I have a problem when using yahoo Japan API.
When using order info API, the server always returns an error:
<?xml version="1.0" encoding="utf-8" ?>
<Error>
<Message>
Please provide valid credentials. Bearer realm="yahooapis.jp", error="insufficient_scope", error_description="insufficient scope"
</Message>
</Error>
Here is my request:
https://circus.shopping.yahooapis.jp/ShoppingWebService/V1/orderInfo
Authorization: Bearer accessToken
<Req>
<Target>
<OrderId>orderId here</OrderId>
<Field>PayStatus,SettleStatus</Field>
</Target>
<SellerId>sellerId here</SellerId>
</Req>
So, maybe you think my accessToken is expired or invalidate. But when I use this accessToken to access user info API, it's work, so the accessToken is not a problem.
https://userinfo.yahooapis.jp/yconnect/v1/attribute?schema=openid
Authorization: Bearer accessToken
I don't know what's wrong with my request, maybe you know. Thanks.
Update:
For people who have the same problem, here is my solution.
You need to contact with yahoo to ask them allow you permissions to use shopping API. That's it :))
I was also facing the same issue so what i did while doing authorization i added scope keyword in request params and while access yahoo site it ask me to give permission for other information like email, name and etc. so its works fine after that. check params added while authorization.
'scope' => $scope
home this will help you..
Related
I'm following step by step guide on Microsoft's site (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#refresh-the-access-token), everything is working correctly but every time I try to refresh the access token, I get this error: AADSTS70000: Provided grant is invalid or malformed. error_codes: 70000.
I've created a Postman collection for testing, also downloaded the official postman collection from the Microsoft's site, everything is working correctly until the access token does not expire. When it expire, trying to refresh the token always lead to an error and I'm pretty stuck with it. I've double and triple checked correspondence between redirect_url, permission, grant, copy/paste errors, waited for the access_token to expire before trying to refresh... I've done almost 100 tests, and every time I'm stuck at the refresh part!
I start with doing the normal call to Microsoft Login API in my browser, and getting the code in query string from the browser (no problems here) (please note that client_id is URL encoded because, in my test environment, client id is an URL due to the configuration of the Drupal portan we're using, I'm truing to recreate the same behaviour in postman)
https://login.microsoftonline.com/{tenant_guid}/oauth2/v2.0/authorize?client_id={myclient_id_urlencoded}&response_type=code&redirect_uri={redirect_uri_urlencoded}&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&state=12345
Then with the code in query string, i POST to the token endpoint:
POST /{tenant_guid}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-url-form-urlencoded
cache-control: no-cache
Postman-Token: a0456a8d-6979-491f-b61e-86b5d614c577
client_id={myclient_id_urlencoded}
scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
redirect_uri={redirect_uri_urlencoded}
grant_type=authorization_code
client_secret={client_secret_urlencoded}
code=OAQABAAIAAADCoMpjJXrxTq9VG9te-7FXujKZhF...
I receive back an accesso token (that is working like a charm in accessing https://graph.microsoft.com/v1.0/me for an hour) and a refresh token. I would love to get a new pair of access/refresh token when the original access token expires, using the refresh_token grant_type
POST /tenant_guid/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-url-form-urlencoded
cache-control: no-cache
Postman-Token: 5d71f813-768e-476c-a97f-c109fba3165e
client_id={myclient_id_urlencoded}
scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
redirect_uri={redirect_uri_urlencoded}
grant_type=refresh_token
cclient_secret={client_secret_urlencoded}
refresh_token=OAQABAAAAAADCoMpjJXrxTq9VG9te-7FX8m6YMg-.....
But no matter if I try before access token expiration or after, closing and reopening postman, I always receive that error back. I've done almost 50 tests (always with the full round of login/authorization to use always a fresh refresh token) with no luck.
Seems like I'm missing something really stupid here because I can't imagine that everybody else is behaving correctly... but really can't find a way out!
So I just got mine working! Here are the required parameters I needed:
client_id = your client id
refresh_token = the refresh token here
grant_type = refresh_token,
client_secret = secret
NOTE: Everything I read told me to URLEncode the values. I found it worked with them UNENCODED - no idea if it will really make a difference or not. Since it is going in the body of the post, which means it is TLS encrypted.
The other important thing was the url I posted to. There seem to be so many examples and none seem to be consistent. I used this format:
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
The last thing is to be sure you are using the correct app id. In my case I was using the appId for the wrong app and it didnt have consent. Hope this helps. I do wish Microsoft would make a concerted effort to spell out things consistently and think like someone who doesn't do security for a living.
Finally resolved thanks yo the Azure Support.
The problem is the client id: as I supposed before, Microsoft allow you to define another application name, but always want to use the GUID client id to submit any request. Unfortunately, it was warning me when I didn't url-encoded it, but did not alert me that it was not correct until I tried to use the refresh token.
So just read very very well the documentation: client_id: The Application (client) ID that the Azure portal – App registrations experience assigned to your app (so not the one you choose).
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
Maybe including a format validation in the documentation would help!
Lets say we have SPA written in Angular 2 and have REST API using Spring Boot.
Both of them deployed in different servers. And now I have to protect this API via Facebook's OAuth2, but I don't know which grant type suits to my problem.
I don't want to be an auth server, I don't want facebook to be my resource server, instead my own REST API is supposed to be a resource server.
From FB I just want username or email or some identifier.
If I understood correctly I have to use implicit grant flow, because it's not a web application, correct me please, if I'm wrong.
Does "authorization code" grant also could be a choice ?
I really read almost all the threads related to oauth, spring security..
But I didn't find any info related to exactly SPA and REST API for separate servers.
Any link/resource related to above problem is appreciated.
Thanks in advance and sorry if I did something wrong, it's my very first post here.
You need to implement Implicit Grant flow https://oauth2.thephpleague.com/authorization-server/implicit-grant/
you need HTTPS for safety.
example:
OAuth Server: https://myoauthserver.com
restapi: https://myrestapi.com
client: https://myclient.com
send a get request to oauthserver "authorize" url with params
response_type = token (sometimes 'code')
redirect_uri = myclient.com or myclient.com/something (the one u assign while making an oauth client )
client id = dfuvhiurehvher (whatever id)
some providers require additional parameters like "scope".
when you send a request if everything works. you will be redirected to your client with the token in the url.
your request:
GET: https://myoauthserver.com/oauth/authorize?response_type=token&redirect_uri=https://myclient.com&client_id=yourClientIdHere
if successful you'll be redirected to
https://myclient.com?token=yourTokenValueIsHere
you can now use javascript to retrieve and store token value maybe to localStorage and attach it when sending requests to restapi (https://myrestapi.com)
heres an example request from auth0.com
$.ajax({
cache: false,
url: "http://localhost:7001/api/appointments",
headers: { "Authorization": "Bearer " + ATTACH_YOUR_TOKEN_VALUE_HERE }
});
for more details check this
https://auth0.com/docs/api-auth/tutorials/implicit-grant
I am following this document to secure the rest services. I am able to obtain the access token. However when I try to use the token to invoke a service, I am getting the error -
Status: 401
WWW-Authenticate Bearer realm="bkofc", error="invalid_token",
error_description="Didn't find publicKey for specified kid"
What am I missing here ? Anything to do with the realm settings ?
401 could actually only mean, that the token is not provided correctly. The Header "Authorization" needs to be set properly. It actually works fine, when you are doint it right.
Desides, the document you are using is written by a person, who knows exactly, what to do for people, who know exaclty what to do. So may be you are just doing something wrong, which is not recognisable from your question.
Here I am provideing you the complete scenario where I am getting the error while posting request for creating a new account.
I am using Intuit OAuth Access and OAuth API console for testing (Using all security tokens).(https://appcenter.intuit.com/Playground/OAuth)
And the URL and request:
URL: https://services.intuit.com/sb/account/v2/570357960
Method : Post
Format: XML/JSON
Request:
<?xml version="1.0" encoding="UTF-16"?><Add xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" RequestId="4df87bw2-916a-
4r95-h5d6-06dce3667562"
xmlns="http://www.intuit.com/sb/cdm/v2"><ExternalRealmId>570357960</ExternalRealmId><Objectxsi:type="Account"><Name>CurrentAccount</Name><Active>true</Active><Type>Expense<
/Type><Subtype>Expense</Subtype><AcctNum>1111</AcctNum></Object></Add>
And getting the response (error in html):
<div class="content-container"><fieldset>
<h2>500 - Internal server error.</h2>
<h3>There is a problem with the resource you are looking for, and it cannot be displayed.</h3>
and I have also checked with RESTClient utility, but getting the same above error.
Please note that the same url
(https://services.intuit.com/sb/account/v2/570357960) with same
security tokens is working fine for GET data , I am getting data from
QB desktop into my online Application.
As Keith said, check the Content-Type. You will also need to use a RestClient for testing. The playground will not work for testing API calls. It only works for platform calls.
If I had to guess... I'd guess you're sending the wrong Content-Type header... but it's impossible to tell for sure until you post more code/the rest of your HTTP request.
A few things to try. Be sure the XML is in the same order as this sample and try it.
the other is a common mistake when you use Oauth in a GET you are including just the url in the signature, but in a POST you need to include the Body in the signature too or it will not pass Oauth validation.
Lastly, as Keith mentioned to check the content type. Although you would generally get a content type error.
156234822
CurrentAccount
true
Expense
Expense
1111
I used curl to query Facebook's FQL and this happened:
> curl 'https://api.facebook.com/method/fql.query' -d "query=SELECT+now()+FROM+user+WHERE+name='Barry Carter';"
<?xml version="1.0" encoding="UTF-8"?>
<error_response xmlns="http://api.facebook.com/1.0/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://api.facebook.com/1.0/ http://api.facebook.com/1.0/facebook.xsd">
<error_code>102</error_code>
<error_msg>Session key invalid or no longer valid</error_msg>
<request_args list="true">
<arg>
<key>method</key>
<value>fql.query</value>
</arg>
<arg>
<key>query</key>
<value>SELECT now() FROM user WHERE name='Barry Carter';</value>
</arg>
</request_args>
</error_response>
Do I need to authenticate even to find users? On the website, you can
do that sans authentication?
If I do need authentication, how do I get it? I've read
http://developers.facebook.com/docs/authentication but do I need all
that for a simple curl call? If so, what should I do to get an auth
token? Do I need to store cookies/etc (using curl's -b and -c flags?).
This question is similar to
Facebook API - fql_query, Invalid session
but I'm using straight curl, not PHP.
I realize the query should be GET, not POST, but I'm pretty sure that's not the problem.
Yes you'll need to have an auth token for pretty much any query you perform.
It's not that hard to manually acquire one if you're just experimenting. The easiest way to do it manually is to follow the "client-side flow" section of the authentication doc page you linked by navigating to the specified URL in your browser, and use http://www.facebook.com/connect/login_success.html as the target URL (it's just a dummy page on facebook.com, so it is guaranteed to let you through), and then grab the access token from the address bar.