same thing. I've verified and re-verified that the credentials are as I expect them to be (both just checking, and using the same ones in the Oauth Playground and seeing them work).
I have no idea why this is happening, because there's precious little information coming from Google's API about what's actually wrong with my request.
For the record, I'm using;
Ruby 1.9.3
oauth-ruby and signet for clients
OAuth 1.0
HMAC-SHA1 hashing
3-legged authorization
As it turns out, the problem was because I was failing to include the Content-Type header in the request. Yes, this didn't make any sense to me, either, considering the error message, but that's what it was.
Related
When we are accessing Asana API we are using the Asana node client v0.15.0 together with an Tampermonkey script. The Api is responding with an 401 (Unauthorized).
This worked a couple a days ago. I have tried with new Personal Access Tokens but still get the same error.
While fiddling the request I tried to change the auth-header Bearer to be lower cased.
Authorization: Bearer my-personal-access-token ->
Authorization: bearer my-personal-access-token.
This seems to work fine, that indicates that something changed on Asana's side.
The node-asana js client lib does not let me modify the request before sending it to Asana API.
According to Asana API support it is on stackoverflow that I should ask about help on this matter.
EDIT
By some further investigation it seems that when we send in the cookie
auth_token=My auth token we do get the 401 error. But If removing the cookie and reissue the request in fiddler it works fine.
Another note is that now we do not get any custom_fields in the response from e.g https://app.asana.com/api/1.0/tasks/TaskId
I'm a Developer Advocate at Asana. You've caught something that is a known issue and we're working on a fix :) We're rolling out a new version of our API. It's intended to be backwards-compatible with the older implementation, but giving us multiple forms of authentication is one of those cases where we do something different between the two.
For security purposes, we initially implemented this in the new version to not allow requests with multiple forms of authentication, but it turns out that in-browser integrations were affected in precisely the way you're seeing: being logged into Asana, which causes your browser to send your authorization credentials for requests to asana.com automatically, and also authorizing "the right way" for our API with OAuth or a Personal Access Token will end up breaking. We're working on a fix that will allow this to work for the case when both the logged in (cookie) user and the API (access token) user are the same.
If this is an urgent issue and you want to force the old behavior to happen while we roll out the fix in our newer API implementation, you can set a header as described in that link --^ to force your requests on to the old API. Once we get the new API fully deployed and stable, though, we'll deprecate that header, so please be cautious in relying on it for a long-term solution.
Sorry that this has caused issues for you, and thanks for creating this question to let us know!
So I'm trying to do google oauth to get a refresh token for my users (not actually using google oauth to save the user). I had everything working when I used the client side OAuth for google api but they don't provide a refresh token when you do that handshake, only an access_token. I need a persisted refresh_token since I'm going to be making a lot of requests to the users google calendars.
So I set up omniauth on my rails server to make the flow go like this:
user clicks authenticate with google (client side) -->
popup screen goes to backend server (localhost:3001/users/auth/google_oauth2) -->
backend rails server redirects to google for authentication -->
they authenticate with google and get redirected to backend server's callback (localhost:3001/users/auth/google_oauth2/callback) -->
backend server saves token for appropriate user and then redirects back to client side app on localhost:3000 (nothing needs to be done on client, just need the token saved on my server for future use)
I do however need to know that the authentication was successful so I can dispatch appropriate actions in react/redux. In redux-auth they check for the access_token inside the popup.location URI. Problem is when I use this server side popup flow I get this nasty http/https error:
(original image: http://imgur.com/v5NgIGr)
If instead of redirecting back to the client I just redirect to a view in my backend server I could then have a script on that page that just does window.close() which works but seems hacky to me. Another potential solution I was thinking was to try and use the window.postMessage api but I don't know if that has great browser support/also seems hacky. I could emit a message to the other window (the main client app) from the popup saying the oauth was successful so my react code and do whatever it needs to do.
I feel like I'm just approaching this whole flow completely wrong or I'm missing something obvious.
I also feel like if I just had HTTPS on everything it would all work since before when it was 100% client side the popup worked beautifully and I didn't get this SecurityError. I spent some time figuring out how to get my webpack dev server using https and tried doing the same with rails (think I did something wrong on the rails side) but it was still not working. Also feel like I shouldn't need to force HTTPS on all my development servers in order to get it working...
If anyone has any thoughts or could give me some direction that would be much appreciated!!
You are approaching this the wrong way. Google's authentication and their APIs do have confusing documentation. I was also stuck with similar situation and after spending considerable time, I found the right way to do this.
From your question, I believe this seems like the relevant link: https://developers.google.com/identity/sign-in/web/server-side-flow
And following it, here is how your flow should look like:
To map it on your problem, this is what you will do:
user clicks authenticate with google (client side)
Client requests Google for authorization that includes your scopes
and receives a one time authorization code.
Client Sends this authorization code to your ruby server.
Ruby server uses the authorization code to exchange it with access_token and persisted refresh_token which you shall use in your subsequent requests to google apis.
Hope it helps.
I have an interesting problem. We have set up the Thinktecture Authorization Server from the trusty Identity Server 2 and gotten it to work a few months back. It is configured as a relying party for an already existing corporate identity server, so when we use the Code Flow example, click the "Start authorization handshake" we bounce over to the identity server, supply our credentials and get bounced back to the callback of the code flow with an access code, click the Get Token, and are granted with this fine jwt token. All seems fine.
However,
When we try this either from, for instance, postman, or our app development team from their development devices (android and iphone), it starts fine but when we call the token endpoint with our newly minted access code we get an "Anonymous client" response.
Looking at the web example from the CodeFlow example I see it posts basic authentication including a base64 value of the secret wich is missing from postman and our app team. I see no reference to this in the CodeFlow example so I have no idea where this comes from. If I hard code the Authorization BASIC [including the Base64 secret I snatched from the previous example] it does not change anything.
We'be been stuck for several days on this so any help would be gratefully appreciated. Any Ideas?
After a lot of recearch and hair pulling it seems the Postman client we are using does not support Code Flow and therefore does not include the Authorisation header we are missing. After capturing the traffic from Postman with Fiddler we manually added the basic authorization header with the client name and secret and got everything working. So as of now, postman does not work.
I hope postman does add support for codeflow in the future.
Atli
I am implementing yahoo OAuth 2.0. After a lot of struggle, I was able to get the authorization code.
When I try to get the access token in exchange for the authorization code, i get the error as follows
Description: Could not process your request for the document
because it would cause an HTTP proxy cycle. Please check the URL and your
browser's proxy settings.
I get this type of error randomly when i try to navigate from my app to yahoo authentication page. Can anyone give some details if they have overcome this problem.
I am not using any owin middleware and making a plain HttpClient based request
This problem is from yahoo side, i have checked a lot of forums and got to this conclusion. Whenever you see it just press F5 once and it will go for your that session.
I am connecting to the QB API using a Go library that I found for OAuth 1.0a: https://github.com/kurrik/oauth1a. I actually had everything working, and I cannot think of anything that I changed, but now every request I make is returned with token_rejected. From what I have read elsewhere, this usually means that my access token has expired, but even if I start the whole 3-legged OAuth process from the beginning I will get the same response as soon as I am verified. I have triple-checked my consumer key and secret, I know they are correct. I can plug in the Access Token and Secret created using the API Explorer into my code and it works just fine, so I know the problem is something related to the Access Token that I am getting back from QB. Everything looks OK when I print out the tokens that I am using, they do match what QB sends me back via the querystring after the handshake process. I have been banging my head against the wall all day now, any help would be great.
Just adding the answer, it was an issue with the Oauth Library code and is now resolved.
-Jarred