I'm new to REST and OAuth. I was granted developer access to my law firm's billing software. I received a "developer account" with a username and password, and I registered my "app", at which point the sum total of all information I have is the following:
API Key
Secret Key
Username used to register the app (an email address)
Password used to register the app
The app name, which I came up with
The redirect url, which I provided
The "documentation" says that I need to pass the following URL-encoded line in the body of my request, with all parameters being required:
client_id={client_id}&client_secret={client_secret}&grant_type={grant_type}&code={code}&redirect_uri={redirect_uri}
I'm having a little trouble figuring out what's what. I believe client_id and client_secret are the api key and secret key provided when I registered the app. Does that sound correct?
I have no idea which grant type to use.
I have no idea what the "code" is or where to get it.
It almost seems like the developers didn't give me all the info I needed, but I could be wrong.
No, it doesn't seem like enough info! Yes, the API key and secret sound like the client_id and client_secret.
Generally the grant type will be dependent on what type of application you are developing. The most commonly used ones are:
Web App with user = Authorisation Code Grant
Javascript Browser App = Implicit Grant
Native / Mobile App = Authorisation Code Grant with PKCE.
Web App / API with no user context required = Client Credentials Grant.
With the information you provide I'm not sure of the best fit for you but here's an example of the usual protocol to get a token using a couple of grant types:
The Authorisation Code Grant:
So you would make 2 calls to the law firm's Authorisation server:
1) GET /authorize?response_type=code&client_id=yourclientid
&redirect_uri=https%3A%2F%2Fyourappserver%2Ecom%2Fcallback HTTP/1.1
You would get a code sent back to your redirect endpoint which you'd then send on to the /token endpoint of the auth server.
2) POST /token HTTP/1.1
Host: server.yourlawfirm.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fyourappserver%2Ecom%2Fcallback
Note in this example the basic authentication code contains the client id and secret, but often they are sent in the request body, e.g.
2) POST /token HTTP/1.1
Host: server.yourlawfirm.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fyourappserver%2Ecom%2Fcallback
&client_id=yourclientid&client_secret=yoursecret
The authorisation server would then return you an access token from step 2)
If your application is going to talk to the law firm's billing software without the need for / context of a user then you would use the client credentials grant.
The Client Credentials Grant.
An example of this protocol is one call to the law firm's Auth server:
POST /token HTTP/1.1
Host: server.yourlawfirm.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
And this would return an access token.
Again the client id and secret are wrapped up in the basic auth header but it may be that you can supply them in the request body as I showed before.
e.g.
POST /token HTTP/1.1
Host: server.yourlawfirm.com
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id=yourclientid&client_secret=yoursecret
This information is based on the OAuth2.0 specification.
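An added example (not code from the answer above) that builds the token requests the answer shows, for both ways of sending the client credentials. The id/secret pair is a constructed sample: the Basic header value in the answer decodes to exactly these RFC 6749 example credentials. The same conventions cover the Uber and password-grant answers further down the page.

```python
import base64
from urllib.parse import quote, urlencode

# Constructed sample values. The Basic header in the answer above decodes to
# exactly this id:secret pair (they are the RFC 6749 example credentials).
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"
REDIRECT_URI = "https://yourappserver.com/callback"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 s2.3.1: form-encode id and secret, join with ':', base64 the pair."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()


def token_request(grant_type: str, client_id: str, client_secret: str,
                  creds_in_body: bool = False, **params) -> dict:
    """Headers and body for POST /token as application/x-www-form-urlencoded.

    grant_type is authorization_code (needs code and redirect_uri),
    client_credentials, or password (needs username and password). Client
    credentials go in the Basic header unless creds_in_body is set, in which
    case they are sent as client_id/client_secret form fields instead.
    """
    required = {"authorization_code": ("code", "redirect_uri"),
                "client_credentials": (),
                "password": ("username", "password")}
    if grant_type not in required:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    missing = [p for p in required[grant_type] if p not in params]
    if missing:
        raise ValueError(f"{grant_type} grant needs {', '.join(missing)}")
    body = {"grant_type": grant_type, **params}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if creds_in_body:
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    return {"headers": headers, "body": urlencode(body)}


if __name__ == "__main__":
    # Step 2 of the authorisation-code grant, credentials in the header.
    req = token_request("authorization_code", CLIENT_ID, CLIENT_SECRET,
                        code="SplxlOBeZQQYbYS6WxSbIA", redirect_uri=REDIRECT_URI)
    print(req["headers"]["Authorization"])  # Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    print(req["body"])
    # Client-credentials grant with the credentials in the body instead.
    print(token_request("client_credentials", CLIENT_ID, CLIENT_SECRET,
                        creds_in_body=True)["body"])
```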
I'm currently trying to retrieve a user token from the keycloak token endpoint using a POST request (instead of using one of the designated adapters). I have set up a keycloak realm and added my own machine as a client. In the documentation the Token Endpoint is described as:
/realms/{realm-name}/protocol/openid-connect/token
As far as I have read in the openid specification, I will need to set the body parameter grant_type=authorization_code as well as the parameters code and redirect_uri. I will also need to set the Authorization header, for which I will need a Basic Token.
So far I will get the response:
"error": "unauthorized_client", "error_description":
"INVALID_CREDENTIALS: Invalid client credentials"
Where do I get the Basic Authorization Token from? I expected that I need to provide a username and a password, since the JWT token is what I'm trying to receive as response. Do I need to set the redirect_url if I just want to request a token?
Keycloak offers more than one way to retrieve a user access token, following the OpenId Connect spec. Here you have the steps to do it for Authorization code flow (the one recommended for web applications) according to the openid connect spec: https://rograce.github.io/openid-connect-documentation/explore_auth_code_flow
Basically, if you're not using any adapter, when detecting a request to some protected resource you should:
Perform a redirection to the keycloak login page (keep in mind keycloak uses the REALM entity, so you'll need to specify it too):
HTTP/1.1 302 Found
Location: https://mykeycloakinstance.org/auth/realms/demo/protocol/openid-connect/auth?
response_type=code
&scope=openid
&client_id=s6BhdRkqt3
&state=af0ifjsldkj
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
You'll need to keep the state value in the client, as it needs to survive the redirection process:
It is recommended that clients use this parameter to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.
You don't interact with username/passwords. The keycloak authentication page does. Once the login is successful, it will redirect to your page with a valid code:
HTTP/1.1 302 Found
Location: https://client.example.org/cb?
code=SplxlOBeZQQYbYS6WxSbIA
&state=af0ifjsldkj
Here you'll need both to check that the state is the one you originally sent (you may need to track it through the web session, using cookies) and to obtain the token using that code. You do a POST to the authorization endpoint with this code:
POST /auth/realms/demo/protocol/openid-connect/token HTTP/1.1
Host: mykeycloakinstance.org
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
This is the flow in summary, I haven't tested the code myself, so use it as an example and don't hesitate to fix it if you consider ;-)
See also:
What are Keycloak's OAuth2 / OpenID Connect endpoints?
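An added example (not code from the answer above) of the state handling the answer describes: the state is bound to a random cookie nonce with an HMAC, the callback is rejected unless the pair matches, and only then is the code exchanged at the realm's token endpoint. Realm, client id and URLs are placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values (placeholders, not from the question or the answer).
KEYCLOAK = "https://mykeycloakinstance.org/auth"
REALM = "demo"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example.org/cb"


def new_state(cookie_secret: bytes) -> tuple:
    """Mint a random nonce for a browser cookie and the state bound to it.

    state = HMAC(server key, nonce), so a forged callback cannot present a
    matching (cookie, state) pair: the CSRF binding the answer quotes.
    """
    nonce = secrets.token_urlsafe(16)
    state = hmac.new(cookie_secret, nonce.encode(), hashlib.sha256).hexdigest()
    return state, nonce


def login_redirect(state: str) -> str:
    """Step 1: Location for the 302 to the realm's authorization endpoint."""
    q = {"response_type": "code", "scope": "openid", "client_id": CLIENT_ID,
         "state": state, "redirect_uri": REDIRECT_URI}
    return f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(q)}"


def handle_callback(callback_url: str, cookie_nonce: str, cookie_secret: bytes) -> dict:
    """Step 2: validate the redirect back to /cb, then build the token request.

    Returns the token endpoint URL and form body; client id and secret go in
    a Basic Authorization header on that POST, as in the answer.
    """
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise PermissionError(params["error"][0])
    expected = hmac.new(cookie_secret, cookie_nonce.encode(), hashlib.sha256).hexdigest()
    given = params.get("state", [""])[0]
    if not hmac.compare_digest(given.encode(), expected.encode()):
        raise PermissionError("state mismatch: not a login we started")
    if "code" not in params:
        raise PermissionError("callback carries no authorization code")
    body = urlencode({"grant_type": "authorization_code",
                      "code": params["code"][0], "redirect_uri": REDIRECT_URI})
    return {"url": f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/token",
            "body": body}
```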
I am trying to get tweets from a user with his screen name, but I am getting a code 32 401 unauthorized error. I tried encoding the details; it's not working. Please let me know what the issue is here.
Below is the GET request I am sending via Postman; I have attached a photo for more understanding.
GET /1.1/statuses/user_timeline.json?screen_name=urstrulyMahesh HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_consumer_key="hwWrdsCbnYA6duRPn9b5eOL2b",oauth_token="920656878140645376-spRRFqnUdYyRKXJdP2Bd1SuN1TeJP8B",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1508349347",oauth_nonce="JKLMNOPQRSTUVWXYZABC123DEFGHI494",oauth_version="1.0",oauth_signature="A0mdEkSUjwWOO8AfX0S4oU296Q4%253D"
Cache-Control: no-cache
Postman-Token: b5bfb83b-e2c6-0e23-81b0-38daee989fec
I am sure access tokens and customer tokens are entered correctly
Please point out the error
That won't work because your Authorization header doesn't follow the OAuth protocol. All of your credentials are in plain text, but the value must pass through several steps of encoding and encryption before they can be sent to Twitter. You'll have to do this with code because part of the protocol includes a timestamp, which is likely to expire before you can do it by hand. Here's the process, on Twitter's site:
Authorizing a Request
There are several 3rd party Twitter Libraries that do this in several programming languages. One of the things you might be able to do is write the code with the same parameters you're using for Postman, set a breakpoint, and copy the Authorization header when the code hits the breakpoint.
Note: You've posted code and a picture with your application secrets. That means that anyone who wants to can use your secrets to interact with Twitter on your behalf. To protect yourself, you should either re-key or delete the Twitter application (if it was just for test) and create a new one with new secrets.
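An added example (not code from the answer above, and not a Twitter library) of the signing the answer refers to: the OAuth 1.0a HMAC-SHA1 signature base string, signing key and Authorization header per RFC 5849, applied to the GET request in the question. All credentials here are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Placeholder credentials (constructed; never reuse keys posted in a question).
CONSUMER_KEY, CONSUMER_SECRET = "ck_placeholder", "cs_placeholder"
TOKEN, TOKEN_SECRET = "tok_placeholder", "ts_placeholder"


def pct(value) -> str:
    """RFC 5849 s3.6 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 s3.4.1: METHOD & enc(base URL) & enc(sorted parameter string)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign_request(method: str, url: str, query: dict, consumer_key: str,
                 consumer_secret: str, token: str, token_secret: str,
                 timestamp=None, nonce=None) -> tuple:
    """Return (Authorization header, signature base string) for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    # Query parameters are part of what is signed, alongside the oauth_* ones.
    base = signature_base_string(method, url, {**query, **oauth})
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    # Each value is percent-encoded exactly once here: a trailing '=' in the
    # base64 signature becomes %3D in the header, never %253D.
    header = "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return header, base
```

Because the timestamp and nonce are part of the signed string, the header must be regenerated for every request, which is why the answer says this cannot be done by hand in Postman.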
I would like to implement the Streamlined Identity Flow based on this documentation:
https://developers.google.com/actions/identity/oauth2-assertion-flow
I created my server (Node.js + node-oauth2-server) and successfully tested with OAuth 2.0 Playground.
Authorization code flow implemented, account linking enabled.
According to the documentation: "When Google needs to access your service's resources, and the user is signed in to their Google Account, Google sends a signed JWT with information about the user to your token exchange endpoint.".
The expected request is:
POST /token HTTP/1.1
Host: oauth2.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&intent=ACTION&assertion=JWT&consent_code=CONSENT
The problem is that there is no such request; the token endpoint gets called with grant_type=authorization_code without any JWT information.
I tried the Google Account Linking Demo and the Action simulator, same results.
Why is the JWT grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer request missing? What should be changed in order to receive such requests?
I encountered the same problem. In my case, every time I validated the "Quick account linking" I had an error during the tests with the simulator. And as a result, the 'seamless account linking' was not engaged.
It was enough to fill in the field 'Link to Terms of Service' in App information for the simulator to start the test without error.
I then saw the screen described in the doc "Exchange JWT assertions for tokens" arrive, which allows selecting a Google account,
then Google sent my OAuth2 server a request with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
and I saw the famous JSON Web Token (JWT) arrive.
(For the test authentication, you have to use https://gala-demo.appspot.com/ with the name of the project with _dev).
In my case, now, seamless account linking works well.
I hope it can help.
So I am testing the REST APIs given by Uber to implement the Uber service in my app; while sending a request to one of their APIs it sends me this response message:
{
"message": "No authentication provided.",
"code": "unauthorized"
}
while I am doing the same request as given in their doc.
The request I am creating:
headers:
Authorization: Bearer <TOKEN>
Accept-Language: en_US
Content-Type: application/json
to url https://api.uber.com/v1.2/me
Where am I going wrong, and what else do I need to add?
In order to be able to use any Uber API endpoint, you will need to authorize your user and get an access_token. From your sample code we can see that you did not follow the instructions in the Uber documentation. So to make sure you are following the full authentication process as it is supposed to be, please find the info below:
The Authorization Code flow is a two-step authorization process. The first step is having the user authorize your app and the second involves requesting an OAuth 2.0 access token from Uber. This process is mandatory if you want to take actions on behalf of a user or access their information.
The redirect URL "YOUR_REDIRECT_URI" is the URL we will redirect back to after an authorization by the resource owner. The base of the URI must match the redirect_uri used during the registration of your application. If none is provided, the default is the first redirect URI provided in the application's dashboard.
"YOUR_LIST_OF_SCOPES" is the list of scopes you have requested in the authorizations tab. Based on what you want to achieve and what API calls you want to make, you will need a certain scope to be used in your two-step authorization process. You can use multiple scopes as a comma-delimited list.
Please follow the steps of the authentication guide.
Briefly, you need to:
• Send user to authorize url. It starts by redirecting the user to the authorize endpoint: https://login.uber.com/oauth/v2/authorize?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=YOUR_REDIRECT_URI&scope=YOUR_LIST_OF_SCOPES .
• Receive the redirect with an authorization code. After the user approves the scopes the user will be redirected to the redirect_uri with an auth code that you can post to the /v2/token endpoint to receive an access token.
• Make a POST call to: 'https://login.uber.com/oauth/v2/token'. This call will return access_token and refresh_token.
• After you get your access_token you can use it in the API's endpoints.
In the OAuth 2 Password Grant Type, when retrieving the access token, where should I pass parameters like username, password and grant_type?
Is it as query param, in body or in header?
Following OAuth 2.0 rules you'll pass them in the HTTP POST request entity-body using the application/x-www-form-urlencoded format.
Additionally, if the client application was issued client credentials in the form of a client ID and client secret you will pass those in an Authorization request header using the Basic authentication scheme.
This is stated in section 4.3.2 of the specification.
The client makes a request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body.
For doubts around the exact syntax of the requests you should always refer to the spec. For additional information, example code, you can always refer to the documentation of identity providers, like Auth0 and/or Google that implement these protocols.