I am trying to get the installed app to work with Oauth2 on Reddit's api. I am using Windows runtime api's httpclient to make requests, and webauthenticationbroker to get the code to do the GET request to receive the token. I requested a token by using this:
https://www.reddit.com/api/v1/authorize?client_id=" + client_id + "&response_type=code&state=" + "testing" + "&redirect_uri=http://abcd.com&duration=" + "permanent" + "&scope=" + "vote,identity"
And got a code back, so I used POST on this (with the content type being: application/x-www-form-urlencoded):
https://www.reddit.com/api/v1/access_token
with the body being this:
grant_type=https://oauth.reddit.com/grants/installed_client&\
device_id="+id + "&code=" + code
(code and id is the code received in the first step and id is a generated UUID)
Then I got something like this back:
{"access_token": "--5e65dP1dI_1vgLbqvi7zRB6cnU", "token_type": "bearer", "expires_in": 3600, "scope": "*"}
So I extracted the token and got this:
--5e65dP1dI_1vgLbqvi7zRB6cnU
Then I tried to do a GET request on https://oauth.reddit.com/api/v1/me with these headers:
{
User-Agent: (testUWP client by /u/bored_reddit_user)
Authorization: bearer --5e65dP1dI_1vgLbqvi7zRB6cnU
}
I got these headers back with status code 403 reason phrase forbidden:
{
Connection: keep-alive
Server: cloudflare-nginx
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
Transfer-Encoding: chunked
cache-control: max-age=0, must-revalidate
x-ua-compatible: IE=edge
CF-RAY: 23f5127a6a2911a1-SJC
Date: Tue, 03 Nov 2015 03:42:58 GMT
x-frame-options: SAMEORIGIN
access-control-allow-origin: *
X-Moose: majestic
x-reddit-tracking: https://pixel.redditmedia.com/pixel/of_destiny.png?v=BZoi0ikdGrSYn9U9xM6GWeYcRRb0W50fSQuGYb1Q8Oe7E5WVB6qTA4hRqlx9vDfpLOKzpE3Z5Wo%3D
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
access-control-expose-headers: X-Reddit-Tracking, X-Moose
}{
Content-Type: application/json; charset=UTF-8
}
and this content:
{"explanation": "Please log in to do that.", "reason": "USER_REQUIRED"}
I am at a loss as to what I'm doing wrong, can anyone help me out?
This wiki page on the reddit github gives a pretty good overview of reddit's implementation of OAuth2 and the different grant_types and what circumstances they are appropriate for. This page has some more information. I'm suspecting that reddit doesn't want you storing the client secret in an app that you install on a user's device since you can't keep it secure, and a user could figure out your CLIENT_ID.
I'm glad my comment could point you in the right direction, if you could accept this answer, I'd appreciate the rep.
Related
I am getting 500 internal server error while trying to configure google sign in with my Cognito user pool, steps followed are from here.
There is no error message in response to the requested API.
I'm finding it very difficult to troubleshoot the issue. Only thing observed from response headers is
x-cache: Error from CloudFront
The error is from token endpoint URL: oAuth2/token
Request URL: https://mydomainurl/oauth2/token
Request Method : POST
Headers:
Content-Type: application/x-www-form-urlencoded
Form body:
grant_type: authorization_code
client_id: cognito_app_client_id_here
code: AUTH_CODE
redirect_uri: https://redirect-url
Received response headers:
access-control-allow-credentials: true
access-control-allow-origin: https://mydomainurl
cache-control: no-cache, no-store, max-age=0, must-revalidate
content-type: application/json;charset=UTF-8
date: Fri, 08 Nov 2019 08:10:28 GMT
expires: 0
pragma: no-cache
server: Server
status: 500
strict-transport-security: max-age=31536000 ; includeSubDomains
vary: Origin
via: 1.1 1111111222333.cloudfront.net (CloudFront)
x-amz-cf-id: DirdxkYdQojw7EE8fw-_Kta_nHfBIQBN9VpT2qTg3WGoj2a_8yh3RA==
x-amz-cf-pop: BLR50-C3
x-amz-cognito-request-id: 97468dc9-8957-4a35-8780-1a7f5d9e3c56
x-cache: Error from cloudfront
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
Does anyone know how to resolve the above error?
Where to view any error logs if generated by CloudFront distribution or by
CloudWatch for the above request?
I had a similar problem with a web app hosted on S3, distributed by CloudFront, with OAuth2 user authentication via Cognito.
In my case, the web app was a single-page application with routing. The app was hosted at https://example.com but my callback URL was at https://example.com/login. Since the login process involved navigating away from the app then redirecting back, it resulted in a 404 Not Found on the S3 side since there was no resource at s3://example.com/login, subsequently causing the x-cache: Error from cloudfront as seen in the response headers of the original question.
The fix was to edit the CloudFront distribution and add a custom error response, mapping 404 Not Found to a response path of /index.html and response code 200 Ok.
I am not sure why i am getting this error message. i have inserted the ids
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-length: 322
content-type: application/x-www-form-urlencoded
user-agent: google-oauth-playground
HTTP/1.1 400 Bad Request
Content-length: 68
X-xss-protection: 1; mode=block
X-content-type-options: nosniff
Transfer-encoding: chunked
Vary: Origin, X-Origin, Referer
Server: ESF
-content-encoding: gzip
Cache-control: private
Date: Sun, 11 Nov 2018 23:59:34 GMT
X-frame-options: SAMEORIGIN
Alt-svc: quic=":443"; ma=2592000; v="44,43,39,35"
Content-type: application/json; charset=utf-8
{
"error_description": "Bad Request",
"error": "invalid_grant"
}
Bad Request error occurs when the request syntax are wrong (i.e. when a parameter or a header you are supposed to send is missing or contains an incorrect/invalid value). Best option is to check OAuth Specification are figure out what you have done wrong in the token request. Google might have a slightly different implementation from the actual specification, but I think it won't be difficult to find the issue after checking the documentation.
Access token request specification for authorization code grant can be found here.
I'm trying to collect and download my lifelog user data. The first step into doing this is getting a user-access token. I am encountering problems while requesting authorization.
From the sony developer authenticization page I am told to input the following code into my API explorer:
https://platform.lifelog.sonymobile.com/oauth/2/authorize?client_id=YOUR_CLIENT_ID&scope=lifelog.profile.read+lifelog.activities.read+lifelog.locations.read
I am supposed to receive the authorization code as such:
https://YOUR_CALLBACK_URL?code=abcdef
However, this is what the current situation is actually like:
I have replaced my actual client ID below with MY_CLIENT_ID for security reasons
INPUT:
GET /oauth/2/authorize?client_id=MY_CLIENT_ID&scope=lifelog.profile.read%2Blifelog.activities.read%2Blifelog.locations.read HTTP/1.1
Authorization:
Bearer kN2Kj5BThn5ZvBnAAPM-8JU0TlU
Host:
platform.lifelog.sonymobile.com
X-Target-URI:
https://platform.lifelog.sonymobile.com
Connection:
Keep-Alive
RESPONSE:
HTTP/1.1 302 Found
Content-Length:
196
Location:
https://auth.lifelog.sonymobile.com/oauth/2/authorize?scope=lifelog.profile.read+lifelog.activities.read+lifelog.locations.read&client_id=MY_CLIENT_ID
Access-Control-Max-Age:
3628800
X-Amz-Cf-Id:
HILH9w3eOm-6ebs_74ghegYQyWS4xyqA1l0gXPRJuuubsoZ6eiiS3g==
Access-Control-Allow-Methods:
GET, PUT, POST, DELETE
X-Request-Id:
76caccfc976d40259ef30415d10980e9
Connection:
keep-alive
Server:
Apigee Router
X-Cache:
Miss from cloudfront
X-Powered-By:
Express
Access-Control-Allow-Headers:
origin, x-requested-with, accept
Date:
Sun, 22 Jan 2017 03:00:42 GMT
Access-Control-Allow-Origin:
*
Vary:
Accept
Via:
1.1 dc698cd00b7ec82887573cfaba9ecca6.cloudfront.net (CloudFront)
Content-Type:
text/plain; charset=utf-8
Found. Redirecting to https://auth.lifelog.sonymobile.com/oauth/2/authorize?scope=lifelog.profile.read+lifelog.activities.read+lifelog.locations.read&client_id=MY_CLIENT_ID
Nowhere can I see the authorization code in the above code. I even tried copying and pasting the URL (on the last line) into my browser, it says "localhost.com took too long to respond"
This is where I input my request
I am not sure whether it is an issue with the callback URL. I don't have an actual website or app made, I just used the default localhost
I am a beginner in this and would really appreciate all help.
I'm trying to get headers of response returned and consumed by react-native's fetch() method but it seems there is something not right with it and the headers aren't there.
I've seen that react-native team has accepted a PR with something probably related here: https://github.com/facebook/react-native/commit/fe42a28de12926c7b3254420ccb85bef5f46327f but i'm not sure if it targets the issue i'am currently facing. Anyway, i have installed a react-native from master (to have that recent PR applied) and my api endpoint retuns the following headers:
> curl --include 'http://192.168.0.111:3000/api/v1/items?limit=1'
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Link: <http://192.168.0.111:3000/api/v1/items?limit=1&page=32>; rel="last", <http://192.168.0.111:3000/api/v1/items?limit=1&page=2>; rel="next"
Total: 32
Per-Page: 1
Content-Type: application/json; charset=utf-8
Cache-Control: no-store, must-revalidate, private, max-age=0
(...)
But, my fetch method can't see them for some reason:
fetch(CONFIG.api_url + '/items?limit=25').then(function(resp) {
console.log(resp.headers)
console.log(resp.headers.getAll())
console.log(resp.headers.get('Link'))
})
Thanks in advance for any tips on how to access those headers (dirty hot-fixes welcome :)!
I was looking for something like this from chrome fetch api (not using reactjs)and the documentation has no mention about this (even at the time of writing). I did some trail and errors and found the following works in chrome (checked this in version 47)
//get all 'available' headers
response.headers.forEach(function(value, key){
console.log('[' + key + '] = '+value);
});
Note that response headers are restricted based on the response type. See 'Response Types' section for more info https://developers.google.com/web/updates/2015/03/introduction-to-fetch?hl=en
I trying to use the Google OAuth 2.0 playground to query for realtime updates on a Google Docs File ID. For every request using either the get or update Realtime api calls I receive an error and have tried sending in numerous file ids. Do you have any advice as to how to use this API?
Below is the URL I am sending along with the error returned:
https://www.googleapis.com/drive/v2/files/1IT1qIuM6QsqV7D--69uv0sn4OSQ24UQKos3x0P3BQjc/realtime
Error Returned:
GET /drive/v2/files/1IT1qIuM6QsqV7D--69uv0sn4OSQ24UQKos3x0P3BQjc/realtime HTTP/1.1
Host: www.googleapis.com
Content-length: 0
Authorization: Bearer ya29.LgDc0oNUU_4cuhoAAAAjT4pqiLwlIpoRV7ll_QEJp1QayB49KOwIYKHVK5rMww
HTTP/1.1 400 Bad Request
Content-length: 172
X-xss-protection: 1; mode=block
X-content-type-options: nosniff
Expires: Wed, 25 Jun 2014 10:08:21 GMT
Server: GSE
Cache-control: private, max-age=0
Date: Wed, 25 Jun 2014 10:08:21 GMT
X-frame-options: SAMEORIGIN
Content-type: application/json; charset=UTF-8
{
"error": {
"code": 400,
"message": "Invalid Value",
"errors": [
{
"domain": "global",
"message": "Invalid Value",
"reason": "invalid"
}
]
}
}
Thanks,
Michael
You need to provide your API key at the end. You can see what the requests should look like in the API explorer.
Note however that realtime documents are scoped to a particular app, so anything you've created in your app won't show up in the API explorer. You can update and the get it from that using the explorer app though.