Fedauth, rtfa cookies not found in response sharepoint online auth - sharepoint

We are trying to get an access token from SharePoint Online using this Postman API call: https://mydomain.sharepoint.com/_forms/default.aspx?wa=wsignin1.0.
We are not getting the FedAuth and rtFa cookies in return, only the context response cookie.
We are following this link for the Postman call.
Is anyone facing the same issue?

First, you need to get a binary security token. For that you use the Microsoft Security Token Service; send the request to the following URL:
https://login.microsoftonline.com/extSTS.srf
Then add the following XML envelope as the message body, replacing [username], [password] and [yourdomain] with your data. Please set Content-Type to application/x-www-form-urlencoded in the request header.
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://login.microsoftonline.com/extSTS.srf</a:To>
    <o:Security s:mustUnderstand="1"
                xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:UsernameToken>
        <o:Username>[username]#[YourDomain].onmicrosoft.com</o:Username>
        <o:Password>[Password]</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference>
          <a:Address>https://[yourdomain].sharepoint.com/</a:Address>
        </a:EndpointReference>
      </wsp:AppliesTo>
      <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
      <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>
In the response you will get a "BinarySecurityToken"; copy it and put it in the body of a POST request to the following URL. Finally, you will get the FedAuth and rtFa cookies.
https://[YourDomain].sharepoint.com/_forms/default.aspx?wa=wsignin1.0
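The two-step logon described in the answer above, as an added example that is not code from the answer: build_rst() produces the same RST envelope, extract_bst() pulls the BinarySecurityToken out of the STS reply, and run() posts it to /_forms/default.aspx?wa=wsignin1.0 and returns the FedAuth/rtFa pair. The STS reply used to exercise the parser is constructed, and run() assumes the requests library is installed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

STS_URL = "https://login.microsoftonline.com/extSTS.srf"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Same RST envelope as in the answer, collapsed onto fewer lines; {..} are format slots.
RST_TEMPLATE = (
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" '
    'xmlns:a="http://www.w3.org/2005/08/addressing" '
    'xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">'
    '<s:Header><a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>'
    '<a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>'
    '<a:To s:mustUnderstand="1">{sts}</a:To>'
    '<o:Security s:mustUnderstand="1" xmlns:o="{wsse}"><o:UsernameToken>'
    '<o:Username>{user}</o:Username><o:Password>{pw}</o:Password></o:UsernameToken></o:Security>'
    '</s:Header><s:Body><t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">'
    '<a:EndpointReference><a:Address>{site}</a:Address></a:EndpointReference></wsp:AppliesTo>'
    '<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>'
    '<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>'
    '<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>'
    '</t:RequestSecurityToken></s:Body></s:Envelope>'
)
# Constructed STS reply (not a real token) so the parser can be exercised offline.
SAMPLE_RSTR = (
    '<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Body>'
    '<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<wst:RequestedSecurityToken><wsse:BinarySecurityToken xmlns:wsse="' + WSSE_NS + '" Id="Compact0">'
    't=CONSTRUCTED_TOKEN&amp;p=</wsse:BinarySecurityToken></wst:RequestedSecurityToken>'
    '</wst:RequestSecurityTokenResponse></S:Body></S:Envelope>'
)

def build_rst(username, password, site_url):
    # escape() stops a credential containing & < > from breaking or altering the XML
    return RST_TEMPLATE.format(sts=STS_URL, wsse=WSSE_NS, user=escape(username),
                               pw=escape(password), site=escape(site_url))

def extract_bst(rstr_xml):
    """BinarySecurityToken text from the STS reply, or None when the STS sent a fault."""
    node = ET.fromstring(rstr_xml).find(".//{%s}BinarySecurityToken" % WSSE_NS)
    return node.text if node is not None else None

def logon_cookies(cookie_jar):
    """The FedAuth/rtFa pair from a name->value mapping, or None if either is missing."""
    fed, rtfa = cookie_jar.get("FedAuth"), cookie_jar.get("rtFa")
    return {"FedAuth": fed, "rtFa": rtfa} if fed and rtfa else None

def run(username, password, site_url):
    """Live flow; assumes the requests library and is not exercised by the test."""
    import requests
    s = requests.Session()
    form = {"Content-Type": "application/x-www-form-urlencoded"}
    bst = extract_bst(s.post(STS_URL, data=build_rst(username, password, site_url), headers=form).text)
    if bst is None:
        raise RuntimeError("STS did not issue a BinarySecurityToken; check the credentials")
    s.post(site_url.rstrip("/") + "/_forms/default.aspx?wa=wsignin1.0", data=bst, headers=form)
    return logon_cookies(s.cookies.get_dict())
```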

Related

Redirect URI not valid with Outlook MAIL REST API

Pre Info
I have a working ColdFusion application (web-based) with a full Google OAuth2 verification process implemented. This works well and I can retrieve e-mails and post commands. Now I want to do the same with Microsoft's Outlook.
Problem
When I try to do an HTTP POST request to the token URL, I get a response saying that my redirect URI is not valid because it's not the same as the one I used to get the code.
What works
I can retrieve the code by doing a GET request to the OAuth endpoint. I've added a redirect URI in the Azure portal (multiple URIs). When I call this URL I get a login screen from Outlook, and after that I'm successfully redirected back to my application. So I guess the redirect URI is correct and it's all working.
When I try to get the token with the received code, I get the redirect error. I've absolutely no idea how it comes up with the fact that these URIs are not the same. I've triple-checked everything but cannot find anything wrong.
Error
This is the error I'm getting:
"error":"invalid_grant","error_description":"AADSTS70000: The provided value for the 'redirect_uri' is not valid. The value must exactly match the redirect URI used to obtain the authorization code.
I've tried different kinds of formats: dash at the end or no dash. But the fact remains that the redirect URL works for the earlier step. So why not with this one?
When I play around with it I also get messages like "Code expired", so I know it's working properly. I've played around with options in the Azure portal. I followed the OAuth2 Outlook playground. But I still cannot get past this message. How can I figure out what is going on here?
REQUEST
I've tried different ways to do the request. The simplest one is this:
cfhttp(method="POST", charset="utf-8", url="https://login.microsoftonline.com/common/oauth2/v2.0/token", result="result") {
cfhttpparam(name="Content-Type", type="header", value="application/x-www-form-urlencoded");
cfhttpparam(name="grant_type", type="formfield", value="authorization_code");
cfhttpparam(name="code", type="formfield", value="M090efafb-1ce6-1d54-fda7-e48f57c33cba");
cfhttpparam(name="scope", type="formfield", value="openid offline_access profile https://outlook.office.com/mail.read https://outlook.office.com/mail.read.shared https://outlook.office.com/mail.readwrite https://outlook.office.com/mail.readwrite.shared https://outlook.office.com/mail.send https://outlook.office.com/mail.send.shared");
cfhttpparam(name="redirect_uri", type="formfield", value="#URLencode('https://bizz.bmk-is.nl/')#");
cfhttpparam(name="client_id", type="formfield", value="cdee5a0a-a409-4c41-9572-726c5bdbe93e");
cfhttpparam(name="client_secret", type="formfield", value="[HIDDEN VALUE]");
}
## NEW EDIT ##
I will post some more information here. First of all, this is the GET I'm using:
response_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
response_url = "#response_url#?response_type=code";
response_url = "#response_url#&client_id=cdee5a0a-a409-4c41-9572-726c5bdbe93e";
response_url = "#response_url#&redirect_url=#URLencode('https://bizz.bmk-is.nl/')#";
response_url = "#response_url#&scope=openid offline_access profile";
response_url = "#response_url# https://outlook.office.com/mail.read";
response_url = "#response_url# https://outlook.office.com/mail.read.shared";
response_url = "#response_url# https://outlook.office.com/mail.readwrite";
response_url = "#response_url# https://outlook.office.com/mail.readwrite.shared";
response_url = "#response_url# https://outlook.office.com/mail.send";
response_url = "#response_url# https://outlook.office.com/mail.send.shared&prompt=login";
This is the error I'm getting now:
"error":"invalid_request","error_description":"AADSTS90102: 'redirect_uri' value must be a valid absolute Uri.
You may need to URL encode your 'redirect_uri'.
Here is an example from the MS Getting started with Outlook REST page. Notice the encoding on the URI:
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<CLIENT ID>&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_type=code&scope=openid+Mail.Read
And then getting the AccessToken:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=AwABAAAA...cZZ6IgAA&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&client_id=<CLIENT ID>&client_secret=<CLIENT SECRET>
OMG, I found it! I was searching around and playing around with the redirect URIs when I noticed that in the GET I called it "redirect_url" and in the POST "redirect_uri". Changed that to uri and now it's working! Super nice. Still weird that I don't get an error in the GET that redirect_url is nothing, but hey, I'm glad it's working.

Spotify API Token Scope Issue

I have been at this for some time now and wanted to see if anyone had an idea of what I could be doing wrong. What I am trying to do is add a song to a playlist using the provided Spotify Web APIs. According to the documentation at https://developer.spotify.com/documentation/web-api/reference/playlists/add-tracks-to-playlist/ I need to establish the scope of the user.
"adding tracks to the current user's private playlist (including collaborative playlists) requires the playlist-modify-private scope". I have created the playlist as collaborative and I am using the login credentials of my personal account to reach this playlist I created. All of this is under the same login.
What I am finding is that my scope is not getting added to my token on my call for my token, which causes a 403 error when I try to add the song.
Here is what that call looks like:
https://accounts.spotify.com/authorize/?client_id=mynumber&response_type=code&scope=playlist-modify-private&redirect_uri=http:%2F%2Flocalhost:55141/Home/GetToken/
Here are the docs on using authorization to get the correct token.
https://accounts.spotify.com/authorize/?client_id=894400c20b884591a05a8f2432cca4f0&response_type=code&scope=playlist-modify-private&redirect_uri=http:%2F%2Flocalhost:55141/Home/GetToken/
Furthermore, if I go into the dev support here
https://developer.spotify.com/documentation/web-api/reference/playlists/add-tracks-to-playlist/
and click the green Try button and then request a new token, it works.
Bottom line: somehow my request is not taking my scope request. Any ideas?
Thanks
To get a token with a specific scope you need to go to the authorize endpoint and get the code. The code is what you need in order to HTTP POST to the endpoint https://accounts.spotify.com/api/token and get a token with your desired scopes. You can simply get the code by pasting a URL like this in your browser...
https://accounts.spotify.com/authorize?client_id=<client_id>&response_type=code&scope=streaming%20user-read-email%20user-read-private&redirect_uri=<redirect_uri>
Only add %20 between scopes if you have multiple ones.
You will then be sent to Spotify's website and they'll verify you want to do this. Once you verify it, your browser will redirect you to what you set the redirect_uri to be in the URL above. At the end of the URL you are sent to, you should be able to see the parameter named code with the code value assigned to it. You then take that code and put it in your HTTP POST body params to the https://accounts.spotify.com/api/token endpoint. Make sure you accurately follow the query-param requirements in your POST method.
An example of the post in python using the requests library:
import requests

def get_access_token(client_id, client_secret, code, redirect_uri):
    # Exchange the authorization code for a token; the client credentials go in HTTP Basic auth
    authorization = requests.post(
        "https://accounts.spotify.com/api/token",
        auth=(client_id, client_secret),
        data={
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,  # must be the same value used at /authorize
        },
    )
    authorization_JSON = authorization.json()
    return authorization_JSON["access_token"]
In the end you should get a JSON that shows the scopes you set, along with a refresh token to make more requests later on.
I know this answer is quite late but I was experiencing the same issue as well which is how I came across this question. I hope this helps anyone that sees this at a later date.
Source: https://developer.spotify.com/documentation/general/guides/authorization-guide/#client-credentials-flow
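Both the Outlook thread (redirect_uri must be spelled and percent-encoded correctly and repeated byte-for-byte at the token endpoint) and the Spotify answer above (space-separated scopes, then the code exchange) are steps of the same authorization-code flow. The following is an added example, not code from either thread: it keeps the redirect_uri in one place so the two requests cannot disagree, and checks the callback before the code is used. The endpoint URLs, client id and secret are placeholders and nothing is sent over the network.

```python
import secrets
from urllib.parse import urlencode, quote, urlparse, parse_qs

FORM = "application/x-www-form-urlencoded"

def _q(s, safe="", encoding=None, errors=None):
    # percent-encode everything, so ':' '/' and ' ' in a value become %3A %2F %20
    return quote(s, safe="", encoding=encoding, errors=errors)

class AuthCodeFlow:
    """One authorization-code exchange; the redirect_uri is stored once and reused verbatim."""

    def __init__(self, authorize_endpoint, token_endpoint, client_id, redirect_uri, scopes):
        self.authorize_endpoint, self.token_endpoint = authorize_endpoint, token_endpoint
        self.client_id, self.redirect_uri, self.scopes = client_id, redirect_uri, list(scopes)
        self.state = None

    def authorize_url(self, **extra):
        # The parameter is named redirect_uri (the GET in the Outlook question sent
        # redirect_url, which the server did not recognise); scopes are joined by a space.
        self.state = secrets.token_urlsafe(16)   # binds the callback to this browser session
        params = {"client_id": self.client_id, "response_type": "code",
                  "redirect_uri": self.redirect_uri, "scope": " ".join(self.scopes),
                  "state": self.state, **extra}
        return self.authorize_endpoint + "?" + urlencode(params, quote_via=_q)

    def code_from_callback(self, landed_url):
        """Code from the URL the browser landed on; rejects a wrong target, a state
        mismatch, or an error reply instead of a code."""
        if landed_url.split("?", 1)[0] != self.redirect_uri:
            raise ValueError("callback did not arrive at the registered redirect_uri")
        q = parse_qs(urlparse(landed_url).query)
        if q.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: not the callback for this authorization request")
        if "error" in q:
            raise ValueError("authorization server replied " + q["error"][0])
        return q["code"][0]   # only the code, never code plus state, goes to the token endpoint

    def token_request(self, code, client_secret):
        """The POST that exchanges the code; redirect_uri is byte-for-byte the one used above."""
        body = urlencode({"grant_type": "authorization_code", "code": code,
                          "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                          "client_secret": client_secret}, quote_via=_q)
        return {"method": "POST", "url": self.token_endpoint,
                "headers": {"Content-Type": FORM}, "body": body}
```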

docuSign /v2/login_information Authenticate User to get BaseURL

I'm passing authorization information in JSON format as follows.
X-DocuSign-Authentication:{ "Username" :"xxxxx", "Password" :"xxxxxx",
"IntegratorKey" :"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" }
I'm converting it with ToBase64String and passing it to the DocuSign REST API.
It gives me an Unauthorized user error with status code 401.
I want to know which format and encoding I have to pass to "/v2/login_information" to get the baseUrl.
No encoding is required for the X-DocuSign-Authentication header.
Also see this answer for more detailed explanation.

DocuSign Authorization Code Grant flow returns invalid_grant error

The DocuSign documentation goes through an easy-to-follow authorization flow for code grant. I'm able to get the "code" from the initial GET request to /oauth/auth, but getting the tokens gives me an error of "invalid_grant" when I try in Postman. I've followed the steps and have a request that looks like this, using account-d.docusign.com for the host:
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic MjMwNTQ2YTctOWM1NS00MGFkLThmYmYtYWYyMDVkNTQ5NGFkOjMwODc1NTVlLTBhMWMtNGFhOC1iMzI2LTY4MmM3YmYyNzZlOQ==
grant_type=authorization_code&code=ey2dj3nd.AAAA39djasd3.dkn4449d21d
Two other members of my team have also tried with their developer accounts and all are getting invalid_grant errors. Is this no longer supported or are there common errors associated with this error that we might be able to investigate?
Re-check all of your values.
I was also getting the same invalid_grant response and could not figure out why at first. It turns out that I had a typo in the Content-Type header. I was using application/x-www-form-urlencode instead of application/x-www-form-urlencoded.
You may not be, but if you are submitting the exact Authorization Header as you've posted it here in your question (MjMwNTQ2YTctOWM1NS00MGFkLThmYmYtYWYyMDVkNTQ5NGFkOjMwODc1NTVlLTBhMWMtNGFhOC1iMzI2LTY4MmM3YmYyNzZlOQ==) it will fail with that message.
That is the base64 value for the sample integration key and sample secret key provided in their documentation. If you decode that string with an online base64 decoder it will result in 230546a7-9c55-40ad-8fbf-af205d5494ad:3087555e-0a1c-4aa8-b326-682c7bf276e9. This is the same sample integration key and secret in the documentation.
Check the Authorization header you are submitting by encoding your integration key and secret (integrationKey:secret) using this online base64 encoder. This will make sure the issue isn't with your base64 encoding of your integration key and secret. Once you have that value, make sure your Authorization uses the word Basic before the value you got from this website (Basic base64stringFromOnlineEncoder).
Check that the code you are submitting in the body of the POST is not the sample code from their documentation. ey2dj3nd.AAAA39djasd3.dkn4449d21d is the sample code from their documentation. You may just be using that in your question as a placeholder, but if you are submitting any of those values it will return invalid_grant. Make sure that the body of your POST does not have any leading or trailing spaces.
Have the correct Content-Type set application/x-www-form-urlencoded
Have the correct Authorization header set Basic base64EncodedIntegrationKey:Secret
Have the correct body using the valid code received from the GET request to /oauth/auth with no leading or trailing spaces, making sure you're not using the values from your question.
If you are still having trouble and you are not doing a user application but are doing a service integration, you can use Legacy Authentication to get your OAuth2 token.
Alternative Method using Legacy Authentication for Service Integrations
This method does not use a grant code. You pass in the integration key, username and password into the X-DocuSign-Authentication header in JSON format.
Demo Server: demo.docusign.net
Production Server: www.docusign.net
API Version: v2
POST https://{server}/restapi/{apiVersion}/oauth2/token
Content-Type: application/x-www-form-urlencoded
X-DocuSign-Authentication: {"IntegratorKey":"your_integrator_key","Password":"docusign_account_password","Username":"docusign_account_username"}
grant_type=password&client_id=your_integrator_key&username=docusign_account_username&password=docusign_account_password&scope=api
If you are building a user application that requires the user to enter their DocuSign credentials to generate the token, this alternative will not work for you.
For anyone who is facing this error, I'd like to point out this note in the documentation:
Note: The obtained authorization code is only viable for 2 minutes. If more than two minutes pass between obtaining the authorization code and attempting to exchange it for an access token, the operation will fail.
I was struggling with the same error until I spotted the note and sped up my typing to meet the 2 minutes.
Hope it helps someone else.
In my case the problem was related to having set a wrong value for the Content-Type header, namely "application/x-www-form-URIencoded" instead of the correct "application/x-www-form-urlencoded". Note though that in my case the problem was not a "typo" but excessive trust in the DocuSign documentation.
Indeed the wrong Content-Type is, at the time of writing, suggested directly on the documentation page where they describe the Authorization Code Grant workflow; see the image below for the relevant part.
Hopefully they will fix the documentation soon, but for the time being be careful not to blindly copy & paste the code from their examples without thinking, as I initially did.
Anyone have an idea what is wrong here? I am getting a BadRequest with the following:
{"error":"invalid_grant","error_description":"unauthorized_client"}
var client = new RestClient(ESIGNURL);
var request = new RestRequest("/oauth/token");
request.Method = Method.POST;
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
request.AddHeader("Authorization", "Basic " + Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(integrationkey+ ":" + secret)));
string body = "grant_type=authorization_code&code=" + code;
request.Parameters.Clear();
request.AddParameter("application/x-www-form-urlencoded", body, ParameterType.RequestBody);
var response = client.Execute(request);
I was getting this error as well. What I realized is I was appending the state at the end of the code before passing it to the oauth token endpoint.
This snippet is from DocuSign explaining some other reasons for getting that error.
I just spent a day doing this (in NodeJS). I'll add a couple of things to the previous answers. First, I had to put:
"Content-Type": "application/x-www-form-urlencoded"
in the header. Otherwise it gave me the message:
{
"error": "invalid_grant",
"error_description": "unsupported_grant_type"
}
Second, the base64 encoding:
I used this in NodeJS and it worked
const integration_key = process.env.INTEGRATION_KEY;
const secret_key = process.env.SECRET_KEY;
// "integrationKey:secret" encoded with standard base64 (the '=' padding is kept)
const authinfo = integration_key + ":" + secret_key;
const buff2 = Buffer.from(authinfo, "utf8").toString("base64");
If you use "base64url" it doesn't work because it strips the == off the end of the string. The = symbol is used as padding and apparently it's needed. You see a similar difference on this site https://www.base64encode.org/ when you toggle the URL-safe encoding option. If you don't have the padding at the end of your base64-encoded string (or if it's generally incorrect) you get this message:
{
"error": "invalid_grant",
"error_description": "unauthorized_client"
}
Finally, if you're using Postman (I'm using DocuSign's Postman Collection) remember to reset and save the codeFromUrl variable after you update it. Otherwise it doesn't update and you get the message:
{
"error": "invalid_grant",
"error_description": "expired_client_token"
}
This means the old URL code has expired and your new one didn't save.
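The answers in this thread between them name every cause of invalid_grant the posters hit: a misspelled Content-Type, an Authorization header built with padding-stripping base64url or missing "Basic ", the documentation's sample key/secret or sample code, state glued onto the code, and stray whitespace in the body. The following is an added pre-flight check, not DocuSign's code or the posters' code, that builds the header correctly and flags each of those mistakes before the request goes out. It assumes the integration key and secret are GUID-shaped, as in the documentation sample quoted above; all other values are constructed.

```python
import base64
import re

FORM = "application/x-www-form-urlencoded"
# Sample values from the DocuSign documentation, quoted in the answers above; they never work.
SAMPLE_BASIC = "MjMwNTQ2YTctOWM1NS00MGFkLThmYmYtYWYyMDVkNTQ5NGFkOjMwODc1NTVlLTBhMWMtNGFhOC1iMzI2LTY4MmM3YmYyNzZlOQ=="
SAMPLE_CODE = "ey2dj3nd.AAAA39djasd3.dkn4449d21d"
GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

def basic_header(integration_key, secret):
    """Authorization value for /oauth/token: standard base64 of key:secret, padding kept."""
    raw = (integration_key + ":" + secret).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def lint_token_request(headers, body):
    """Return the list of problems found (an empty list means the request looks right)."""
    problems = []
    h = {k.lower(): v for k, v in headers.items()}
    ct = h.get("content-type", "")
    if ct != FORM:                       # "...-urlencode" and "...-URIencoded" both land here
        problems.append("Content-Type is %r, must be exactly %r" % (ct, FORM))
    auth = h.get("authorization", "")
    if not auth.startswith("Basic "):
        problems.append("Authorization must start with 'Basic '")
    else:
        b64 = auth[len("Basic "):]
        if b64 == SAMPLE_BASIC:
            problems.append("Authorization is the documentation sample key:secret")
        try:
            if len(b64) % 4 or "-" in b64 or "_" in b64:   # base64url or stripped '=' padding
                raise ValueError("not standard padded base64")
            key, _, sec = base64.b64decode(b64, validate=True).decode("utf-8").partition(":")
            if not (GUID.match(key) and GUID.match(sec)):   # assumes GUID-shaped key and secret
                problems.append("decoded Authorization is not integrationKey:secret")
        except (ValueError, UnicodeDecodeError) as exc:
            problems.append("Authorization is not decodable base64 (%s)" % exc)
    if body != body.strip():
        problems.append("body has leading or trailing whitespace")
    fields = dict(p.split("=", 1) for p in body.strip().split("&") if "=" in p)
    if fields.get("grant_type") != "authorization_code":
        problems.append("grant_type must be authorization_code")
    code = fields.get("code", "")
    if not code:
        problems.append("code is missing")
    elif code == SAMPLE_CODE:
        problems.append("code is the documentation sample code")
    if "state" in fields:                 # state was glued onto the code before posting
        problems.append("state belongs to the /oauth/auth callback, not the token body")
    return problems
```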

CSRF protection with custom form

I created a custom form in the app and set its action to a URL that is mapped by one of my RestControllers. I send the form and get the following error message in my browser:
Your request cannot be processed
Sorry, an error has occurred.
Status: Forbidden (Forbidden)
Message: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
I took a look in chrome dev tools at the request itself and in the headers I found this:
Cookie:visited=yes; NG_TRANSLATE_LANG_KEY=%22en%22; tmhDynamicLocale.locale=%22en%22; JSESSIONID=FB0F8F19DE9B17AE4038C0149A81D829; SPRING_SECURITY_REMEMBER_ME_COOKIE=NEY5SnBQMUExcForNWFuUzVJbWlpdz09OmErQkE0bWZhbURubzFDamd5ckNJUUE9PQ; CSRF-TOKEN=ab678757-2326-4ebe-99e5-c97c1372fc9a
Does this mean that the request got a CSRF token but with the wrong name, or is this something else entirely? How can I insert the correct CSRF token into a form, or rather, how should it get there automatically?
If you just want to see your form working, you can disable CSRF protection for the form URL. Just add an entry in web.ignoring().
On SecurityConfiguration.java, find the configure method and add an entry like this:
web.ignoring()
.antMatchers("/api/yoururl/**")
.antMatchers("/scripts/**/*.{js,html}")
.antMatchers("/bower_components/**")
.antMatchers("/i18n/**")
.antMatchers("/assets/**")
.antMatchers("/swagger-ui/**")
.antMatchers("/test/**")
.antMatchers("/console/**");
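The error in the question says exactly what was missing: the CSRF-TOKEN cookie arrived, but nothing in the form repeated its value as a _csrf parameter or X-CSRF-TOKEN header, so the filter saw 'null'. The following is an added example, not Spring Security's or the project's code: a simplified model of the cookie double-submit check, run over the request from the question (its Cookie header, with a constructed form body) and over the two request shapes that pass.

```python
import hmac
from urllib.parse import parse_qs

COOKIE_NAME, PARAM_NAME, HEADER_NAME = "CSRF-TOKEN", "_csrf", "X-CSRF-TOKEN"

# Cookie line copied from the question; Content-Type and form body are constructed.
QUESTION_HEADERS = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Cookie": "visited=yes; NG_TRANSLATE_LANG_KEY=%22en%22; tmhDynamicLocale.locale=%22en%22; "
              "JSESSIONID=FB0F8F19DE9B17AE4038C0149A81D829; "
              "SPRING_SECURITY_REMEMBER_ME_COOKIE=NEY5SnBQMUExcForNWFuUzVJbWlpdz09OmErQkE0bWZhbURubzFDamd5ckNJUUE9PQ; "
              "CSRF-TOKEN=ab678757-2326-4ebe-99e5-c97c1372fc9a",
}
QUESTION_BODY = "name=demo&value=1"

def cookies(header_value):
    """Parse a Cookie request header into a dict (last occurrence of a name wins)."""
    out = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out

def csrf_check(headers, body=""):
    """Model of the double-submit check: the token in the CSRF-TOKEN cookie must be
    repeated in the _csrf form field or the X-CSRF-TOKEN header. Returns (ok, message)."""
    h = {k.lower(): v for k, v in headers.items()}
    expected = cookies(h.get("cookie", "")).get(COOKIE_NAME)
    if expected is None:
        return False, "no CSRF-TOKEN cookie: the repository has not issued a token yet"
    # The cookie alone proves nothing: a browser attaches it to a cross-site POST as well.
    actual = h.get(HEADER_NAME.lower())
    if actual is None and h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        actual = parse_qs(body).get(PARAM_NAME, [None])[0]
    if actual is None:
        return False, ("Invalid CSRF Token 'null' was found on the request parameter "
                       "'%s' or header '%s'." % (PARAM_NAME, HEADER_NAME))
    if not hmac.compare_digest(actual, expected):
        return False, "Invalid CSRF Token '%s' was found on the request." % actual
    return True, "token matches"

def with_csrf_field(headers, body):
    """What the custom form must do: copy the cookie's token into a hidden _csrf field
    (an AJAX client does the equivalent by sending it in the X-CSRF-TOKEN header)."""
    token = cookies(headers.get("Cookie", "")).get(COOKIE_NAME)
    if token is None:
        raise ValueError("load a page first so the CSRF-TOKEN cookie exists")
    return body + ("&" if body else "") + "%s=%s" % (PARAM_NAME, token)
```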
