I have a server application that receives a user access token from the client and generates an appsecret_proof. I would like to make a graph API call in order to verify that the received access token is valid:
curl \
-F 'access_token=<my access token>' \
-F 'appsecret_proof=<my appsecret_proof>' \
https://graph.facebook.com/me
However, when I omit the appsecret_proof field the request is still verified. In both cases the response is:
{"success":true}
If I intentionally pass an invalid appsecre_proof it works as expected:
{"error":{"message":"Invalid appsecret_proof provided in the API argument","type":"GraphMethodException","code":100}}
I have made the neccessary changes in the Advanced settings:
According to the Facebook documentation: "When this is enabled, we will only allow API calls that either include appsecret_proof or are made from the same device the token was issued to."
"Once you've changed that setting, an attacker will not be able to use stolen access tokens without access to your app secret."
What am I missing here?
appsecret_proof is not same as the APP SECRET KEY.
Based on FB documentation, this is how it needs to be obtained:
go to http://www.freeformatter.com/hmac-generator.html#ad-output
in the message area, put the access token
in the secret key, put the APP secret key
Choose SHA256 as the digest algorithm
Generate the HMAC
You can use this generated HMAC as the my appsecret_proof in (for example):-
curl \
-F 'access_token=<my access token>' \
-F 'appsecret_proof=<my appsecret_proof>' \
-F 'batch=[{"method":"GET", "relative_url":"me"},{"method":"GET", "relative_url":"me/friends"}]'
https://graph.facebook.com/me
Omitting the appsecret_proof field might help but in certain regions, FB API demands for it and this is how you need to provide it
Related
I'm making a request to WSO2-AM to get the OAuth Token to access the api published in the API Manager on behalf of the user. Everything is working with the big string returned in access_token but I'd like to use the short one version, probably encoded.
Request:
curl -X POST -H 'Content-Type:application/x-www-form-urlencoded' -u
<consumer-key>:<consumer-secret> -k -d
'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<id_token>'
https://<apim>:8243/token
Response:
{"access_token":"eyJ4NXQiOiJNell4TW1Ga09HWXdNV0kwWldObU5EY3hOR1l3WW1NNFpUQTNNV0kyTkRBe
lpHUXpOR00wWkdSbE5qSmtPREZrWkRSaU9URmtNV0ZoTXpVMlpHVmxOZyIsImtpZCI6Ik16WXhNbUZrT0dZd01XSTBaV05
tTkRjeE5HWXd....bZ-CD_r-2qkypeER7f8QMrLpozRipgHeCkpIKXx5PzSM6zBq5VjMW4EXSRg7LSu0JAJfD2UD6H4bqAiZPNiGy9vTLXc
Zr4g8WNzfKkr...
-hiAOt4SauSZxB1WWCFEZ0xyHVhbx7nAFzBVzfssF0DOYGXkc9hRJZGbG8VfiXb6PWtSfEjqJTSSY_aZWXw",
"refresh_token":"d3062fa0-1132-3532-b1b2-83c3c66136ff","token_type":"Bearer","expires_in":3600}
Expected:
{"access_token":"400f2a54-53d8-3146-88e3-be1bf5e7450d",
"refresh_token":"c2656286-449f-369f-9793 2cee9132de9f",
"scope":"default","token_type":"Bearer","expires_in":3600}
What I'm doing wrong that is not returning the short one?
I assume, that the expected by you access_token is the Opaque(Reference) Access Token, described in this WSO2 API Manager 3.1.0 documentation: Secure APIs using OAuth2 Opaque(Reference) Access Tokens.
But, according to the Release notes, from WSO2 API Manager 3.2.0, they removed this type of access token:
Out-of-the-box support to generate an opaque access token via the Developer Portal has been removed. Application Developers can create applications that only generate a JWT type access tokens.
So, the big string, you get is nothing more, like this JWT token, described here in documentation: JWT (Self Contained) Access Tokens, which you can decode on jwt.io site.
You can decode your long JWT from https://jwt.io/ and get the JTI value of it as the short one which will look similar to 400f2a54-53d8-3146-88e3-be1bf5e7450d.
Refer to the example shown below.
.
As you were referring to the short token. It is the opaque token and APIM 3.2.0 It is not shown while you creating the Application. You can get the default Token (opaque) By the WSO2 carbon management console.
Change Token Issuer to Default from JWT in ISP list for particular Application that you need to use.
enter image description here
Where I am generating opaque (Short) Token in APIM 4.0.0
enter image description here
I trying to use GCS "User Credentials" to connect to Google cloud storage using libcurl library.
"User Credentials" authentication needs Client Id & Secret key to connect to GCS, but in this process Authentication Code also needs to be generated.
I need to generate this Authentication code using cURL.
Can anyone help me ??
The Client ID you mentioned is the same as the Authentication ID and can only be generated from either the Cloud Console's Credentials Page or via the OAuth 2.0 Playground.
If you are trying to generate an Access Token (OAUTH2_TOKEN), you will need to complete an authentication flow to authorize requests as a user. Cloud Storage uses OAuth 2.0 for API authentication and authorization.
Here's what you need to do to get an authorization access token from the OAuth 2.0 Playground:
Select & authorize APIs (Cloud Storage)
Select the scope for the APIs you would like to access or input your own OAuth scopes, e.g.: https://www.googleapis.com/auth/devstorage.read_write
Then click the "Authorize APIs" button
Once you've got the Authorization Code click the "Exchange authorization code for tokens" button, you will get a refresh and an access token which is required to access OAuth protected resources.
Grab the Access Token to use in your cURL command
Then configure your request to Cloud Storage API by constructing your HTTP request like so (upload):
curl -X POST --data-binary #[OBJECT_LOCATION] \
-H "Authorization: Bearer [OAUTH2_TOKEN]" \
-H "Content-Type: [OBJECT_CONTENT_TYPE]" \
"https://www.googleapis.com/upload/storage/v1/b/[BUCKET_NAME]/o?uploadType=media&name=[OBJECT_NAME]"
You can have a look at this Cloud Storage upload example in our public docs to guide you with constructing a request and testing it out.
Hope this helps.
I am trying to get a secret out of Azure Key Vault. It is a very simple Restful API call. For example for all key, it is as simple as this:
GET {vaultBaseUrl}/secrets?api-version=7.0
where vaultBaseUrl is provided in Azure Console as Vault DNS name.
I am using console mode for testing
https://learn.microsoft.com/en-us/rest/api/keyvault/getsecrets/getsecrets#code-try-0
But the return value if always 404.
When I try curl in the Azure console, it gives 401 - Unauthorized.
However I can use the command line to get the secret out.
Is there any secret to making the restful call and curl work to get the secret out? All these situations use the same credentials.
A side questions is, that on the micorosft api testing page there is a 'Request Preview' section with a green Run button, almost as if it is inviting you to run the api, but the link is to learn.microsoft.com and the copy button on the box is disabled. I have never seen so many problems in one place, so I am thinking may be I don't understand something here.
The doc seems not to be correct. If you want to get the secret, you could use the Client credentials flow to get the access token and use it to get the secret.
Follow the steps as below.
1.Register an app in the Azure Active Directory, see this link. Get the application id and key, see this link. Add the service principal in the Access policies in your keyvault with the correct secret permission(just search the name of your AD App then add it).
2.In the postman, send a request to the url
POST https://login.microsoftonline.com/{your tenant id}/oauth2/token?api-version=1.0
Request body and complete sample(client_id and client_secret are the application id and key in step 1):
3.Copy the access_token in step 2, then use it as an Authorization token to call the api:
GET https://yourkeyvault.vault.azure.net/secrets?api-version=7.0
Besides, if you want to use CURL to get the secret, try the one like below. The TOKEN is the same with the access_token in step 2 above.
curl -X GET -H "Authorization: Bearer [TOKEN]" https://yourkeyvault.vault.azure.net/secrets?api-version=7.0
For more details about getting access_token via curl and complete steps, you could refer to this link. Don't forget to change the resource to https://vault.azure.net in the Request the Access Token step.
Pass Bearer token.There will be an Url to generate a token and pass it to authentication then u will donot get the error.
I added a custom OIDC Identity Provider to my realm and i want to use the Direct Access Grants flow (or grant_type=password) but this doesn't work.
Is it possible with Keycloak?
When try with Authorization Code flow every thing works fine but with
grant_type=password the error
{
"error":"invalid_grant",
"error_description":"Invalid user credentials"
}
is returned.
I'm trying to get the access token e the refresh token doing the following request:
$ curl -X POST 'http://localhost:8080/auth/realms/master/protocol/openid-connect/token'
-H 'content-type: application/x-www-form-urlencoded'
-d 'grant_type=password'
-d 'client_id=test-client'
-d 'client_secret=834a546f-2114-4b50-9af6-697adc06707b'
-d 'username=user' // valid user in custom Identity Provider
-d 'password=password' // password in custom Identity Provider
And this is the Identity Provider configuration:
this is the Identity Provider configuration
Please have a look below curl command
curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' -i 'https://135.250.138.93:8666/auth/realms/<Realm-Name>/protocol/openid-connect/token' --data 'username=<userName>&password=<Password>&client_id=<Client-ID>&grant_type=password&client_secret=7df18c0d-d4c7-47b1-b959-af972684dab0'
In above command you have to provide these details
Realm-Name - Realm name against which you want token
userName - You should have a user which can access the above realm
Password - Password for above user
Client-ID - Client Name(Generally its a String Value) under the
Client-Secret - Client secret of above client which you can find [Realm->Client List->Select the client->Credential tab]
I was also stuck with this issue as well. In the beginning I also suspected that it looked like a bug. However, the turning point is that I tried with the master realm and the client_id=admin-cli with my admin user. I can retrieve the token with grand_type=password. It's just failed for my own realm and client_id like reported here.
I figured out my issue is that the user I used wasn't activated after I tried to login into my realm's console(eg: http://localhost:18080/auth/realms/quarkus-workshop-labs/account/). I need to reset my password, so it can be finally activated. Then the password grant_type just starts to work.
(note that by default, your new created user needs to reset password before it can use.)
Keycloak doing below validations before the DirectGrant auth flow.
username
password
otp (if configured)
if the user is enabled
if the user is locked due to brute force direction (only if it's enable)
You can customize this in Authentication -> Flows and select Direct grant flow.
For example you can disable Direct Grant - Conditional OTP to genarate token without checking otp.
Yes it is possible.
You need to enable/Grant Direct access in Keycloak settings for the particular client.
You need to set a client with test-client and the user should be available in the realm. Though cannot get what you wanna achieve with this 🧐
I got exactly same scenario it looks like a bug to me. I had to unlink the account from IDP, set the password and remove pending user actions. It is not a solution but in my case was ok as I needed only test user account for API tests and don't have that scenario on production.
I was able to use DAG if I set the (automatically provisioned) user's password in Keycloak to something and with that password I was able to get the token from the external iDP. I used this to investigate an Okta token. Hope this helps.
I think this is actually the right answer: answer.
To summarize: You can't do exactly what you requested, because Keycloak is not storing the password in DB, so password grant type flow is not valid for this user.
The alternative is to use Token Exchange feature that allows you to login to OIDC directly and use it's access token to retrieve keycloak access token.
There is an example code in the linked answer.
Okay.. i got the offline access session key
Can some please tell me how can i update my FB status using the offline access session key i have ?
Looked in the Graph API and PHP SDK but nothing helps
I assume when you say 'offline access session key' you mean the oauth access token.
Take a look at the 'Publishing to Facebook' section here: http://developers.facebook.com/docs/api#publishing
There is even a short example using curl:
curl -F 'access_token=...' \
-F 'body=Hello, Arjun. I like this new API.' \
https://graph.facebook.com/arjun/feed