I have an app that conects to WSO2 to generate its access token and refresh token, but when I use special characters in the password, the server answers with an invalid grant error
Im testing it with postman with this url:
https://localhost:9443/oauth2/token?grant_type=password&username=XXXXX&password=123Abc$#
Basic auth with OAuth client key and secret and Content-Type: application/x-www-form-urlencoded
The answer is:
{
"error_description": "Authentication failed for Ceiba2#carbon.super",
"error": "invalid_grant"
}
Is there any way to scape these special characters? because WSO2 allows me to change the password to use special characters both from the app directly and using its SOAP service.
Thanks
I solved it encoding the url characters
The final url was:
https://localhost:9443/oauth2/token?grant_type=password&username=XXXXXX&password=123Abc%24%23
Related
I want to connect to SharePoint by using username#company.com and password instead of client id and client secret. Do I need to get any authorization for my ID? If yes, how to get? I know the process for fetching authorization for client ID and client secret.
In this URL: https://{tenant}.sharepoint.com/sites/{sitename}/_layouts/15/user.aspx
I add my user id and password with permission levels as "Full control".
But in this URL: https://{tenant}.sharepoint.com/sites/{sitename}/_layouts/15/appprincipals.aspx
I am able to see only client id and client secret. Not my user id.
When I send POST request using Postman it is giving me "error": "unsupported_grant_type".
Postman Inputs:
POST https://accounts.accesscontrol.windows.net/{tenant_id}/tokens/OAuth/2
Headers
Content-Type : application/x-www-form-urlencoded
Body (x-www-form-urlencoded)
grant_type: password
username: username#company.com
password: password
resource:00000003-0000-0ff1-ce00-000000000000/{tenant}.sharepoint.com#{tenant_id}
SharePoint rest api does not support "Password Grant Flow". You can either use "Client Credentials Flow" or "Implicit Flow".
If you want to allow users to use their username & password, Use implicit flow.
NOTE: User will always require to sign in to get access token. You can not simply pass username and password with post request.
Here is the complete guide for configuring azure ad app for implicit flow : https://frankchen2016.medium.com/how-to-access-the-spo-rest-api-using-implicit-authentication-flow-40d65750554f
I'm making a request to WSO2-AM to get the OAuth Token to access the api published in the API Manager on behalf of the user. Everything is working with the big string returned in access_token but I'd like to use the short one version, probably encoded.
Request:
curl -X POST -H 'Content-Type:application/x-www-form-urlencoded' -u
<consumer-key>:<consumer-secret> -k -d
'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<id_token>'
https://<apim>:8243/token
Response:
{"access_token":"eyJ4NXQiOiJNell4TW1Ga09HWXdNV0kwWldObU5EY3hOR1l3WW1NNFpUQTNNV0kyTkRBe
lpHUXpOR00wWkdSbE5qSmtPREZrWkRSaU9URmtNV0ZoTXpVMlpHVmxOZyIsImtpZCI6Ik16WXhNbUZrT0dZd01XSTBaV05
tTkRjeE5HWXd....bZ-CD_r-2qkypeER7f8QMrLpozRipgHeCkpIKXx5PzSM6zBq5VjMW4EXSRg7LSu0JAJfD2UD6H4bqAiZPNiGy9vTLXc
Zr4g8WNzfKkr...
-hiAOt4SauSZxB1WWCFEZ0xyHVhbx7nAFzBVzfssF0DOYGXkc9hRJZGbG8VfiXb6PWtSfEjqJTSSY_aZWXw",
"refresh_token":"d3062fa0-1132-3532-b1b2-83c3c66136ff","token_type":"Bearer","expires_in":3600}
Expected:
{"access_token":"400f2a54-53d8-3146-88e3-be1bf5e7450d",
"refresh_token":"c2656286-449f-369f-9793 2cee9132de9f",
"scope":"default","token_type":"Bearer","expires_in":3600}
What I'm doing wrong that is not returning the short one?
I assume, that the expected by you access_token is the Opaque(Reference) Access Token, described in this WSO2 API Manager 3.1.0 documentation: Secure APIs using OAuth2 Opaque(Reference) Access Tokens.
But, according to the Release notes, from WSO2 API Manager 3.2.0, they removed this type of access token:
Out-of-the-box support to generate an opaque access token via the Developer Portal has been removed. Application Developers can create applications that only generate a JWT type access tokens.
So, the big string, you get is nothing more, like this JWT token, described here in documentation: JWT (Self Contained) Access Tokens, which you can decode on jwt.io site.
You can decode your long JWT from https://jwt.io/ and get the JTI value of it as the short one which will look similar to 400f2a54-53d8-3146-88e3-be1bf5e7450d.
Refer to the example shown below.
.
As you were referring to the short token. It is the opaque token and APIM 3.2.0 It is not shown while you creating the Application. You can get the default Token (opaque) By the WSO2 carbon management console.
Change Token Issuer to Default from JWT in ISP list for particular Application that you need to use.
enter image description here
Where I am generating opaque (Short) Token in APIM 4.0.0
enter image description here
I have a JWT issued by app.vstoken.visualstudio.com.
When I tried to do validate that token using
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.Validate();
its throwing following exception
An unhandled exception of type 'Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException' occurred in System.IdentityModel.Tokens.Jwt.dll
IDX10500: Signature validation failed. No security keys were provided to validate the signature.
I suspect its because its not able to locate the public key for the issuer having
thumbprint = x5t attribute value present in the JWT header
How to get that public certificate or how to tell JwtSecurityTokenHandler.Validate() to fetch the required certificate to validate the JWT signature.
My first approach was to validate token issued by remote website locally.
To validate locally I needed to validate signature of the token using public key of the remote website (since it has used its private key to sign the token).
But instead of doing that I found out that the remote website exposes set of rest apis accessing which requires user to provide valid token as part of "bearer" header in the http request.
Currently I am using that api to determine authenticity of the user.
The remote website was dev.azure.com and it exposes set of apis and sdk to authenticate the token.
Library used : Microsoft.VisualStudio.Services.WebApi
I am using the Swagger OpenAPI 3.0.2 version for describing my API.
I built swagger-codegen 3.0.5 snapshot from the Swagger gihub repo.
I want a Java client that will obtain the OAUTH2 token for a grant type of client_credentials. I want client credentials because this is one machine talking to another, I am not asking a user for their credentials. I have the following bit in my spec file:
securitySchemes:
oAuth2ClientCredentials:
type: oauth2
description: Standard OAUTH2
flows:
clientCredentials:
tokenUrl: my_token_url
scopes: {}
security:
- oAuth2ClientCredentials: []
I want a Basic Authentication header with the client ID and the client secret in the standard base64 encoding with the grant_type as a URL encoded form. This is pretty standard OAuth2 authentication.
I seem to sometimes get code for the OAuth authentication and sometimes not. The python library has nothing for OAuth other than me proving the access token by hand. The Java library doesn't have it unless I ask for retrofit as the base library, but it generates a Bearer Authentication header, rather than a Basic Authentication Header. Retrofit2 doesn't even work, the handlebars template has an illegal character in it that handlebars barfs on.
So what do people do to get their access tokens when they have a client ID and a client secret? Do you craft the code to get the access token by yourself? Or is there some magic way of getting swagger-codegen-cli to generate the code for me, depending on the libraries that I use?
If anyone has managed to get swagger-codegen-cli to generate everything they need for OAuth 2 client credentials with an OpenAPI 3.0 specification, please let me know.
I am unable to get access token of dynatrace via REST api. I have used the sample REST call provided in the dynatrace documentation but still cannot get the token, but I can log into the account on the portal using these credentials. I have signed up for a free trial account on dynatrace synthetic. Are there any permissions need to be given in order to use APIs.
GET https://datafeed-api.dynatrace.com/publicapi/rest/v1.0/login?
user=sampleuser&password=samplepw HTTP/1.1
Accept-Encoding: gzip,deflate
Accept: application/json
User-Agent: Jakarta Commons-HttpClient/3.1
Host: datafeed-api.dynatrace.com`enter code here`
I get "Invalid username or password"
This means either the account has expired or your username + password are incorrect.