I use the standard go library golang.org/x/oauth2 to acquire an OAuth2 token from Microsoft users.
This is the oauth2 config I use:
return oauth2.Config{
ClientID: clientID,
ClientSecret: clientSecret,
Endpoint: microsoft.AzureADEndpoint("common"),
Scopes: []string{
"https://graph.microsoft.com/.default",
},
}
This is how I get the redirect URL:
oauth2Config.AuthCodeURL(state, oauth2.ApprovalForce, oauth2.AccessTypeOffline)
And this is how I exchange the code acquired in my oauth2 callback to the oauth2 token:
oauth2Config.Exchange(ctx, code)
I use the same code for integrating with github, google cloud platform, bitbucket and digitalocean. It has been working fine for me and it does work with Microsoft but sometimes I randomly get one of the following errors:
AADSTS90013 Invalid input received from the user
or
AADSTS900144: The request body must contain the following parameter: 'grant_type'.
And I don't understand what might be the reason. The first error potentially could be caused by some JS bugs in the Microsoft consent screen. The second error makes no sense – oauth2 lib sets grant_type value correctly, I search for this error and it says the issue could be in the incorrect encoding which should be x-www-form-urlencoded but I've looked up oauth2 library and confirmed that's exactly what it does.
Or maybe there's a timeout for a repeated acquisition of a token under the same user.
UPD: I get these errors during the exchange of a code to a token
UPD2: I started to get oauth2 errors randomly with other providers, such as DigitalOcean, the errors also happens during the code to a token exchange. Errors like this:
ERROR STACKTRACE: oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"bad_request","error_description":"invalid semicolon separator in query"}{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed."}
could not get auth token
I've looked up values in my oauth2 config, it's all correct, the values however are not url encoded (I assume oauth2 lib handles this).
I've recently upgraded my go to 1.17.6
UPD3: I've noticed that my oauth2 configs both for DigitalOcean and Microsoft didn't have AuthStyle specified, so I've set it manually to oauth2.AuthStyleInParams. But this still didn't resolve the issue. After a few repeated attempts with DigitalOcean it started to randomly return the following error:
Response: {"error":"bad_request","error_description":"invalid semicolon separator in query"}{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed."}
which I don't even think is a valid error, there's no semicolon symbol neither in the request URL nor the body
UPD4. It may sound stupid but when I restart my app (I run-debug it via GoLand) DigitalOcean oauth works just fine until I connect a Microsoft account via oauth2 (which also works fine), but then if I connect (reconnect) DigitalOcean account again then it just stops working ¯_(ツ)_/¯
UPD5. Below is the debug watch of doTokenRoundTrip function inside oauth2 library. The token exchange request returns 400 bad request
The request body:
client_id=[redacter]&client_secret=[redacted]&code=e50e6dc91ec6b855becdef7a32cc4e28684851ccf385b2f6bb667ed6ec1172df&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fv1%2Fdigitalocean%2Foauth2%2Fcallback
The URL and the body both looks good to me. However this returns the following error:
Response: {"error":"bad_request","error_description":"invalid URL escape "%\x9b\x06""}{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed."}
UPD6. Exchange request headers:
The issue caused by the extra headers. Normally it should be only Content-Type: application/x-www-form-urlencoded header but as you can see above there are extra headers including Content-Encoding: gzip which probably causes the issues. These headers added after I connect Microsoft account via oauth2, more specifically is because I use microsoft graph sdk (github.com/microsoftgraph/msgraph-sdk-go) after acquiring the token. This SDK implements RoundTripper interface that eventually adds extra headers.
Submitted the issue to graph sdk https://github.com/microsoftgraph/msgraph-sdk-go/issues/91
I think second error refers to the grant_type missing in the config
grant_type:authorization_code,
code: {code you got from the authorization step},
client_secret: ****
Other way of accessing the OAuth 2.0 Token, Please refer this Document
Related
I am trying to get an access token via RestTemplate.postForEntity().
myRestTemplate.postForEntity(authBaseUrl, request, Object.class);
I have a specific class for it, but let's use now a simple Object as type. It contains an access_token field.
It works, because I can get response, but the length if the access tokens (which is a string)
is 1196 character long. And I can get the same length in Postman too.
But if I use the intelliJ built-in REST client, the length is 1199.
Only the token from the intelliJ rest client works (So the longer).
Because I always get a new access token, it is impossible to get the same token twice.
How can I debug it?
What could be the problem?
Is the code that generates the response available to you? if so in your response add a header content-length so you can see what the server sent and what you received. Also, debug the server side and see what is being generated. In addition take another 3d party Http client and test it with this client see if you see a difference. The Http clients that you can try are Apache Http client, OK Http client, or my favorite - a very simplistic client written by me as part of my own Open Source MgntUtils library. Here is the Javadoc for my http client Here is a link to a similar question where you can get the references for any of above mentioned Http clients: How to check the status of POST endpoint/url in java
I thought that using Google's official ruby client API would be the easiest way to validate an access_token that hits my backend server.
Not really.
Version 0.9 has not a simple sample of validating an access token and API docs doesn't help neither.
I have got this far:
require 'google/apis/oauth2_v2'
oauth = Google::Apis::Oauth2V2::Oauth2Service.new
oauth.tokeninfo({access_token: 'aaaaaaaa...'})
=> Google::Apis::ClientError: Invalid request
docs on google-api-client-0.9.4/generated/google/apis/oauth2_v2/service.rb say that tokeninfo method raises:
[Google::Apis::ServerError] An error occurred on the server and the request can be retried
[Google::Apis::ClientError] The request is invalid and should not be retried without modification
[Google::Apis::AuthorizationError] Authorization is required
How can I tell that the token is invalid ?!?
Can you guys share some examples ?
Today I faced the problem that (suddenly) the SAP Gateway stopped acceppting CSRF tokens issued by himself.
Checked the network trace, everything is fine. The Client gets a token using GET Method and the HTTP Header
X-CSRF-Token: Fetch
receiving one, followed by an immediate POST request using the received Token and getting a 403 Forbidden status with response Body "CSRF Token could not be verified" (or similar)
By default, the CSRF Protection is only enabled over HTTPS in SAP Netweaver Gateway. How to enable CSRF over HTTP (and why not to do so) is described in the following SAP Note:
1896961 - HTTP/HTTPS Configuration for SAP NetWeaver Gateway
The important bit of the Note:
... set the instance profile parameter login/ticket_only_by_https to 0...
I'm trying to use a parse.com cloud function in a mailgun route action (forward).
My action is like this (with my app id and JS key included of course):
forward("https://myAppId:javascript-key:myJSkey#api.parse.com/1/functions/hello")
In the mailgun logs, I see it call, but I get the following error:
HTTP Error 401: Unauthorized Server response: 401 HTTP Error 401: Unauthorized
My function is just a simple response.send("OK");
Obviously I'm missing something.
Greg
The issue I think is that the Cloud Code calling convention requires you use special Parse headers, not just keys: it may be different if its being called from a browser with sets the referer headers. I'm not sure you'll be able to call it this way directly from Mailgun: you may need a proxy of some sort.
EDIT: I think you'll need to use the Express Webhook implementation instead, and then you can use standard basic authentication. Cloud Code is really for cases where you have control over the HTTP client you're using.
I am able to get authorization token, but getting error at access Token, These are the steps I am doing now,
1.Obtain the code:
https://{host}/oauth2/endpoint/connectionsProvider/authorize?response_type=code&client_id=sample_application&redirect_uri=http://{host}
I got back something like:
http://{host}/?code=XMQPNpxCxkRCfIXMFbWiTQVD4PcM11
2.Try to get access token using: POST method:
POST https://{host}/oauth2/endpoint/connectionsProvider/token?grant_type=authorization_code&redirect_uri=http://{host}&client_id=sample_application&client_secret=pIEaHOQ6odz0Vr9fKTmiS0NgQF2uGAUDl2i9ZHS38qE7TGZD2nn3RcSl2bEI
With payload data as: code=XMQPNpxCxkRCfIXMFbWiTQVD4PcM11
In the 2nd steps only I am getting error.
Please advice me.
-WillSteel
Resolved the issue the problem was the header we were sending was MediaType.APPLICATION_JSON but the token end point api expects MediaType.APPLICATION_FORM_URLENCODED, so by changing the header the oauth flow worked.