I'm using the ThuJohn Twitter package for Laravel and am trying to post tweets as a site user, but keep getting [89] Invalid or expired token. errors.
I know the package is installed correctly because I can send tweets using the website's app credentials; it's when I'm trying to tweet as a site user I run into problems.
I'm using the reconfig method, yet am still encountering issues. I'm wondering if my user credentials are wrong?
Here's the reconfig method:
Twitter::reconfig([
'consumer_key' => env('TWITTER_CONSUMER_KEY'),
'consumer_secret' => env('TWITTER_CONSUMER_SECRET'),
'token' => $user->twitter->token,
'secret' => $user->twitter->secret
]);
And this is how I'm grabbing the user's token and secret inside the callback method. Is this the correct way?
$request_token = [
'token' => Session::get('oauth_request_token'),
'secret' => Session::get('oauth_request_token_secret'),
];
Related
hope you all are doing well. I am stuck with an issue since couple of hours and could not be able to resolve it. Please have a look on error
enter image description here
I am trying to generate refresh token. Access_token generated successfully that is expired after 20 minutes. refresh token could not be generated
$client = new Client();
$res = $client
->request("POST",
"https://test.salesforce.com/services/oauth2/token",[
'body'=> json_encode([
'grant_type'=>'refresh_token',
'client_id'=>Config::get('forrest.info.client_id'),
'client_secret'=>Config::get('forrest.info.client_secret'),
'Authorization'=>'Bearer 00D3H0000008olE!ARYAQOzGGJDDIaygn7GokNk4T319XlDwwBXIDYPkJfej74dfhFT3CMDvBD2pZBQK_x.v2amiRe5Y29ZNXMp9EOA6ZTYyqrTW',
'access_token'=>'00D3H0000008olE!ARYAQOzGGJDDIaygn7GokNk4T319XlDwwBXIDYPkJfej74dfhFT3CMDvBD2pZBQK_x.v2amiRe5Y29ZNXMp9EOA6ZTYyqrTW',
])
]
);
dd ($res->getStatusCode());
any help or comment would be highly appreciated! thank for your time.
It seems like this error is returned from SalesForce API.
Looking at their documentation, it seems that they expect to see application/x-www-form-urlencoded not json.
Try out this code:
$client = new Client();
$response = $client->request('POST', '/post', [
'form_params' => [
'grant_type' => 'refresh_token',
'client_id' => Config::get('forrest.info.client_id'),
'client_secret' => Config::get('forrest.info.client_secret'),
'Authorization' => 'Bearer 00D3H0000008olE!ARYAQOzGGJDDIaygn7GokNk4T319XlDwwBXIDYPkJfej74dfhFT3CMDvBD2pZBQK_x.v2amiRe5Y29ZNXMp9EOA6ZTYyqrTW',
'access_token' => '00D3H0000008olE!ARYAQOzGGJDDIaygn7GokNk4T319XlDwwBXIDYPkJfej74dfhFT3CMDvBD2pZBQK_x.v2amiRe5Y29ZNXMp9EOA6ZTYyqrTW',
],
]);
dd($response);
let me know if it helped.
(Not an answer but too long for a comment)
This looks weird. "Authorization Bearer" should be a http header, not part of the message's body. Are you able to do what you need in plain old Postman, SoapUI etc?
Which OAuth2 flow did you use to generate this access token? Not all flows generate refresh token, for example https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_username_password_flow.htm&type=5 says "this flow doesn't support scopes" so you get full access - but also "this response doesn’t send a refresh token."
Have you checked the connected app (place in SF where you took client id and secret from), do the OAuth2 scopes include refresh? Did you ask for refresh token (included it in the original request's grants)?
I have a laravel application setup and I'm configuring a Discord auth system.
I have sent & requested authorization & recieved a confirmation code back.
When I try to exchange the code for an access token I'm receiving a 400 bad request and I'm not sure why.
I'm new to laravel and can't seem to find any sort of error that may help to pin point the problem.
Controller function that discord redirects after authorization
public function exchange(Request $request) {
//exchange discord code for access_token
$code = Request::get('code',false);
$params = array(
'grant_type' => 'authorization_code',
'client_id' => env('CLIENT_ID'),
'client_secret' => env('OAUTH2_CLIENT_SECRET'),
'redirect_uri' => Request::root().'/discord/return',
'scope' => 'identify guilds guilds.join',
'code' => $code
);
$access_token = Http::withOptions([
'debug' => true,
'headers' => [
'Accept' => 'application/json',
'Content-Type' => 'application/x-www-form-urlencoded'
],
'json' => $params
])->post('https://discordapp.com/api/oauth2/token');
dd($access_token);
return redirect()->route('return.discord',['token' => $access_token->access_token]);
}
I've dumped out $params and all the data is pulling in as it should.
Guzzle dumps this:
[CONNECT] [FAILURE] severity: "2" message: "HTTP/1.1 400 Bad Request " message_code: "400" [MIME_TYPE_IS] message: "application/json" [FILE_SIZE_IS] message: "Content-Length: 26" bytes_max: "26" [PROGRESS] bytes_max: "26"
I know that 400 bad request means an issue with the data being sent along, but I can't figure out what I'm doing that's not producing the correct result. The documentation states the required content type which I have set, so I'm really scratching my head here.
Any help would be much appreciated.
Here's the Discord API documentation:
https://discord.com/developers/docs/topics/oauth2#authorization-code-grant
To anyone looking for an answer...
The "invalid grant" error is due to an issue with the Discord API and non-standard requests. I could not get the Laravel HTTP class request to work for exchanging the access token. Instead, I used native php cURL within Laravel.
As for the issue with receiving '400 bad request', that was due to using incorrect function withOptions() as oppossed to asJson()->withHeaders(). Thanks #Zachary Craig!
However, I could not use this in the end due to the problem described above.
If any others find a better solution, let me know :)!
For all who have the same problem.
The solution is to use ->asForm() before the post. This changes the handling of the data from json to form_params. This way the Discord API accepts the parameters.
return Http::asForm()->post($this->endpoint.'/oauth2/token', $data);
Hello I am using JWT for authentication in my laravel 5 application. The application currently resides on a live server and has several APIs that other apps can connect to.
Currently I am building a mobile app that connects to some of these APIs, as you know with mobile apps when the user logs in once I want them to remain logged in for a very long time.
To do this I found out that I need to refresh the JWT when it's a expired, apparently this will generate a new token and blacklist the old one.
I use that latest version of Tymon/JWT which includes a new
blacklist_grace_period feature. This allows me to set a delay for when the token is refreshed and the old one is blacklisted.
My question now is, having the following in my route file:
Route::group(['domain' => 'admin.website'.(App::environment('production') ? '.com' : '.dev'), 'prefix' => '/api/v1/manager/', 'namespace' => 'App\Http\BackEnd\Controllers', 'middleware' => ['before' => 'jwt.auth', 'after' => 'jwt.refresh', 'acl'], 'is' => 'manager'], function() {
/** Manager Resource Routes */
Route::resource('events', 'EventManagerController');
});
How do I then get the newly generated token and return to the client after a jwt.refresh? Or is that automatically appended to the response of the request?
Take a look at the after-middleware that you are using:
vendor/tymon/jwt-auth/src/Middleware/RefreshToken.php
First it parses the token, then refreshes it:
try {
$newToken = $this->auth->setRequest($request)->parseToken()->refresh();
}
Then it adds it to the response's header:
$response->headers->set('Authorization', 'Bearer '.$newToken);
return $response;
So, yes, this is indeed where the newly refreshed token is added to the response.
Authentication fails for the following, which gets posted to mailchimp using CURL, where API_KEY is defined as a string containing my key. Similar code used to work just fine for mailchimp v2:
$params = array ('apikey' => API_KEY,
'email_address' => $email,
'status' => 'pending',
'merge_fields' => array ('fname' => $first_name,
'lname' => $last_name
)
);
The error is:
{"type":"http://kb.mailchimp.com/api/error-docs/401-api-key-missing",
"title":"API Key Missing",
"status":401,"detail":
"Your request did not include an API key.",
"instance":"(long number)"
}
That's not how authentication works in v3.0. From the documentation:
The easiest way to authenticate is using HTTP Basic Auth. Enter any string as the username and supply your API Key as the password. Your HTTP client library should have built-in support for basic authorization.
If you're using PHP, every HTTP library knows how to do this. I'd recommend Guzzle or PHP Requests, but even basic cURL in PHP can do basic auth easily.
The interests syntax looks okay, except that the value should be a boolean instead of a string.
the goal is to have one Google (YouTube) account for the web app. Users of the web app will be able to upload videos via this account to the one YouTube channel. After many hours im in the ends. I've found plenty of samples how to implement for Google user <-> web app interaction, but I don't need such comprehensive solution.
I'm trying over OAuth 2.0 (as recommended) and with Google API Ruby Client (https://github.com/google/google-api-ruby-client)
So far I have authorized the Google account (which will have that YouTube channel) with the web app, all necessary scopes included, offline access too and I have mechanism for refreshing access token. So I have access token, refresh token, client id and client secret.
But I don't know how to send a simple authorized request. The result below returns me "Daily Limit for Unauthenticated Use Exceeded." after a while so something wrong - i guess im missing part with client id and client secret.
So the question is: How to send simply authorized request via OAuth 2.0 with Google API Ruby Client, when we work with only one user and we have all necessary ids, secrets and tokens?
Thanks for any help or suggestion.
# Faraday connection
conn = Faraday.new(:url => 'https://accounts.google.com',:ssl => {:verify => false}) do |faraday|
faraday.request :url_encoded
faraday.response :logger
faraday.adapter Faraday.default_adapter
end
# Refresh token
result = conn.post '/o/oauth2/token', {
'refresh_token' => "1/1lDIvifN******************dk9Akuc9ELVKM0",
'client_id' => "61********506.apps.googleusercontent.com",
'client_secret' => "********************g_dLfKmi",
'grant_type' => 'refresh_token'}
#output = ActiveSupport::JSON.decode result.body
#access_token = #output['access_token']
#token_type = #output['token_type']
# Google Client
client = Google::APIClient.new
# YouTube API v3
api = client.discovered_api('youtube', 'v3')
# Retrieve list of playlists (not working)
#result = client.execute(
:api_method => api.playlists.list,
:parameters => {'part' => 'snippet', 'mine' => 'true'},
:authorization => {'token_type' => #token_type, 'access_token' => #access_token}
)
Ok, so I though the :authorization param in the execute request will add HTTP header Authorization: token_type access_token itself, but not and it was a problem.
So this works:
#result = client.execute(
:api_method => api.playlists.list,
:parameters => {'part' => 'snippet', 'mine' => 'true'},
:authorization => {:token_type => #token_type, :access_token => #access_token},
:headers => {:authorization => #token_type + ' ' + #access_token}
)