Invalid signature for signature method HMAC-SHA1 - oauth

I am using oauth 1.0 provider implementation to protect my api as security mechanism.
I am using Oauth Test Client to request token, authorize and get access token and it is working quite fine. But I can not access my protected resources using it as it does not provide such facility.
So i tried to use Netflix Client to generate calls for oauth provider. But when I try to run such calls they are not succeeded but give me HTTP Status 401 - Invalid signature for signature method HMAC-SHA1. I tried to generate signature manually and using some Automatic Method but all ended in same error.
Please can you tell me what I am doing wrong? or could you please refer me to some good material or suggest any solution? Any help will be deeply appreciated.

Related

Issue with invalid_grant error with Google Oauth2

Cheers everybody,
we have been deeply reading google documentation on exchanging access_token from google in order our (delphi)desktop application to SSO with google from server side. Here is the payload we send first look like:
https://accounts.google.com/o/oauth2/v2/auth?client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&state=E1DF2FBA-0A66-4D69-B594-5EB8F7828AF7&scope=openid+profile&include_granted_scopes=true&code_challenge=C832DA50-E55A-499D-89B8-493BB4123C94&login_hint=test#Speelkriebel.be
Normally after this it redirects me to login in to our test user and after this according to the documentation we send a POST request to the end point token in order to get the access_token and refresh_token...: 'https://oauth2.googleapis.com/token
with the following parameters, the 'code' is generated we also send it as follow:
client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com
grant_type=authorization_code
client_secret=******
code= 4/1AY0e-g4GlavO38PI5Oo3vq04Pc4lMWN77et-02UiVWOsT-IyRQnU1lq19qo
redirect_uri = urn:ietf:wg:oauth:2.0:oob
The response is always
{
"error_description": "Missing code verifier.",
"error": "invalid_grant"
}
We have tried to send the client secret id also, Does it have to do with our code_challenge ? are the end points url and initial url okay? What are we missing? We are using CEF4Delphi as "browser like experience in order for the user to type in their google credentials. We have been reading this: https://developers.google.com/identity/protocols/oauth2/web-server#offline
We were also trying the playground :https://developers.google.com/oauthplayground/
we were sending the initial url in a chrome which generated a "code" and in the playground we inserted the code, and still got the same error of missing code verifier.
Thanks Guys
You seam to have URL encoded a lot of the values try not doing that. Also try using the basic call, before you start adding everything else. It should help you figure out which one of those extra parameters you are sending that's causing your issues.
https://accounts.google.com/o/oauth2/auth?client_id={clientid}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=profile&response_type=code
Also make sure that the client id is from an installed / other type client
This may also help Google 3 Legged OAuth2 Flow
For installed apps, the code challenge and verifier are parameters for enhancing the security of the OAuth flow through PKCE [1].
There is additional documentation about generating a code challenge and verifier here [2].
[1] https://www.rfc-editor.org/rfc/rfc7636
[2] https://developers.google.com/identity/protocols/oauth2/native-app#step1-code-verifier

ss_domain parameter in context of OAUTH or OpenID?

I'm trying to learn about OAUTH and OpenID Connect.
Thus I am investigating my own traffic, listening to Authorization Requests and Grants by checking for required parameters in OAUTH as described in https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1 and https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2 for the Authorization Code Flow as well as described in section 4.2.1 and 4.2.2 for the Implicit Flow.
Unfortunately, by using the SSO option for Google on joinhoney.com, I am only able to catch the Request, but not the Authorization Grant.
So, while debugging and having a look at the actual request, I can see the following parameters in the query part of the url:
Parameter
Value
redirect_uri
storagerelay://https/www.joinhoney.com?id=auth[censoredID]
response_type
permission id_token
scope
email profile openid
openid.realm
client_id
705229005811-2fdpup66d8aefq4qs2ru1n8qiosuq4fb.apps.googleusercontent.com
ss_domain
https://www.joinhoney.com
fetch_basic_profile
true
gsiwebsdk
2
Now, to get to the actual question:
Where can I find some specified information about the ss_domain parameter?
I could not find any information in https://www.rfc-editor.org/rfc/rfc6749 as well as on https://openid.net/, however when using google, I can find some people using the ss_domain parameter (only without further explanation), so I doubt it is something only used by joinhoney.com.
Would be happy if somebody could bring some light in here!
Thank you!
If you are at www.example.com, and you your redirect_uri is to a different domain e.g. subdomain.example.com, you need to set ss_domain to https://subdomain.example.com.
This custom ss_domain change, however, is not possible using the Google login client side sdk. You got to push the url manually.

Access Protected Resource API gives “401 Unauthorized” error

I want to add authorization to my project based on this tutorial. I've got the part of retrieving an access token working. But when using the token to access a protected resource API I get a 401 unauthorized error.
The request has an authorization header with scheme Bearer and containing the access token. Like in the tutorial the API is protected with the [Authorize] attribute. During startup I setup Bearer Authentication with
UseOAuthBearerAuthentication(new Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationOptions())
It is not clear to me why the request is unauthorized. What can I check to find the cause of this problem?
After trying and checking many things, I noticed the authorization server and the resource server were using a different version of Owin and Owin.Security. After updating the older one, it worked. The tokens must have changed between the 2 versions.

Eloqua OAuth2 authentication get token URL inaccessible

I want to use OAuth2 authentication in my application for calling Eloqua APIs using access token.
I'm following instructions given in the link http://docs.oracle.com/cloud/latest/marketingcs_gs/OMCAB/Developers/GettingStarted/Authentication/authenticate-using-oau… and using Resource Owner Password Credentials grant flow for getting access token.
POST https://login.eloqua.com/auth/oauth2/token
Authorization: Basic Q09NUEFOWVhcdXNlcjE6cGFzc3dvcmQxMjM=
{
"grant_type":"password",
"scope":"full",
"username":"testsite\\testuser",
"password":"user123"
}
But I'm getting exception "java.net.ConnectException: Connection timed out: connect" while calling get token endpoint https://login.eloqua.com/auth/oauth2/token from java code.
I tried the endpoint using browser but getting similar error. Also tried accessing the endpoint using REST client but again same connection error.
I'm unable to understand that why the endpoint is giving connection timeout exception. I also tried increasing timeout but same error.
Please guide me as I'm stuck.
Is there any other endpoint for getting Eloqua access token?
Below is a POSTMAN Screenshot in case it helps.
Also written out in case someday that screenshot isn't there. Don't use built in Auth in POSTMAN since you need to base64 encode the clientid:clientsecret with the : in the middle. These values are provided when you created an App in Eloqua.
Be sure to include the content type as application/json and the Authorization. Use a double backslash in the Json for the username in between the site and username (clientsite\\username).
JSON body should look like this:
{"grant_type":"password","username":"clientsite\\username","password":"password"}
Make sure you are doing a POST to login.eloqua.com/auth/oauth2/token
From the docs:
POST https://login.eloqua.com/auth/oauth2/token
Authorization: Basic Q09NUEFOWVhcdXNlcjE6cGFzc3dvcmQxMjM=
{
"grant_type":"authorization_code",
"code":"SplxlOBeZQQYbYS6WxSbIA",
"redirect_uri":"https://client.example.com/cb"
}
From your request, it looks like you are missing the redirect_uri and the code.
Try using the body contract from the docs: http://docs.oracle.com/cloud/latest/marketingcs_gs/OMCAB/index.html#Developers/GettingStarted/Authentication/authenticate-using-oauth.htm

IOS twitter login get request_token error

I'm trying to get request_token from https://api.twitter.com/oauth/request_token. But I always got following error.
"Failed to validate oauth signature and token"
Below is my signature_base:
POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%3A%2F%2Fwww.google.com%26oauth_consumer_key%3DydxYUl45Mleo5LNyoExnAF4mY%26oauth_nonce%3D9C918901-EF8A-4B84-BDF5-B7E754C46397%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1415174195%26oauth_version%3D1.0
The auth header generated is:
{
Authorization = "OAuth oauth_version=\"1.0\",
oauth_nonce=\"9C918901-EF8A-4B84-BDF5-B7E754C46397\",
oauth_signature_method=\"HMAC-SHA1\",
oauth_consumer_key=\"ydxYUl45Mleo5LNyoExnAF4mY\",
oauth_timestamp=\"1415174195\",
oauth_callback=\"http://www.google.com\",
oauth_signature=\"j6k3CY4Fr40SKAWiG%2B5%2BwkErdYc%3D\"";
}
I verified the signature with my secret key and it's correct. Really can't figure out where the problem is...
One clue is that when oauth_callback is not used at all, I'm able to get request token... Please help!
Thanks,
Lee
Edit:
If I don't use oauth_callback, I'm able to get request token and the callback I set in dev twitter website is used. However, I can't set it to URL Scheme of my app since it's not valid url...
You are not encoding the oauth_callback url correctly.
In the signature base it should be encoded as:
oauth_callback%3Dhttp%253A%252F%252Fwww.google.com
and then in the Authorization header as:
oauth_callback="http%3A%2F%2Fwww.google.com"
The same problem i was struggling as well.
Approach that help is bellow.
Using Twitter to authenticate is quite uncomfortable to do due to the errors and bad documentation. I will defiantly recommend you, to use one of the two approaches that are : Github library that is well documented and easy to implement. Or use iOS Social framework to write own logging.

Resources