I am trying to create an automated login in my own API through Cypress.
It uses Google SSO and with the authorization code, it generates an entirely new JWT to the user.
Everything looks fine. I can retrieve an id_token and access_token from https://oauth2.googleapis.com/token using the refresh_token
And with this data I can even check the user consuming the route https://www.googleapis.com/oauth2/v2/userinfo
But when I pass my auth code to the API it says redirect_uri_mismatch
I am calling an URL like
localhost:3000/foo/auth/callback?state=%7B%22pasUrl%22:%22terminal%22%7D&code=4/0AX4XfWhZRB1mZZ_VByR26EGJkXlhO1WMQ89yaysG56ihdlb9dJbOASvITFm-yv6iMMGYrA&scope=email%20profile%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20openid&authuser=0&hd=foo.com&prompt=consent
and in the list of Authorized redirct URIs I have http://localhost:3000/foo/auth/callback
Related
I have an application that uses NestJS and Angular. I am currently using #auth0/auth0-angular on the frontend to log users in and out. I want to write e2e tests with Supertest using the Authorization Code Flow and according to the Auth0 docs (https://auth0.com/docs/get-started/authentication-and-authorization-flow/add-login-auth-code-flow#parameters), I have to:
1) Authorize the user by sending the user to the authorization URL
2) If all goes well, I should receive an HTTP 302 response which includes an authorization
code
3) Exchange this authorization code for tokens by POSTing to the token URL
('https://YOUR_DOMAIN/oauth/token').
4) If all goes well, I should receive an HTTP 200 response with a payload containing the
tokens.
However, since I’m writing tests with Supertest on the backend, I can’t send a user to the authorization url and have the user handle authentication. Is there a way to get around this and get an authorization code (perhaps fake the authorization code somehow?) so that I can POST to the token url in order to get the tokens?
I initially tried to use the Auth0.js SDK but turns out that was only for browsers (can't use it since I'm writing Supertest tests on backend). Auth0 docs haven't been too helpful either and there seems to be very limited resources on using Supertest with Auth0.
I have an api with oauth2.0 authorization grant type authentication which has the following steps -
Get method for authorization code which opens up a form in browser where you need to enter credentials. This results in a series of post redirect requests and finally returns a authorization code in third post response header
Now a post request is sent, with grant type authorization code containing client credentials and the above authorization code we got from the get request, in the body and it returns the access token
This is how it works in postman. How can I achieve the same thing using Rest Assured?
You need two handlers
Handler 1:
To redirect to oauth server. (requeter should identity list of grant types, generate url with client_id and state and redirect application to this url)
Once end user signs in and allows the grant. (assumed that user allows)
Handler 2:
oauth server redirects back to postman with a authorization_code and state.
You need to configure redirect to your server callback url.
Once you receive these two
Verify state is same as what you sent. if yes proceed.
send authorization_code, cleint_secret, client_id back to server to recieve access_token and refresh_token
Use access_token to access data.
Use refresh_token to get new access_token.
We have an application that uses Dropbox API. When the user goes through the Dropbox OAuth 2 flow and signs-in using their email address and password, all works fine and we get the access_token. However, when the user uses the "Sign in with Google" flow in the Dropbox authorization dialog, we get back code which we then try to exchange for access token but the request fails with {"error_description": "code doesn't exist or has expired", "error": "invalid_grant"}.
Here's the steps we use:
1.
var dbx = new Dropbox.Dropbox({ clientId: clientId });
var authUrl = dbx.getAuthenticationUrl('https://www.dropbox.com/1/oauth2/redirect_receiver');
This gives us url https://www.dropbox.com/oauth2/authorize?response_type=token&client_id=...&redirect_uri=https://www.dropbox.com/1/oauth2/redirect_receiver.
2.
Open authUrl in a popup.
3.
User uses "Sign in with Google"
4.
We get a redirect to the URL below that contains the code:
https://www.dropbox.com/google/authcallback?state=...&code=...&scope=...
Now trying to exchange the code for access token with POST to https://api.dropboxapi.com/oauth2/token gives us:
{"error_description": "code doesn't exist or has expired", "error": "invalid_grant"}
The problem here is that, given the use of the Google Sign In flow, there are actually two OAuth authorization flow instances occurring; the Google Sign In flow is nested inside the Dropbox app authorization flow. Your app doesn't actually need to know about this though.
That https://www.dropbox.com/google/authcallback URL is Dropbox's redirect URL for the Google Sign In flow, and accordingly the code given there is for the Google OAuth flow, not the Dropbox OAuth flow. Attempting to use it for the Dropbox OAuth 2 flow will accordingly fail as you've seen (since it actually came from Google, not Dropbox).
You should have your app wait until your own redirect URL (in your shared code, https://www.dropbox.com/1/oauth2/redirect_receiver) is accessed, and only then take the code from there and exchange it for a Dropbox access token.
I am trying to exchange the authorization code I received without success. I am using the manual way where I omit the redirect url:
https://api.dropbox.com/oauth2/authorize?response_type=code&client_id=<key>scope=&state=<state>
when this url is activated it will take the user to the authorization screen, if the user authorized the app, it DOES NOT redirect, instead it prints an authorization code such as:
Enter this code into <app-name> to finish the process.
GooKWtwe54AAAAAAABABSUl_Ruv1COvpBBCuWQ5kv2g
How do I exchange this code for an access token?
If you're not supplying a redirect_uri parameter on /oauth2/authorize to automatically redirect the user, you can prompt them to copy that authorization code into your app manually. Then, your app should exchange that authorization code for an access token using /oauth2/token.
Also, note that /oauth2/authorize should be accessed on www.dropbox.com not api.dropboxapi.com, as it is a web page. The /oauth2/token endpoint is an API call, so that should called on api.dropboxapi.com.
You can find the documentation for both of these here:
https://www.dropbox.com/developers/documentation/http/documentation#authorization
I would like to use google fusion tables, for which I need to login first.
I do a http request and get the "auth" token as response.
But now I stuck and don't know how to use this token?
I could neither find any google docs on this nor this thread helped: Google Auth using Token
Because adding the auth token to the url does not work.
You use the authorization code to get an access_token.
This has useful information:
https://developers.google.com/usiontables/docs/articles/oauthfusiontables
You then send the access_token with your sql query.