I am using Google Cloud Endpoints with JWT Authorization and I am trying to Upload File from API.
There is no Issue with JWT as it is already working correctly with all other types ex. [application/JSON].
API POST Call (api/document/processrequest) with Content Type as multipart/form-data is saying Bad Format Response from Google Endpoints for Same Token.
API Post Call (api/document/processrequest) with ContentType (application/JSON) have no issues.
Is Google Cloud Point not supporting multipart/form-data?
Authorization Token is passed in Header. Authorization: Bearer [Token]
Everything works fine in Localhost/Development Environment without Endpoint.
Error Generated In Stackdriver Log:
Firebug error sample call:
Firebug success sample call with application/json:
I have specified application/JSON and multipart/form-data both in openapi specification.
Endpoints does not support multipart/form-data.
Related
We are using App Service Authentication to protect a web API and using Google as authentication provider. It works as expected when we fire a request from a browser (when the session information is in the cookie)
IIS log:
2016-05-29T13:51:19 PID[3600] Verbose Received request: GET
https://XXXXXX.azurewebsites.net/api/user 2016-05-29T13:51:19
PID[3600] Verbose Found 'AppServiceAuthSession' cookie for site
'XXXXXX.azurewebsites.net'. Length: 728. 2016-05-29T13:51:19
PID[3600] Verbose Authenticated XXXXXX#gmail.com successfully
using 'Session Cookie' authentication.
But when we use API testing tool such as Postman and set the Authorization header with bearer token, it always results in redirection.
IIS log:
2016-05-29T13:53:38 PID[3600] Verbose Received request: POST
https://XXXXX.azurewebsites.net/api/user 2016-05-29T13:53:38
PID[3600] Information Redirecting:
https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=XXXXXXX-XXXXX7attpunn9smo4.apps.googleusercontent.com&redirect_uri=https%3A%2F%2FXXXXXX.azurewebsites.net%2F.auth%2Flogin%2Fgoogle%2Fcallback&scope=openid+profile+email&state=nonce%3De5f4aabe11cb4544bf18d00920940d47_20160529135838%26redir%3D%2Fapi%2Fuser
We also tried to set X-ZUMO-AUTH header with the same bearer token, we see error as the token is not in expected format. Apparently it expects encoded JWT token.
IIS log:
016-05-29T13:51:52 PID[3600] Verbose Received request: POST
https://XXXXXX.azurewebsites.net/api/user 2016-05-29T13:51:52
PID[3600] Warning JWT validation failed: IDX10708:
'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this
string: 'Bearer
ya29.XXXXXXXXXX_RDrX_zsuvMx49e_9QS5ECz9F1yhDHe5j4H9gRN6opkjLXvN1IJZjHXa_Q'.
The string needs to be in compact JSON format, which is of the form:
'..'.. 2016-05-29T13:51:52 PID[3600]
Information Redirecting:
https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=XXXXXXX-k5nj6dkf987attpunn9smo4.apps.googleusercontent.com&redirect_uri=https%3A%2F%2FXXXXXX.azurewebsites.net%2F.auth%2Flogin%2Fgoogle%2Fcallback&scope=openid+profile+email&state=nonce%3De15b0915406142378XXXXX_20160529135652%26redir%3D%2Fapi%2Fuser
Note:
Bearer token obtained from Google is valid as we can verify the detail by making call to
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=[token]
Please suggest.
The Google token you're using is an access token, not a bearer token. It can be used to access Google resources but cannot be used to authenticate with your Web API.
I wasn't able to find good documentation on this, but I can tell you it works here instead:
In your client app, you must obtain an id_token and an authorization code from Google. You normally get this when the user logs in using the Google OpenID Connect login. I assume you already know how to do this since you already know how to get the access token.
Send a POST request to https://{hostname}/.auth/login/google with a JSON payload that looks like {"authorization_code":"<code>", "id_token":"<id_token>"}.
A successful login response will contain a JSON payload that contains an authenticationToken field. Cache this token.
You can use the authentication token from #3 to make authenticated calls to your web API. Put it in the x-zumo-auth HTTP request header.
Turn on Authentication / Authorization from App Service Portal
Browse to the web app or API that requires authentication, you will be redirected to google login page, when you authenticate successfully, the response will contain:
"id_token": this token can be extracted from the response, or by accessing the Token Store /.auth/me
"redirect_uri" this token will be included in the response body, also you can just set it statically in the following step since this is the callback URL and it shouldn't change unless you change it from the google console
POST a request to https://{hostname}/.auth/login/google with the following JSON payload, {"redirect_uri":"", "id_token":""}. a successful response will contain "authenticationToken" store this token or cache it
Subsequent requests to the APIs that requires authentication should contain an HTTP request header:
"x-zumo-auth" with the value of "authenitcationToken"
Bonus:
In order to verify your token you can POST to https://{hostname}/.auth/login/google with the following JSON pay load {"id_token":""}, the response should specify if the token is valid or not
I am building a program that will list albums/folders and images from my Amazon Cloud Drive. I am able to authenticate and get a token by following the instructions here at amazon public apis.
I am having trouble with the next call to get my endpoints described here under Account API.
Using get
GET : {{metadataUrl}}/account/endpoint Gets the customer end-point against
which REST queries will be executed.
So my request looks just like this in fiddler and on my site just like it is described on the Amazon site here under Get Endpoint. The only differences is the token for obvious reasons.
Sample Request:
GET /drive/v1/account/endpoint HTTP/1.1
Host: drive.amazonaws.com
Authorization: Bearer
Atza|IQEBLjAsAhQ5zx7pKp9PCgCy6T1JkQjHHOEzpwIUQM
My response is:
{
"message":"Authorization header requires 'Credential' parameter.
Authorization header requires 'Signature' parameter.
Authorization header requires 'SignedHeaders' parameter.
Authorization header requires existence of either a 'X-Amz-Date'
or a 'Date' header. Authorization=Bearer"
}
What I am expecting:
{
"customerExists": true,
"contentUrl": "https://content-na.drive.amazonaws.com/cdproxy/",
"metadataUrl": "https://cdws.us-east-1.amazonaws.com/drive/v1/"
}
I did find some information about building the objects in my response from amazon, however, it's not listed in the documentation on the amazon developer site. Is this something new that has not been updated in the docs or am I doing something wrong?
I had a new line between Authorization: Bearer and my token Atza|IQEBLjAsAhQ5zx7pKp9PCgCy6T1JkQjHHOEzpwIUQM. After removing the new line my issue was fixed..
I have to migrate from Google OAuth 1.0 to OAuth 2.0.
I just have wrote a small request in Chrome Rest Client:
POST: https://accounts.google.com/o/oauth2/token
Headers: Authorization: OAuth realm="", oauth_signature="PU3W5uRL0eAyEi", oauth_nonce="1396865138306881000", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="XXXXX.apps.googleusercontent.com", oauth_token="YYYYY", oauth_timestamp="1396865138", Content-Type: application/x-www-form-urlencoded
Payload: grant_type=urn:ietf:params:oauth:grant-type:migration:oauth1&client_id=ZZZZZ.apps.googleusercontent.com&client_secret=SSSSS
For that I receive an error message:
Status: 400 Bad Request
"{
error: "invalid_request"
error_description: "Invalid authorization header."
}"
The problem could be that I try to migrate from one Project in Google Developers Console to another.
Could that really be a problem?
The reason that I moved to another project is because I cannot create OAuth 2.0 Client ID in the original Project. I receive the following error message:
"You can not create OAuth 2.0 client ID because this project already contains an Oauth 1.0 client ID."
Please suggest.
Thank you,
E
As pointed out in a similar post, when constructing the base string to sign your migration requests, please make sure that the string uses a POST method and that it contains all relevant migration parameters as per the migration documentation.
As per OAuth1 spec, a valid base string for a migration request should look like:
POST&https://accounts.google.com/o/oauth2/token&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=urn:ietf:params:oauth:grant-type:migration:oauth1&oauth_consumer_key=YOUR_CONSUMER_KEY&oauth_nonce=NONCE&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1396414006&oauth_token=THE_TOKEN_TO_MIGRATE
Note that, for readability purpose, the above is the decoded version of the base string (check out the OAuth1 spec for more examples).
Hope that helps, Miguel.
When generating the base string you will need to ensure that each individual parameter is URL encoded before constructing the base string.
As per the oAuth documentation to sign OAuth 1.0 requests the base string is made up of 3 components
The HTTP request method
The base URL the request is being sent to
A normalized string of the parameters in the request
When constructing the base string you need to do the following
Ensure HTTP request method is POST
URL encode the base URL
Ensure the three POST body parameters [client_id, client_secret, grant_type] are included in the normalized request parameters
Ensure each parameter is individually URL encoded and then URL encode the complete normalized request parameters string. So in effect, some of the paramters are double URL encoded. This double URL encoding is mentioned in Using OAuth with the Google Data APIs#Signing Requests for the oauth_token
Only after doing all these steps did I get the migration request to work and I received a valid refresh_token
Below is a sample base string
POST&https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Ftoken&client_id%3Dxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com%26client_secret%3Dxxxxxxxxxxxx%26grant_type%3Durn%253Aietf%253Aparams%253Aoauth%253Agrant-type%253Amigration%253Aoauth1%26oauth_consumer_key%3Dxxxxxxxxx%26oauth_nonce%3D4106001%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1400779530%26oauth_token%3D1%252FkklP1YPy_AULt7j_tttttt_tterwerkj_dfj45dflk
Hey guys I ran into a weird issue with trying to use the Yammer API's Download URL.
Since this is an API call, you would think that you could just append your users
access token to the end of the API URI to initiate a direct download of the file,
but it seems that this will lead to a 401 Unauthorized when trying to actually use it?
My api urls are set up as so
https://www.yammer.com/domain.com/api/v1/uploaded_files/{file_number}/version/{version_number}/download/somepdf.pdf?access_token={access_token}
Does anyone know why this does not work?
?access_token={access_token} will not work the token should be in the http header and not the url after authentication.
If you are trying to access Yammer programmatically from an application be aware of the following:
Around December 2013 Yammer has slightly modified the authentication process.
By then the access_token could be part of the URL as described in the question.
Calling the API with the old code results in a HTTP 401 error. By now it is important to transport a Bearer Token in the HTTP Request like this:
GET /api/v1/messages/following.json HTTP/1.1
Host: www.yammer.com
Authorization: Bearer abcDefGhi
abcDefGhi is the token gathered after the oauth authorization.
Source:
http://developer.yammer.com/authentication/
In my Rails 3 app, I am able to successfully authenticate using Oauth2 and able to get the metadata for a file. The downloadUrl is
https://doc-10-3o-docs.googleusercontent.com/docs/securesc/tj647mo7q16s2rquitcrcv800pkn7gcf/ap67p147th03cn8rjpu68i8qva3p7i8j/1345240800000/02289284805103305740/02289284805103305740/0BwsQ03A3DXbCTVBjUDlNNzNJNDQ?h=16653014193614665626&e=download&gd=true
The documentation states that I must do the following:
Gets a file's metadata by ID. To download a file's content, send an authorized HTTP GET request to the file's downloadUrl
I do not wish to use Google APIs Client Library for Ruby, but simply formulate a HTTP Request using HTTParty
Here is a snippet of the code I've been trying to get to work
response = HTTParty.get(https://doc-10-3o-docs.googleusercontent.com/docs/securesc/tj647mo7q16s2rquitcrcv800pkn7gcf/ap67p147th03cn8rjpu68i8qva3p7i8j/1345240800000/02289284805103305740/0?access_token={token})
open("/User/mymachine/test.pdf", 'wb'){|pdf| pdf << response.body}
I'm pretty sure I'm formulating the request wrong. Any help would be greatly appreciated. Thanks in advance.
You have to add the Authorization: Bearer header to your request, together with the access token you retrieved during the OAuth 2.0 flow.
Basically, your HTTP request must look like the one in the OAuth 2.0 documentation:
https://developers.google.com/accounts/docs/OAuth2WebServer#callinganapi
I'm not a Ruby expert, but the request using HTTParty should be:
response = HTTParty.get(downloadUrl, :headers => {"Authorization" => "OAuth {token}"})
Where downloadUrl is the one you got from the file's metadata and token is the access token you retrieved when performing authorization.