I'm trying to build up an OAuth2 provider with Doorkeeper and I wanted to test all existing flows, but got stuck at the first attempt.
I'm trying to test the authorization code flow. Everything works fine on getting the authorization code, but once I try to get the access token something gets wrong. Below mentioned are some of the steps.
describe 'when sends an access token request' do
let(:access_params) do
{ grant_type: 'authorization_code',
code: authorization_code,
redirect_uri: application.redirect_uri }
end
let(:access_uri) { '/oauth/token' }
before { page.driver.post access_uri, access_params }
it 'returns valid json' do
pp page.source
end
I was expecting the json with the final access token, but I got this error. I checked out pretty well the client and the params. All seems fine to me.
{"error":"invalid_client","error_description":"Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method."}
Can you help me on understanding what is missing?
Thanks
I finally got it work. I missed one important aspect about the OAuth2 specs, where the client must identify itself using basic auth. I solved adding it before the post, and it worked pretty well.
before do
page.driver.browser.authorize application.uid, application.secret
page.driver.post access_uri, access_params
end
Related
If ClaimsIdentity set through JwtBearerAuthentication middleware doesnt have enough roles required through
[Authorize(Roles="whateverrole")]
it returns 401 instead of 403.
I am struggling with this in asp.net core web api whole night. I have also seen this question on stackoverflow but i havent seen any solution i could make work. The order of registering middleware nor AutomaticChallange setting did the job.
I dont know if i am missing something but it seems shocking that this hasn't been solved properly for years. It is so annoying.
Is there any normal, usual, non-workaround, non-hack way of solving this?
UPDATE (in response to comment from #juunas)
I have tried that and roles are mapped correctly from Claims.
So, if i remove Roles requirement from attribute, for all roles that user is assigned to (in JWT token) User.IsInRole(x) returns true. So mapping works just fine.
About moving from roles based authorization to policies...can you provide some some link with some best practices, recommendations or something that you base that statement on?
I am not saying its not something to be done but would just like to understand it.
It's important to understand the difference in these to errors to understand why you will get one and not the other.
401 is for authentication. If you are getting this error then you have to ask yourself is the user logged in, or does the user have a current token provided by a valid token provider? If the token has expired or the provider is not valid then you can get a 401. If this is what you are getting then you need to check User.Identity.IsAuthenticated does this return true? Most likely it returns false.
403 is for authorization. This would mean the user has a valid token, but the token they have does not give them access to the resource they are requesting. This is where you would want to check User.IsInRole() and it would return false.
If you're getting 401 it means that the user hasn't been authenticated i.e. they have not logged in, their login was invalid, the token has expired... etc. As far as your application is concerned the user hasn't proved they are who they say they are yet.
Edit: Apologies for assuming the user wasn't Authenicated, I didn't see where you stated that they where in your first post. It's hard to help without seeing code but my next guess is that the Claims check hasn't been added to the services pipeline.
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();
services.AddAuthorization(options =>
{
options.AddPolicy("whateverrole", policy => policy.RequireClaim("whateverrole"));
});
}
This is in your Startup.cs. MS doc is here https://learn.microsoft.com/en-us/aspnet/core/security/authorization/claims
Last update: Simply put using the default Authorize attribute tag you can't change it. MS designs I this way due to the number of layers in the pipeline that could impact authentication. I was unaware of this because I use a custom Authorize attribute and forgot that I over wrote the way it handled status codes.
However I found a nice solution that might suite your needs https://github.com/aspnet/Security/issues/872#issuecomment-232624106
It adds an error page to the pipeline prior to the app.UseMvc() that redirects authentication errors to an error page that returns the correct status code.
I have successfully set up Graph.cool Auth0 authentication and created a User through Relay as described here.
Next I'd like to actually query graph.cool on behalf of this user. As a first step, I simply manually modified the Relay setup to specify the same auth token as was used to create the User in the first place (through the idToken on type AUTH_PROVIDER_AUTH0):
Relay.injectNetworkLayer(
new Relay.DefaultNetworkLayer(process.env.GRAPHQL_ENDPOINT, {
headers: {
Authorization: 'Bearer XXX.YYY.ZZZ',
},
})
);
However, the app stops rendering and I just get a console warning RelayPendingQueryTracker.js:153 Server response was missing for query Index. Any hints?
When calling the signinUser or createUser mutation, a Graphcool token is returned in the payload. https://www.graph.cool/docs/faq/graphcool-session-user-goij0cooqu
This is the token you need to use in the Authorization header instead of the Auth0 idToken.
Maybe it can also be a help to take a look at how we do it in the dashboard https://github.com/graphcool/dashboard/blob/master/src/views/LoginView/LoginView.tsx
Hope this helps!
I'm trying to use the Survey API.
When I try and use the form online to request an Authorization token I get a
error message.
Invalid or missing access token" error message.
The form to test the API calls also asks for a Client Secret code but yet it auto fills the box with the API Key.
Any help here would be nice.
I'm not sure if this is a bug on Survey Monkey's end either in the API or the form that tests the API.
You should have received a reply to this via email but I wanted to ensure this was answered here in case anyone else is having the same issue.
There was a bug on our API console preventing an access token being issued, this is now fixed.
The access token has to be copied into the "Authorization" parameter in the format "bearer ". e.g. if your access token is 'fdhjfu3cc8ss=', make sure the Authorization parameter has "bearer fdhjfu3cc8ss=" in it (with no quotes). Note that you need to use the Access Token returned, not the Authorization Code.
Recently, I am trying to get e-mails from Gmail, using XOAuth2 protocol.
Especially, I am using "OAuth2Authenticator.java" from https://code.google.com/p/google-mail-oauth2-tools/downloads/list.
But, I always get an invalid credential error like the follwoing:
A1 NO [ALERT] Invalid credentials (Failure)
Exception in thread "main" javax.mail.AuthenticationFailedException: [ALERT] Invalid credentials (Failure)
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:566)
at javax.mail.Service.connect(Service.java:265)
Before reading, due to the limitation of putting a link, I cannot write "httoo://" so that please think of that this http header is front of some url information.
Before posting this question, I think I looked most of the articles about this one. Many articles are about using OAuth1.0 (deprecated) But, I still cannot figure out how I can make it work with OAuth2 & XOAuth2. I appreciate any suggestion/helps.
The following is the steps I am taking:
get an access token through OAuth2 with the scope of mail.google.com/
just put this access token & gmail account (e.g. test#gmail.com) into "OAuth2Authenticator.java".
After this procedure, I always get invalid credential.
The interesting stuff is that I can get unread mails through Feed URL (i.e. https://mail.google.com/mail/feed/atom) which is specified in Google OAuth2.0 Playground.
This indicates that I am sure that I get the correct access token. But, does not work at all for IMAP with this sample code.
Actually, the scope "mail.google.com/" is not included in the list of Google OAuth2.0 Playground.
For getting access token for XOAuth2, is there any other special way to get access token?
For the official page about XOAuth2, we need to use base64 to encode the access token.
But, I think the sample code is doing this procedure.
Also, SMTP of this sample did not work at all. But, after changing the properties, I could make it work. Is this code old?
But, unfortunately, what I need is IMAP. But, after trying setting some different/new properties, IMAP does not work at all....
I am stuck on this problem for a long time. So, I posted this question.
I really appreciate any suggestion/helps.
Regards
I figured out your problem regarding invalid credentials
A1 NO [ALERT] Invalid credentials (Failure) Exception in thread "main"
javax.mail.AuthenticationFailedException: [ALERT] Invalid credentials (Failure) at
com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:566) at
javax.mail.Service.connect(Service.java:265)
To remove above error you have to invalidate your Token and get a new token using below code
1- accountManager.invalidateAuthToken("com.google", token);
after invalidate token you have to get Refresh token using below code
String newToken = AccountManager.get(this).getAuthToken(new Account(account,"com.google"),
AUTH_TOKEN_TYPE, true, null, null).getResult().getString(AccountManager.KEY_AUTHTOKEN);
using new token now you are able to login.
maybe I am not understanding the OAuth flow correctly, but this is what I want to be able to do: I have a service that will issue request to Trello's API, so, in order to perform some of the requests, I need to have a access token.
Is this even possible? I know that you can do this with other services, like Twitter, but I don't know if I can do this against Trello.
I am using NodeJS with a library called oauth to do this, and my flow looks like this: I created a new OAuth object, call getOAuthRequestToken and then I call getOAuthAccessToken in the callback, and is there where I get an 500 error saying that the oauth_verifier is missing.
Here the piece of code I am talking about:
var OAuth = require('oauth').OAuth,
oauth = new OAuth('https://trello.com/1/OAuthGetRequestToken?key=' + config.key,
'https://trello.com/1/OAuthGetAccessToken',
config.key,
config.secret,
'1.0',
null,
'PLAINTEXT');
oauth.getOAuthRequestToken(function(error, oauth_token, oauth_secret, results){
//Here I have some error handling code
oauth.getOAuthAccessToken(oauth_token, oauth_secret,
function(error, oauth_access_token, oauth_access_token_secret, access_results){
//Here I would be storing the access token for later, etc.
}
});
So, obviously, I am not passing the oauth_verifier parameter to the getOAuthAccessToken method (I checked in the code and that function is expecting the verifier as third parameter), but I am not doing it because I do not have it: the results object is empty and I do not know how to get it programmatically.
Another thing to notice is that I am passing the key parameter in the request token url and using plaintext as signature because I just thought that would be the right thing to do (I haven't see any reference in the documentation about what kind of signature to use or if I need to pass the key as a parameter).
Am I doing things really wrong? Am I in the correct track? what am I missing?
As always, thanks in advance! =)
Trello docs don't say much about oAuth.
I'd speculate that the issue would be that Trello is oAuth 2.0 (used by Facebook, Google) and you're using the oAuth 1.0 scheme (used by Twitter, Tumblr).
For what it's worth, the node-oauth library has an oAuth2 implementation in its lib directory you can include via require in node.js.