Issue during migration from Google OAuth 1.0 to OAuth 2.0 - google-oauth

I have to migrate from Google OAuth 1.0 to OAuth 2.0.
I have just written a small request in Chrome Rest Client:
POST: https://accounts.google.com/o/oauth2/token
Headers:
Authorization: OAuth realm="", oauth_signature="PU3W5uRL0eAyEi", oauth_nonce="1396865138306881000", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="XXXXX.apps.googleusercontent.com", oauth_token="YYYYY", oauth_timestamp="1396865138"
Content-Type: application/x-www-form-urlencoded
Payload: grant_type=urn:ietf:params:oauth:grant-type:migration:oauth1&client_id=ZZZZZ.apps.googleusercontent.com&client_secret=SSSSS
For that I receive an error message:
Status: 400 Bad Request
"{
error: "invalid_request"
error_description: "Invalid authorization header."
}"
The problem could be that I try to migrate from one Project in Google Developers Console to another.
Could that really be a problem?
The reason that I moved to another project is because I cannot create OAuth 2.0 Client ID in the original Project. I receive the following error message:
"You can not create OAuth 2.0 client ID because this project already contains an Oauth 1.0 client ID."
Please suggest.
Thank you,
E

As pointed out in a similar post, when constructing the base string to sign your migration requests, please make sure that the string uses a POST method and that it contains all relevant migration parameters as per the migration documentation.
As per OAuth1 spec, a valid base string for a migration request should look like:
POST&https://accounts.google.com/o/oauth2/token&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=urn:ietf:params:oauth:grant-type:migration:oauth1&oauth_consumer_key=YOUR_CONSUMER_KEY&oauth_nonce=NONCE&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1396414006&oauth_token=THE_TOKEN_TO_MIGRATE
Note that, for readability purposes, the above is the decoded version of the base string (check out the OAuth1 spec for more examples).
Hope that helps, Miguel.

When generating the base string you will need to ensure that each individual parameter is URL encoded before constructing the base string.
As per the OAuth documentation, to sign OAuth 1.0 requests the base string is made up of 3 components:
The HTTP request method
The base URL the request is being sent to
A normalized string of the parameters in the request
When constructing the base string you need to do the following:
Ensure HTTP request method is POST
URL encode the base URL
Ensure the three POST body parameters [client_id, client_secret, grant_type] are included in the normalized request parameters
Ensure each parameter is individually URL encoded and then URL encode the complete normalized request parameters string. So in effect, some of the parameters are double URL encoded. This double URL encoding is mentioned in Using OAuth with the Google Data APIs#Signing Requests for the oauth_token.
Only after doing all these steps did I get the migration request to work and receive a valid refresh_token.
Below is a sample base string
POST&https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Ftoken&client_id%3Dxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com%26client_secret%3Dxxxxxxxxxxxx%26grant_type%3Durn%253Aietf%253Aparams%253Aoauth%253Agrant-type%253Amigration%253Aoauth1%26oauth_consumer_key%3Dxxxxxxxxx%26oauth_nonce%3D4106001%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1400779530%26oauth_token%3D1%252FkklP1YPy_AULt7j_tttttt_tterwerkj_dfj45dflk
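Added worked example (not code from either answer or from Google): the steps listed above carried out in Python with only the standard library. It builds the normalized parameter string, the signature base string and the HMAC-SHA1 signature the way RFC 5849 sections 3.4 and 3.6 define them, with the three migration body fields included in the signed set, and shows where the "double encoding" of oauth_token and grant_type comes from. All credential values, the token secret, the nonce and the timestamp are constructed placeholders so the output is reproducible.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
MIGRATION_GRANT = "urn:ietf:params:oauth:grant-type:migration:oauth1"


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="-._~")


def normalize_params(params):
    """Encode every key and value on its own, sort by key, join with = and &."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    """METHOD & pct(base URL) & pct(normalized parameter string).

    The outer pct() is the "double encoding": an oauth_token of '1/abc' is
    '1%2Fabc' inside the normalized string and '1%252Fabc' in the base string.
    """
    return "&".join([method.upper(), pct(url), pct(normalize_params(params))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """Signing key is pct(consumer_secret) & pct(token_secret); output is base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_migration_request(client_id, client_secret, consumer_key, consumer_secret,
                            oauth_token, token_secret, nonce, timestamp):
    """Return the form body, the base string and the Authorization header for one
    migration POST. The three body fields are part of the signed parameters but
    never appear in the header."""
    body = {
        "grant_type": MIGRATION_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_token": oauth_token,
    }
    base = signature_base_string("POST", TOKEN_ENDPOINT, {**body, **oauth_params})
    signature = hmac_sha1_signature(base, consumer_secret, token_secret)
    header_params = {**oauth_params, "oauth_signature": signature}
    authorization = "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in header_params.items())
    return {"body": body, "base_string": base, "authorization": authorization}


def example_migration_request():
    """Constructed sample values (not real credentials); nonce and timestamp are
    fixed so the base string below is reproducible."""
    return build_migration_request(
        client_id="ZZZZZ.apps.googleusercontent.com",
        client_secret="SSSSS",
        consumer_key="XXXXX.apps.googleusercontent.com",
        consumer_secret="CONSUMER_SECRET",
        oauth_token="1/EXAMPLE_TOKEN",
        token_secret="TOKEN_SECRET",
        nonce="4106001",
        timestamp="1400779530",
    )


if __name__ == "__main__":
    req = example_migration_request()
    print(req["base_string"])
    print(req["authorization"])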

Related

Authorization Endpoint does not support data in the RequestBody as required by Section 4.2.1 Authorization Request of the OAuth 2.0 standard

Section 4.1.1. Authorization Request states:
The client constructs the request URI by adding the following
parameters to the query component of the authorization endpoint URI
using the application/x-www-form-urlencoded format, per Appendix B:
The use of the Content-Type x-www-form-urlencoded forces the request parameters to be sent in the body and not the query header. However, when submitted this way the authorization server returns an error indicating it cannot locate the client_id.
Is there a setting I need to change to support the request in the body rather than in the header?

Oauth request using RestSharp

I am trying to send an OAuth request to receive a token and no matter what I do I get an error that the nonce was already used. So I decided to send that same request using Fiddler and everything worked flawlessly. The only issue I see is with the request body. I have to send grant_type=client_credentials in the body and it must be of application/x-www-form-urlencoded type, not JSON nor XML. RestSharp describes adding JsonBody and XmlBody but both of those would set an incorrect content type on the request. In my code I am trying to add the body the following way:
req.AddParameter("grant_type", "client_credentials", ParameterType.RequestBody)
Is that the correct way to add the request body? I am also open to all suggestions as to what else might be causing that error.
Thank you
For OAuth, to generate a token the grant_type, code, client_secret etc. should be sent as query parameters. In RestSharp it is done as
request.AddQueryParameter("grant_type", "client_credentials")
Everything in detail about OAuth is here

How to fix "AADSTS90102: 'redirect_uri' value must be a valid absolute Uri." error in Microsoft Graph

Following this procedure:
https://learn.microsoft.com/en-us/graph/auth-v2-user
I'm trying to get a refresh token from this microsoft end point:
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize
Using the PostAsync method from the System.Net.Http.HttpClient class from NuGet (ASP.NET Core 2.2), I get a response back with this error: "AADSTS90102: 'redirect_uri' value must be a valid absolute Uri.":
I tried to set some redirect url in the Azure Portal including:
https://automation.legroupeti.com/Configurations/GetRefreshToken/
https://automation.legroupeti.com/Configurations/GetRefreshToken
https://automation.legroupeti.com/
https://automation.legroupeti.com
The POST request is the following (using the PostAsync method from the System.Net.Http.HttpClient class from NuGet (ASP.NET Core 2.2)):
Here are the configured redirect URLs from the registered application in the Azure Portal:
I expect a valid response from the endpoint.
How do I configure the redirect_uri to be valid?
EDIT 1
I fixed the redirect_uri parameter.
From the screenshot, it appears that the URLEncoding is incorrect. The '/' character in the path should be encoded to %2F, while your code has %2. (After '.com' and before 'Configurations'.)
Also, have you considered the Authorization Provider from the SDK?
https://learn.microsoft.com/en-us/graph/sdks/choose-authentication-providers?tabs=CS#AuthCodeProvider
I was getting this error and for me the issue was that I was encoding the redirect_uri value in the post request to the /oauth2/v2.0/token endpoint. Notice how redirect_uri is not encoded in this request.
POST /{Tenant ID}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
Cookie: {cookie}
Content-Length: 941
client_id={Application (client) ID}
&scope=https://graph.microsoft.com/mail.read
&redirect_uri=http://localhost/myapp/
&grant_type=authorization_code
&client_secret={secret}
&code={code}
I used the Postman sample provided by Microsoft to find the root cause.
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-access-token
You seem to be mixing the authorize and token endpoints.
If you want the user to authenticate, you have to redirect the user to that URL, not send a POST request to it.
After the user returns to your app, you need to exchange the authorisation code for tokens.
Documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-overview
If you want a token just for your app without user authentication, you need to call the token endpoint.
Documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-overview
I also faced the same problem:
AADSTS90102: 'redirect_uri' value must be a valid absolute Uri.
I tried a few URL variants (with encoding, without, etc.) in Chrome, but was getting different exceptions about a wrong URL. Then I used the Safari browser and voila, I got a response code.
In the final result, I just copied the URL from the documentation, pasted the tenant and client_id values from the registered application into the return_url parameter, and instead of the /myapp/ prefix I pasted %3A8080, where %3A is the : symbol. The redirect_uri param has to be the same as the URL in the registered application.
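Added example, not code from any of the posters or from Microsoft, covering the two points raised in this thread and in the earlier "Authorization Endpoint does not support data in the RequestBody" question: the authorization request is a GET whose parameters go in the query string and the browser is redirected to it, while the token request is a server-side POST with a form-encoded body; and redirect_uri must be an absolute URI, passed raw (the form encoder encodes it exactly once, and the server decodes it back) and identical to a registered value. The tenant id is a placeholder and the registered redirect set is constructed from the sample request above.

```python
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

# Placeholder tenant; the registered set mirrors the sample redirect_uri shown
# in the answer above (constructed, not a real app registration).
TENANT = "TENANT_ID_PLACEHOLDER"
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
REGISTERED_REDIRECT_URIS = {"http://localhost/myapp/"}


def redirect_uri_problem(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    """Describe why the value would be rejected (AADSTS90102 or a mismatch), or None."""
    parts = urlsplit(redirect_uri)
    if not (parts.scheme and parts.netloc):
        return f"not an absolute URI (needs scheme and host): {redirect_uri!r}"
    if unquote(redirect_uri) != redirect_uri:
        # Hand-encoded input: urlencode() below would encode it again ('%2F' -> '%252F').
        return "already percent-encoded; pass the raw value and let the form encoder encode it once"
    if redirect_uri not in registered:
        return f"{redirect_uri!r} does not exactly match a registered redirect URI"
    return None


def check_redirect_uri(redirect_uri):
    """Fail on the client with a clear reason instead of waiting for the server error."""
    problem = redirect_uri_problem(redirect_uri)
    if problem:
        raise ValueError(problem)
    return redirect_uri


def authorization_request(client_id, redirect_uri, scope, state):
    """Step 1 (RFC 6749 section 4.1.1): a URL the user's browser is redirected to.
    Parameters live in the query component; nothing is POSTed here."""
    check_redirect_uri(redirect_uri)
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # ties the callback to this session; verify it on return
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def token_request(client_id, client_secret, code, redirect_uri):
    """Step 2 (RFC 6749 section 4.1.3): a server-side POST with a form-encoded body."""
    check_redirect_uri(redirect_uri)
    body = urlencode({
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the value used in step 1
        "client_secret": client_secret,
    })
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": body,
    }


def decoded_params(encoded):
    """What the authorization server sees after decoding the form data once."""
    return {k: v[0] for k, v in parse_qs(encoded, strict_parsing=True).items()}


if __name__ == "__main__":
    print(authorization_request("APP_ID", "http://localhost/myapp/",
                                "https://graph.microsoft.com/mail.read", "STATE"))
    print(token_request("APP_ID", "SECRET", "CODE", "http://localhost/myapp/")["body"])
```

Running it shows redirect_uri as `http%3A%2F%2Flocalhost%2Fmyapp%2F` in both the query string and the body: that is one round of encoding done by urlencode(), which decodes back to the registered value. A truncated `%2`, as in the screenshot described above, never survives that round trip.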

How to authenticate using cloudcontrol REST API

I am trying to use the Cloudcontrol REST API.
Has anybody used that API? I did not find out how to authenticate.
As an example, I tried https://api.devcctrl.com/app/APPMNAME/deployment/default/error/
I found : https://api.devcctrl.com/doc/#Token but I don't understand how exactly to use it.
An example would be great.
What I really want to do: I want to deploy an app using REST API. I cannot use the CLI tools due to missing python installation.
Thanks
Mike
First, in order to get the token, you need to send an HTTP POST request to api.cloudcontrol.com/token/ using Basic Authentication with the email and password of your cloudControl account. You will get a JSON response like this:
{"token": "<TOKEN_KEY>"}
You need this token key to authenticate for all other requests to the API. To do so, add an Authorization Header to your request with this content:
Authorization -> cc_auth_token="<TOKEN_KEY>"
Furthermore, you might also need to set up some other headers for PUT or POST requests, like:
Content-Type -> "application/x-www-form-urlencoded"
Content-Length -> <length of your parametrized url values, e.g. bar=baz&foo=qux>
Accept-Encoding -> "compress, gzip"
You can find examples of this usage in the pycclib (Python) or gocclib (Go) libraries.

Google Drive SDK authorized GET request using downloadUrl

In my Rails 3 app, I am able to successfully authenticate using OAuth2 and to get the metadata for a file. The downloadUrl is
https://doc-10-3o-docs.googleusercontent.com/docs/securesc/tj647mo7q16s2rquitcrcv800pkn7gcf/ap67p147th03cn8rjpu68i8qva3p7i8j/1345240800000/02289284805103305740/02289284805103305740/0BwsQ03A3DXbCTVBjUDlNNzNJNDQ?h=16653014193614665626&e=download&gd=true
The documentation states that I must do the following:
Gets a file's metadata by ID. To download a file's content, send an authorized HTTP GET request to the file's downloadUrl
I do not wish to use the Google APIs Client Library for Ruby, but simply formulate an HTTP request using HTTParty.
Here is a snippet of the code I've been trying to get to work
# URL must be a string; Ruby interpolation is #{...}
response = HTTParty.get("https://doc-10-3o-docs.googleusercontent.com/docs/securesc/tj647mo7q16s2rquitcrcv800pkn7gcf/ap67p147th03cn8rjpu68i8qva3p7i8j/1345240800000/02289284805103305740/0?access_token=#{token}")
open("/User/mymachine/test.pdf", 'wb'){|pdf| pdf << response.body}
I'm pretty sure I'm formulating the request wrong. Any help would be greatly appreciated. Thanks in advance.
You have to add the Authorization: Bearer header to your request, together with the access token you retrieved during the OAuth 2.0 flow.
Basically, your HTTP request must look like the one in the OAuth 2.0 documentation:
https://developers.google.com/accounts/docs/OAuth2WebServer#callinganapi
I'm not a Ruby expert, but the request using HTTParty should be:
# Bearer scheme as described above; token is interpolated with #{...}
response = HTTParty.get(downloadUrl, :headers => {"Authorization" => "Bearer #{token}"})
Where downloadUrl is the one you got from the file's metadata and token is the access token you retrieved when performing authorization.
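Added example, not code from the asker or the answerer (whose snippets are Ruby/HTTParty), showing the same authorized GET in Python with the standard library: the access token travels only in the `Authorization: Bearer` header and is refused in the query string, where it would end up in proxy logs, browser history and Referer headers. The opener is injectable so the request logic can be exercised offline; `offline_opener`, the download URL and the PDF bytes are constructed stand-ins, not a real Drive response.

```python
import io
import urllib.request

CONSTRUCTED_PDF = b"%PDF-1.4 constructed sample body"


def authorized_get(download_url, access_token):
    """Build the GET for a Drive downloadUrl with the token in the header only."""
    if "access_token=" in download_url:
        raise ValueError("carry the token in the Authorization header, not in the URL")
    if not access_token:
        raise ValueError("empty access token")
    return urllib.request.Request(
        download_url,
        headers={"Authorization": f"Bearer {access_token}"},
        method="GET",
    )


def fetch_bytes(download_url, access_token, opener=urllib.request.urlopen):
    """Perform the request and return the body; opener defaults to a live urlopen."""
    with opener(authorized_get(download_url, access_token)) as resp:
        return resp.read()


def download_file(download_url, access_token, destination, opener=urllib.request.urlopen):
    """Stream the body to disk in chunks (the Ruby snippet's open(..., 'wb') step)."""
    written = 0
    with opener(authorized_get(download_url, access_token)) as resp, open(destination, "wb") as out:
        for chunk in iter(lambda: resp.read(64 * 1024), b""):
            out.write(chunk)
            written += len(chunk)
    return written


def offline_opener(request):
    """Stand-in for urlopen (constructed): behaves like a server that checks the header."""
    auth = request.get_header("Authorization")
    if not auth or not auth.startswith("Bearer "):
        raise PermissionError("401 Unauthorized: missing bearer token")
    return io.BytesIO(CONSTRUCTED_PDF)


if __name__ == "__main__":
    url = "https://doc-10-3o-docs.googleusercontent.com/docs/securesc/CONSTRUCTED_PATH"
    print(len(fetch_bytes(url, "ya29.CONSTRUCTED_TOKEN", opener=offline_opener)), "bytes")
```

With the default opener the same call goes to the real downloadUrl from the file's metadata; the only thing that changes between the offline run and a live one is the opener.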