They are saying like:
After the user has logged in and given their permission, the Envato
API will redirect them back to your application on the Confirmation
URL provided, with a single-use authentication code provided in the
query string (eg. http://your.app/callback?code=abc123...). You must
use this code to request an access token from the API, by sending the
following POST request from your server (encoded as
application/x-www-form-urlencoded), replacing [CODE] with the code
you've just received, [CLIENT_SECRET] with your secret application
key, and the other fields as necessary:
POST https://api.envato.com/token
grant_type=authorization_code&
code=[CODE]&
client_id=[CLIENT_ID]&
client_secret=[CLIENT_SECRET]
I am able to get the code by $_GET('code'); how make a post request to above url?
You'd probably want to use curl or a similar library. Here's a quick tutorial about curl that includes a post: http://codular.com/curl-with-php. It even mentions oauth, which sounds like what you're doing.
Related
I'm actually working on twitter api and get some difficulties.
My GET request are working fine (With Oauth1 so I correctly generate signature, nonce and all the others required stuff by twitter api.
But when I try a POST request I got the code 32 error message "Could no authenticate you".
I changed my options to the following :
Options list for cUrl
and the content-type is "application/x-www-form-urlencoded".
So do you have any idea of what the problem could be ?
My authorization string look like that :
Authorization: OAuth oauth_consumer_key=CONSUMER_KEY,
oauth_nonce=2005939658,
oauth_signature=0J5GFS0a0%2FClDvslG%2FWrhTYNbeQ%3D,
oauth_signature_method=HMAC-SHA1, oauth_timestamp=NOW(),
oauth_token=OAUTH_TOKEN,
oauth_version=1.0
My problem is similor to
Authentication no longer works after GET to POST change
(same code used) and
Twitter API Issue: OAuth Request Token using GET works, POST fails
Ask me if you need any extra informations, thanks
EDIT :
The solution was the following : The text (status message) sending to build the signature and the text used in cUrl request was not the same
(thanks to #CBroe)
I have a problem setting up simple single sign on with Azure AD for our pHp website. The app is registered in azure and I have all the necessary details like Client ID, secret, tenant.
My requirement is to get authorized and also pull back the user's employee id, name and email id. I am working on single sign on for the first time, and need some help on this.
While creating the authorization URL, I am requesting for code, which is right according to the Azure documentation. I am successfully able to retrieve the code after authorization. However, I am not able to request id_token along with code as response_type=code+id_token, which should be possible. I could trace the URL flow and extract the id_token field manually. If I do this, I am prompted with the logon and MFA. But the response goes into infinite loop by just prompting with infinite number of MFA pings on my phone. This is weird, my program has a check to redirect on code response, which doesn't seem to work. I have tried using session_id cookie too, which has the same behavior.
If I just choose code as response type and request for id_token using token granting URL, I don't get any response back. Its blank or null but no errors.
Can you please help suggest if I am making a mistake. Is my method right or wrong to request code first and token next. How can I successfully retrieve id_token.
Just summary the comment into reply to help others who have the same problem.
response_mode: Specifies the method that should be used to send the resulting authorization code back to your app. Can be form_post or fragment. For web applications, we recommend using response_mode=form_post, to ensure the most secure transfer of tokens to your application.
If you want to use code + id_token in the response_type,you should be using OIDC Hybrid Flow.
However, if you just use code in the response_type, you should be using Authorization Code flow.
For more details, you could refer to this SO thread.
I'm working with new SAGE API v3.1.
For first steps, I'm testing with Postman according manual for get authorization.
Any problem, with test. When make a call for get New Access Token, postman send request, and SAGE open a modal window for ask my credentials for connect my request to one account.
Well. I try several options with Laravel 5.7, include modifications on Laravel Socialite, but not work. On all tries, get a Internal Server Error and I assume it's because I'm sending the request wrong.
On SAGE manual, I don't see more that Postman example for get access token. Not example for php, curl, ...
For others request I don't problem using Guzzle, but I need get tokern y refreesh token, with Postman. Horrible.
Image show real information for Test account.
On postman console, get some infor, but I lost with this and Internal Server error
Request Headers:
content-type:"application/x-www-form-urlencoded"
user-agent:"PostmanRuntime/7.3.0"
accept:"*/*"
host:"oauth.accounting.sage.com"
accept-encoding:"gzip, deflate"
content-length:274
Request Body:
grant_type:"authorization_code"
code:"ES/e1fd0bc2-1d06-41b6-902a-beb584f24ccf"
redirect_uri:"https://localhost/login/sage/callback"
client_id:"c420127c-76f3-48e5-9c11-77fcba90402d/2c09ea61-249c-4958-96f0-89209f1939e8"
client_secret:"?]#4iVWBhx/)gN;bA2M%"
NOTE: All data es valid for testing.
NOTE2: this is a piece that i don't understand code:"ES/e1fd0bc2-1d06-41b6-902a-beb584f24ccf" What is it? How to generate?
With this data, I try to put link https://www.sageone.com/oauth2/auth/central?grant_type%3Aauthorization_code%26code%3DES%2F37048339-8db2-4168-bfb0-760ef6709b93%26redirect_uri%3Dhttps%3A%2F%2Flocalhost%2Flogin%2Fsage%2Fcallback%26client_id%3Dc420127c-76f3-48e5-9c11-77fcba90402d%2F2c09ea61-249c-4958-96f0-89209f1939e8%26client_secret%3D%3F%5D%404iVWBhx%2F)gN%3BbA2M%25%0A) imitate Postman, but after put my credentials, not return to callback. It instead got to SAGE Account.
Postman sends the get new token request as a GET request, Laravel expects it to be a POST request.
I had to make my own POST OAuth Token request in Postman to get it to work since the Postman new access token feature does not let you change the request method to POST.
From a custom POST request you have to manually copy the response token, Right click edit your collection, go to Authorization tab, Select Type OAuth 2.0 and paste in your oAuth token in the available field.
All requests than need to use the token, make sure in the Authorization tab of each request entry that Inherit auth from parent is selected for the TYPE in order to inherit the token from the collection.
I am using Moodle core REST API and I am following this Stackoverflow answer for my login request. login end-point is working successfully.
API Request
$ curl -d username="fmcorz" -d password="$PASSWORD" 'https://moodle.org/login/token.php?service=moodle_mobile_app'
Response
{
"token":"SNIPTOKEN",
"privatetoken":"SNIPPRIVATE"
}
I am using token to get User ID and other stuff. But I want to know what is the main purpose of privatetoken?
according to my understanding this will use if moodle installation is on Https and "token" will we used when we use http but not sure as I have only http based server
please help to understand this so I can choose best available token to implement Moodle REST API.
thanks.
According to the token docs, privatetoken is only sent when the token is first created and should be saved by the client. The source says it's only sent when the connection is https and the user is not an admin. So I assume it's an edge thing as it should be returned only in very special circumstances. It sounds like it's the Random all-time valid token which can only be sent over https and not for an admin user.
I am trying to setup an automatic way to upload videos to YouTube using the YouTube API. The application needs the videos to be uploaded for some processing by YouTube. Currently, I am setting up the oauth2.0 piece and I am able to redirect the user to login with their information. However, when the user is then redirected back to my site with my specified redirect uri, I need to be able to accept custom fields on the end of the URL. Right now, the web server just redirects the user to the page I want, but strips off all of the information returned by YouTube about authentication. I do not know much PHP at all, but think that it might be the way to solve this problem. Essentially, I want to be able to redirect the user to a page on the website where the extra information is retained so that I can use it. Thanks for your help.
http://ocf.berkeley.edu/~gregory/youtubeTestCode/indexRedirect#access_token=ya29.AHES6ZS8kOZN2T59fKpoUE0t7roUXqTPWDAwTMvrhZ5TjlZO57JZNQ&token_type=Bearer&expires_in=3600
The format of the redirect is http://ocf.berkeley.edu/~gregory/youtubeTestCode/indexRedirect followed by #access_token=ya9232.jdfka7327293&token_type=Bearer&expires_in=3600
However, I have no page with this specific URL..
There are two authentication methods for YouTube - client-side and server-side. (Actually there are more, but I've never used the others).
Documentation is https://developers.google.com/youtube/2.0/developers_guide_protocol_oauth2 but I'l try to paraphrase the bits you need.
"client-side" is what you are using - you basically send the user over the a URL and let google do the work and get the access token back.
"server-side" is what you'll need (as you guessed). To convert, as opposed to sending the user off to a url that ends "&response_type=token", change this bit to "&response_type=code& access_type=offline"
When you get the call back, you have ?code=4/ux5gNj-_mIu4DOD_gNZdjX9EtOFf - hopefully you can read this as it's before the #
You then use a POST to send this code to the Google servers and it sends back the token in JSON. Taken from that page before:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
code=4/ux5gNj-_mIu4DOD_gNZdjX9EtOFf&
client_id=1084945748469-eg34imk572gdhu83gj5p0an9fut6urp5.apps.googleusercontent.com&
client_secret=hDBmMRhz7eJRsM9Z2q1oFBSe&
redirect_uri=http://localhost/oauth2callback&
grant_type=authorization_code
and response is:
{
"access_token" : "ya29.AHES6ZTtm7SuokEB-RGtbBty9IIlNiP9-eNMMQKtXdMP3sfjL1Fc",
"token_type" : "Bearer",
"expires_in" : 3600,
"refresh_token" : "1/HKSmLFXzqP0leUihZp2xUt3-5wkU7Gmu2Os_eBnzw74"
}
So "relatively" simply change, but you need the PHP part to do the POST as it requires your secret key (which you don't want to reveal through Javascript).
I'll leave you to Google on how to:
read parameters in PHP (hint - use $_GET['paramter name'])
send a POST message to Google using CURL.
An alternative is to check out YouTube SDK for PHP - these are pre-written libraries that contain the POST and the GET bits for you. But this uses something called "Zend" which can get complex. https://developers.google.com/youtube/2.0/developers_guide_php