I need to get an OAuth token using a simple POST request.
In Postman, we configure OAuth tokens via the following configuration:
When I click "Get New Access Token", postman makes a request against the Access Token URL.
How does one see what that request looks like? Are these parameters (client id, client secret, etc.) placed in a POST body? What are the headers? I'd like to see the request structure in plain text.
Essentially I need to emulate this request in a script, where I have to include the credentials in the body itself, where the body would look something like this:
{
"Access_Token_URL":"myURL",
"Client_ID":"myClientId",
"Client_Secret":"myClientSecret",
"Scope":"myScope"
}
That request follows the OAuth 2.0 specification, using the client_credentials grant, and it will use an Authorization Basic header to authenticate the client; so its body will look like this:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic bXlDbGllbnRJZDpteUNsaWVudFNlY3JldA
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&scope=MyScope
Where bXlDbGllbnRJZDpteUNsaWVudFNlY3JldA is the Base64-encoded value of myClientId:myClientSecret.
Note that the Content-Type is application/x-www-form-urlencoded.
Also note that what Postman calls the Access Token URL is actually named Token Endpoint in the OAuth 2.0 terminology.
Related
URL :
https://circuitsandbox.net/rest/v2/webhooks
My Headers :
Content-Type : application/x-www-form-urlencoded
Authorization : Bearer ot-xxxxxxxxxxxx
Body :
url - Some URl
filter - CONVERSATION.CREATE
Error I am getting :
"The permission to access this resource is not granted. Scopes ::= [ALL, READ_CONVERSATIONS, READ_USER]"
Plus If i want to send extra filters thn will it be comma separated values?
If you are getting a 403, I would suspect a scope error (as mentioned by Roger) or an authentication problem.
For the first, please show us which scopes are currently selected for the application ; for authentication, can you check if you can make other API calls successfully ?
Here is what it looks like in Postman
Make sure your app registration contains the scopes that your app is asking for. For a simple outgoing webhook registration you would only need the scope READ_CONVERSATIONS.
See https://github.com/circuit/circuit-REST-bot/blob/master/app.js for an example on how to register for a webhook. This example registers for CONVERSATION.ADD, but CONVERSATION.CREATE is very similar.
If you still have problems please post a code example, or even a link to an app on repl.it.
Here is an example HTTP request to register the webhook. Note that the body is sent as text/plain (which is the default and its header can be omitted). Also note that the callback url is http. https is not yet supported.
POST https://circuitsandbox.net/rest/v2/webhooks HTTP/1.1
Host: circuitsandbox.net
Content-Type: text/plain
Authorization: Bearer <token>
url=http://90587c6d.ngrok.io/webhook&filter=CONVERSATION.CREATE
and here is a curl command
curl -X POST https://circuitsandbox.net/rest/v2/webhooks -H "Authorization: Bearer <token>" -d "url=http://90587c6d.ngrok.io/webhook&filter=CONVERSATION.CREATE"
I need to implement xsolla payment solution into my CakePHP 2.6 webapp.
By contract my site should communicate via REST with Xsolla.
Every request should contain Authorization Signature header which is sha1 hash of JSON body and the secret token.
Where is the right place to check Signature from xsolla in cakePHP?
Example request from xsolla:
URL: http://example.com/rest
Accept: application/json
Content-Type: application/json
Content-Length: 78
Authorization: Signature 8189119fb35327cdee7787990df41001c4bd9122
{"data":{"notification_type":"user_validation","user":{"id":"user_id"}}}
I need to check Authorization: Signature
The correct way of handling this in CakePHP is to implement a custom authorization handler. See the following links for reference, they explain what you need to do in great detail.
The basic procedure is to read the auth header and compare it against the user in your database. You'll do that in your custom authorization handler.
CakePHP 2.x
Authorization
Creating custom authorization handlers
CakePHP 3.x
Authorization
Creating custom authorization handlers
JWT Token Auth (check the code for reference)
The JWT auth is basically exactly doing what you want. The auth adapters aren't that much different. So you can backport that to CakePHP 2.x
I am testing Facebook Graph API v2.3 with Postman.
While it is possible to get response by putting access token in query string as follow:
https://graph.facebook.com/v2.3/me?access_token=my_access_token
I am wondering whether it's possible to do the same thing with HTTP request headers, which would be something like this:
GET /v2.3/me HTTP/1.1
Host: graph.facebook.com
Authorization: <my_access_token>
Cache-Control: no-cache
Postman-Token: <postman_token>
Based on this similar question (i.e. How should a client pass a facebook access token to the server?) on Stackoverflow, it seems that this should be possible.
Any thoughts on this?
Edit:
What raised my interest is that, when I used the API Graph Explorer provided by Facebook Developers, it seems that there's no query string in that sandbox either. How does that work?
Facebook API Graph Explorer DO use query string for access token. Thanks to #CBroe's response.
Yes it is possible
Authorization: Bearer AccessTokenHere
e.g.
curl --header "Authorization: Bearer CAAC...ZD" https://graph.facebook.com/me
This answer previously recommended using "OAuth" instead of "Bearer" as the token type. Both will work, but "Bearer" is the type that shows up in the standard. Also, on completing Facebook's OAuth flow, the token_type in their response is bearer. So all in all "Bearer" makes more sense.
When calling GET /api/token for login, where to put the username and password?
URL parameters or header?
I'm confused, because I read, the token should go into a header, when I request some other data later.
(I'm writing an API myself, I'm not using someone elses)
Login should be a POST request (you create a token). That way you could send the username and password in the body of the request.
POST /app/token HTTP/1.1
username=example&password=example
If credentials are correct, the request could return the token in the body.
HTTP/1.1 201 Created
Content-Type: application/json
{
"token": "example"
}
You can then store this token on the client side (for example in local storage) and send it in the header for subsequent requests.
I have been using FB api for some simple demo and everything was quite easy with the authentication. Now I have to do something similar with twitter v1.1 but there is something that I really don't understand...
Example:
I want to do this request:
https://api.twitter.com/1.1/search/tweets.json?q=q=%23freebandnames
the problem is that I have to be authenticated, anyone have some examples? I don't want to create a twitter connection because I don't need different users to be connected to my applicaiton. I have just to perform some simple search request but I can't understand how to use the authentication parameters. Which type of Ajax request I have to use in order to perform the REST request authenticated??? (Obviously I have my secret token and my access secret token) but how to use them????
THanks in advance for answers
You can use this javascript library: codebird-js with the "Application-only auth".
or
Do it yourself: everything is explained in the documentation.
Basically you need to follow 3 steps (and you should do the 2 first just once):
An application encodes its consumer key and secret into a specially encoded set of credentials.
An application makes a request to the POST oauth2/token endpoint to exchange these credentials for a bearer token.
When accessing the REST API, the application uses the bearer token to authenticate.
The steps are detailed in the documentation.
You can do the first 2 separately and when you get your bearer token, you need to add a specific HTTP Header (Authorization) in each request with your bearer token (that's the 3rd step). With jQuery it could be something like that:
$.ajax({
headers: { Authorization: 'Bearer '+$my_bearer_token },
url: 'https://api.twitter.com/1.1/search/tweets.json?q='+$search
}).done(function (data) {
// Play with the data
});