I'm trying to access Microsoft's Outlook.com Calendar REST API. I got OAUTH2 authentication set up correctly and have a valid access token and refresh token available.
However, if I try to access the calendar list # https://outlook.office.com with my access token:
GET /api/v1.0/me/calendars HTTP/1.1
Accept: application/json; odata.metadata=none
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciO[...]
the service returns with an 403 Forbidden
HTTP/1.1 403 Forbidden
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
Server: Microsoft-IIS/8.5
Set-Cookie: ClientId=OD6KHQBTKOKMLXUI8OJEG; expires=Wed, 21-Sep-2016 18:37:21 GMT; path=/; secure; HttpOnly
Set-Cookie: exchangecookie=8e4f582170cb445780c7148e9494b293; expires=Thu, 22-Sep-2016 18:37:23 GMT; path=/; HttpOnly
Set-Cookie: ClientId=OD6KHQBTKOKMLXUI8OJEG; expires=Wed, 21-Sep-2016 18:37:21 GMT; path=/; secure; HttpOnly
request-id: 7113f37d-69e0-4f8c-a264-9f3599d47899
X-CalculatedBETarget: CY1PR08MB1801.namprd08.prod.outlook.com
X-BackEndHttpStatus: 403
OData-Version: 4.0
X-AspNet-Version: 4.0.30319
X-DiagInfo: CY1PR08MB1801
X-BEServer: CY1PR08MB1801
X-Powered-By: ASP.NET
X-FEServer: AM3PR04CA0074
X-MSEdge-Ref: Ref A: D69A31E4FAA44258B0B8C351A71D2F9E Ref B: 0D3CA60C0976F50C452293F8CF403D8C Ref C: Tue Sep 22 11:37:23 2015 PST
Date: Tue, 22 Sep 2015 18:37:22 GMT
{"error":{"code":"ErrorAccessDenied","message":"Access to OData is disabled."}}
I played around with Outlook's OAuth Sandbox, where the same request returns a 200 OK with the correct data in the body. Strangely enough, they spot a nice little Show me the cURL! button in the sandbox, but this exact curl command will fail again with a 403 error in my terminal.
What am I missing?
I talked to a Microsoft techie. My problem was, that the REST API is not public (yet) and Microsoft has not yet enabled the API for standard Outlook.com accounts.
I requested an Outlook developer preview account with the REST API enabled by writing an email to outlookdev#microsoft.com
It took some time until I got a response from Microsoft, but using the developer account everything works now as expected.
Related
I am trying to upload a video to Twitter using the chunked upload endpoint. For this I post to the endpoint '**https://upload.twitter.com/1.1/media/upload.json**' the 'INIT' command. n posting to the Twitter server I get the error below
{"errors":[{"code":32,"message":"Could not authenticate you."}]}
At first I had a doubt regarding the Oauth signature generation function. But I can post a tweet and upload a .png image to the https://upload.twitter.com/1.1/media/upload.json using the Oauth signature generated by this Oauth signature generation function
I could also post the 'INIT' command initiate the chunked upload of a video successfully using TWURL
I have pasted below the actual request and response which was captured using Fiddler
Request
POST https://upload.twitter.com/1.1/media/upload.json HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: upload.twitter.com
Authorization: OAuth oauth_consumer_key="", oauth_nonce="MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAw", oauth_signature_method="HMAC-SHA1", oauth_signature="BtxgmRxA1bt5FI2Hu3qhhVIb5Eg%3D", oauth_timestamp="1607577817", oauth_token="****", oauth_version="1.0"
Content-Length: 357
Connection: Keep-Alive
command=INIT&media_category=tweetvideo&media_type=video%252Fmp4&oauth_consumer_key=******&oauth_nonce=MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAw&oauth_signature=BtxgmRxA1bt5FI2Hu3qhhVIb5Eg%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1607577817&oauth_token=********&oauth_version=1.0
Response
HTTP/1.1 401 Authorization Required
cache-control: no-cache, no-store, max-age=0
content-length: 64
content-type: application/json; charset=utf-8
date: Thu, 10 Dec 2020 05:23:39 GMT
server: tsa_k
set-cookie: personalization_id="v1_jQ8zK7e0TgY2uCQKkiVOgA=="; Max-Age=63072000; Expires=Sat, 10 Dec 2022 05:23:39 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
set-cookie: guest_id=v1%3A160757781933882195; Max-Age=63072000; Expires=Sat, 10 Dec 2022 05:23:39 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
strict-transport-security: max-age=631138519
vary: Origin
x-connection-hash: 0e6ebd96e051b8f7a413fb79c51a8f42
x-frame-options: SAMEORIGIN
x-response-time: 182
x-tsa-request-body-time: 0
x-xss-protection: 1; mode=block
{"errors":[{"code":32,"message":"Could not authenticate you."}]}
i googled a lot for a solution to this issue but none of the solutions are working. I also read the relevant Twitter documentation many many times
Thanks in advance for any tips
Mathew
Finally found what was causing the error. While passing the URL to which data has to be posted to the function that I use to generate the Oauth signature I was passing 'https://upload.twitter.com/1.1//media/update.json.com' instead of 'https://upload.twitter.com/1.1/media/update.json.com'. One additional '/' character was the reason why the error was occurring.
Thanks and regards
Mathew
Iam working on a REST module in Yii2. The client is able to authenticate on the server and is also able to get the requested response. I have seen, that the client authenticates one time to the system. It seems that the client stores its authentication information, because no further authentication for following requests is needed.
Of course, Iam interested that each REST request needs an authentication. I have seen, that there could be one way to do some fixed settings in the configuration of the app, which I would like to avoid.
I guess that the authentication information is stored in a cookie. I assume that the cookie is named'_csrf-frontend'. Now I try to remove this cookie within a controller function.
$cookies = \Yii::$app->response->cookies;
$cookies->remove('_csrf-frontend');
unset($cookies['_csrf-frontend']);
I've added additionaly recommended settings of Idgs answer, but still no luck. After a refresh of the page the authentication information must be kept, because still no authentication is necessary.
A look in the Headers shows:
Response Header:
Cache-Control no-store, no-cache, must-revalidate
Connection Keep-Alive
Content-Type application/json; charset=UTF-8
Date Thu, 29 Mar 2018 06:36:37 GMT
Expires Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive timeout=5, max=100
Pragma no-cache
Server Apache/2.4.18 (Ubuntu)
Set-Cookie _csrf-frontend=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; HttpOnly _identity-frontend=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; HttpOnly
Transfer-Encoding chunked
Request Header:
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language de,en-US;q=0.7,en;q=0.3
Authorization Basic ZG9yaXMua3JhdXNAdmVydHJlbmQuY29tOktyYXVzMTAwMA==
Connection keep-alive
Cookie eafab809c11b0a847c07e9c4f2b93936=uv3f1tof6la24616p7bkf59p55; advanced-frontend=mobbni6v6492kde73amtdvcqi3; _csrf-frontend=4d2ddb54290d2fa7fcc9c4a9900726b795e83aadc658fc0f50395bf7ded0c86aa%3A2%3A%7Bi%3A0%3Bs%3A14%3A%22_csrf-frontend%22%3Bi%3A1%3Bs%3A32%3A%22Oiy_JOiLMg_X0Hz666f0OWpG_r-jcvnO%22%3B%7D
DNT 1
Host localhost
Upgrade-Insecure-Requests 1
User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Only, if I remove all of the Browsers Chronik in Firefox, then a new authentication request is coming up.
It's probably not the CSRF feature that's setting the login cookie, see: rest-authentication docs, which tells you how to disable the login session.
Disable Sessions
If you don't want to use the recommended config settings:
'user' => [
'enableSession' => false,
'enableAutoLogin' => false,
You can set the values in your controller like:
public function init()
{
parent::init();
Yii::$app->user->enableSession = false;
Yii::$app->user->loginUrl = null;
}
Disable CSRF
If you also want to turn off CSRF (e.g., if you have any web form POSTS to your API), either update the request component in your web config like:
'components' => [
'request' => [
'enableCsrfValidation' => false,
or to turn CSRF off in your controller, use:
$this->enableCsrfValidation = false;
(Obviously you would want to implement your own CSRF protection as applicable if you do turn it off.)
I have a facebook canvas app and I'm running both the same code and same redirect_uri for web and mobile, it works without issue in my web configuration but my mobile version doesn't. My app is a responsive app, so even the URLs within the facebook configuration are identical.
The method I'm using for both to generate the url
List<NameValuePair> qparams = new ArrayList<>();
qparams.add(new BasicNameValuePair("client_id", facebookClientId));
qparams.add(new BasicNameValuePair("redirect_uri", "https://apps.facebook.com/customdomain"));
qparams.add(new BasicNameValuePair("client_secret", facebookClientSecret));
qparams.add(new BasicNameValuePair("code", code));
uri = new URIBuilder()
.setScheme("https")
.setHost("graph.facebook.com")
.setPath("/oauth/access_token")
.setParameters(qparams)
.build();
website url https://local.mydomain.com:8443/test/facebook/auth
mobile url https://local.mydomain.com:8443/test/facebook/auth
Canvas URL
https://local.mydomain.com:8443/test/facebook/auth/
auth urls
https://local.mydomain.com:8443/test/facebook/auth/
https://apps.facebook.com/customdomain
App domain
https://apps.facebook.com/customdomain
Working url from website
https://graph.facebook.com/oauth/access_token?client_id=578152068997908&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fmydomain&client_secret=xxxx&code=AQBQ_VZlxKWqMfmC2neu8DIllor0Lrp1wvLvtSD5do3PyMfO_jxiEjcGEbZ-a0bEJbe6Ya9Noh9esXm2mgmgw0zP9OQOM-2h7VBYkruix0o7isKWwYkksFAi-i2qpUmTBcb0YxAqrn5y2aEWk8GxmhEVAgsW3GGLksNTndhZr3NYDs5Mi4GtmsjMKJbO8dTzePDrh4iSz_Qv0fmgalkDhIRmM7zsjodFPkytL4rlzG9Q4oN14qEhpBUmISnu8cAQcLvOlYACD17nFqhyq-BOVmX8PpUNRFdoHDk9KUTUv7c8PbfVGOBmWeJJKxWdZ0ncUu0
Non working mobile
https://graph.facebook.com/oauth/access_token?client_id=578152068997908&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fmydomain&client_secret=xxxx&code=AQBQ_VZlxKWqMfmC2neu8DIllor0Lrp1wvLvtSD5do3PyMfO_jxiEjcGEbZ-a0bEJbe6Ya9Noh9esXm2mgmgw0zP9OQOM-2h7VBYkruix0o7isKWwYkksFAi-i2qpUmTBcb0YxAqrn5y2aEWk8GxmhEVAgsW3GGLksNTndhZr3NYDs5Mi4GtmsjMKJbO8dTzePDrh4iSz_Qv0fmgalkDhIRmM7zsjodFPkytL4rlzG9Q4oN14qEhpBUmISnu8cAQcLvOlYACD17nFqhyq-BOVmX8PpUNRFdoHDk9KUTUv7c8PbfVGOBmWeJJKxWdZ0ncUu0
Response
InternalModule.PageLoader Loaded page 'facebook/Auth' (en) in 112.543 ms
response HttpResponseProxy{HTTP/1.1 400 Bad Request [WWW-Authenticate: OAuth "Facebook Platform" "invalid_code" "Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request", Facebook-API-Version: v1.0, Content-Type: text/javascript; charset=UTF-8, Pragma: no-cache, Access-Control-Allow-Origin: *, X-FB-Rev: 1514665, Cache-Control: no-store, Expires: Sat, 01 Jan 2000 00:00:00 GMT, X-FB-Debug: WpyeYYw/BIs08HkafBWcrkbU5tICVgEHTKrPBAiTzZEqjgP3OGCP8eQwNVx2lx6b0iH9GGqIrir3S4iGu7VAIw==, Date: Tue, 02 Dec 2014 09:21:50 GMT, Connection: keep-alive, Content-Length: 190]}
facebook.FacebookAuth com.mydomain.test.pages.facebook.FacebookAuth 400 HttpResponseProxy{HTTP/1.1 400 Bad Request [WWW-Authenticate: OAuth "Facebook Platform" "invalid_code" "Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request", Facebook-API-Version: v1.0, Content-Type: text/javascript; charset=UTF-8, Pragma: no-cache, Access-Control-Allow-Origin: *, X-FB-Rev: 1514665, Cache-Control: no-store, Expires: Sat, 01 Jan 2000 00:00:00 GMT, X-FB-Debug: WpyeYYw/BIs08HkafBWcrkbU5tICVgEHTKrPBAiTzZEqjgP3OGCP8eQwNVx2lx6b0iH9GGqIrir3S4iGu7VAIw==, Date: Tue, 02 Dec 2014 09:21:50 GMT, Connection: keep-alive, Content-Length: 190]}
facebook.FacebookAuth com.mydomain.test.pages.facebook.FacebookAuth
What could possible be causing this issue? Does it have something to do with canvas and mobile?
I am trying to use the REST web services API from Google (Analytics) and I am getting a meaningless response instead of the expected data from Google Analytics.
Here is my request and the corresponding response:
GET /auth/analytics.readonly?ids=ga:12660456&start-date=2012-01-01&end-date=2012-02-02&metrics=ga:visits HTTP/1.1
Host: www.googleapis.com
Authorization: OAuth ya29.mytokenhere
HTTP/1.1 200 OK
status: 200
content-length: 18
x-xss-protection: 1; mode=block
content-location: https://www.googleapis.com/auth/analytics.readonly?ids=ga:12660456&start-date=2012-01-01&end-date=2012-02-02&metrics=ga:visits
x-content-type-options: nosniff
x-google-cache-control: remote-fetch
expires: Mon, 21 May 2012 19:52:57 GMT
server: GSE
via: HTTP/1.1 GWA
cache-control: private, max-age=0
date: Mon, 21 May 2012 19:52:57 GMT
x-frame-options: SAMEORIGIN
content-type: text/plain
-content-encoding: gzip
analytics.readonly
Can anyone please help?
Regards,
OAuth isn't performed by requesting the auth scope URL, like you seem to be doing. The only reason the Google's auth scopes are URLs at all are (AFAIK) so that they can be guaranteed to be globally unique.
More details about how to do OAuth 2.0 with Google here: https://developers.google.com/accounts/docs/OAuth2
I tried to login to Facebook with cURL, but then I got this error:
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: datr=_KpbTjHjH8CWs_EOFbCp4H5r; expires=Wed, 28-Aug-2013 15:06:36 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=Mh7wl; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Flogin.php%3Flogin_attempt%3D1; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php%3Flogin_attempt%3D1; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.33.22.124
X-Cnection: close
Content-Length: 24058
Date: Mon, 29 Aug 2011 15:06:36 GMT
What's wrong?
It might be because you're not allowed to crawl the website nor access it with a robot. They have an API that can be accessed via cURL.
Using Chrome DevTools in your web-browser (also in Firefox, Opera and other), you can browse all pages and media files in Application tab. To convert it into curl command, go to Network tab (refresh page if necessary or tick Preserve log), find the page of your interest (list can be filtered by Img), right click on the request, then select Copy as cURL. Inspect the content in your clipboard or just paste the command to the terminal.
To convert from curl format to wget, do the following conversions:
remove --compress parameter,
change -H to --header in all places.
Then run the command.
Doing that, please consider Facebook's Automated Data Collection Terms.
If you're interested in a backup of all your data, check: Accessing & Downloading Your Information.
Related:
How to download files from Facebook group?
How to download Facebook page?
wget for fetching Facebook profile/friend pages
How do I use wget/curl to download from a site I am logged into?
How to download this webpage with Wget?
Using wget to download images in facebook conversations