I have a known issue where DNS resolution is causing timeouts when attempting to authorize the access token. The Starlette OAuth Client relies on HTTPX for async requests, and HTTPX has a known timeout of 5 seconds.
Is there a way for me to configure Authlib's OAuth Client to have a longer timeout than the 5 seconds?
I finally managed to figure this out, anything you specify in client_kwargs in the register function will get passed to the HTTPX client. So, using this configuration worked for me:
# Setup Google OAuth
oauth = OAuth(config.local_config)
oauth.register(
name="google",
server_metadata_url="https://accounts.google.com/.well-known/openid-configuration",
authorize_params={"hd": config.FORCED_AUTHENTICATION_DOMAIN, "access_type": "offline"},
client_kwargs={"scope": "openid email profile", "timeout": Timeout(timeout=config.AUTHENTICATION_TIMEOUT)},
)
Related
I'm trying to send an email via smtp.live.com using an OAuth token generated via https://login.microsoftonline.com/common/oauth2/v2.0/… but I'm receiving the following error:
535 5.7.3 Authentication unsuccessful
I can make it work by obtaining an auth token via https://login.live.com/oauth20_authorize.srf (a legacy API) but that only works for free Microsoft accounts (I need to support business/Outlook365 accounts too).
The fact I can make it work using that legacy endpoint seems to validate that:
The server supports XOAUTH2 (which I also validated via Telnet EHLO)
That the encoding is correct (I'm using this process)
That I'm meant to pass the full access token via XOAUTH2 and not something odd like pass it in via LOGIN, or decode the JWT and pass in some component etc.
The access token seems valid (it works for other calls, including sending an email via the Graph API).
I've requested the following scopes:
[
'offline_access', 'User.Read', 'MailboxSettings.ReadWrite',
'Mail.Send', 'Mail.ReadWrite', 'Mail.Read', 'Mail.ReadBasic', 'Contacts.ReadWrite',
'Mail.Read.Shared', 'Mail.ReadWrite.Shared', 'Mail.Send.Shared', 'MailboxSettings.Read',
'profile', 'openid', 'email', 'Calendars.ReadWrite',
'EAS.AccessAsUser.All', 'EWS.AccessAsUser.All',
];
For the legacy token (the one which works), the scopes are different:
[
'wl.emails', 'wl.offline_access', 'wl.imap'
];
(I've tried including these scopes when requesting the v2 token too, but it's invalid).
Other things I've tried:
Using smtp.office365.com instead of smtp.live.com
Obtaining fresh access tokens
Ensuring app settings/permissions are configured correctly, as per this article
Enable Exchange SMTP Auth
Office 365 SMTP servers do not support OAuth authentication as of this time.
Office 365 SMTP servers is supporting OAuth authentication only through Code Authorization Flow not with the other mechanisms like Client Credentials flow e.t.c
The Paypal API doesn't recognize my Client ID and Secret I got from https://developer.paypal.com/developer/applications/
I wanted to include a server side checkout according to this tutorial https://developer.paypal.com/docs/archive/checkout/how-to/server-integration/
When I do the request to https://api-m.paypal.com/v1/payments/payment I always get a 401 Error with the message "Authentication failed due to invalid authentication credentials or a missing Authorization header.".
I checked multiple times if my credentials were correctly included into the request. I also tested the endpoint in my server environment and as well via Postman.
I also tried the route https://api-m.sandbox.paypal.com/v1/oauth2/token to exchange my credentials with an access token and got the same problem.
I also tried to create multiple Sandbox and Live Accounts and always got the same error.
Has anyone an idea what the problem could be?
There are two separate issues here.
You first need to use /v1/oauth2/token to obtain an access token, and then use that access token to call any of the other actual APIs.
The credentials you obtain from PayPal Developer will be for either "Sandbox", or "Live". Make sure you choose the correct tab (sandbox, for development). Sandbox credentials will only work for api-m.sandbox.paypal.com , and Live credentials will only work for api-m.paypal.com . The two environments are completely separate.
If you still have issues, post the SANDBOX client ID and secret you are using, and the full request and response to the api-m.sandbox.paypal.com endpoint. There should be a PayPal-Debug-Id in any error response, in the headers if nowhere else.
I have a query about how keycloak is supposed to be working with client without GUI access.
Basically I have:
A keycloak server configured with a realm, clients(Access type confidential) and Users
A server application with a GUI that also provide API, secure with keycloak (client, user, blablabla)
This is kind of working already as I am able to log on the GUI, have the redirect, etc..
Even accessing the APIs works well, when I have access to a GUI: I log on my UI, follow the redirect and get my UI to display the token. The the human (to differentiate the user from an application), can use the token in any API client.
In this context the user never sees the client secret, which is instinctively the right way. (note that I am very opened to people telling me my instinct is wrong!)
What I am NOT able to do so far is to find the way a server application (without GUI) can get a valid token?
The authorization_endpoint, as far as I understand it, requires both the client id and the client secret) to get a token, which I would rather avoid: I don't think giving my client secret to all my "customers" is the proper way to do it.
Alternatively I could create an API on my client that woudl ask for user credential and ask for the token in its behalf, but that would expose the clients credentials to my application, which is against the whole concept!
I tried setting my client Access type as public, but when I use the API call below I also get a error:
POST /auth/realms/realmname/protocol/openid-connect/tokenAPI
'grant_type=client_credentials'
'client_id=client_id'
'username=username'
'password=password'
{
"error": "unauthorized_client",
"error_description": "Public client not allowed to retrieve service account"
}
Would anyone know how this is supposed to be done ?
Thanks in advance.
Max
(...) A server application (without GUI) can get a valid token... typically using the Client Credentials flow.
But we would define in this case a dedicated Client for your server (client?) application to authenticate against. The returned token (not bound to a specific user) will serve for authorizations on allowed applications (i.e. your classic GUI or API clients).
So, basically you should (in very short):
define a specific confidential Client in your Keycloak
add the desired applications (or other Clients) to the Client Scope(s). Those you want to authorize transitively from this Client.
authenticate against this Client with Client Credentials flow (given the token endpoint, client id, credentials, scope)
ensure that you are authenticating through TLS and that parameters are included in request body (and not in headers - for enhanced privacy)
further harden security of your Client(s)
When you do not want anymore this particular server (client?) application to access your applications, you can change the corresponding "authentication" Client's secret/credentials or simply delete it.
"I don't think giving my client secret to all my "customers" is the proper way to do it."
You are right and the proposed method above strictly avoids that. Each customer would have its own credentials.
EDIT
(adding more details)
By performing as above, you would end up with the following scheme:
Flow Keycloak Server
C/S app. or Customer X <--- Client Creds ---> Auth. Client X
--- Access Token ---> Appl. Client <--> Appl. Server
C/S app. or Customer Y <--- Client Creds ---> Auth. Client Y
--- Access Token ---> Appl. Client <--> Appl. Server
Browser users <--- Standard ------> Appl. Client <--> Appl. Server
Note: this is not a detailed flow chart. Arrows mostly show relationships here.
Finally, please note that the terminology may differ a little here, but the proposed method is basically the same that Google uses. So you may aswell take some inpiration from there:
https://developers.google.com/identity/protocols/oauth2
I just had the same problem some weeks ago
In my case, I have a backend API and a frontend application that the users can use.
Eventually, I can't share the client_secret to the frontend application.
So here is my solution:
On keycloak, create a client (ex front_end_client) with grant type public
This client is going to be used by the frontend application to authenticate users using implicit flow (with PKCE will be more secure)
On keycloak, create a second client (On the same REALM as the first client) with grant type confidential, this client is going to be used by the backend API
Now, this is how it works:
Frontend app authenticate users and get the access token (Using the font_end_client)
The frontend app sends this token for every request to the backend
Backend app verify this token, and can retrieve permissions from it
I am trying to get realtime updates from facebook for my application as documented in https://developers.facebook.com/docs/reference/api/realtime/. I am struggling now when it comes back to the Subscription Verification. I have set up a callback server which accepts both GET and POST requests. I verified that the server works by making curl requests to it.
However, I stil get this error when attempting to create a subscription issuing the POSt request below
{"error":{"message":"(#2200) callback verification failed:
","type":"OAuthException","code":2200}
From what I read in the documentation and other threads, I assume that this means that the single GET request to my callback URL fails. The callback url does not get requested by neither GET nor POST requests indeed. I suppose that facebook is somehow blocked from accessing the endpoint. However, I am able to auth as a user using the auth dialog (https://developers.facebook.com/docs/reference/dialogs/oauth/) where I pass a callback url on the same server as well. The server runs http (for now).
This is the curl I am using to post the subscription. Host file has an entry to redirect dev.minggler.com to localhost =>( 127.0.0.1 dev.minggler.com)
curl -XPOST 'https://graph.facebook.com/256139341164822/subscriptions?callback_url=http%3A%2F%2Fdev.minggler.com%3A3000%2Ffacebook%2Frealtimeupdates&object=user&fields=friends&verify_token=abcd123&access_token=$MYTOKEN'
Can anybody help me out on this?
finally found the problem. the server wasn't reachable from outside. resolving it solved the problem
While testing I started walking through authorizing my test machine (192.168.15.6, a local IP) with YouTube, which seemed successful. That IP is listed under my authorized sites. However, any actual requests say I'm not authenticated. I'm guessing it isn't going to work because the requests seem to be coming from my Public IP, right?
The documentation is split up between the API reference, the gdata guide, and the python client guide. The examples seem limited. I didn't get, from the Python guide, that the session token is a new token, rather than an upgrade of the existing one-use token.
yt_service.SetAuthSubToken(token)
yt_service.UpgradeToSessionToken()
session_token = yt_service.current_token.get_token_string()
This gives you the new token after upgrading for a session.
Everything has worked for me developing locally except getting a secure token. Just leave that set as false.