We are developing a web application with Google OpenID Connect Single Sign-On and currently having trouble in google authentication.
Every time we access the application login page, the URL of google account chooser is randomly changed.
Sometimes it goes to https://accounts.google.com/signin/oauth?response_type=code&client_id=... which is what we expects, sometimes goes to https://accounts.google.com/AccountChooser?oauth=1&continue=... that results in 400. That’s an error. The server cannot process the request because it is malformed. It should not be retried. That’s all we know. shown in google error page.
We follow https://developers.google.com/identity/protocols/oauth2/openid-connect to implement OAuth 2.0 authorization code flow.
Here are some of parameters we specified in auth request.
response_type: "code"
scope: "openid email"
openid.realm: App URL
redirect_uri: App callback URL
nonce: Not set
Any help would be greatly appreciated.
Thank you.
Related
I am following this guide (https://learn.microsoft.com/en-us/skype-sdk/ucwa/authenticationusingazuread) in order to access Skype for Business. Everything goes fine till the last part but let's do step by step. I am building my .net console application to do this but in order to explain you properly the problem I am having I will show you directly the http calls through Insomnia (software used to make http calls).
Step 1:
GET request towards https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root
I hit 200 and as answer I receive this:
Step 2:
I use the user link.
So I send an http request to https://webdir1e.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user and I get a 401 Unauthorized (everything still correct).
In the header of the answer it points me to the Identity Provider to ask for authorization (authorization_uri)
Step 3: I use that link to authorize my app, which has its own client_Id (that I hide in the following screenshot).
This is how I compose the call:
If I send this http request I get redirected to the page where it asks my personal login and by inserting my credentials I succesfully login and hit 404, where in the answer I receive back my access token.
Step 5: I use the access token towards the same AutodiscoverService link of step 1. This is to register my application. I hit 200 and I receive back the link to access Skype for Business.
Finally (and this is where things go wrong) I send a POST request towards the applications link with the Bearer token, and I receive a 403 Forbidden. I think I am following correctly the guide but I can't figure out why I can access the resource at the last step.
EDIT:
The permissions are granted. I hide the name since it contains the name of my company. But it is the same of the domain of my login.
So the token you generated authorizes you to access resources at https://webdir1e.online.lync.com which you've done to fetch a new set of resources including the "application" resouce which is on a DIFFERENT host: https://webpooldb41e14.infra.lync.com.
You actually have to get another OAuth token now which authorizes you for the application resource and then you can POST to that to generate your session in UCWA.
As a side note... If you've defined your own single-tenant application in Azure that has been granted rights to SkypeForBusinessOnline then I think you should be targeting authorization and authentication endpoints of the form:
https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize
https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
Also I should add, if you're trying to write a trusted secure client that users in your company will use I would suggest looking up the Resource Owner Password Credentials auth flow. It allows you to directly hit the token endpoint I mentioned above and exchange username/password credentials for an access token. Then you can manage auto-discovery and application creation easily under the hood without getting re-directed back and forth to Azure.
https://learn.microsoft.com/mt-mt/azure/active-directory/develop/v2-oauth-ropc
We have an application that uses Dropbox API. When the user goes through the Dropbox OAuth 2 flow and signs-in using their email address and password, all works fine and we get the access_token. However, when the user uses the "Sign in with Google" flow in the Dropbox authorization dialog, we get back code which we then try to exchange for access token but the request fails with {"error_description": "code doesn't exist or has expired", "error": "invalid_grant"}.
Here's the steps we use:
1.
var dbx = new Dropbox.Dropbox({ clientId: clientId });
var authUrl = dbx.getAuthenticationUrl('https://www.dropbox.com/1/oauth2/redirect_receiver');
This gives us url https://www.dropbox.com/oauth2/authorize?response_type=token&client_id=...&redirect_uri=https://www.dropbox.com/1/oauth2/redirect_receiver.
2.
Open authUrl in a popup.
3.
User uses "Sign in with Google"
4.
We get a redirect to the URL below that contains the code:
https://www.dropbox.com/google/authcallback?state=...&code=...&scope=...
Now trying to exchange the code for access token with POST to https://api.dropboxapi.com/oauth2/token gives us:
{"error_description": "code doesn't exist or has expired", "error": "invalid_grant"}
The problem here is that, given the use of the Google Sign In flow, there are actually two OAuth authorization flow instances occurring; the Google Sign In flow is nested inside the Dropbox app authorization flow. Your app doesn't actually need to know about this though.
That https://www.dropbox.com/google/authcallback URL is Dropbox's redirect URL for the Google Sign In flow, and accordingly the code given there is for the Google OAuth flow, not the Dropbox OAuth flow. Attempting to use it for the Dropbox OAuth 2 flow will accordingly fail as you've seen (since it actually came from Google, not Dropbox).
You should have your app wait until your own redirect URL (in your shared code, https://www.dropbox.com/1/oauth2/redirect_receiver) is accessed, and only then take the code from there and exchange it for a Dropbox access token.
I've been experimenting with Cognito for a few days, and I am now testing the Built-in signing UIs. I have managed to get it working, I am able to see the login page and successfully login with a User I have created. For my callback URL I'm using localhost:3000 as a testing ground, where I'm running a React SPA.
However, I am at a complete loss about what to do once I'm redirected. The documentation says I should get a URL with a JWT as a query parameter. Instead, I'm getting a URL of the form:
localhost:3000/?code=########-####-####-####-############
where # is an alphanumeric character. I don't recognize this code, I don't think it is a JWT. I would highly appreciated it anyone could:
explain what it is
direct me to any kind of documentation on how to use it?
After redirection, You are getting localhost:3000/?code=########-####-####-####-############
This means you have enabled code grant flow
This code is used to get the tokens from Amazon Cognito.
Request Type: POST
URL: https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token
PayLoad:
grant_type=authorization_code&
client_id=<CLIENT_ID>&
code=<AUTHORIZATION_CODE>&
redirect_uri=com.myclientapp://myclient/redirect
Here you can see we are passing code in the payload with redirect url.
The response of this POST request will be your tokens ( If Successful authentication :) )
Sample Response:
{
"access_token":"eyJz9sdfsdfsdfsd",
"refresh_token":"dn43ud8uj32nk2je",
"id_token":"dmcxd329ujdmkemkd349r",
"token_type":"Bearer",
"expires_in":3600
}
You can save this token in your localstorage or sessionstorage for further custom authentication.
Please refer all the available endpoints of amazon cognito for more details.
Ex:
Authorization Endpoint
Token Endpoint
I hope now it makes clear to you!
I'm developing an app that will need google's OAuth2.0. Initially, I was trying to test the webservice using postman. and below are the steps that I've followed.
In https://console.developers.google.com/, I've created a project.
Under Library I've enabled Google People API
In credentials, I've created one with https://www.getpostman.com/oauth2/callback as redirect URL
I got the lient secret and client ID.
With the above details I'm trying to test the same in postman.
In post man I did the below steps.
Selected OAuth2.0 under Authorization and clicked on get new Access token. This opened a new window and I entered the below details.
Auth URL : https://accounts.google.com/o/oauth2/auth
Access Token URL : https://accounts.google.com/o/oauth2/token
Client ID : the one that I got from google console
Client Secret : the one that I got from google console
Scope: https://www.googleapis.com/auth/contacts https://www.googleapis.com/auth/contacts.readonly https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/user.addresses.read https://www.googleapis.com/auth/user.birthday.read https://www.googleapis.com/auth/user.emails.read https://www.googleapis.com/auth/user.phonenumbers.read https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile
Grant Type: Authorization Code.
And when I click on request token, I'm redirected to accept the permission and to my surprise, the configuration details window (In postman), doesn't go off and display me a token. Below is a screenshot post I click on Request Token.
Please let me know where am I going wrong and how can I fix this.
Thanks
This is from the google federated login description
"Once Google accepts the authentication request, the user is redirected to a Google authentication page. At this point the authentication sequence takes over. On successful authentication, Google redirects the user back to the URL specified in the openid.return_to parameter of the original request."
I assume my web app is responsible for the redirect 'to a Google authentication page' mentioned here? I dont see how google can make this redirect.
And If my webapp does the redirect, how do the openid request parameters get sent to google?
On reading some more, its only possible that once "Once Google accepts the authentication request", (I assume the requesting party gets a 200 http status), the requesting web application now adds the same parameters that had been posted to google login endpoint to a google authentication url and then redirects the user to this url