I have a problem when trying to get the oauth_token and oauth_token_sceret from linkedin oauth api. I can get requestToken (1st request), but in the callback page (after the user approved the app) I'm trying to get the token and the secret but I always get 401 and it says the signature is invalid.
I'm posting the following values to https://api.linkedin.com/uas/oauth/accessToken:
- oauth_consumer_key
- oauth_nonce
- oauth_signature_method
- oauth_timestamp
- oauth_token
- oauth_verifier
- oauth_version
as a side note i don't understand why I'm getting the verifier (I don't need the PIN since it's running in a browser) .
The only way I was able to get the token and the secret was when I also post the "oauth_token_secret" I received in the 1st requrst (when I asked for requestToken).
But I can't get this oauth_token_secret in the callback page.
I found out you need to pass in the secret token you get in the first request for requestToken (1st request) to the access token and it is working.
Once you have the first stage done and you have the request token, you should have been passed back the request token and the verifier, per:
https://developer.linkedin.com/documents/oauth-overview
Then, pass the request token back along with the verifier in the same way you did for the request token (signing the request, etc) and you should receive the access token.
Related
I'm trying to understand OAuth 2.0 which is scarcely, badly documented and I'm trying to implement OAuth 2.0 client call in my App. I am using Postman to simulate API calls, which works. Postman shows big orange button "Get New Access Token", where I select Grant Type, URL, Client ID, Client Secret, Scope and Authentication type. Upon clicking button Request Token, new bearer token is returned by the API, meaning the authentication succeeded. This of course is completely useless approach to me, because I have no idea what just happened. I need to create actual request that shows me exactly how it is formed, so that successful response with bearer token is returned. Postman, for absolutely no reason, will not let me see that or convert it's useless UI into a functional API request. All I have is black box with orange button "Request Token", which does who knows what.
Does anyone know, how to form a working OAuth 2.0 bearer token request in Postman, preferably to convert their useless token request dialog directly into a request?
After some research I have been able to form a valid OAuth2 token request. For clarity, here is a code sample, which we need to convert to Postman response:
var client = new RestClient("https://api_address/token");
client.Timeout = -1;
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "Basic hash");
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
request.AddParameter("grant_type", "client_credentials");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);
The hash part of the request is formed from client_id and client_secret values. In Postman, this is defined as such:
Create a simple POST request with token API url.
Go to Authorization tab.
Select Basic Auth
Enter client_id and client_secret into corresponding fields as username and password.
Go to Body tab.
Select x-www-form-urlencoded.
Enter key grant_type with value of client_credentials.
This example is for the client credentials flow. OAuth2 authors felt that calling auth scenarios as auth scenarios isn't cool enough, so they are called flows, which is nonsense, but sounds cooler.
Process one:
Process two:
First, determine whether your token is passed through the header
It could be:
else process:
I got the temporary access token, serverAuthCode, web client id and its secret, i am trying to get refresh token from oathplayground but i am getting invalid grant error. I have rechecked the tokens many times but still getting same error. Here are the screenshots :
What can i do to get the refresh tokens ? For more information, i am using react-native-google-sign-in library, from this library, i got the 1. access_token, ServerAuthCode. From Google Developers console, i got the 1.Web Client Id 2.Client Secret , I am using these credentials inside the react native app and i am getting the tokens successfully, but the problem is sometimes they work and most of the times i get "invalid credentials" error when i try to use the access token, it is because the access token is expired, that's why i need the refresh token. If you have any idea why i am not able to get refresh token or how to get refresh token using another method, please let me know.
I understood what i was doing wrong, i was using the serverAuthCode that was not new, it should be the latest one + the first time when you allowed the app for permissions, and it will work only first time, after you have exchanged it for a refresh token, it will not work again and will always give you grant_error. So after getting the refresh token you can get a new refreshed access token. I was using react-native-google-sign-in and was in need of refreshed token, read below to know more about the same.
For React-native-google-sign-in :
The access token you will receive from GoogleSignin.getTokens(); will only last for about an hour, to get a new access_token we need to send serverAuthCode to https://oauth2.googleapis.com/token with fields : client_id, client_secret, code(this is serverAuthCode), grant_type(its value should be authorization_code), redirect_uri(can set it from developers console). Remember to only use the serverAuthCode that you get on your first attempt when you just allowed your app for the permissions FIRST TIME otherwise you will get grant_error every time. After getting the refresh_token, we need to get the new access_token using refresh token that we just got, so now just replace the value of grant_type from authorization_code to refresh_token and also replace the value of code field to refresh_token , fill its value and send a post request to the same url, you will get a fresh access_tokenthat will be valid for 1 hour.
I am trying to call OKTA logout api from client. But it ends up with 404 Bad request. It expects 3 parameters: id_token_hint, post_logout_redirect_uri and state(optional). I am hitting request with format
https://{oktaDomain}.com/oauth2/default/v1/logout?id_token_hint={someToken}&post_logout_redirect_uri={someUri}
Purpose is just to wipe out the user session at OKTA by making some implicit call and redirecting user to {someUri}. This uri has been registered in OKTA configuration under Logout redirect uri, as per documentation. After all these efforts, whenever i am hitting request it return me 404 Bad request (token is Invalid)
The id_token_hint which i am passing is jwt id_token, which was returned at the time of authorizing user(login).
Not sure what i am missing ?
Is id_token_hint is some different token from id_token ?
or Is there any problem with URL itself ?
I want users to request Uber rides from my app.
https://developer.uber.com/docs/rides/authentication
Under OAuth 2.0 section at the above url, there are 6 steps :
1. Authorize (done)
2. Receive Redirect (done)
3. Get an Access Token ('invalid_grant' error)
The following screenshot is from Postman.
I tried passing client_id, client_secret, grant_type, redirect_uri and code as params, form-data and x-www-form-url-encoded. But everytime it returns the same error.
I have put 'http://localhost:3000/auth/uber/callback' as redirect url in my Uber App dashboard.
I have even tried the following curl command in the terminal,but it returns the same 'invalid_grant' error
Can someone help me with this issue.
Your postman request looks correct to me. My best guesses at whats going on:
1) You have multiple redirects set up, and you're using one redirect url when you do the authorization phase and a different one when you try and do token exchange
2) You're doing authorization for one client_id, and trying to do token exchange for another
3) You're authorization code has already been used / expired. Keep in mind its only good for one request.
Could you try the following and tell me what happens:
1) Do the authorization flow and pay special attention that the client id and redirect uri you put in your authorization URL are correct
2) After your browser redirects, copy the authorization code out of the redirect URL
3) Put the authorization code into the postman request / curl statement and make sure that the client id / redirect URI is correct when you do it.
Status Code: 401 Unauthorized
{
"error": "invalid_grant"
}
You are using an invalid refresh_token. You can generate multiple
access tokens, but you can only use the latest generated
refresh_token.
You supplied an invalid code when exchanging an authorization code
for an access_token.
I followed the tutorial on https://dev.twitter.com/docs/auth/implementing-sign-twitter to use OAuth on my homepage. Everything worked and after the last step I have an oauth_token (after converting it to an access token) and an oauth_token_secret. Now I want to post a new status on twitter. So I did everything on this page https://dev.twitter.com/docs/auth/authorizing-request which is just a post request to /1/statuses/update.json. On that page nothing is said about the oauth_token_secret, so I haven't used it in my request and just have put the oauth_token in it. After submitting the post request twitter gives me the status code 401 Unauthorized. Why that? Do I have to use the oauth_token_secret somewhere?
The token secret is used to hash the signature base. Something like a password. You don't send the password, you use it to compute a secure hash of the thing the service sent to you. You send that secure hash, then the service checks that secure hash against the request you sent. If they match, you're authorized.
The gory details are described in the OAuth spec, RFC 5849.
Twitter uses OAuth1.0a, but is mostly consistent with that spec.
here's the relevant bit:
https://www.rfc-editor.org/rfc/rfc5849#section-3.4.2