I'm using this code/guide another twitter oAuth cURL access token request that fails to test signing my request to the API. I'm still trying to go through step 1 of this
Note: the keys are just random, they're not real :)
when I try to make a request without oauth_callback I get a valid response from the api
https://api.twitter.com/oauth/request_token?oauth_consumer_key=nHb2kSQ2CD9MW1MdW5VeQ&oauth_nonce=1356902849&oauth_signature=MbvhwGiNPKQR0klUPx9fsmUtdJY%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1356902849&oauth_version=1.0
when I add the oauth_callback string (mandatory to let users sign with a redirect!) I get "Failed to validate oauth signature and token"
https://api.twitter.com/oauth/request_token?oauth_callback=http%3A%2F%2F127.0.0.1%2Ftest%2F&oauth_consumer_key=nHb2kSQ2CD9MW1MdW5VeQ&oauth_nonce=1356902915&oauth_signature=2WTaI9jXNBaDd7f8AqIe6y3%2Beno%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1356902915&oauth_version=1.0
I mean there's no difference between the two URLs, they both go through the same execution and they respect the signing method.
How to fix it?
yes I added http://127.0.0.1/test/ as callback url in the twitter app settings.
Thank you
Have you set up the callback url in the twitter application settings?
If you don't set that up, the api may fail.
Check it from here:
Also check that your time is in sync (use an NTP server); see: https://dev.twitter.com/discussions/1043
Agreed that twitter API is badly documented :)
Follow this rule:
If your oauth_callback does not contain any query string = Nothing funky is required.
If your oauth_callback has any query string parameters = URL Encode the query string parameters separately.
Hope this explains.
I solved the issue. The problem was that even though the callback URL was sent correctly using the querystring method or headers as you can see on the links, it was also double escaped when creating the signature from the basestring. Since the documentation is pretty bad regarding this I didn't think that you shouldn't double escape it as well like other oauth_* parameters (aka percentage encode the "&"s).
Related
Cheers everybody,
we have been deeply reading google documentation on exchanging access_token from google in order our (delphi)desktop application to SSO with google from server side. Here is the payload we send first look like:
https://accounts.google.com/o/oauth2/v2/auth?client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&state=E1DF2FBA-0A66-4D69-B594-5EB8F7828AF7&scope=openid+profile&include_granted_scopes=true&code_challenge=C832DA50-E55A-499D-89B8-493BB4123C94&login_hint=test#Speelkriebel.be
Normally after this it redirects me to login in to our test user and after this according to the documentation we send a POST request to the end point token in order to get the access_token and refresh_token...: 'https://oauth2.googleapis.com/token
with the following parameters, the 'code' is generated we also send it as follow:
client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com
grant_type=authorization_code
client_secret=******
code= 4/1AY0e-g4GlavO38PI5Oo3vq04Pc4lMWN77et-02UiVWOsT-IyRQnU1lq19qo
redirect_uri = urn:ietf:wg:oauth:2.0:oob
The response is always
{
"error_description": "Missing code verifier.",
"error": "invalid_grant"
}
We have tried to send the client secret id also, Does it have to do with our code_challenge ? are the end points url and initial url okay? What are we missing? We are using CEF4Delphi as "browser like experience in order for the user to type in their google credentials. We have been reading this: https://developers.google.com/identity/protocols/oauth2/web-server#offline
We were also trying the playground :https://developers.google.com/oauthplayground/
we were sending the initial url in a chrome which generated a "code" and in the playground we inserted the code, and still got the same error of missing code verifier.
Thanks Guys
You seam to have URL encoded a lot of the values try not doing that. Also try using the basic call, before you start adding everything else. It should help you figure out which one of those extra parameters you are sending that's causing your issues.
https://accounts.google.com/o/oauth2/auth?client_id={clientid}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=profile&response_type=code
Also make sure that the client id is from an installed / other type client
This may also help Google 3 Legged OAuth2 Flow
For installed apps, the code challenge and verifier are parameters for enhancing the security of the OAuth flow through PKCE [1].
There is additional documentation about generating a code challenge and verifier here [2].
[1] https://www.rfc-editor.org/rfc/rfc7636
[2] https://developers.google.com/identity/protocols/oauth2/native-app#step1-code-verifier
I have been toying around with the twitter API over the last few days, but seem to be stuck at requesting a "request token". (flow A)
Over at the twitter api, I should be hitting the following end point (https://api.twitter.com/oauth/request_token) and on a successful request this should net me an oauth_token, oauth_token_secret and oauth_callback_confirmed (should match what I pass). I attempted to just use my private key, but this of course is failing. Is my understanding of how to generate this request wrong?
I believe my issue is the way I am generating the oauth_signature. Reading the documentation at twitter, everything seems straight forward until I need to generate signing key documented Here. It states that the signing key should be Consumer Secret & OAuth token secret, but to me this is a circular reference. The response, for this request, should contain the oauth_token_secret.
With this request an empty oauth_token_secret is expected. Signing key should be consumer_secret&, the trailing & must be included.
Relevant quote from https://www.rfc-editor.org/rfc/rfc5849#section-3.4.2:
An "&" character (ASCII code 38), which MUST be included
even when either secret is empty.
As part of the OpenID Connect (OAuth2 for Login), my application is supposed to request an access token, given a one-time authorization code, via the endpoint https://www.googleapis.com/oauth2/v3/token. According to documentation, this request needs 5 parameters passed to it, client_id among them. That is exactly what my application does, using the Perl module Net::OAuth2.
Everything has been working fine for several months, but today I was notified that it stopped working. No updates were made to the application code nor the libraries used by it.
The message my application now receives from the server when calling the token endpoint is this, in a 400 error response:
OAuth 2 parameters can only have a single value: client_id
A Google search suggests nobody has ever seen this message before, or lived to tell the tale. There doesn't seem to be a general issue with Google's OpenID Connect (other services based on it are working flawlessly), and the imminent shutdown of the old login protocol doesn't seem relevant.
More testing: removing all parameters except client_id causes this error message:
Required parameter is missing: grant_type
Supplying only client_id and grant_type produces the original error message again.
Does anyone have an idea what's going on here?
Google changed this behavior few days ago, so any OAuth2 library using Basic Auth headers AND body request parameters will start to see messages like
OAuth 2 parameters can only have a single value: client_id
or
OAuth 2 parameters can only have a single value: client_secret
So, you must now do NOT use both (the Auth headers and body request parameters) at the same time to send credentials to Google.
And according RFC 6749, the preferable way to send credentials is through Auth headers (thanks #JanKrüger for alert me about this).
Got the same error. It seems the problem is that NET::OAuth2 sets the authorization header when exchanging authorization code for access token. If you remove this header everything works fine.
Check the get_access_token method in Net::OAuth2::Profile::WebServer module. The authorization header includes client_id:client_secret base64-encoded string. Apparently Google now treats this duplication as an error.
The right way of fixing this is to set the secrets_in_params parameter when creating Net::OAuth2::Profile::WebServer object. Look in the Net::OAuth2::Profile documentation for more details.
I'm trying to get request_token from https://api.twitter.com/oauth/request_token. But I always got following error.
"Failed to validate oauth signature and token"
Below is my signature_base:
POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%3A%2F%2Fwww.google.com%26oauth_consumer_key%3DydxYUl45Mleo5LNyoExnAF4mY%26oauth_nonce%3D9C918901-EF8A-4B84-BDF5-B7E754C46397%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1415174195%26oauth_version%3D1.0
The auth header generated is:
{
Authorization = "OAuth oauth_version=\"1.0\",
oauth_nonce=\"9C918901-EF8A-4B84-BDF5-B7E754C46397\",
oauth_signature_method=\"HMAC-SHA1\",
oauth_consumer_key=\"ydxYUl45Mleo5LNyoExnAF4mY\",
oauth_timestamp=\"1415174195\",
oauth_callback=\"http://www.google.com\",
oauth_signature=\"j6k3CY4Fr40SKAWiG%2B5%2BwkErdYc%3D\"";
}
I verified the signature with my secret key and it's correct. Really can't figure out where the problem is...
One clue is that when oauth_callback is not used at all, I'm able to get request token... Please help!
Thanks,
Lee
Edit:
If I don't use oauth_callback, I'm able to get request token and the callback I set in dev twitter website is used. However, I can't set it to URL Scheme of my app since it's not valid url...
You are not encoding the oauth_callback url correctly.
In the signature base it should be encoded as:
oauth_callback%3Dhttp%253A%252F%252Fwww.google.com
and then in the Authorization header as:
oauth_callback="http%3A%2F%2Fwww.google.com"
The same problem i was struggling as well.
Approach that help is bellow.
Using Twitter to authenticate is quite uncomfortable to do due to the errors and bad documentation. I will defiantly recommend you, to use one of the two approaches that are : Github library that is well documented and easy to implement. Or use iOS Social framework to write own logging.
I am Creating and Authorizing an OAuth Token according to this webpage: https://code.google.com/p/google-mail-oauth2-tools/wiki/OAuth2DotPyRunThrough
But I got this error: redirect_uri_mismatch.
The redirect URI in the request: urn:ietf:wg:oauth:2.0:oob did not match a registered redirect URI
from_login=1
cookie_policy_enforce=false
scope=https://mail.google.com/
response_type=code
access_type=online
redirect_uri=urn:ietf:wg:oauth:2.0:oob
as=-80019291b2cb8ed
display=page
pli=1
client_id=......
authuser=0
hl=en
I thought this might be helpful: Google OAuth 2 authorization - Error: redirect_uri_mismatch
But when I try to register the redirect url to my console, I was told that the url is invalid.
The redirect_uri (urn:ietf:wg:oauth:2.0:oob) is only applicable to those Google client ids that have been generated for installed applications. You can go to your console and create a new client id of this type.
Just in case if you're using Google+ javascript button (with web application), you have to put postmessage instead of actual URI. It takes me almost whole day to figure out this, because Google docs doesn't clearly stand it for some reason.
For my web application i corrected my mistake by writing
instead of : http://localhost:11472/authorize/
type : http://localhost/authorize/
When you register your app at https://code.google.com/apis/console and
make a Client ID, you get a chance to specify one or more redirect
URIs. The value of the redirect_uri parameter on your auth URI has to
match one of them exactly.
Please note that the 'redirect_uri' value of the Token request need to be the same as the 'redirect_uri' value of the Authorization request.
Lost 4 or 5 hours with this... use 'postmessage' as parameter value, not the real Redirect Uri...
$client->setRedirectUri('postmessage');
For anybody that is still stumped with this problem, you must have the 'Platform' set to 'Native (Windows Mobile, Blackberry, desktop, devices, and more)' when registering your app in the Google Cloud Console, otherwise, it will not let you use 'urn:ietf:wg:oauth:2.0:oob' as the redirect URI.
In my case, instead of creating web app, i just chose Other in:
OAuth Client ID > Other
and thats it.
2015July15 - working signin started causing Error 400 with Error: redirect_uri_mismatch
i posted a solution on a similar SO QUESTION: changed loading script to
<script src="https://apis.google.com/js/client:platform.js?onload=startApp></script>
For my native app, I tried dozens of different things. I finally got it to work by using "redirect_uri=http%3A%2F%2Flocalhost%3A1234" where 1234 is the port number. This has to be identical in the two requests (authorization code and the access token). Notice the use of percent encoding.
I was getting this error, because I was incorrectly following the steps for installed application flow here
https://github.com/googleads/googleads-python-lib/wiki
instead of the server to server flow.
The easiest way is to create the service account.
Create the document using your own account and share it with the service account.
redirect_uri must be an EXACT MATCH on the developers console.
In my case, this was due to a trailing slash( / ).
In the Google Cloud console, I had http://localhost:8080 under the redirect URIs in the list while my code was sending http://localhost:8080/ while making the oAuth call.