I am trying to create a simple app using the dropbox api. My app constructs a URL to request access permissions from the user. I am setting the token_access_type to "offline".
The url looks like this:
.../oauth2/authorize?response_type=code&client_id=<APP_CODE>&token_access_type=offline
After the user authorizes the app I then send the following data to the oauth2/token endpoint: code = <CODE_FROM_WEBSITE> grant_type = authorization_code client_id = <APP_CODE> client_secret = <APP_SECRET>
The call succeeds, I get an access_token. But there is no refresh_token. What am I doing wrong?
Turns out I was using a saved URL to create the access_token - and that saved URL had the wrong token_access_type parameter.
Related
How can I get id_token while being authorized in website (OAuth 2.0)? I am trying to send post request which is include itself client_id, client_secret, refresh_token, redirect_uri. But in reponse I didn't get "id_token". How can I managing to get "id_token"? Maybe I need to add something else to my post request? Or I need to change some details directly in url?
I am trying to create an automated login in my own API through Cypress.
It uses Google SSO and with the authorization code, it generates an entirely new JWT to the user.
Everything looks fine. I can retrieve an id_token and access_token from https://oauth2.googleapis.com/token using the refresh_token
And with this data I can even check the user consuming the route https://www.googleapis.com/oauth2/v2/userinfo
But when I pass my auth code to the API it says redirect_uri_mismatch
I am calling an URL like
localhost:3000/foo/auth/callback?state=%7B%22pasUrl%22:%22terminal%22%7D&code=4/0AX4XfWhZRB1mZZ_VByR26EGJkXlhO1WMQ89yaysG56ihdlb9dJbOASvITFm-yv6iMMGYrA&scope=email%20profile%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20openid&authuser=0&hd=foo.com&prompt=consent
and in the list of Authorized redirct URIs I have http://localhost:3000/foo/auth/callback
I have an api with oauth2.0 authorization grant type authentication which has the following steps -
Get method for authorization code which opens up a form in browser where you need to enter credentials. This results in a series of post redirect requests and finally returns a authorization code in third post response header
Now a post request is sent, with grant type authorization code containing client credentials and the above authorization code we got from the get request, in the body and it returns the access token
This is how it works in postman. How can I achieve the same thing using Rest Assured?
You need two handlers
Handler 1:
To redirect to oauth server. (requeter should identity list of grant types, generate url with client_id and state and redirect application to this url)
Once end user signs in and allows the grant. (assumed that user allows)
Handler 2:
oauth server redirects back to postman with a authorization_code and state.
You need to configure redirect to your server callback url.
Once you receive these two
Verify state is same as what you sent. if yes proceed.
send authorization_code, cleint_secret, client_id back to server to recieve access_token and refresh_token
Use access_token to access data.
Use refresh_token to get new access_token.
I'm integrating Okta to my own IdP server by using Okta's API.
I'm implementing the Authorization code flow by following the steps below:
In my own server, use the /api/v1/authn endpoint to get the sessionToken.
Use the sessionToken to obtain the authorization by calling this endpoint: /oauth2/v1/authorize?client_id=" + clientId + "&sessionToken=" + sessionToken + "&response_type=code&response_mode=query&scope=openid&redirect_uri=" + redirectUrl + "&state=evanyang&nonce="
It's supposed to return a response with status code 302 and with the Location header containing the redirect url as well as the code value.
However, I keep getting a response with status code 200 and without the Location header, with a html body saying "You are using an unsupported browser." and "Javascript is disabled on your browser."
According to the API documentation: http://developer.okta.com/docs/api/resources/oidc.html#authentication-request, the sessionToken parameter is sufficient to do this: An Okta one-time sessionToken. This allows an API-based user login flow (rather than Okta login UI).
Am I missing any extra requirement for getting the authorization code through API? Please help.
Thanks in Advance :)
The Authorization Code grant type and the Authorization endpoint in there are meant to be access through a browser, not a non-browser client.
This issue is caused by obtaining session id between obtaining session token and authorization code. Once the session token is used to get session id, it becomes invalid, which means it cannot be used to get authorization code anymore.
According to Okta, the Authorization Code grant type and the Authorization endpoint and be used through a API-based web app too, as long as the session token is provided in the request: http://developer.okta.com/docs/api/resources/oidc.html#authentication-request. In fact, one can use this script(https://github.com/SohaibAjmal/Okta-OpenId-Scripts) to finish the flow.
Hi am developing a windows store 8.1 app using C# and xaml
For log in, am authenticating the user with Windows Azure Active directory Single Sign-on using JavaScript back-end.
Once the user is logged in and i have the access token, how to get the logged in user's user email id and Username using the access token in the app?
Anybody please provide me a solution to get the user email using the access token?
If you have the access token then that should contain the user id value. For retrieving the e-mail address you have to query the Graph API to get user details. The full documentation on that is here but in short you should make a get request like below, placing the AccessToken in the Authorization header, after "Bearer ".
GET https://graph.windows.net/contoso.onmicrosoft.com/users/Alex#contoso.onmicrosoft.com?api-version=2013-04-05 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
You can use either user principal name or objectId in the address. Better yet, you can use the Azure AD Graph Client nuget package and call their API to get user information.
Uri servicePointUri = new Uri("https://graph.windows.net");
Uri serviceRoot = new Uri(servicePointUri, "contoso.onmicrosoft.com");
ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot, accessToken);
IUser user = activeDirectoryClient.Users
.Where(user => user.UserPrincipalName.Equals("alex#contoso.onmicrosoft.com"))
.ExecuteAsync().Result.CurrentPage.ToList().SingleOrDefault();
See here for the full sample.