after successfully getting past the login page using curl in Linux (bash) with two sites that use information from the HTML-form field to accomplish this, I now also want to login to another site with my credentials that is a bit more tricky. I'm new to this and it seems that it works with OAuth so I need an access token first. With my two successfull attempts it was necessary to extract a CSRF token from the HTML code so as to prove I'm not a malicious bot. But now it's completely different and the server thinks I'm a bot (see error messages below).
Can somebody please confirm whether these are the only steps involved for logging in to an OAuth protected site:
a POST request to the server that generates the token (https://name_of_site/api/v1/auth/token)
a GET request to a password-protected part of the website using the access token from step 1
When I try step 1, I get error messages as shown below*. I inspected the website before logging in and afterwards with a browser and copied everything as cURL (bash). In the header fields of the token request I can find two more fields that look like they provide dynamic information:
x-trace-request-id
x-recaptcha-v3
I did some research and found that the request ID stays the same for some interactions that go to and from a server to facilitate identification of the client(?).
And concerning the recaptcha, I know what a recaptcha is, but I did not have to solve any captchas when accessing the site with a browser. So I'm quite unsure about these bits of information.
I strongly assume that I need to send one or both of these headers in the first step to actually get an acess token. But how could I get valid values for these parameters with cURL?
Any help is aprreciated! Please point me in the right direction. I can provide more information if needed, of course.
{"status":"ERROR","statusCode":400,"data":{"message":"Request failed with status code 400","error":"invalid_grant","error_description":"invalid credential","bot-detection-error":"MissingAdditionalAuthToken"}}
This is the error I get when I do not provide x-trace-request-id and x-recaptcha-v3
{"status":"ERROR","statusCode":400,"data":{"message":"Request failed with status code 400","error":"invalid_grant","error_description":"invalid credential","bot-detection-error":"InvalidCaptchaV3Token"}}This is the error I get when I simply use the values as copied from the old request when I used the browser
Related
First off, I apologize if I use any incorrect terminology. I'm familiar with calling internal apis, but this a side project and new territory for me.
I've been using chrome debugger and powershell to write some scripts against the api of a public site. I was able to retrieve the JWT token, however after a few minutes my calls will start to fail with a 403 error. To get around this I've been exporting all the request headers from chrome and storing those locally for my script to pass whenever my call to the api fails. I narrowed it down to 4 headers that must be present, the one that is most suspect seems to be "cookie".
I then removed all key value pairs in the cookie header until I found the one that makes it fail. It's named "__cf_bm". A quick google says it's some kind of cloudflare bot management data. I don't see any of the data present in the __cf_bm cookie being sent in a response during authentication, I only see it in request headers. Is it not possible to construct this value? Does this essentially prevent me from interacting with the site's api?
To use OneDrive API, I use token flow authentication to obtain an access token .
In general, I send a URL request using source code, then log in to Microsoft account and get an access token. Login is only requested for the first try since information are kept in browser cache .
However, when using RPA (Robotic Process Automation), the browser runs on a background process and the cache will not be kept. Therefore, it is necessary to log in to Microsoft account after sending the URL request every time. So far it seems to be ok but I am wondering that is it possible to get an error if I log in to Microsoft account too frequently in the long term?
From my research it looks like this shouldn't be an issue unless you have certain security features enabled that check for this. I wouldn't worry unless you're attempting to sign in many times within a few seconds. In the case that you do get an error it should be easily fixable since we know where it's coming from.
I'm unclear about how OAuth2 (or at least google's implementation of it) works for server applications as far as redirect_url is concerned.
I'm trying to achieve three use cases:
Case 1:
A user who has never logged in logs in through my web interface using the well-documented tools found in the google identity management API, which produces a token.
My javascript client sends the resulting token along with username (or anything else needed) to the server.
The server uses the token and additional information to make sure the user is authenticated and has access to some resource that is requested, for instance basic login.
Case 2:
A user has already logged via web page and their token is available as a cookie that has not expired, and the initial page forwards that to the same token checking mechanism as above.
The server uses the token to validate their session.
Case 3:
A user is accessing my server from an app (like Unity or some other compiled Qt application or even on a command line) and is prompted for credentials because no token can/should exist when cookies aren't a thing in this context.
If their credentials are no good, the application says so, and asks for new ones.
If the credentials are good, a token is generated but is probably not used except if the token needs to be refreshed at some time interval, because we assume that re-running the app or command line is effectively a new session.
None one of these cases requires my server to use the redirect_url (except maybe the case of #2 where the token is expired), because:
Case 1, the user would have been unable to pass a token in the first place if they can't log in, and would have been redirected before that.
Case 2, the server accepts the token and doesn't redirect, or rejects the token and only then may redirect them back to the initial state of Case 1, but the server already wants to redirect them because the token is invalid, so I don't need/want the redirect_url from oauth.
Case 3, we are assuming there is no browser and don't care about redirect_url in any case no matter what.
As my code works now, using: https://developers.google.com/identity/protocols/oauth2/web-server there is always this redirect_url field which I don't know what to do with, and when I execute REST commands I'm getting raw html back which includes self-submitting javascript instead of useful headers.
I can see a case for exposing some URL on my server to validate an oauth2 session/token from google during authentication, for instance, but that would be a validation url, not a redirect_url, because the user/server doesn't "go" to that url at that point in the process.
So, I don't know what to do with redirect_url because when I leave it out, things don't seem to work.
There's a lot going on in this question, so I don't really know the type of answer you're looking for. I wrote our code for authenticating our Qt app with Google SSO, and wrote the linked post discussing the problems we faced.
One thing I found confusing in the documentation and provided examples is that when defining an app in the Google console, if your client is a desktop one, there's no field for redirection URLs. Instead, the client specifies it when initiating the authentication flow, and then it's expected to open a transient server that listens for the return connection from the Google side. There's no point declaring it on the Google console because it cannot be validated unless the client app is running at the moment, and even then, it's typically a hardcoded URL like http://127.0.0.1:1234/ as you would expect.
My application has a microsoft authentication on it before logging into it & I have recorded script but when I am running it, it is showing me access denied error everytime.I have set authentication manager but still same error. See image attached.
I have tried HTTP Authentication Manager & provided login username & password.
Most probably your application uses OAuth therefore it is neither something you can really record and replay nor handle with the HTTP Authorization Manager.
Depending on your application setup you will either need:
To perform correlation of the query parameters
Or to pass the relevant Authorization Bearer token via HTTP Header Manager. The process of obtaining the token can be different depending on your application login chain implementation, check out How to Run Performance Tests on OAuth Secured Apps with JMeter article to get a couple of ideas regarding bypassing 3rd-party provider login challenge in JMeter tests.
Check if you can provide the auth credentials as parameter of the requests.
for example www.abc.com?username=abc&password=abc. Replicate the same with Jmeter
Use Fiddler (or you can get away with browser dev tools if you don't mind searching manually) and log in manually via your browser.
Check the request(s) that are submitted to Microsoft for tokens/GUIDs and search for where the browser got those strings from (it'll be in one of the previous requests' responses' bodies or redirect URLs. In Fiddler you can use the find function on responses, browser dev tools you'll have to find it manually).
You can then use a JMeter Regular Expression Extractor post-processor (or any of the other post processors you prefer) to extract that string from the earlier request into a variable.
In your login request you can then use the value of that variable (if you used regular expression post-processor with a capture group the first group's value will be ${variable_g1}
You'll probably have an anti-forgery value that you can extract from the HTML of the login page which needs to be submitted with the username and password and then in the response you'll get a cookie set and potentially JWT token in the response body/URL.
I'm having trouble with Adobe Sign's OAuth authentication -- every time I try to get my access token with my Client ID and redirect URI, I get this message:
Unable to authorize access because the client configuration is invalid: invalid_request
This is the request that I have been making (with the proper substitution for REDIRECT and CLIENTID):
https://secure.echosign.com/public/oauth? redirect_uri=REDIRECT& response_type=code& client_id=CLIENTID& scope=user_login:self+agreement_send:account
I am fairly new to OAuth and don't understand what I'm doing wrong. Could someone please explain the issues that could result in this error message?
I was having the same problem. I solved it by including the correct shard in the URL after "secure." and before ".echosign". You identify your shard by looking at the URL where you created your application.
I found this information here.
Hope this helps.
Is OK to have spaces in that https request?
If you still have a problems with this.
I think your URL is not correct.
I using this one
https://secure.na2.echosign.com/public/embeddedWidget
for adobe widget.
Adobe require same url for OAuth
https://secure.na2.echosign.com/public/oauth
Check your domain, and try. You can create widget just to see your domain
This comment might get helpful for others who are facing issue in Adobe Sign access token invalid_request.
Developer Guide on Sign API: https://opensource.adobe.com/acrobat-sign/developer_guide/index.html
For the Outh process and the link to be used in user's browser:
https://secure.na1.adobesign.com/public/oauth/v2?redirect_uri=https://www.google.co.in&response_type=code&client_id=paste_your_client_id_here&scope=user_read:account
If any one using sandbox,
https://secure.na1.adobesignsandbox.com//public/oauth/v2?redirect_uri=https://www.google.co.in&response_type=code&client_id=paste_your_client_id_here&scope=user_read:account
Please ensure the correct environment identifier and shard. https://helpx.adobe.com/sign/using/identify-account-shard.html
https://helpx.adobe.com/sign/kb/unable-to-authorize-access-because-the-client-configuration-is-invalid-invalid-request-while-running-oauth-process.html
After pasting URL in browser and allowing the access to your API and getting code. Please use endpoint URL to get access token as below:
for developer account: https://api.na1.adobesign.com/oauth/v2/token
for sandbox account: https://api.na1.adobesignsandbox.com/oauth/v2/token