I'm doing a Flutter app for iOS and Android, and I need to use authentification to access to the main content.
For that I used this pubdev package(aad_oauth), and it works very well. I need to get the token provided by Azure to send it to my API to authenticate my user.
I used this method :
var token = await oauth.getAccessToken();
But the token is considered invalid even by my API then by https://jwt.io/ with the error "invalid signature" but works in the Flutter app.
Here is a censored screen of jwt.io :
Did someone knows how to get a valid token to send it after ?
The invalid signature thrown by jwt.io is well known. You will need to manually obtain and set the Azure AD signing certificate content. Follow the steps detailed in USING JWT.IO TO VERIFY THE SIGNATURE OF A JWT TOKEN.
Regarding validation at the API, you may have to fine-tune its token validation routine. This varies depending on the platform or library used for such end. you can find samples for Microsoft backed libraries here.
For more information on recommended validation please take a look to Validate tokens.
I am unable to get token for my api using the set up as shown in the image. As you can see the hashed value does not have a '+'. The unhashed password is 'ecret'. That is not a typo. I have also tried RequirePkce to false. I have turned on logging for identity server but it has only limited information. There is a single message.
Client secret validation failed for client:api.client.
I have also seen SO entry here.
Finally I was able to figure out. The samples are behind the development. Documentation may be little more updated.
While searching for other authorization mechanisms, it occurred to me that HTTP had an authorization header as in the image.
I am using OKTA.
Looks like that i got an error when clicking on login button:
OAuthError: Could not acquire access token from authorization code.
My app is in LIVE. All the settings in app dashboard look correct, because I took a simple js sdk in index.html file and made it work. So Something happens on okta Size. I am using social/identity providers.
Anyone has ever used okta and reached this error?
Another hint is that their support somehow on their back-end admin panel checked and they also get another error message: "Cannot call API on behalf of this user"
I had the same issue, in my case the issue was because the security secret key didn't match with the one in the IDP database.
If you have generated manually the secrete key check that the key is created using ssh256 hash.
You can find how to generate a secrete key here
https://stackoverflow.com/a/44013730/4878365
I am playing around with IBM Cloud Functions (OpenWhisk) and trying to setup authentication through OAuth with Facebook as the provider. I have setup an app with Facebook, I am able to successfully connect with this and fetch my token and I am able to verify this by fetching basic profile information (name and userID).
My problems starts when I enable OAuth in the IBM Cloud Functions API. I get a HTTP code 500 back from the call with very little information about what actually went wrong.
{"code":500, "message":"Oops. Something went wrong. Check your URI and try again."}
The only thing that is stated in the dashboard is:
You can control access to your API through the OAuth 2.0 standard. First require an end user to log in via IBM Cloud App ID, Facebook, GitHub, or Google. Then include the corresponding OAuth token in the Authorization header of each API request. The authenticity of the token will be validated with the specified token provider. If the token is invalid, the request will be rejected and response code 401 will be returned.
With this information I got that I need pass the token with the Authorization header. My best guess is that the call fails somewhere when the token is being validated.
I am using Vue and Vue-axios to perform the API call. My current call looks like this:
this.$http.get(API_URL+"?user_id="+localStorage.user_id,{headers :{'authorization':localStorage.token}}).then((response) => {
console.log(response);
});
I have tried adding bearer/Bearer or token/Token in front of the token (some posts I read indicated that you should do this), but this had no impact on the response.
If I disable the OAuth authentication from the Cloud Functions side, the code above works and correctly retrieves the data (with or without the header option).
From the Chrome Dev tools it looks to me like the token is added correctly to the request, since the request headers have the Authorization header with the token.
I am not that familiar with OAuth or IBM Cloud Functions, so the problem might have a very easy fix. However, I am unable to find documentation which clearly shows me how I am supposed set this up. I am also unable to find any logs or more information about what actually fails here. Am I missing something obvious here?
Kjetil
Instead of using any Facebook SDK, I'm using HTTP Requests.
Here is the URL I'm using to log the user into my application: (Not Real ID or URL)
https://www.facebook.com/dialog/oauth?
client_id=6545941f68498461
&redirect_uri=https://script.google.com/macros/s/hcz-IRoJhm/exec?
&response_type=token
&scope=publish_stream
The documentation is HERE. Official Facebook Login
After the user signs in with Facebook, my website loads with an access token appended to URL. I request a response_type=token so I get a token, not a code or both a code and a token.
According to the Facebook documentation, Confirming Identity
Because this redirect flow involves browsers being redirected to URLs
in your app from the Login dialog, traffic could directly access this
URL with made-up fragments or parameters. If your app assumed these
were valid parameters, the made-up data would be used by your app for
potentially malicious purposes. As a result, your app should confirm
that the person using the app is the same person that you have
response data for before generating an access token for them.
Confirming identity is accomplished in different ways depending on the
response_type received above:
And because I am receiving a token this quote from Facebook documentation should apply to me:
When token is received, it needs to be verified. You should make an
API call to an inspection endpoint that will indicate who the token
was generated for and by which app. You can do this from the client or
from the server, depending on your use case.
For this particular situation, there is a section titled, Inspecting Access Tokens:
Here is the quote from the Facebook documentation:
Whether or not your app uses code or token as your response_type from
the Login dialog, at this point it will have received an access token.
However, for the same security reasons as above, you should perform an
automated check to confirm that the token belongs the person that your
app is expecting it to belong to, and that it was your app that
generated the token.
We provide the following Graph API endpoint that can be used to inspect access tokens:
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app-token-or-admin-token}
So, I have parsed the access token from the end of the URL, and then made another GET Request from the server as configured in the example for the inspection, and I can not get it to work. I have tried using a generated app token and I have tried using my App ID plus my App Secret, and nothing works. I get an error message:
Execution failed: Invalid argument:
If I use the Facebook Debugger
And paste in the token that was returned from the login, it works fine. I get information back. So the token I'm getting back is valid.
I'm using the exact syntax for inspecting the Access Token, and I've checked every character many times for spelling or syntax errors. There must be something else causing the request to be rejected. For test purposes, I am sending the HTTP GET Request from a different URL, but because tokens are portable, Facebook allows requests from different places, for example, from a server.
Why is my request failing?
I'm wondering if there is something about the Apps Script UrlFetch service that is causing the error. The token I get back is valid. In the online debugger, the token is fine. I keep getting an invalid argument error. GET requests don't have a payload, so trying to use the payload, so trying to use that parameter wouldn't help me.
I muted the HTTPExceptions, and got a response back:
{"error":{"message":"Unsupported get request.","type":"GraphMethodException","code":100}}
In Facebooks Receiving Error Codes table, there is no code 100.
I set the "escaping" : false thinking maybe there might be a character that shouldn't be escaped that was being escaped, but that did nothing.
Maybe there is something in the URL that fetch doesn't like. Maybe I need to manually escape something.
Okay, I have figured something out. Google Apps Script UrlFetchApp.fetch(getAppTknURL, optnAppTkn); does not like the " | " character. If I use that character, I get a Execution failed: Invalid argument: error, which has nothing to do with the HTTP request.
So, using the App ID and App Secret as the access_token, divided by the " | " character will produce an error. And, the App Access token also uses that character to divide the app ID and the App Token. So maybe I can figure out what the escape characters are for that " | " character.
I found the problem. Facebook configures the App Token with a divider after the app ID.
AppID|AppToken
The " | " character is the divider. That character has an escape code of %7C. In my case, the | character needed to be escaped in the URL. As soon as I did that, I started getting responses back from Facebooks server.