Here is my auth url
https://login.uber.com/oauth/v2/authorize?client_id={{client id}}&response_type=code&scope=profile request
Is theire any issue in above url.
Is the request scope configured in your app? The list of scopes in the scope parameter has to be a subset of the scopes you configured.
You could try the same request without the scope parameter. That'll default to whatever scopes you configured (you'll need at least one for your authorization to go through).
Did you try replacing the spaces with %20, like so?
https://login.uber.com/oauth/v2/authorize?client_id={{client id}}&response_type=code&scope=profile%20request
They forgot an 's' in the documentation file.
Try scopes=... instead of scope=...
Related
I'm trying to make some GET calls through Postman to the following endpoint:
https://api.xero.com/api.xro/2.0/Reports/BalanceSheet
getting this error:
{"title":"Unauthorized","status":401,"detail":"AuthorizationUnsuccessful","instance":"674c99d2-0ae3-4940-b23b-aec74cef79ea"}
The docs say this is a user roles issue, and suggests "view reports" access is off, but I'm pretty sure that's all set up correctly:
screenshot of user role options
It works fine through the API previewer, so I can't see what I'm missing.
Any help?
If it makes a difference, I'm using Oauth2.0 route.
You'll likely be missing the accounting.reports.read scope.
During the authorisation process, when you direct your user to the https://login.xero.com/identity/connect/authorize... url, try including accounting.reports.read in scope query parameter (along with your existing scopes, of course).
In March of 2018 Facebook began requiring "Strict Mode" for redirect URIs. This means any redirect URI needs to be known in advance, and added to your app's profile (Valid OAuth Redirect URIs). The problem is when the redirect URI contains a dynamic parameter, like a state variable, guid, or user id, etc.
The answer I have found on many websites is that you can hold dynamic state in a "state" parameter. So if your allowed redirect uri is "www.example.com/signin" then this will also allow "www.example.com/signin?state=12344". However, this seems to be no longer allowed. The state parameter no longer seems to be ignored by this strict rule - it fails validation (there is a valid url checker on your facebook app settings page). To test this, I simply put "a.com" in the allow uri field, and "a.com?state=x" in the Redirect URI Validator, and it fails. Without the ?state-x it succeeds. What am I missing?
So I have two questions:
1) First, how to I find out what redirect url my app is actually sending to FB? I can't sniff my traffic since it's https (also required now by fb). I think I know what it is (https://www.example.com/signin-facebook?state=xxxxxx) but I can't be sure and there is no way to verify. The logic that calls FB is wrapped up in the MS Identity library.
2) Second, if it's the state parameter that is causing my login fails, is there any way to disable that in my ASP.NET Core app, or allow it in FB?
Just to clarify, here are two images showing that without the state parameter, the url is valid, but adding the state parameter makes it an invalid URL. Clearly the 'state' parameter is not being ignored by this strict rule checker, as many people have claimed. If I add the state param url to the list of allowed urls, it works but only with that exact state value, not with any different value.
The state parameter is dynamic to begin with (or at least it should be, because its original purpose is CSRF protection), so it is not taken into account when the URL is checked for a “strict” match to the one you have configured.
If you want to use
https://www.example.com/signin-facebook?state=xxxxxx
then configure
https://www.example.com/signin-facebook
as your Valid OAuth Redirect URI.
If you have other (static!) parameters besides the dynamic state, then those must be input into the field as well. You want to use
https://www.example.com/signin-facebook?action=foobar&state=xxxxxx
then the URL in your settings needs to be
https://www.example.com/signin-facebook?action=foobar
And since, as mentioned, the original purpose of this parameter is CSRF protection, it might still be a good idea to add a “random“ component to it, if the actual value you are trying to transport via it is “guessable”, or from a limited range of pre-defined values only.
In that case, I would probably go with an encoded JSON object as the parameter value -
state={"mystate":"foobar","random":8473628}
(Don’t forget to apply proper URL encoding, if your system doesn’t do that automatically.)
I'm using OpenAM for authentication on my application. I access to my app using such URL:
http://my.company.com/appfolder/appservlet?lang=EN&user=test
On first access, OpenAM agent catches the URL and redirect my browser to the authentication page using this redirection URL:
...openam/UI/Login?goto=http%3A%2F%2Fmy.company.com%3A8080%2Fappfolder
After correct authentication, I'm finally redirected to the following URL:
http://my.company.com/appfolder
This is logic since this is the URL referenced in goto param. But it's not the same than original one: the servlet and custom params (lang and user) are missing.
Any idea how to configure my agent to make it keep servlet and params after redirection ?
take a look at this step of the tutorial "Add Authentication to a Website using OpenAM".
In section "Creating An Access Policy" -> "Wildcard matching" is your answer:
The wildcard * in policy URLs does not match '?'. As such if you
wish to allow GET parameters to be submitted then a second policy for
http://webserver.example.com/*?* is required.
Thanks for your answer. As mentionned in my previous comment, the adding of new policy does not resolve my issue. Actually, I'm not sure to understand how the policies can solve the issue since the goto parameter is generated by the J2EE agent, which acts before policies are applied (as far as I know... I'm maybe wrong).
Anyway, I could solve my problem by re-compiling the J2EE Agent: I've build a new agent.jar based on v3.0.3 available at forgerock. Then I replaced the AmFilterRequestContext.class by a new one, build on source available here:
http://www.docjar.com/html/api/com/sun/identity/agents/filter/AmFilterRequestContext.java.html
With this new agent, my goto is now correct, and redirection works well (and I don't have to define any policy).
The strange thing is that I don't understand why it works now ! I couldn't find any difference between java source mentionned above and uncompiled version of original class! I just added some System.out.println to get variables values and functions results, and built the jar. After restaring my jboss, the goto was correct. I'll try to understand why this finally work now when I've time.
Hi
I have Facebook register in my website. I have integrated it completely without any bugs and the values are stored in the database.After the successful registration , it doesn't redirect to the exact url that i have mentioned below.
header("location:http://www.facebook.com/dialog/oauth/?scope=publish_stream&client_id=yyyyy&redirect_uri=".SITE."business.php?action=favouriteshare&id=".$bid."");
It always through invalid url details.Could anyone please suggest some ideas to get this redirect correctly.
Try the following:
wrap the redirect url with quotes '
use the urlencode() method.
The scope parameter is not yet supported. Please vote this ticket to make it happen.
to connect to an app on facebook, the user types in
www.facebook.com/login.php?api=12312312323123123
how can I add an extra get var to this url and pass it to my script on successful login?
Do you add a redirect_url as part of the login call?
If so you can add the GET parameter to that. For instance let us say you are asking Facebook to redirect to http://tld/fbhandler after user logs in. You can change that to http://tld/fbhandler?extra=value.
This URL is specified at the time of making the (OAuth) login call to Facebook and therefore you can change the value as you see fit.
You cannot do this. Facebook will strip custom query values from the url. I have found that there are two ways to do this. The first is that they will let you have a single query value at the end of the url if you encode the ? to %3F. For example:
redirect_url=http://www.example.com%3FmyextraParameter
You could use this approach to do something like base64url encode your values and add them at the end.
The other thing that I have done is to change the parameters to be path variables
redirect_url=http://www.example.com/realUrl/parameter1/parameter2
Neither are great solutions, but I have yet to find a way to send querystring values without them being stripped off.