I'm integrating Asana OAuth2 using https://packagist.org/packages/ajimix/asana-api-php-class
When I set up my app on Asana and use an internal url, such as https://intranet, my redirect always fails with
invalid_request: The `redirect_uri` parameter does not match a valid url for the application
However, when I use any public url such as https://www.domainname.com it works. I can then append the code parameter to my internal page.
Is there any way to use an internal url, ie. one that is not on public DNS?
I'm a Developer Advocate for Asana. Intuitively, I didn't think you should be having any difficulty accessing the redirect simply because it's a redirect - we don't try to access the URL at all, but rather tell your browser to redirect to that URL containing the authorization to access Asana. If your browser can go to that url when you browse, your browser can go to that url when instructed to with a redirect, right? So I looked into it just in case.
That particular error code is sent back when we compare the redirect url you provide for your OAuth app to the one that you registered when you generated the app - i.e. your credentials are compared to a whitelist of locations (of length 1, but what's a single whitelist? A whitevalue?) that is OK to redirect to. If your URL is not that value when you try to auth, we return that error, and it doesn't look like that particular error is involved in deeper error checking (we don't try to ping your redirect location).
I think what may be happening here is that you've registered your OAuth app on Asana as redirecting to a particular URL, and when you're pinging the https://app.asana.com/-/oauth_authorize endpoint, you're passing a different URL in the redirect_uri param. Since it doesn't match the one for which you registered your app, we send back that error. (This is what we mean when we say "The URI to redirect to on success or error. This must match the Redirect URL specified in the application settings." when describing the OAuth workflow here.
If this is the case, you can either change the redirect URL for your app, or register a new OAuth app that uses the intranet URL and use that credential to authorize with Asana.
I hope this is the root cause, but if that doesn't seem to be the case (if the URL registered with Asana and you are indeed passing the same one while trying to authorize) be sure to let us know and I'll dive deeper!
-Matt
Related
I have done some research and got a specific problem with facebook login SDK. I use the PHP SDK.
So, as from march 2018 all facebook developers will be seing "Use Strict Mode for Redirect URIs" turned on (and cannot turn it off).
My website was working fine before the latesr API update. The basic login logic was this:
Users go to https://my-website.com/take.php?someGetParam=here-goes-the-parameter.
If there is no facebook user logged in, the current user will be redirected to the facebook login dialog, will check the permissions and on success the user will be redirected back to the URL above, and then will be redirected to another page.
As from now, with the newest changes, in order for the login flow with this GET Parameters to work, I have to manually insert them in the "Valid OAuth redirect URIs" field in the facebook developers dashboard of my API like this:
https://my-website.com/take.php?someGetParam=parameter-1
https://my-website.com/take.php?someGetParam=parameter-2
https://my-website.com/take.php?someGetParam=parameter-3
and so on...
otherwise I get the error:The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings.
Is there a way not to include manually this URLs (because there are many) but to insert only one and get the login flow to work.
PS: I am trying to insert:
https://my-website.com/take.phpOR
https://my-website.com/take.php?someGetParam=
but no effect
You can add any value that you want in the state parameter. The most frequent usage for this parameter is to prevent CSRF, but you can pass anything you would want to be sent back, even an encoded JSON.
This parameter will be returned to you and is exempted on the strict URL matching.
This is documented in Invoking the Login Dialog and Setting the Redirect URL
state. A string value created by your app to maintain state between the request and callback. This parameter should be used for preventing Cross-site Request Forgery and will be passed back to you, unchanged, in your redirect URI.
I encountered a similar situation, I manged to solve it by setting the Valid "OAuth redirect URIs" as follows:
https://localhost/FacebookLogin/fb-callback.php?client_id=<insert_your_app_id_her>&return_scopes=true
Please note the following
Insert you facebook app id in the place holder in the sample url
above.
Make sure you use the latest version of the SDK which is 5.6.2
I want to use the Reddit REST API for PHP. I have downloaded all necessary files and have used my id and secret however I have no idea what to have as the redirect uri. Every time I try to execute the code, it goes to the reddit site and says it's an invalid redirect_uri.
What can I use as a redirect uri?
The redirect URI is where the user is sent after they've granted OAuth access to your application. There's more information about this in the reddit OAuth docs.
I'm working on an application that is loaded inside iframe within other web page. When user launches application I got request to my app like this one:
www.mypage.com/?user=1234
Then my app redirects user to
https://login.host.com/oauth2?response=code&client_id=my_app_id&scope=&
redirect_url=www.mypage.com/?index/loadApp
Given user id is used to check if there is already token in DB, if not - received code is used to receive new access token.
Question is following:
How do I prevent calls that aren't going from i-frame on www.host.com? Request "www.mypage.com/?user=1234" can be seen in firebug console, so, if someone manually enters this url in browser, he can launch app for random user. Whats more, if there will be found such token in DB, person will see this random user data!
I use request signing for all my requests. But I dont know what to do with this first request (www.mypage.com/?user=1234).
Whats is the best practice in such cases?
Thanks!
Your problem is, in essence, that your site isn't using any authentication for that first request! You need to come up with some scheme for the other web page to sign the request, and verify that signature before performing the redirect.
(Additionally, make sure that the URL that's being redirected to performs appropriate authentication as well...)
I'm making a script that gets my latest played song from Spotify. I seem to need authentication. I've registerd my app and am making a curl to Spotify
https://accounts.spotify.com/authorize?client_id=MYCLIENTID&response_type=code&scope=playlist-read-private&show_dialog=true&redirect_uri=http%3A%2F%2Fwww.stevenliemberg.nl%2Fspotify%2F%3Faction%3DrequestAcces
I do get a login screen, but when I try to login with Facebook I get a generic text saying 'the developer has done something wrong' that ends up in a recursive loop. Once you click ok, the error comes back.
When I try to login via the form with my userID (I can't use email addresses to log on, as I get an error on typing #) it says something's "gone wrong".
The return uri is registered to my app. Does anyone have an idea what's going on? Is it my account or my code?
I'm not sure why you are curling the authorize endpoint, it's meant for your application to direct your users there.
I assume that your web server on http://www.stevenliemberg.nl has an endpoint at /spotify/, handling the query parameter action=requestAcces. (typo?) I also assume that this exact redirect URI is registered for your client ID in https://developer.spotify.com/my-applications/. It's of course important that you don't direct them back at the authorization URL after this, as that would create a redirection loop.
It's correct that if you don't use Facebook to log in, you only provide a username. If you originally registered through Facebook, I believe you can find your username by going to https://www.spotify.com/us/account/overview/.
There is a requirement in an application in which we use only URL to access information on twitter. We cannot use twitter API for that. I have a reference URL : https://dev.twitter.com/docs/api/1/get/direct_messages/sent but it is not working as it needs authentication.
Is there some other way to access it using URL only? I want to list all Direct messages of an account on twitter in my application.
If it requires Authentication then the only way you'll be able to "get" it using GET is to authenticate the user. Otherwise you'll see an error code in the response. Recent changes were made in the applications permission model for Direct Messages.
Lean More Here
Your going to need some code besides a URL to send, receive and validate authentication tokens.