I'm trying to get a token through my OAuth application as written in the documentation, but I always get this error
{"error_description": "Invalid OAuth client credentials", "error":
"unauthorized_client"}
My actions:
I receive the code:
https://bitbucket.org/site/oauth2/authorize?client_id={my_application_key}&response_type=code
I want to receive a token for this code:
curl -X POST -u "client_id: my_application_secret" https://bitbucket.org/site/oauth2/access_token -d grant_type=authorization_code -d code={code}
Maybe I'm missing something?
Replace all your client_id and secret with the consumer key and consumer secret respectively generated from your Bitbucket Settings' OAuth.
When you've successfully authorized your integrating app and generated the access_token via: https://bitbucket.org/site/oauth2/access_token , you should receive an access_token.
Related
Due to the new updates of the Soundcloud API, I'm trying to update the authentication flow in my code ( the project was using login and password ).
But I'm blocked by a problem, and I'm losing my head.
I follow instructions on this page : https://developers.soundcloud.com/blog/security-updates-api
I manage to get a refresh token and an access token with this :
curl --request POST \
--url https://api.soundcloud.com/oauth2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_id=CLIENT_ID \
--data client_secret=CLIENT_SECRET \
--data grant_type=client_credentials
But I'm not able to execute this request, which is an example in the mentionned page, with the access token I got with the previous request :
curl --request GET \
--url 'https://api.soundcloud.com/me/tracks?limit=1' \
--header 'Authorization: OAuth ACCESS_TOKEN'
The request response is always :{"code":401,"message":"","link":"https://developers.soundcloud.com/docs/api/explorer/open-api","status":"401 - Unauthorized","errors":[],"error":null}
I tried with a refresh of my access token, and with the url "https://api.soundcloud.com/me" instead of "https://api.soundcloud.com/me/tracks?limit=1".
And always returning the same error.
Can someone help me ?
Thanks by advance, and thanks for reading.
OK, I think I got it, thanks to this question on github :
https://github.com/soundcloud/api/issues/76
"The client_credentials auth flow is meant only for server-side integration and allows access to public endpoints only. Meaning that for endpoint /me or any other user-related endpoint you have to use the Authorization Code flow which provides the client-side integration."
And here : https://developers.soundcloud.com/docs/api/guide#authentication :
"if your app needs to access only public resources, you can use the OAuth Client Credentials Flow"
I'm done with the error messages too blurry... and with me reading too fast !
I will add the correct authentication method in comments later.
UPDATE : "manual" authentication flow
As the project is behind a VPN, I can't use normal authentication flow ( redirect_uri can't be called by soundcloud !)
So :
Get a "code"
First, authenticate on SoundCloud with the account you want to access ( or ask your customer to do it )
In your browser, type this url :
https://api.soundcloud.com/connect?client_id=YOUR_CLIENT_ID&response_type=code&scope=&state=[random_string]&redirect_uri=YOUR_REDIRECT_URI
Accept the demand and this will redirect you to an URL with the code inside : code=YOUR_CODE. Keep it. If this is done by your customer, simply ask him to copy-paste the url.
That's not really secure, but you can't avoid it if your redirect uri is not accessible from Soundcloud.
Obtain a refresh token and an access token :
With curl, to keep your Client Secret, or App Secret, secret ( indeed :D ). And also the access token.
curl -X POST "https://api.soundcloud.com/oauth2/token"
-H "accept: application/json; charset=utf-8"
-H "Content-Type: application/x-www-form-urlencoded"
-d "grant_type=authorization_code&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&redirect_uri=YOUR_REDIRECT_URI&code=YOUR_CODE"
This last request will answer in json format. Inside, you'll find an access token, and a refresh token.
Register the refresh token in your projet to reuse it to refresh your access token when needed !
I'm trying to fetch a decent number of API URLs like https://api.wikimedia.org/core/v1/wikipedia/en/file/File%3AFlag%20of%20Madison%20Heights%2C%20Michigan.svg.
I have signed up for an API key as described in the instructions.
However, when I issue my requests with the Authorization: Bearer [long JWT Access Token goes here] header, I just get {"error":"rest-read-denied","httpCode":403,"httpReason":"Forbidden"} back.
If I omit the Authorization header, then I do get a good response, but am severely rate limited.
The API Portal says that my API key is approved. I have tried resetting the secret, and have tried creating a separate one, I have inspected the exact headers sent by using curl -v and I can see the Authorization header in there and it looks correct (diffed it with the access token).
If I modify the token, then I get a different error message: {"httpCode":401,"httpReason":"Jwt verification fails"} so clearly my token is passed in correctly and it's a permissions issue with my API key. I have tried both a key with read only permission, and a key with both read & edit permissions, but no dice.
The example cURL request in the signup instruction also fails with a rest-read-denied error:
curl -H "Authorization: Bearer $AccessToken" \
https://api.wikimedia.org/core/v1/wikipedia/en/page/Earth/bare
!?!?
I have created a job of JDBC to BigQuery using the web interface and it worked just fine.
Now I want to create the same job from the REST API of GCP so I took the rest equivalent of the request from the site and tried to send it from Postman.
I'm sending POST request for the following URL:
https://dataflow.googleapis.com/v1b3/projects/test-data-308414/templates:launch?gcsPath=gs://dataflow-templates/latest/Jdbc_to_BigQuery
which I got from the example in the GCP documentation.
I also pass the JSON that the GCP gave me in the body.
And the API key as get parameter in the next format "?key=[API_KEY]"
I'm getting 401 response from the server with the following message:
Request is missing required authentication credential. Expected OAuth
2 access token, login cookie or other valid authentication credential.
See
https://developers.google.com/identity/sign-in/web/devconsole-project.
With a status of:
UNAUTHENTICATED
I looked up at the link and found a tutorial on how to create google authentication on the front end
witch is not helpful to me.
I'm pretty sure that I'm passing the API key in the wrong format and that the reason it failed to authenticate.
But I couldn't find any documentation that says how to do it correctly.
PS> I have also tried passing it at the headers as I saw in one place
in the next format
Authorization : [API_KEY]
but it failed with the same message
Few days back I was trying to integrate GCP into MechCloud and struggling to figure out how to invoke a microservice ( which is acting as a proxy to GCP) with credentials for different projects which will be passed to this microservice on the fly. I was surprised that in spite of spending good amount of time I could not figure out how to achieve it because GCP documentation is focused on working with one project credentials at a time using application default credentials. Another frustrating thing is that API explorer shows both OAuth 2.0 and API Key by default for all the APIs when the fact is that API Key is hardly supported for any API. Finally I found the solution for this problem here.
Here are the steps to invoke a GCP rest api -
Create a service account for your project and download the json file associated with it.
Note down values of client_email, private_key_id and private_key attribues from service account json file.
Define following environment variables using above values -
GCP_SERVICE_ACCOUNT_CLIENT_EMAIL=<client_email>
GCP_SERVICE_ACCOUNT_PRIVATE_KEY_ID=<private_key_id>
GCP_SERVICE_ACCOUNT_PRIVATE_KEY=<private_key>
Execute following python code to generate jwt_token -
import time, jwt, os
iat = time.time()
exp = iat + 3600
client_email = os.getenv('GCP_SERVICE_ACCOUNT_CLIENT_EMAIL')
private_key_id = os.getenv('GCP_SERVICE_ACCOUNT_PRIVATE_KEY_ID')
private_key = os.getenv('GCP_SERVICE_ACCOUNT_PRIVATE_KEY')
payload = {
'iss': client_email,
'sub': client_email,
'aud': 'https://compute.googleapis.com/',
'iat': iat,
'exp': exp
}
private_key1 = private_key.replace('\\n', '\n')
# print(private_key1)
additional_headers = {'kid': private_key_id}
signed_jwt = jwt.encode(
payload,
private_key1,
headers=additional_headers,
algorithm='RS256'
)
print(signed_jwt)
Use generated jwt token from previous step and use it as a bearer token to invoke any GCP rest api. E.g.
curl -X GET --header 'Authorization: Bearer <jwt_token>' 'https://compute.googleapis.com/compute/v1/projects/{project}/global/networks'
The best practice to authenticate a request is to use your application credentials. Just make sure you installed the google cloud SDK.
curl -X POST \
-H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d #request.json \
https://dataflow.googleapis.com/v1b3/projects/PROJECT_ID/templates:launch?gcsPath=gs://dataflow-templates/latest/Jdbc_to_BigQuery
I've got some code (a script on a server) that tries to send an OAuth2 request to get a token from an API. I have a client id, and client secret from the "OAuth 2.0 Client Ids" section of the "Credentials" tab in the Google Cloud Platform > APIs and Services. I also have a refresh token that I originally obtained somehow.
The URL I am POSTing to is:
https://www.googleapis.com/oauth2/v4/token
I'm sending the header
Content-Type: application/x-www-form-urlencoded
In the body of my post I have the following information:
grant_type=refresh_token&client_id=${encodeURIComponent(client_id)}&client_secret=${encodeURIComponent(client_secret)}&refresh_token=${encodeURIComponent(refresh_token)}
However, it has been a long time since I last ran this code and now it returns an error "bad grant". On this page it says that a refresh token will stop working if it has not been used for six months, which explains why I am getting the error. However, it does not say how to get another refresh token using the client id and client secret similar to how I am now creating a post to get an access token. How do I do this?
I believe your goal and your current situation as follows.
You want to retrieve new refresh token from the current client ID and client secret.
Your client ID and client secret are the valid values.
In this case, in order to retrieve new refresh token, it is required to use the additinal 2 parameters of scope and redirect_uri. These parameters can be confirmed at your created client ID of "OAuth 2.0 Client IDs" of "Credensials" tab in the Google Cloud Platform. When the parameters including client_id, client_secret, scope and redirect_uri are used, new refresh token can be retrieved. The flow for this is as follows.
1. Retrieve authorization code.
Please create the following endpoint using client_id, redirect_uri and scope.
https://accounts.google.com/o/oauth2/auth?client_id={your client ID}&redirect_uri={your redirect uri}&scope={your scopes}&response_type=code&approval_prompt=force&access_type=offline
When you created above endpoint, please access it to your browser. By this, the login screen is opened. When you logged in to Google account, the authorization screen is opened. When you permit the scopes, the authorization code can be retrieved.
When your credential is for the web application, you can retrieve the code at the URL on the browser like http://{your redirect uri}/?code={the authorization code}&scope={your scopes}.
Please copy the code.
2. Retrieve refresh token.
Using the retrieved authorization code, you can retrieve new refresh token. The sample curl command for this is as follows.
curl \
-d "client_id={your client ID}" \
-d "client_secret={your client secret}" \
-d "redirect_uri={your redirect uri}" \
-d "grant_type=authorization_code" \
-d "code={retrieved your authorization code}" \
"https://www.googleapis.com/oauth2/v4/token"
When above curl command is run, the following result is obtained.
{
"access_token": "###",
"expires_in": 3600,
"refresh_token": "###",
"scope": "{your scopes}",
"token_type": "Bearer"
}
Reference:
Using OAuth 2.0 to Access Google APIs
Iam trying to get the Channel Subs of a Channel with the following call:
https://api.twitch.tv/kraken/channels/<CHANNELID>/subscriptions?client_id=XXX&oauth_token=XXX
But i get always this response:
{
"error": "Forbidden",
"status": 403,
"message": "Unable to access channel subscribers of <CHANNEL>"
}
Can you please tell me, what I need to pass, that i get the permissions?
Thanks, Greetings
If you are using new Twitch API you should send token in your authorization header starting with Bearer keyword. If you are using API v5 then you should add Oauth keyword. In your example you are trying to send it in query parameters.
Select the one which is correct for you.
In the new Twitch API:
curl -H "Authorization: Bearer <access token>" https://api.twitch.tv/helix/
In Twitch API v5:
curl -H "Authorization: OAuth <access token>" https://api.twitch.tv/kraken/
You can also find more information in the official documentation: https://dev.twitch.tv/docs/authentication/