I tried to generate access token through api but I am unable to get code I tried to generate through the apis
Unable to generate access token
GET https://account-d.docusign.com/oauth/auth? response_type=code &scope=signature &client_id={CLIENT_ID} &state=a39fh23hnf23 &redirect_uri={REDIRECT_URI}
POST https://account-d.docusign.com/oauth/token
Content-Type: application/x-www-form-urlencoded Authorization: Basic
BASE64_COMBINATION_OF_INTEGRATOR_AND_SECRET_KEYS
grant_type=authorization_code&authorization_code=YOUR_AUTHORIZATION_CODE
But I received the following response
{
"error": "invalid_grant"
}
Could be any of a number of issues. Did you receive back an authorization_code? Did you use the authorization_code in less than two minutes (it's time limited).
There are other potential issues too. Google for "docusign invalid_grant"
Did you properly create and encode the BASIC authorization field?
For the best results I recommend that you use an OAuth Authorization Code Grant client library. They exist for most every web stack / language.
Related
I have an API that uses Azure AD to provide access to resources. It has one scope api://{client_id}/Api.Read and following API permissions:
User.Read.All,
User.Read.
When I receive an access token from the AD it has only one aud - {client_id} and when I try to access Microsoft graph (e.g. https://graph.microsoft.com/v1.0/me) I get "Access token validation failure. Invalid audience." response as expected.
My question is - Is it possible to access both graph API and my API using one token and how do it?
I am exchanging current token to a "proper" token using on-behalf-of call: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
Basically, you just make the following call (copied from the link above):
POST /oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com/<YOUR_TENANT>
Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&requested_token_use=on_behalf_of
&client_id=<YOUR_CLIENT_ID>
&client_secret=<YOUR_CLIENT_SECRET>
&assertion=<YOUR_CURRENT_TOKEN>
&scope=<YOUR_NEW_SCOPES>
The response contains the new token to access the resources that are requested in the scopes. My scenario is not exactly yours, but I think this should work for your case as well. You need to make this call server-side.
This assumes that the user has already consented that your app is okay to use <YOUR_NEW_SCOPES>, or otherwise this call will result in "interaction_required" or "invalid_grant" error (something like this, don't remember the exact error name) that basically means you need to raise UI prompt for the user to agree to the new scopes (how to do that is another question)
I got this error trying to get an auth token from Sharepoint REST api. My SP is cloud based and I am using Postman to test the requests, as a previous attempt similarly ran into a dead end when much troubleshooting back and forth with Msoft lead no where .. Anyway, I have the following error and I was wondering if anyone could help me figure out what it is or how I can troubleshoot this issue.
error_description: "AADSTS50169: The realm 'realm' is not a configured realm of the current service namespace"
error_codes : 50169
I followed this tutorial
Thanks!
Edit: I went through and started again, this tut seems to be working I guess I may have missed a step (my guess is I didn't correctly configure the app permissions with xml when creating the app)
To do authorization of SharePoint online and use REST API via Postman, here is a solution for your reference:
First: get security Token
Access [https://login.microsoftonline.com/extSTS.srf] via Http Post method. The content of the http request is as follows.
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
utility-1.0.xsd">
<s:Header>
<a:Action
s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://login.microsoftonline.com/extSTS.srf</a:To>
<o:Security s:mustUnderstand="1"
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:UsernameToken>
<o:Username>[username]</o:Username>
<o:Password>[password]</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<a:EndpointReference>
<a:Address>[endpoint]</a:Address>
</a:EndpointReference>
</wsp:AppliesTo>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>
The demonstration screenshot in Postman:
And the response content will include a security token as below, we can use this security token to get Access Token of SharePoint.
Second: get Access Token
Here i show you how to get access token of SharePoint online using the security token and SharePoint Rest API.
Access [https://yourdomain.sharepoint.com/_forms/default.aspx?wa=wsignin1.0] via http Post method. The content of the request is the security token that we have got above as below.
And the response as below:
We can see that there are two cookie, rtFa and FedAuth in response header, and these two cookie need to be added to the request in subsequent request.
Third: get Request Digest
Access [https://yourdomain.sharepoint.com/_api/contextinfo] via http Post method with that two cookies which we have got above.
And the response as below:
This is the final Token we want!
Then we can use REST API of SharePoint, we only need to add this token and the previous two cookie, as shown in the following figure.
I am implementing Oauth 2 authentication for Office 365 account in a java based server side application. After reading the documentation, I have done the following things:
I have office 365 subscription.
I have created an app in Azure
Actve directory, that is necessary to authenticate web app using
office 365 account.
I have client ID and secret. I have also
given all permission to the Azure app.
I am requesting authorization code using the Url:
https://login.microsoftonline.com/common/oauth2/authorize?client_id={client_id}&response_type=code&redirect_uri={redirect url}&response_mode=query
As a response of this, I am getting authorization code as expected:
http://localhost:8080?code={authorication code}&session_state=259479e4-84aa-42ea-91e9-9e919cc99587
Now I need to get token along with the user name (user ID from which the user in logged in), as I need the user name for further processing. For this, I am using the method described here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-oauth-code/
That is using a POST request like this:
POST /{tenant}/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=2d4d11a2-f814-46a7-890a-274a72a7309e
&code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrqqf_ZT_p5uEAEJJ_nZ3UmphWygRNy2C3jJ239gV_DBnZ2syeg95Ki-374WHUP-i3yIhv5i-7KU2CEoPXwURQp6IVYMw-DjAOzn7C3JCu5wpngXmbZKtJdWmiBzHpcO2aICJPu1KvJrDLDP20chJBXzVYJtkfjviLNNW7l7Y3ydcHDsBRKZc3GuMQanmcghXPyoDg41g8XbwPudVh7uCmUponBQpIhbuffFP_tbV8SNzsPoFz9CLpBCZagJVXeqWoYMPe2dSsPiLO9Alf_YIe5zpi-zY4C3aLw5g9at35eZTfNd0gBRpR5ojkMIcZZ6IgAA
&redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2F
&resource=https%3A%2F%2Fservice.contoso.com%2F
&client_secret=p#ssw0rd
Now the problem is that, when ever I send this post request, I always get error with error code some times 400 or 402 etc. I also user POST man in chrome to check the response of the call. It always return error like that:
{
"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID. Send an interactive authorization request for this user and resource.\r\nTrace ID: b834315e-ccb3-4533-b7c9-4af7b34054b9\r\nCorrelation ID: 784f18da-5479-4b69-b939-0067abfcc460\r\nTimestamp: 2016-08-02 07:28:22Z",
"error_codes": [
65001
],
"timestamp": "2016-08-02 07:28:22Z",
"trace_id": "b834315e-ccb3-4533-b7c9-4af7b34054b9",
"correlation_id": "784f18da-5479-4b69-b939-0067abfcc460"
}
(Note: I have registered all the apps using administrator login)
I have tried a lot to find out whats is going wrong here. I have added multiple apps in Azure Active directory but I am always getting similar response.
I request professionals to help me. . . ! Actually I want to allow user to click on a button in office 365 web add-in and use oauth2 authentication to login to our system. It will be great in somebody suggest me some good tutorial to successfully implement this.
If you were requesting the access token for the Office 365, the resource parameter in the send request should be https%3A%2F%2Foutlook.office.com.
And also you can use the Microsoft Graph as Philip suggested. You can refer here about how to choose the endpoint.
Receiving the error codes "interaction_required" or "invalid_grant" error codes means there is an issue with the "Refresh token" and it advised to:
Discard current refresh token
Request new authorization code
I'm using Ember.js and Node. I already have json web token based authentication set up and am now trying to use LinkedIn's REST API to get information for my user profiles.
I'm able to redirect my users to the LinkedIn authorization code endpoint (Step 2 in this guide: https://developer.linkedin.com/docs/oauth2), but I'm getting stuck on Step 3 (Exchange Authorization Code for Access Token). When I make the POST request with the correct parameters, I get a 401 unauthorized_client error no matter how I try and make the request.
I'm making the request directly from my Node server, and using the request module. I've tried including the params as query params, and as part of the body. I've tried adjusting the headers and the url encoding but nothing seems to change the 401 error.
This is the call I need to be making according to the guide:
POST /uas/oauth2/accessToken HTTP/1.1
Host: www.linkedin.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=987654321&redirect_uri=https%3A%2F%2Fwww.myapp.com%2Fauth%2Flinkedin&client_id=123456789&client_secret=shhdonottell
This should not happen if you are POSTing the correct parameters. You can rather try it with an alternative way. With the authorization code you received in Step 2, use request based service like POSTMAN and try getting the response again. If you get it using that it means there has been some error while you are making the request.
Make sure to properly provide the headers.
Even after the POSTMAN service if you get an unauthorized response, confirm your client_id and client_secret.
Please note that for 2-legged authentication, the grant_type should always be "client_credentials". Also, you only need to supply the client_id and client_secret as parameters, nothing more. See the sample in the LinkedIn documentation. It looks like you try to do a 3-legged authentication request.
I am currently looking for a way to secure a REST API using token based authentication. I am developing the API in Python using Flask and have discovered the flask-security extension which seems to have a lot of interesting features.
One of the features mentioned in the documentation is Token Authentication.
According to the documentation:
Token based authentication is enabled by retrieving the user auth
token by performing an HTTP POST with the authentication details as
JSON data against the authentication endpoint. A successful call to
this endpoint will return the user’s ID and their authentication
token. This token can be used in subsequent requests to protected
resources.
I am however still a bit confused on how to implement this feature using flask-security.
Some online research has led me to using things such as #auth_token_required but I am having some trouble to put everything together. The flask-security documentation itself is not very helpful.
For example, how can a user get an authentication token? what is the authentication endpoints?
It would be great if you could lead me in the right direction. Code examples would be awesome too :-)
Endpoint is /login, you post your credentials as json request body:
{'email':'john#smit.com', 'password':'1234'}
However for this to work you need to disable the csrf tokens in your flask app (thanks Mandar Vaze):
app.config['WTF_CSRF_ENABLED'] = False
Then you do each request with the token in the HTTP headers:
Authentication-Token:WyI1NTE1MjhmNDMxY2Q3NTEwOTQxY2ZhYTgiLCI2Yjc4NTA4MzBlYzM0Y2NhZTdjZjIxNzlmZjhiNTA5ZSJd.B_bF8g.t1oUMxHr_fQfRUAF4aLpn2zjja0
Or as query string:
http://localhost:5000/protected?auth_token=WyI1NTE1MjhmNDMxY2Q3NTEwOTQxY2ZhYTgiLCI2Yjc4NTA4MzBlYzM0Y2NhZTdjZjIxNzlmZjhiNTA5ZSJd.B_bF8g.t1oUMxHr_fQfRUAF4aLpn2zjja0
Client example in python 3:
import requests
import json
#do the login
r = requests.post('http://localhost:5000/login',
data=json.dumps({'email':'john#smit.com', 'password':'1234'}),
headers={'content-type': 'application/json'})
response = r.json()
print(response) #check response
token = response['response']['user']['authentication_token'] #set token value
#Now you can do authorised calls
r = requests.get('http://localhost:5000/protected',
headers={'Authentication-Token': token})
print(r.text)
Angular example snippet to obtain the token:
$http.post('/login', {"email": $scope.formdata.login,"password":$scope.formdata.password}).
success(function(results) {
$window.sessionStorage.token = results.response.user.authentication_token;
});
Angular example snippet to visit protected pages:
if ($window.sessionStorage.getItem('token')) {
config.headers['Authentication-Token'] = $window.sessionStorage.getItem('token');
}
I found Flask-Security's token-based not a good candidate for my project. I recommend using JWT token instead.
The problems with Flask-Security's token based authentication.
Need to disable CSRF globally, this is not good when you also have a traditional web application in which CSRF token is desirable
No easy way to renew the token ( without submitting password again )
Can not control the payload of the token, there's no API to put/get data to/from the token
That token, by design, only works with one Flask app. So if your frontend app needs to talk with multiple restful apis, this wont work well
Check out JWT (pyjwt or flask-jwt) token, it solves all the above problems and more.
Authentication endpoint is /login
Look at the code of flask-security here specifically views.py: _render_json()
login() calls _render_json which in turn calls get_auth_token() - and returns the auth token.
Problem (for me) is to get this to work.
For me request.json seems empty (hence this does not work)
{"email": "test#example.com", "password": "test123"}
Hopefully this helps you move forward a little.