I am using an URL like the following:
https://www.google.com/accounts/OAuthAuthorizeToken?
oauth_token=ab3cd9j4ks73hf7g&oauth_callback=http%3A%2F%2Fwww.example.com
This gets redirected to:
http://www.youtube.com/oauth_authorize_token?oauth_callback=http%3A%2F%2Fwww.google.com&oauth_token=1%2FyT-RZ-5PAMCp43Wt0RAGpNUAbMKAHxq1MG_RiX3Cmtk
After the user clicks allow access, YouTube directs the page to:
http://www.youtube.com/t/oauth_token_authorized
Why is the callback not working?
Their API seems to agree with what I am doing.
In sum, you're specifying the oauth_callback too late in the process. Instead, provide it at the very beginning. For Google's provider, that's when you're calling OAuthGetRequestToken.
This Google documentation seems to get it right. Strange. I also found other documentation that explains the same thing: "The [Service Provider] MUST associate the callback URL sent in Step 1 with the request token it issues." So, you have to provide the callback URL when getting the "unauthorized" request token ("unauthorized" because the user hasn't given their permission yet). After you've done this, you can forward the user to the Authorization URL, where the user (aka resource owner) grants access explicitly for your application.
Here's a page that gives related information about OAuth 2.0.
Related
I am using IBM Mobilefirst platform 8.0 at the moment.
Currently, I am facing a problem:
On my MFP, I have 1 security check to protect 1 adapter.
The flow is that:
login with the security check
can obtain access token (I call it TOKEN_1)
can request resource from adapter
logout
This step, I use the TOKEN_1 to request the resource from adapter and it returns 401 unauthorized (it's correct here)
login with the security check again
can obtain a new access token now (I call it TOKEN_2)
At this time, I can use both TOKEN_1 and TOKEN_2 to request the resource from the adapter and I think that it's not a good thing (just for my case and from my point of view)
I would think that the TOKEN_1 should not be valid anymore but only the TOKEN_2.
So, my question is that there is any way to invalidate forever an access token after we logout with MFP?
Thank you so much in advance.
You can manually clear out the access tokens in the mobile device using the API clearAccessToken.
You can invoke it before or after your logout call. This is to ensure all token related data held in-memory is cleared. This does not clear any token data you have recorded within in your code and stored.
Once you have logged out with WLAuthorizationManager.logout(securitycheck) , the next time you request a protected resource, MFP client SDK always obtains a new token.
I have a problem with Vertx oauth2.
I followed this tutorial http://vertx.io/docs/vertx-web/java/#_oauth2authhandler_handler:
OAuth2Auth authProvider = OAuth2Auth.create(vertx, OAuth2FlowType.AUTH_CODE, new OAuth2ClientOptions()
.setClientID("CLIENT_ID")
.setClientSecret("CLIENT_SECRET")
.setSite("https://github.com/login")
.setTokenPath("/oauth/access_token")
.setAuthorizationPath("/oauth/authorize"));
// create a oauth2 handler on our domain: "http://localhost:8080"
OAuth2AuthHandler oauth2 = OAuth2AuthHandler.create(authProvider, "http://localhost:8080");
// setup the callback handler for receiving the GitHub callback
oauth2.setupCallback(router.get("/callback"));
// protect everything under /protected
router.route("/protected/*").handler(oauth2);
// mount some handler under the protected zone
router.route("/protected/somepage").handler(rc -> {
rc.response().end("Welcome to the protected resource!");
});
// welcome page
router.get("/").handler(ctx -> {
ctx.response().putHeader("content-type", "text/html").end("Hello<br>Protected by Github");
});
The ideas is to have in the protected folder all the webpages that requires auth.
When I want to access to protected webpage I get redirected to the microsoft login site and after the login I get redirected to my callback.
What I don´t understand is how to handle the callback now?
I get something like this as response:
https://localhost:8080/callback?code=AAABAAA...km1IgAA&session_state=....
How I understood (https://blog.mastykarz.nl/building-applications-office-365-apis-any-platform/) I need to extract somehow the code and the session-state and send back with a post to:
https://login.microsoftonline.com/common/oauth2/token
in order to get the token.
But I did not understand how this can be done with Vertx.
Any help? How to extract the code and session and send back to Microsoft?
I found some tutorials here: https://github.com/vert-x3/vertx-auth/blob/master/vertx-auth-oauth2/src/main/java/examples/AuthOAuth2Examples.java but did not help me.
I am doing this with Azure authentication (in tutorial is written Github but i changed all this to Microsoft).
Are you behind a proxy? The callback handler sends a request to the provider from the application and not from a browser. For me this froze the whole application. You can set the proxy with OAuth2ClientOptions given to the OAuth2Auth.create
As mentioned in the official vert.x-web document, the handling of the auth flow (including access token request to microsoft) is handled by OAuth2AuthHandler:
The OAuth2AuthHandler will setup a proper callback OAuth2 handler so the user does not need to deal with validation of the authority server response.
This being said, there is no need for application to manually handle it. Instead of using example from vertx-auth, try this one instead which actually uses OAuth2AuthHandler.
I am trying to make a Java class which would call upon Google's API to recreate an access token to a user's account with new permissions/larger scope. This class is to be instantiated by a Java servlet I had created. I want a function within that class to return a new access token. For this class to do that, I am using the Scribe library.
In Scribe's quick guide, there are two steps which concern me and have me stumped:
Step Three: Making the user validate your request token
Let’s help your users authorize your app to do the OAuth calls. For
this you need to redirect them to the following URL:
String authUrl = service.getAuthorizationUrl(requestToken);
After this either the user will get a verifier code (if this is an OOB
request) or you’ll receive a redirect from Twitter with the verifier
and the requestToken on it (if you provided a callbackUrl)
Step Four: Get the access Token
Now that you have (somehow) the verifier, you need to exchange your
requestToken and verifier for an accessToken which is the one used to
sign requests.
Verifier v = new Verifier("verifier you got from the user");
Token accessToken = service.getAccessToken(requestToken, v); // the requestToken you had from step 2
It does not seem to specify how to get that verifier from the user. How am I supposed to do that? How do I redirect my user to the authURL, and how do I get it to send its verifier back to this class of mine, which initiated the request to begin with?
If this is unclear, let me structure the question differently, taking Scribe out of the equation: To get an authorization code from Google (which would be used to then get a refresh token and access token), I would execute the following URL connection from within the servlet (yes, I've tried to answer this problem without the Scribe library, and still can't figure it out):
URL authURL = new URL("https://accounts.google.com/o/oauth2/auth");
HttpsURLConnection authCon = (HttpsURLConnection) authURL.openConnection();
authCon.setRequestMethod("GET");
authCon.setDoOutput(false);
authCon.setConnectTimeout(100000);
authCon.setRequestProperty("response_type", "code");
authCon.setRequestProperty("client_id", CLIENT_ID);
authCon.setRequestProperty("redirect_uri",
"http://**************.com/parseAuth/");
authCon.setRequestProperty("scope", convertToCommaDelimited(scopes));
authCon.setRequestProperty("state", csrfSec);
authCon.setRequestProperty("access_type", "offline");
authCon.setRequestProperty("approval_prompt", "auto");
authCon.setRequestProperty("include_granted_scopes", "true");
What has me stuck is what I should be putting for the redirect URI. After getting the user's approval for the new scope, this authorization URL would return an authorization code to the redirect URI, and seemingly nothing to whatever called it. (Am I correct in this?) So if I have another servlet as the redirect URI to parse/extract the authorization code from the response, how in the world do I get that authorization code back to my first, initial servlet? It seems to me that there is no way to have it give back the value to the servlet, in the same position of the code from which the URL was called. It looks like the function has to end there, and all new action must take place within that new servlet. But if that is the case, and I send that auth code to Google's API which would send back a refresh token and access token to ANOTHER servlet I would make to be its redirect URI, how do I possibly get that information back to what it is which called the initial servlet to begin with? That seems to be the same problem at its core, with the problem I am having with Scribe.
I've been stuck on this for many hours, and can't seem to figure out what it is I am supposed to do. I feel like I am missing some key concept, element, or step. I need this clarified. If it is at all relevant, my servlet is hosted on a Jboss application server on OpenShift.
I want to get users' access_token by using Google Drive SDK in JAVA.
I completed to get access_token when user log-in first time. But, I really want to direct-login. I know access_token be expired, so 'refreshToken' can be my solution. But refreshToken is always 'null'. How can I perform direct-login? Many advices welcome.
You need to separate "login" from "access drive". Once your application has an access token for a given user/scope, it can access Drive on behalf of the user. There are two (main) ways your application can obtain an access token.
It can request access which will involve the user being logged in to grant access.
In step 1, it can request "offline" access, in which case it will be given an access token and a refresh token. It can subsequently use the refresh token to request more access tokens without the user being present.
I suspect that you want to do option 2. This is described quite well at https://developers.google.com/accounts/docs/OAuth2WebServer#offline
If you have tried this and you having problems, please paste your code and the http trace so we can look at the problem with you.
http://twitter4j.org/en/code-examples.html - How to provide a Twitter PIN statically during OAuth authentication, the code example talks about providing a PIN if its already available.
Our application is a standalone java application and would prefer to pass credentials via a property file without any human intervention.
Twitter will provide you the PIN code.
In the example, Twitter4J supposes that somebody will copy the URL it gave (with requestToken.getAuthorizationURL() at line 10) in a web browser and will authorize the application via the browser. After that, the user is supposed to write in the example program the PIN code displayed in its browser.
There are two big drawbacks for you in this example :
Human intervention
Which code will you give to your example program if Twitter do not give you a PIN code (and it will happen if the callback URL of your Twitter application is not "oob") ?
You will have to simulate the human intervention to get the PIN code. Unfortunately, Twitter4J does not seem to get methods to do this (I do not see such method in the Javadoc) so you will have to code yourself the following process :
Retrieve the HTML code of the web page at requestToken.getAuthorizationURL().
This HTML page contains a form whose some parameters will be posted with the username (or email) and the user's password to get the PIN code. These parameters are called "oauth_token" (the temporary OAuth token that you already have), "deny" (a tag used if you do not want to authorize the application) and "authenticity_token". All of them are in <input> HTML tags. Pick them.
Simulate the posting of the form. For this you will have to use the POST oauth/authorize endpoint. The URL is https://api.twitter.com/oauth/authorize?oauth_token=<your OAuth Token>. The request has to be authenticated following the Twitter process for Authenticating requests. This is the content of what you will post : "authenticity_token=<the form's "authenticity_token" parameter>&session[username_or_email]=<user's name or email>&session[password]=<the user's password in clear>". If you don't authorize the app, append "&deny=<the form's "deny" parameter>" in the body message. There will not be any problem for you since you have got the credentials (session[xxx] parameters) in a property file and you picked the other parameters in the form (cf 2.).
The Twitter API will give you back an web page. If the authorization was successful, the PIN will be inside. However, be careful. The PIN takes different names depending on the callback URL. If the callback URL is "oob", the PIN code is called OAuth PIN. It is a 4-digit number somewhere in a <div id="oauth_pin"> HTML tag. Otherwise, it is called OAuth Verifier. It is contained in a URL located in a <div class="happy notice callback"> HTML tag. In this URL, the PIN is the oauth_verifier of the request string. It looks like an OAuth token.
Don't hesitate to have a look at the HTML code of the web pages of the 2nd and the 4th step of my process. It is very useful to understand the process.
I spent some time today trying to figure out how to authenticate without user intervention using Twitter4j Library. I came up with the following:
ConfigurationBuilder conf = new ConfigurationBuilder();
conf.setOAuthConsumerKey(CONSUMER_KEY);
conf.setOAuthConsumerSecret(CONSUMER_KEY_SECRET);
conf.setOAuthAccessToken(TOKEN);
conf.setOAuthAccessTokenSecret(TOKEN_SECRET);
Twitter twitter = new TwitterFactory(conf.build()).getInstance();
By using ConfigurationBuilder, I'm now able to authenticate automatically. Of course you need to set values for CONSUMER AND TOKEN keys accordingly. Here's how I verified it:
User user = twitter.verifyCredentials();
System.out.println("Successfully verified credentials of " + user.getScreenName());
Hope this helps!