I have been trying this for quite a while now. I am able to fetch the request token no problem. But when i try to exchange it for the access token I get the following error:
2011-07-17 22:19:19,649 [http-8080-1] ERROR oauth.OauthService -
Unable to fetch access token! (consumerName=google,
requestToken=[key:4/Azm6wQDW85iYVmeb4ogCAl70D_89,
secret:Zrh9saEDJcgCo83QejOu28sU,
authUrl:https://www.google.com/accounts/OAuthAuthorizeToken?oauth_token=4%2FAzm6wQDW85iYVmeb4ogCAl70D_89,
isOAuth10a:true])
oauth.signpost.exception.OAuthCommunicationException: Communication
with the service provider failed: Service provider responded in error:
400 (Bad Request
Here is the code in the controller:
def OauthService
if (session.oauthToken == null) {
flash.message = "The token could no be retrieved... Please try again"
redirect(uri:"/")
}
def requestToken = OauthService.fetchRequestToken('google')
def accessToken = OauthService.fetchAccessToken('google', requestToken)
I have been playing about with it but it never seems to work any way I do it. Has anybody got any ideas?
If you look at the OAuth plugin docs, it mentions that some Google APIs require the scope attribute to be set in the OAuth config (in Config.groovy). Might be worth double-checking, considering the Google server is returning 400 Bad Request.
Also, enabling debug logging for the grails.app.service.org.grails.plugins.oauth and grails.app.controller.org.grails.plugins.oauth packages might provide some more clues.
Related
I am trying out get the access token from the super user so that I can the same to create new users in key cloak, I have deployed keycloak in wildfly and when I try to do the get call, I am getting Invalid user credentials as response,
How to know the actual credentials?
And when I try to update the password from the console, I getting the error message like below.
Since I am new to this and din't find enough information from internet also, any kind of help will be appreciated .
Updated:
Now i am getting new error description as Parameter client_assertion_type is missing like below. What should be client_assertion_type here ?
This keycloak help page describes the most likely reason for the second error:
Q: When logging in, I get an error: *Parameter client_assertion_type is missing [invalid_client].
A: This error means your client is configured with Signed JWT token credentials, which means you have to use the --keystore parameter when logging in.
Alternatively you can disable using JWT tokens for the client in Keycloak.
For your information, the client_assertion_type would probably be urn:ietf:params:oauth:client-assertion-type:jwt-bearer. But then you'd get another error because the client_assertion is missing.
If ccp-portal is a confidential client using client authentication with signed JWT then the Keycloak doc states that
During authentication, the client generates a JWT token and signs it
with its private key and sends it to Keycloak in the particular
backchannel request (for example, code-to-token request) in the
client_assertion parameter.
I guess it's not possible to generate a JWT with PostMan.
This is meant for backchannel client-keycloak communication, not for
user authentication.
Solutions
You can use the admin-cli as client_id instead of your ccp-portal client. The admin-cli should be in the list of clients configured for your ccp realm. You can see that from the Keycloak interface.
Another option is allow direct access grants in ccp-portal client config.
Finally you could use ccp-portal client in your application configured with one of the Keycloak client adapters, instead of POSTMan.
As subrob sugrobych mentionned, parameters should be passed as form-data.
first of all, when you are posting data to keycloak over a rest client, you need to input parameters as form paramaters, and not as query parameters. This is why you are getting this strange error of not providing parameter grant_type, when you obviously are providing it. Same is valid for accessing keycloak api via code.
Next thing you need to think about are roles for your superuser. You can assign realm roles and client roles. There is a client named 'realm-management' which contains roles which would normally count as "system roles". You will need to use them. When you are getting HTTP code 403, it means, that probably your user is missing a role from this client.
I need subscribe for Google Calendar API v3 Push Notifications. I have checked documentation - it provides useful API details. I have checked java client library. It contains useful classes...
Trying:
com.google.api.services.calendar.Calendar calendar = initObject();
...
calendar.calendarList().get("myMail#ukr.net").execute();
As result I have CalendarListEntry map with my calendar info.
Trying use same calendarClient object:
calendar.calendarList().watch(channel).execute();
in result:
17:46:26,540 ERROR # c.n.c.c.g.GoogleCalendarClient.watchCalendarList com.google.api.client.googleapis.json.GoogleJsonResponseException: 401 Unauthorized
It seems I have an authorization issue. I think I should not have one because of I can try one more time same client object and it returns correct result. Also I have considered case to use optional token field - no changes.
If someone needs my channel object:
17:58:38,022 INFO # {"address":"https://myPersonalVerifiedByGoogleAddr/google/calendars/","id":"4ac3e9e3-8428-405e-a8ed-6cf0e4fa25ff","payload":false,"type":"web_hook"}
address - my inet address verified by google
id - generated
payload - false (because of no content in my request)
type - web_hook (following google doc)
I have no ideas how to fix unauthorized in watch request, because of client is authorized (I would not be able to load calendar info).
You may want to try testing it by sending http request to validate if it is just an OAuth token issue. Next is to validate if you have done all the required steps to make a watch request. This would narrow down the possible reasons you encounter the issue.
Also check that in the docs it stated that "the Google Calendar API will be able to send notifications to this HTTPS address only if there is a valid SSL certificate installed on your web server."
I am trying to implement the rest api sample given in the salesforce site link below.
http://wiki.developerforce.com/page/Getting_Started_with_the_Force.com_REST_API
I have set up project as said in the link, but when I am executing the project I am getting an error as "Error - no access token". When I do debug, I came to know that the variable accessToken is null.
String accessToken = (String)
request.getSession().getAttribute("ACCESS_TOKEN");
I am bit confused about this problem.
Please help me in this regard.
It seems you are missing this part in your code:
// Set a session attribute so that other servlets can get the
// access token
request.getSession().setAttribute(ACCESS_TOKEN, accessToken);
// We also get the instance URL from the OAuth response, so set it
// in the session too
request.getSession().setAttribute(INSTANCE_URL, instanceUrl);
I'm using scribe for making an app that has oauth support. I didn't found problems With Twitter, but when using facebook I have problems...
This is the code that works on twitter oauth
OAuthService s = /* ... Facebook oauth init ... */
final Token requestToken = s.getRequestToken();
final String authURL = s.getAuthorizationUrl(requestToken);
It gives me an error at the second line:
12-20 10:01:31.475: E/AndroidRuntime(5405): java.lang.UnsupportedOperationException: Unsupported operation, please use 'getAuthorizationUrl' and redirect your users there
12-20 10:01:31.475: E/AndroidRuntime(5405): at org.scribe.oauth.OAuth20ServiceImpl.getRequestToken(OAuth20ServiceImpl.java:45)
I know that it says that I might use getAuthorizationUrl... But I have to pass a requestToken...
Could you please help me?
It would be helpful any example with Scribe and Facebook
Thanks!
PS: Same problem with Windows Live ! =(
EDIT:
I have been looking at the source code of the Scribe library and I found something
https://github.com/fernandezpablo85/scribe-java/blob/master/src/main/java/org/scribe/oauth/OAuth20ServiceImpl.java
Here we can see that I can call the getAuthorizationUrl(...) with null parameter because it doesn't use it.... But I think the prioblem now is that the config isn't filled...
here is how I initialize facebook service:
new ServiceBuilder()
.provider(FacebookApi.class)
.apiKey(....)
.apiSecret(....)
.scope("email,offline_access")
.callback("oauth://facebook")
.build();
Is this correct?
Thanks!
private static final Token EMPTY_TOKEN = null;
OAuthService service = new ServiceBuilder()
.provider(FacebookApi.class)
.apiKey(apiKey)
.apiSecret(apiSecret)
.callback("http://www.example.com/oauth_callback/")
.build();
String authorizationUrl = service.getAuthorizationUrl(EMPTY_TOKEN);
All you now need to redirect user to this URL and let him verify them self to get code from facebok.
There are a good amount of example with very good documentation for almost all major Oath
system
here is for Facebook
FacebookExample
For all major providers
Scribe Example Directory
Edit
After looking at the discussion my suggestion is to get a full understanding about Oauth1 and Oauth2.
You've got it all wrong. OAuth 2 Protocol never returns a request token like OAuth 1.
Oauth 1 does an HTTP POST request and returns an unauthorized request token. Then, you will have to authorize your unauthorized token to receive an authorized token (That's 2 HTTP call).
Oauth 2, on the other hand, doesn't have a request token flow, you will need to do an HTTP GET for an authorization token (1 HTTP call only). Hence why Scribe says that you need to call getAuthorizedUrl.
See this Facebook Example, to see how to retrieve an authorized token using OAuth 2.
Does anyone know how to use 2-legged OAuth with google-api-java-client?
I'm trying to access the Google Apps Provisioning API to get the list of users for a particular domain.
The following does not work
HttpTransport transport = GoogleTransport.create();
GoogleHeaders headers = (GoogleHeaders) transport.defaultHeaders;
headers.setApplicationName(APPLICATION_NAME);
headers.gdataVersion = GDATA_VERSION;
OAuthHmacSigner signer = new OAuthHmacSigner();
signer.clientSharedSecret = CONSUMER_SECRET;
OAuthParameters oauthParameters = new OAuthParameters();
oauthParameters.version = OAUTH_VERSION;
oauthParameters.consumerKey = CONSUMER_KEY;
oauthParameters.signer = signer;
oauthParameters.signRequestsUsingAuthorizationHeader(transport);
I get the "com.google.api.client.http.HttpResponseException: 401 Unknown authorization header".
The header looks something like this
OAuth oauth_consumer_key="...", oauth_nonce="...", oauth_signature="...", oauth_signature_method="HMAC-SHA1", oauth_timestamp="...", oauth_version="1.0"
I also tried following without success
GoogleOAuthDomainWideDelegation delegation = new GoogleOAuthDomainWideDelegation();
delegation.requestorId = REQUESTOR_ID;
delegation.signRequests(transport, oauthParameters);
Any ideas?
Thanks in advance.
It seems that there was nothing wrong with the code. It actually works.
The problem was with the our Google Apps setup.
When you visit the "Manage OAuth key and secret for this domain" page (https://www.google.com/a/cpanel/YOUR-DOMAIN/SetupOAuth),
and enable "Two-legged OAuth access control" and select
"Allow access to all APIs", it doesn't actually allow access to all APIs.
If you visit the "Manage API client access" page after that
(https://www.google.com/a/cpanel/YOUR-DOMAIN/ManageOauthClients),
you'll see that there is an entry like:
YOR-DOMAIN/CONSUMER-KEY "This client has access to all APIs"
It seems that this doesn't include Provisioning API.
Only after we explicitly added the Provisioning API, the code started to work.
So to enable Provisioning API, you should also have something like the following entry in your list:
YOR-DOMAIN/CONSUMER-KEY Groups Provisioning (Read only) https://apps-apis.google.com/a/feeds/group/#readonly
User Provisioning (Read only) https://apps-apis.google.com/a/feeds/user/#readonly
Somone else had the same problem:
http://www.gnegg.ch/2010/06/google-apps-provisioning-two-legged-oauth/
Sasa
Presumably you are trying to get an unauthorised request token here? I Haven't used the Google implementation, but the OAuth 1.0a spec says you need a callback URL, which you don't have. This might be a red herring as the spec says a missing param should return HTTP code 400 not 401.
See http://oauth.net/core/1.0a/#auth_step1