Invalid_Client error when trying to get a token - acumatica

We use https://[tenant].acumatica.com/identity/connect/authorize to get an authorization code which works fine then we call
https://[tenant].acumatica.com/identity/connect/token
endpoint with below params:
grant_type: authorization_code
client_id: [client id]
client_secret: [client secret]
code: (the value from "code" query parameter from the first request response)
redirect_uri: https://[local].ngrok.io/accumatica/access-token
We get a bad request with error message:
{
"error": "invalid_client"
}
What could be the reason?
Thanks

Most common explanation is that Client ID and Client Secret values passed by the OAuth client don't match the Client ID and Client Secret values configured in the OAuth server (Acumatica).

I'm not sure whether you're still having this issue - but perhaps it would be best to use grant_type = password.
That is the method recommended in Acumatica training documentation and we have used it that way to successfully get a token.
Here is a screen shot of the parameters from Postman...

Related

Karate API Test - Bearer error="invalid_token", error_description="The audience <number> is invalid"

Postman headers I'm using secret keys to generate an access token that I will use to authenticate for an API that I call. The issue is that I'm getting the error:
status code was: 401, expected: 200
WWW-Authenticate: Bearer error="invalid_token", error_description="The audience value is invalid"
This is how I call the API
Given url `https://login.microsoftonline.com/tenant_id/oauth2/token`
And form field grant_type = `client_credentials`
And form field client_id = `value`
And form field client_secret = `value`
When method post
Then status 200
match response.access_token != null
def access_token = response.access_token
print access_token
Given header Authorization = 'Bearer ' + access_token
Given url 'url'
And header accept = `plain/text`
And header 'X-Mimic-User' = `confidential`
When method GET
Then status 200
I'm expecting to be authenticated to the API with the generated access token.
So it appears your error may be related to the Authorization header, although the error description is hard to decipher, possibly scope related? I would list the URL first, not the header, unless you are re-using it, and want to configure the value for subsequent requests. Another way of setting the Bearer token is:
And match response.access_token == '#present'
* def oauthToken = `Bearer ${response.access_token}`
But really the most important thing is for you to check your request, including headers and compare it between Karate and Postman to see what is different.
From what I see in the error description, the first API call made towards your auth provider is returning a 200 with an access token, but the second call you are making to your application server seems to be failing to see the audience value in your access token.
I doubt you are using the same client credentials input (client_id, client_secret) in your postman and karate setup. Make sure they are the same.
I would also confirm if the access token received is having the aud parameter by checking it in https://jwt.io or any other tool you trust to decode your access token JWT. For the sake of experimentation do the same for the access token you got from postman as well.
Ideally, these configurations are very internal to your application and identity team and may not be directly related to karate. The other teams mentioned should be the ones best to guide you.
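The aud check the answer above suggests, as an added example that is not part of the original thread: it decodes the payload of a JWT (without verifying the signature, which is the resource server's job) and compares the aud claim, which may be a string or a list, against the audience the API expects. The sample token and the expected audience value are constructed placeholders.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip off."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying it.
    Diagnostic aid only: the API still validates signature, exp and aud."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(claims: dict, expected_aud: str) -> bool:
    """RFC 7519 allows 'aud' to be a single string or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        return False
    if isinstance(aud, str):
        return aud == expected_aud
    return expected_aud in aud


def _make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned (alg 'none') token for the demo below."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(claims))


# Constructed sample: a token whose audience is Graph, not the caller's own API.
SAMPLE_TOKEN = _make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "appid": "11111111-2222-3333-4444-555555555555",  # placeholder app id
    "exp": 1700000000,
})
EXPECTED_AUDIENCE = "api://my-api-app-id"  # placeholder for the API's App ID URI

if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    print("aud in token:", claims.get("aud"))
    print("matches the API's audience:", audience_matches(claims, EXPECTED_AUDIENCE))
```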

Microsoft Graph API token expiring after 3600 seconds - NodeJS

I am using the Microsoft Graph API to generate oAuth 2.0 access token, which expires after 1 Hour. Route being used is: https://login.microsoftonline.com/[Tenant ID]/oauth2/v2.0/token
I am passing these values in the Query string.
{
grant_type: "client_credentials",
client_id: APP_ID,
client_secret: APP_PASSWORD,
scope: "https://graph.microsoft.com/.default",
}
Now, in my current implementation I have added recursion in which I added retries before calling a graph api to extract user details from AD.
Is there a way I can get/fetch a refresh token, because refresh tokens last longer?
You need to follow the below steps to enable Refresh Tokens:
Request the scope 'offline_access'. This will tell the endpoint to provide a refresh_token along with the access_token and associated metadata.
You need to request a new access_token (and refresh_token as they come together) by repeating the same POST to /common/oauth2/v2.0/token with a slightly different body - grant_type is set to refresh_token and instead of a code, you supply a refresh_token property and value
For e.g.
POST /{tenant}/oauth2/v2.0/token
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=[client Id]
&scope=[scope]
&refresh_token=[refresh token]
&grant_type=refresh_token
&client_secret=[secret]
Please refer to the documentation here for refresh token request details.
In my view, use of refresh token along with client credential flow is of no use. Why would you want to have an additional step added to get access token when you can get that straight away?
Flow with the client_credentials grant type:
Step 1: client authentication
OK access token is issued
Flow for obtaining Refresh_token
Step 1: client authentication
Step 2: Refresh token validation and use it to obtain access token
OK access token is issued.
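The point made in the last answer, as an added example that is not from the thread: with client_credentials the client simply re-authenticates, so instead of retries on 401 the token is cached and re-requested shortly before expires_in elapses. The fetcher and clock are injected; run_demo uses a constructed fetcher in place of the real POST to /oauth2/v2.0/token.

```python
import itertools
import time
from typing import Callable, Dict, List, Tuple


class ClientCredentialsTokenCache:
    """Cache an access token from the client_credentials grant and re-request
    it before expires_in elapses. No refresh_token is involved."""

    def __init__(self, fetch_token: Callable[[], Dict],
                 clock: Callable[[], float] = time.time, skew_seconds: int = 60):
        self._fetch = fetch_token      # performs the POST to the token endpoint
        self._clock = clock            # injectable so expiry can be simulated
        self._skew = skew_seconds      # renew this many seconds before expiry
        self._token = None
        self._expires_at = 0.0

    def get(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch()
            if resp.get("token_type", "Bearer").lower() != "bearer":
                raise ValueError("unexpected token_type: %r" % resp.get("token_type"))
            self._token = resp["access_token"]
            self._expires_at = now + int(resp["expires_in"])
        return self._token


def run_demo() -> Tuple[List[str], int]:
    """Simulate two hours with a constructed fetcher; returns the token handed
    out at each checkpoint and how often the token endpoint was called."""
    clock = {"now": 0.0}
    counter = itertools.count(1)
    calls = {"n": 0}

    def fake_fetch() -> Dict:          # stands in for the real HTTP call
        calls["n"] += 1
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": "constructed-token-%d" % next(counter)}

    cache = ClientCredentialsTokenCache(fake_fetch, clock=lambda: clock["now"])
    seen = []
    for t in (0, 1800, 3500, 3545, 7200):   # seconds since start
        clock["now"] = float(t)
        seen.append(cache.get())
    return seen, calls["n"]


if __name__ == "__main__":
    tokens, n = run_demo()
    print(tokens, "token endpoint calls:", n)
```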

Authenticating to Revolut API

I am trying to follow Revolut's tutorial for authenticating to their API and I'm stuck at requesting a reusable access token.
So far I've managed to:
1. Create public/private keys
2. Upload public key
3. Sign a jwt with the generated client_id
4. Get an authorisation code
But I am blocked at using the above for requesting a reusable access token.
As per this page, I'm supposed to create a POST request on https://b2b.revolut.com/api/1.0/auth/token with the following body:
{
"grant_type": "authorization_code",
"client_id": my_client_id,
"code": my_authorisation_code,
"client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
"client_assertion": my_jwt
}
Which I've done in Insomnia but I keep getting this error:
{
"error": "invalid_client",
"error_description": "client_id is missing"
}
Looking on SO for an answer I stumbled upon this answer, but I get this error all the time, even after I change the client_id.
Turns out the body should not be a JSON, it should have been url encoded, like this:
grant_type=authorization_code&client_id=client_id&code=code&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=jwt
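The JSON-versus-form-body mistake from this answer, as an added example that is not code from the thread or from Revolut: build_token_request produces the application/x-www-form-urlencoded body a token endpoint expects, and simulate mimics a strict endpoint that only parses form bodies, so the same fields sent as JSON come back as invalid_client. Client id, code and assertion values are constructed placeholders.

```python
import json
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def build_token_request(client_id: str, code: str,
                        client_assertion: str) -> Tuple[Dict[str, str], str]:
    """Return (headers, body) for the authorization_code exchange as a form body."""
    params = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": client_assertion,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # urlencode percent-encodes the ':' in the URN; the server decodes it again.
    return headers, urlencode(params)


def token_endpoint_client_id(content_type: str, body: str) -> Optional[str]:
    """Mimic a strict token endpoint: only a form body is parsed for client_id."""
    if content_type.split(";")[0].strip() != "application/x-www-form-urlencoded":
        return None
    return parse_qs(body).get("client_id", [None])[0]


def simulate(content_type: str, body: str) -> Dict:
    """Constructed stand-in for the endpoint's response to the two body styles."""
    client_id = token_endpoint_client_id(content_type, body)
    if client_id is None:
        return {"error": "invalid_client", "error_description": "client_id is missing"}
    return {"access_token": "constructed-token-for-%s" % client_id}


if __name__ == "__main__":
    # The mistake from the question: the right fields, serialised as JSON.
    json_body = json.dumps({"grant_type": "authorization_code",
                            "client_id": "my_client_id", "code": "my_code",
                            "client_assertion_type": CLIENT_ASSERTION_TYPE,
                            "client_assertion": "my_jwt"})
    print(simulate("application/json", json_body))
    headers, form_body = build_token_request("my_client_id", "my_code", "my_jwt")
    print(form_body)
    print(simulate(headers["Content-Type"], form_body))
```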

AADB2C90083: The request is missing required parameter: grant_type

I am trying to configure the ROPC flow in Azure Active Directory B2C using a custom policy mentioned in the below URL.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/ropc-custom
But I am getting the below error while testing the ROPC policy.
{
"error": "invalid_request",
"error_description": "AADB2C90083: The request is missing required parameter: grant_type.\r\nCorrelation ID: b4153dfe-4296-4b68-850f-ee30ac4d86b0\r\nTimestamp: 2019-08-02 11:53:23Z\r\n"
}
https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1A_<POLICY_NAME>&username=xxxxx&password=xxxxx&grant_type=password&scope=openid <NativeClient_App_ID> offline_access&client_id=<NativeClient_App_ID>&response_type=token id_token
In the above url add your tenant name, ROPC Signin Policy Name, username & Password and your native client ID.
Now try to send the request and check.
I got the same error then I realised it should be GET request and I was sending POST. Make sure you are sending correct request type.

Outlook API invalid_token error

I'm trying to call the outlook API with the following request:
https://outlook.office.com/api/v2.0/me/calendars
GET
Authorization: Bearer [my fresh bearer token]
I successfully retrieved an access_token from the token endpoint after the login and user consent.
However, every request I try returns 401 Unauthorized with the following header (showing that one cause it looks weird to me):
WwwAuthenticate [HttpHeaderValueCollection]: {Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000#*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token", Basic Realm="", Basic Realm="", Basic Realm=""}
As you can see, at the end there is error="invalid_token"
Also, there is app_asserted_user_v1 service_asserted_app_v1
Is there something I forgot to activate or configure properly?
EDIT: I did find this post but if I add a resource parameter like the OP, I get "Bad Request" and this code:
AADSTS90100: The 'resource' request parameter is not supported.
All right I found the answer myself and I hope it will help more people:
The problem was even before, at the step I was redirecting the user to the MS Login page.
At that point I used to give it the following scopes:
openid Calendars.ReadWrite offline_access profile
BUT, the Calendars.ReadWrite MUST be passed with its "full" name, being:
https://outlook.office.com/Calendars.ReadWrite
HTH
