I trying to send a payment with my test application. Im using the paypal java sdk package.
Im not receiving my access token. Im receiving only the bearer token,
Bearer WesirDWp61YcTr8N8XWZHnPk7tCch.ZgcMvLfyp-FRA : appId :
APP-80W284485P519543T
Thus when I try to send a payment Im getting and 401 authorization error because of no access token. The first time I sent the request it returned the access token but every subsequent attempt brings this error:
Java exception "com.paypal.core.rest.PayPalRESTException: Error code : 401
with response : Server returned HTTP resp" when calling method "create" with
signature "(Ljava.lang.String;)Lcom.paypal.api.payments.Payment;" in class
"com.paypal.api.payments.Payment".
I do not understand what is happening here . Am I completely missing the boat here?
Thank You for any response.
Hit this URL with POST Request on Postman.
POST https://api.sandbox.paypal.com/v1/oauth2/token
On Authorization choose basic auth and enter the username as a clientID and password as a ClientSecret.
In Header set Content-Type: application/x-www-form-urlencoded
In Body seelect x-www-form-urlencoded and write grant_type: client_credentials
after that send request you will get the access_token
The bearer token is the access token, more specifically it is the type of access token returned. As per the REST API Reference (which is what the java sdk calls), the call to the oauth end point returns:
{
"scope": "https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card https://api.paypal.com/v1/vault/credit-card/.*",
"access_token": "EEwJ6tF9x5WCIZDYzyZGaz6Khbw7raYRIBV_WxVvgmsG",
"token_type": "Bearer",
"app_id": "APP-6XR95014SS315863X",
"expires_in": 28800
}
The SDK combines the two fields and returns them as the "Bearer token".
This bearer token is all you need to access the REST APIs (with some restrictions based on the permissions/scopes requested and how the bearer token was requested, however that is dependent on creation call). Pass the bearer token in the authorization header:
"Authorization: Bearer EEwJ6tF9x5WCIZDYzyZGaz6Khbw7raYRIBV_WxVvgmsG"
Related
I am using FusionAuth for authentication. I have created one application in the FusionAuth. It has oAuth configured.
http://localhost:9011/oauth2/authorize?access_type=offline&prompt=consent&response_type=code&client_id=9ecc54b7-6f79-4105-a208-ca61e6157b58&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fipos%2Frest%2FfusionAuth%2FcallBack
This is my authorization url to one the FusionAuth login page.
Once I hit the link and enter the user name and password, I get the call back on configured call back url in my java jersey api.
I get the following details in the call back request.
code - dZgq5Xd0YmAQXZ2JIzkih832iojimgLUPwT7yoH9-TY
locale - en_US
userState - AuthenticatedNotRegistered
Here I am using Scribe Java library for OAuth authentication
I make call to get the access token call usnig the Scribe java libary with the given authorization code and grant_type is authorization_code.
Here this call get success and I get the below detail in the response.
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRRZTA1Uk1vN19oVjZUUnpLVUQ1aXpRU2NSOCJ9.eyJhdWQiOiI5ZWNjNTRiNy02Zjc5LTQxMDUtYTIwOC1jYTYxZTYxNTdiNTgiLCJleHAiOjE1Nzc3MTg0NjgsImlhdCI6MTU3NzcxODM0OCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiI3ZWE3OWRhZi1hZjExLTQ1MTUtODljYS1iOGFjYTFjN2I5YTEiLCJhdXRoZW50aWNhdGlvblR5cGUiOiJQQVNTV09SRCIsImVtYWlsIjoiZGhhdmFsYmhvb3Q5M0BnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwicHJlZmVycmVkX3VzZXJuYW1lIjoiZGhhdmFsYmhvb3QifQ.eA0Xi6nEZhWaTMd-P26ESdE3NsyXNRNVBKBdBvHxvzfHgXYJiN2pf-16mY8JK-4-1g3vZF7Cwv-SkP4iZAIJCYYc3uBW8Qlcjjn9cyi7_RggBBBsErcs2acRIt-D5NpnVJfkxHwGAs9fO6a2Win98GGYyv1nzBG9OhWkyZJTy4QxzlgXNrkQIzTuzRwLkRFzKCT95pqfsOYb_MXPuAksg5q1SHIj8qtbO7EO-vMbpmiok1C-Wflbiq2X_tq17QBKbO4JAMLm9_pCZse1tqLyNP4fIh3VHTz7OdbbXvug2Tpk_yTWLVL_29XC87-91R5iXeezLjADkdi1yXMUdHioOw",
"expires_in": 119,
"token_type": "Bearer",
"userId": "7ea79daf-af11-4515-89ca-b8aca1c7b9a1"
}
Here, I do not get the refresh_token, in any case, user first time login or in any case.
This is JWT token and I had reduced the expiry time to 120 seconds.
In application OAuth setup I enable Generate refresh tokens option.
The only problem here I have is, I do not receive the refresh token.
Help me with this.
Thank you.
To obtain a Refresh Token as a result of the Authorization Code Grant, you'll need to request the offline_access scope.
https://fusionauth.io/docs/v1/tech/oauth/endpoints#authorization-code-grant-request
You can modify your request as follows (line breaks added for readability)
http://localhost:9011/oauth2/authorize?
scope=offline_access
&prompt=consent
&response_type=code
&client_id=9ecc54b7-6f79-4105-a208-ca61e6157b58
&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fipos%2Frest%2FfusionAuth%2FcallBack
As a side note, adding prompt=consent is fine, but it will not affect the request as this is not yet available in FusionAuth. Please upvote the feature request if this is something you'd like to see in an upcoming release. https://github.com/FusionAuth/fusionauth-issues/issues/411
I am upgrading my service and implementing webclient using oAuth2, and I am getting exception is"tokenType cannot be null" could you please help me to resolve that.
exception:
org.springframework.security.oauth2.core.OAuth2AuthorizationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: Error while extracting response for type [class org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse] and content type [application/json]; nested exception is org.springframework.http.converter.HttpMessageNotReadableException: An error occurred reading the OAuth 2.0 Access Token Response: tokenType cannot be null; nested exception is java.lang.IllegalArgumentException: tokenType cannot be null
Please have a look at https://github.com/spring-projects/spring-security/issues/5983#issuecomment-430620308
This is well known problem because of the spec that requires a token type (BEARER in our case) to be present in the response to the client when hitting the token access uri, Spring security oauth doesnt affect a default in case of non presence of this parameter tokentype, you have a work around in the link above.
The OAuth spec states :
https://www.rfc-editor.org/rfc/rfc6749#section-5.1
5.1. Successful Response
The authorization server issues an access token and optional
refresh token, and constructs the response by adding the following
parameters to the entity-body of the HTTP response with a 200 (OK)
status code:
access_token
REQUIRED. The access token issued by the authorization server.
token_type
REQUIRED. The type of the token issued as described in
Section 7.1. Value is case insensitive.
expires_in
RECOMMENDED. The lifetime in seconds of the access token. For
example, the value "3600" denotes that the access token will
expire in one hour from the time the response was generated.
If omitted, the authorization server SHOULD provide the
expiration time via other means or document the default value.
Eventually figured out the issue,client was missing one of field in token json response that was tokenType. Actually tokenType also should be included in token response, in my case tokenType was bearer.
{
"access_token": "************",
"token_type": "Bearer",
"expires_in": 1800,
"scope": "read"
}
I am using Outlook Rest API to subscribe events. However, I get error code 401 although I include the access token. I get the access token following https://learn.microsoft.com/en-us/outlook/rest/java-tutorial this tutorial. And my payload is like the following:
{
"#odata.type":"#Microsoft.OutlookServices.PushSubscription",
"Resource":"https://outlook.office.com/api/v2.0/me/events",
"NotificationURL":URL,
"ChangeType":"Created"
}
with the header:
authorization: Bearer + access token which I get from the tutorial. (I.E EwBAA8l6BAAURSN/FHlDW5xN74t6GzbtsBBeBUYAAeybQmu+RnQcYAQ3wTW3kJUclA03jKgc4Sdx2mp5SOlLswSAr9zTmO7qk33wpTD3ULZkUrl9IpTnnhtjeoSXt+z5GRRtmL40jyvAghrTseO8yEZtR04SLjl6i1KZNXxZwUTK8s6DkXESwkwaTmQKPckKHi9XeIbx8dolnT7vEeeUo5rmzcG251dQokfZYHCar3bd1bysV7oaTt5Iis6qgkYtg4BL/32QObgI8SHQS4my7FSsqLYFchYExEFeBXgUjt4yE0G0bbmykz3T5C713DAqo8BtCkkbRIckv6N4bpq84bpzaDAgdgHhnpcYzUaViJ2zhZXMrShUdpddug+DPkEDZgAACILe9sz+3mX7EAJrVvnkVpyZzC9WvQkY4xET3KdEstT..... Something like this)
content-type: application/json
Why do I get 401?
Thank you.
A 401 means that your token isn't valid for what you're trying to do. It could be expired, invalid, etc. Typically the body of the response gives more detail on the reason of the 401.
I'd recommend going to https://oauthplay.azurewebsites.net/ and playing with the notifications API there to see how it all works.
I am using an API to get some information. At the beginning of each session you need to get a JWT token to be able to send requests to the API. After I've got the token and I try to send a request, I get an error saying I'm unauthorized, which is fair since I did not attach the token in my request. The problem is that the documentation for the API does not explain how to do this, and I haven't been able to find it anywhere else either. How do I do this? I am doing this is Java and is using their own HttpURLConnection. Hopefully you understand what I mean.
Thank you in advanced!
It depends on how the web-service (API) wants to have the token represented.
Common are:
HTTP request headers (problem for XHR requests)
query parameters (bad idea because of caching/logging)
form fields (not universally useable)
URL segment (bad idea because of caching/logging)
certain cookies with the token as value (transparent) or
authentication header (typical)
The Authentication headers as defined in HTTP RFCs are typically be used with the Basic or Digest authorization scheme. In case a string (token) authenticates the bearer of that token, the "Bearer" scheme is used (for example defined for OAuth2 in RFC6750).
You would use
uc.setRequestProperty("Authorization","Bearer " + jwt);
for this.
I am trying to retrieve user photo using outlook REST API(https://msdn.microsoft.com/en-us/office/office365/api/photo-rest-operations#UserphotooperationsGetphoto)
I got the access token following (https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx)
but getting this error : any help?
HTTP/1.1 401 Unauthorized [Content-Length: 0, Server: Microsoft-IIS/8.0, request-id: 6925fcab-9021-4059-af4b-4cbf130faea7, X-CalculatedBETarget: CY1PR0401MB1388.namprd04.prod.outlook.com, X-BackEndHttpStatus: 401, Set-Cookie: exchangecookie=87cb2447eae9401c80a96c497dff06a9; expires=Sat, 22-Apr-2017 07:56:53 GMT; path=/; HttpOnly, x-ms-diagnostics: 2000001;reason="The access token is acquired using an authentication method that is too weak to allow access for this application. Presented auth strength was 1, required is 2.";error_category="invalid_token",
code looks something like this:
HttpClient httpclient = HttpClients.createDefault();
final String bearerToken = getBearerToken();
HttpGet request = new HttpGet("https://outlook.office.com/api/v2.0/me/photo/$value");
request.setHeader(javax.ws.rs.core.HttpHeaders.AUTHORIZATION, "Bearer " + bearerToken);
request.setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
HttpResponse response = httpclient.execute(request);
return IOUtils.toByteArray(response.getEntity().getContent());
According to the error message. Instead of a client_secret in your request body, you need a client_assertion.
For more details, you can reference the blog Building Daemon or Service Apps with Office 365 Mail, Calendar, and Contacts APIs (OAuth2 client credential flow)
According to the API you call "https://outlook.office.com/api/v2.0/me/photo/$value". It seems that you only want to get the photo for the current login user; if so, you can use Authorization Code Grant Flow to get the token which will not require the client certificates.
UPDATE#1:
Can this be done programmatically/API way
As far as I know, the consent need the user's or admin's interactivity.
https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={0}&resource={1}&redirect_uri={2}&prompt={3}
If you are developing a ASP.NET web application, you can reference the sample project O365-WebApp-MultiTenant.
BTW, when calling the API with app-token, you need to specify the user name.
e.g.
https://outlook.office.com/api/v2.0/users('user1#customdomain.onmicrosoft.com')/messages
UPDATE#2:
The 403 code when updating the photo using the app token is expected result.
As we can see from the figure above, updating the user photo requires the delegated permission "User.Read.Write". The app token does not have permission to update user's photo.