I have a problem setting up simple single sign on with Azure AD for our pHp website. The app is registered in azure and I have all the necessary details like Client ID, secret, tenant.
My requirement is to get authorized and also pull back the user's employee id, name and email id. I am working on single sign on for the first time, and need some help on this.
While creating the authorization URL, I am requesting for code, which is right according to the Azure documentation. I am successfully able to retrieve the code after authorization. However, I am not able to request id_token along with code as response_type=code+id_token, which should be possible. I could trace the URL flow and extract the id_token field manually. If I do this, I am prompted with the logon and MFA. But the response goes into infinite loop by just prompting with infinite number of MFA pings on my phone. This is weird, my program has a check to redirect on code response, which doesn't seem to work. I have tried using session_id cookie too, which has the same behavior.
If I just choose code as response type and request for id_token using token granting URL, I don't get any response back. Its blank or null but no errors.
Can you please help suggest if I am making a mistake. Is my method right or wrong to request code first and token next. How can I successfully retrieve id_token.
Just summary the comment into reply to help others who have the same problem.
response_mode: Specifies the method that should be used to send the resulting authorization code back to your app. Can be form_post or fragment. For web applications, we recommend using response_mode=form_post, to ensure the most secure transfer of tokens to your application.
If you want to use code + id_token in the response_type,you should be using OIDC Hybrid Flow.
However, if you just use code in the response_type, you should be using Authorization Code flow.
For more details, you could refer to this SO thread.
Related
I am using Moodle core REST API and I am following this Stackoverflow answer for my login request. login end-point is working successfully.
API Request
$ curl -d username="fmcorz" -d password="$PASSWORD" 'https://moodle.org/login/token.php?service=moodle_mobile_app'
Response
{
"token":"SNIPTOKEN",
"privatetoken":"SNIPPRIVATE"
}
I am using token to get User ID and other stuff. But I want to know what is the main purpose of privatetoken?
according to my understanding this will use if moodle installation is on Https and "token" will we used when we use http but not sure as I have only http based server
please help to understand this so I can choose best available token to implement Moodle REST API.
thanks.
According to the token docs, privatetoken is only sent when the token is first created and should be saved by the client. The source says it's only sent when the connection is https and the user is not an admin. So I assume it's an edge thing as it should be returned only in very special circumstances. It sounds like it's the Random all-time valid token which can only be sent over https and not for an admin user.
I made a oauth2 server, and now I want to make c client using symfony2 to connect to it (when I click login, I'm redirected on the site with oauth2 server, I login, then I'm redirected to my client with the token).
I followed this: http://symfony.com/doc/current/cookbook/security/api_key_authentication.html
The problem is whem they retrieve the apikey. If I decide to use implicit grant with oauth2, the token is sent like that: example.com/#token
So I can't retrieve it with query->get.
If I send the code it's fine, but when I tried to curl my server somehow it broke (yeah, not specific error, still looking into it)
So I was wondering, is this the proper way of doing it?
Also, when they write about he specific url, why would I need one, if I can check everywhere?
Thanks :)
you can get your token like this in php :
For known url if you have your url with the hash, this part after # is called fragment.
$url=parse_url($yoururl);
echo $url["fragment"];
if you don't have this url in your backend, you need some javascript magic :
var token = window.location.hash;
then send it to your backend.
Maybe there is some other more symfonyc way to do this properly, but i never used oauth2 yet.. :D
How can I "link" a person's youtube account to an account on my website? I am trying to get Analytics from videos, how much money they have made, etc. I know i am supposed to be using the YouTube Analytics API, but I see tons of different documentation and it gets SO confusing. Are there any PHP libraries I can use to get this data and to link the user's account to my web application? I am also confused on where I get an OAuth Key.
Here are some sites i have looked at:
1) Site One
2) Site Two
On site two, I looked at the examples, but nothing really helped me understand even how to start.
A lot of the relevant info you'll need can be found in this document:
https://developers.google.com/youtube/analytics/authentication
Basically, it outlines the following 4 steps:
1) Register your web app in the Google Cloud Console
This is needed so you can get a client secret and client ID, which your server-side PHP code will need in order to do the oAuth flow (and get the right scope to be able to query analytics data for the user that's authenticating). See here for more info on how to do this:
https://developers.google.com/youtube/analytics/registering_an_application
The most important things to do as your register your app are to turn on the YouTube Analytics API and create a new client ID for your web application.
2) When a user visits your page, you'll need some way (i.e. a login button, for example) to trigger the start of the oAuth flow. When this is triggered, you'll want to redirect the browser to this URL:
https://accounts.google.com/o/oauth2/auth?client_id=[YOUR CLIENT ID]&redirect_uri=[THE URL YOU WANT THE USER TO BE DIRECTED TO AFTER AUTHENTICATION]&scope=https://www.googleapis.com/auth/yt-analytics.readonly&response_type=code&access_type=offline
This will present them with a window asking them if they want to give permission to your app to read their analytics. Note that the client id parameter is the same that you received when you registered your app in step 1. That registration process also will require you to set the allowed redirect URIs, so here you must pass one you set in the registration.
3) The redirect URL will be requested, from step two, by Google's servers with a "code" parameter attched. So when it is requested, it should immediately do a POST to another URL (i.e. with cURL or something similar), that looks like this:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
code=[CODE THAT CAME IN AS A GET PARAMETER] &client_id=[YOUR CLIENT ID]&client_secret=[YOUR CLIENT SECRET]&redirect_uri=[THE REGISTERED REDIRECT URI]&grant_type=authorization_code
If you do it as a POST with cURL, then the response will be a JSON packet that has an access token and a refresh token.
4) Your php page can store these both (in your DB, for example), note that the user should be treated as logged in at this point, and you can use the access token in the header of all API requests send to the analytics API.
https://developers.google.com/youtube/analytics/authentication#OAuth2_Calling_a_Google_API
IT'll expire in an hour, so with each request you should be checking its age (i.e. when you stored it in the DB, you could store the expiry time, for example), and when you're getting close you can use the refresh token to get a new access token.
https://developers.google.com/youtube/analytics/authentication#OAuth2_Refreshing_a_Token
You can now redirect them to wherever your app needs them to be to start interfacing with the API.
Seems like a lot? It can be, but once you get the paradigm down it's pretty simple. And you asked about a client for PHP, and thankfully there is one:
https://github.com/google/google-api-php-client
It's got simple handlers for the whole oAuth2 flow, and also has a YouTube analytics service object that sets the access token automatically for you as it's making its various calls.
Today, after we migrated to the new members permissions api, everything goes wrong.
Im using the cosumer key and secret that i've got from the linkedin api dashboard itself with the oauth token and secret as well.
There is 3 kind of problems that keeps on coming:
first one:
{"errorCode": 0,"message": "Could not find person based on: ~","requestId": "7GPT96SW3C","status": 404,"timestamp": 1369827647671}
second:
<error><status>401</status><timestamp>1369826490661</timestamp><request-id>ZYWPUD43G3</request-id><error-code>0</error-code><message>[unauthorized]. The token used in the OAuth request is not valid. ******</message></error>
third:
com.linkedin.anet.auth.pub.ANetAuthException: other: anetID=*****
has anyone got some of these too? if yes, so how did you solved them?
thanks!
Once you have authenticated the user, you no longer need to make the access token calls - simply store the access token and reuse that for the subsequent requests.
Check are you sending a request once or twice for authentication, there may be the case your token getting replaced by another request.
I've gotten the "401<" and fixed it by correcting the URL which I was formatting incorrectly and consequently requesting a resource that did not exists (reported as unauthorized). You probably have the same issue with your 404 error. Can you please post the specific URLs you are using. That would give a little more insight. Also, make sure that you are not passing params via GET when you should be passing them via POST and that all your POST requests are via HTTPS
Hope this doesn't get too complicated. :) thing is..
I'm trying to make my PHP code post notes to Google Buzz using OAuth as authentication mechanism. I'm doing the typical "OAuth dance" (get request token, authorise it, exchange for access token), but i've ran into some problems that seem to be on Google's side. Hope i'm wrong - it would be much easier to fix. :)
To get to the point - oauth_callback parameter doesn't seem to get passed to the authorization form. Authorization URI i'm redirecting to is like:
https://www.google.com/buzz/api/auth/OAuthAuthorizeToken
?domain=<my.domain>
&scope=<urlencode(https://www.googleapis.com/auth/buzz)>
&oauth_token=<request_token>
&oauth_callback=<my.domain/callback>
When redirected, client is asked to authorize site to read/write from/to Buzz. If accepted, Google asks again (but in different form) to allow access to .. after allowing for second time, success message is shown, but it doesn't return any tokens to my site, not redirecting to oauth_callback uri.
Workaround i found is to manually add form field 'oauth_callback=' trough firebug/chrome inspector, and then, after these two confirmations it redirects to my site and i can extract authorized token from response, and exchange it for access token. If i use 'standard' Google's authorization endpoint, i get redirected correctly (one confirmation only), but then the access token i get after that is invalid for Buzz.
So, am i wrong or google?! :D I've implemented OAuth for cooperation with some other services (Facebook, MySpace..) but i've never had this much trouble.
ok, when i got on the problem next morning, with (partially) fresh eyes, solution was pretty easy (but still undocumented).. :) in case anybody else needs answer - oauth_callback parameter should be specified when requesting request token.