I am working in a Golang application, this one is connected to a Oauth2 service, right now I have the refresh token and I need to get a new access token with it, I am using golang.org/x/oauth2 but it wans't successful, so there's something that I am missing, currently I have:
refresh_token := "some_refresh_token"
var conf = oauth2.Config{
ClientID:MY_CLIENT,
ClientSecret:MY_CLIENT_SECRET,
Scopes:[]string{"refresh_token"},
RedirectURL:"https://mydomain/callback",
Endpoint: oauth2.Endpoint{
AuthURL:"myoauth2Cluster.com/oauth2/auth",
TokenURL: "myoauth2Cluster.com/oauth2/token",
},
}
t := new (oauth2.Token)
t.RefreshToken=refresh_token
myclient := conf.Client(context.Background(),t)
req, err := http.NewRequest("GET",DontKnowWhichURLhere , nil)
if err != nil {
fmt.Println("error:",err.Error())
}
mrr, er := myclient.Do(req)
if(er!=nil){
fmt.Println(er.Error())
}else{
fmt.Println("status code:",mrr.StatusCode)
}
But I am getting a 404 status, I checked the logs of the Oauth2 server and there I have
msg="completed handling request" measure#https://myOauth2Cluster.latency=100648 method=GET remote=xxx.xxx.xx.xxx request="/" status=404 text_status="Not Found" took=100.648µs
Also, I am not really sure which URL should I stablish when I create the http.NewRequest should it be a callback? or the url of the Oauth2 Server?
If there's some example of how to renew the access token using this library would be nice, but at the moment I haven't found it
Normally you just use your old token and it is refreshed by the oauth2 library implicitly.
Example:
In the code below conf is *oauth2.Config.
Say I'm exchanging the code for the token (first-time auth):
token, err := conf.Exchange(ctx, code)
if err != nil {
log.Fatalln(err)
}
SaveToken(token)
Now I have my token and I can use it to make requests.
Later, before I use my token, I let oauth2 automatically refresh it if need:
tokenSource := conf.TokenSource(context.TODO(), token)
newToken, err := tokenSource.Token()
if err != nil {
log.Fatalln(err)
}
if newToken.AccessToken != token.AccessToken {
SaveToken(newToken)
log.Println("Saved new token:", newToken.AccessToken)
}
client := oauth2.NewClient(context.TODO(), tokenSource)
resp, err := client.Get(url)
Related
I created this method, which essentially does what I need:
clientId := os.Getenv("CLIENT_ID")
tenantId := "common"
scopes := []string{"calendars.read", "calendars.readwrite"} // todo add offline_access
credential, err := azidentity.NewDeviceCodeCredential(&azidentity.DeviceCodeCredentialOptions{
ClientID: clientId,
TenantID: tenantId,
UserPrompt: func(ctx context.Context, message azidentity.DeviceCodeMessage) error {
fmt.Println(message.Message)
return nil
},
})
if err != nil {
log.Print(err)
return
}
authProvider, err := auth.NewAzureIdentityAuthenticationProviderWithScopes(credential, scopes)
if err != nil {
log.Print(err)
return
}
adapter, err := msgraphsdk.NewGraphRequestAdapter(authProvider)
if err != nil {
log.Print(err)
return
}
result, err := msgraphsdk.NewGraphServiceClient(adapter).Me().Calendar().Events().Get(context.Background(), nil)
if err != nil {
log.Print(err)
}
for _, event := range result.GetValue() {
log.Print(*event.GetICalUId())
log.Print(*event.GetSubject())
}
However, this one will print out https://microsoft.com/devicelogin and the code to authenticate interactively. I have the access token and refresh token from another resource. I would need to inject either access token or refresh token into something, to replace the logic that results in interactivity. I need that for a back-end service that handles calendar synchronization. What do I need to do? Do you have some pointers? I am using Golang and I am breaking my head for the last few days (nothing I tried worked). Please, help.
I went through all tutorials on Microsoft Graph for Go that I could find. I read tons of documentation. I suspect that publicClientApp, err := public.New("client_id", public.WithAuthority("https://login.microsoftonline.com/common")) and publicClientApp.AcquireTokenSilent(context.Background(), []string{"calendars.read", "calendars.readwrite"}, ...) could be the answer, but I cannot make it work. I have a working solution with curl, but I need to use Go SDK.
Im using next.js auth0 and a custom golang api backend and I'm
having trouble getting the decoded token on the backend side.
On the frontend side I followed this tutorial -
https://auth0.com/docs/quickstart/webapp/nextjs/01-login
and I managed to send the accessToken to my backend API successfully
on the backend side I followed this tutorial -
https://auth0.com/docs/quickstart/backend/golang/01-authorization
The middleware has successfully verified the token
Example middleware from auth0 implementation
func EnsureValidToken(next http.Handler) http.Handler {
// EnsureValidToken is a middleware that will check the validity of our JWT.
err := godotenv.Load()
if err != nil {
log.Fatal("Error loading .env file")
}
issuerURL, err := url.Parse("https://" + os.Getenv("AUTH0_DOMAIN") + "/")
if err != nil {
log.Fatalf("Failed to parse the issuer url: %v", err)
}
provider := jwks.NewCachingProvider(issuerURL, 5*time.Minute)
jwtValidator, err := validator.New(
provider.KeyFunc,
validator.RS256,
issuerURL.String(),
[]string{os.Getenv("AUTH0_AUDIENCE")},
validator.WithCustomClaims(
func() validator.CustomClaims {
return &CustomClaims{}
},
),
validator.WithAllowedClockSkew(time.Minute),
)
if err != nil {
log.Fatalf("Failed to set up the jwt validator")
}
errorHandler := func(w http.ResponseWriter, r *http.Request, err error) {
log.Printf("Encountered error while validating JWT: %v", err)
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusUnauthorized)
w.Write([]byte(`{"message":"Failed to validate JWT."}`))
}
middleware := jwtmiddleware.New(
jwtValidator.ValidateToken,
jwtmiddleware.WithErrorHandler(errorHandler),
)
return middleware.CheckJWT(next)
}
Example token
I'm using https://docs.gofiber.io/ to handle the HTTP methods
Main function
func main() {
// This is to translate the net/http -> fiber http
var ensureValidToken = adaptor.HTTPMiddleware(EnsureValidToken)
app := fiber.New()
app.Use(cors.New())
app.Use(logger.New())
// routes
app.Use(ensureValidToken)
app.Get("/api/books", getAll)
app.Listen(":8080")
}
func getAll(c *fiber.Ctx) error {
token := c.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims)
// The above code will always panic, I'm assuming that it already stored in the context since it passes the validation
}
Panic example
panic: interface conversion: interface {} is nil, not
*validator.ValidatedClaims
I dig deeper into the auth0 golang implementation, it does store in the context, I think the translation between http.Request to fiber HTTP failed
r = r.Clone(context.WithValue(r.Context(), ContextKey{}, validToken))
Seems like more people have faced the same issue when they used the gofiber adaptor. The way others have solved it was to create their own implementation of HTTPMiddleware middleware adaptor with the only change being that they set the context to the fiber.Ctx.
You can find an the thread on the gofiber/adaptor github page here: https://github.com/gofiber/adaptor/issues/27#issuecomment-1120428400
I got the same panic in the gin framework, I resolved the panic error by changing the code snippet to c.Request.Context().Value() but this is not available in fiber framework. If you want the decoded jwt token either you can get it from the header of the fiber context and decode it appropriately inside the controller, and pass the token you get from the header to the below function and decode.
import (
extract "github.com/golang-jwt/jwt"
"fmt"
)
func Extractor(tokenString string) {
token, _, err := new(extract.Parser).ParseUnverified(tokenString, extract.MapClaims{})
if err != nil {
fmt.Printf("Error %s", err)
}
if claims, ok := token.Claims.(extract.MapClaims); ok {
// obtains claims
subId := fmt.Sprint(claims["sub"])
fmt.Println(subId)
}
}
Implement your logic after this and pass the values you needed to the next handler.
I'm using a service account on google cloud. For some reason, I want to get the access token programmatically in golang. I can do gcloud auth application-default print-access-token on the command line.
There is a library by google that seems to allow me to get the token. Here is how I try to use it:
credentials, err := auth.FindDefaultCredentials(ctx)
if err == nil {
glog.Infof("found default credentials. %v", credentials)
token, err2 := credentials.TokenSource.Token()
fmt.Printf("token: %v, err: %v", token, err2)
if err2 != nil {
return nil, err2
}
However, I get an error saying token: <nil>, err: oauth2: cannot fetch token: 400 Bad Request.
I already have GOOGLE_APPLICATION_CREDENTIALS env variable defined and pointing to the json file.
Running your code as-is, returns an err:
Invalid OAuth scope or ID token audience provided
I added the catch-all Cloud Platform writable scope from Google's OAuth scopes:
https://www.googleapis.com/auth/cloud-platform
Doing so, appears to work. See below:
package main
import (
"context"
"log"
"golang.org/x/oauth2"
auth "golang.org/x/oauth2/google"
)
func main() {
var token *oauth2.Token
ctx := context.Background()
scopes := []string{
"https://www.googleapis.com/auth/cloud-platform",
}
credentials, err := auth.FindDefaultCredentials(ctx, scopes...)
if err == nil {
log.Printf("found default credentials. %v", credentials)
token, err = credentials.TokenSource.Token()
log.Printf("token: %v, err: %v", token, err)
if err != nil {
log.Print(err)
}
}
}
I had some challenges using this library recently (to access Cloud Run services which require a JWT audience). On a friend's recommendation, I used google.golang.org/api/idtoken instead. The API is very similar.
I am trying to send an email with Gmail API. But I get this error
googleapi: Error 403: Request had insufficient authentication scopes.
More details:
Reason: insufficientPermissions, Message: Insufficient Permission
I think it might bee related to config, I also followed google's quickstart for Go
here is the getClient func:
func getClient(config *oauth2.Config) *http.Client {
// The file token.json stores the user's access and refresh tokens, and is
// created automatically when the authorization flow completes for the first
// time.
tokFile := "token.json"
tok, err := tokenFromFile(tokFile)
if err != nil {
tok = getTokenFromWeb(config)
saveToken(tokFile, tok)
}
return config.Client(context.Background(), tok)
}
here is the code send:
case "pass":
templateData := struct {
VerPass string
}{
VerPass: cont1,
}
emailBody, err := parseTemplate("ver.html", templateData)
if err != nil {
fmt.Println("Parse Err")
return false, err
}
var message gmail.Message
emailTo := "To: " + to + "\r\n"
subject := "Subject: " + sub + "\n"
mime := "MIME-version: 1.0;\nContent-Type: text/html; charset=\"UTF-8\";\n\n"
msg := []byte(emailTo + subject + mime + "\n" + emailBody)
message.Raw = base64.URLEncoding.EncodeToString(msg)
// Send the message
fmt.Println("OOOOOYYYYY")
//here is the problem
b, err := ioutil.ReadFile("credentials.json")
if err != nil {
log.Fatalf("Unable to read client secret file: %v", err)
}
// If modifying these scopes, delete your previously saved token.json.
config, err := google.ConfigFromJSON(b, gmail.MailGoogleComScope)
if err != nil {
log.Fatalf("Unable to parse client secret file to config: %v", err)
}
client := getClient(config)
srv, err := gmail.New(client)
if err != nil {
log.Fatalf("Unable to retrieve Gmail client: %v", err)
}
//GmailService
res, err := srv.Users.Messages.Send("me", &message).Do() // change me
if err != nil {
fmt.Println("Res Err")
fmt.Println(err)
return false, err
}
fmt.Println(res)
I tried for config, err := google.ConfigFromJSON(b, gmail.MailGoogleComScope), I tried using GmailReadonlyScope and gmail.GmailSendScope, but I got the same error.
Request had insufficient authentication scopes.
Means that the user who has authorized your application to access their data has not granted your application enough permissions in order to do what you are trying to do.
You apear to be using the user.message.send method. If you check the documentation you will find that that method requires that the user be authorized with one of the following scopes.
If you did follow Googles quick start for go then you used gmail.GmailReadonlyScope as a scope which will only give you read only access.
However your code now apears to contain the mail.MailGoogleComScope scope which should work however i am guessing you neglected to reauthorize the application. And didn't see the comment in the tutorial
// If modifying these scopes, delete your previously saved token.json.
I suggest you deleted token.json and then the application will require that you authorize it again and your code should work with the elevated permissions.
I am trying to connect to IBM Watson's speech to text WebSocket with a new account, that has IAM authorization only.
My WS endpoint is wss://stream-fra.watsonplatform.net/text-to-speech/api/v1/recognize and I get an access token via https://iam.bluemix.net/identity/token. Now when I open the socket connection with Authorization header with value Bearer token I get a bad handshake response: websocket: bad handshake, Unauthorized 401. Language is Go.
Am I doing something wrong or it is not possible to connect to Watson's speech to text WebSocket without username/password authentication i.e. the deprecated watson-token?
EDIT:
Code to open WebSocket:
headers := http.Header{}
headers.Set("Authorization", "Bearer " + access_token)
conn, resp, err := websocket.DefaultDialer.Dial("wss://stream-fra.watsonplatform.net/text-to-speech/api/v1/recognize", headers)
I have also tried basic authorization with apikey:**api_key** and the result is the same: 401.
EDIT 2:
Code to get the access token (based on the Watson Swift and Python SDKs) which succeeds and returns access and refresh tokens:
func getWatsonToken(apiKey string) (string, error) {
// Base on the Watson Swift and Python SDKs
// https://github.com/watson-developer-cloud/restkit/blob/master/Sources/RestKit/Authentication.swift
// https://github.com/watson-developer-cloud/python-sdk/blob/master/watson_developer_cloud/iam_token_manager.py
const tokenUrl = "https://iam.bluemix.net/identity/token"
form := url.Values{}
form.Set("grant_type", "urn:ibm:params:oauth:grant-type:apikey")
form.Set("apikey", apiKey)
form.Set("response_type", "cloud_iam")
// Token from simple "http.PostForm" does not work either
//resp, err := http.PostForm(tokenUrl, form)
req, err := http.NewRequest(http.MethodPost, tokenUrl, nil)
if err != nil {
log.Printf("could not create HTTP request to get Watson token: %+v", err)
return "", nil
}
header := http.Header{}
header.Set("Content-Type", "application/x-www-form-urlencoded")
header.Set("Accept", "application/json")
// "Yng6Yng=" is "bx:bx"
header.Set("Authorization", "Basic Yng6Yng=")
req.Header = header
req.Body = ioutil.NopCloser(bytes.NewReader([]byte(form.Encode())))
resp, err := http.DefaultClient.Do(req)
if err != nil {
log.Printf("problem executing HTTP request to get Watson token: %+v", err)
return "", err
}
defer resp.Body.Close()
if resp.StatusCode != 200 {
return "", errors.New(fmt.Sprintf("failed to get Watson token: %d", resp.StatusCode))
}
jsonBody, err := ioutil.ReadAll(resp.Body)
if err != nil {
log.Printf("problem reading Watson token from response body: %+v", err)
}
tokenResponse := &struct {
AccessToken string `json:"access_token"`
RefreshToken string `json:"refresh_token"`
TokenType string `json:"token_type"`
ExpiresIn int64 `json:"expires_in"`
Expiration int64 `json:"expiration"`
}{}
err = json.Unmarshal(jsonBody, tokenResponse)
if err != nil {
log.Printf("could not parse Watson token response: %+v", err)
return "", err
}
return tokenResponse.AccessToken, err
}
I made an error in the endpoint and used the text-to-speech instead of the speech-to-text. With the correct URL the WebSocket API works.
wss://stream-fra.watsonplatform.net/text-to-speech/api/v1/recognize should be wss://stream-fra.watsonplatform.net/speech-to-text/api/v1/recognize