I have two separate Google App Engine projects (let's call them projects A and B) that I'm using Oauth2 to validate users for. For each project, I generated its own Oauth 2.0 Client ID.
So for project B, attempting to verify my Oauth2 token yields a value error. From what I can tell, for some reason it's expecting the ClientID from project A. Using project A's Client ID actually makes everything work as expected, which seems weird.
I'm using Python3.5 for this project and trying to use to deploy a webpage using Flask, if that helps anything.
Error Code: (keys redacted)
Token has wrong audience <Client ID A>, expected <Client ID B>
Code for verifying token:
from google.oauth2 import id_token
from google.auth.transport import requests as goog_requests
from flask import Flask, render_template, request
...
# Verify and get info for the user's ID token.
# This is where the error gets thrown
idinfo = id_token.verify_oauth2_token(
request.headers.get('X-id-token'),
goog_requests.Request(),
CLIENT_ID
)
Additional info - as I'd expect with that error code, the UI for loging in indicates that I'm trying to login to project A as well. I'm also wondering if this has anything to do with my google sdk cli configuration. I tried resetting my default project to project B but that didn't change anything.
Any help is greatly appreciated!
I'm dumb. I didn't change the sign-in object(?) in my HTML to match the new Client ID. I had to change
<meta name="google-signin-client-id" content="CLIENT_ID">
to the new client ID.
Related
I've cloned https://github.com/ananay/passport-apple-example and replaced the config with this:
clientID: "com.myname.web",
teamID: "myteamid",
callbackURL: "https://myurldev.com/auth/apple/redirect",
keyID: "mykeyid",
privateKeyLocation: path.join(__dirname, "../apple-key.p8")
I've also added SSL certificate on my machine and starting the server with https, all works fine & is recognized by my browser. I'm also starting the app on port 443 and proxying using my hosts file myurl.dev.com -> 127.0.0.1.
I have the same auth setup for facebook, google & microsoft and everything works fine.
I have:
Created a new APP identifier and enabled Sign in with Apple for it, named it: com.myname.dev
Created a new SERVICE identifier and enabled Sign in with apple, called it: com.myname.web
Added "https://myurldev.com/auth/apple/redirect" to the "Reply URLS" on the service identifier com.myname.web
Set my app identifier com.myname.dev as the main app identifier my service to be grouped with.
Created a private key and enabled sign in with apple, interface confirmed the presence of grouped ID com.myname.web bundled with com.myname.dev for which the key was created.
I have confirmed using console.log that the private key is indeed at the path being passed as parameter.
converted the .p8 file to base64 & then back to UTF-8 in an attempt to use the string for privateKeyString
successfully implemented Apple Oauth several times in the past using passport-apple
This time around, for some reason, auth simply doesn't work.
If I set the clientID as the APP identifier, not the service, I'm getting
invalid_request
Invalid web redirect url.
instead of invalid_client
Any advice on debugging this is highly appreciated. Thank you.
EDIT #1:
I have dug a bit deeper into the passport-apple package to figure out if anything goes against apple's docs around token generation, but the flow never reaches that part, indicating things go wrong on the actual configuration in Apple's console & what I'm trying to use for my project.
EDIT #2
2 of the app Ids I have created always throw "wrong redirect uri" because they're not service IDs so I can't configure redirect_uri, this will change if to "required" if I pass undefined as a redirect_uri.
One of the app ids throws only invalid client_id instead, regardless if I pass undefined or good value for redirect_uri.
EDIT #3
Went full vanilla through the OAuth code flow process and just created a url & redirected the user it, failing with this method is consistent with what is happening when using the passport-apple module.
const url = new URL("https://appleid.apple.com/auth/authorize");
url.searchParams.append("state", "fdbd287b1f");
url.searchParams.append("response_type", "code");
url.searchParams.append("scope", "name email");
url.searchParams.append("response_mode", "form_post");
url.searchParams.append(
"redirect_uri",
"https://raiseitupdev.com/auth/apple/redirect",
);
url.searchParams.append("client_id", "com.myname.web");
return res.redirect(url.toString());
[Creator of the library here.]
Did it stop working in development too? I feel this is a configuration error because the actual thing is working live on my website:
https://passport-apple.ananay.dev
Please follow up on this Github issue. Thanks!
https://github.com/ananay/passport-apple/issues/23
I am trying to access the Youtube API via python so that I can insert videos into a playlist. To do so I have to use oauth2 to authorize myself. I have looked up many guides and videos and followed their instructions step by step but I always get the same result, saying Error 400: redirect_uri_mismatch
The code that I am using is
from google_auth_oauthlib.flow import InstalledAppFlow
flow = InstalledAppFlow.from_client_secrets_file("client_secrets.json", scopes=['https://www.googleapis.com/auth/youtube.force-ssl'])
flow.run_local_server(port=8080, prompt='consent')
credentials = flow.credentials
print(credentials.to_json())
I have also tried
from google_auth_oauthlib.flow import InstalledAppFlow
flow = InstalledAppFlow.from_client_secrets_file("client_secrets.json", scopes=['https://www.googleapis.com/auth/youtube.force-ssl'])
flow.run_console()
credentials = flow.credentials
print(credentials.to_json())
I understand that this occurs when there is a mismatch between the redirect_uri on the request side and what is listed in the console. But I have triple checked that on https://console.developers.google.com/ I have the redirect URI to be http://localhost.com:8080 and have checked to make sure that my client_secrets.json file reflects the same. I have set my JavaScript origins to also be http://localhost.com:8080. I have set my oauth clientID to be a web application as I am running this in pycharm. However, whenever I run my code I get the same error saying The redirect URI in the request, http://localhost:8080/, does not match the ones authorized for the OAuth client. To update the authorized redirect URIs, visit: https://console.developers.google.com/apis/credentials/oauthclient/${your_client_id}?project=${your_project_number}
I have looked at the other questions on stackOverflow and have tried the solutions that were suggested but none of them have worked. I have no idea why I cannot get authorization and desperately need help
i made a Discord bot which was working just fine until recently; since yesterday it's refusing to log in (output says invalid token was provided but creating a new token and putting it into code won't work).
The funny part is I actually have two versions of the same bot (deploy and test where the latter is only in one of my servers where i test new functions before implementing them in the deployed version).
Just replacing the token with the "test-bot" one fix the issue and allows me to correctly login (with the wrong bot of course since I'm using bot-test token).
To verify the token i made this very small script:
client.login(botToken).then().catch(reason => {
console.log("Login failed: " + reason);
console.log("Token used: " + botToken);
}); //login in discord
This allows me, in case of failed login to have similiar output:
Login failed: Error [TOKEN_INVALID]: An invalid token was provided.
Token used: NjAxMzc3Mzg3NDgwODc1MDE4.Xr5Cyg.xhX3QYqk0prPC7y3KS0yc5JA02U
Here you can see a screenshot from discord bot page where you can double-check the token used IS correct (the token now has been reset so this one won't be valid anymore)
I can tell the import method of the token (it's imported from another file) works fine (bot.js can see it and what i actually do when I change version is commenting/decommenting 2 lines of code (containing token and client ID which is used by a bot function).
Additional info:
I'm using Discord 12 at the moment but the bug started yesterday giving out the same result and I had installed discord 11+ back then.
nodejs version used is 12.16.3
npm version used is 6.14.4
bot is hosted in a VPS running Debian 9
Is anyone able to help with this or encountered similiar error?
Thanks in advance,
I am working with the Spotipy Python library to connect to the Spotify web API. I want to get access to my Spotify's user account via Authorization Code Flow. I am using Python 3.5, Spotipy 2.4.4, Google Chrome 55.0.2883.95 (64-bit) and Mac OS Sierra 10.12.2
First, I went to the Spotify Developer website to register the program to get a Client ID, a Client Secret key and enter a redirect URI (https://www.google.com) on my white-list.
Second, I set the environment variables from terminal:
export SPOTIPY_CLIENT_ID='my_spotify_client_id'
export SPOTIPY_CLIENT_SECRET='my_spotify_client_secret'
export SPOTIPY_REDIRECT_URI='https://www.google.com'
Then I try to run the example code typing 'python3.5 script.py my_username' from terminal. Here is the script:
import sys
import spotipy
import spotipy.util as util
scope = 'user-library-read'
if len(sys.argv) > 1:
username = sys.argv[1]
else:
print "Usage: %s username" % (sys.argv[0],)
sys.exit()
token = util.prompt_for_user_token(username, scope)
if token:
sp = spotipy.Spotify(auth=token)
results = sp.current_user_saved_tracks()
for item in results['items']:
track = item['track']
print track['name'] + ' - ' + track['artists'][0]['name']
else:
print "Can't get token for", username
When running this code, it takes me to a log in screen on my browser. I enter my Spotify's credential to grant access to my app. But when I finally click on 'log in' (or 'Iniciar sesiĆ³n' in Spanish) nothing happens. I tried to log in with my Facebook account but it does not work either. It seems that I get a Bad Request every time that I click on 'log in'. Here is a capture of Chrome:
The process is incomplete because when trying to enter the redirect URI back on terminal I get another Bad Request:
raise SpotifyOauthError(response.reason)
spotipy.oauth2.SpotifyOauthError: Bad Request
I tried to restart my computer, clean my browser cookies, use another different browser but did not work. It seems that I am not the only one having this problem. Is it maybe a bug? Please, avoid answers like "read the documentation of the API going here". Thank you.
Solved it. In order to run the Authorization Code Flow example code provided in the Spotipy's documentation correctly, I specified the redirect URI in line 13 of the example script when calling util.prompt_for_user_token, even when I had done this previously when setting environment variables:
token = util.prompt_for_user_token(username, scope, redirect_uri = 'https://example.com/callback/')
Likewise, do not use https://www.google.com or similar web address as your redirect URI. Instead, try 'https://example.com/callback/' or 'http://localhost/' as suggested here. Do not forget that the redirected URL once you are logged in must have the word code included.
Cheers,
I'm trying to implement a custom authentication in an Azure Mobile App (not the old Mobile Service) with a Node.js backend, with actions I can't quite translate into Node. An earlier question states that custom authentication "just works" with a .NET backend. I am having trouble getting
I have copied Joy of code's example JWT generation (gist here). I invoke it like this (inlining the aud and userId):
zumoJWT(expiry,"MyAud","MyAud:1455527189540927",req.azureMobile.configuration.auth.secret);
My registration API returns the following JSON
{"user":{"userid":"MyAud:1455527189540927"},"token":"a lot of base64"}
Which I put into the Android MobileServiceClient with this code
JsonObject userob=ob.get("user").getAsJsonObject();
MobileServiceUser user=new MobileServiceUser(userob.get("userid").getAsString());
user.setAuthenticationToken(ob.get("token").getAsString());
mClient.setCurrentUser(user);
Which gives me the error message
com.microsoft.windowsazure.mobileservices.MobileServiceException: {"name":"JsonWebTokenError","message":"invalid signature"
The next time I invoke an API. How do I make my app accept the login token?
Edit: The server-side logs say
2016-02-15T11:42:35 PID[180] Warning JWT validation failed: IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
)
',
token: '{"alg":"HS256","typ":"JWT","kid":0}.{"exp":null,"iss":"urn:microsoft:windows-azure:zumo","ver":2,"aud":"MyAud","uid":"MyAud:1455534835642715"}
RawData: a lot of base64'..
I figured it out. I needed to have
mobile.configuration.auth.validateTokens=false;
in app.js (or rather, not have the same variable set to true).