I am working on an application that allows user to authenticate with Devise and Omniauth and then connect his social network account to the app. I wanted to add Wordpress integration (their website states they support OAuth 2.0 authentication and REST API access).
Unfortunately, there was no Omniauth strategy for this provider. I looked into some other gems and decide to write my own - it didn't seem so complicated. The source code can be found here.
I have added all required informations (according to Wordpress docs), then I have signed up for an app ID and secret. I have encountered my first problem here - Wordpress demanded a live, public domain as a redirect URI. I didn't want to use one - I wanted to test in development mode first, so localhost was fine for me. I have entered a dummy address, then changed it back to localhost (surprise! They didn't validate it on update, just on create).
I have added the credentials to my initializer (config/initializers/devise.rb):
config.omniauth :wordpress, "my_app_id", "my_app_secret"
It seemed to work - I got the authentication dialog I expected, it mentioned my application. But when I clicked 'Authorize' and got redirected to my application back, I got an error saying invalid credentials.
I have checked the credentials, but they were correct (no typos, proper order). I have reset the app secret - no luck. I have created two another applications, but still nothing.
I have already ran out of ideas. What can cause such error? Is it possible that it's because of the local address in redirect_uri?
I suspected it was something easy to miss, and it was. Wordpress' server responded with JSON string, but the response was not parsed as one. Therefore Omniauth gem couldn't find an access token in it and was raising the invalid credentials error. Setting up correct content type worked like a charm.
Related
I am developing a web-based application that will allow my trusted staff to edit the titles, descriptions, tags, etc. of my YouTube channel. In attempting to "Opt In" to my own application, I was sent to the callback URI with an error message:
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure. You can let the app developer know that this app doesn't comply with one or more Google validation rules.
Some history - when I first attempted to obtain a code to exchange to an authorization token, it actually worked! However, as I was writing the code to harvest the code and exchange it for the authorization token, I repeated the "Opt In" process multiple times. Before I was ever able to perfect my code to exchange the code for an authorization token, I began getting the error message to the effect that the app is insecure and cannot be signed in to.
More history - after reading a Stack Overflow article describing something similar, I deleted the project, created a new project, generated a new Client ID and Client Secret, and then repeated the test with the same failure.
I am the only Test User of the app. I can't find any notification in my console alerting me to nature of the security issue triggering the failures. I have reviewed the OAuth policies at
OAuth 2.0 Policies
and cannot find anything even remotely wrong.
What is wrong and how can I fix it?
I also had the same issue.
For me, it turned out that my redirect_uri is not valid. The redirect_uri that gives error:
http://localhost:8000api/vi/oauth/google
What are wrong in my case:
I should put a / before api.
vi is different from what I registered on GCP. It should be v1
I would suggest you to print out the redirect_uri when your app is performing code exchange, and verify every single characters carefully.
Additionally, check out the documentation of Redirect URI validation rules on Google to see if your redirect_uri comply with all the rules.
You probably changed the port where the project is running or you did not define the address where the project is running in Google Cloud.
Google Cloud → APIs and Services → Credentials → OAuth 2 Client ID → change Authorized JavaScript origin to the port that your app runs on the local or shared host.
The URL may take time to define, so it may not work right away, so you can also create a new credential.
For me the redirect_uri was correct, but as a result of an error, the access code was requested for a different client ID.
I have dockerized our Angular application which have been using WSO2 as API manager . After doing the configurations, i was able to run the application successfully and able to hit all existing api's. The only issue arises when i tried to use oath2/token api for performing login operation of our customer . Even though, the same code was used to perform authentication earlier(before dockerization) without any issues,now i am getting error as
{
"error": "invalid_grant",
"error_description": "Provided Authorization Grant is invalid"
}
Token generation api for login :
https://<myapplicationurl>:9443/oauth2/token
Errors am getting in docker console while trying to login using username 'devtest7#mailinator.com' :
Things to note :
WSO2 AM version is 2.1.0 , WSO2 IS version is 5.3.0
Arguments(headers & parameters) for the request is the same as that
used earlier(except the username and password).
I am able to create a new users and the corresponding user is listed
in Carbondb users list.
The issue exists while trying to login using existing user as well as
newly created users.
I have recently generated new ssl certificate for the application.
Able to login using super admin only . Login using newly created email and username is not working.
I tried solutions seen on stackoverflow which doesn't fixed my issues. Can any one please help?
There is a line in the above logs saying that SP tenant is not equal to user tenant and SP is not SaaS. Are the SP and users are from different tenants? Normally users cannot access SP across different tenants.
If you want to make the SP accessible across different tenants then you need to enable SaaS application option in the SP. Check this doc to learn more about SaaS application https://docs.wso2.com/display/IS530/Adding+and+Configuring+a+Service+Provider
Thanks for everyone who commented and tried to figure out the solution for the issue i mentioned. I got the resolution for the issue . As i tried multiple times to login by doing permutations and combinations in configurations, authentication was blocked for me. As a reason, i couldn't login and generate access token . I was able to resolve it by changing a flag in identity.xml file inside IS .
Changed the UserOperationEventListener enabling from 'true' to 'false' .
Before:
<EventListener enable="true" name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" type="org.wso2.carbon.user.core.listener.UserOperationEventListener"/>
After:
<EventListener enable="false" name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener" orderId="95" type="org.wso2.carbon.user.core.listener.UserOperationEventListener"/>
This change allowed me to block the invalid authentication check. We are anyway adding that check from our code side.
According to the logs, it says
Non-SaaS service Provider's tenant domain is not same as user tenant
domain; carbon.super != mailinator.com
From the logs, the SP's is in the carbon.super tenant. But it considers the user as in the tenant mailinator.com.
When we specify the username for password grant with email as username, we have to use the full username with the tenant domain. (devtest7#mailinator.com#carbon.super).
I have an interesting problem. We have set up the Thinktecture Authorization Server from the trusty Identity Server 2 and gotten it to work a few months back. It is configured as a relying party for an already existing corporate identity server, so when we use the Code Flow example, click the "Start authorization handshake" we bounce over to the identity server, supply our credentials and get bounced back to the callback of the code flow with an access code, click the Get Token, and are granted with this fine jwt token. All seems fine.
However,
When we try this either from, for instance, postman, or our app development team from their development devices (android and iphone), it starts fine but when we call the token endpoint with our newly minted access code we get an "Anonymous client" response.
Looking at the web example from the CodeFlow example I see it posts basic authentication including a base64 value of the secret wich is missing from postman and our app team. I see no reference to this in the CodeFlow example so I have no idea where this comes from. If I hard code the Authorization BASIC [including the Base64 secret I snatched from the previous example] it does not change anything.
We'be been stuck for several days on this so any help would be gratefully appreciated. Any Ideas?
After a lot of recearch and hair pulling it seems the Postman client we are using does not support Code Flow and therefore does not include the Authorisation header we are missing. After capturing the traffic from Postman with Fiddler we manually added the basic authorization header with the client name and secret and got everything working. So as of now, postman does not work.
I hope postman does add support for codeflow in the future.
Atli
I am using omniauth and logging into google and yahoo using the open_id strategy. This was working fine, until I enabled SSL on my site. There was a couple issues. First the URL's being generated were still pointing at http instead of https. I fixed that using a monkey patch from other posts(Omniauth and open_id with Google broken when running behind nginx in SSL mode, OpenID for rails app behind Apache)
Now it seems like the URLs are okay, but now I always get invalid credentials failure. I am using nginx and unicorn and hosting on EC2, if any of that is relevant. I see this in my unicorn logs:
(google) Request phase initiated.
WARNING: making https request to https://www.google.com/accounts/o8/id without verifying server certificate; no CA path was specified.
Generated checkid_setup request to https://www.google.com/accounts/o8/ud with assocication ...
(google) Callback phase initiated.
(google) Authentication failure! invalid_credentials encountered.
*Note I remove the association above because I was not sure if thats some private key or something.
Also, I see google posting to my callback "/auth/google/callback".
Finally, about the warning about making a request without verifying server certificate, I saw in another post that I should add this:
require "openid/fetchers"
OpenID.fetcher.ca_file = "/etc/ssl/certs/ca-certificates.crt"
which I did, and the messages go away but does not fix my problem. Am I supposed to point this to my ssl certificates instead?
Just confused about what is going on and not finding good logging output to identify the problem...
I have a working OAuth process for authorizing with Google. My app can get data from the Google Sites API from areas that only the account used to authorize it has access, so I know that much is working. The trouble is creating new data via the API. I consistently get "Unknown authorization header" when trying to POST to the endpoint. The real frustration appears when I try to use the Google Oauth Playground. I put in the credentials I have, put in the same endpoint and same request body, and try it there -- and everything works perfectly.
I'm using Ruby 1.9.3 on the API side, and I've tried with both oauth-ruby and the Google-written signet client. Both do the same thing. I've verified and re-verified that the credentials are as I expect them to be (both just checking, and using the same ones in the Oauth Playground and seeing them work).
I have no idea why this is happening, because there's precious little information coming from Google's API about what's actually wrong with my request.
For the record, I'm using;
Ruby 1.9.3
oauth-ruby and signet for clients
OAuth 1.0
HMAC-SHA1 hashing
3-legged authorization
As it turns out, the problem was because I was failing to include the Content-Type header in the request. Yes, this didn't make any sense to me, either, considering the error message, but that's what it was.