the project that I am trying to automate is This.
Manual Logged in
When I click on Google logged-in it will redirect to manual login.
after I logged in successfully I can see there Post method
Request URL: https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyAssertion?key=AIzaSyDF-qMBES2pwjDAzWRRsu-FiAxZgJsBuIk
Request Method: POST
with the body
requestUri: "FirebaseappURL"
returnIdpCredential: true
returnSecureToken: true
sessionId: "SessionID???"
after that, it generates a Large respond
context: ""
displayName.
emailverified.
expiresIn:3600
federatedId:...
firstName:.
fullName:.
idToken: <Token>
kind: "identitytoolkit#VerifyAssertionResponse"
lastName: ...
localId: <ID>
oauthAccessToken: <Token>
oauthExpireIn: 3600
oauthIdToken: <Token>
photoUrl: <url>
providerId: "google.com"
rawUserInfo: <long json>
refreshToken: <token>
I want to simulate it with post request with the postman
after that, I will transfer it to Script
What I tried
Google API Config
I went to Google DashBoard Create Project.
Then I go to the OAuth consent screen and add my user as test users.
Add all the Clawee sites as authorizes.
Then I Went to Credentials and add Oauth 2.0 Client ID's of the Desktop client
and got his ClientID and SecretID
Now from postman, I went to
https://accounts.google.com/o/oauth2/v2/auth?client_id=<ClientID>.apps.googleusercontent.com&response_type=code&scope=openid%20email&access_type=offline&redirect_uri=urn:ietf:wg:oauth:2.0:oob
I got my auth-code
now I send a request to
https://oauth2.googleapis.com/token
with params clientid,secretId,authCode,grant_type
and get my Access Token + Refress Token
Now to check that, I navigate to
https://www.googleapis.com/oauth2/v3/userinfo?access_token="
I got My User Info... It works
Now I tried to use that Access Token
To login to Firebase app as they did
but because I using my Own token and not a manual login
I read about the "signInWithIdp" or "verifyCustomToken"
And I tried
with 'postBody': 'access_token=[My_Token]&providerId=google.com' or
token: [My_Token]
Both Failed...
What am I doing wrong?
Related
We are trying to use auth0 for spring-boot application authentication.
Created Regular Web Application and Machine to Machine Applications in auth0.com and added users under User Management.
Intention is to have a login API to authenticate users and get the access-token after the successful authentication. Use access token (as bearer token) to access other APIs of the spring-boot application.
We provided proper login and callback urls under the Machine To Machine application configuration in auth0.com.
While generating bearer token, apart from client_id, client_secret we have provided grant_type (as client_credentials), audience as https://<>/api/v2 and scope with (openid profile my_scope email roles).
We are getting 401 error while accessing the other APIs using bearer token generated using client_id, client_secret, grant_type and audience.
Wherein, we are getting 403 error while accessing the other APIs using bearer token generated using client_id, client_secret, grant_type, audience and scope.
403 error stack is as below
Client is not authorized to access <<application-domain-in-auth0>>/api/v2/. You need to create a client-grant associated to this API.
We referred to the udemy session (https://www.udemy.com/course/build-secure-apis-with-auth0-and-postman/learn/lecture/12716335#overview)
Any inputs on the overall approach and where we are going wrong.
Thanks
Venkata Madhu
not sure if it can help, but found this more relevant to the problem statement.
https://community.auth0.com/t/how-to-generate-a-management-api-token-automatically/6376
There are a few things you need to do/check:
Create a non-interactive client in Auth0, which will be used to represent your service.
Authorize the non-interactive client to call the Auth0 Management API:
Dashboard > APIs > Auth0 Management API > Non Interactive Clients > Authorize your client
Ensure that the parameters used in the call to /oauth/token are for your non interactive client:
{
grant_type: 'client_credentials',
client_id: 'NON-INTERACTIVE-CLIENT-ID',
client_secret: 'NON-INTERACTIVE-CLIENT-SECRET',
audience: 'https://yourdomain.auth0.com/api/v2/" }
Make sure the access token you receive is passed in the Authorization header for every request made to the Management API. Authorization: Bearer <access_token>
So I'm trying to use the Home Graph API by calling the API endpoint
https://homegraph.googleapis.com/v1/devices:requestSync
It is a HTTP POST request and it needs an ACCESS_TOKEN and service account key.
Getting the service account key is easily done as per Google's documentation. The issue is getting the ACCESS_TOKEN.
As per this documentation by Google, I need to get ACCESS_TOKEN created using the following scope of permissions
https://www.googleapis.com/auth/homegraph
I opened OAuth 2.0 Playground to request a developer temporary ACCESS_TOKEN for testing. I wrote all the necessary urls and in scope I wrote this-
scope is written to be authorized
Now after this, I am navigated to my Authorization URL (ie, Google's sign in page). I login with email id and password.
If credentials are correct and scope mentioned is valid then I should have been redirected to OAuth playground page with authorization code which I would have exchanged for access token and refresh token.
But, what actually happens is after I enter my credentials, I get following error and I am never redirected to Oauth Playground page-
Authorization Error
Error 400: invalid_scope
Some requested scopes cannot be shown: [https://www.googleapis.com/auth/homegraph]
Request Details
access_type=offline
o2v=2
response_type=code
redirect_uri=https://developers.google.com/oauthplayground
prompt=consent
client_id=xxxxxxxxx.apps.googleusercontent.com
scope=https://www.googleapis.com/auth/homegraph**
I searched a lot online too, but couldn't find the actual reason.
So due to this issue with scope, I am not able to get ACCESS_TOKEN.
I have followed Google's documentation and the scope was mentioned there.
This is the pic from oauth 2.0 playground settings- OAuth 2.0 configuration
The issue is that you, a user, should not be getting and sending an access token. The service account should be getting and sending an access token. This is to make sure your service is authorized to talk to the Home Graph API.
You indicated you logged into the OAuth playground with "userid and password". But service accounts don't have passwords.
If you are using one of Google's libraries, it will take care of getting the access token for you, and this is the easiest way to do so. If you are just testing and need an access token, you can use something like oauth2l to get the access token based on the service account credentials.
I had implemented the REST approach to call HomeGraph Report State as below.
We need to follow the below steps:
Create a service account for your project and safely store the json file
Using the service account JSON, get the access token from Google
Using Oauth 2.0 token as Bearer authorization, invoke Report State API
Step 1:
This is straightforward. Please follow the steps in the below link
https://developers.google.com/assistant/smarthome/develop/report-state#expandable-1
Step 2:
Refer below code to get the Access token using service account json
GoogleCredentials credentials = GoogleCredentials
.fromStream(Helper.class.getClassLoader().getResourceAsStream("smart-home-key.json"))
.createScoped("https://www.googleapis.com/auth/homegraph");
credentials.refreshIfExpired();
AccessToken token = credentials.getAccessToken();
return token.getTokenValue();
Step 3:
Invoke Report State API
curl -X POST -H "Authorization: Bearer [[Access token from Step 2]]"
-H "Content-Type: application/json"
-d #request-body.json
"https://homegraph.googleapis.com/v1/devices:reportStateAndNotification"
Reference Links :
https://developers.google.com/assistant/smarthome/develop/report-state#http-post
https://cloud.google.com/endpoints/docs/openapi/service-account-authentication
https://developers.google.com/identity/protocols/oauth2/service-account#httprest_1
https://developers.google.com/assistant/smarthome/develop/report-state#expandable-1
Im follow the react-hosted-login sample project here: https://github.com/okta/samples-js-react/tree/master/okta-hosted-login
I created my application in okta like so:
I configured the react-sample appropriately
export default {
oidc: {
clientId: '0oaewvbvbyZdmYZb60h7',
issuer: 'https://dev-572586.oktapreview.com/oauth2/default',
redirectUri: 'http://localhost:8080/implicit/callback',
scope: 'openid profile email',
},
resourceServer: {
messagesUrl: 'http://localhost:8000/api/messages',
},
};
When I run the app, I can successfully login when I click the login button in the react app. i.e It takes me to my okta sign-in page and redirects back with the access token and all that stuff
However, when the login is initiated from okta, I get the following error AuthSdkError: Unable to parse a token from the url:
What am I doing wrong?
I can assume It's because your Login Redirect URL's and Initiate Login URL
Are the same values on general setting of your app in okta
Try commenting out this if you have disabled PKCE flow,
//pkce: false
One thing you might check:
Make sure you've got the #okta/okta-react package installed (NPM), you've imported the ImplicitCallback component, and your routing has the route to it:
Well, since the Other problem(solved) remain unsolved, I was thinking to use POSTMan to do Trial and Error on each steps that the Client library will do.
So I read the Basic steps of Google OAuth2 again, created another OAuth 2 ID at Api Manager > Credentials in Dev Console and ID type is Web Application, and filled them into the POSTMan:
New tab in POSTMan, then click the Authorization label.
Choose type as OAuth 2.0 and select "Add token to the url"
Auth URL: https://accounts.google.com/o/oauth2/v2/auth
Access Token URL: https://www.googleapis.com/oauth2/v4/token
Client ID: [the Client ID that I just received]
Client Secret: [the Client secret that I just received]
Scope: [empty]
Grant Type: Authorization Code
Request access token locally: Selected
Click "Request Token"
POSTMan replied me: "Could not complete OAuth2.0 login"
Do I missed something?
(Google redirect URI could be found here)
(API scope could be found here)
You get access Token only when a Google User Logs in through the google signin page.
Step 1:
Redirect
https://accounts.google.com/o/oauth2/auth?client_id=" + GoogleClientID + "&redirect_uri=" + Url.Encode(GoogleRedirectURL) + "&response_type=code&scope=email"
Step 2:
Now you are on google signin page and you would enter your google credentials.
Step 3 :
Google will redirect you back to the redirect_uri that you have configured in the Google Developer Console and you can get the "code" from the QueryString
Step 4:
Now you post a form to https://www.googleapis.com/oauth2/v4/token
with client_id, client_secret, redirect_uri, code(you obtained in Step 3), and the grant_type=authorization_code
Result: You should now receive the access_token from Google
BigHomie's suggestion of scope to 'email' worked for me as well.
But I used a different Auth URL and Access Token URL than BigHomie, because I think it's been updated.
Auth URL:
https://accounts.google.com/o/oauth2/auth
Access Token URL:
https://accounts.google.com/o/oauth2/token
I followed Rajat's instructions, and they worked but afterward I tried what the OP did again but this time setting the scope to 'email' instead of leaving it blank, I got a prompt to enter my gmail creds, and was able to get access token.
Update
I have been able to get a Bearer token using instructions from this thread
Here are the instructions in Postman:
Url: https://login.windows.net/[tenantname].onmicrosoft.com/oauth2/token
Type: POST
Headers: none
Body: form-data
grant_type: client_credentials
client_id: [client-id]
client_secret: [client-secret]
However, if I send the same token in my call to a Web API endpoint, I still get back "Authorization has been denied for this request"
Why is it still not authorizing ?
End Update
I have created an ASP.Net Web API project which is protected using an organizational Azure AD instance. I have set up the tenant id, client id and secret correctly.
The Azure AD instance is the same one backing our Office 365/SharePoint instance and the idea is to create SharePoint Add-Ins which can call the services using the logged in user's context.
I am stuck at testing the API. I can call unauthorized endpoints without any issue. However, when I add the [Authorize] attribute, I always get back this response: "Authorization has been denied for this request."
As I understand it, I need to generate a bearer token and add it to my Postman request in the header (see image). After much Googling, I still have not been able to make this work.
My question is: How do I generate a bearer token for a Web API instance protected by Azure AD.
My configuration code is as below:
public void ConfigureAuth(IAppBuilder app)
{
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
TokenValidationParameters = new TokenValidationParameters {
ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
},
});
}
First, you can use POSTMAN to test web api protected by the Bearer token. Here's my postman screenshot:
POSTMAN sending bearer token to web api
Basically: in the request header, specify the key as "Authorization", and value as "Bearer [your token". IF you run into errors, look the headers of the response and you'll see more detailed error info.
Note, most tokens have an expiration period, you can try to verify if your token is valid. e.g. https://jwt.io/