ApiKey response api/login Orocommerce - orocommerce

I am getting the apiKey that /api/login generates, but I don't see how to use that apiKey in the other endpoints, since the docs talk about making requests with OAuth2.
https://files.slack.com/files-pri/T11NA9FSN-F03CMAN5H6X/captura_desde_2022-04-22_15-38-11.png

In case you need to use an API key generated via the "api/login" method in the scope of the Sandbox, you should:
- generate an API key via the "api/login" method by passing the login and password of the customer user
- sign in with the same user, or just refresh the Sandbox page in case you are already signed in
- after that, the authentication method will be changed to WSSE (in case it is still Session, switch it manually)
- after that, WSSE will be used for every call
In case you need to use WSSE authentication from code please see the next article (especially "Header Generation" part): https://doc.oroinc.com/api/authentication/wsse/
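As an added example (my own code, not from the OroCommerce docs or the answer above), here is how an X-WSSE header is built from the API key and how a server would check it. It assumes the digest rule base64(sha1(raw_nonce + created + api_key)) with the nonce sent base64-encoded; all function names are mine.

```python
# Added example: build and check an X-WSSE UsernameToken header.
# Assumed digest rule: base64(sha1(raw_nonce + created + api_key)), nonce sent base64-encoded.
import base64
import hashlib
import hmac
import os
import re
from datetime import datetime, timezone

_FIELD = re.compile(r'(\w+)="([^"]*)"')

def _digest(nonce_raw, created_str, api_key):
    return base64.b64encode(
        hashlib.sha1(nonce_raw + created_str.encode() + api_key.encode()).digest()).decode()

def make_wsse_header(username, api_key, nonce_raw=None, created=None):
    """Value for the X-WSSE request header; a fresh nonce is drawn for every call."""
    nonce_raw = nonce_raw or os.urandom(16)
    created = (created or datetime.now(timezone.utc)).astimezone(timezone.utc)
    created_str = created.strftime("%Y-%m-%dT%H:%M:%S+00:00")
    return 'UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"' % (
        username, _digest(nonce_raw, created_str, api_key),
        base64.b64encode(nonce_raw).decode(), created_str)

def verify_wsse_header(header, lookup_api_key, seen_nonces, now=None, lifetime_s=300):
    """Illustrative server-side check: Created inside the window, nonce unused,
    digest matches the key on file. seen_nonces is the caller's replay cache."""
    fields = dict(_FIELD.findall(header))
    try:
        nonce_raw = base64.b64decode(fields["Nonce"], validate=True)
        created = datetime.fromisoformat(fields["Created"])
    except (KeyError, ValueError):
        return False
    if created.tzinfo is None:
        return False                       # timestamp must carry its offset
    now = now or datetime.now(timezone.utc)
    if abs((now - created).total_seconds()) > lifetime_s:
        return False                       # stale or future-dated header
    if fields["Nonce"] in seen_nonces:
        return False                       # replayed header
    api_key = lookup_api_key(fields.get("Username"))
    if api_key is None:
        return False
    expected = _digest(nonce_raw, fields["Created"], api_key)
    if not hmac.compare_digest(expected, fields.get("PasswordDigest", "")):
        return False
    seen_nonces.add(fields["Nonce"])
    return True
```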

Related

How to properly authorize through the API at Postman.com

I have a server that (at site.com/api/v1/auth) sends user data with a GET parameter.
I have a login and password for authorization; in return the server sends me a unique key. That is, after each successful authorization the API key changes.
Here is the instruction, but I don't understand how to set it up correctly in Postman to check.
https://app.swaggerhub.com/apis-docs/pixel3655/democontent2.pi/1.0.0-oas3#/user/auth
You need to send X-PI-EMAIL and X-PI-PASSWORD in the headers of the auth endpoint.
Then in the Tests section of the auth endpoint you can inject the id into your environment variables.
pm.environment.set("currentId", pm.response.json().result.id);
and use it on the other API requests by adding a header of X-PI-KEY and a value of {{currentId}}.

POSTMAN REST client with Magento REST API with OAuth. How to get Token and Token Secret? Please tell me step by step each process

With the Magento REST API, how will I get the token and token secret to fill in the Postman REST request? I have only the consumer key and consumer secret.
Please provide me the steps to follow.
First, you want to request a valid OAuth token and secret. Do this by hitting the /oauth/initiate URL of your Magento store with a GET parameter for oauth_callback. We're going to use httpbin so that we can echo anything that is passed to our callback. Make sure you have "Auto add parameters" checked on the OAuth 1.0 settings for Postman.
That will give you an oauth_token and oauth_token_secret, which are only temporary. These are referred to as a "request token" and secret. Save these values somewhere because you will need them later.
Now, assemble a new regular HTTP request to the /admin/oauth_authorize URL of your Magento store. This will return a login form where you can accept the oauth token and authorize your app, however since we're using Postman we aren't able to interact with the form.
Instead, view the source and pull out the form_key hidden input value. Then assemble a new HTTP request to fake the submission of the authorization form. Make sure it is a POST request. Your new HTTP request should look like this.
Now, you need to actually confirm the authorization. Simply issue a GET to the /admin/oauth_authorize/confirm URL of your Magento store with the oauth_token as your parameter. When you send this request it will redirect to your oauth_callback from the first step. Now, you can see why we used httpbin as our callback in the first step.
OK. So, we're almost home. The last piece of the puzzle is to use the oauth_token, oauth_secret, and oauth_verifier all together to get a valid and persistent "access token". So, take the oauth_token_secret from the first step, and combine and assemble a new OAuth request like so.
You should get a returned token and secret. These will never expire! You can use them to query products and stuff.
Now, you can assemble your OAuth requests like this. Edit: Note, you must check the "Add params to header" checkbox in order for Magento REST calls to work properly.
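Added example (my own code, not Magento's or Postman's) of what Postman's OAuth 1.0 settings do for each request in the steps above: HMAC-SHA1 signing of the request into the Authorization header, together with the check a resource server performs on receipt. store.example and the key values in the comments are placeholders.

```python
# Added example: OAuth 1.0a HMAC-SHA1 request signing and the matching server-side check.
import base64
import hashlib
import hmac
import os
import re
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def _enc(s):
    return quote(str(s), safe="~")          # RFC 5849 percent-encoding

def _signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string: METHOD & base URL & sorted, encoded params."""
    parts = urlsplit(url)
    base_url = "%s://%s%s" % (parts.scheme, parts.netloc, parts.path)
    all_params = dict(parse_qsl(parts.query, keep_blank_values=True), **params)
    pairs = sorted((_enc(k), _enc(v)) for k, v in all_params.items())
    base = "&".join([method.upper(), _enc(base_url),
                     _enc("&".join("%s=%s" % p for p in pairs))])
    key = "%s&%s" % (_enc(consumer_secret), _enc(token_secret))
    return base64.b64encode(hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()).decode()

def oauth1_header(method, url, consumer_key, consumer_secret, token="", token_secret="",
                  extra=None, nonce=None, timestamp=None):
    """Authorization header value ('Add params to header' in Postman). extra carries the
    step-specific parameter: oauth_callback for /oauth/initiate, oauth_verifier for the
    access-token request; token/token_secret are the request or access token pair."""
    params = {"oauth_consumer_key": consumer_key,
              "oauth_nonce": nonce or base64.b64encode(os.urandom(16)).decode(),
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(timestamp or int(time.time())),
              "oauth_version": "1.0", **(extra or {})}
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = _signature(method, url, params, consumer_secret, token_secret)
    return "OAuth " + ", ".join('%s="%s"' % (_enc(k), _enc(v)) for k, v in sorted(params.items()))

def verify_oauth1(method, url, header, consumer_secret, token_secret="", max_skew=300):
    """Server-side check: recompute the signature with the header's own nonce and timestamp.
    A real server additionally rejects a nonce/timestamp pair it has already seen."""
    params = {k: unquote(v) for k, v in re.findall(r'(oauth_\w+)="([^"]*)"', header)}
    sent = params.pop("oauth_signature", "")
    if abs(time.time() - int(params.get("oauth_timestamp", "0"))) > max_skew:
        return False
    expected = _signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, sent)
```

Step 1 of the answer is `oauth1_header("GET", "https://store.example/oauth/initiate", "CONSUMER_KEY", "CONSUMER_SECRET", extra={"oauth_callback": "https://httpbin.org/get"})`; the final step passes the request token pair plus `extra={"oauth_verifier": ...}`.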

Exchanging a Dropbox authorization code for a re-useable access token with php and oauth2

I am trying to exchange the authorization code I received without success. I am using the manual way where I omit the redirect url:
https://api.dropbox.com/oauth2/authorize?response_type=code&client_id=<key>scope=&state=<state>
When this URL is activated it takes the user to the authorization screen; if the user authorizes the app, it DOES NOT redirect; instead it prints an authorization code such as:
Enter this code into <app-name> to finish the process.
GooKWtwe54AAAAAAABABSUl_Ruv1COvpBBCuWQ5kv2g
How do I exchange this code for an access token?
If you're not supplying a redirect_uri parameter on /oauth2/authorize to automatically redirect the user, you can prompt them to copy that authorization code into your app manually. Then, your app should exchange that authorization code for an access token using /oauth2/token.
Also, note that /oauth2/authorize should be accessed on www.dropbox.com, not api.dropboxapi.com, as it is a web page. The /oauth2/token endpoint is an API call, so that should be called on api.dropboxapi.com.
You can find the documentation for both of these here:
https://www.dropbox.com/developers/documentation/http/documentation#authorization

ASP.NET MVC DotNetOpenAuth authorization server how-to

I have this scenario: a corporate site (MVC 4) and a web shop; add OAuth 2 SSO functionality. Both sites have their own members, but the corp site (for which I'm responsible) must also work as an OAuth 2 authorization server and will store a web shop user id for each member. The shop requested the following endpoints:
Auth endpoint
• authorization:
…/oauth2/authorize?client_id={CLIENT_ID}&state={STATE}&response_type=code&redirect_uri={REDIRECT_URI}
• token
…/oauth2/token?code={TOKEN}&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&redirect_uri={REDIRECT_URI}&grant_type=authorization_code
…/oauth2/token?refresh_token={TOKEN}&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&redirect_uri={REDIRECT_URI}&grant_type=refresh_token
API endpoint
• getid (will return JSON with the shop id of the member):
…/oauth2/api/getid?access_token={TOKEN}
I don't have experience with OAuth, so I was looking at the DotNetOpenAuth samples and have concluded that I need to implement an OAuthAuthorizationServer, but modifying the sample to fit my requirements is difficult as it seems to do more and is complex.
As researching DotNetOpenAuth seems to be so time consuming, I'd like to ask: is modifying the OAuthAuthorizationServer sample the right approach? Or should I try to make a native implementation or try a different OAuth library that may be easier to use in my situation?
Please comment on my overall plan:
-keep the corp site member login flow standard forms auth, straightforward LogOn controller
-add an OAuth controller that will implement the three required endpoints as actions
-when the authorization action is reached, I validate the client and redirect to LogOn passing on the redirect_uri; I think the Authorize ActionResult from OAuthController.cs from the sample is where I should start investigating this, and return an AccountAuthorizeModel. Is this correct?
-after the user logs in, and if the login page was reached from the authorization endpoint, I redirect to redirect_uri with the code attached; I don't know where to start with this one. PrepareApproveAuthorizationRequest then PrepareResponse? Where does the code come from? Where in the flow should I add a new ClientAuthorization in the database?
-the shop will then use the code to get or refresh the token, from the /token endpoint; simply return HandleTokenRequest?
-with the token the shop site will be able to get the member data JSON; have to find out how to validate the token
Now, besides adding a Clients table to store the client ids and secrets, and ClientAuthorization to keep track of who's authorized, I don't know if the other tables from the DotNetOpenAuth sample are used and when: Nonce, SymmetricCryptoKey, User.
Modifying OAuth2AuthorizationServer.cs seems straightforward, I only have to add real certificates and make sure the clients are pulled from my data context.
Thanks!
I think you are right in most of the points. Let's comment them:
OAuth server should have 2 endpoints (not 3), as requesting token and refreshing token goes to the same endpoint (TokenEndpoint).
It depends on whether you are going to implement a different authentication server (or controller), or you are going to implement the authentication responsibility inside the authorization server. In case they are separated, the authentication server should be the one responsible for displaying the logon, authenticating and communicating with the authorization server using the OpenID protocol (also supported by DotNetOpenAuth).
Once the user is authenticated, the authorization server should store the data of the user identity somehow, and return the authorization code (if using this OAuth flow) using DotNetOpenAuth functions:
// Approve the pending authorization request for the signed-in user; DotNetOpenAuth
// generates the authorization code and places it in the redirect back to the client.
var response = this.AuthServer.PrepareApproveAuthorizationRequest(AuthorizationRequest, User.Identity.Name);
var finalResponse = this.AuthServer.Channel.PrepareResponse(response);
return finalResponse.AsActionResult();
I don't think you need to save anything about the authorization process in the database; the code is generated by DotNetOpenAuth and sent to the client in the query string of the redirection.
Then, the client should get the code (ProcessUserAuthorization) and call the TokenEndpoint. This endpoint just returns HandleTokenRequest, which internally calls some OAuthAuthorizationServer functions, such as CreateAccessToken.
Once the client has the access token, it should call the resources, sending the token in the HTTP header 'Authorization'. The resource server is responsible for validating the token.
// The analyzer verifies the token's signature and decrypts it with the server's keys
// before the resource server exposes the token's user and scopes.
var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(signing, encrypting));
AccessToken token = resourceServer.GetAccessToken(request, scopes);
A store provider for nonces and cryptoKeys is needed when using this flow. Have a look at the class InMemoryCryptoKeyStore in:
https://github.com/DotNetOpenAuth/DotNetOpenAuth/wiki/Security-scenarios
Hope this helps!

refresh token using omniauth salesforce

This is a Ruby question using omniauth-salesforce. I have omniauth 1.1.1 and omniauth-salesforce 1.0.3, and I can get the user authenticated. However, no refresh_token is returned by default; I only get access_token. My callback URL is http://localhost:3000/auth/salesforce/callback
Based on the description of "Digging Deeper into OAuth2.0 on Force.com", the default scope of https://login.salesforce.com/services/oauth2/authorize is id api refresh_token. But this is not the case.
Then I tried to specify the scope parameter in omniauth.rb:
provider :salesforce, salesforce_client_id, client_secret, {:scope => "id api refresh_token"}
Then I got an error saying:
the requested scope is not allowed
In addition, if I put the following in a browser I get the same error message:
https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=3MVG9rFJvQRVOvk4RuIKaSYwf07LcsMtIAUK7h3Q6n5OHfD.IbFpEsROli3SqxWo67RklJ5FBdnYf4ejHNFrq&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsalesforce%2Fcallback&display=page&scope=api
Any help will be greatly appreciated.
Thanks,
You are correct to set the scope in your omniauth.rb's provider statement. However, before salesforce.com will issue a refresh_token the application must be configured to support this OAuth scope.
On salesforce.com, navigate to where your app is configured (Setup > Create > Apps).
Under Connected Apps, click on your application's name to view its settings, then click Edit.
Under Selected OAuth Scopes, ensure that "Perform requests on your behalf at any time" is selected. You must include this even if you already chose "Full access".
Save, then try your OAuth flow again. It may take a short while for the update to propagate.
In your callback controller action, the refresh_token will now be available in request.env["omniauth.auth"].credentials.refresh_token.