I have an application that can do POST and GET requests if I pass them as a String.
I'm trying to hit some Google APIs and am getting stuck trying to make the refresh_token POST request.
The format that google wants is:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
client_id={client_id}&
client_secret={client_secret}&
refresh_token=1/6BMfW9j53gdGImsiyUH5kU5RsR4zwI9lUVX-tqf8JXQ&
grant_type=refresh_token
My question is can I make this POST request as a string if the client_id, client_secret, refresh_token are URLencoded?
Like this:
https://accounts.google.com/o/oauth2/token?client_id={client_id}&client_secret={secret}&refresh_token=1%26BMfW9j53gdGImsiyUH5kU5RsR4zwI9lUVX-tqf8JXQ&grant_type=refresh_token
Related
I need to get an OAuth token using a simple POST request.
In Postman, we configure OAuth tokens via the following configuration:
When I click "Get New Access Token", postman makes a request against the Access Token URL.
How does one see what that request looks like? Are these parameters (client id, client secret, etc.) placed in a POST body? What are the headers? I'd like to see the request structure in plain text.
Essentially I need to emulate this request in a script, where I have to include the credentials in the body itself, where the body would look something like this:
{
"Access_Token_URL":"myURL",
"Client_ID":"myClientId",
"Client_Secret":"myClientSecret",
"Scope":"myScope"
}
That request follows the OAuth 2.0 specification, using the client_credentials grant, and it will use an Authorization Basic header to authenticate the client; so its body will look like this:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic bXlDbGllbnRJZDpteUNsaWVudFNlY3JldA
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&scope=MyScope
Where bXlDbGllbnRJZDpteUNsaWVudFNlY3JldA is the Base64-encoded value of myClientId:myClientSecret.
Note that the Content-Type is application/x-www-form-urlencoded.
Also note that what Postman calls the Access Token URL is actually named Token Endpoint in the OAuth 2.0 terminology.
trying to understand more about RestFul calls. I understand the format, but what I want to know is how the call is actually sent. For example, if I were to setup Fiddler on my client, and I were to make a RestFul call to http:/thisplace.com/rws with Method = POST and Body = Login HTTP/1.1
Host: client.mydomain.com
Accept: application/xml
Content-type: application/xml
What exactly do I see being sent out from the client on fiddler? Is the information coded inside the URL?
Wondering if RestFul calls can be sent without a third-party tool such as PostMan.
RestFul services use standard HTTP methods (GET, POST, PUT, DELETE, etc). The parameters in a HTTP POST request are sent in the request body which appears after the headers. The information/parameters are not encoded in the URL in a POST request.
The format that the parameters are sent depends on the Content-Type of the request.
In your example you specify content-type: application/xml which means you'd need to provide xml in the request body. In fiddler an HTTP POST to http://thisplace.com/rws might look something like this (for application/xml):
POST http://thisplace.com/rws HTTP/1.1
Content-Type: application/xml
Accept: application/xml
Host: thisplace.com
content-length: 64
<myData>
<value>hello</value>
<value2>world</value2>
</myData>
The request body is below the headers and is the after the blank line where you see the xml.
If you specified application/json the parameters would be encoded as json, and the request body might look like:
{
"value1": "hello",
"value2": "world"
}
For content type application/x-www-form-urlencoded the parameters would be in the same format as a query string and the request body might look like:
value1=hello&value2=world
Yes, RestFul calls can be made without postman but you haven't specified which language/technology you're using or how you'd like to send the requests.
I am using Postman Tool and Insomnia(Hurl.eu) Tool to make a Particular webRequest.
I get the Response 200 from Insomnia but i am getting 403 Forbidden error from Postman.Here are the Preview messages from both
Postman:
POST /ccadmin/v1/login HTTP/1.1
Host: ccadmin-test-XXXX.oracleoutsourcing.com:443
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.NlCxWPgJAizSO60YeIBQRjgrYlgUhywr8vmnIca69A=ehkZS1iMzUyLWZkNmE1ODM1ZDM3NSIsImlzcyI6ImFwcGxpY2F0aW9uQXV0aCIsImlyJleHAiOjE1MDU4MzQ5NjIsInN1YiI6ImRiZTYwMGFkLWQwNjYtNDhdCI6MTQ3NDI5ODk2Mn0=.
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
Insomnia(Hurl):
POST /ccadmin/v1/login HTTP/1.1
Host: ccadmin-test-XXXX.oracleoutsourcing.com:443
Accept: */*
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.NlCxWPgJAizSO60YeIBQRjgrYlgUhywr8vmnIca69A=ehkZS1iMzUyLWZkNmE1ODM1ZDM3NSIsImlzcyI6ImFwcGxpY2F0aW9uQXV0aCIsImlyJleHAiOjE1MDU4MzQ5NjIsInN1YiI6ImRiZTYwMGFkLWQwNjYtNDhdCI6MTQ3NDI5ODk2Mn0=.
Content-Length: 29
Both request looks similar ,but i am getting 2 different responses.
I also disabled Postman Settings->
i)Send Postman Token Header
ii)Send no-Cache Header
I hope this will help you.
I have found that sometimes Postman behaves a bit weird when you are using Bearer Authorization, this since they made an update to the app and added the "Authorization" tab.
This has happened to me more than ones, specially on pre existing collection.
Let's give it a shot.
Delete the Authentication key on your header, I can see you wrote that one manually. And lets Postman handle that.
Open the Authorization tab, select the Bearer token type from the dropdown, add your token on the window in the left side.
Click on Preview Request.
Now you should be able to see the token on the headers "greyed out"
Open the console, this will help you checking the request and maybe you will find an adicional error.
On the console you can check the raw request and response, it helps.
Also you should try making a request from your machine using CURL ‘yes you can usit on windows and mac’, this way you can discard that you have a closed port.
Good luck
I am testing Facebook Graph API v2.3 with Postman.
While it is possible to get response by putting access token in query string as follow:
https://graph.facebook.com/v2.3/me?access_token=my_access_token
I am wondering whether it's possible to do the same thing with HTTP request headers, which would be something like this:
GET /v2.3/me HTTP/1.1
Host: graph.facebook.com
Authorization: <my_access_token>
Cache-Control: no-cache
Postman-Token: <postman_token>
Based on this similar question (i.e. How should a client pass a facebook access token to the server?) on Stackoverflow, it seems that this should be possible.
Any thoughts on this?
Edit:
What raised my interest is that, when I used the API Graph Explorer provided by Facebook Developers, it seems that there's no query string in that sandbox either. How does that work?
Facebook API Graph Explorer DO use query string for access token. Thanks to #CBroe's response.
Yes it is possible
Authorization: Bearer AccessTokenHere
e.g.
curl --header "Authorization: Bearer CAAC...ZD" https://graph.facebook.com/me
This answer previously recommended using "OAuth" instead of "Bearer" as the token type. Both will work, but "Bearer" is the type that shows up in the standard. Also, on completing Facebook's OAuth flow, the token_type in their response is bearer. So all in all "Bearer" makes more sense.
When calling GET /api/token for login, where to put the username and password?
URL parameters or header?
I'm confused, because I read, the token should go into a header, when I request some other data later.
(I'm writing an API myself, I'm not using someone elses)
Login should be a POST request (you create a token). That way you could send the username and password in the body of the request.
POST /app/token HTTP/1.1
username=example&password=example
If credentials are correct, the request could return the token in the body.
HTTP/1.1 201 Created
Content-Type: application/json
{
"token": "example"
}
You can then store this token on the client side (for example in local storage) and send it in the header for subsequent requests.