I am using oauth2 (node.js and the connect-oauth library) to connect to the google contacts API version 3.0.
Doing so, I get a response such as:
{ access_token : "...",
"token_typen": "Bearer",
"expires_in" : 3600,
"id_token": "..." }
I am missing the refresh token used to get a new access token as soon as the latter is expired.
options for oauth2
{ host: 'accounts.google.com',
port: 443,
path: '/o/oauth2/token',
method: 'POST',
headers:
{ 'Content-Type': 'application/x-www-form-urlencoded',
Host: 'accounts.google.com',
'Content-Length': 247 } }
post-body
'redirect_uri=http%3A%2F%2Flocalhost%2Foauth2callback&grant_type=authorization_code&client_id=CLIENTID&client_secret=CLIENTSECRET&type=web_server&code=4%2F3gbiESZTEOjiyFPLUhKfE_a_jr8Q'
NOTE: I tried to add approval_prompt=force from a similar question to the request-post_body but this resulted in an Error
{ statusCode: 400, data: '{\n "error" : "invalid_request"\n}' }
NOTE: I tried to add approval_prompt=force from a similar question to the request-post_body but this resulted in an Error
You don't need the approval_prompt param when you ask for a token. The *approval_prompt* param is for the authorization part.
I am missing the refresh token...
The only way you DON'T get a *refresh_token* is when:
use the Client-side Applications flow;
include the access_type=online param in the authorization code request.
So, try adding: access_type=offline, to the authorization code request.
Edit:
i.e.:
https://accounts.google.com/o/oauth2/auth?client_id=**your_client_id**&scope=https://www.googleapis.com/auth/plus.me&redirect_uri=http://localhost&response_type=code&access_type=offline
If you're getting 400 is because you are adding an invalid parameter or missing one.
Good luck!
One time I did this was testing - I had deleted the google authorisation token from the app - so it tried to get another one and it did but without a refresh token.
So check the app you are testing is not authorised for the account you are testing from (does that make sense?)
Related
I am trying to fetch data from the coinmarketcap api. It worked through Postman once yesterday, but then ever since I keep attempting to hit the api I keep getting this error:
GET /cryptocurrency/info?id=1 200 - - 190.846 ms
error Error: write EPROTO 4375776704:error:1408F10B:SSL
routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
This also happens when I attempt to call the api through a proxy server.
const requestOptions = {
method: "GET",
uri: "https://pro-api.coinmarketcap.com/v1/cryptocurrency/listings/latest",
qs: {
start: "1",
limit: "10",
convert: "USD",
},
headers: {
"X-CMC_PRO_API_KEY": "my_api_key",
"Accept": "application/json",
},
json: true,
gzip: true,
};
Everything I read says to just change https to http but the api is definitely https and I've tried every variation just in case (including http://localhost for the proxy layer). I've also signed up for a different API account in case the key I had originally was compromised from my initial experimenting. However the new key has the same issue.
I've run out of ideas here, does anyone else know what could be wrong?
I'm in the process of attempting to verify a JWT access_token against OneLogin's api as described here. My code is as follows:
const client_id = MY_CLIENT_ID
const client_secret = MY_CLIENT_SECRET
const token = MY_ONE_LOGIN_JWT_ACCESS_TOKEN
axios
.post(
"https://my-endpoint-dev.onelogin.com/oidc/2/token/introspection",
{ token, client_id, client_secret, token_type_hint: "access_token" },
{
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
}
)
.then((response) => {
console.log("response");
console.log(response);
})
.catch((err) => {
console.log("err");
console.log(err);
});
The endpoint appears to work fine, in fact when the JWT has become expired it gives me an error stating as such and I need to update the token I'm passing along. However, whenever I make a standard request as shown above with valid credentials and tokens I get the following error response:
{error: "invalid_request", error_description: "no client authentication mechanism provided"}
There's no documentation on the provided page that describes what is wrong with the request when that error is received. From the documentation, so far as I can tell, my request is formatted correctly.
I have verified that the Token Endpoint in OneLogin is set to POST, so my assumption that the client_secret should be in the body is documented as correct (though I did try it as Basic just to verify):
I've attempted searching for a solution, but the only thing close I've found advises that the Content-Type header may not be supplied. I've made sure to add that to the list of headers and have verified it shows up in the request, but still the error persists.
Any thoughts to what I may be missing here?
EDIT:
Attempted to do a cURL request and received a 200 response back with the same information. Leading me to believe it's something with the axios call that I have incorrect.
I get this message when I don't provide either the client_id or the client_secret. Hopefully you can validate that you are actually sending both in your request. Maybe you can try the request via postman to double check.
I ran into the same issue and finally figured out you have to turn the data into a query string: https://axios-http.com/docs/urlencoded
For example:
import qs from 'qs';
const data = { 'bar': 123 };
const options = {
method: 'POST',
headers: { 'content-type': 'application/x-www-form-urlencoded' },
data: qs.stringify(data),
url,
};
axios(options);
I have an simple web app I'm testing on localhost (using http-server) in which I'm trying to authorise it following the GitHub tutorial.
I was able to redirect to GitHub page so the user can login there and get the temporary code returned from GitHub as query parameter.
Yet I can't get auth token because every time I send a POST request with all the required data I'm getting CORB error.
The code I'm using to do that:
const getGitHubToken = async code => {
return await fetch(authData.accessTokenURL, {
method: 'POST',
body: {
client_id: authData.client_id,
client_secret: authData.client_secret,
code
},
headers: {
'Accept': 'application/json',
'Content-Type': 'application/json'
}
});
};
So my questions are:
why isn't it working
is it safe to keep client_id and client_secret on client side
any suggestions if it's good idea to apply this approach when my aim is to create an app able to query GitHub API (general stats, public repos), how can I do it better?
I'm trying to understand how authorization works after headers with data were set. I'm using passport and jwt to auth user and setting authorization headers after succeed login attempt.
res.setHeader('authorization', 'JWT ' + token);
console.log(res.getHeader('authorization'));
// prints JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcl9wYXNzd29yZCI6IiQyeSQxMiR1VUh3czBoeXVYSFhjWTFXWFd2L21ldlNZUFBZcm4xLjdmdEwxb1RSN29mQmxDMEpERE5uLiIsInVzZXJfyMDc1NzM1LCJleHAiOjE1MzQ2Njc3MzV9.F4j6eXpbhPLsLOAixwyNT6PLOUhna1C6CA4iIVbidXsbmFtZSI6ImFkbWluIiwiaWF0IjoxNTM
and for example on my main router where only logged in users should be allowed to enter I can't catch this header? It seems like after setting this header its only working until the page is being reloaded. I made previous question about it but it wasn't specific enough.
I'm starting to think how authorization works and how to set headers or cookies or something after succeed passport authentication?
What you need is an interceptor to be created for your http requests where you'll inject the rules for setting headers with each response
var http = require('http');
http.Interceptor.register({
test: {
uri: '/me/friends',
host: 'graph.facebook.com'
},
rule: {
response: {
headers: {
'Set-Cookie': 'AuthSessId=41D3D0110BA61CB171B345F147C089BD; path=/',
'Content-Type': 'application/json'
}
uri: /^\/dialog\/oauth/,
host: 'www.facebook.com'
});
You can use this npm package for the same and ollow the documentation
Please visit https://www.npmjs.com/package/node-interceptor
I am trying to create a LINE login authentication function on my web. The problem I am encountering is that I kept receiving error 400, a bad request which may have something to do with the parameter I've put in.
Here is my code,
fetch('https://api.line.me/v2/oauth/accessToken', {
method: 'POST',
mode: 'no-cors',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: JSON.stringify({
grant_type: 'authorization_code',
client_id: 'my_id',
client_secret: 'my_client_secret',
code: code,
redirect_uri: 'the link direct to'
})
}).then(response => {
console.log(response);
}).catch(function(err) {
console.log(err);
});
I followed the reference from LINE, https://developers.line.me/web-api/managing-access-tokens and put in the parameter it asked for, but I kept having the same error.
Tried with postman and got the same error
I am not sure which part I did wrong. Would someone help me with this issue?
I've got the same error 400 problem. In my case, my redirect_uri contains parameter e.g. mysite.com?action=abc which not work. It accept something like mysite.com/action/abc.
It seems no problem with your access token request.
Can you recheck the redirect_uri used by making an authorization request
is same to the callback URL registered in the LINE console?
As described in the Line Login documents:
redirect_uri : Callback URL. URL that users are redirected to after authentication and authorization. Must match one of the the callback URLs registered for your channel in the console.