I am using OKTA.
Looks like that i got an error when clicking on login button:
OAuthError: Could not acquire access token from authorization code.
My app is in LIVE. All the settings in app dashboard look correct, because I took a simple js sdk in index.html file and made it work. So Something happens on okta Size. I am using social/identity providers.
Anyone has ever used okta and reached this error?
Another hint is that their support somehow on their back-end admin panel checked and they also get another error message: "Cannot call API on behalf of this user"
I had the same issue, in my case the issue was because the security secret key didn't match with the one in the IDP database.
If you have generated manually the secrete key check that the key is created using ssh256 hash.
You can find how to generate a secrete key here
https://stackoverflow.com/a/44013730/4878365
Related
Using the App Console, I am generating an Access Token for use by my java application.
Why is my access token expiring? It worked yesterday but today I get the below error.
How do I get a permanent token for my application to use? (Usage is similar to a "Google Service Account" that generates a permanent token.)
Exception:
InvalidAccessTokenException
{
"error_summary": "expired_access_token/...",
"error": {
".tag": "expired_access_token"
}
}
UPDATE 2022 12 02:
Thanks for the below information and links. After about 5 hours of working on wrapping my brain around the concepts and the example code, I finally got something working by doing the following:
(1) Using the example code and manual process at https://github.com/dropbox/dropbox-sdk-java/blob/main/examples/examples/src/main/java/com/dropbox/core/examples/authorize/ShortLiveTokenAuthorize.java I obtained an auth code.
(2) I then wrote java code to post the auth code to the https://api.dropbox.com/oauth2/token end point and receive tokens including the refresh token.
(3) I then wrote code to post the refresh token to the same end point to receive an access token.
It appears I can hold on to the refresh token and repeat step 3 to get access tokens each time.
HOWEVER, I must be missing something here.
This is WAY too much extra work that should be done either by the App Console and/or the SDK.
Also, it seems to me that a “Client Credentials Flow” should be available in the API and SDK.
Your thoughts?
Dropbox is in the process of switching to only issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.
Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. You can find more information in the OAuth Guide and authorization documentation.
The official Dropbox Java SDK can actually handle the process for you automatically, as long as you supply the necessary credentials, e.g., as shown retrieved in the examples here.
I am building a flutter app that needs the user to authenticate against an identity provider in order to user the app.
I am using the package simple_auth_flutter to do the authentication stuff. So far this works as expected: When clicking on the log in button, the users is queried for its credentials and after passing the correct credentials I get a valid token.
I only got an issue, when the user logs out from the identity provider. When the user clicks on the log in button he gets automatically logged in without querying for the current users credentials.
While logging out I delete the token from within the package and I revoke the token on identity providers side.
Any idea what could be the reason for this behaviour?
OIDC based Identity Providers issue a session cookie when you login. This is what enables single sign on across multiple apps.
To force a new login prompt, logout typically needs to send an End Session Request so that this cookie gets removed.
My Android sample code does this, though I am using different libraries. Not sure if Flutter has end session support?
Also worth being aware that some identity providers require vendor specific messages.
I had the same issue with my flutter app using Firebase and Microsoft as identity provider. I solved the issue by using the "prompt" parameter within the authentication request. Below you can see my code for oAuth authentication with Microsoft.
await FirebaseAuthOAuth().openSignInFlow(
"microsoft.com",
["email openid profile offline_access"],
{
'tenant': 'your tenant id',
'clientId': 'your client id',
'prompt': 'login'
},
);
Also see the Microsoft documentation where the "prompt" parameter is described in detail with all the supported values (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc).
Fixed
When you logout on Firebase you are only clearing the app's state not the browser. One possible solution is to check if your provider offers a logout endpoint which you can call in your app during logout to invalidate the browser cookies. Microsoft is an example of a provider offering this.
The user data is attached with the provider session.
https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-openid-connect-code#send-a-sign-out-request
BEST SOLUTION:
User? user =
await firebaseAuthOAuth.openSignInFlow(provider, scopes, parameters);
Make sure parameters has a prompt key with an applicable value mentioned here: Fixed:
User? user =
await firebaseAuthOAuth.openSignInFlow(provider, scopes, parameters);
Make sure parameters has a prompt key with an applicable value mentioned here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-the-sign-in-request
The only one I got to work to an acceptable criteria is:
'prompt': 'select_account'
My provider, scopes, and parameters:
'microsoft.com', ['email'], {'prompt': 'select_account'}
The only one I got to work to an acceptable criteria is:
'prompt': 'select_account'
My provider, scopes, and parameters:
'microsoft.com', ['email'], {'prompt': 'select_account'}
I have simple jQuery page that makes calls to azure restful API to get the status of VMs.
I'm facing a problem that it's complaining about Cross-Origin Resource Sharing and I can't find where to set that for the Web app/API I have.
I'm using client credentials grant to get the token
https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow
I have finished my testing and when I tried to do the calls from jQuery/JS I got the CORS problem.
My setup involved:
From Azure portal, I used App registrations to register an app of type "Web app/API", give it a homepage address "this is where it lives", created a key.
Using
POST https://login.microsoftonline.com/<tenant id>/oauth2/token
grant_type=client_credentials
client_id=application id
client_secret=application key
resource=https://management.core.windows.net/
Am I missing any missing anything? my search keeps leading me to Azure hosted apps
Okay, here is how to do it in short:
Add Function App (charge per request)
Open the Newly created function app
In Proxies, select that from the right list
Give it a name, route template will be your new endpoint URL, backend URL is your login endpoint eg: https://login.microsoftonline.com//oauth2/token
After that, back to your function app, select the platform feature tab, Select CORS, delete all of them and enter your application URL or simply a *
You can be more specific with these, but this is enough to get the token. And all the other endpoint didn't have CORS problem.
Good luck.
You cannot use a client secret from front-end Javascript.
Your client secret will be public, it's basically your app's password.
Client credentials grant is for back-end applications.
You need to use e.g. the implicit grant flow with ADAL.JS/MSAL.JS to acquire tokens.
Your front-end app also should be registered as Native since it is a public client.
Here is a sample app: https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-dotnet-webapi
Oh, and the CORS error comes from Azure AD's token endpoint.
You cannot do anything about it.
I am playing around with IBM Cloud Functions (OpenWhisk) and trying to setup authentication through OAuth with Facebook as the provider. I have setup an app with Facebook, I am able to successfully connect with this and fetch my token and I am able to verify this by fetching basic profile information (name and userID).
My problems starts when I enable OAuth in the IBM Cloud Functions API. I get a HTTP code 500 back from the call with very little information about what actually went wrong.
{"code":500, "message":"Oops. Something went wrong. Check your URI and try again."}
The only thing that is stated in the dashboard is:
You can control access to your API through the OAuth 2.0 standard. First require an end user to log in via IBM Cloud App ID, Facebook, GitHub, or Google. Then include the corresponding OAuth token in the Authorization header of each API request. The authenticity of the token will be validated with the specified token provider. If the token is invalid, the request will be rejected and response code 401 will be returned.
With this information I got that I need pass the token with the Authorization header. My best guess is that the call fails somewhere when the token is being validated.
I am using Vue and Vue-axios to perform the API call. My current call looks like this:
this.$http.get(API_URL+"?user_id="+localStorage.user_id,{headers :{'authorization':localStorage.token}}).then((response) => {
console.log(response);
});
I have tried adding bearer/Bearer or token/Token in front of the token (some posts I read indicated that you should do this), but this had no impact on the response.
If I disable the OAuth authentication from the Cloud Functions side, the code above works and correctly retrieves the data (with or without the header option).
From the Chrome Dev tools it looks to me like the token is added correctly to the request, since the request headers have the Authorization header with the token.
I am not that familiar with OAuth or IBM Cloud Functions, so the problem might have a very easy fix. However, I am unable to find documentation which clearly shows me how I am supposed set this up. I am also unable to find any logs or more information about what actually fails here. Am I missing something obvious here?
Kjetil
We are having troubles with getting the access token from fiware since 4th August.
We are using this URL to ask for the token: https://orion.lab.fiware.org/token but it seems like it does not work.
Before using that URL we used to ask for this one:
http://cloud.lab.fi-ware.org:4730/v2.0/tokens
Could anyone, please, help us?
Thank you in advance.
It depends on how you want to get the token. The current OAuth2 URL to get the tokens is https://account.lab.fiware.org/oauth2/token. This is the central authority for authentication, if you are accessing any common GE, but you will need to register your application in FIWARE Account and use your application credentials and some OAuth2 grant to get it.
If you want to get the token for the global instance without using a registered application, the URL you have mentioned contains a token service that can give you a valid token for your user and that purpose. You can test it (and see an example) with the following script:
https://raw.githubusercontent.com/fgalan/oauth2-example-orion-client/master/token_script.sh