Hi am trying to call an API from Postman.
The framework used is : Laravel
The website has browser authentication (using .htacess)
And The API has user authentication (Laravel Passport) (user must be logged in)
Now,
I need to call an API and include both the headers, i.e.
I added Basic Auth with username/pwd as browser credentials
Basic Auth : username/pwd
And in Headers I added
Authorization : Bearer oauthtoken
(where oauthtoken is the key retreived from an API call https://servername/auth and Basic Auth : username/pwd)
Now when I send the API call,
The Authorization Header changes to :
Authorization : Basic some_key
And thus I get Unauthorized in response.
Is there some way I can send browser creds and user auth header together?
Your OAuth token retrieved after authentication is not the same as the token attached by Postman for Basic Authentication.
If you wish to use your OAuth token in request I recommend looking at Postman variables and store that token in there.
Here is an article that helped me build my Postman collection using JWT
But some of the script in there is out of date.
I would start by creating an environment (local) in which you add a key to store the token (oauth_token) with value empty.
In the auth endpoint while in Postman you can check the Tests tab in which you can place a script to update the oauth token:
pm.test("Logged in successfully", function () {
var jsonData = pm.response.json();
pm.environment.set('oauth_token', jsonData.token);
});
After this you can add Authorization Bearer with value {{oauth_token}} to an endpoint that is using OAuth token.
If you wish to learn more about Postman variables this is a great post variables
To recap:
Send username and password to the auth endpoint
Store oauth token in Postman variable returned from step 1
Use your new token as Postman variable using {{VARIABLE_NAME}} notation
I would advise to use Guzzle Library
$http = new \GuzzleHttp\Client;
$response = $http->request('POST', 'http://quotible.web3box.com/oauth/token', [
'headers' => [
//you headers here
],
'form_params'=>[
//your browser based parameters here
]
]);
Related
I have an issue with Socialite authentication via Google. I have two separate apps: Laravel and React Native. For react native app I use #react-native-community/google-signin and after getting a token on the client I'm sending it to the Laravel app, where I pass this token into Socialite function: Socialite::driver('google')->userFromToken($token); . I get this error:
Client error: GET https://www.googleapis.com/oauth2/v3/userinfo?prettyPrint=false resulted in a 401 Unauthorized response:
{
"error": "invalid_request",
"error_description": "Invalid Credentials"
}
I've rechecked credentials 4 times and I'm sure they are right. I use the same client id as in react native app. What am I doing wrong?
Note: I am using ID token to authorise instead of auth token.
From my research on a similar issue - It looks like Google one tap doesn't work in the same way as oAuth does.
So, you'd have to fetch a user from the $token manually, using the google/apiclient package.
There's an example in Google docs (it's in the android-section, but these particular snippets refer to back-end part, so it should still do the trick)
composer require google/apiclient
// Get $id_token via HTTPS POST.
$client = new Google_Client(['client_id' => $CLIENT_ID]); // Specify the CLIENT_ID of the app that accesses the backend
$payload = $client->verifyIdToken($id_token);
if ($payload) {
$userid = $payload['sub'];
// If request specified a G Suite domain:
//$domain = $payload['hd'];
} else {
// Invalid ID token
}
You can find more info on this Google Docs Page
I requested authorization for a public application to be able to access store data via the Shopify API.
The store successfully authorized my application via an authorization request URL such as
https://some-store.myshopify.com/admin/oauth/authorize?client_id=123abc&scope=read_inventory%2Cread_products&redirect_uri=http%3A%2F%mysite.com%2Fauth.php&state=123456
and the response was passed back to my application. This response (containing the code that can be exchanged for a permanent access token) was mishandled by my application (an error on the page meant that the access token was not stored).
Everything I read regarding requesting these tokens involves authorization by the store - but given the store has already authorized my application, passed back the code and that code has already successfully been exchanged for a token: is there a way my application can request that same token or a fresh one using my API keys given that the application is already authorized?
The only method I currently can find for requesting a token requires starting back at the beginning and fetching a code for exchange etc.
I working in PHP and using Luke Towers' php shopify wrapper
This stage was completed successfully:
function check_authorization_attempt()
{
$data = $_GET;
$api = new Shopify($data['shop'], [
'api_key' => '123',
'secret' => '456',
]);
$storedAttempt = null;
$attempts = json_decode(file_get_contents('authattempts.json'));
foreach ($attempts as $attempt) {
if ($attempt->shop === $data['shop']) {
$storedAttempt = $attempt;
break;
}
}
return $api->authorizeApplication($storedAttempt->nonce, $data);
}
$response = check_authorization_attempt();
and I would have been able to read the access token from :
$access_token = $response->access_token;
But this was the stage at which my application hit an error in accessing a database in which to write said token.
I cannot repeat it without repeating the auth request because the data in $_GET that's passed to this function comes from Shopify's response to the shop owner authorizing the access, and includes amoung other things the code for exchange.
You have to re-ask for authorization. It is no one's fault but yours that your persistence layer code was incorrect. So there is nothing you can do to change that. Ensure your code works. Since the client has no token in your App persistence layer, your App will retry the authorization token exchange. They do not have to delete your App first. So basically, the next time your client tries to use the App, YES they will asked to approve it, but who cares, they will, and you'll get a good auth token to store. You have fixed your code (right), so that will work. You are one step closer to glory.
Shopify does return the Permanent Access Token, but the ACCESS_MODE must be "Offline" for the token to be permanent.
With ACCESS_MODE offline, your app receives the permanent access token
to make requests whenever you want, without the user's permission.
Documentation:
https://shopify.dev/tutorials/authenticate-with-oauth#step-2-ask-for-permission
https://shopify.dev/concepts/about-apis/authentication#api-access-modes
I am having account in sandbox.coinbase and I have used oauth2 where I have add new app.
It'll provide me :
clientid = 'xxxxxxxx'
clientsecreateid = 'xxxxxxxxxxxxxxxx'
authredirecturl = 'xxxxxxx'
But when I am configure it using below code
$configuration = Configuration::oauth($accessToken);
$client = Client::create($configuration);
I need $accessToken, I go through the document file but I can't find anywhere so any one have idea where to find or how to get accessToken..?
As the documentation states:
This library does not handle the handshake process, and assumes you
have an access token when it's initialized. You can handle the
handshake process using an OAuth2 client such as league/oauth2-client.
So you have to use the oauth2 client first, configure it with the coinbase server (using clientId, clientSecret and redirectUrl that you have) and pass the authorization process (much like "Login with facebook"). At the end of the oauth2 authorization coinbase will send you both access token and refresh token. They are generated on-the-fly.
Alternatively as I can see you can use the apiKey/apiSecret mode. This is essentially like having login/password.
I got a problem with oAuth authentification in magento.
I used following guide to create connection:
http://www.magentocommerce.com/api/rest/authentication/oauth_authentication.html
First of all I granted all privileges for all accounts in magento / System / WebServices / REST ... Also I created oAuth Consumer. I got with it two variables (key and secret).
According the guide (Getting an Unauthorized Request Token) I configured RESTClient for Firefox. Selected oAuth 1.0 option, inserted data from magento and added them to headers.
And now I have something like that:
http://www.mg19.local/oauth/initiate
OAuth oauth_version="1.0",
oauth_signature_method="PLAINTEXT",
oauth_nonce="pzmp8IZuroEP6gf",
oauth_timestamp="1410271763",
oauth_consumer_key="9ad2067e70a4c3b799ab2799203b3e3b",
oauth_signature="a37633084e79432568181ef00410140e%26"
Then if I submit this, I will get following error:
Status Code: 400 Bad Request
oauth_problem=parameter_absent&oauth_parameters_absent=oauth_callback
I don't know the main purpose of the callback link, therefore I used random link. For example: http://www.mg19.local
When i submit
http://www.mg19.local/oauth/initiate/?oauth_callback=http://www.mg19.local
I got following result:
oauth_token=e00fc8386ba523bdd1d79a2fe61d59cb&oauth_token_secret=ca0d999010b2b149e2d51feefc328722&oauth_callback_confirmed=true
According the guide I moved to the 2nd step (User Authorization):
I copied data from the response to request. And forward the link:
http://www.mg19.local/oauth/authorize
I redirected to the following page:
Authorize application
Postman requests access to your account
After authorization application will have access to you account.
Authorize | Reject
And when I select Authorize I'm getting the following error:
An error occurred. Your authorization request is invalid.
Using xDebug I have found that the problem is near:
/**
* Load token object, validate it depending on request type, set access data and save
*
* #return Mage_Oauth_Model_Server
* #throws Mage_Oauth_Exception
*/
protected function _initToken()
{
....
} elseif (self::REQUEST_AUTHORIZE == $this->_requestType) {
if ($this->_token->getAuthorized()) {
$this->_throwException('', self::ERR_TOKEN_USED);
...
I'm not sure, but I think, once autorization finished successfully, then I moved from index to account area page and when authorization start again - it fail and I move on index again.
Please give any advice.
For what I see, the callback URL is the one that is messing up the whole thing. Callback is the most important link in OAuth. The callback should be a valid URL pointing to you site.
Once the user logs in auth server (Magneto in your case) Magneto will do a callback to the Callback URI you provided with the oauth_verifier. Like below:
/callback?oauth_token=tz2kmxyf3lagl3o95xnox9ia15k6mpt3&oauth_verifier=cbwwh03alr5huiz5c76wi4l21zf05eb0
Then your server should all the token API /oauth/token with the all the required Authorization headers below. Pasted from Magneto document link you provided
oauth_consumer_key - the Consumer Key value provided after the registration of the application.
oauth_nonce - a random value, uniquely generated by the application.
oauth_signature_method - name of the signature method used to sign the request. Can have one of the following values: HMAC-SHA1, RSA-SHA1, and PLAINTEXT.
oauth_signature - a generated value (signature).
oauth_timestamp - a positive integer, expressed in the number of seconds since January 1, 1970 00:00:00 GMT.
oauth_token - the oauth_token value (Request Token) received from the previous steps.
oauth_verifier - the verification code that is tied to the Request Token.
oauth_version - OAuth version.
Hope this makes it clear. Please read the sections User Authorization and Getting Access Token sections of the link you pasted.
I'm using Guzzle and had a real hard time with it. In my case it was failing because I was using oauth_callback instead of callback, it worked when I changed it to:
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Subscriber\Oauth\Oauth1;
$stack = HandlerStack::create();
$middleware = new Oauth1([
'consumer_key' => $key,
'consumer_secret' => $secret,
'token' => null,
'token_secret' => null,
'callback' => 'https://callback.co.uk'
]);
$stack->push($middleware);
$client = new Client([
'base_uri' => $magentoCredentials->shopUrl,
'handler' => $stack
]);
$res = $client->post('/oauth/initiate?oauth_callback', ['auth' => 'oauth']);
Having recently finished the process of having created the script that retrieves permissions from a account holder I now find that I have to convert the retrieved access token and token secret (from the GetAccessToken response) to the API signature in order to create a X-PAYPAL-AUTHORIZATION header.
The X-PAYPAL-AUTHORIZATION header contains:
A timestamp
The access token from the GetAccessToken response
A signature generated from the following information:
Your API username
Your API password
The access token from the GetAccessToken response
The token secret from the GetAccessToken response
The endpoint for the PayPal API operation's request, such as https://api.paypal.com/nvp
HTTPS delivery method, such as POST
Request parameters associated with the request
The problem is I can't find how to generate the signature. There are no guides in PHP (JAVA and Ruby).
I did however note the line in the guide I followed (first link) to retrieve the permissions:
PayPal provides SDKs that you can use to generate authentication header signatures for Java, PHP, and .NET. When you use the SDK, you will get two values, such as the following:
But what followed was the JAVA guide and I could not find anything amongth Paypal's SDKs.
Any help would be greatly appreciated!
This documentation actually cuts out the function from their PHP SDK that should do it for you.
private function generateAuthString($apiCred, $accessToken, $tokenSecret, $endpoint)
{
$callerUid = $apiCred->getUserName();
$callerPswd = $apiCred->getPassword();
$auth = new AuthSignature();
$response = $auth->genSign($callerUid,$callerPswd,$accessToken,$tokenSecret,'POST',$endpoint);
$authString =
"token=".$accessToken.
",signature=".$response['oauth_signature'].
",timestamp=".$response['oauth_timestamp'];
return $authString;
}