Authorization Code Grant return invalid_grant - vb.net

I am trying to implement DocuSign OAuth by Authorization Code Grant.
Firstly what I am trying to do:
Make GET request to https://account-d.docusign.com/oauth/auth?response_type=token&scope=signature&client_id=71d5e08f-299d-480a-9520-74d2e5083008&state=a39fh23hnf23&redirect_uri=http://localhost/callback
When i have got token i am trying to make POST request by CURL
curl -i -v -d "grant_type=authorization_code&code=eyJ0eXAiOiJNVCIsImFsZyI6IlJTMjU2Iiwia2lkIjoiNjgxODVmZjEtNGU1MS00Y2U5LWFmMWMtNjg5ODEyMjAzMzE3In0.AQkAAAABAAYABwAABDYucBzVSAgAAJC8dXAc1UgCAISmNWgyUw9Hlk8ldzq-z2gNACQAAAA3MWQ1ZTA4Zi0yOTlkLTQ4MGEtOTUyMC03NGQyZTUwODMwMDgVAAEAAAASAAAAAAAYAAEAAAAFAAAAIAAABDYucBzVSA.0yPv4mlsiuab6ZlC11k_s9rR5gLO0Z1aEoHlyXrE30ba3LD6qBaqqVFcdQDJ3tagx0-6rg48fENjpkglkELnZG7tmF2AZYR98DUYgbot4OMnj0Y0Q-QhhqLvOe6SJmYxfYqCxBC03FVBjH9gTvCVD7kb0msN23-pw5WGRi5p209gNhr-YDv0wb9jwMJdNC-z5QSW0D5qgkbP5HKjIxgITG_qNCyO3CWPvlJIG8u1Wh1oB-EL4JI5fUZSNlipEpZRKG0jU9cbZbO8DaeEhZzfL54wc38r4luN-2XJx1yL48p4HgNP2ujWJAIJiJpy_-TnmMHTHzp3YTaPB7Swus_Leg" -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic NzFkNWUwOGYtMjk5ZC00ODBhLTk1MjAtNzRkMmU1MDgzMDA4OjY5MDcwMGI4LTAxMmQtNGU1My05N2FlLTVhNmFkNjg3OWVkYg==" -X POST https://account-d.docusign.com/oauth/token
And always I am getting the same message : "invalid_grant"
I have checked all params twice, and i know about that question DocuSign authorization code grant flow gets invalid_grant error about the same situation, it is not marked as answered
Can anyone explan me what i am doing wrong?

You are mixing two type Authorization Code Grant and Implicit Code Grant, in your first GET URL, you are passing response_type=token instead it should be response_type=code, once you will change response_type from token to code then it will work.

Related

Getting GitHub Branch protection returns "404 Not Found"

I have tried to get the Branch policies using curl / Postman however I keep getting Error "404 Not Found".
Based on the documentation (https://docs.github.com/en/rest/reference/repos#get-branch-protection), I seem to be using the correct API Uri. see below commands used. Ps: Auth Token has been verified.
For Curl :
curl \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/repos/{owner}/{repo}/branches/{branch}/protection
Postman:
https://api.github.com/repos/{owner}/{repo}/branches/{branch}/protection
I need API call to return the Branch protection. Thanks!
while at the moment not clearly documented,
this API URI requires the provided access token to have admin privileges for the repository.

Soundcloud API authentication always throws "401 - Unauthorized"

Due to the new updates of the Soundcloud API, I'm trying to update the authentication flow in my code ( the project was using login and password ).
But I'm blocked by a problem, and I'm losing my head.
I follow instructions on this page : https://developers.soundcloud.com/blog/security-updates-api
I manage to get a refresh token and an access token with this :
curl --request POST \
--url https://api.soundcloud.com/oauth2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_id=CLIENT_ID \
--data client_secret=CLIENT_SECRET \
--data grant_type=client_credentials
But I'm not able to execute this request, which is an example in the mentionned page, with the access token I got with the previous request :
curl --request GET \
--url 'https://api.soundcloud.com/me/tracks?limit=1' \
--header 'Authorization: OAuth ACCESS_TOKEN'
The request response is always :{"code":401,"message":"","link":"https://developers.soundcloud.com/docs/api/explorer/open-api","status":"401 - Unauthorized","errors":[],"error":null}
I tried with a refresh of my access token, and with the url "https://api.soundcloud.com/me" instead of "https://api.soundcloud.com/me/tracks?limit=1".
And always returning the same error.
Can someone help me ?
Thanks by advance, and thanks for reading.
OK, I think I got it, thanks to this question on github :
https://github.com/soundcloud/api/issues/76
"The client_credentials auth flow is meant only for server-side integration and allows access to public endpoints only. Meaning that for endpoint /me or any other user-related endpoint you have to use the Authorization Code flow which provides the client-side integration."
And here : https://developers.soundcloud.com/docs/api/guide#authentication :
"if your app needs to access only public resources, you can use the OAuth Client Credentials Flow"
I'm done with the error messages too blurry... and with me reading too fast !
I will add the correct authentication method in comments later.
UPDATE : "manual" authentication flow
As the project is behind a VPN, I can't use normal authentication flow ( redirect_uri can't be called by soundcloud !)
So :
Get a "code"
First, authenticate on SoundCloud with the account you want to access ( or ask your customer to do it )
In your browser, type this url :
https://api.soundcloud.com/connect?client_id=YOUR_CLIENT_ID&response_type=code&scope=&state=[random_string]&redirect_uri=YOUR_REDIRECT_URI
Accept the demand and this will redirect you to an URL with the code inside : code=YOUR_CODE. Keep it. If this is done by your customer, simply ask him to copy-paste the url.
That's not really secure, but you can't avoid it if your redirect uri is not accessible from Soundcloud.
Obtain a refresh token and an access token :
With curl, to keep your Client Secret, or App Secret, secret ( indeed :D ). And also the access token.
curl -X POST "https://api.soundcloud.com/oauth2/token"
-H "accept: application/json; charset=utf-8"
-H "Content-Type: application/x-www-form-urlencoded"
-d "grant_type=authorization_code&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&redirect_uri=YOUR_REDIRECT_URI&code=YOUR_CODE"
This last request will answer in json format. Inside, you'll find an access token, and a refresh token.
Register the refresh token in your projet to reuse it to refresh your access token when needed !

How compose GraphQL query for github

How to present this string as a GraphQL query
curl -H "Authorization: bearer token" https://api.github.com/graphql
Help me please
You can follow "Forming Calls with GraphQL", which involves "Creating a personal access token for the command line" to get a token.
Your header should then be: Authorization: bearer xxx, with xxx being the token you have generated.
As a concrete example: "Get started with GitHub GraphQL API".

Auth0 right way to call userinfo

I have created an API with RS256 signing algorithm and http://localhost:3000/api/v1 as the Identifier (audience) and I added openid, phone, profile as the scopes to the created API
Then created an application to invoke the above API, with RS256 signing and turned off OIDC Conformant since I'm using a customized login page.
I was able to invoke the following authorize request successfully :
https://hostname.auth0.com/authorize?client_id=CLIENT_ID&redirect_uri=http://localhost:4200/dashboard&response_type=code&scope=openid%20profile&state=state&nonce=nonce&audience=https://hostname.auth0.com/userinfo
After getting the code I was able to execute the token call and received the access_token
curl --request POST \ --url https://hostname.auth0.com/oauth/token \ --header 'content-type: application/json' \ --data '{"client_id":"CLIENT_ID","client_secret":"CLIENT_SECRET","audience":"localhost:3000/api/v1","grant_type":"client_credentials","code": "CODE"}'
But after decoding the JWT token I couldn't see the userinfo endpoint in audience field
So I'm getting unauthorized error in executing the following userinfo call, but I was able to call my other API (secured resources) using the given access token without any issue.
curl --request GET \
--url 'https://hostname.auth0.com/userinfo' \
--header 'authorization: Bearer {ACCESS_TOKEN}' \
--header 'content-type: application/json'
Unauthorized
-Then I tried to invoke the token endpoint using userinfo url as the audience value:
curl --request POST \
--url https://hostname.auth0.com/oauth/token \
--header 'content-type: application/json' \
--data '{"client_id":"CLIENT_ID","client_secret":"CLIENT_SECRET","audience":"https://hostname.auth0.com/userinfo","grant_type":"client_credentials","code": "CODE"}'
Then I'm getting the following error:
{"error":"access_denied","error_description":"Client is not authorized to access \"https://hostname.auth0.com/userinfo\". You might probably want to create a \"client-grant\" associated to this API. See: https://auth0.com/docs/api/v2#!/Client_Grants/post_client_grants"}
When I tried to add userinfo url as an additional Identifier (audience) when creating an API, I'm getting an error saying 'provided identifier is reserved'
Please let me know what I'm doing wrong here. Looking forward to your reply.
Thanks.
I see multiple issues in what you are doing.
If you are looking to get an access token for your API as well, you should specify that API's identifier as the audience in the initial /authorize call. /userinfo audience is assumed, so you don't need to specifically mention it. For example, if your API identifier is https://api.example.com:
https://hostname.auth0.com/authorize?client_id=CLIENT_ID&redirect_uri=http://localhost:4200/dashboard&response_type=code&scope=openid%20profile&state=state&nonce=nonce&audience=https://api.example.com
You may also want to specify some of the scopes defined in the API in the above call (apart from openid and profile).
When you exchange the code to tokens, the grant_type should be authorization_code (not client_credentials). Also, you don't need to specify the audience again during this code exchange. But make sure you specify the redirect_uri that you sent in initial /authorize request here as well. This is required to prevent some attack vectors.
Changing the API calls based on the above points should send you back the correct access token - which can be used to both call your API and the /userinfo endpoint.
More info about this flow can be found in the docs: https://auth0.com/docs/api-auth/tutorials/authorization-code-grant

Authenticate to API with secret key and credentials

I am trying to make a request to the TaskRabbit API. I want to use my credentials and get the details of my account back.
I have a developer account (application ID, application Secret, Authorize URL). How can I use these credentials to authenticate with TaskRabbit? Can I use something like curl to test this out?
I tried using something like
curl -X POST -H "Content-Type: application/json" -d '{"username":"my username","password":"my password"}' https://combo-staging-2.taskrabbit.in/api/v2/account.json
this fails, since it’s not what the API expects. Is there a way to use my keys to make a similar request?