Using Box with JWT (Server Authentication) - jwt

I using Box API JWT Server Authentication:
IAccessTokenCache accessTokenCache = new InMemoryLRUAccessTokenCache(100);
Reader reader = new FileReader("D:\\config.json");
BoxConfig boxConfig = BoxConfig.readFrom(reader);
BoxAPIConnection api = BoxDeveloperEditionAPIConnection.getAppUserConnection(USER_ID,boxConfig);
but the Box exception:
{"error":"unauthorized_client","error_description":"This app is not authorized by the enterprise admin"}

#kendomen is correct. Here's some more detail:
Go to api.box.com. Then select Admin Console.
Now this is where it gets funky. Click on the Security step.
Then the fine print.
This gives the tool bar that should have been displayed three steps ago. Click Apps.
Then click on Authorize New App.
This puts up a pop-up where you enter the app key. This is referred to as the "ClientID" in the json file you may have downloaded from Box.com.

The admin of Box has to go to Admin Console -> Enterprise Settings -> Apps and authorize your app.

Related

Actions on Google implicit account linking works in simulator/browser, but not on device (via Google Home app)

I've implemented the implicit flow for Actions on Google account linking, and am using Dialogflow (previously API.AI) to define intents.
The full flow works in the device simulator (from AOG). The first intent gets a "It looks like your account isn't linked yet..." response, and the debug pane includes a URL to initiate linking:
https://assistant.google.com/services/auth/handoffs/auth/start?account_name=[account]#gmail.com&provider=[project_id]_dev&scopes=email&return_url=https://www.google.com/
If I follow this URI in a cache-less window:
I'm redirected to my app's authentication page
I choose to sign in with my Google account (same as [account] above)
I'm redirected to google.com with a success message in the URI bar
The simulator now accepts actions via my app and responds correctly
However, if I follow the same flow using a physical Google Home & the gH app for Android.
Device tells me account not yet linked
Open Google home and follow 'Link to [my app]' link
Browser opens to authentication page
Sign in as user
Redirected to a white page with a single link "Return to app", which has an href: about:invalid#zClosurez
Linking was unsuccessful, so additional attempts to run intents on the Google Home get the same "Account not yet linked" response.
I've inspected the intermediate access_token and state variables at length, and they all match and look to be correctly formatted:
Authentication URL (app sign in page): https://flowdash.co/auth/google?response_type=token&client_id=[client_id]&redirect_uri=https://oauth-redirect.googleusercontent.com/r/[project_id]&scope=email&state=[state]
After authenticating, redirected to (this is the white screen with 'return to app' broken link): https://oauth-redirect.googleusercontent.com/r/genzai-app#access_token=[token]&token_type=bearer&state=[state]
So, it seems there's something non-parallel about the way the simulator and physical devices work in terms of implicit flow account linking.
I've been struggling with this, and with the AOG support team for a very long time to no avail. Anyone else see a similar issue?
Updated with response redirect code:
Login handled by react-google-login component with profile & email scopes. On success we call:
finish_auth(id_token) {
let provider = {
uri: '/api/auth/google_auth',
params: ['client_id', 'redirect_uri', 'state', 'response_type'],
name: "Google Assistant"
}
if (provider) {
let data = {};
provider.params.forEach((p) => {
data[p] = this.props.location.query[p];
});
if (id_token) data.id_token = id_token;
api.post(provider.uri, data, (res) => {
if (res.redirect) window.location = res.redirect;
else if (res.error) toastr.error(res.error);
});
} else {
toastr.error("Provider not found");
}
}
provider.uri hits this API endpoint:
def google_auth(self):
client_id = self.request.get('client_id')
redirect_uri = self.request.get('redirect_uri')
state = self.request.get('state')
id_token = self.request.get('id_token')
redir_url = user = None
if client_id == DF_CLIENT_ID:
# Part of Google Home / API.AI auth flow
if redirect_uri == "https://oauth-redirect.googleusercontent.com/r/%s" % secrets.GOOGLE_PROJECT_ID:
if not user:
ok, _email, name = self.validate_google_id_token(id_token)
if ok:
user = User.GetByEmail(_email, create_if_missing=True, name=name)
if user:
access_token = user.aes_access_token(client_id=DF_CLIENT_ID)
redir_url = 'https://oauth-redirect.googleusercontent.com/r/%s#' % secrets.GOOGLE_PROJECT_ID
redir_url += urllib.urlencode({
'access_token': access_token,
'token_type': 'bearer',
'state': state
})
self.success = True
else:
self.message = "Malformed"
else:
self.message = "Malformed"
self.set_response({'redirect': redir_url}, debug=True)
I am able to make it work after a long time. We have to enable the webhook first and we can see how to enable the webhook in the dialog flow fulfillment docs If we are going to use Google Assistant, then we have to enable the Google Assistant Integration in the integrations first. Then follow the steps mentioned below for the Account Linking in actions on google:-
Go to google cloud console -> APIsand Services -> Credentials -> OAuth 2.0 client IDs -> Web client -> Note the client ID, client secret from there -> Download JSON - from json note down the project id, auth_uri, token_uri -> Authorised Redirect URIs -> White list our app's URL -> in this URL fixed part is https://oauth-redirect.googleusercontent.com/r/ and append the project id in the URL -> Save the changes
Actions on Google -> Account linking setup 1. Grant type = Authorisation code 2. Client info 1. Fill up client id,client secrtet, auth_uri, token_uri 2. Enter the auth uri as https://www.googleapis.com/auth and token_uri as https://www.googleapis.com/token 3. Save and run 4. It will show an error while running on the google assistant, but dont worry 5. Come back to the account linking section in the assistant settings and enter auth_uri as https://accounts.google.com/o/oauth2/auth and token_uri as https://accounts.google.com/o/oauth2/token 6. Put the scopes as https://www.googleapis.com/auth/userinfo.profile and https://www.googleapis.com/auth/userinfo.email and weare good to go. 7. Save the changes.
In the hosting server(heroku)logs, we can see the access token value and through access token, we can get the details regarding the email address.
Append the access token to this link "https://www.googleapis.com/oauth2/v1/userinfo?access_token=" and we can get the required details in the resulting json page.
`accessToken = req.get("originalRequest").get("data").get("user").get("accessToken")
r = requests.get(link)
print("Email Id= " + r.json()["email"])
print("Name= " + r.json()["name"])`
Not sure which python middleware or modules you are using but
self.set_response({'redirect': redir_url}, debug=True)
seems to be setting parameters for a returning a response which isn't correct. Instead you should redirect your response to the redirect_url. For example importing the redirect module in Flask or Django like:
from flask import redirect or from django.shortcuts import redirect
then redirect like:
return redirect(redirect_url)
It appears Google has made a change that has partially solved this problem in that it is now possible to complete the implicit account linking flow outside of the simulator, in the way outlined in my question.
It seems the problem stemmed from an odd handling (on the AOG side) of the client-side redirect case used after sign in with the Google sign-in button.
From Jeff Craig in this thread:
The current workaround, where we provide the "Return to app" link
currently what we're able to provide. The issue is with the way that
redirecting to custom-scheme URIs is handled in Chrome, specifically,
with regard to the redirect happening in the context of a user action.
XHR will break that context, so what is happening is that you click
the Google Sign-In Button, which triggers an XHR to Google's servers,
and then you (most likely) do a client-side redirect back to the
redirect_url we supply, our handler executes, and isn't able to do a
JS redirect to the custom scheme URI of the app, because were outside
of the context of a direct user click.
This is more of a problem with the Implicit (response_type=token) flow
than with the authorization code (response_type=code) flow, and the
"Return to app" link is the best fallback case we currently have,
though we are always looking for better solutions here as well.
The current behavior shows the 'Return to app' link, but as of last week, this link's href is no longer about:invalid#zClosurez, but instead successfully completes the sign-in and linking process. It's an odd and confusing UX that I hope Google will improve in the future, but it was sufficient to get my app approved by the AOG team without any changes to my flow.

Facebook API error code 190, subcode 460 in Meteor app even after refreshing login

I use accounts-facebook in Meteor 1.4.3.2 to allow my app's users to log in via Facebook. The app also makes other Facebook API calls using the Facebook token accounts-facebook stores in the user document.
Sometimes, when I try to make a call, I get an error:
{
message: 'Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.',
type: 'OAuthException',
code: 190,
error_subcode: 460,
fbtrace_id: '...'
}
Facebook says users will need to log in again. I built a flow to fix this problem. When we get a 190/460, we set the services.facebook.accessToken property in their user document to false and email them a link to a page with a "Refresh Facebook Login" button which simply logs them in to the app again via Facebook.
The flow appears to work. I can see the accessToken gets set to false. When I click through on the link in the email and then click the "Refresh" button, I get a token that is different from the previous token. However, when the app tries to make another FB API request, it gets the same 190/460 error with the new token.
If the fix for 190/460 is to have the user log in again, why do I continue to get the error after the user has refreshed the token?
I had a similar issue and solved it going to Facebook developer page
-> Messenger option from the left menu
-> Configuration
then scroll to "access tokens", click "generate token" button and copy that token to your code.
For example in php looks like
$accessToken = 'EAAKHOkhtsDABAJgyp....';

Thinktecture IdentityServer3 Facebook Login Button Issue

I am using "IdentityServer3 - IdentityManager - MembershipReboot" in my project for User Management, Authentication & Resources Authorization.
I started from below sample and have gone good for creating users, authenticating them via /connect/token api and authorizing resources.
https://github.com/thinktecture/Thinktecture.IdentityServer.v3.Samples/tree/master/source/MembershipReboot
A brief architecture for my solution is
MySql as database. Communication via MembershipReboot.EF to MembershipReboot.
The client project is developed using html + angularjs.
Resources APIs are developed using Nancy & hosted on Owin+Katana in a seperate project.
Authentication Services(IdSvr+IdMgr+MR) are hosted in a seperate project.
Now I want to create a simple button/link clicking on which leads me to facebook login. The functionality of this button should be same as defined in IDSvr default login page's(https://localhost:44333/core/login?signin=4f909a877cc465afd26d72f60ec08f51) "Facebook button".
I have tried googled internet a lot but none of cases are matching my scenario.
I even tried to replicate the request-response behaviour of default IdSvr facebook login but that does not work as cookies are not being saved on end client.
Also i tried to hit "https://localhost:44333/core/signin-facebook" and getting response as HTTP/1.1 500 Internal Server Error from server. So i think might be I am somewhere wrong in setting facebook options in IdSrv project.
So if someone can just provide me a single IdSvr API to connect or tell me how to config Id Svr so that mapping a url can redirect it to facebook login. Or can tell me that where I am wrong in setting facebook authentication options in IdSrv.
A short and simple answer for my question is that I was looking for url.
https://localhost:44333/connect/authorize?client_id=implicitclient&response_type=token&scope=read&redirect_uri=http://localhost:8088/login/auth&nonce=random_nonce&acr_values=idp%3AFacebook&response_mode=form_post
Read further if you want to get better idea about this url
After lots of Hit&Trial & Study efforts, I have got solution for this. Well I think root cause for this problem was that sudden new technical things(Owin, Katana, OAuth, IdentityServer, IdentityManagement, MembershipReboot, Owin Facebook) and a meager time to understand them all.
I would advice folks that whoever is in same situation as me then first get an idea about OAuth. I found below link as a short and good one.
http://tutorials.jenkov.com/oauth2/index.html
After this I learnt that in our scenario we are dealing with two applications and hence two authentication.
For connecting User to Facebook. We created an app on developers.facebook.com
For connecting User to IdentityServer. We created a client in Clients.cs file on AuthenticationServices project.
So now here is the final solution.
localhost:44333 where AuthenticationService is running
locahost:8088 where FrontEnd services are running which iscalling AuthenticationService .
1. Create client app in AuthenticationServices as below
new Client
{
ClientName = "Implicit Clients",
Enabled = true,
ClientId = "implicitclient",
ClientSecrets = new List<ClientSecret>{
new ClientSecret("secret".Sha256())
},
Flow = Flows.Implicit,
RequireConsent = true,
AllowRememberConsent = true,
RedirectUris = new List<string>
{
"http://localhost:8088/login/auth" //This should be redirect url you want to hit after your app(not facebook app) redirects.
},
ScopeRestrictions = new List<string>
{
Constants.StandardScopes.OpenId,
Constants.StandardScopes.Profile,
Constants.StandardScopes.Email,
"read",
"write",
},
//SubjectType = SubjectTypes.Global,
AccessTokenType = AccessTokenType.Jwt,
IdentityTokenLifetime = 360,
AccessTokenLifetime = 360,
},
2 Create Authorize URL as below
var client = new OAuth2Client(new Uri("https://localhost:44333/core/connect/authorize"));
var startUrl = client.CreateAuthorizeUrl(
clientId: "implicitclient",
responseType: "token",
scope: "read",
redirectUri: "http://localhost:8088/login/auth",
nonce: "random_nonce",
responseMode: "form_post",
acrValues: "idp:Facebook");
The facebook app after successful authorization will redirect default to http://localhost:44333/signin-facebook. So no need to do any changes there.
Finally on http://localhost:8088/login/auth you will get access_token(+ few other parameters) after successful authentication. Here onwards you can use this token to access resources from Resources server.

PayPal Login with Java Rest API

I am currently trying to integrate a PayPal Login into my JSF application.
The user should be redirected to PayPal, login and then be redirected back to our site. With the redirected token, I want to fetch the users email.
I am using the latest Java Restful API and used the exact sample PayPal provided.
Map<String, String> configurationMap = new HashMap<String, String>();
configurationMap.put("mode", "sandbox");
APIContext apiContext = new APIContext();
apiContext.setConfigurationMap(configurationMap);
List<String> scopelist = new ArrayList<String>();
scopelist.add("openid");
scopelist.add("email");
String redirectURI = "https://22af922.ngrok.com/";
ClientCredentials clientCredentials = new ClientCredentials();
clientCredentials.setClientID("my_client_id");
String redirectUrl = Session.getRedirectURL(redirectURI, scopelist, apiContext, clientCredentials);
Generating the redirect url works fine, however, on redirect, it keeps telling me that the redirect_uri does not match the redirect_uri in my application settings, even though I am using the exact same url I have setup in my PayPal app.
Any help is very appreciated. Thanks in advance.
I fixed it by doing the following.
Go to http://developer.paypal.com/ and login
Go to Sandbox > Accounts
Click on the -developer account -> Profile -> API Credentials
Make sure the return url is the same as the return url you are trying to use
Press Save
Even though the return url in those settings was equal to the one in my app settings, just using the save button in that specific place did the trick. I have absolutely no idea why this fixed it...
Have you verified that the "redirectURI" has the same URI as the one in the REST apps in your Developer account? Steps:
Go to https://developer.paypal.com and login with your PayPal account
Click 'Dashboard'
On the REST apps page, select the REST app that you use in your Java application (the client ID and secret is the same)
Under 'SANDBOX APP SETTING' section, check whether you use the same url as the one in 'Return URL' field

Grails social plugins for facebook give error response after user authenticate application

I am new to grails and i am trying to add facebook plugin to my web application. i have successfully(as i believe) installed plugins and addED necessary code in my application. I followed the documentation found at http://splix.github.io/grails-spring-security-facebook/ , when I run my app I see the facebook connect button on gsp page,after clicking on connect button a popup opens up asking for permissions required in app and when user clicks on allow button i receive error "No authentication provider found". I dont know where i am wrong ,can any one help me please.
Thanks in advance
You have custom list of providers:
grails.plugins.springsecurity.providerNames = [ 'myAuthenticationProvider',
'anonymousAuthenticationProvider',
'rememberMeAuthenticationProvider']
And none of them supports FacebookAuthToke, so Spring Security cannot authenticate using Facebook Authentication plugin.
If you really need to have custom provider, just put original provider into this list:
grails.plugins.springsecurity.providerNames = [ 'myAuthenticationProvider',
'facebookAuthProvider',
'anonymousAuthenticationProvider',
'rememberMeAuthenticationProvider']