I have been authenticating users against Facebook using an API call like
https://graph.facebook.com/oauth/authorize?client_id=715408518535970&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Foauth%2Fecho&scope=email%2Cread_stream
This would redirect, and there would be an access_token query parameter.
Now during the redirect, there is only a query parameter called code.
Has this method of authenticating been deprecated?
Yes, it is deprecated.
https://developers.facebook.com/docs/apps/changelog
[Oauth Access Token] Format - The response format of https://www.facebook.com/v2.3/oauth/access_token returned when you exchange a code for an access_token now return valid JSON instead of being URL encoded. The new format of this response is {"access_token": {TOKEN}, "token_type":{TYPE}, "expires_in":{TIME}}. We made this update to be compliant with section 5.1 of RFC 6749.
I'm setting up OAuth generation in new testing software, Tosca. Tosca can only handle API calls with raw body types. I need to convert the x-www-form-urlencoded payload below to plain/text. The request is denied with "developerMessage": "The authentication service denied the request".
I have tried changing all of the ":"s to "=" and all line breaks to "&", which has worked for converting other x-www-form-urlencoded payloads to plain/text. I have removed our client_id and client_secret and added them to Basic auth. I have removed any and all special characters and spaces from the body and am still getting the error.
scope:openid
realm:employer
auth_method:cleartrust
auth_id_user_token:A+B/C/D==
nonce:cd
identity_method:air
response_type:id_token token
grant_type:password
which I changed to
scope=openid&realm=employer&auth_method=cleartrust&auth_id_user_token=A+B/C/D==&nonce=cd&identity_method=air&response_type=id_token token&grant_type=password
The plain/text API call should get a successful response and bring back an OAuth token.
Full disclosure: I work for Tricentis in the Support Department.
Tosca's API Engine can also handle url-encoded payloads. See this manual page for an example screenshot: https://support.tricentis.com/community/manuals_detail.do?lang=en&version=12.3.0&url=engines_3.0/api/api_create_url-encoded.htm
Additionally, please follow these steps:
In the Technical View tab, open the Headers pane on the right-hand side. There, enter a Content-Type header param with the value application/x-www-form-urlencoded.
In the Auth tab, select Basic Auth as the method and use the client_id as the username and the client_secret as the password. Tick the checkbox Pre-authenticate.
In the Payload tab, you can enter the url-encoded payload required by your web service. Since you use grant_type = password, the payload has to include at least the string grant_type=password&username=someUsername&password=somePassword
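The hand conversion in the question (":" to "=", line breaks to "&") is not the same as form encoding: the value A+B/C/D== contains "+", "/" and "=", and "id_token token" contains a space, all of which a form decoder on the server reinterprets ("+" becomes a space). The following is an added example, not code from the question or from Tricentis, that builds the body the way a form encoder does and shows the difference by decoding both versions as the server would. It also builds the Basic auth header from client_id and client_secret as RFC 6749 section 2.3.1 describes; the field values are the question's placeholders.

```python
import base64
from urllib.parse import urlencode, parse_qs, quote_plus

# Constructed sample: the key:value lines from the question as a dict.
# The values are the question's placeholders, not real credentials.
PAYLOAD = {
    "scope": "openid",
    "realm": "employer",
    "auth_method": "cleartrust",
    "auth_id_user_token": "A+B/C/D==",
    "nonce": "cd",
    "identity_method": "air",
    "response_type": "id_token token",
    "grant_type": "password",
}


def encode_form_body(fields: dict) -> str:
    """Build an application/x-www-form-urlencoded body.

    urlencode() percent-escapes the reserved characters inside values
    ('+' -> %2B, '/' -> %2F, '=' -> %3D) and writes spaces as '+', which is
    exactly what the server's form decoder reverses.
    """
    return urlencode(fields)


def naive_form_body(fields: dict) -> str:
    """The hand conversion from the question (':' -> '=', newline -> '&')
    with no escaping. Kept only to show why it is not equivalent."""
    return "&".join(f"{k}={v}" for k, v in fields.items())


def decode_form_body(body: str) -> dict:
    """Decode a body the way the server does: '+' becomes a space and
    %XX sequences are unescaped."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def round_trips(fields: dict, body: str) -> bool:
    """True if the server would recover exactly the fields we meant to send."""
    return decode_form_body(body) == fields


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header for client credentials per RFC 6749 section 2.3.1:
    each value form-encoded, then 'id:secret' base64-encoded."""
    raw = f"{quote_plus(client_id, safe='')}:{quote_plus(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    print(encode_form_body(PAYLOAD))
    print("naive body round-trips:", round_trips(PAYLOAD, naive_form_body(PAYLOAD)))
    print("encoded body round-trips:", round_trips(PAYLOAD, encode_form_body(PAYLOAD)))
```

With the naive body the server reads auth_id_user_token as "A B/C/D==" (the "+" decoded as a space), which is one reason a token request can be rejected even though the text looks right; the urlencode() body decodes back to the original values.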
I am trying to authenticate my Facebook app against a user.
My application provides the following for starting the OAuth authorization process:
https://graph.facebook.com/oauth/authorize?state=abc&response_type=code&client_id=292634984182123&redirect_uri=http://dev.foo.com:12020/app/c-rex/authorize-facebook-action/&scope=publish_pages,email&type=user_agent
Then the browser redirects to Facebook, asks for the permissions and redirects to the given redirection URL, but with improper URL parameters:
http://dev.foo.com:12020/app/c-rex/authorize-facebook-action/?#state=abc&access_token=wqeqeqBAJmOBc25oYf64IaJBO8Y7k0pOgfo3q3PzoystyqvGPFeve5F8RxZCWtAVUyZB14YaWaZC4escFL69UxcZCHZBI2riqx88rUdKFx7riLPY83D1uY1Qtf9LJfZBuC1nv7sJH1BmIOXV0ZAP94jiaXV5M5tNU99lucTAZDZD&expires_in=6078
As you can see, the query string is empty and instead the parameters appear after the '#' as a URL fragment. It looks pretty weird... The URL would be correct if it did not contain the hash mark. Since the fragment is irrelevant to the server, I cannot pick up the fragment from the URL inside my code.
Is this a Facebook bug?
https://developers.facebook.com/docs/apps/changelog
[Oauth Access Token] Format - The response format of https://www.facebook.com/v2.3/oauth/access_token returned when you exchange a code for an access_token now return valid JSON instead of being URL encoded. The new format of this response is {"access_token": {TOKEN}, "token_type":{TYPE}, "expires_in":{TIME}}. We made this update to be compliant with section 5.1 of RFC 6749.
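The redirect in the question has the token-in-fragment shape of the user-agent (implicit) flow, which is what response_type=token, and the legacy type=user_agent parameter in the question's URL, request. A browser never sends the fragment to the server, so a server-side callback can only consume the authorization-code flow, where the code arrives in the query string. The following is an added example, not code from the question or from Facebook: it builds an authorization URL for the code flow with a per-login state value, and shows what the server versus page JavaScript can see of each redirect shape. The endpoint, app id and redirect URI are the question's placeholders, and both redirect URLs are constructed samples.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs, urlencode

# Assumed values for illustration; app id and redirect URI are the
# placeholders from the question, not a live configuration.
AUTHORIZE_ENDPOINT = "https://www.facebook.com/dialog/oauth"
APP_ID = "292634984182123"
REDIRECT_URI = "http://dev.foo.com:12020/app/c-rex/authorize-facebook-action/"

# Constructed redirect URLs: the shape from the question (token in the
# fragment) and the shape the code flow produces (code in the query).
FRAGMENT_REDIRECT = (
    REDIRECT_URI + "?#state=abc&access_token=EAAB.constructed&expires_in=6078"
)
QUERY_REDIRECT = REDIRECT_URI + "?state=abc&code=AQA.constructed#_=_"


def new_state() -> str:
    """Unguessable per-login value; store it in the user's session before
    redirecting, so the callback can prove the response belongs to it."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str) -> str:
    """Authorization-code flow: response_type=code and no legacy
    type=user_agent parameter, so the result arrives in the query string."""
    params = {
        "client_id": APP_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "publish_pages,email",
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def _params(s: str) -> dict:
    return {k: v[0] for k, v in parse_qs(s).items()}


def server_side_view(redirect_url: str) -> dict:
    """What the HTTP server receives: only the query; browsers never put
    the fragment on the wire."""
    return _params(urlsplit(redirect_url).query)


def browser_side_view(redirect_url: str) -> dict:
    """What page JavaScript can read from location.hash."""
    return _params(urlsplit(redirect_url).fragment)


def classify_redirect(redirect_url: str) -> str:
    """Tell the two flows apart from the redirect alone."""
    if "code" in server_side_view(redirect_url):
        return "code-in-query"
    if "access_token" in browser_side_view(redirect_url):
        return "token-in-fragment"
    return "unknown"


def state_matches(expected: str, received: str) -> bool:
    """Constant-time comparison of the stored state with the returned one."""
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    print(build_authorize_url(new_state()))
    for url in (FRAGMENT_REDIRECT, QUERY_REDIRECT):
        print(classify_redirect(url), "server sees:", server_side_view(url))
```

For the question's URL the server-side view is an empty dict: nothing is wrong with the redirect itself, the token simply went to the browser. Requesting response_type=code without the legacy type parameter gives the server a code it can exchange, and checking state on the callback ties that code to the session that started the login.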
I'm trying to connect via LinkedIn OAuth2 from a Java web application:
1. Added my own app in LinkedIn.
2. Generate the authorization URL: https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=XXX&scope=r_basicprofile%20r_fullprofile%20r_emailaddress&state=DCEEFWF454Us5dffef424&redirect_uri=http://localhost:9090/springmvc/token.htm
3. Enter my login/password for LinkedIn in the new popup.
4. Get the request back successfully on the previous redirect_uri, and take the authorization code "code".
5. Generate the accessToken URL.
6. Make a POST with: https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=YYY&redirect_uri=http://localhost:9090/SpringMVC/token.htm&client_id=XXX&client_secret=ZZZ
7. Get the following error in the response: {"error_description":"missing required parameters, includes an invalid parameter value, parameter more than once. : Unable to retrieve access token : appId or redirect uri does not match authorization code or authorization code expired","error":"invalid_request"}
I've verified the URL parameters are correct:
- "code" is the token received in step 4.
- "redirect_uri" is the same URL in steps 2 and 4. I added this URL in the "OAuth 2.0 redirect URL" section of my app.
- "client_id" and "client_secret" are the "Client API" and "Secret API" of my app.
- The time between the first and second request is less than 20 seconds.
The value of your redirect_uri parameter must be URL-encoded, so at step 6 do:
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=YYY&redirect_uri=http%3A%2F%2Flocalhost%3A9090%2FSpringMVC%2Ftoken.htm&client_id=XXX&client_secret=ZZZ
and it should be sent not as a POST but as a GET.
If you are sending a request for an access token, it must be a POST request.
Refer to the OAuth documentation.
I actually copied the whole URL from my Eclipse console into the URL bar, and it is still valid.
In your case the problem is with URL encoding, as HanZ said.
You have to encode your URL for the POST request.
I too was bugged by this issue for a long time. Please keep a few things in mind, which I did and which eventually sorted it out.
Hit the API to get the authorization code using a GET request.
The authorization code has a life span of about 20 seconds, so it's difficult to manually copy the code from the URL and make a request for token access. You should do it programmatically.
Make a POST request to get the access token.
Most important: old LinkedIn applications that I had created were not working and were giving the above error. Create a new LinkedIn application and try. Doing this worked for me.
I assume that all the other parameters like client_id, secret and redirect_uri are correct.
Please try and let us know.
Thanks.
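Two checks worth making before blaming the application registration, as an added example that is not code from the question or from any of the answers above. First, the token endpoint compares redirect_uri with the value from the authorization request byte for byte; the two URLs in the question spell the path as springmvc and SpringMVC, which do not match. Second, RFC 6749 section 3.2 requires the token request to be a POST with a form-encoded body (the answer suggesting a GET contradicts this), and urlencode() takes care of the percent-encoding that HanZ's answer asks for. The endpoint and XXX/YYY/ZZZ placeholders are taken from the question; the request URLs below are copied from it as constructed test data.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

TOKEN_ENDPOINT = "https://www.linkedin.com/uas/oauth2/accessToken"

# The two request URLs from the question, kept with their placeholders.
AUTHORIZE_URL = (
    "https://www.linkedin.com/uas/oauth2/authorization?response_type=code"
    "&client_id=XXX&scope=r_basicprofile%20r_fullprofile%20r_emailaddress"
    "&state=DCEEFWF454Us5dffef424"
    "&redirect_uri=http://localhost:9090/springmvc/token.htm"
)
TOKEN_URL = (
    "https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code"
    "&code=YYY&redirect_uri=http://localhost:9090/SpringMVC/token.htm"
    "&client_id=XXX&client_secret=ZZZ"
)


def redirect_uri_of(url: str) -> str:
    """The redirect_uri parameter as the server sees it after decoding."""
    return parse_qs(urlsplit(url).query)["redirect_uri"][0]


def redirect_uris_match(authorize_url: str, token_url: str) -> bool:
    """Authorization servers compare the two values byte for byte: no case
    folding and no trailing-slash normalisation."""
    return redirect_uri_of(authorize_url) == redirect_uri_of(token_url)


def build_token_request(code: str, redirect_uri: str, client_id: str, client_secret: str):
    """POST with a form-encoded body, as RFC 6749 section 3.2 requires.
    urlencode() percent-escapes redirect_uri, so no hand encoding is needed.
    Returns (method, url, headers, body)."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return "POST", TOKEN_ENDPOINT, headers, body


if __name__ == "__main__":
    print("redirect_uri values match:", redirect_uris_match(AUTHORIZE_URL, TOKEN_URL))
    method, url, headers, body = build_token_request(
        "YYY", redirect_uri_of(AUTHORIZE_URL), "XXX", "ZZZ"
    )
    print(method, url)
    print(body)
```

The mismatch function returns False for the question's two URLs, which is consistent with the "appId or redirect uri does not match authorization code" text in the error; reusing the exact string from the authorization request, as build_token_request does here, removes that failure mode.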
I noticed that the login flow seems to have changed recently. Our desktop app requests extended permissions with this login URL:
https://www.facebook.com/dialog/oauth/?response_type=token&display=popup&scope=user_about_me,user_hometown,user_likes,user_location,read_stream,publish_actions,offline_access,read_mailbox,manage_pages,read_page_mailboxes&client_id=***&redirect_uri=https://www.facebook.com/connect/login_success.html
Facebook now seems to be sending additional stuff before the login_success URL, like this:
https://www.facebook.com/v2.3/dialog/oauth?redirect_uri=http://www.facebook.com/connect/login_success.html&display=popup&scope=user_about_me,user_hometown,user_likes,user_location,read_stream,publish_actions,offline_access,read_mailbox,manage_pages,read_page_mailboxes&response_type=token&client_id=***&ret=login&ext=1428669119&hash=AeZzsa4rZm5pQOtL
This is new, isn't it? Is it now v2.3 by default? But we currently use v2.2. Is there any possibility to have the login flow of a few weeks ago? I tried
...www.facebook.com/v2.2/dialog...
but it didn't change anything.
Would it be a problem to log in with v2.3 and then use v2.2 for fetching posts etc?
Where can I find information about this new behaviour?
Facebook also changed the access_token format from URL encoded to JSON.
[Oauth Access Token] Format - The response format of https://www.facebook.com/v2.3/oauth/access_token returned when you exchange a code for an access_token now return valid JSON instead of being URL encoded. The new format of this response is {"access_token": {TOKEN}, "token_type":{TYPE}, "expires_in":{TIME}}. We made this update to be compliant with section 5.1 of RFC 6749.
Source: FB v2.3 changelog: https://developers.facebook.com/docs/apps/changelog
Would it be a problem to log in with v2.3 and then use v2.2 for fetching posts etc?
No, it shouldn't be a problem. You could also check which version was actually applied to a response the API returned via the 'facebook-api-version' HTTP header.
As for your first question, you could supply a version to your login dialog and Facebook will respect that version as mentioned here: https://developers.facebook.com/docs/apps/versions#dialogs
If you are facing a different behavior and believe this might be a bug, you can report it here: https://developers.facebook.com/bugs/
I'm trying to authenticate with Facebook using the following request:
https://www.facebook.com/dialog/oauth?client_id=MYAPPID&redirect_uri=http://localhost:3000/oauth/callback.html&scope=email
The response is the following:
http://localhost:3000/oauth/callback.html?code=AQA6VzXu_In9_GIiqu-GFEo6d8sA4jM5L6rLQWtL9g2aMo2Ju5h9j_uCcqR-w7cYifyi0IYsOHtOk5S_jKBBlgQatybYDHOfSs2EpA3H3NHQIDIaKmC-9kje9_QQbhPd0Ge1pP-52OR7iOQWc_R8D-YapXcArTAmpIHLBHatOSHB0x3lFv4DVUECfb1IdYIZlVM#_=_
The problem is that I'm unable to retrieve an access token from this code. It should normally have a dot delimiter ("."), whereas this one has none; that's why I'm unable to decode it.
Any ideas on what I'm doing wrong?
You shouldn't be able to decode it; it's not a signed_request.
You need to send a request to
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=THE_CODE_YOU_RECEIVED
in order to get an access token.
There is a difference between CODE and TOKEN; the two are very widely confused.
Client-side login (Javascript + HTML)
If you want to use JavaScript only (work with HTML only), as is probably your case, you should add &response_type=token to your first request.
Also, I don't think you actually need to split and work with the token yourself; let the JS API do it for you.
Server-side login (PHP)
You now have a user that has accessed your page with the CODE.
Now you must access this URL with your server-side script, and it will return the access_token:
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=CODE
If your callback was PHP you could just file_get_contents it along with json_decode, but I recommend using the official Facebook SDK.
Highly recommended doc page:
http://developers.facebook.com/docs/authentication/
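The first question on this page and the last two answers describe the same step: the code from the redirect is opaque (not a signed_request, nothing to decode) and is only ever exchanged at the token endpoint, whose response changed from a URL-encoded body to the JSON shape quoted from the v2.3 changelog. Client code written against the old body breaks on the new one and vice versa. The following is an added example, not code from the question, the answers or the Facebook SDK: a parser that accepts both response formats, normalises them to the three v2.3 keys, surfaces RFC 6749 section 5.2 error bodies, and a shape check that tells a signed_request apart from a code. The sample bodies are constructed, with placeholder token values; the use of "expires" as the old Facebook key name for the lifetime is an assumption drawn from the pre-v2.3 URL-encoded format.

```python
import json
from urllib.parse import parse_qs

# Constructed sample bodies with placeholder tokens (not real credentials).
LEGACY_BODY = "access_token=EAAB.placeholder&expires=5183944"
JSON_BODY = (
    '{"access_token": "EAAB.placeholder", "token_type": "bearer", '
    '"expires_in": 5183944}'
)
ERROR_BODY = '{"error": "invalid_grant", "error_description": "code expired"}'


class TokenResponseError(ValueError):
    """Raised when the token endpoint did not hand back a usable token."""


def parse_token_response(body: str, content_type: str = "") -> dict:
    """Normalise a token-endpoint response.

    Accepts the pre-v2.3 form-encoded body (access_token=...&expires=...)
    and the v2.3+ JSON body ({"access_token", "token_type", "expires_in"}).
    Content-Type decides the parser; an empty Content-Type falls back to
    sniffing for a JSON object. Returns a dict with the three v2.3 keys.
    """
    ct = content_type.split(";")[0].strip().lower()
    if ct == "application/json" or (not ct and body.lstrip().startswith("{")):
        data = json.loads(body)
    else:
        data = {k: v[0] for k, v in parse_qs(body).items()}
    if "error" in data:  # RFC 6749 section 5.2 error response
        raise TokenResponseError(str(data.get("error_description") or data["error"]))
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise TokenResponseError("no access_token in response")
    # "expires" is assumed to be the old Facebook key name for the lifetime.
    lifetime = data.get("expires_in", data.get("expires"))
    try:
        lifetime = int(lifetime) if lifetime is not None else None
    except (TypeError, ValueError):
        raise TokenResponseError("non-numeric expiry") from None
    return {
        "access_token": token,
        "token_type": str(data.get("token_type", "bearer")).lower(),
        "expires_in": lifetime,
    }


def is_error_response(body: str, content_type: str = "") -> bool:
    """True when the body carries an error instead of a token."""
    try:
        parse_token_response(body, content_type)
    except TokenResponseError:
        return True
    return False


def looks_like_signed_request(value: str) -> bool:
    """A Facebook signed_request is 'signature.payload' (two base64url
    parts). An authorization code has no such delimiter and must not be
    decoded; it is only ever exchanged at the token endpoint."""
    parts = value.split(".")
    return len(parts) == 2 and all(parts)


if __name__ == "__main__":
    print(parse_token_response(LEGACY_BODY, "text/plain; charset=UTF-8"))
    print(parse_token_response(JSON_BODY, "application/json; charset=UTF-8"))
    print("error body:", is_error_response(ERROR_BODY, "application/json"))
    print("code is signed_request:", looks_like_signed_request("AQA6constructedcode"))
```

Both sample bodies normalise to the same dict, so the rest of the application only ever sees the v2.3 keys; the Content-Type check keeps a JSON body from being mis-parsed as form data (which would otherwise yield a key like '{"access_token"' and an empty token), and the sniffing fallback covers servers that omit the header.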