Express Checkout error message: "Security header is not valid" - api

I'm implementing Express Checkout in PayPal.
I have no problem with the first two steps, SetExpressCheckout and GetExpressCheckout. But when I use DoExpressCheckout, I encounter the error "Security header is not valid".
The API credentials are the same!
I've fixed it by changing the $environment to live in DoExpressCheckout. (The difference $environment makes is that it'll use https://api.sandbox.paypal.com/nvp/ instead of https://api-3t.$environment.paypal.com/nvp)
But why?
Is there something wrong with https://api-3t.$environment.paypal.com/nvp?

https://api-3t.sandbox.paypal.com/nvp requires different user-accounts than what https://api-3t.paypal.com/nvp requires.
The sandbox accounts can be activated at developer.paypal.com

I had the same error being thrown for the live environment. For me, it turned out there was a trailing space at the end of my API username.... I removed the space and it worked fine.... I'd pasted them into a config file straight from PayPal and must've copied a blank there as well... so if this happens to you, check for trailing spaces! This would've been obvious if the username was hardcoded in a string, but wasn't because it was in a java properties file.
note that you'll also get this error if your credentials are wrong (ie bad username, password or signature). I just had the same issue happen when I pasted in my info to a config file, and had extra characters at the end of my signature by mistake.

He may not grant permission for checkout. Refer to this article, apparently down for now but still available here.

Related

"User is unauthorized" error with sample web viewer app

I'm following the instructions here: https://www.itwinjs.org/learning/tutorials/develop-web-viewer/ to create a sample web viewer app. The doc says to update variable IMJS_CONTEXT_ID which is not in the .env file and doesn't appear with "Show IDs" for my iModel (I have created a github issue for the doc already). I've tried updating the variable IMJS_ITWIN_ID instead with the "iTwin ID" from my iModel. When I start the app I get an error page "An Error Has Occurred: The user is unauthorized. Please provide valid authentication credentials". I have checked the variables IMJS_AUTH_CLIENT_CLIENT_ID, IMJS_AUTH_CLIENT_REDIRECT_URI, IMJS_AUTH_CLIENT_SCOPES, IMJS_ITWIN_ID, IMJS_IMODEL_ID and all appear to be correct. Is there something else I need to configure?
Sorry, the tutorial you're referring to is a bit outdated now. Have you taken a look at https://developer.bentley.com/tutorials/web-application-quick-start/?
In the new #itwin/web-viewer-react templates we renamed IMJS_CONTEXT_ID to IMJS_ITWIN_ID. We also made some changes to the required scopes, you'll need namely imodelaccess:read, imodels:read, and realitydata:read. Please make sure your auth client has the above scopes and you have access to the model. If you still have trouble, feel free to continue the discussion over at https://github.com/iTwin/itwinjs-core/discussions

Parameter not allowed for this message type: code_challenge_method, how to fix it in nuxt?

in Nuxt I have the title error using auth v5. This is my current strategy:
The docs (https://dev.auth.nuxtjs.org/schemes/oauth2#codechallengemethod) says that you can use "plain" or "S256" as an option, I tried both but the error persists.
The only I cant manually get it work is by copy-pasting the oAuth in the url:
https://accounts.google.com/o/oauth2/auth/identifier?protocol=oauth2&response_type=token&client_id=MYCLIENTID&redirect_uri=https%3A%2F%2Flocalhost%3A3005%2Flogin&scope=profile%20email&state=sIpW-W_6h_QwUs0gCDV_o&flowName=GeneralOAuthFlow
Compare that link to the following:
https://accounts.google.com/o/oauth2/auth/identifier?protocol=oauth2&response_type=token&client_id=MYCLIENTID&redirect_uri=https%3A%2F%2Flocalhost%3A3005%2Flogin&scope=profile%20email&state=sIpW-W_6h_QwUs0gCDV_o&code_challenge_method=S256&code_challenge=fnyp2Ray850HEmHEwmoyQtIrPFPpHWBt4nVAz9p5Vxs&flowName=GeneralOAuthFlow
The only difference between the first and second link is that the first one actually works (I can login) and it doesn't have a challenge_method.
The second link doesn't work (it displays the google image above) but if you read the end of the link it has both the code_challenge_method & code_challenge
After many hours of trial and error, the only way to make it work is by setting code_challenge_method to an empty string, like this:
The demo used in the nuxt auth module, does the same thing, they don't use any code_challenge_method with the google strategy
EDIT 10/06/2021
After doing further investigation, it seems that if I only use an empty code_challenge_method (just like the image above), google auth just doesn't seem to work anymore, my bet is that a broken commit was merged here, so in order to fix it I added a new property to my google strategy:
responseType: 'token id_token'
I also created a report for that bug here
I had the same error and this setup has fixed my issues. Note I am using Next-auth but the parameter name is the same except for the naming convention. Set response_type value to code. Setting the response_type value to token will issue an error, so use code instead.

How can I update the user password in Selenium-Grid-Extras?

Can anyone link me to a good Selenium-Grid-Extras guide? I have it installed, and need to customize it. Specifically, I need to update the credentials, and reboot settings. When I go to my link: http://XX.XX.XX.XX:3000/user_auto_logon, I can see the settings, but I don't know how to change them. Also, when I open my selenium_grid_extras_config.json I don't see a section that has any of this information to update. Also, even if I did find a section in the selenium_grid_extras_config.json, how would I update the password for the existing username... I'm sure it's not going to be displayed in plain text. Thanks in advance!
From Shawn McCarthy. This solved my problem:
If you want, you can just delete the selenium_grid_extras_config.json file, and rerun the jar file and it will go through the FirstTimeRunConfig again.
You should be able to pass in the username and password to the endpoint as well, http://XX.XX.XX.XX:3000/user_auto_logon?username=YOUR_USER&password=YOUR_PASSWORD
You can check out the /api endpoint to see all the possible endpoints, and the accepted parameters (and which ones are required or not). Usually with no parameters, it does a get current status/value.
Thanks Shawn!

How to propagate data from mod-auth-external authenticator to served page

Background
In our Apache configuration we use mod-auth-external (previously on Google Code) to invoke PAM authentication.
Now there is a request for proper handling of shadow-based password expiration:
If password is before warning period Apache should respond with HTTP status code 200. Nothing new here.
If password is in warning period (its validity end is near) Apache should respond with HTTP status code 200, but include somehow information about the warning period.
If password is in expiration period (it is no longer valid but user can still change it on his own) Apache should respond with HTTP status code 401 and include somehow information about expiration period.
If password is beyond expiration period (it is no longer valid and account was locked, administrator must unlock it) Apache should respond with HTTP status code 401 and include somehow information about the locked state.
(There are also corner cases of page missing or some other errors. It is not clear what to do then. But it seems that solving above points would allow to solve those corner cases as well.)
Our PAM authenticator (used through mod-auth-external) is able to differentiate those cases by adjusting return values. That we already have.
The problem is however how to get information from the authenticator to the associated action serving the page (either actual page with 200 status code or 401 error document).
Current investigations
It should be noted that there is significant difference between requirement 2 and requirements 3 and 4.
Requirements 3 and 4 alone are somewhat easier because they both involve our mod-auth-external authenticator returning error (access denied). So we only need to know how to get that error code in 401 error page. I even raised issue on that on mod-auth-external page.
Requirement 2 is much more difficult. In that case our authenticator must return 0 (access granted) and still somehow propagate information about the warning to whatever gets served in the end.
Logs parsing
Obvious (and ugly) idea is to parse logs. mod-auth-external description on Google Code Wiki mentions that authenticator return value gets written to Apache syslog. Also whatever authenticator prints to standard error stream gets logged as well.
This could be used to pass information from authenticator to some other entities.
The difficulty here is that it is not clear how to do it safely. What to print to be sure that "the other entity" will match properly current request with log entry. Mere URL doesn't seem to be enough since there can be multiple requests for the same URL at the same time. While I don't see anything more useful in what authenticator gets.
Another issue here is that it seems that to be able to parse the logs you have to have some non-trivial code running for "the other entity". And this complicates things further since how should we do it?
Another idea
If we could make the authenticator somehow modify "request session" (or whatever, maybe just environment? - I don't know, I'm new to Apache) to add arbitrary data to it we would be (almost) at home.
Our authenticator would somehow store "password status" and also possibly days remaining to the end of warning/expiration period (if applicable). Then upon serving 401 error page we would retrieve that back and use it to dynamically generate content of the page.
Or even better we would have it stored in session so that the other end could read that data directly. (For cases where it is not simply a browser showing page.)
But so far I fail to see how to do that.
Do you have any idea how to meet those requirements?
For over a month I got no answer here. Nor on GitHub issue that I opened for mod-auth-external.
So I ended doing a custom modification to our mod-auth-external. I don't like modifying third party software but this one seems dead anyway. And also it turned out we are using pretty old version (2.2.9 which I upgraded to 2.2.11, the last in 2.2.x line). Which already had some customizations anyway.
I explained details of the solution in a comment to my GitHub issue so I will not repeat them here.
I will however comment on shadow details as they were not mentioned there.
I had two choices: either use getspnam function to retrieve shadow data or to parse messages generated by PAM. First attempts based on getspnam function but in the end I used PAM messages. I didn't have strong reasons for any of those. However I decided to propagate in HTTP response not only shadow status but any PAM message that was generated and so it seemed easier to follow that way.

invalid_client in google oauth2

I try to make a web page for youtube video upload, therefore I try to get the client id from google api console, and in the api console it shows something like this:
Client ID: 533832195920.apps.googleusercontent.com
Redirect URIs: http://bobyouku.ap01.aws.af.cm/testyoutube.php
https://developers.google.com/oauthplayground
However when I try to test my account using the following URL:
https://accounts.google.com/o/oauth2/auth?client_id=533832195920.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Fbobyouku.ap01.aws.af.cm%2Ftestyoutube.php&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fyoutube&response_type=code&access_type=offline
It gives out the result of invalid_client. Even when I try it on oauth2 playground, same fail occurs
So anyone knows what's happen?
Set/change your product name, I had this issue until I created a product name as same as project name.
The product name can be set in the Consent screen section of the Google Developers Console for your project. Look under APIs & auth in the left navigation and select Consent screen.
You need also to set your email address in the box above the product name.
After copy values from Google web UI, I had a blank space for:
client_id
secret
And at the BEGINNING and at the END for both.
This happens even when clicking on the "copy" button.
Trim the leading and trailing white space from both the client_id and client_secret. Google's copy button does not do this for you.
Set both the email address and product name fields for the OAuth consent screen.
Setting EMAIL ADDRESS and PRODUCT NAME in the consent screen of Google developer console, solves the error "Error: invalid_client. The OAuth client was not found." for me.
I had .apps.googleusercontent.com twice in my ID.
It was a copy and paste issue "Your ID HERE".apps.googleusercontent.com
invalid_client can also simply means that your client ID and client secret are wrong when you create your Oauth2 object.
in this thread i found my answer.
I went to google console,
generate a new project, made refresh, because in my case after create the page didn't reload
select new project
create a client ID
use it for what you need
thanks guys :D
In my case this turned out to be something else, namely my code used an environment variable that hadn't been set properly (and stupidly wasnt checked by my code). Setting it, recompiling assets, and restarting the app did the trick.
If you follow the documentation, from this page
https://developers.google.com/identity/sign-in/web/sign-in#specify_your_apps_client_id
you'll see
<meta name="google-signin-client_id" content="YOUR_CLIENT_ID.apps.googleusercontent.com">
But it's wrong. It should be
<meta name="google-signin-client_id" content="YOUR_CLIENT_ID">
The issue is that the '.apps.googleusercontent.com' gets added anyway. If you do it like the documentation says, you get '.apps.googleusercontent.com' twice
I solved this by removing unnecessary quotes from my clientID and clientSecret values.
Did the error also report that it was missing an application name? I had this issue until I created a project name (e.g. "Project X") in the project settings dialog.
probably old credentials are invalid
see the answer below
stackoverflow answer
or short names may work
see the answer below
stackoverflow answer
or product name same as project name as answered already
at times one may include extra space in the
check twice this line so that you are redirected to the correct url
I solved my problem with trim :
'google' => [
'client_id' =>trim('client_id),
'client_secret' => trim('client_secret'),
'redirect' => 'http://localhost:8000/login/google/callback',
],
None of the following were my issue - I resolved this by opening an incognito window. Something was obviously being cached somewhere, no amount of changing auth client settings helped and there were never any trailing or leading spaces in config values.
Check your Project name on Google APIs console.
you choose another project you created.
I was same error.
my mistake was choosing diffirent project.
At Credentials
Accept requests from these HTTP referrers (web sites) (Optional)
Use asterisks for wildcards. If you leave this blank, requests will be accepted from any referrer. Be sure to add referrers before using this key in production.
Add . (star dot star) . It work fine for me
I accidentally had a value in the Client Secret part of the URL, but Google Credential does not need a Client Secret for Android OAuth 2 Client IDs. Simply leaving the value blank in the URL did the trick for me.
Steps that worked for me:
Delete credentials that are not working for you
Create new credentials with some NAME
Fill in the same NAME on your OAuth consent screen
Fill in the e-mail address on the OAuth consent screen
The name should be exactly the same.
Another thing to check:
When you install the GoogleAPIs into a .Net app with NuGet, it will inject a new set of dummy values in your *.config file.
Check that any original values are still in place, and remove dummy entries.
Deleting client ID and creating new one a couple of times worked for me.
Mine didn't work because I created it from a button from the documentation. I went again to the project and created another OAuthClientID. It worked. Yes, be careful about the extra spaces on right and left too.
For best results make sure you have the complete details as follows:
{"client_id":"282324738-4labcgdsd4nlh34885s2d34tmi.apps.googleusercontent.com","project_id":"abcd23ss-212808","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://www.googleapis.com/oauth2/v3/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_secret":"23452-dfgdfgcdfgfd","redirect_uris":["http://localhost:6900/auth/google/callback"],"javascript_origins":["http://localhost:6900"]}
This data is always available for download as JSON from https://console.developers.google.com/apis/credentials/oauthclient/
If you are in Meteor JS, you have to use clientId instead appId:
Since facebook uses appId and google clientId.
ServiceConfiguration.configurations.upsert({
service: "google"
}, {
$set: {
clientId: process.env.OAUTH_GOOGLE_APP_ID,
loginStyle: "popup",
secret: process.env.OAUTH_GOOGLE_SECRET
}
});
I spent some hours to realize over that.
I wish I had seen this post before, because there are a lot of things I had to find out trial and error. A lot can go wrong with this. Here's another issue I had:
Whe you specify the Authorised Javascript origins or Authorised redirect URIs, make sure to include your domain with and without www. So https://google.com and https://www.google.com
Also I had uploaded an Application logo. Because of that, the consent screen required a review... which takes forever. Don't upload an Application logo, or be very patient.
this could also be because of not using https url.
In other words,this only works with https. It works with http only in localhost
The solution that worked for me was to remove the ' single quotes and remove additional spaces at the end of the client id and secret in the .env file