I am trying to authenticate my python app to a specific user using spotipy. I have done this before with a few other users with no problems. This user however each time I try I keep getting '{"error":"invalid_grant","error_description":"Invalid authorization code"}'
I have also tried manually a couple different ways including curl:
curl -H "Authorization: Basic OTQxNDliNjI3...WRhMzk5YTY2ZTliZWY=" -d grant_type=authorization_code -d code=AQByvdq4Vr9-L_ZLrySeTOx...pm1vmb8vwGe2GUXcmTY#= -d redirect_uri=http%3A%2F%2Flocalhost%3A8888%2Fcallback https://accounts.spotify.com/api/token
{"error":"invalid_grant","error_description":"Invalid authorization code"}
I have tried both putting the client_code and client_secret in the header (as shown above) and in the post body both with the same error
keep in mind I am using the exact code I get from my callback url as soon as I can (cut and paste) and like I said before, this method has worked with other users with no problems. Can anyone think of anything else I can try?
Spotipy currently has a bug where it doesn't correctly parse out the code from a given redirect_uri if that uri contains a trailing "#" segment. When spotipy propmts for you to paste in the redirect_uri do so by copying the uri without including the "#" and everything following it
Related
i'm integrating the docusign api with my angular application, everything is working good, i created a proxy configuration in order to do the api calls, im using the demo url since i have a demo developer account.
The problem is that when i run my program in local (using localhost) the authentication token is successfully returned by the oauth call but when i upload my program on an external domain the same call returns me an html with irrelevant information with status 200 OK.
I tried to search this on google but i can't find nothing good.
What should i do?
this is the error i get:
ERROR qm
error: {error: SyntaxError: Unexpected token < in JSON at position 0
at JSON.parse ()
at XMLHtt…, text: "<!doctype html>↵↵↵ <meta ch…b0a19788ec.js" defer="">↵↵"}headers: DmlazyInit: ()=> {…}lazyUpdate: nullnormalizedNames: Map(0) {}proto: Objectmessage: "Http failure during parsing for http://frontendly.it/oauth/token"name: "HttpErrorResponse"ok: falsestatus: 200statusText: "OK"url: "http://frontendly.it/oauth/token"proto: Bm
The OAuth call you are making has a parameter called redirectUri.
Look for &redirect_uri= in the URL.
You have to change that for each location, if you put this in a domain - then you cannot use localhost in there.
This URL has to match exactly to where you deployed your application.
For the second call, make sure to make it a POST, not GET, add the headers like this: (more information)
curl --header "Authorization: Basic NWMyYjhkN.....FhODg2MQ=="
--data "grant_type=authorization_code&code=eyJ0eXAi.....QFsje43QVZ_gw"
--request POST https://account-d.docusign.com/oauth/token
So I'm having some issues with getting my Keycloak-Connect sample to work.
Basically I have a simple check with Keycloak on an express route On my VM
(10.10.10.54:8081) as follows.
app.get('/api*', keycloak.protect(), (req, res) => res.status(200).send({
message: 'Hit API Backend!',
}));
My Keycloak Server is on a separate VM (for this example http://keycloak.myexternaldomain.ca/auth/)
the calls I've been making to test this out are.
RESULT=`curl --data "grant_type=password&client_secret=mysecret&client_id=account&username=myusername&password=mypassword" http://keycloak.myexternaldomain.ca/auth/realms/TEST/protocol/openid-connect/token`
This returns the proper access token everytime,
TOKEN=`echo $RESULT | sed 's/.*access_token":"//g' | sed 's/".*//g'`
To parse token into a variable.
curl http://10.10.10.54:8081/api -H "Authorization: bearer $TOKEN"
Which still constantly returns Access Denied, I tried this in a similar example with the Keycloak-Quickstart Node Service to see if there was a more verbose error in that. What i'd receive back was
Validate grant failed
Grant validation failed. Reason: invalid token (wrong ISS)
Though if I waited a little bit it'd give me an Expired Token error so I feel like i'm on the right track.
so obviously there is something wrong from where i'm issuing the token from not matching where it's expecting? I can make a call to get the Users credentials from the keycloak server itself by cURLing to
curl --data "grant_type=password&token=$TOKEN&client_secret=secret&client_id=account&username=myaccount&password=mypassword" http://keycloak.myexternaldomain.ca/auth/realms/TEST/protocol/openid-connect/token/introspect
am I misinterpreting how I am supposed to be using Keycloak, or is this a settings issue?
Thanks in advance
My Issue was in my keycloak.json ... I had a different realm vs the one I was authenticating for.
If you're ever having this issue I suggest modifying keycloak-auth-utils to give you more verbose error logging on the grant-manager.
Specifically changing
else if (token.content.iss !== this.realmUrl) {
reject(new Error('invalid token (wrong ISS)'));
}
to
else if (token.content.iss !== this.realmUrl) {
reject(new Error('invalid token (wrong ISS) Expecting: '+this.realmUrl+' Got: '+token.content.iss);
}
helped me track down this issue myself.
If you are working in localhost and getting the same problem, my issue was that I was using https in localhost, i.e realmUrl: "https://localhost:8080/auth/realms/master" instead of realmUrl: "http://localhost:8080/auth/realms/master"
I have also faced with same issue . i used following checks to solve this
1.check the configuration in your project
is serverurl exact (127.0.0.1 , localhost, 0.0.0.0 are different urls ..mention
same as keycloak url)
is realm in small case
is client id and secret is correct
if still you are facing a problem try to use single quote instead of double quote
ex-
realm_name:"demo-realm" --> realm_name:'demo-realm'
it is working for me
Hi I used the deploy to bluemix button at the top right of this page
https://alchemy-language-demo.mybluemix.net/?cm_mc_uid=69990450306114782046823&cm_mc_sid_50200000=1478206651
to create an Alchemy language node server. It runs ok -
https://alchemylanguage-nodejs-encekxdev-216.mybluemix.net/
but when I try to post to it using postman I get the response 'internal server error'.
Checking the server logs, it seems to respond to the request with
code: 'EBADCSRFTOKEN', error: 'invalid csrf token'
Even if I try to send the csrf from the webpage version of the site, it still doesn't work.
I feel like I have missed something in the configuration of the server but don't know what. I'm not great with servers etc so sorry if this is super basic.
EDIT - I should mention I have also tried sending an apikey in the request which I got from the service credentials section in the alchemy service bit off the dashboard but the same error occurs.
EDIt - The call to the API I am making looks like this:
POST https://alchemylanguage-nodejs-encekxdev-216.mybluemix.net/api/keywords
with headers:
text: 'this is some dummy text I have made'
I have also tried adding apikey to the headers.
Thanks.
You do not POST your application, you have to POST to the API.
Here is the link with API URL and various samples:
http://www.ibm.com/watson/developercloud/alchemy-language/api/v1
For example, here is a curl request for keywords:
curl -X POST \
-d "outputMode=json" \
-d "url=http://www.twitter.com/ibmwatson" \
"https://gateway-a.watsonplatform.net/calls/url/URLGetRankedKeywords?apikey=$API_KEY"
Make sure you export $API_KEYto your environment before running the command above. You can find the $API_KEY in the AlchemyAPI instance you created in Bluemix.
I'm integrating Google's login with a Flask site using Flask-OAuth.
Everything is working fine. I can authorise the login and get a token back etc without any difficulties. But when I use Flask-OAuth's get method to request the logged in user's email address I get an error saying:
TypeError: Unicode-objects must be encoded before hashing
I'm using Python3 and this has the smell of a Python version issue but I can't figure out what I'd need to change.
The code I'm using is this:
def get_additional_data(self):
access_token = session.get('oauth_token')
headers = {'Authorization': 'OAuth ' + access_token[0]}
return self.service.get(
'https://www.googleapis.com/oauth2/v1/userinfo', None,
headers=headers)
I'm not sure what I can encode in that request. Even if I don't pass the headers I get the same error (rather than an invalid request or something like that).
I've run 2to3 on oauth2/__init__.py and the tweaks is suggests are very minor and shouldn't prevent the code from running in Python 3. Also, everything else OAuth2 related is working.
The bad news is that the solution to this problem is switching to Flask-OAuthlib.
The good news is it required very few changes from Flask-OAuth to get it working.
I'm trying to use the Power BI REST API, using an access token acquired with the "client credentials" method, but I keep getting 403 Forbidden on my requests.
My code follows the pattern demonstrated in this AzureAD sample. In fact, to isolate this problem, I'm running that sample code (with my own values in the parameters.json, of course):
{
expiresIn: 3599,
tokenType: 'Bearer',
expiresOn: Tue Sep 01 2015 16:56:07 GMT-0500 (CDT),
resource: '00000002-0000-0000-c000-000000000000',
accessToken: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSIsImtpZCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8xM2QxNzIwNC0wZGU2LTQ1NzQtOTgzYS05NjFhYjk0M2M3Y2UvIiwiaWF0IjoxNDQxMTQwNjcwLCJuYmYiOjE0NDExNDA2NzAsImV4cCI6MTQ0MTE0NDU3MCwidmVyIjoiMS4wIiwidGlkIjoiMTNkMTcyMDQtMGRlNi00NTc0LTk4M2EtOTYxYWI5NDNjN2NlIiwib2lkIjoiYzM1ZWQyYTktYTYzZS00YzAwLThmYmYtY2FlYjlmZjYwMjYwIiwic3ViIjoiYzM1ZWQyYTktYTYzZS00YzAwLThmYmYtY2FlYjlmZjYwMjYwIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvMTNkMTcyMDQtMGRlNi00NTc0LTk4M2EtOTYxYWI5NDNjN2NlLyIsImFwcGlkIjoiNDQ2Y2Y5OTItMDQzYS00YjgxLWJhYzQtY2RlZWYyNGFhNzFjIiwiYXBwaWRhY3IiOiIxIn0.YTGJfdW1wP09bDHwwsv3FPAmEpmQdc_kifvgY-1KjhkZWANfYtd050wfeZdNgMUeSPZyFdWnoBjnJ4xrlDtnsADwV1Grr6TXYcymPLofbY-xy0cjyvzxTmM11DJ9XN8A4tkgvK0jtR-YyIjPw5EKJSKyeEbD9U3mWsE_gu7IzKzXl8e-dfVAqRYS6WHZy6_0FaNmppPDls5s_QIPOHofFSiWVISw41Mz0fQnP2QEGyceOCvKYJtrUOCDwfVuwFS-gSLmYvEGOJfmIjftP3srda0JPirVzBeU0IFJJ1KW81kE5cfKw1KkBB04VVetRUs_7HqloYaKKiTybauhXAodRQ',
isMRRT: true,
_clientId: '[snip]',
_authority: 'https://login.windows.net/[snip]'
}
When I use that access token in a curl request, as follows, I get a 403:
curl -vv -X GET https://api.powerbi.com/v1.0/myorg/datasets -H"Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSIsImtpZCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8xM2QxNzIwNC0wZGU2LTQ1NzQtOTgzYS05NjFhYjk0M2M3Y2UvIiwiaWF0IjoxNDQxMTQwNjcwLCJuYmYiOjE0NDExNDA2NzAsImV4cCI6MTQ0MTE0NDU3MCwidmVyIjoiMS4wIiwidGlkIjoiMTNkMTcyMDQtMGRlNi00NTc0LTk4M2EtOTYxYWI5NDNjN2NlIiwib2lkIjoiYzM1ZWQyYTktYTYzZS00YzAwLThmYmYtY2FlYjlmZjYwMjYwIiwic3ViIjoiYzM1ZWQyYTktYTYzZS00YzAwLThmYmYtY2FlYjlmZjYwMjYwIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvMTNkMTcyMDQtMGRlNi00NTc0LTk4M2EtOTYxYWI5NDNjN2NlLyIsImFwcGlkIjoiNDQ2Y2Y5OTItMDQzYS00YjgxLWJhYzQtY2RlZWYyNGFhNzFjIiwiYXBwaWRhY3IiOiIxIn0.YTGJfdW1wP09bDHwwsv3FPAmEpmQdc_kifvgY-1KjhkZWANfYtd050wfeZdNgMUeSPZyFdWnoBjnJ4xrlDtnsADwV1Grr6TXYcymPLofbY-xy0cjyvzxTmM11DJ9XN8A4tkgvK0jtR-YyIjPw5EKJSKyeEbD9U3mWsE_gu7IzKzXl8e-dfVAqRYS6WHZy6_0FaNmppPDls5s_QIPOHofFSiWVISw41Mz0fQnP2QEGyceOCvKYJtrUOCDwfVuwFS-gSLmYvEGOJfmIjftP3srda0JPirVzBeU0IFJJ1KW81kE5cfKw1KkBB04VVetRUs_7HqloYaKKiTybauhXAodRQ"
Wondering if that curl request was flawed somehow, I snooped out an access token “the wrong way” via browser webtools, and the above works fine, returning a 200 and a JSON response listing my datasets.
I did also notice that the return code is 403 (forbidden), not 401 (unauthorized), so I wondered if the authorization was okay but the permissions on the Power BI side were wrong. But I also get 403 when I use any garbage text for the access token (e.g., Authorization: Bearer foo), so I discarded that theory.
So. I think I have a valid test, and I’m getting what I think is a valid access token (from that client-credentials-sample.js code), but it’s still not working. What am I missing?
With the assistance of some Microsoft folks (thanks, Jon Gallant & Josh Caplan), I've learned that authenticating with an OAuth client-credentials flow, as I was doing with that JavaScript sample, provides insufficient access. To use Power BI, authentication needs to be based on a particular user.
I tried using:
the similar JavaScript sample username-password-sample.js
a resource value of https://analysis.windows.net/powerbi/api (thanks, slugslog)
adding username and password to the parameters.json
That got me closer, but I was still getting a 400 response: "error_description":"AADSTS90014: The request body must contain the following parameter: 'client_secret or client_assertion'. …".
A hack to the adal-node library (hardcoding the client secret, i.e., oauthParameters[OAuth2Parameters.CLIENT_SECRET] = "my-client-secret"; after line 217 of token-request.js) was enough to get back an access token which works in the Authorization header for my original curl call.
Of course hardcoding that value in there isn't my final solution. I don't plan to use the adal-node library, anyway. But as far as this proof-of-concept for this authentication case goes, that's the answer I came to.
Make sure that your app that you registered with AAD has the read write all datasets permission. That should solve the problem.
This is not an answer but one step forward in the debug process. I think the resource for which the token is requested should be "https://analysis.windows.net/powerbi/api". I've seen these in multiple references; one of them is linked below. Even after changing this, I still get a 403. As the OP mentioned if we use the accessToken from the powerBI portal, everything works.
So I tried this with my own app, the following command works (for me):
curl -vv -X GET https://api.powerbi.com/v1.0/myorg/datasets -H"Authorization: Bearer ey....qqqq"
BTW, the extra "v" after -v seems redundant.
So what I can conclude is that your application is missing the required permissions to call Power BI's APIs.
One thing you might try is grab one of our samples, create a new application in AAD for it, and then see if the authorization token works for it. Here's a good one to try: https://github.com/PowerBI/Integrate-a-tile-into-an-app