I am new to Slack Webhooks and am trying to retrieve Slack channel messages using Outgoing Webhooks API.
Below is my get GET API.
https://slack.com/api/conversations.history?token=60ClVADXdNAlOfGr239oI8hl&channel=auto_test&limit=10&inclusive=true
API response code:
200 Ok
Below is my response Body:
{
"ok": false,
"error": "invalid_auth"
}
Can any one please suggest how to use Outgoing Webhook API. Thanks in advance.
Use "Bot User OAuth Access Token" , In "OAuth and permissions Tab" Format is
xoxb-xxxxx-xxxxx-xxxx. And then add scope "channels:history" and reinstall your app in slack. And then try to get conversation history with channel id .
Your token should be "Bot User OAuth Access Token", which is present in OAuth & Permissions Tab and starting with xoxb.
Provide channelId in channel=channelId
I follow the steps in the Spotify Web Api Tutorial using the authorization-code from the Spotify Accounts Authentication Examples. Everything is okey, I register an application with Spotify, authenticate a user and get authorization to access user data and when the page show me the user data the refresh token is different each time I authenticate myself. I think refresh token shuld not change.
The only modification I did in the example code was replace the client id, client secret and the redirect uri with the correct values from my application.
Any advices?
For the Authorisation Code Flow you just need to do that initial authentication you're already doing. It will always return a new refresh token however that token can be used over an over with 4. Requesting a refreshed access token; Spotify returns a new access token to your app from Authorisation Guide that will return you a new access token for subsequent calls and you won't need to do the Authentication Step you're doing multiple times just keep doing that one.
JWT terminology has been bothering me for a few reasons. Is JWT suitable for Authorization or is it only for Authentication?
Correct me if I'm wrong but I have always read Authorization as being the act of allowing someone access to a resource yet JWT doesn't seem to have any implementation that actually allows access to users to a given resource. All JWT implementations talk about is providing a user a token. This token is then passed with every call to a back-end service endpoint where it is checked for validity and if valid access is granted. So we can use JWT for Authentication of any user but how can we restrict the access to particular valid users ?
How can we use JWT for restricting a few users depending on roles they have?
Do JWT provide any type of Authorization details as well or does it just provide us Authentication ?
Thanks in advance for your help and reading my doubt patiently.
Authorization with JWT can be achieved using the token specific claims.
As many other user information packaged as claims in the Json Web Token the specific permissions can be pre-filled in the token and can be intercepted later on by an authorization service.
Typically the authorization would be permission based where permissions are used to restrict access to an api endpoint (may also be used to grant users access to views on the frontend apps).
Here down a sample JWT token having a permission element:
{
"UserInfo": {
"id": "#{USER_ID}",
"roles": {
"#{ROLE_NAME}": "#{ROLE_ID}"
},
"permissions": {
"#{PERMISSION_NAME}": "#{PERMISSION_ID}",
}
},
"exp": 1488888888
}
JWT can be used for two purpose:
Authentication (as you said)
Information Exchange.
The second part is the interesting one. A JWT contains:
a header: contains algorithm and token type
a payload: Which are statements about an entity (typically, the user) and additional metadata. There are three types of claims: registered, public, and private claims.
a signature: The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
The payload can contains information about a user such as a list of rights.
This way you can use it for Authorization.
Example from jwt.io:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
which contains:
{
"alg": "HS256",
"typ": "JWT"
}
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
you can see that the payload contains the identity and information about the administration right. You can trust theses data because of the payload signature.
User logins first. Once user pass the login process, or we say once user is authenticated, you sign a jwt token and send it to the user. this is node.js snippet
async postLogin(req, res, next) {
// parse the req.body, get the email,password
// check if the email exist, if exists check the passord
// now you are sure credentials are true, create the jwt.
const token = jwt.sign({ _id: this._id, email: this.email }, "this-is-secret", {
expiresIn: "1h",
res
.status(200)
.header("x-auth-token", token)
.json({ token, userId: existingUser._id.toString() });
});
}
now client will takes it save it to localStorage. (for simplicity i m using localStorage). IN the client side, user sends post request to login and gets what I sent above. It will take the token, and save it. since it is async request, it will be like this. this is a little react code to demonstrate:
.then(resData => {
localStorage.setItem('token', resData.token);
localStorage.setItem('userId', resData.userId);
One thing about tokens, browser does not send it automatically, so client will manually attach it to the request.
fetch(url, {
method: "post",
headers: {
Authorization: 'Bearer ' + localStorage.getItem('token')
}
})
Once your server gets the request, you check the incoming token, if it is a valid token you will authorize the user to access certain routes or services. So user will be Authorized.
Authentication is the process of identifying users and validating who they claim to be. One of the most common and obvious factors to authenticate identity is a password. If the user name matches the password credential, it means the identity is valid, and the system grants access to the user, so we say user is authenticated
Is JWT suitable for Authorization or is it only for Authentication?
The answer to this question is lying in the following lines of RFC7519 Standard:
JSON Web Token (JWT) is a compact claims representation format
intended for space constrained environments such as HTTP
Authorization headers and URI query parameters.
JWT doesn't seem to have any implementation that actually allows access to users to a given resource.
I would say this part of your understanding needs a bit of polishing ;-)
Indeed JWT has a structure called Claims and there you can find topics related to authorization.
The remaining part of your understanding is not following a correct sequence. In fact, there is a missing piece called Token Issuer. This guy is responsible to Authenticate JWT token requester and issue a JWT token if and only if the authentication process was successful and the requester was authorized. Then the issued JWT token could be verified by checking the signature, meaning that, the token that has been issued via a token issuer like an Identity Server will contain a hash code of message which will allow the consumer of the token to double-check the signature (hash code) to make sure the token has not been modified via unauthorized access during the transitions between client-server. Then if the token was a valid token the consumer at the next step can extract token (JWT) claims to process the authorization part.
The Request Token and Token Secret MUST be exchanged for an Access Token and Token Secret.
To request an Access Token, the Consumer makes an HTTP request to the Service Provider’s Access Token URL. The Service Provider documentation specifies the HTTP method for this request, and HTTP POST is RECOMMENDED. The request MUST be signed per Signing Requests, and contains the following parameters:
oauth_consumer_key:
The Consumer Key.
oauth_token:
The Request Token obtained previously.
oauth_signature_method:
The signature method the Consumer used to sign the request.
oauth_signature:
The signature as defined in Signing Requests.
oauth_timestamp:
As defined in Nonce and Timestamp.
oauth_nonce:
As defined in Nonce and Timestamp.
how to get these parameters in java
AppKeyPair appKeys = new AppKeyPair("INSERT_APP_KEY_HERE", "INSERT_SECRET_HERE"); //Both from Dropbox developer website
WebAuthSession session = new WebAuthSession(appKeys, Session.AccessType.DROPBOX);
DropboxAPI<WebAuthSession> mDBApi = new DropboxAPI<WebAuthSession>(session);
System.out.println(mDBApi.getSession().getAuthInfo().url);
The URL contains all the information need I believe.
Dropbox API downloaded form here: https://www.dropbox.com/developers/reference/sdk
Go here to get App key information:
https://www.dropbox.com/developers/apps (Must sign in to dropbox and create new app)
You don't need all the extra stuff other than oauth_token if you connect over https.
If you're using the HTTP API directly, you can get a request token via the /oauth/request_token call.
Instead of using the HTTP API directly, you might find it easier to use the official Java SDK for Dropbox. Documentation on the OAuth flow: WebAuthSession.java.
I am developing an OAuth library to be used by BlackBerry mobile devices to connect to Netflix. I have successfully negotiated the request token and the access token. I have received the authorized token, the token secret, and the encrypted subscriber ID.
Encrypted subscriber ID:
T1BlCJtdcWMuF6gJEfue96_W.kZ_gW81h59KqLEfT1AzE-
Authorized Token: T1U.wMxbvP.KCdxGpqmfERA0y3BKEuyhYIljMF5W1k0iXD9j.2qDMw7NjoaOnG40UXESpqPk37gJbBlB1Ve.uatw--
I am now having trouble using the subscriber ID and the authorized token to retrieve the user information from Netflix. Does the authorized token look correct? It seems a little off to me as compared to the request token and unauthorized token....
I would appreciate any advice, thanks!
Those seem correct to me. Have you compared the request you're making to the one on http://developer.netflix.com/walkthrough? Are you making sure to use the oauth_token_secret returned from requesting the access_token (step 4 in the walkthrough), and not the one you got from request_token (step 1 in the walkthrough)?