After integrating the WebProvider for ActiveDirectoryFederationServices from preview 4.1.0-preview-1.23108.18, a 401 occurs after the frontchannel redirect and userinfo call.
Probably this is due to the behavior described here: ADFS 4.0 (2016) OpenID Connect userinfo endpoint returns 401 when provided with access token.
Apparently the attachment of the resource = urn:microsoft:userinfo is missing.
In my experience when trying to hit the ADFS OIDC userinfo endpoint you need to pass a querystring key value pair (resource=urn:microsoft:userinfo)
The retrieval and validation of the token was successful.
The token response returned by https://[redacted]/adfs/oauth2/token/ was successfully extracted: {
"access_token": "[redacted]",
"token_type": "bearer",
"expires_in": 3600,
"resource": "8f238a5c-2dea-42cd-80eb-abf7638fcadd",
"refresh_token": "[redacted]",
"refresh_token_expires_in": 26751,
"scope": "openid",
"id_token": "[redacted]"
}.
Is there any way to set the resource or disable the retrieval of user info?
Related
regarding tapkey token exchange flow:
when exchanging access tokens through https://login.tapkey.com/connect/token api, I get error code 400 with error message invalid_grant
I am aware of a similar question and the solution in: Tapkey returns 400 bad request invalid_grant
My jwt token contains of the following:
Header:
{
"alg": "RS256"
}
Payload:
{
"algorithm": "RS256",
"audience": "local",
"iat": 1633339589,
"exp": 1633343189,
"issuer": "tapkey",
"subject": "myIpUserID1"
}
Before I make the API call I generate the jwt token with "iat": Time.now.to_i and "exp": Time.now_to_i + 3600, the call is done a few seconds later, manually.
Beforehand I created a IdentityProviderUser via API with the "IpID": "myIpUserID1", and got a success response with a new User-ID (ID).
I also tried to make the https://login.tapkey.com/connect/token api-call with "subject" to be set to that returned User-ID, but that gave me the same error message.
The payload field for the UserId is expected to be "sub" not "subject"
When generating oauth token from ordercloud sandbox environment, ordercloud returns ServerError as the error. Double checked the client_id, username, password and grant_type and it is correct. I am able to generate token using client_credentials grant_type. Is there a different way to generate token using password grant_type?
"client_id": "827D3F9E-F0AE-4C12-AF55-24D1D526303F",
"grant_type": "password",
"username": "admin02",
"password": "Test1234567#",
"scope": "CatalogAdmin BuyerReader MeAdmin InventoryAdmin PasswordReset OrderAdmin PriceScheduleAdmin ProductAdmin ProductAssignmentAdmin ShipmentAdmin"
"ErrorCode": "ServerError",
"Message": "An unknown error has occurred on the server.",
Your API Client has a ClientSecret set and you are not passing the ClientSecret in the request body. If you remove the ClientSecret, or pass it in the request body, your call should succeed.
It should be returning a 400 though rather than 500, so I will log that as a bug on our end.
API details:.Net Core 3.1 REST API using IdentityServer4 version 3.1.3
I have many APIs which send responses in a specified format.
For e.g. Register endpoint returns below response:
{
"responseCode": 0,
"developerMessage": "Response code not specified.",
"clientMessage": null,
"data": {"id":123},
"exception": null
}
I developed the authentication server using IdentityServer4.
But, my token endpoint returns below response:
{
"access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ik...",
"expires_in": 1209600,
"token_type": "Bearer",
"refresh_token": "1u8_VOFHTaeqWEWd6R...",
"scope": "offline_access api1"
}
Now the requirement is that all the endpoints of the API should return the response in the same format.
Which means I need to change the response of the token (or more) endpoints.
I looked into the ICustomTokenResponseGenerator service (mentioned here) but all it does is adding more fields to the response. And it is from IdentityServer3
class CustomTokenResponseGenerator : ICustomTokenResponseGenerator
{
public Task<TokenResponse> GenerateAsync(ValidatedTokenRequest request, TokenResponse response)
{
response.Custom.Add("custom_field", "custom data");
return Task.FromResult(response);
}
}
But, I want to completely change the response.
Is there any other service that I can use to get the below response?
{
"responseCode": 0,
"developerMessage": "Response code not specified.",
"clientMessage": null,
"data":
{
"access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ik...",
"expires_in": 1209600,
"token_type": "Bearer",
"refresh_token": "1u8_VOFHTaeqWEWd6R...",
"scope": "offline_access api1"
},
"exception": null
}
As explained in your GitHub ticket:
IdentityServer is an OAuth implementation - what you are suggesting would be incompatible with OAuth and thus is not supported by us.
If you need to change the complete payload to something custom - write some middleware to intercept the response.
Get URL :https://api.socialtables.com/4.0/products
Header : Authorization :Bearer b465820782e1b07db9b38d6e351883517ccc0dcf
Response
{
"code": "NotAuthorized",
"message": "Not Authorized"
}
You need to use an oauth token to authenticate.
See https://developer.socialtables.com/docs/authentication/ for how to get a token and authenticate.
I would like to know if it is possible to call a Google API that requires auth such as the Google Calendar API using the Apache HttpClient, and no Google code or libraries. (and need the code to do it)
This is the code I have so far, its gets an auth error,
What do you use for the user/password?
HttpPost request = new HttpPost("https://www.googleapis.com/calendar/v3/users/me/calendarList/primary?key=mykey");
DefaultHttpClient client = new DefaultHttpClient();
client.getCredentialsProvider().setCredentials(
new AuthScope(AuthScope.ANY),
new UsernamePasswordCredentials(user, password));
HttpResponse response = client.execute(request);
Error:
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
You don't use Login and password you need to be authenticated once you are you will have an access token then you can call something like this.
https://www.googleapis.com/calendar/v3/users/me/calendarList/primary?access_token={tokenFromAuth}
You can authenticate to Google with any language that is capable of a HTTP POST and a HTTP GET. Here is my walk though of the Auth flow to Google http://www.daimto.com/google-3-legged-oauth2-flow/ you will need to create a Oauth2 credentials on Google Developer console to start. Then its just a matter of asking the user for permission to access their data and requesting the access.