I am trying to get the refereh_token, access_token using Google Auth Exchange Code, went through the documentation but it doesn't work, I am using a react-google-login for Auth and getting the code in response and i am passing the code
https://accounts.google.com/o/oauth2/token but its giving error
{
"error": "invalid_grant",
"error_description": "Bad Request"
}
i have tried lots of ways
code=4%2FKxoYTS-jeq5-d6Lv7YvSz9ZrK0pJ_5lZsMExzNC1M0o&redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&client_id=407408718192.apps.googleusercontent.com&client_secret=************&scope=&grant_type=authorization_code
frontend is reactjs and backend is nodejs..
To get the ACCESS token using referesh token you have to call a api which will give you a new access token
call a POST APi https://www.googleapis.com/oauth2/v4/token
pass the body as x-www-form-urlencoded i.e
Header as
Content-Type : application/x-www-form-urlencoded
Body
client_secret : 'xxxxxxxxxxxxdxxxxxSSd'<YourClientSecret>
grant_type : refresh_token'
refresh_token : '1/DDPkddk514451xxxxxxxx' <YourRefreshToken>
client_id : 'xxxxxxxxxxxxxxx' <YourClientID>
for more reference you can read this https://developers.google.com/identity/protocols/OAuth2WebServer
Related
Postman headers I'm using secret keys to generate an access token that I will use to authenticate for an API that I call. The issue is that I'm getting the error:
status code was: 401, expected: 200
WWW-Authenticate: Bearer error="invalid_token", error_description="The audience value is invalid"
This is how I call the API
Given url `https://login.microsoftonline.com/tenant_id/oauth2/token`
And form field grant_type = `client_credentials`
And form field client_id = `value`
And form field client_secret = `value`
When method post
Then status 200
match response.access_token != null
def access_token = response.access_token
print access_token
Given header Authorization = 'Bearer ' + access_token
Given url 'url'
And header accept = `plain/text`
And header 'X-Mimic-User' = `confidential`
When method GET
Then status 200
I'm expecting to the authenticated to the API with the generated access token.
So it appears your error may be related to the Authorization header, although the error description is hard to decipher, possibly scope related? I would list the URL first, not the header, unless you are re-using it, and want to configure the value for subsequent requests. Another way of setting the Bearer token is:
And match response.access_token == '#present'
* def oauthToken = `Bearer ${response.access_token}`
But really the most important thing is for you to check your request, including headers and compare it between Karate and Postman to see what is different.
From what I see in the error description, the first API call made towards your auth provider is returning a 200 with an access token. but the second call you are making to your application server seems to be failing to see the audience value in your access token.
I doubt you are using the same client credentials input (client_id, client_secret) in your postman and karate setup. Make sure they are the same.
I would also confirm if the access token received is having the aud parameter by checking it in https://jwt.io or any other tool you trust to decode your access token JWT. for the sake of experimentation do the same for the access token you got from postman as well.
Ideally, these configurations are very internal to your application and identity team and may not be directly related to karate. The other teams mentioned should be the ones best to guide you.
I am working a POC to verify the migration of our Signup & Signup flow to Azure AD B2C. I have successfully called the API authorize to get the access token and id token. Then I tried to call /token to refresh the token according to document , however I got the error message below.
AADB2C90090: The provided JWE is not a valid 5 segment token.\r\nCorrelation ID: ae943eb7-9290-4fd5-aeac-d56411d803c7\r\nTimestamp: 2022-10-26 07:13:40Z\r\n
Following is the url I used to get access token in Browser.
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_signupsignin1&client_id=7adbb5f8-17d2-4dfa-94cd-5ab1cbc9f425&nonce=defaultNonce&redirect_uri=https://jwt.ms&scope=openid offline_access&response_type=code+id_token&prompt=login
Following is the screenshot I used to call token API in Postman.
POST /{tenant}.onmicrosoft.com/B2C_1_signupsignin1/oauth2/v2.0/token HTTP/1.1
Host: {tenant}.b2clogin.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 1971
grant_type=authorization_code&client_id=7adbb5f8-17d2-4dfa-94cd-5ab1cbc9f425&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ..n8murSwIYYseViQm.WluJ_gU8aUQd1PPadPik4ODSso4KpKAu8geA5NmAlkbieJPVZb30MJSHGOiUsrxfwu4BoV69bshD7URJeVNFzfqPsCjBhpYDyeL8x0uUZIJwDQ7DTiflw8A4LbYf-SzjluqbfSqDwQFGyQvKesgsrnZzyxg9AnLiL1NoBW27Kd3ZcX3i1BHKr8c--qOyxbz8DtUyIzkJGcOq79wIQZRnDCr1_xPo6EhzOi59TlEIfJhzR4qfgLm3tlgK8zDaUY5Zf3a89olfkmpvrjS84vsfDyyWM4UZe_6MpymNQFe-6Q-fJRmWqdmqdvljaDykP2ZSZJS6jHkdmU9t9aYCTWPB4JgnN1PleQDzRK-MR9WPJ5ULoxmp2VOZ_YFdY94MOGEW8c_IeNGVuPRRC8jXEaQnEWA_3Fs5tzuNe4UjQUxRTTjNeZERb1MHFPk2YGZRc4CshvqvobuGQ2fVNKFHA8JvW9Qt6Xibw0gfY8D0tTZuOP6IxPwhFSWXa5nX4j_lDeFFxhTKA38CALXQ1FVWvHZmzYhB_yMYq44jdG46lpQYB4rV9CFIBvFzJ940EPH6LpOPAnLQzLNm6zqtsVKUoB49dXE2hapIbD5LHsoNoZYeQhu8qJdhxg.8PfqgqgrubNchCs9OxHQQA%26id_token%3DeyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrNHh5b2pORnVtMWtsMll0djhkbE5QNC1jNTdkTzZRR1RWQndhTmsifQ.eyJleHAiOjE2NjY3NzE0MDUsIm5iZiI6MTY2Njc2NzgwNSwidmVyIjoiMS4wIiwiaXNzIjoiaHR0cHM6Ly9iZW5ueXpob3UuYjJjbG9naW4uY29tLzUzYjRjYmY0LWU1NDYtNDU2ZS04ZTI0LTlhM2RlOGQ3ZTljYy92Mi4wLyIsInN1YiI6ImUyN2YwZGU0LTMxODItNDZlYi1iMjYzLTdkMThkOGY4OWE1OCIsImF1ZCI6IjdhZGJiNWY4LTE3ZDItNGRmYS05NGNkLTVhYjFjYmM5ZjQxNSIsIm5vbmNlIjoiZGVmYXVsdE5vbmNlIiwiaWF0IjoxNjY2NzY3ODA1LCJhdXRoX3RpbWUiOjE2NjY3Njc4MDUsIm9pZCI6ImUyN2YwZGU0LTMxODItNDZlYi1iMjYzLTdkMThkOGY4OWE1OCIsImNvdW50cnkiOiJDaGluYSIsIm5hbWUiOiJLYXJsYSIsImVtYWlscyI6WyJrYXJsYS56aGFuZ0BtYWlzY3JtLmNvbSJdLCJ0ZnAiOiJCMkNfMV9zaWdudXBzaWduaW4xIiwiY19oYXNoIjoiOU1Oc2k5b05KQzZYWjRVSkFvS0N6dyJ9.RckgULrCBdXzw-7-VYgmB7k0Ghfg1jRMsJF8_1oxLbNXTOcZDe9grbJKcpWoesHp5L5_bVfAa1HQOFzMlmPwPPvM0a2yl1zT8UQzJ_a8W4EHkA4Ao3Xt3osbjoBhRh65Nu4fCVGHswPgxZNAR_N7jr4pR6Pf4PllmKpne-bw7onz_HjpT4ulyyq8jNZye3YokPZh0ha9LaV_19NiwfnVAR451lqfugKs2DWfseXbyGlOnjFCl_UHQDOxa1_ZUTmvF1JUgff2VAOmW2925RMQopzfDjCUEvwZMLr8pKTystErvUR6a8itRAKIFwbfEh3en8PqBun9T89-5qKmmN4NTQ&client_secret=h888Q~Jlg97L2ngl6GHpaKqS6FmkLygeTVY7Eb-h
I tried to search the error message but only get two discussion threads in Stackoverflow, however no useful info found.
https://stackoverflow.com/search?q=AADB2C90090%3A+The+provided+JWE+is+not+a+valid+5+segment+token.
I tried to reproduce the same in my environment and got the same error as below:
To generate the access token, ID token and code in the browser I used the below parameters:
GET https://Tenant.b2clogin.com/Tenant.onmicrosoft.com/B2C_1_testuserflow/oauth2/v2.0/authorize?
client_id=37cd7fca-ea8f-4300-XXXX-XXXXXXXXXX
&response_type=code+id_token
&redirect_uri=https://jwt.ms
&response_mode=fragment
&scope=openid
&state=12345
The error usually occurs if you pass invalid code value. To resolve the error, make sure to copy only the code value not with id token.
I am able to call /token to refresh the token successfully like below:
I am using the gmail API and I'm trying to do a POST request for the watch user endpoint ( https://developers.google.com/gmail/api/reference/rest/v1/users/watch ).
I'm doing it on postman by usnig this URL which I need and inside of headers I add the auth and it's code.
POST REQUEST TO
https://www.googleapis.com/gmail/v1/users/me/watch
Headers:
Authorization: Bearer secretcode
By sending this request, I'm getting an error of 401 which says "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential.
From last couple of weeks we have few clients complaining that our app is auto revoking Office365 oauth every 1 hour. This is the typical behiviour as access token have validity of 1 hour, so our app is designed to auto refresh the access token using refresh token captured during oauth.
This seems to be not working for atleast few customers from last few weeks. Below exception is thrown back by Office365 token api - https://login.windows.net/common/oauth2/token
{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 7f80c2c3-41bc-41bd-8304-b56969c83a00\r\nCorrelation ID: 5a08714a-1e7d-4f32-814d-146bc721e8ab\r\nTimestamp: 2020-10-12 05:42:11Z","error_codes":[9002313],"timestamp":"2020-10-12 05:42:11Z","trace_id":"7f80c2c3-41bc-41bd-8304-b56969c83a00","correlation_id":"5a08714a-1e7d-4f32-814d-146bc721e8ab","error_uri":"https://login.windows.net/error?code=9002313"}
Here, the error code '9002313' states there is some issue related to auth parameters especially 'client_id' of our azure app. (reference)
Below data is sent to fetch new access token
client_id (related to azure app)
client_secret (related to azure app)
grant_type = 'refresh_token'
refresh_token
Edit 1: Update token endpoint to v2.0
Request URI
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Request Body
client_id=<client-id> &scope=https://outlook.office365.com/Calendars.ReadWrite https://outlook.office365.com/Contacts.ReadWrite https://outlook.office365.com/Mail.ReadWrite &refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq... &grant_type=refresh_token &client_secret=<client-secret>
Reponse Body
{"error":"invalid_grant","error_description":"AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 4447c69e-09d6-4a00-8dfe-735106d71200\r\nCorrelation ID: 1820e135-a511-4516-99d9-b6cebb342eb2\r\nTimestamp: 2020-10-13 03:39:37Z","error_codes":[9002313],"timestamp":"2020-10-13 03:39:37Z","trace_id":"4447c69e-09d6-4a00-8dfe-735106d71200","correlation_id":"1820e135-a511-4516-99d9-b6cebb342eb2","error_uri":"https://login.microsoftonline.com/error?code=9002313"}
Your authority is old and you missed the scope in the request body(if use the v2.0 endpoint), if you want to get a new access token for O365 with the refresh token, use the sample request below.
Request url:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Request body:
client_id=<client-id>
&scope=https://outlook.office365.com/.default
&refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
&grant_type=refresh_token
&client_secret=<client-secret>
For more details, refer to the doc - Refresh the access token.
Update:
I test it for you, it works on my side. Make sure you also get the refresh token with the v2.0 endpoint, see here.
The permissions for my app:
Test to get a new access token in the postman after getting the refresh token.
I am trying POST method from postman for Step 2 of Auth Code Flow.
But, I am getting the response as-
{
"error": "invalid_request",
"error_description": "missing required parameter(s). (grant_type)"
}
I have already provided the grant_type as authorization_code.
Not able to figure out what is the problem.
Screenshot of Postman request attached along.
It should be:
grant_type=authorization_code
You can review the docs here:
https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type