I have create an OAuth application, it gives me Client ID:xxx Client Secret:yyy
Redirect URIs, Authorize URL, Access Token URL now what should I do? In coding wise, I am working in Java.
Thanks for your interest in working with our API!
I think the best explanation of how to work with our API using would is in the documentation on our developers site.
Take a look at that, and let us know if you have any other questions.
Particularly useful from that page is this sample flow that your app might go through:
# Redirect the user to this page
https://www.coinbase.com/oauth/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_CALLBACK_URL&scope=user+balance
# If the user accepts, they will be redirected to:
YOUR_CALLBACK_URL?code=CODE
# Initiate a POST request to get the access token
https://api.coinbase.com/oauth/token&
grant_type=authorization_code&
code=CODE&
redirect_uri=YOUR_CALLBACK_URL&
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET
# Response containing the 'access_token'
{
"access_token": "...",
"refresh_token": "...",
"token_type": "bearer",
"expire_in": 7200,
"scope": "universal"
}
# Now you can use the 'access_token' to initiate authenticated requests
https://api.coinbase.com/v1/account/balance?access_token=...
# Response
{
"amount": "50.00000000",
"currency": "BTC"
}
Related
Due to the architecture of our product, the loadbalancer that I use is not able to manage correctly my servers. To solve this point, I have create a kind of manager which forward the call to the correct server by requesting it directly from the first server when it is needed. The issue is to do that I forward the user keycloak token string in the header of the second call. It works pretty well but after few minutes to token is invalidate. I tried to refresh it by many way without success. I have 2 constraints. I can't reask the credentials to the user, and I can't use the keycloak secret because I'm working in a multi tenant / multi realm app. Do you have any idea?
I'm assuming that you have just the access_token on login.
First you need to exchange that access token for a refresh token (and another access token), you do this by calling:
HTTP POST {{host}}/auth/realms/{{realm}}/protocol/openid-connect/token
HEADERS:
Content-Type: application/x-www-form-urlencoded
BODY:
grant_type: urn:ietf:params:oauth:grant-type:token-exchange
subject_token: the_user_access_token
client_id: your_client_id (in my case this is "public")
requested_token_type: urn:ietf:params:oauth:token-type:refresh_token
you will get back a response that looks like this:
{
"access_token": "access_token_value",
"expires_in": access_token_time_in_seconds,
"refresh_expires_in": refresh_token_time_in_seconds,
"refresh_token": "refresh_token_value",
"token_type": "bearer",
...
}
So with this you have what you need to actually refresh your token with the following request:
HTTP POST {{host}}/auth/realms/{{realm}}/protocol/openid-connect/token
HEADERS:
Content-Type: application/x-www-form-urlencoded
BODY:
grant_type: refresh_token
refresh_token: refresh_token_value
client_id: public
This will get you the following response:
{
"access_token": "access_token_value",
"expires_in": access_token_time_in_seconds,
"refresh_expires_in": refresh_token_time_in_seconds,
"refresh_token": "refresh_token_value",
"token_type": "bearer",
...
}
Now you can repeat step 3 and 4 up until the maximum session duration.
We are using Spring Cloud Netflix Zull as Gateway Application for our backend services. Front end is Angular. But we are testing endpoints in Postman only(Front end is under development). We have one module called LoginServiceModule and another is ZullServerModule. The LoginSericeModuke take username and password from front end and make call to the following oauth/token endpoint by including required headers and body.
http://localhost:XXXX/login
and response is
{
"access_token": "XXXXXXXXX",
"token_type": "bearer",
"refresh_token": "XXXXXXXXX",
"expires_in": 3600,
"scope": "read write",
"jti": "XXXXXXXXXXX"
}
and the ZullServerModule contains ZullServerConfiguration, Authorisation Server Configuration and Resource Server Configuration and etc...
The LoginModule internally calls oauth/token end point like this.
ResponseEntity<String> loginResponse = restTemplate.exchange("http://localhost:XXXX/oauth/token", HttpMethod.POST, entity, String.class);
and the response is ..
{
"access_token": "XXXXXXXXX",
"token_type": "bearer",
"refresh_token": "XXXXXXXXX",
"expires_in": 3600,
"scope": "read write",
"jti": "XXXXXXXXXXX"
}
we extract the access_token from the response and call following endpoint...
http://localhost:XXXX/ProjectName/api/endpointname?access_token={access_token}.
But when the access_token expires, and when i access the above backend service url, its saying
{
"error": "invalid_token",
"error_description": "Access token expired:XXXXXXXXXXXXXXX(access_token)"
}
I know its expired and tried regenerating access_token with help of refresh_token in terminal like this
curl clientID:clientSecret#localhost:XXXX/oauth/token -d grant_type=refresh_token -drefresh_token={refresh_token}
But i need to include this in our code and don't know where to place it.
After searching on net, i came across about ZullFilter. I tried all pre, route and post filters. For each request they are all executed (i.e all long as access_token not expired), but when token expires and if i test endpoint, none of the filters are executed and i am getting error response
{
"error": "invalid_token",
"error_description": "Access token expired: XXXXXXXXXX"
}
I have placed sysouts in run method of every filters. I don't know much about filterOrder also.
#Override
public Object run() throws ZuulException {
System.out.println("pre filter...");
RequestContext context =
RequestContext.getCurrentContext();
HttpServletResponse response = context.getResponse();
System.out.println(response.getStatus());
return null;
}
I want to control access_token generation with help of refresh_token. How could i code that whenever the access_token expires and if i access resources after expire,then i get to know that token expired and re generate access_token and call the previous call with new access_token.
Typically it is the client that is responsible for maintaining its own token and refreshing it when it is about to expire. Moving this logic into your Zuul layer seems like a really bad idea. Think about the implementation for a second, how would it work?
Once a client's token has expired, it would be calling your endpoints with a perpetually expired token that Zuul would have to try and refresh with every request. This would add a lot of overhead for each API call. You could possibly introduce some kind of hack where you always pass back a new token in a response header or something... but at this point you'd be violating the authorization flow of OAuth2.
I downloaded the example:
https://dev.office.com/Getting-Started/office365Apis?platform=option-android#register-app
clicking on send button throws this error:
RetrofitError: 404 Not Found
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Bearer access token is empty.",
"innerError": {
"request-id": "951626d4-0168-4b58-a78a-1fdd3bd322f2",
"date": "2016-04-29T18:34:05"
}
}
}
It looks like perhaps you did not register your app before downloading the sample. The readme instruction in the sample should walk you through registering and configuring an app, at which point the login should succeed and you will get a bearer token.
You are missing an access token. From https://msdn.microsoft.com/en-us/office/office365/api/discovery-service-rest-operations:
Discovery Service operations
Initial sign in
This brings the client to a web page where the user enters account information. It returns the endpoints needed to continue with Discovery Service. This is used the first time a user tries your application. It tells your application:
what cloud the user belongs to
where the app can send the user to log in
where to go to get a token
you can continue reading it on the official site.
I am trying to make a very simple app with spring social, the app is not for public. What I am trying to achieve is to post to my wall or to the page that I administer.
Trying to ask facebook for access to manage_pages permission they denied because as they said "You do not need to request these permissions because your blog or CMS is integrated with an app that you admin. As an App admin, you can already access these permissions and post to your timeline or a page you admin. You can provide access to additional users by adding them as developers of your App."
Now in the code. I altered a bit spring social showcase example. And my case is as follows:
1) I login to facebook through my app
2) Trying to get the number of pages that I administer
3) Post to my wall.
For step two I am using this code:
if (facebook.pageOperations().getAccounts() != null) {
System.out.println("SIZE OF ACCCOUNTS IS: " + facebook.pageOperations().getAccounts().size());
}
The size of accounts is always 0. So this means that although I should be able to post to the pages that I am administrator I can not even see them. Am I correct?
For step three now:
facebook.feedOperations().updateStatus("I'm trying out Spring Social!");
facebook.feedOperations().post(new PostData("me").message("I'm trying out Spring Social!")
.link("http://www.springsource.org/spring-social", null, "Spring Social", "The Spring Social Project", "Spring Social is an extension to Spring to enable applications to connect with service providers."));
System.out.println("FEED POSTED");
both of those attempts fail with the following exception:
org.springframework.social.InsufficientPermissionException: Insufficient permission for this operation.
Could someone help please?
It seems like you have not asked/granted the permissions that you need during login. The first thing that you need to do is implement login and ensure sure that you include the correct scope i.e. permission (manage_pages) during login. Since your requirements also include publishing, include these permissions publish_pages and/or publish_actions depending on whether you want to publish as a page or yourself. e.g. if you are using the JS SDK, it would look something like this:
FB.login(function(response) {
// handle the response
}, {scope: 'manage_pages, publish_pages, publish_actions'});
Once you do this, on logging in, you will be prompted if you want to grant these permissions. On granting, your access token will contain these permissions and you will be able to make a call to /me/accounts which will give you a list of pages that you admin and their respective access tokens. It will look something like this:
"data": [
{
"access_token": "CAACEdEose0cBAAy...",
"category": "Food/Grocery",
"name": "Page Name",
"id": "1234567890",
"perms": [
"ADMINISTER",
"EDIT_PROFILE",
"BASIC_ADMIN"
]
},
...
]
If you want to publish as yourself, then you can continue using the current user access token. Else if you want to publish as a page, grab the page access token from the response above and use that to make the POST request against the page id.
And if you are creating an app for yourself and not for the public, then you do not need to submit these permissions for review provided you are an admin or have some role in the app.
You might be able to find some more context here.
Question
When using the Google Plus Sign In Api with the Play Framework do you have to set headers in a different way? Is there something I am doing wrong here?
Background
I am using Play Framework(in Java) to use the Google Plus Sign in Api.
I am running into issues on the second leg of OAuth authentication, exchanging the Authorization Code for a Token.
Basic OAuth Flow
Pretty Picture
Redirect user to User login/Consent screen
This asks the user if they want to grant you application permission to the requested scopes
URL: https://accounts.google.com/o/oauth2/auth
Exchange Authorization Code for a Token
If the user gives your application permission then they will be redirected to a URL you specify, in that URL(As a GET param) will be an Authorization Code.
Your application can then use this Authoriztion Code to get a Token from the server
Your application does this by making a HTTP request to a endpoint on the Google Servers(Or whatever service you are using)
URL: https://accounts.google.com/o/oauth2/token
Use Token in API requests
The Issue
To Exchange the Authorization Code for a Token, with the Google Plus Sign In Api, you must make a POST request to https://accounts.google.com/o/oauth2/token with the following perimeters
{
"code": "Security Code Returned from Step 1",
"client_id": "Client Id that was given to you in GApi Console",
"client_secret": "Client Secret that was given to you in the GApi Console",
"redirect_uri": "Redirect Uri you specified in the GApi Console",
"grant_type": "authorization_code"
}
However when I make this request with all the correct parameters I get this error
{
"error" : "invalid_request",
"error_description" : "Required parameter is missing: grant_type"
}
From the Google Plus Sign in Api
To make HTTP requests in The Play Framework you use the WS Library. I make the request like this
public static F.Promise<Result> OAuthCallback(String state, String code){
/*
Note:
- The GoogleStrategy class is just a class that holds all my GApi credentials
- The parameters (String state, String code) are just GET params from Step 1, returned by the GApi
*/
//Make URL builder
WSRequestHolder requestHolder = WS.url(GoogleStrategy.getTokenUrl);
//Set headers
requestHolder.setHeader("code", code);
requestHolder.setHeader("client_id", GoogleStrategy.clientId);
requestHolder.setHeader("client_secret", GoogleStrategy.clientSecret);
requestHolder.setHeader("redirect_uri", GoogleStrategy.redirectUri);
requestHolder.setHeader("grant_type", GoogleStrategy.grantType);//GoogleStrategy.grantType = "authorization_code"
//Make HTTP request and tell program what to do once the HTTP request is finished
F.Promise<Result> getTokenPromise = requestHolder.post("").map(
new F.Function<WSResponse, Result>() {
public Result apply(WSResponse response){
return ok(response.asJson());//Returning result for debugging
}
}
);
return getTokenPromise;//Return promise, Play Framework will handle the Asynchronous stuff
}
As you can see, I set the header grant_type. Just to make sure setting headers was working I made a program that spits out the headers of a request in NodeJS(Source) and this was the result
{
"HEADERS": {
"host": "127.0.0.1:3000",
"code": "4/qazYoReIJZAYO9izlTjjJA.gihwUJ6zgoERgtL038sCVnsvSfAJkgI",
"grant_type": "authorization_code",
"client_secret": "XXXX-CENSORED FOR SECURITY PURPOSES-XXX",
"redirect_uri": "http://127.0.0.1:9000/api/users/auth/google/callback",
"client_id": "XXXX-CENSORED FOR SECURITY PURPOSES-XXX",
"content-type": "text/plain; charset=utf-8",
"connection": "keep-alive",
"accept": "*/*",
"user-agent": "NING/1.0",
"content-length": "14"
}
}
I think those are not to be sent as headers but as a body. In the link you provided there is an example:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
client_id=8819981768.apps.googleusercontent.com&
client_secret={client_secret}&
redirect_uri=https://oauth2-login-demo.appspot.com/code&
grant_type=authorization_code
So pass them to your post call:
StringBuilder sb = new StringBuilder();
sb.append("code=").append(code)
.append("&client_id=").append(GoogleStrategy.clientId)
.append("&client_secret=").append( GoogleStrategy.clientSecret)
.append("&redirect_uri=").append(GoogleStrategy.redirectUri)
.append("&grant_type=").append(GoogleStrategy.grantType)
requestHolder.setContentType("application/x-www-form-urlencoded")
.post(sb.toString());