Invalid client response and OneLogin - onelogin

I was configuring an app to use OneLogin with OpenID for authentication, and although at first things were progressing and authentication was working as it should, I started getting some "invalid client" responses like the following:
oops! something went wrong
{
  "error": "invalid_client",
  "error_description": "client is invalid",
  "state": "aCLgxH"
}
This was observed in two different apps with the same clientId/credentials, so there must be something wrong with the specific OneLogin account. I tried creating a new OpenID app with the same account, but I got the same result.
Any ideas/hints on this?

Related

Error 401 (Unauthenticated) when making a request to Google Docs API

I'm trying to request the contents of a Google doc (that I own) using the Google Docs API and the contents would be read to a website. I'm making the following request in Postman:
GET https://docs.googleapis.com/v1/documents/{documentId}?key=API_KEY
where the API_KEY is a key created in Google developer dashboard and is not restricted for now. However, I'm getting the following error:
{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED"
  }
}
I have made the doc public (read access without signing in) and enabled the Docs API in the Google developer dashboard. Further, the dashboard is registering these (failing) requests, so something is going through. The answer is probably in the error message, but to me "or other valid authentication credential" means the API key that I'm already using.
I'm asking for advice on how to make this request successfully without needing to use OAuth or server-side code.
I found a workaround answer to my problem, although it didn't solve the problem with the Docs API. I decided to request the text data from a Google Sheet instead, which works fine with
GET https://sheets.googleapis.com/v4/spreadsheets/documentId?key=API_KEY
when the sheet is public and read-only.
Yes, you can open the doc programmatically using a service account. You need to "share" the doc with the service account email.
Instructions on creating a service account and reading a Google doc: https://www.futurice.com/blog/read-goog-doc-using-service-account

how to authenticate to Azure time series insights query API?

I keep getting an AuthenticationFailed error with an InvalidAuthenticationTokenAudience inner error when attempting to query the /environments endpoint.
I have already created an app in Azure Active Directory, given it access in the Time Series Insights management portal, and I can already get an OAuth 2.0 access token from the auth URL.
I have tried giving the token URL the 'https://api.timeseries.azure.com/' resource/audience/scope, but the API keeps returning the same error message:
{
  "error": {
    "code": "AuthenticationFailed",
    "message": "Server failed to authenticate the request. The token has been obtained from wrong audience or resource.",
    "innerError": {
      "code": "InvalidAuthenticationTokenAudience",
      "message": "The access token has been obtained from wrong audience or resource '00000002-0000-0000-c000-000000000000'. It should exactly match (including forward slash) with one of the allowed audiences 'https://api.timeseries.azure.com/'."
    }
  }
}
I'm using Postman with the OAuth 2.0 authentication type, the Client Credentials grant type and the "Send as Basic Auth header" option for the token request.
Has anyone tried this with success?
Update 01:
The decoded (using JWT as suggested in the comments) payload portion of one of the tokens shows that the aud field is 00000002-0000-0000-c000-000000000000, which is definitely wrong.
Based on the exception, it indicates that the resource is not matching https://api.timeseries.azure.com/ when acquiring the access token.
So please make sure that the resource is https://api.timeseries.azure.com/. For more information, please refer to the screenshot.
Get access token
I tested the Get Environments API, and it works correctly for me.
GET https://api.timeseries.azure.com/environments?api-version=2016-12-12

"Access Token missing or malformed" error while accessing Azure AD Graph API

I have an account on Azure where we run various applications in docker containers.
I would like to connect to Active Directory on this account and be able to manage various aspects such as creating new users, etc.
I found the following API browser:
https://learn.microsoft.com/en-us/rest/api/graphrbac/users/list
Unfortunately, when I log in as a user with admin rights (Global Administrator) and provide the tenant ID, when I call the users/list endpoint I get the following error with a 401 status:
{
  "odata.error": {
    "code": "Authentication_MissingOrMalformed",
    "message": {
      "lang": "en",
      "value": "Access Token missing or malformed."
    },
    "date": "2018-07-20T14:01:24",
    "requestId": "9f070c46-a949-41bf-85c9-f1ccf97975db",
    "values": null
  }
}
What is interesting: if I use any other random endpoint, for example https://learn.microsoft.com/en-us/rest/api/servermanagement/node/list, it works fine. In this case it returns an empty set, but at least it doesn't fail with a strange authentication error.
I can also reproduce the issue that you mentioned if I test the Users - List REST API directly from the site.
https://learn.microsoft.com/en-us/rest/api/graphrbac/Users/List
According to the exception, the root cause of the issue is the token audience. You could check the actual access token at jwt.io.
You will see that the audience is https://management.core.windows.net/. The token that is acquired will work for other Azure services like Web Apps, Compute, Resource Manager, etc., but not for Graph.
You could test it with the Azure AD Graph Explorer, and then it will work for you.
The audience should be https://graph.windows.net
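Both of the Azure threads above (the Time Series Insights one and this Azure AD Graph one) come down to the same check: the aud claim in the token must equal the resource the API expects, exactly, trailing slash included. The following is an added example, not code from either thread; it decodes a token's payload for diagnosis (without verifying the signature, so it must never be used to authorize a request) and reports whether aud matches, flagging the near miss where only a trailing slash differs. The tokens it decodes are constructed inline with a placeholder signature; the audience strings and the '00000002-0000-0000-c000-000000000000' value are the ones quoted in the threads.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT verifying the signature.

    Diagnostic use only (e.g. inspecting a token Postman obtained). An API must
    still validate signature, issuer, audience and expiry before trusting claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(token: str, expected_aud: str, now: Optional[float] = None) -> dict:
    """Report whether the token's 'aud' claim equals expected_aud exactly.

    Azure rejects a token whose audience differs even by a trailing slash, so no
    normalisation is applied; a near miss is reported as a hint instead.
    """
    claims = decode_jwt_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    report = {"aud": aud, "ok": expected_aud in auds, "hint": None, "expired": False}
    if not report["ok"]:
        if any(isinstance(a, str) and a.rstrip("/") == expected_aud.rstrip("/") for a in auds):
            report["hint"] = "audience differs only by a trailing slash; the resource must match exactly"
        elif aud is None:
            report["hint"] = "token carries no aud claim"
        else:
            report["hint"] = f"token was issued for {aud!r}; request it for {expected_aud!r} instead"
    exp = claims.get("exp")
    if exp is not None and (now if now is not None else time.time()) >= exp:
        report["expired"] = True
    return report


def make_unsigned_token(claims: dict) -> str:
    """Build a token-shaped string with a placeholder signature.

    Constructed for this example only; a real token carries the issuer's signature.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


# Audiences quoted in the threads above.
TSI_AUDIENCE = "https://api.timeseries.azure.com/"
AAD_GRAPH_AUDIENCE = "https://graph.windows.net"

# Constructed tokens reproducing the situations described in the threads
# (exp is 2100-01-01 so the samples stay valid for the expiry check).
_FAR_FUTURE = 4102444800
TOKEN_WRONG_DEFAULT_AUD = make_unsigned_token(
    {"aud": "00000002-0000-0000-c000-000000000000", "exp": _FAR_FUTURE})
TOKEN_MISSING_SLASH = make_unsigned_token(
    {"aud": "https://api.timeseries.azure.com", "exp": _FAR_FUTURE})
TOKEN_TSI_OK = make_unsigned_token({"aud": TSI_AUDIENCE, "exp": _FAR_FUTURE})
TOKEN_ARM = make_unsigned_token(
    {"aud": "https://management.core.windows.net/", "exp": _FAR_FUTURE})

if __name__ == "__main__":
    samples = [
        ("wrong default audience", TOKEN_WRONG_DEFAULT_AUD, TSI_AUDIENCE),
        ("missing trailing slash", TOKEN_MISSING_SLASH, TSI_AUDIENCE),
        ("correct TSI token", TOKEN_TSI_OK, TSI_AUDIENCE),
        ("ARM token sent to AAD Graph", TOKEN_ARM, AAD_GRAPH_AUDIENCE),
    ]
    for name, tok, expected in samples:
        print(f"{name}: {check_audience(tok, expected)}")
```

Run it against a real token by pasting the token string into check_audience with the audience the API's error message names; a report with ok set to False and a hint is the same diagnosis the two answers above reached by pasting the token into jwt.io.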

Google calendar push notification : Unauthorized webhook call

Currently we are in the process of developing an iPhone application that deals with Google Calendar. There was a need to sync calendar events to the server side. Everything works fine.
But for push notifications, we are following this process.
Whenever we POST a request to:
https://www.googleapis.com/calendar/v3/calendars/email#gmail.com/events/watch
with parameters
"id":Unique string ( channel id) ,
"type": "web_hook",
"address": "https://abc-api.herokuapp.com/user/notifications"
In the header, we are sending
Authorization: **Bearer 'Access_token'**
and content type: json.
We already added the domain as an authorized domain in the Google API console.
Access_token is the user's account access token.
We are getting an "Unauthorized webhook call" error.
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "push.webhookUrlUnauthorized",
        "message": "Unauthorized WebHook callback channel: https://abc-api.herokuapp.com/user/notifications"
      }
    ],
    "code": 401,
    "message": "Unauthorized WebHook callback channel: https://abc-api.herokuapp.com/user/notifications"
  }
}
Is there anyone here who can help us solve the issue?
You might want to check this post, which provides a solution like verifying that your domain has a valid (not self-signed) SSL license. Also, in google-api-php-client on GitHub, instead of setting https://example.com/google/push (resulted in Unauthorized WebHook callback channel) or https://www.example.com/google/push (allowed me to successfully open a channel, and an object was returned, but the webhook was not fired) as the address, they tried https://www.example.com/google/push/index.php and it worked.
One potential issue is if you're testing in Google's "try it" section of the documentation. It's not stated, but this particular request does not work there.
Otherwise, there are a few things that need to happen with the domain you are supplying in the address. First, you need to make sure it's verified in the Google Developers Console for the application you are hitting the API with. Additionally, you need to add the website property to your Search Console (even if it's just an API) and verify ownership.
Also, once you get past the unauthorized address issue, you will get another error requiring a resourceId be supplied.

Authenticating to BigQuery REST API via OAuth2 from Node.js

Newbie trying to figure out how to get a Node.js application to authenticate and query Google BigQuery, trying to adapt this CodeLab tutorial from Java. What step might I be missing?
First I create this OAuth2 URL using my client ID:
https://accounts.google.com/o/oauth2/auth?
client_id=1047877053699-den6kbs4v3f2bft6clonsirkj1pc7t6j.apps.googleusercontent.com
&scope=https://www.googleapis.com/auth/bigquery
&redirect_uri=http://localhost:3000/oauth2callback
&access_type=offline
&response_type=code
This successfully reaches Google, which prompts
A third party service is requesting permission to access your Google Account.
Agreeing that generates a second prompt:
Nodejs_Test is requesting permission to:
View and manage your data in Google BigQuery
Agreeing to that, the callback URL is called, with a parameter accessToken.
I think the following url should list tables in my BigQuery project/dataset:
https://www.googleapis.com/bigquery/v2/projects/1047877053699/datasets/visits&accessToken=4%2FC196NizZwlNgWSt5oNqQwendmLNW.0vgUrlGJ6kMRshQV0ieZDApig3NfcgI
But calling it with or without the accessToken returns the following "Login Required" message.
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "required",
        "message": "Login Required",
        "locationType": "header",
        "location": "Authorization"
      }
    ],
    "code": 401,
    "message": "Login Required"
  }
}
I know you can't repeat the code because of permissions, expired tokens, etc. But I wonder what step I might be missing conceptually.
Have you tried sending the access token as an Authorization header rather than as a URL parameter?
as in
https://www.googleapis.com/bigquery/v2/projects/1047877053699/datasets/visits
Authorization: OAuth Your-access-token-here-not-urlencoded
FYI, it looks like you originally used the parameter accessToken in the URL. It should instead be access_token, which looks like it works fine. Of course, Jordan's suggestion of using a header is better if you're able to do it, though; it's more secure, as it's unlikely to get logged in access logs, proxy server logs, etc.
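The two answers above identify three separate defects in the hand-built URL: the parameters are appended with '&' instead of '?', so they are part of the path; the parameter is named accessToken rather than access_token; and a token in the query string ends up in access and proxy logs, whereas an Authorization header does not. The same "send an OAuth token in the Authorization header, an API key is not enough" point is what the Google Docs API answer earlier on this page makes. The following is an added example, not code from any of these threads: it builds the request the way the answers recommend, diagnoses a hand-built URL for the three defects, and redacts credential parameters before a URL is logged, including the malformed '&' form, which a naive query-string redactor would miss. The project and dataset IDs are those quoted in the question; the token values are constructed placeholders, and the Bearer scheme (RFC 6750) is assumed in place of the older "OAuth" scheme the answer shows.

```python
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BIGQUERY_BASE = "https://www.googleapis.com/bigquery/v2"
# Query-string names that carry credentials and must be redacted before logging.
CREDENTIAL_PARAMS = ("access_token", "accessToken", "key")


def list_tables_request(project_id: str, dataset_id: str, access_token: str):
    """Return (url, headers) for BigQuery tables.list, carrying the token as an
    RFC 6750 bearer header instead of a query parameter."""
    url = f"{BIGQUERY_BASE}/projects/{project_id}/datasets/{dataset_id}/tables"
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    return url, headers


def _split_intended(url: str):
    """Split a URL into its parts, recovering the query the author evidently
    meant when '&' was used with no preceding '?'."""
    parts = urlsplit(url)
    path, query = parts.path, parts.query
    malformed = "?" not in url and "&" in path
    if malformed:
        path, query = path.split("&", 1)
    return parts, path, query, malformed


def diagnose_request(url: str, headers: Optional[dict] = None) -> list:
    """Explain why a hand-built Google API request would come back 'Login Required'.
    Returns an empty list when nothing is wrong."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    _, _, query, malformed = _split_intended(url)
    findings = []
    if malformed:
        findings.append("'&' used without a preceding '?': the parameters are read as part of the path")
    params = dict(parse_qsl(query, keep_blank_values=True))
    if "accessToken" in params:
        findings.append("parameter is named accessToken; the API expects access_token")
    if any(k in params for k in CREDENTIAL_PARAMS):
        findings.append("credential in the query string: it can land in access and proxy logs; prefer the Authorization header")
    if "authorization" not in headers and "access_token" not in params:
        findings.append("no usable credential presented: send 'Authorization: Bearer <token>'")
    return findings


def redact_for_log(url: str) -> str:
    """Replace credential parameter values with REDACTED before logging a URL.
    Handles the malformed '&' form too, so the token is not logged by accident."""
    parts, path, query, _ = _split_intended(url)
    pairs = [(k, "REDACTED" if k in CREDENTIAL_PARAMS else v)
             for k, v in parse_qsl(query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(pairs), parts.fragment))


# Constructed inputs: the question's URL shape with placeholder token values.
BAD_URL = (f"{BIGQUERY_BASE}/projects/1047877053699/datasets/visits"
           "&accessToken=4%2FEXAMPLE-TOKEN")
FIXED_URL = (f"{BIGQUERY_BASE}/projects/1047877053699/datasets/visits/tables"
             "?access_token=ya29.EXAMPLE")

if __name__ == "__main__":
    for label, url, hdrs in [("question's URL", BAD_URL, None),
                             ("renamed parameter", FIXED_URL, None),
                             ("header form", *list_tables_request("1047877053699", "visits", "ya29.EXAMPLE"))]:
        print(f"{label}: {diagnose_request(url, hdrs) or 'ok'}")
        print(f"  logged as: {redact_for_log(url)}")
```

The diagnosis of the renamed-parameter form still reports one finding, the logging exposure, which is the reason the last answer prefers the header even though the query form "works fine".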
