In using Instagram API, when I login with my Instagram ID, my url is like this : 'http://ec2-54-92-53-75.ap-northeast-1.compute.amazonaws.com/instagram_about_token/example/?code=34cde9ac55c047918e4973c9591595cb'
Actually, I set redirect URL as 'http://ec2-54-92-53-75.ap-northeast-1.compute.amazonaws.com/instagram_about_token/example/', so as a result of login, '?code=34cde9ac55c047918e4973c9591595cb' this was added.
Is this an access token of Instagram?? I'm not sure right now because in API console of Instagram, the request is something like this :
"GET /v1/users/self/feed?access_token=1470328514.1fb234f.09a36e85629645fe8115c369202ec012 HTTP/1.1"
As you see, the access token is added like '?access_token=~~~~',
so I want to know whether '?code=~~~' on my website means that I got an access token on my website. Thank you.
The code in URL is not the access token you want, but it is required to get it. The whole process is good described on Instagram Developer Documentation: http://instagram.com/developer/authentication/
Step Three: Request the access_token
In the previous step, you’ll have received a code which you’ll have to
exchange in order to receive an access_token for the user. In order to
make this exchange, you simply have to POST this code, along with some
app identification parameters to our access_token endpoint. Here are
the required parameters:
client_id: your client id
client_secret: your client secret
grant_type: authorization_code is currently the only supported value
redirect_uri: the redirect_uri you used in the authorization request.
Note: this has to be the same value as in the authorization request.
code: the exact code you received during the authorization step.
For example, you could request an access_token like so:
curl \-F 'client_id=CLIENT-ID' \
-F 'client_secret=CLIENT-SECRET' \
-F 'grant_type=authorization_code' \
-F 'redirect_uri=YOUR-REDIRECT-URI' \
-F 'code=CODE' \https://api.instagram.com/oauth/access_token
If successful, this call will return a neatly packaged OAuth Token that
you can use to make authenticated calls to the API. We also include
the user who just authenticated for your convenience:
{
"access_token": "fb2e77d.47a0479900504cb3ab4a1f626d174d2d",
"user": {
"id": "1574083",
"username": "snoopdogg",
"full_name": "Snoop Dogg",
"profile_picture": "http://distillery.s3.amazonaws.com/profiles/profile_1574083_75sq_1295469061.jpg"
} }
Related
i am new to keycloak.
I have made web portal that authentication (login, logout,forgot password) of users is done in backend ( PHP ) using REST Api. After successful authentication user is allowed to enter secure part of portal.
I am having trouble to get REST API endpoint so that when user is logged in i would like to get a list of permissions that this user have so i can render the UI with functions that specific user have permissions to. So far i found endpoint which can ask for specific permission only
curl -X POST http://$URL/auth/realms/argo/protocol/openid-connect/token -H "Authorization: Bearer $TOKEN" --data "audience=$CLIENTID" --data "permission=$PERMISSIONNAME#$PERMISSIONSCOPE"
Is this possible with keycloak ? I would have maybe around 10 navigation functions and some will be payable so once user buys this function we will allow this permission to this specific user.
Thanks
I spent a lot of time to make it work.
Basically, once the user is logged in (via a JWT access token) your app has to issue an additional call to an OIDC endpoint, in order to get an extended JWT token (including fine grained permissions).
Here are the details of this extra call:
POST http://server:port/auth/realms/<realm>/protocol/openid-connect/token
Content-Type: application/x-www-form-urlencoded
Authorization: "Bearer ....." (=access token of logged-in user)
Parameters:
- grant_type: the constant "urn:ietf:params:oauth:grant-type:uma-ticket"
- audience : the keycloak client id
- response_include_resource_name: true
You will get in response a JWT token that should be decoded
either programatically (quite easy)
or by invoking Keycloak token introspection endpoint (ie /auth/realms//protocol/openid-connect/token/introspect
And, once decoded, you will notice that the json payload contains an extra "authorization" node.
I've got some code (a script on a server) that tries to send an OAuth2 request to get a token from an API. I have a client id, and client secret from the "OAuth 2.0 Client Ids" section of the "Credentials" tab in the Google Cloud Platform > APIs and Services. I also have a refresh token that I originally obtained somehow.
The URL I am POSTing to is:
https://www.googleapis.com/oauth2/v4/token
I'm sending the header
Content-Type: application/x-www-form-urlencoded
In the body of my post I have the following information:
grant_type=refresh_token&client_id=${encodeURIComponent(client_id)}&client_secret=${encodeURIComponent(client_secret)}&refresh_token=${encodeURIComponent(refresh_token)}
However, it has been a long time since I last ran this code and now it returns an error "bad grant". On this page it says that a refresh token will stop working if it has not been used for six months, which explains why I am getting the error. However, it does not say how to get another refresh token using the client id and client secret similar to how I am now creating a post to get an access token. How do I do this?
I believe your goal and your current situation as follows.
You want to retrieve new refresh token from the current client ID and client secret.
Your client ID and client secret are the valid values.
In this case, in order to retrieve new refresh token, it is required to use the additinal 2 parameters of scope and redirect_uri. These parameters can be confirmed at your created client ID of "OAuth 2.0 Client IDs" of "Credensials" tab in the Google Cloud Platform. When the parameters including client_id, client_secret, scope and redirect_uri are used, new refresh token can be retrieved. The flow for this is as follows.
1. Retrieve authorization code.
Please create the following endpoint using client_id, redirect_uri and scope.
https://accounts.google.com/o/oauth2/auth?client_id={your client ID}&redirect_uri={your redirect uri}&scope={your scopes}&response_type=code&approval_prompt=force&access_type=offline
When you created above endpoint, please access it to your browser. By this, the login screen is opened. When you logged in to Google account, the authorization screen is opened. When you permit the scopes, the authorization code can be retrieved.
When your credential is for the web application, you can retrieve the code at the URL on the browser like http://{your redirect uri}/?code={the authorization code}&scope={your scopes}.
Please copy the code.
2. Retrieve refresh token.
Using the retrieved authorization code, you can retrieve new refresh token. The sample curl command for this is as follows.
curl \
-d "client_id={your client ID}" \
-d "client_secret={your client secret}" \
-d "redirect_uri={your redirect uri}" \
-d "grant_type=authorization_code" \
-d "code={retrieved your authorization code}" \
"https://www.googleapis.com/oauth2/v4/token"
When above curl command is run, the following result is obtained.
{
"access_token": "###",
"expires_in": 3600,
"refresh_token": "###",
"scope": "{your scopes}",
"token_type": "Bearer"
}
Reference:
Using OAuth 2.0 to Access Google APIs
I have successfully (?) implement the Twitter three-legged authentication process to obtain user access token. The problem is the access token appears invalid... or I use it wrong. I already able to get the app's access token, which can access limited Twitter API. I use it by adding "Authentication: Bearer 'access token'" on the header. But when I did the same thing with the user context access token and did the same request, I always get error code 89 Invalid or expired token.
The access token I obtained has a structure of [several numerics]-[some alpha numeric chars]. Like 12345678-asd98f798asdf79asdfa9sdfs9df7a9sdf7. This looks similar with the access token example in step 3 of https://developer.twitter.com/en/docs/basics/authentication/oauth-1-0a/obtaining-user-access-tokens.
I also notice that the example request there is like this:
POST statuses/update.json
oauth_consumer_key=cChZNFj6T5R0TigYB9yd1w
oauth_token=7588892-kagSNqWge8gB1WwE3plnFsJHAZVfxWD7Vb57p0b4
Which I presume those two additional parameters are to be added to the body instead of the header. But, how if my request is a GET request? Like request to get home timeline, which absolutely requiring user context access token?
https://developer.twitter.com/en/docs/tweets/timelines/api-reference/get-statuses-home_timeline
From this API ref, the example only give the GET url, and not how to supply the user context access token. Please help. I have the feeling that the solution is very simple (like a fix on the header), but I can't see it.
This is my current request:
curl -X GET \
'https://api.twitter.com/1.1/users/show.json?screen_name=huffpost' \
-H 'Authorization: Bearer 12345678-as3d12a3d1a3sd1232ads13asd123as1d23as3d32,Bearer 12345678-as3d12a3d1a3sd1232ads13asd123as1d23as3d32' \
This is the result:
{
"errors": [
{
"code": 89,
"message": "Invalid or expired token."
}
]
}
The user access token requires signing a request which includes parameters and headers.
https://developer.twitter.com/en/docs/basics/authentication/oauth-1-0a/authorizing-a-request
You can use a library like https://github.com/twitter/joauth to generate the signature.
For Java+OkHttp - you can use this library https://github.com/yschimke/okurl/blob/master/src/main/kotlin/com/baulsupp/okurl/services/twitter/joauth/Signature.kt#L33
Getting auth token from uber is a two step process.
Please refer Uber Auth API
Ask the uber user to authorize : call GET https://login.uber.com/oauth/v2/authorize?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}
Provide your client_id and redirect_uri specific to your website. If the authorization is successful, you will be redirected to your site with the code in the query parameter.
The the code you get in step 1 to retrieve auth token.
Send an HTTP POST request to https://login.uber.com/oauth/v2/token. Following should be the json you send to server:
{
"client_secret": "{client_secret}",
"client_id": "{client_id}",
"grant_type": "{authorization_code}",
"redirect_uri": "{redirect_uri}",
"code": "{insert authorization code obtained in previous step}"
}
In the step two I always get a error 400 with "invalid grant type" message. Please suggest where am I going wrong.
You need to send the parameter as form-data, not JSON. Take a look at the curl example in section 3 here: https://developer.uber.com/docs/authentication
The authorization and authentication documentation doesn't mention anything about JSON, therefore application/x-www-form-urlencoded media type is to be used to send the HTTP POST request to the /oauth/v2/token API endpoint
I'm trying to fork a repo using the GitHub V3 API via REST, however, I am having issues making a POST request as per the docs (https://developer.github.com/v3/repos/forks/#create-a-fork).
Basically, what I have so far:
A logged-in user with an OAuth Token
A POST request setup to the API (URL: https://api.github.com/repos/carmichaelalonso/infiniteflight/forks/) - I am testing this with hurl.it to begin with.
Headers in the request: one has the name Authorization with the value 'token ...', the other specifies Content-Type with the value application/json
A body with the following JSON: {"organization" : "shortlisthome"} (shortlisthome is the account I am trying to fork the repo to.
I am not intending to fork this to an organization, instead of a standard user account, which is where I am getting confused. When I run the request, I do not get any authentication errors or 404 errors (I previously had but I had been entering incorrect values by mistake, causing such errors).
When I run this request though, I get the following result (a 422 unprocessable request):
{
"message": "Validation Failed",
"documentation_url": "---url-to-docs---",
"errors": [
{
"resource": "Fork",
"code": "invalid",
"field": "organization"
}
]
}
I am unsure whether or not I am able to fork this to a standard user, or if it is an error with my request. Please let me know if I can provide any more info (first post here so a bit unfamiliar with the convention).
Thanks!
In order for shortlisthome to fork the repository you need to authenticate as them. The repository you're trying to fork is public, so all you need to do is obtain a OAuth token for shortlisthome and then make a similar request to the one you're making now. The only difference will be that you do not need to provide the JSON body of {"organization": "shortlisthome"}.
For what it is worth, the optional JSON body is intended for you to use when you are a member of an organization with proper permissions and you want to fork the repository to that organization. You cannot fork a repository to someone else's account unless you are authenticated as them.
I've so far avoided OAuth2, and do not know hurl. Yet, perhaps this can help.
This post shows how it can be done using cURL's -u username flag:
curl -u 'myusername' https://api.github.com/repos/carmichaelalonso/infiniteflight/forks/ -d ''
The -d (or alternatively --data) flag turns it into a POST request.
Without that flag cURL defaults to a GET request, which is not what you want.
Since, the data is part of the URI for this request, send an empty string for the data that must follow the -d param, as such: -d ''.
Of course, using -u will require you to also supply a password..
Here is what GitHub shows using OAuth2 with their API:
OAuth2 Token (sent in a header):
curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com
OAuth2 Token (sent as a parameter):
curl https://api.github.com/?access_token=OAUTH-TOKEN
Read more about OAuth2. Note that OAuth2 tokens can be acquired programmatically, for applications that are not websites.
OAuth2 Key/Secret
curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy'
I suspect that adding -d '' (or some equivalent in hurl),
plus one of the formats above for sending OAuth2 info might get you most of the way there.
I used this command to fork on github enterprise
curl -vX POST https://git.redacted.com/api/v3/repos/<org-to-fork-from>/<repo-to-fork>/forks?access_token=<api-token> -d #gh-fork.json --header "Content-Type: application/json"
gh-fork.json is just
{
"organization": "org-to-fork-to",
"description": "",
"homepage": "https://git.redacted.com",
"private": false
}