I've been trying to update Google sign-in button on my website from old javascript method to new identity library, it works fine when I use callback function but the redirect option (for server-side verification) doesn't send credentials in POST request:
<html>
<body>
<script src="https://accounts.google.com/gsi/client" async defer></script>
<div id="g_id_onload"
data-client_id="my client id"
data-ux_mode="redirect"
data-login_uri="http://localhost:3001/api/google-auth">
</div>
<div class="g_id_signin" data-type="standard"></div>
</body>
</html>
In POST request it sends 'g_csrf_token' cookie, but doesn't contain 'credential' or 'g_csrf_token' in request body or parameters as mentioned in the document here
https://developers.google.com/identity/gsi/web/reference/html-reference#server-side
I believe I've set OAuth 2.0 Client ID and Consent Screen correctly. Any help will be appreciated
Related
So i created youtube api project on google cloud. I tested getting auth code via urn:ietf:wg:oauth:2.0:oob redirect-uri, i don t want to make webservice to auth my account. Everything is good because i am getting code in the browser but i have the problem with POSTing to the api this auth code. When i am trying to post authentication code via RestMan (sth like postman) it shows me that:
<html lang=en>
<meta charset=utf-8>
<meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
<title>Error 404 (Not Found)!!1</title>
<style nonce="CIsxxpEHaaEHNiQiddzf7Q">
*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}#media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}#media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}#media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
</style>
<main id="af-error-container" role="main"><a href=//www.google.com><span id=logo aria-label=Google role=img></span></a>
<p><b>404.</b> <ins>That’s an error.</ins>
<p>The requested URL was not found on this server. <ins>That’s all we know.</ins>
</main>
My data in RestMan:
URL: https://accounts.google.com/o/oauth2/token/
Raw body: code=MYCODE&client_id=MYCLIENTID&client_secret=MYSECRET&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code
I think it can be problem with body in redirect_uri part. Can someone advice me what should i write there? Need i create webservice authorization with localhost?
EDIT:
Okay i just used youtube client library for java.
Example codes are really helpful and connection should be safe.
Link: https://developers.google.com/api-client-library/java/
a) You're likely using the wrong URL. Use the Google discovery doc: https://accounts.google.com/.well-known/openid-configuration to find the token endpoint:
...
"token_endpoint": "https://oauth2.googleapis.com/token",
...
b) Consider setting up localhost to get the authorization code and refresh token. See https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html.
Okay i just used youtube client library for java. Example codes are really helpful and connection should be safe. Link: https://developers.google.com/api-client-library/java/
I am using Asp.Net Core 3.1 API with Identity Server and I am using Postman as an API tester from long time and it is working perfect, but, after version update to 8.+.+ the Postman return me this error:
<HEAD>
<TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii">
</HEAD>
<BODY>
<h2>Bad Request - Request Too Long</h2>
<hr>
<p>HTTP Error 400. The size of the request headers is too long.</p>
</BODY>
I putted in header key (Content-Type) and the value (application/json) and authorization is in type of bearer token with empty body.
I followed many questions to solve this issue like the bellow mentioned:
bad request - request too long
https://github.com/IdentityServer/IdentityServer3/issues/1124
https://community.postman.com/t/400-bad-request/18252
How can I solve Postman (Bad Request - Request Too Long) issue?
After many research, it is very easy and simple way to delete the cookies from the Postman application as shown below:
Then delete the cookies as shown below:
Now try to apply the request, it should work, but, this is only temporary solution, I hope there is a full solution from Postman team or someone.
I'm new in VueJS and have a problem: I can authenticate a user with adldap2 in php. But how can I check in VueJS whether the user is authenticated? The login expires after 2 hours and the user should not be able to interact with the website when not longer logged in. By the way, I also need "Auth::user()" in backend.
So I try to find a way to get something like let user = Auth.user; in VueJS and Auth::user(); in PHP.
I need it in VueJS for things like that:
<div class="row" v-if="Auth.checked">
<div class="col-md-12">
<!-- "navigation" is a custom component in VueJS -->
<navigation :items="menuItems" v-on:ask-upgrade="showUpgrade = true"></navigation>
</div>
</div>
I get a solution. Here is the tutorial what I used for my problem. My auth.js file is very larger now but I need a lot of auth stuff for routing.
I try to talk to my REST API built with Laravel. But the call with POSTMAN is rejected due to a token mismatch. I guess I need to include the CSRF token in the header. But do I need the encrypted one? When I insert this token I still get the error that there is a token mismatch.
I retrieve my token by using:
$encrypter = app('Illuminate\Encryption\Encrypter');
$encrypted_token = $encrypter->encrypt(csrf_token());
return $encrypted_token;
but is this supposed to change on every refresh?
If you aren't using forms - for an API for example - you can follow the steps here https://gist.github.com/ethanstenis/3cc78c1d097680ac7ef0:
Essentially, add the following to your blade or twig header
<meta name="csrf-token" content="{{ csrf_token() }}">
Install Postman Interceptor if not already installed, and turn it on
Then, in your browser log into the site (you need to be authorised), and either inspect element or view source to retrieve the token
In Postman, set GET/POST etc as needed, and in your header create a new pair
X-CSRF-TOKEN tokenvaluetobeinserted235kwgeiOIulgsk
Some people recommend turning off the CSRF token when testing the API, but then you aren't really testing it are you.
If you do find you still have errors, check the response back using preview as Laravel tends to be fairly explicit with their error messages. If nothing is coming back, check your php_error.log (what ever it is called).
ps Oct 2018 - I now user Laravel Passport for handling API registration, logins and user tokens - worth a look!
Go to app/Http/Middleware/VerifyCsrfToken.php and add this values
protected $except = [
'/api/*'
];
Yes it changes every refresh. You should be putting it in the view and when you post it needs to be sent as the value of the "_token" POST var.
If you are just using a standard POST just add this to the form:
<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">
If you are using AJAX make sure you grab the value of _token and pass it with the request.
REF: http://laravel.com/docs/5.1/routing#csrf-protection
Use Postman
Make a GET request to any page that has
<meta name="csrf-token" content="{{ csrf_token() }}">
Copy the value from the response.
Add a header field to your POST request:
"X-CSRF-TOKEN: "copied_token_in_previous_get_response"
I had this error while using a baseURL variable in my Postman environment. Turns out I was calling the site's URL without /api at the end. Sounds silly, but just to eliminate user error make sure you check that your request URL is based on:
✅ https://<your-site-url>/api
Not:
❌ https://<your-site-url>
If you are making REST API use api.php for writing routes, not web.php, according to Laravel documentation web.php is for writing routes for the website that's why you see csrf-token error while using it like API, So for API we have the api.php file which will not give you a csrf-token error.
I just had the same issue and this answer finally helped me solving it: https://stackoverflow.com/a/67435592/11854580
Apparently the CSRF token needs to be updated on every POST request. (Not on every GET request somehow.) You can solve this with a pre-request-script in Postman as explained in this tutorial: https://blog.codecourse.com/laravel-sanctum-airlock-with-postman/
Adding /api to the url should solve this for most people just testing out their APIs... Eg. https://www.yoursite.com/api/register
For a web application that doesn't reload the page with in 3600 seconds, whats the best way to keep the session alive with google plus?
If I use the html sign in button, is there a javascript call to refresh the session?
Do I need to refresh the token, but does that update the session?
Would it be best to call the server and refresh the token, but then I need to update the client cookie?
Should I reload the page, this would suck b/c its an application that shouldn't do that?
Can I ask the javascript to sign in again, but I get a popup blocker?
How do I deal with the 3600 token expiring in a web application that doesn't refresh the page?
<span id="signinButton">
<span class="g-signin" data-callback="signinCallback"
data-clientid="xxxxxx.apps.googleusercontent.com"
data-cookiepolicy="single_host_origin"
data-accesstype="offline"
data-approvalprompt="auto"
data-theme="dark"
data-requestvisibleactions="http://schemas.google.com/AddActivity"
data-scope="https://www.googleapis.com/auth/plus.login
https://www.googleapis.com/auth/plus.me
https://www.googleapis.com/auth/userinfo.email
email">
</span>
</span>
You can use the gapi.auth.authorize call of the JS Client library (which will be loaded with the Sign-in JS script), providing the same parameters you did in the Sign-in Button, and using 'immediate': true. Since the user already authenticated before, this will refresh the token automatically (if necessary).