We got the following exception for our customers while trying to get an AccessToken using a signed JWT for the scope "https://www.googleapis.com/auth/admin.directory.group.readonly" through this protocol (https://developers.google.com/accounts/docs/OAuth2ServiceAccount?hl=fr#makingrequest).
{
"error": "access_denied",
"error_description": "Requested client not authorized."
}
It was working earlier. We have been facing this issue for the last 2 days.
But we got response for Admin-SDK users API using the scope "https://www.googleapis.com/auth/admin.directory.user.readonly" for the same app.
Please assist me.
TIA,
Riyaz A
Related
I am using Laravel 8.40 and Passport 10.3. I want to generate a token without authorization. For that I have followed the Laravel Passport documentation. But when I try to generate a token using the following snippet
grant_type:password
client_id:959f0346-0848-4aca-af63-ed77daba2561
client_secret:lLSI6Yg4RRh5ZaH00fAaVhcU9C5Zd8ITfe9XTO8H
username:admin#test.com
password:password
scope:*
Though my credentials are correct (I tested them on my web guard), I am getting this response
{
"error": "invalid_grant",
"error_description": "The user credentials were incorrect.",
"message": "The user credentials were incorrect."
}
Just replace
"grant_type":password
to
"grant_type":client_credentials
I used OAuth 2.0 Client Credentials Flow (2-Legged) to get access token and I followed each step as described in https://developer.linkedin.com/docs/v2/oauth2-client-credentials-flow.
But when I send the API request to get the access token, I receive the following response
{
"error": "access_denied",
"error_description": "This application is not allowed to create application tokens"
}
https://medium.com/#ellesmuse/how-to-get-a-linkedin-access-token-a53f9b62f0ce
You may check this way to get a LinkedIn access token.
Hello Microsoft/Azure/Skype experts,
I'm tasked with accessing presence data from Skype For Business Online accounts from my macOS app (native).
I'm unfortunately stuck and I always get a 403 error when I access the autodiscover request and never get the link to the applications resource.
I have been following this documentation
https://learn.microsoft.com/en-us/skype-sdk/ucwa/authenticationusingazuread
STEP 1
We have registered the app in the Azure Management Portal using our Office 365 account credentials.
We have used a custom redirect URL (http://localhost)
Allow Implicit Flow is set to true in manifest
We pre-configure the permissions needed for Skype for Business Online
STEP 2
Issuing a GET as specified in the documentation to initiate sign in and authorization check.
GET https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=c#####-4d41-485e-871f-0a22aa79e52b&redirect_uri=http://localhost
This returns a 200 OK.
STEP 3
We got the Auto discover URL as described in the documentation.
This is what I get - I use the domain marked in RED.
STEP 4
As per the documentation, they ask me to do this
Requesting an access token using implicit grant flow
So I issue a GET as described
https://login.microsoftonline.com/oauth2/authorize?
response_type=id_token &client_id=######-4d41-485e-871f-0a22aa79e52b
&redirect_uri=http://localhost
&state=8f0f4eff-360f-4c50-acf0-99cf8174a58b
&resource=https://webdirin1.online.lync.com
Now this shows the sign-in page, I sign in and then it throws an error
AADSTS90014%3a+The+required+field+%27nonce%27+is+missing.
I researched and could not fix this error.
So after lots of research and looking at this Microsoft documentation LINK (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-individual-user-consent) , apparently there is another way of getting the bearer token.
STEP 4 - SECOND TRY
I then request individual user consent by sending the SCOPE parameter for Skype for Business.
I then issue a GET request to
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=#######-4d41-485e-871f-0a22aa79e52b&response_type=code&redirect_uri=http://localhost&response_mode=query&scope=https://api.skypeforbusiness.com/User.ReadWrite&state=12345
This returns an access code which I use in the next step to get the TOKEN
STEP 5 - Get the bearer TOKEN
Issue a POST to the following URL
https://login.microsoftonline.com/common/oauth2/v2.0/token
with the following data in the POST body
"grant_type": "authorization_code",
"client_id": "######-4d41-485e-871f-0a22aa79e52b",
"scope": "https://api.skypeforbusiness.com/User.ReadWrite",
"code": "OAQABAAIAAACEfexX.........",
"redirect_uri": "https://localhost"
This returns the bearer token in the following response JSON
{
"access_token" = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1........w4b-- gnWG_iOGtQ";
"expires_in" = 3599;
"ext_expires_in" = 3599;
scope = "https://api.skypeforbusiness.com/User.ReadWrite";
"token_type" = Bearer;
}
STEP 6
Yay! Got the bearer token at laaast!
Now back to the main documentation
https://learn.microsoft.com/en-us/skype-sdk/ucwa/authenticationusingazuread
And where we do this - 'Resending an autodiscovery request with the bearer token'
We execute a GET request to
https://webdirin1.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user
Now this, as per the documentation should return this JSON
{
"_links":{
"self":
{"href":"https://webdirX.online.lync.com/Autodiscover/AutodiscoverService.svc/root/user"},
"applications":
{"href":"https://webpoolXY.infra.lync.com/ucwa/oauth/v1/applications"}
}
}
BUT I GET A 403: PERMISSIONS denied error
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page
using the credentials that you supplied.</h3>
</fieldset></div>
So thus I have never got the applications URL. I have checked the manifest and registration, and I have no idea why I get this error.
Any inputs would be appreciated.
For step 4, you need to specify nonce=somestring in the URL. Typically this should be a securely random value that is only used once. It can contain any value.
Also, you are only requesting an id token. Set response_type=id_token+token.
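Added example, not part of the original answer or of Microsoft's documentation: one way to build the step 4 request with a fresh nonce and response_type=id_token+token, then check that the id_token returned to the redirect URI carries the same nonce. The function names, the client ID placeholder and the unsigned sample token are assumptions made for illustration; the sketch decodes the id_token payload without verifying its signature, which a real client must also do.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint, redirect URI and resource are the ones quoted in the question.
AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/authorize"

def build_authorize_url(client_id, redirect_uri, resource):
    """Return (url, state, nonce); both random values are fresh per request."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "id_token token",  # urlencode emits id_token+token
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": resource,
        "state": state,
        "nonce": nonce,
    })
    return f"{AUTHORIZE_URL}?{query}", state, nonce

def jwt_claims(token):
    """Decode the JWT payload only; signature verification is NOT done here."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_redirect(redirect_url, expected_state, expected_nonce):
    """Check state and nonce in the returned fragment, then return the access token."""
    frag = parse_qs(urlsplit(redirect_url).fragment)
    state = frag.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    nonce = str(jwt_claims(frag["id_token"][0]).get("nonce", ""))
    if not hmac.compare_digest(nonce.encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch: id_token was not issued for this request")
    return frag["access_token"][0]

def make_constructed_id_token(nonce):
    """Constructed, unsigned sample token standing in for the server's reply."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'nonce': nonce})}.sig"

if __name__ == "__main__":
    url, state, nonce = build_authorize_url(
        "CLIENT_ID_PLACEHOLDER", "http://localhost", "https://webdirin1.online.lync.com")
    print(url)
    reply = (f"http://localhost/#id_token={make_constructed_id_token(nonce)}"
             f"&access_token=constructed-token&state={state}")
    print(check_redirect(reply, state, nonce))
```

The nonce and state must be stored with the pending sign-in (not regenerated) so they can be compared when the redirect arrives.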
I'm building a simple app to hit the Instagram API and display pictures. Following their docs, I redirect users to a sign-in, after which they're sent back to the app with an access_token. When I use that token to make requests, however, I get the following response:
{
"meta": {
"error_type": "OAuthAccessTokenException",
"code": 400,
"error_message": "The access_token provided is invalid."
}
}
The requested URL is:
"https://api.instagram.com/v1/media/search?lat=37.7936981&lng=-122.3966248&access_token=12345.adsf123adsf2341adsfasdfwhatever"
I've also tried putting the token within quotations, and URI-escaping the ampersands.
And I've tried this both through a script tag src and as a GET request in Postman. Unlike most of the answers I've found related to the above error, this is definitely not an expired token issue, as I run into this error immediately after getting the token. And it also appears NOT to be a case of my passing the token incorrectly, because when I remove the token altogether, I get a separate error complaining that no token or client_id has been passed.
Anyone familiar with this error? Have a sense what I might be doing wrong?
Please don't confuse this question with this one: Migration from OAuth1 3L to OAuth2:
I have been migrating my system users from google OAuth1 to OAuth2 as specified here.
The usual problem with these migrations is the building of the base_string, which was a problem for me before asking this question. After fixing the base_string build-up I did migrate 95% of my users, but a small number of users kept returning a 400 error:
{
"error": "invalid_request",
"error_description": "Invalid authorization header."
}
Here are the most important fields to check on:
base_string:
POST&https%3A%2F%2Fwww.googleapis.com%2Foauth2%2Fv3%2Ftoken&client_id%3DXXX%26client_secret%3DXXX%26grant_type%3Durn%253Aietf%253Aparams%253Aoauth%253Agrant-type%253Amigration%253Aoauth1%26oauth_consumer_key%3DXXX%26oauth_nonce%3D178143337915967474871427127026%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1427127026%26oauth_token%3D1%XXX
URL: https://www.googleapis.com/oauth2/v3/token
I have to say, these users do work with OAuth1 at the moment, so they are fully valid connections. An invalid/expired connection returns me this 500 error:
{
"error": "invalid_token",
"error_description": "Either the token is invalid or we could not decode it."
}