I am trying to integrate Uber with my web app following their oauth guides. I currently have a redirect from my website to my server, where I make a request to https://login.uber.com/oauth/v2/authorize and get a 302. However, I am not ever getting a response back from uber with the access_token and refresh_token.
I have a server running at https://mobilius-app.herokuapp.com and a front-end at http://mobilius-website.herokuapp.com. I am currently sending a request to https://login.uber.com/oauth/v2/authorize with payload of
{
'client_secret' => UBER_CLIENT_SECRET,
'client_id' => UBER_CLIENT_ID,
'grant_type' => 'authorization_code',
'redirect_uri' => `https://mobilius-app.herokuapp.com/api/uber_tokens`,
'code' => [the auth code]
}
https://mobilius-app.herokuapp.com/api/uber_tokens never gets a response from uber with the auth token and refresh token, however. Any help is much appreciated!
First you should double check if you set the correct redirect url in the dashboard.
Second your request to 'https://login.uber.com/oauth/v2/authorize' seems to contain invalid payload. Please follow the steps of the authentication guide. Briefly, you need to:
Send user to authorize url
Receive the redirect with a authorization code
make a POST call to: https://login.uber.com/oauth/v2/token
Store access and refresh token for future use
Related
My SPA is in the same repository as my laravel application and the documentation states that when using sanctum, your SPA's "login" page should first make a request to the /sanctum/csrf-cookie endpoint to initialize CSRF protection for the application.
Link: https://laravel.com/docs/9.x/sanctum#spa-authenticating
In my case, When I register a user successfully I'm not redirecting them to the login page to log in but rather to their dashboard. So, in my understanding going by the point above, I think I should first make a request to the /sanctum/csrf-cookie endpoint as well before making a post request to the register api so that we have a logged-in user that is protected from CSRF attacks but I'm not that sure if I'm interpreting the text correctly.
my method
public function register(Request $request){
$fields = $request->validate([
'name' => 'required',
'email' => 'required|email|unique:users,email',
'password' => 'required|confirmed',
]);
$fields['password'] = bcrypt($fields['password']);
$user = User::create($fields);
auth()->login($user);
}
I investigated this issue further and found that the /sanctum/csrf-cookie endpoint actually only returns a 204 empty content. You can check here:
https://github.com/laravel/sanctum/blob/5a602d520474e103174900301d7b791e6d7cd953/src/Http/Controllers/CsrfCookieController.php#L12
return new JsonResponse(null, 204);
And the comment in the file says:
Return an empty response simply to trigger the storage of the CSRF cookie in the browser.
Actually you can call any GET API endpoint from your SPA and it will return the CSRF cookie. Basically you just need to have called a GET endpoint once before calling any POST endpoint, including the login endpoint, which should be POST.
The reason for this is that sanctum by default returns a CSRF cookie when you call a GET endpoint for SPAs (using same host or same sub-host).
So for most use cases out there you might not need to call the /sanctum/csrf-cookie endpoint before login, because you might have already called a GET endpoint before that. However if the login, or any other POST endpoint is the first one you are calling, you first need to call the above GET endpoint just to trigger the storage of the CSRF cookie in the browser.
The docs are not so clear on this I am trying to submit a PR to clear this up.
I am working on Laravel 7 and for social login I am using Socialite package.
I am following this article for reference and did exactly the same but I am getting
an unauthorized response with a message - "Bad Credentials". I have also tried resetting the secret key.
This is my Github settings
Thanks for the response.
Aside from making sure that your client_id and client_secret are set correctly, you also need to ensure that your redirect value in your config/services.php:
'github' => [
'client_id' => env('GITHUB_CLIENT_ID'),
'client_secret' => env('GITHUB_CLIENT_SECRET'),
'redirect' => 'http://yourapp.test/login/github/callback'
],
Is identical to what you set under your Github app:
I am trying to login with google using socialite , my facebook login works fine so the problem in my google app, any help!!!
'google' => [
'client_id' => 'app-key',
'client_secret' => 'app-secret',
'redirect' => 'http://www.shoptizer.com/callback/google',
],
Also one more point to remember that Socialite also gives uri_mismatch_error even when your redirects are correctly defined in google console but you dynamically changed the redirectUrl through
return Socialite::with('google')->redirectUrl($redirect_url)->redirect();
So plz take care that you should also need to define while receiving the response
Socialite::driver('google')->redirectUrl($redirect_url)->stateless()->user();
where $redirect_url is your custom redirect url.
After google redirects you to correct place, but even then Socialite checks it at its end.
I found this link https://blog.damirmiladinov.com/laravel/laravel-5.2-socialite-google-login.html
From this tutorial:
Occasionally it happens that google require some time to apply client configuration If you get an error message redirect_uri_missmatch wait couple of minutes and it should work normally.
Also change the redirect uri by:
'google' => [
'client_id' => 'app-key',
'client_secret' => 'app-secret',
'redirect' => 'https://www.shoptizer.com/callback/google',
],
If your app is provided by https you must match your http scheme on google api and on your redirect callback.
The problem is in the default url, you must change it on two occasions: before the redirect and before getting the user data.
Do not do this:
return Socialite::driver('google')->redirectUrl($yourredirecturl)->redirect();
Do it:
config()->set('services.google.redirect', $yourredirecturl);
return Socialite::driver('google')->redirect();
And when accessing user data, do this:
config()->set('services.google.redirect', $yourredirecturl);
$user = Socialite::driver('google')->user();
I'm using Laravel Socialite (specifically this) and all of a sudden, I'm getting this when returning to the callback:
Received HTTP status code [401] with message "Invalid request token." when getting token credentials.
It used to work just fine. I've tried:
Deleting my test/dev application in Twitter Dev,
Regenerating my application keys,
Making sure the "Enable OAuth" option is checked,
Enabling the callback lock,
I'm completely stumped, as everything was working, and seems like it should be.
I fixed the same bug.
You will work if you modify and override the following methods.
SocialiteProviders\Manager\OAuth1\Server::getTokenCredentials()
//$response = $client->post($uri, $headers, $bodyParameters)->send();
$response = $client->post($uri, [
'headers' => $headers,
'form_params' => $bodyParameters,
]);
I can authenticate and fetch an access_token and the corresponding refresh_token fine (subsequent API interactions are also fine).
However, I seem to only be able to refresh a token (POST to /oauth/token with grant_type=refresh_token) before the access_token actually expires. After the expiration, the same refresh code (exactly that provided within the docs), returns with an error of invalid_grant.
I am using the soundcloud-ruby SDK, FWIW, but I can reproduce it through curl.
As an aside, I found some old messages from the Google Group mentioning that I can request a non-expiring token, but I do not see this mentioned anywhere in the docs. Is this still a viable option?
That is correct. Refresh tokens cannot be used after an access token expires.
You can request a non-expiring access token by specifying scope=non-expiring when constructing an authorization URL. To do this with the Ruby SDK, simply pass the additional params to the authorize_url method:
require 'soundcloud'
client = Soundcloud.new(
:client_id => 'YOUR_CLIENT_ID',
:client_secret => 'YOUR_CLIENT_SECRET',
:redirect_uri => 'REDIRECT_URI'
)
client.authorize_url(:scope => 'non-expiring')
The rest of the flow should be exactly the same (grab the 'code' parameter from the query string and make a POST request to /oauth2/token).