I am currently working on a blackberry app that needs to connect to facebook chat. I am attempting to use the XMPP/Jabber interface. I can get the challenge from the server, however when I send my response I get a "not authorized" failure. My response is structured in this way:
api_key=[my api key]&call_id=[time in millis]&method=auth.xmpp_login&nonce=[nonce from challenge]&session_key=[explained below]&v=1.0&sig=[calculated as shown below]
For the session key, I send the user a browserfield to Facebook's site. It returns an access token in the form AAA...|BBB...|CCC... where BBB... is the session key
The sig is calculated by taking the following string, md5ing it, and then converting the bytes to a hexadecimal string:
api_key=[my api key]call_id=[time in millis]method=auth.xmpp_loginnonce=[nonce from challenge]session_key=[explained above]v=1.0[secret key appended here]
from there I base64 encode the response, and send:
<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>[Base64EncodedResponse]</response>
Facebook's response is consistently a not-authorized error, with no adidtional explanation. Is there something that is missing or something? Thanks for the help.
I was able to figure it out. The problem was, it wants the session secret, not the app secret. So the secret key appended at the end of the signature is obtained from calling auth.promoteSession, not from the App Secret on the website.
Related
I'm working on my first DocuSign web service consumer, in the development environment. At this point, I'm just trying to duplicate the token request procedure on DocuSign's how-to page: https://developers.docusign.com/platform/auth/jwt/jwt-get-token/
I'm sticking as closely as possible to the process shown in their YouTube video. I have created an app with an integration key and an RSA key pair (generated by DocuSign). I obtained application consent as per step 1 of the how-to.
As per step 2 of the how-to page, I entered the following request in jwt.io:
Header: {"typ":"JWT","alg":"RS256"}
Payload: {"iss":"(integration key GUID)","sub":"(API username GUID)","iat":1619972504,"exp":1619975504,"aud":"account-d.docusign.com","scope":"signature"}
I pasted the public and private keys, including the starting and ending strings, into the appropriate fields, and jwt.io created and verified a signature.
As per step 3 and the YouTube video, in Postman, I created a POST request to https://account-d.docusign.com/oauth/token with
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
assertion=(encoded token copied from jwt.io)
No matter what I do, the web service always returns
{
"error": "invalid_grant",
"error_description": "unsupported_grant_type"
}
I've spent more time than I care to admit re-reading the how-to page, re-watching the YouTube video therein, and poring over my data for typos, etc.
Ideas, anyone? Thanks!
For part 2 you would also need the scope of "impersonation" for JWT.
I´m trying to connect via Linkedin Auth2 from a java web application:
Added my own app in linkedin.
Generate the authorization URL: https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=XXX&scope=r_basicprofile%20r_fullprofile%20r_emailaddress&state=DCEEFWF454Us5dffef424&redirect_uri=http://localhost:9090/springmvc/token.htm
Introduce my login/password for linkedin in the new popup.
Get back successful the request on the redirect_uri previus, and take the authorization code "code"
Generate the accessToken URL
Make a POST with: https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=YYY&redirect_uri=http://localhost:9090/SpringMVC/token.htm&client_id=XXX&client_secret=ZZZ
Get next error in response: {"error_description":"missing required parameters, includes an invalid parameter value, parameter more than once. : Unable to retrieve access token : appId or redirect uri does not match authorization code or authorization code expired","error":"invalid_request"}
I´ve verified url parameters are correct:
- "code" is the token receive on step 4.
"redirect_uri" is the same URL on step 2 and 4. I added this URL on section "OAuth 2.0 redirect URL" on my APP.
"client_id" and "client_secret" are the "Client API" and "Secret API" on my APP.
Time between first and second request is less than 20 seconds.
The value of your redirect_uri parameter must be URL-encoded, so at 6. do:
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=YYY&redirect_uri=http%3A%2F%2Flocalhost%3A9090%2FSpringMVC%2Ftoken.htm&client_id=XXX&client_secret=ZZZ
and it need not be sent as a POST but as a GET.
If You Are Sending a Request For Access Token it must be POST Request
Refer the OAuth Documentation
I actually Copied the Whole URL From My Eclipse Console To URL It is Still Valid
In Your Case The Problem is with URL Encoding As HanZ said .
You Have to Encode Your URL For Post Request.
I too got bugged with this issue for long time. Please keep few things in mind which I did and eventually sorted it out.
Hit the api to get authorization code by using get request.
The authorization code has a life span of about 20 seconds, so its difficult to manually copy the code from the url and make a request for token access. You should do it pro-grammatically.
Make a post request for getting access token.
Most Important: Old linkedin applications that I had created was not working and giving the above error. Create a new linkedin application and try. Doing this worked for me.
I assume that all the other parameters like client_id, secret, redirect_uri are correct.
please try and let us know.
Thanks.
When I try to access rest API using iPhone I have passed following parameter in URL and used both methods POST and GET but it displays Access Denied.
oauth_version="1.0",
oauth_signature_method="HMAC-SHA1",
oauth_nonce="B0dlzkfMWCAn0TJ",
oauth_timestamp="1366280813",
oauth_consumer_key="klkjylsiozbv6vfdsqtuheqo3kmqqzv2",
oauth_token="t9pefrwylmg7webyepsqepotlhzbytkp",
oauth_signature="NeOwbCLUPbIyF9ErnHoFQOl9%2Bwo%3D"
I have worked with REST Client plugin available for Firefox and Chrome, REST API is work well using REST Client plugin but not accessible in iPhone.
I am generating a random value for oauth_timestamp, oauth_signature and oauth_nonce then also REST API is displaying Access Denied.
Please provide suggestions.
//here final_sign is signature generated from following procedure.
$nonce = substr(md5(uniqid('nonce_', true)),0,16);
$temprealm="http://magentohost/api/rest/products";
$realm=urlencode($temprealm);
$oauth_version="1.0";
$oauth_signature_method="HMAC-SHA1";
$oauth_consumer_key="dfddfgdgdfgddf6qgygmyvw7e3";
$oauth_access_token="fdgdfgfdgdfg357gimpdnuejvcbtk51ni";
$oauth_method="GET";
$oauth_timestamp=time();
$algo="sha1";
$key="sb88hfdihyg25ipt1by559yzbj2m3861&s7uhaheu8nrx961oxg6uc3os4zgyc2tm"; //consumer secret & token secret //Both are used in generate signature
$data="oauth_consumer_key=".$oauth_consumer_key."&oauth_nonce=".$nonce."&oauth_signature_method=".$oauth_signature_method."&oauth_timestamp=".$oauth_timestamp."&oauth_token=".$oauth_access_token."&oauth_version=".$oauth_version;
$send_data=$oauth_method."&".$realm."&".urlencode($data);
$sign=hash_hmac($algo,$send_data,$key,1); // consumer key and token secrat used here
$fin_sign=base64_encode($sign);
echo $fin_sign;
From your question I understand that you use a random value for the signature and the nonce.
The latter would be fine, but a random signature would lead the receiver not to trust you as a legitimate client.
So, actually, you get the response you requested (;-)). But that does not solve your problem.
You have to generate a valid signature for the magento system.
There are many other question related to this, but they didn't help me fix my problem.
I'm using the Facebook server-side login for a website, which I want to test locally. The path that initiates the login action is [http://localhost:8080/fblogin] (this redirects to the Facebook login dialogue, and goes from there).
I can successfully get the code, but when I try to exchange that for an access token, I get the following error:
{"error":{"message":"Missing redirect_uri parameter.","type":"OAuthException","code":191}}
I am providing the redirect_uri, url encoded and it is the same as the one I use to get the first code. Here is the url I'm using to request the access token (with the all-caps query string parameters replaced with their actual values, of course):
https://graph.facebook.com/oauth/access_token?client_id=CLIENT_ID&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Ffblogin&client_secret=CLIENT_SECRET&code=CODE_FROM_FB
I suspect this might have to do with how my app is set up on Facebook. Here are the values I have set:
Display Name: (an actual display name here)
App Domains: localhost
Contact email: (an actual email here)
Site URL: [http://localhost:8080/fblogin]
What do I need to tweak in the settings to get this to work? Or does this look correct?
By the way, if it makes any difference, I am using the Play! framework, version 2.0.1
After digging around a little more, I found that it was necessary for me to use POST when sending the request from my server to get the access token.
Interesting that using POST worked for you as this didn't for me.
In any case, did you add the query parameters using setQueryParameter()? (see How to make multiple http requests in play 2?)
I'm using FB.login on the JS client and want to verify the user's identity on the server. So, the client gets a signedRequest from facebook and sends it to the server. The server splits on the period, and decodes the second part of the signedRequest into a json object.
What should I be using for "code" when I send my server-side request to
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID
&redirect_uri=YOUR_REDIRECT_URI
&client_secret=YOUR_APP_SECRET
&code=CODE_GENERATED_BY_FACEBOOK
My decoded json looks something like:
{"algorithm":"HMAC-SHA256","code":"2.AQCPA_yfx4JHpufjP.3600.1335646800.1-5702286|l11asGeDQTMo3MrMx3SC0PksALj6g","issued_at":1335642445,"user_id":"5232286"}
Is that the code I need? Does it need to be B64 encoded? If this isn't the code, what code should I use?
_
What I've tried:
The request I'm trying to use is:
https://graph.facebook.com/oauth/access_token?client_id=295410083869479&redirect_uri=https://squaredme.appspot.com/facebookredirect&client_secret=44f1TOPSECRETbb8e&code=2.AQCPA_yfx4JHpufjP.3600.1335646800.1-5702286|l11asGeDQTMo3MrMx3SC0PksALj6g
but this returns the error:
{"error":{"message":"Error validating verification code.","type":"OAuthException","code":100}}
I can't tell if this is because I'm using a bad code, or what. Noteably, this is running on my local dev server, and squaredme.appspot.com definitely does NOT resolve to my IP. I don't know if facebook checks that or what - I'm assuming I'd get a better error message. Thanks for any direction!
You are trying to somehow combine the two flows together and that's why things don't work well.
When facebook POSTs into the iframe with your app url and a signed request there are two options, the easy one being that the user is already authenticated and then the signed request will have all the necessary data (including a signed request), then you just load the canvas page and use the JS SDK to get an access token there as well, but in this case there's no need to use the FB.login (since it opens a popup and will automatically close it), you can use the FB.getLoginStatus method which won't annoy the user.
If the user is not authenticated then the sign request will be missing the things you need to use the graph api.
You then redirect the user to the auth dialog, and since you are loaded in an iframe you'll need to return a html response which redirects the parent window using javascript, like:
top.location.href = "AUTH_DIALOG_URL";
When the use is done (accepted or rejected the app) he will be redirected to the "redirect_uri" you added as a parameter to the auth dialog.
If the user accepted your app then you'll be getting the "code" parameter in the query string.
You then take the code, exchange it with an access token as you posted in your question, and then redirect the user back to "apps.facebook.com/YOUR_APP".
When the page then loads the user is already authenticated and you'll be getting a full signed request.
I hope this clarifies things for you, recheck the Server-Side flow it pretty much covers it all.
I also had some trouble with that, then I found the solution here in StackOverflow.
There are two kinds of "code" provided by facebook. One comes inside the signedRequest in the cookie generated by the client-side flow. The Facebook's JS SDK handles this codes and get a access token without telling us anything.
The other type of code comes attached as a query to your redirect URI (http://www.yoururl.com/index.php?code=AAAgyiaus...), when you navigate to OAuth URL (server-side flow). With this code, you go to a Token URL and get your access token.
When you are using the server-side flow, you need to indicate a redirect URI both in the OAuth URL AND in the Token URL, and they have to be exactly the same, so a missing slash or a query string can be a lot of problem.
The codes are different from each other. When you use the both things together, appears to be impossible to get a access token using the code that was inside the cookie's signedRequest.
BUT, it is not. The magic is: the code from signedRequest is associated with NO URI, so as long as the redirect_uri is a mandatory field, all you have to do is to pass it blank when you navigate to the Token URL.
So the final solution is: grab the signedRequest from the cookie, parse it in your server to obtain the code, then read the Token URL:
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID
&redirect_uri=&client_secret=YOUR_APP_SECRET
&code=CODE_INSIDE_THE_SIGNED_REQUEST
It looks like a hack, so I don't know how long it's gonna work, but it's working right now.