I am trying to build an application with Box SDK in Java. Currently, I am connecting to my Box with a developer token:
BoxAPIConnection api = new BoxAPIConnection("MY-DEVELOPER-TOKEN");
I have to generate a new developer token every 60 minutes, therefore I would like to make it so this is done automatically. According to the Box API authentication doc, we can do it with:
BoxAPIConnection api = new BoxAPIConnection("MY-CLIENT-ID", "MY-CLIENT-SECRET", "MY-AUTH-CODE");
However, I get:
Exception in thread "main" com.box.sdk.BoxAPIException: The API returned an error code: 400
{"error":"invalid_grant","error_description":"Auth code doesn't exist or is invalid for the client"}
I get my Client ID and Client Secret from the configuration page of my Box account, so I assume these are correct. Where can I get my authentication code? The one I am using is the one from a pop-up window when I first connected to my account.
You can get the authentication code like this:
go to a browser and type in with your client_id:
https://account.box.com/api/oauth2/authorize?response_type=code&client_id=xxxxxx&state&state=security_token%3DKnhMJatFipTAnM0nHlZA
authorize the app and you'll get a code back (make sure your redirect is something like localhost
then use postman and do this (fill in the code w/ what you just got back)
Related
I get a valid code on the client side login of my application using angularJS Oauth Module GAuth.checkAuth(). and then GAuth.getToken().
The code is valid only for 1 hour and any API like GoogleDocs,Gmail accessed after 1 hour fails and needs relogin.
To overcome this I am trying to send the code to the server for getting AccessCode at Server so that I can send same with requests to GoogleDocs, Gmail etc
GoogleAuthorizationCodeTokenRequest req =
new GoogleAuthorizationCodeTokenRequest(
new NetHttpTransport(),
JacksonFactory.getDefaultInstance(),
"https://www.googleapis.com/oauth2/v4/token",
// "https://accounts.google.com/o/oauth2/token",
"901142925530-21ia7dqnsdsdsndnsnnnfdc9cm2u07.apps.googleusercontent.com",
"6NSvw0efghyuuG8YGOBWPln79n",
authCode,
"http://localhost:8080");
req.setGrantType("authorization_code");
//req.put("refresh_token", authCode);
//req.put("access_type", "offline");
GoogleTokenResponse tokenResponse =
req.execute();
tokenResponse.getAccessToken()
Where authCode is the code I received in GAuth Token
But the call is failing and in response I get
400 Bad Request
{
"error" : "invalid_grant",
"error_description" : "Incorrect token type."
}
Any help is highly appreciated!
When the user first authenticates your application you are given an authorization code. You then need to take this authorization code and exchange it for an access token and a refresh token. Once the authorization code has been used it can not be used again.
grant_type=authorization_code
Denotes that you are asking Google to verifiy that your authorization code and give you a new access token and refresh token.
It sound to me like you are taking either the access token returned from that request and sending it to grant_type=authorization_code end point which is not going to work its the wrong type of code. hens the error you are getting of
400 Bad Request { "error" : "invalid_grant", "error_description" : "Incorrect token type." }
You will need to take the refresh token you are given. If there is one I am not sure that you can even get a refresh token from AngularJs. You can get one using java though.
A refresh of an access token in pure rest will look like this
https://accounts.google.com/o/oauth2/token
client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&refresh_token=1/ffYmfI0sjR54Ft9oupubLzrJhD1hZS5tWQcyAvNECCA&grant_type=refresh_token
Note the &grant_type=refresh_token. If you are using the Google api java client library it should handle all of that for you. However your tagging is a little confusing its unclear if you are trying to do this in java or angularjs which I do not believe will allow you to use refresh tokens. Again I am not an angular dev I could be wrong on that point.
Anwser:
You the code you are sending is not an authorization code. Only an authorization code can be sent to grant_type=authorization_code. Solution: Send an authorization_code
Types of Google codes and tokens:
There are three types of codes or tokens you should be aware of with Oauth2.
Authorization code.
Refresh token
Access token
When you request access of a user and they grant your application access you are given an Authorization code. The Authorization code is short lived it probably less then 10 minutes and it can only be used once.
The Authorization code is used to get the initial access token and the refresh token from googles authentication server. by using the grant_type=authorization_code
Access token are good for about an hour. They are used to make calls to google APIs
https://www.googleapis.com/plus/v1/people/me?access_token={your access token}
You can use the access token as often as you want during that hour assuming you don't blow out some quota.
Refresh tokens are used to request a new access token from the Google authentication server when the access token you have current has expired or you just want a new one. here the grant_type=refresh_token is used to request a new access token you are essentially telling google I am sending you a refresh token you know what to do.
additional reading
I have a coupe of tutorials that might help you out Google 3 Legged OAuth2 Flow and Google Developer Console Oauth2 credentials
Also helpful when learning Oauth: The OAuth 2.0 Authorization Framework
I'm sure this is basic and I'm missing something. I've read through other answers on SO, I've googled, I've read resources and I just can't wrap my head around what I need to do.
I'm trying to figure out how to write an app that connects to Twitch's API, specifically how to authenticate with Twitch's api. Their documentation is here: https://github.com/justintv/Twitch-API/blob/master/authentication.md
I've created an app and stored my keys.
Now comes the part where I want my user to click a button which launches the authentication on their website. From what I can tell I do this by using an AccountManager. Except... I can't figure out what I'm supposed to do.
Here's the excerpt I've found online:
AccountManager am = AccountManager.get(this);
Bundle options = new Bundle();
am.getAuthToken(
myAccount_, // Account retrieved using getAccountsByType()
"Manage your tasks", // Auth scope
options, // Authenticator-specific options
this, // Your activity
new OnTokenAcquired(), // Callback called when a token is successfully acquired
new Handler(new OnError())); // Callback called if an error occurs
According to twitch's documentation I want to send the user to:
https://api.twitch.tv/kraken/oauth2/authorize
?response_type=code
&client_id=[your client ID]
&redirect_uri=[your registered redirect URI]
&scope=[space separated list of scopes]
&state=[your provided unique token]
And I simply have no idea how these two things need to be combined.
Firstly, I recommend to read the OAuth2 RFC. This should cover everything you need to know.
The AccountManager code snippet won't help you much unless there already is an app that provides authentication for Twitch. If that's not the case you either need to use an existing OAuth2 library or implement your own.
You could write your own AccountAuthenticator but that's a different challenge (and you still need some kind of OAuth2 client).
Doing it yourself is not that hard, see below.
Steps to implement it yourself
Twitch recommends to use the "Implicit Grant Flow" for mobile apps. That's what I'm going to describe below.
1. Get a client ID
Register your app as outlined in Developer Setup to get a client ID
As redirect URI you can use something like https://localhost:12398/, the actual port doesn't really matter.
2. Build the authentication URL
In your client app you need to construct the authentication URL like so:
https://api.twitch.tv/kraken/oauth2/authorize?
response_type=token&
client_id=[your client ID]&
redirect_uri=[your registered redirect URI]&
scope=[space separated list of scopes]
Apparently [your client ID] should be replaced by the client ID you've received from Twitch, same goes for [your registered redirect URI] (that's the URL above, i.e. https://localhost:12398/). [space separated list of scopes] is the list of scopes (i.e. features your want to access), see Scopes. Make sure you URL-encode the parameter values properly.
Assuming your client ID is 123456 and the scopes you need are user_read and channel_read your URL would look like this:
https://api.twitch.tv/kraken/oauth2/authorize?
response_type=token&
client_id=123456&
redirect_uri=https%3A%2F%2Flocalhost%3A12398%2F&
scope=user_read%20channel_read
Note that you should also pass a state parameter, just use a randomly generated value. You can also append the (non-standard) force_verify parameter to make sure the user actually needs to log in each time (instead of continuing a previous session), but I think you can achieve the same by clearing the cookie store (given that you open the URL in a webview in the context of your app) before you open the login page.
With a random state the URL would look like this:
https://api.twitch.tv/kraken/oauth2/authorize?
response_type=token&
client_id=123456&
redirect_uri=https%3A%2F%2Flocalhost%3A12398%2F&
scope=user_read%20channel_read&
state=82hdknaizuVBfd9847guHUIhndzhuehnb
Again, make sure the state value is properly URL encoded.
3. Open the authentication URL
Ideally you just open the URL in a WebView inside of your app. In that case you need to intercept all request to load a new URL using WebViewClient.shouldOverrideUrlLoading
Once the client is redirected to your redirect URL you can close the webview and continue with step 4.
Theoretically it's possible to utilize the default browser to do the authentication, but I would have security concerns since an external app could learn about your client ID and the access token.
4. Extract the access token
The actual URL you get redirected to in step #3 will have the form:
https://[your registered redirect URI]/#access_token=[an access token]&scope=[authorized scopes]
or to pick up the example
https://localhost:12398/#access_token=xxx&scope=user_read%20channel_read
Where xxx is the actual access token.
If you passed a state it will be present like so:
https://localhost:12398/#access_token=xxx&scope=user_read%20channel_read&state=82hdknaizuVBfd9847guHUIhndzhuehnb
All you have to do now is to parse the (URL encoded) access token, scope and state. Compare the scopes and state to the ones that you actually sent. If they match you can start using the access_token to authenticate.
Note According to the OAuth2 RFC, the response URL MUST also contain a token_type and it SHOULD contain an expires_in duration in seconds.
Once you received the access token you can use it to authenticate as described here.
Access tokens issued by the Implicit Grant Flow usually expire after a certain time and the user needs to authenticate again. The Twitch documentation doesn't mention any expiration time, so it's possible that the token is valid forever. So make sure your app doesn't store it or store it in a secure way (like using Android's key store provider to generate and store a key to encrypt the access token).
If the implicitly issued access token expires you could consider using the "Authorization Code Flow". That's quite similar but it contains an additional step to receive the access token and a "refresh token" that can be used to renew the access token. I leave it up to you to figure out how that works.
I'm in the process of learning how to use HP Quality Center's REST api to query and manipulate data. Unlike REST standard, this API is not completely stateless. It uses cookies to store authentication sessions.
I've tried to implement a very simple test, using the Jersey Client library. I can successfully authenticate my user, by sending my credentials. The API reference claims that this will set a cookie, and I am good to go with further calling the REST api. However, a simple "is-authenticated" call returns a 401, Authentication failed.
I have a feeling that the cookie writing or reading is not working properly, as everything else seems to work as it should. But I haven't been able to find out if or how cookies are set and read, when no browser is involved. So How does cookies work, when calling cookie-setting REST services from java VM? Does it work at all? Where are they stored?
I am using Eclipse Kepler as my IDE, if that matters at all, and a 32-bit java 1.6 JDK and JRE.
Code, and response strings below:
1. Logging in:
Client client = ClientBuilder.newClient();
Response response = client
.target("http://[host]:[port]").path("qcbin/authentication-
point/alm-authenticate")
.request().post(Entity.entity("<alm-authentication>
<user>username</user>
<password>secret</password></alm-authentication>",
MediaType.TEXT_XML_TYPE));
System.out.println(response.toString());
Output:
InboundJaxrsResponse{ClientResponse{method=POST,
uri=http://[host]:[port]/qcbin/authentication-point/alm-authenticate,
status=200, reason=OK}}
API Return description:
One of:
HTTP code 200 and sets the LWSSO cookie (LWSSO_COOKIE_KEY).
HTTP code 401 for non-authenticated request. Sends header
WWW-Authenticate: ALMAUTH
2. Verifying Logged in:
response = client.target("http://[host]:[port]")
.path("qcbin/rest/is-authenticated")
.request().get();
System.out.println(response.toString());
Output:
InboundJaxrsResponse{ClientResponse{method=GET,
uri=http://[host]:[port]/rest/is-authenticated, status=401,
reason=Authentication failed. Browser based integrations - to login append
'?login-form-required=y to the url you tried to access.}}
PS: adding the ?login-form-required=y to the URL, will bring up a log-in window when called in a browser, but not here. Appending the line to the URL actually still gives the same error message, and suggestion to append it again. Also, when called in a browser, the is-authenticated returns a 200, success, even without the login-form.
When you log in, you're getting a cookie which is a name plus a value.
The REST server expects you to pass this in the request header with every request you make.
Look into the object which you get for client.request(); there should be a way to specify additional headers to send to the server. The header name must be Cookie and the header value must be name=value.
So if the server responds with a cookie called sessionID with the value 1234, then you need something like:
client.request().header("Cookie", "sessionID=1234")
Related:
http://en.wikipedia.org/wiki/HTTP_cookie
I am stucking with the following problem like one month already, I am trying to verify an inapp purchase by using the following api :https://developers.google.com/android-publisher/authorization
I followed every step from the documentation(doing everthing with Postman Rest Client from Chrome), I can retrieve an accesstoken and a refresh token, but whenever when I try to query a purchase it results in error code 403 access not configured, BUT I CONFFIGURED IT IN THE SETTINGS!
anybody with an idea maybe?
It is far from straightforward to get an accesstoken for this API. This blog post helped get me started in the right direction, but I've outlined my own process that does not depend on using any external scripts to work. The steps are:
Obtain a client ID and secret (one-time)
Obtain a Refresh Token (one-time)
Use the Refresh Token to obtain an Access Token (once per hour)
4 Use the access token to access the API
Each of these steps are detailed below:
Obtaining Client ID and Secret
Go to the the Google Developer's console
Go to your project page
Select "Consent Screen" on the left side and make sure that the email address and Product name fields are set
Select "Credentials" from the left menu, and select "create a new client id"
Leave Application type set to "Web application" and set "Authorized redirect URI" to https://localhost. You do not need to change the Authorized JavaScript Origins.
Click "Create Client ID" and record the Client ID and Client secret that result.
Obtaining a Refresh Token
In web browser, enter the following URL (substituting correct value for client_id):
https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/androidpublisher&response_type=code&access_type=offline&redirect_uri=https://localhost&client_id=XXXX
Accept any requests for authorization that appear
You will then be redirected to a URL like this:
https://localhost/?code=4/k0TenvwICIgmBoQOazJy4_EnJr6-.clLqtp_vVAIbEnp6UAPFm0GASPqQigI
Copy the code from the latter part of this URL
Use wget to convert this code into refresh token; substitute CODE, CLIENT_ID, and CLIENT_SECRET
wget --debug --post-data="grant_type=authorization_code&code=CODE&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&redirect_uri=https://localhost" https://accounts.google.com/o/oauth2/token
The resulting JSON file will contain an access_token and a refresh_token. Record the refresh_token value
Obtaining an Access Token
send a POST request to https://accounts.google.com/o/oauth2/token with the following fields set (substitute REFRESH_TOKEN, CLIENT_ID, CLIENT_SECRET)
grant_type=refresh_token
refresh_token=REFRESH_TOKEN
client_id=CLIENT_ID
client_secret=CLIENT_SECRET
You will get back a JSON string containing an access_token that will be good for one hour.
Using the Access Token to make API request
Fetch from
https://www.googleapis.com/androidpublisher/v1.1/applications/PACKAGENAME/inapp/SKU/purchases/PURCHASETOKEN
with an Authorization header containing the access token, e.g:
Authorization: Bearer ya29.1.AADtN_WoM4-4Fb1voFL-emcUWluijCzwvc9Z-FYM9SPvK03HCbGkdROJTVVPSLHK2IlVJQ
You may also be able to pass the access token as an HTTP query parameter, e.g.
https://www.googleapis.com/androidpublisher/v1.1/applications/PACKAGENAME/inapp/SKU/purchases/PURCHASETOKEN?authorization_token=AUTHTOKEN
I had a similar problem as you. Answer by mmigdol is helpful, but it didn't help me. I finally managed to solve it by looking at links generated here: https://developers.google.com/oauthplayground/
Apparently, Android publisher scope
https://www.googleapis.com/auth/androidpublisher
needs to be added into the link requesting authorisation code (before even generating refresh token) by adding:
&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fandroidpublisher
to get this:
https://accounts.google.com/o/oauth2/auth?redirect_uri=<YOUR_REDIRECT_URI>&response_type=code&client_id=<YOUR_CLIENT_ID>&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fandroidpublisher&approval_prompt=force&access_type=offline
Hi am regarding facebook php server side login..
http://developers.facebook.com/docs/authentication/server-side/
in that
$code = $_REQUEST["code"];
what is the meaning of this..., what is this code ?
Once the user has authorized your app, you should make a server side
request to exchange the code returned above for a user access token.
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID
&redirect_uri=YOUR_REDIRECT_URI
&client_secret=YOUR_APP_SECRET
&code=CODE_GENERATED_BY_FACEBOOK
Note the "CODE_GENERATED_BY_FACEBOOK" comment.
$_REQUEST['code'] is most likely a token that guards against CSRF. Facebook will create this and give it to your application via $_REQUEST['code'] (could be a POST, GET or whatever).
If you're not sure what $_REQUEST is, you should read the PHP manual entry for it.
$code is like authorization token that you exchange for an access token that you will use later to make calls to facebook api. The part you're looking at handles redirect from facebook after user logged in to facebook and authorized your application to access their information. at this point facebook redirects user back to your site and passes code as a get parameter and that line grabs that code from $_REQUEST, which in this context is the same as $_GET['code']