I have followed the blog http://blogs.msdn.com/b/exchangedev/archive/2015/01/22/building-demon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow.aspx to create a daemon application . I am able to get the app only token for the domain in which i have registered the application . But when I try to get for other organizations it throws an error
"
{"error":"invalid_client","error_description":"AADSTS70002: Error validating cre
dentials. AADSTS50012: Client assertion audience claim does not match Realm issu
er.\r\nTrace ID: 09e025f5-7db9-46c3-9df9-574c6820a011\r\nCorrelation ID: f4d0fa5
7-ee8c-4443-b28b-d372d945f81f\r\nTimestamp: 2015-05-04 13:51:51Z","error_codes":
[70002,50012],"timestamp":"2015-05-04 13:51:51Z","trace_id":"09e025f5-7db9-46c3-
9df9-574c6820a011","correlation_id":"f4d0fa57-ee8c-4443-b28b-d372d945f81f","subm
it_url":null,"context":null}"
But i have configured the application to be multi tenant .
this is the request i make
request https://login.windows.net/<tenantId>/oauth2/to
ken
grant_type=client_credentials
redirect_uri=http://localhost.com:9000
resource=https://outlook.office365.com/
client_assertion_type =urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion="eyJhbGciOiJSUzI1NiIsIng1dCI6IjZlLzEra01scHhuTHArZFJ4d1BqS21EdmZCQT0ifQ.eyJhdWQiOiJodHRwczovL2xvZ2luLndpbmRvd3MubmV0L2ZmNjQxNTFmLTIwM2EtNGM0MC1hZDcxLTExOTE2YjY2Yzg3My9vYXV0aDIvdG9rZW4iLCJleHAiOjE0MzEwMDYzMDMsImlzcyI6ImFkMTkzY2I1LWU2NmUtNDdmNS1iMTc4LTQxM2NlODA3ZDg2YiIsImp0aSI6IjMyMDZiYWI5LTVmYmUtNDA3ZS02OWY2LTJlNGRjNDQ3NzQxYSIsIm5iZiI6MTQzMTAxMTMwMywic3ViIjoiYWQxOTNjYjUtZTY2ZS00N2Y1LWIxNzgtNDEzY2U4MDdkODZiIn0.eEOlhsl-vbdzIiV3AfGFOH187Yb8zpGSGm6RbMhDX4NRJbwOWjJr3eFK3rGXSkl1vhSfJ_oFc69pB1AGfUK8u_SWRl7U3GgH3EJryE-FiVluCQ-ONZ3Qj1u6VggXgTodi0bdvhQF4WlwazXmJGbpeVRUZBm2rlTcd8JtQY96sOu1CRDpZJOFnHzjqleVdrnw8_pNVUafwlnaosRT9tOIgiK9apjN_KY5JMM1QTYKhKk5ZApjmr8agTZpObdz-_Y9znjaSxQcYkFnQeCGc-qwISzH1OqG_7JbCDq6Dp1-oBU5sJneJaF6IxX8-sWyaju3ntMWQyINeuHnRCoPrlp2tg"
this is the assertion i create
token.Header["alg"] = "RS256"
token.Header["x5t"] = "thumbprint of certificate "
token.Claims["aud"] = "https://login.windows.net/" + TenantId + "/oauth2/token"
token.Claims["exp"] = time.Now().Add(time.Hour * 72).Unix()
token.Claims["iss"] = client_id
token.Claims["jti"] = some guid
token.Claims["nbf"] = (time.Now().Add(time.Hour * 72).Unix()) + 5000
token.Claims["sub"] = client_id
please let me what to be done so that i can get the access token for other organiztion's domain .
Thanks in advance
Related
I'm building an oauth2 client with Flask and Authlib. My code to register the oauth is:
google = oauth.register(
name='google',
client_id='',
client_secret="",
access_token_url="https://accounts.google.com/o/oauth2/token",
access_token_params=None,
authorize_url="https://accounts.google.com/o/oauth2/auth",
authorize_params=None,
api_base_url="https://www.googleapis.com/oauth2/v1/",
client_kwargs={'scope': 'openid email'},
server_metadata_url="https://accounts.google.com/.well-known/openid-configuration",
)
And my /authorize endpoint looks like this:
#app.route('/authorize')
def authorize():
google = oauth.create_client('google')
token = google.authorize_access_token()
resp = google.get('userinfo')
resp.raise_for_status()
userinfo = resp.json()
return str(userinfo)
But I am getting the error
authlib.jose.errors.InvalidClaimError: invalid_claim: Invalid claim "iss"
I had this issue and removing the openid value from scope fixed it. I guess my google config didn't accomodate it,
I'm trying to create a shiny app which links to my dropbox using the package rdrop2.
I have successfully managed to deploy the app and it runs as planned for around 4 hours. However, I need long lasting offline access. Dropbox help pages say that I'll need a 'refresh token'.
Currently to get my token I am using:
library(rdrop2)
token <- drop_auth() # gets credentials
saveRDS(token, "droptoken.rds") # saves credentials
token<-readRDS("droptoken.rds") # read in credentials
drop_auth(new_user = FALSE,
cache = TRUE,
rdstoken = "droptoken.rds")
ui <- # some UI code
server <- function(input, output,session) {
# some server code
}
shinyApp(ui = ui, server = server)
This creates a token that has a 'sl.' access token (short lived) which expires_in 14400, which is 4 hours. After 4 hours, the app no longer works due to an 'Unathorised HTTP 401' error.
Could anyone provide me help on how to adapt this code to obtain a refresh token?
NB: dropbox no longer allow tokens with no expiry (as of September 2021) so I need to go down the refresh token route.
I don't know if you still need help but I was recently tasked to address this issue in my internship program and managed to find a solution.
Currently, rdrop2's drop_auth() function will generate a token with these credentials: <credentials> access_token, token_type, expires_in, uid, account_id. Since access tokens last only 4 hours now, we will need a refresh token as a part of our credentials so that we may get a new access token every time it expires.
To generate a token object with a refresh token, we will need to modify the authorization endpoint inside the drop_auth() function. This will look something like this:
library(rdrop2)
.dstate <- new.env(parent = emptyenv())
drop_auth_RT <- function (new_user = FALSE, key = "mmhfsybffdom42w", secret = "l8zeqqqgm1ne5z0", cache = TRUE, rdstoken = NA)
{
if (new_user == FALSE & !is.na(rdstoken)) {
if (file.exists(rdstoken)) {
.dstate$token <- readRDS(rdstoken)
}
else {
stop("token file not found")
}
}
else {
if (new_user && file.exists(".httr-oauth")) {
message("Removing old credentials...")
file.remove(".httr-oauth")
}
dropbox <- httr::oauth_endpoint(authorize = "https://www.dropbox.com/oauth2/authorize?token_access_type=offline",
access = "https://api.dropbox.com/oauth2/token")
# added "?token_access_type=offline" to the "authorize" parameter so that it can return an access token as well as a refresh token
dropbox_app <- httr::oauth_app("dropbox", key, secret)
dropbox_token <- httr::oauth2.0_token(dropbox, dropbox_app,
cache = cache)
if (!inherits(dropbox_token, "Token2.0")) {
stop("something went wrong, try again")
}
.dstate$token <- dropbox_token
}
}
refreshable_token <- drop_auth_RT()
This will generate a token with these credentials: <credentials> access_token, token_type, expires_in, refresh_token, uid, account_id. The new token will now have a refresh token that the HTTP API can use to automatically refresh the access token.
It is very important that you specify the new token when calling rdrop2 functions, otherwise it will not work. Example:
> drop_dir()
Error in drop_list_folder(path, recursive, include_media_info, include_deleted, :
Unauthorized (HTTP 401).
> drop_dir(dtoken = refreshable_token)
# A tibble: 4 x 11
.tag name path_lower path_display id client_modified server_modified rev size
<chr> <chr> <chr> <chr> <chr> <chr> <chr> <chr> <int>
1 folder Screensh~ /screensh~ /Screenshots id:_~ NA NA NA NA
Hope this helps!
I am facing this issue connecting with Facebook's API using httr package, while testing on 'me' node I came along the following problem.
I was under the impression that me node does not require special permissions.
Testing on the browser with 'https://graph.facebook.com/me' gave the same results, it would be great if some one could provide an explanation.
# Define keys
app_id = 'my_app_id'
app_secret = 'my_app_secret'
# Define the app
fb_app <- oauth_app(appname = "facebook",
key = app_id,
secret = app_secret)
# Get OAuth user access token
fb_token <- oauth2.0_token(oauth_endpoints("facebook"),
fb_app,
scope = 'public_profile',
type = "application/x-www-form-urlencoded",
cache = TRUE)
response <- GET("https://graph.facebook.com",
path = "/me",
config = config(token = fb_token))
# Show content returned
content(response)
$error
$error$message
[1] "An active access token must be used to query information about the current user."
$error$type
[1] "OAuthException"
$error$code
[1] 2500
$error$fbtrace_id
[1] "ARRnb93rZHmWLlXK_MMJlfi"
Noting that I have signed in using the app.
is anyone ever tried this module NET::PayPal
because i tried it and i was getting this error
Authorization failed : 401 Unauthorized, {"error":"invalid_client","error_description":"Client Authentication failed"}
and am using valid client id and secret id
use Net::PayPal;
$client_id = 'asdasdasdasdsadasdasd';
$client_secret = 'sadasdasdsadasdsad';
my $p = Net::PayPal->new($client_id, $client_secret);
my $payment = $p->get_payment( 'PAY-9D023728F47376036KE5OTKY' );
According to the documentation, Net::PayPal always starts out in sandbox mode. You have to switch it to live mode in order to use your production credentials.
Net::PayPal->live( 1 );
my $pp = Net::PayPal->new($client_id, $secret);
How can pass username password as attributes in SAML Request as shown in the code below. I'm using lastpass-saml-sdk.jar to communicate with the GLUU IDP server.
SAMLInit.initialize();
String dir = Constants.METADATA_LOCATION;
if (dir == null)
throw new SAMLException("Unable to locate SAML metadata");
IdPConfig idpConfig = new IdPConfig(new File(dir + "\\gluu-idp-metadata.xml"));
SPConfig spConfig = new SPConfig(new File(dir + "\\sp-meta.xml"));
SAMLClient client= new SAMLClient(spConfig, idpConfig);
// when a login link is clicked, create auth request and
// redirect to the IdP
String requestId = SAMLUtils.generateRequestId();
String authrequest = client.generateAuthnRequest(requestId);
String url = client.getIdPConfig().getLoginUrl() +
"?SAMLRequest=" + URLEncoder.encode(authrequest, "UTF-8");
// redirect to url...
response.sendRedirect(url);
You do not pass username and passord directly to the Identity Provider. After you have redirected the user, the user himself will enter username and password at the IDP.
Here is one of my blog posts describing the flow in SAML Web rowser profile.