I've just started with the oauth2 and xero (using .net)
I've run through the scoop install, following the docs, grant type of 'authorization_code', scope of 'd', which gave me the access and refresh tokens.
Now when running the example project, XeroNetStandardApp, after replacing client id, secret, callback uri and tokens, I'm getting a 401 when I try to do anything after retrieving the new token.
The token refresh appears to be working fine. If I call https://api.xero.com/connections with the bearer, I get [] (so, no elements in the response), so I assume this is some type of user auth error, but I'm at a bit of a loss as to what I do here.
Any help would be much appreciated
When setting up xoauth via powershell, explicitly set the scopes you are wanting the user to have. This seems obvious to me now, but didn't while I was following the setup instructions
Related
I cannot replicate the example regarding the authentication with JWT using graphql and provided in the tutorial https://www.howtographql.com/graphql-python/4-authentication/. The "me" query does always fails cause we get the value AnonymousUser from info.context.user instead of the authenticated user by the JWT token in the http header.
Did anyone face this problem before?
Many thanks in advance,
I am developing an iPhone application to demonstrate the MFA using sms factor with MFA APIs for POC. I am using the authorisation flow for getting my access token (where I get a authorisation code and redeem it for an access token)earlier to MFA implementation. From the documentation, I found out that I need an MFA_token to work with MFA APIs. I added few changes with my existing authorisation process.
I am getting an MFA Token by doing the following steps:
Added scope enroll read:authenticators to authorisation endpoint( i.e. “https://<my_domain>/authorize”)
Added an audience:
https://<my_domain>/mfa to the authorisation endpoint
Then I make a post request to token endpoint with authorization code to get the mfa_token.
The only changes I can observe is now the access token(which I presume to be the mfa_token) is in jwt format with expire time 600 sec. By using this access token(=mfa_token)
I built a custom pages for my user for enrollment and challenging the user via sms.
I am able to enroll user, confirm enrollment using this access token.
But when I challenge an user using this access token I get the following error after https://YOUR_DOMAIN/mfa/challenge call.
{
“error”: “invalid_grant”,
“error_description”: “Malformed mfa_token”
}
Can anyone please say me where I am going wrong?
Is the access token same as the MFA_Token in my case?
Thanks in Advance!
I think the access_token only serves as mfa_token during OOB/device registration. Thenafter, the user will get an mfa_token during auth, which is passed for MFA/OTP challenges
https://auth0.com/docs/login/mfa/ropg-mfa/manage-authenticator-factors-mfa-api#resource-owner-password-grant
I want to get the Authorization code to generate ACCESS TOKEN and REFRESH TOKEN for my Application. I'm trying to get the job done using POSTMAN. But this seems not working. I'm attaching a screenshot of POSTMAN. Can you tell me what I am doing wrong?
Any useful suggestion or alternative solution is appreciated.
https://www.postman.com/praveendvd-public/workspace/postman-tricks-and-tips/documentation/8296678-5dc51f3f-c7b0-4c66-a457-11af32bb1a63?entity=request-6dda15f2-306b-4915-a585-
use this public collection as an example
It will be easier to do this using settings within the Postman GUI. There is an Authorization tab in which you can specify auth type, configure new tokens, add your client id & secret, etc.
After many tries, I figured it out myself. To Generate the Refresh token and access token the first time, I needed Authorization Code. I thought I need to generate it again and again but it Turns out I needed it only once and when I got the access_token and refresh_token, I can easily generate access_token by using refresh_token.
Here's the corrected API request flow-
Requesting Authorization code
Using Web
Requesting ACCESS TOKEN and REFRESH TOKEN
Regenerating Access Token using refresh token
I am building an integration component using a graphical framework who has a pre-build OAuth2 connector.
This framework required following fields for OAuth v2:
Grant type
Scope
Auth Server URL
Client Id
Client Secret
Access Token
Refresh token
I need to get data from Google Analytics API, so I went to Google Dev Console
(https://console.developers.google.com/project/927890000889/apiui/credential). I generated a 'Client ID for web application'. From the parameter of this object I was able to fill some of the parameters above
Grant type : 'authorisation_code'
Client Id : 'RANDOMCHARSam5o37nsiu730d.apps.googleusercontent.com'
Client Secret : 'RANDOMCHARSiSwBA5OH5qYLUa'
Then using Google Oauth Playground (https://developers.google.com/oauthplayground) I was able to fill the missing bits
Scope : 'https://www.googleapis.com/oauth/analytics'
Auth Server URL : 'https://accounts.google.com/o/oauth2/auth'
Access Token : 'RANDOMCHARSQAQv4HRF5-JsQEzUS61lj2YremyCocv0PQ4-agpzJe'
Refresh token : 'RANDOMCHARSLPJnL4FPaDc2KP6V8kCzjjHO2Kj4Np_3X0'
Everything works fine, I am authorised to access and I get data from Google Analytics, but just for a while, after few minutes if I retry I receive an authorisation failure error.
I believe that the problem is related to the expiration of the Access Token, but I don't know how to solve that.
Worth to mention that this activity it's batch (no human interaction), so nobody can request a new access token.
The integration framework is not extensible (I cannot write code to renew the code) so I believe there's a way to get a access token that never expire or some other mechanism to achieve the same result.
Bottom line, I am not sure if I approached the requirement correctly since the beginning (Client ID for web application).
Any help is much appreciated,
Giovanni
Access tokens typically expire after 60 minutes. If you have a refresh token you can use the refresh token to get a new (valid) access token.
This doc explains how to do that:
https://developers.google.com/accounts/docs/OAuth2WebServer#refresh
To answer your overarching question, yes, you are approaching everything correctly. All you need to do is handle the case where the access token has expired by refreshing it. Also, when you originally requested the access token the response should tell you how long it's valid for, so you should only refresh that token if it's expired.
You can use Refresh tokens to make it more long used.
The Google Auth server issued Refresh tokens never expire,
A token might stop working for one of these reasons:
The user has revoked access.
The token has not been used for six months.
The user changed passwords and the token contains Gmail scopes.
The user account has exceeded a certain number of token requests. There is currently a limit of 50 refresh tokens per user account
per client.If the limit is reached, creating a new token automatically invalidates the oldest token without warning.
This limit does not apply to service accounts.
from: https://developers.google.com/identity/protocols/OAuth2
INFO: com.google.api.client.auth.oauth2.TokenResponseException: 400 OK
{
"error" : "invalid_grant"
}
my code is
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(js)
.setServiceAccountId(emailId)
.setServiceAccountScopes(scopes)
.setServiceAccountPrivateKeyFromP12File(new File(privateKeyPath)).build();
System.out.println("SERVICE ACCOUNT SERVLET CALLED");
credential.refreshToken();
this method is running fine but suddenly it starts to give error.
Possible reasons:
1) I was having a similar problem caused by the time on my server being incorrect. Make sure your system clock is synchronized.
2) You should reuse the access token you get after the first successful authentication. You will get an invalid_grant error if your previous token has not expired yet. Cache it somewhere so you can reuse it.
3) Make sure that you pass the access token, and not refresh token as that fails. When you run, it turns the OAUth2 refresh token into an access token and passes that to the service. If you pass the raw refresh token, this is not acceptable for API access without turning it into a short-lived access token.
4) You might have reached the refresh token limit. Certain Google APIs have this, some explanation you can find here: https://developers.google.com/compute/docs/authentication
5) You also can revoke it. Go to your Google API Console ( https://code.google.com/apis/console/ ) and revoke your Client Secret under Client ID for installed applications. Be sure to also update your code with the new Client Secret