How can I retrieve the access token? - php

I'm working with the Instagram API.
I registered an application and got my clientId and clientSecret. I didn't disable the implicit OAuth.
For the authentication, I use this URL :
https://instagram.com/oauth/authorize/?client_id=CLIENTID&redirect_uri=URL&response_type=token
Then, it redirects to my URL with the access_token in parameter.
In PHP, how can I retrieve the access token from the first url?
I tried with curl function. But I can obtain the final redirection which is :
URI?access_token=ACCESS_TOKEN

When using the Implicit grant, the Authorization Server (Instagram) will deliver the token on the redirect URI in the fragment part of the URL ("#"). This flow is meant for in-browser JavaScript clients and not for server-side PHP. In fact, the browser will strip off the fragment portion from the URL before calling the server, so the PHP code will never see the access token.
You may use the Authorization Code grant that is meant for web server clients like PHP, so response_type=code.

Related

Asana OAuth internal url

I'm integrating Asana OAuth2 using https://packagist.org/packages/ajimix/asana-api-php-class
When I set up my app on Asana and use an internal url, such as https://intranet, my redirect always fails with
invalid_request: The `redirect_uri` parameter does not match a valid url for the application
However, when I use any public url such as https://www.domainname.com it works. I can then append the code parameter to my internal page.
Is there any way to use an internal url, ie. one that is not on public DNS?
I'm a Developer Advocate for Asana. Intuitively, I didn't think you should be having any difficulty accessing the redirect simply because it's a redirect - we don't try to access the URL at all, but rather tell your browser to redirect to that URL containing the authorization to access Asana. If your browser can go to that url when you browse, your browser can go to that url when instructed to with a redirect, right? So I looked into it just in case.
That particular error code is sent back when we compare the redirect url you provide for your OAuth app to the one that you registered when you generated the app - i.e. your credentials are compared to a whitelist of locations (of length 1, but what's a single whitelist? A whitevalue?) that is OK to redirect to. If your URL is not that value when you try to auth, we return that error, and it doesn't look like that particular error is involved in deeper error checking (we don't try to ping your redirect location).
I think what may be happening here is that you've registered your OAuth app on Asana as redirecting to a particular URL, and when you're pinging the https://app.asana.com/-/oauth_authorize endpoint, you're passing a different URL in the redirect_uri param. Since it doesn't match the one for which you registered your app, we send back that error. (This is what we mean when we say "The URI to redirect to on success or error. This must match the Redirect URL specified in the application settings." when describing the OAuth workflow here.)
If this is the case, you can either change the redirect URL for your app, or register a new OAuth app that uses the intranet URL and use that credential to authorize with Asana.
I hope this is the root cause, but if that doesn't seem to be the case (if the URL registered with Asana and you are indeed passing the same one while trying to authorize) be sure to let us know and I'll dive deeper!
-Matt

Reddit API redirect_uri?

I want to use the Reddit REST API for PHP. I have downloaded all necessary files and have used my id and secret however I have no idea what to have as the redirect uri. Every time I try to execute the code, it goes to the reddit site and says it's an invalid redirect_uri.
What can I use as a redirect uri?
The redirect URI is where the user is sent after they've granted OAuth access to your application. There's more information about this in the reddit OAuth docs.

PHP - Retrieve Access Token - Disable implicit OAuth

I'm using the Instagram Api.
To retrieve the access token, I use the method with the parameter 'code'.
From this code parameter, I can build a URL which will return the access token to me.
Example :
https://instagram.com/oauth/authorize/?client_id=CODE_ID&redirect_uri=my-redirect-url&response_type=code
When I reach this URL through my web browser, after a redirection by Instagram, it returns to a web service I created. Then, my access token is stored.
How can I automate this in PHP?
This example doesn't work:
exec('curl https://instagram.com/oauth/authorize/?client_id=CODE_ID&redirect_uri=my-redirect-url&response_type=code');
How can I handle the redirection by Instagram?
Thanks in advance.
There's no way to automate this since explicit user authentication is required before an authorization code is generated. So you'll have to redirect using PHP:
header('Location: https://instagram.com/oauth/authorize/?client_id=CODE_ID&redirect_uri=my-redirect-url&response_type=code');
have the user authenticate in the browser to Instagram and then grab the code that is delivered to the redirect_uri by Instagram.
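The authorization code flow recommended in the answers above (response_type=code, the user redirected with header('Location: ...'), the code delivered to the redirect_uri), as an added example that is not part of the original posts. TOKEN_URL, the client values, the redirect URI and the use of the standard OAuth 2.0 state parameter are assumptions; the token exchange is passed in as a callable so the demo runs offline against a constructed reply.

```php
<?php
// Added example. AUTHORIZE_URL is the endpoint quoted on this page; TOKEN_URL,
// the client values and the redirect URI are placeholders (assumptions).
const AUTHORIZE_URL = 'https://instagram.com/oauth/authorize/';
const TOKEN_URL     = 'https://provider.example/oauth/access_token';

// Step 1: URL the user's browser is sent to with header('Location: ...').
function buildAuthorizeUrl(array $client, string $state): string
{
    return AUTHORIZE_URL . '?' . http_build_query([
        'client_id'     => $client['id'],
        'redirect_uri'  => $client['redirect_uri'],
        'response_type' => 'code',
        'state'         => $state, // ties the callback to this browser session
    ]);
}

// Step 2: runs on the redirect_uri page. $query is $_GET; $post is the
// back-channel HTTP POST (curl in production, a stub in the demo below).
function handleCallback(array $query, string $expectedState, array $client, callable $post): string
{
    if (isset($query['error'])) {
        throw new RuntimeException('authorization failed: ' . $query['error']);
    }
    if (!isset($query['code'], $query['state'])
        || !hash_equals($expectedState, (string) $query['state'])) {
        throw new RuntimeException('missing code or state mismatch');
    }
    $data = json_decode($post(TOKEN_URL, [
        'grant_type'    => 'authorization_code',
        'code'          => $query['code'],
        'client_id'     => $client['id'],
        'client_secret' => $client['secret'], // sent server to server only
        'redirect_uri'  => $client['redirect_uri'],
    ]), true);
    if (!is_array($data) || empty($data['access_token'])) {
        throw new RuntimeException('token endpoint returned no access_token');
    }
    return $data['access_token'];
}

// Demo with constructed values; the stub stands in for the provider's reply.
$client = ['id' => 'CLIENTID', 'secret' => 'CLIENTSECRET',
           'redirect_uri' => 'https://client.example/callback'];
$state  = bin2hex(random_bytes(16)); // keep in $_SESSION between the two steps
echo buildAuthorizeUrl($client, $state), "\n";
$stub = fn(string $url, array $fields): string => json_encode(['access_token' => 'constructed-token']);
echo handleCallback(['code' => 'constructed-code', 'state' => $state], $state, $client, $stub), "\n";
```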

Simple token-like authentication

Does the following authentication system seem reasonable:
Client calls the login end point with a user name and password to the main server. The main server sends this off to another authentication server (which will receive no further mention), which returns a yes/no if this is valid and a user ID that the main server is aware of. If yes, generate a random token (using some crypto library that spits out random strings), and store the hash of this (using PHP's password_hash()) and an expiry 12 hours from now on the user record. Return the token to the client.
Client now adds "Authorization: Token TOKEN+HERE+ABCD1234" to their requests to other endpoints. The server ensures that the hash of the token in the auth header matches the one in the database (using salts through PHP's password_verify()), and that the expiry hasn't been hit. If it doesn't match, or the expiry is exceeded, then send back a 401.
Seems at least as secure as basic HTTP authentication, which just has the base-64 encoded user:password in the header? The reason I'm considering this scheme over basic is that the main server won't store the username/password that the authentication server is using to log in.
What am I forgetting? Is this grossly insecure?
Your scheme is not that different from the standard server-side sessions where SESSION-ID is normally nothing more than a random token and stored on the client side within a cookie, with 2 improvements:
Instead of a cookie you would use Authorization header to deliver the token. This acts as a CSRF protection.
You would hash a token on the server-side. This helps against session hijacking in case someone gets access to your token-store on the server-side.
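The scheme from the question (random token, password_hash() of it plus a 12-hour expiry on the user record, password_verify() on each request), as an added example that is not part of the original posts. The in-memory $users array and the user ID prefix on the token are assumptions; the prefix is there because password_hash() salts each hash, so the server needs another way to find the row to verify against.

```php
<?php
// Added example. $users stands in for the user table (constructed data).
const TOKEN_TTL = 12 * 3600; // expiry 12 hours from issue, as in the question

// Called after the authentication server has answered "yes" for $userId.
function issueToken(array &$users, int $userId, int $now): string
{
    $secret = bin2hex(random_bytes(32)); // 64 hex chars from the CSPRNG
    $users[$userId]['token_hash']    = password_hash($secret, PASSWORD_DEFAULT);
    $users[$userId]['token_expires'] = $now + TOKEN_TTL;
    // password_hash() salts every hash, so the row cannot be found by hashing
    // the presented token; the user ID prefix tells the server which row to check.
    return $userId . '.' . $secret;
}

// Returns the user ID for a valid Authorization header value, else null (send 401).
function authenticate(array $users, ?string $header, int $now): ?int
{
    if ($header === null || !preg_match('/^Token (\d+)\.([0-9a-f]{64})$/', $header, $m)) {
        return null;
    }
    $row = $users[(int) $m[1]] ?? null;
    if ($row === null || !isset($row['token_hash']) || $now >= $row['token_expires']) {
        return null;
    }
    return password_verify($m[2], $row['token_hash']) ? (int) $m[1] : null;
}

// Demo with constructed data.
$users = [42 => ['name' => 'alice']];
$now   = time();
$token = issueToken($users, 42, $now);
var_dump(authenticate($users, "Token $token", $now));                    // issued token
var_dump(authenticate($users, 'Token 42.' . str_repeat('0', 64), $now)); // wrong secret
var_dump(authenticate($users, "Token $token", $now + TOKEN_TTL));        // past expiry
var_dump(authenticate($users, null, $now));                              // no header
```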
If you look at the OAuth process of Google, then you will get an idea of how authorization works for them.
They have different servers for Authorization and API calls. The user sends authentication details to the Authorization server and receives a code. Google has a process of taking user consent to access details, but you can skip this consent process and just return the code on successful details.
This code can be further used to get the Access Token from the API server. So your first request to the API server would be to get the Access Token. Google has a facility to refresh your Access Token as well.
And all subsequent requests to the API server must contain the Access Token. So you seem to be missing this code exchange process to make it more secure.
More info: https://developers.google.com/identity/protocols/OAuth2

Does the Salesforce REST API callback url need to be HTTPS?

I have been trying to connect to the Salesforce REST API but am not having very much luck.
The Salesforce REST API Quick Start Guide states that an HTTPS callback url is required, but then in the example they use https://localhost:8443/RestTest/oauth/_callback as the callback url.
I tried connecting on my testing server (HTTP) using this php Salesforce REST API example, but Salesforce seems to have had a fit and entered a redirect loop.
Is it possible to connect to the Salesforce REST API if I do not have an SSL Certificate, and if so, how might I go about doing so? For the record, my application is written in PHP, not Java like most of the official examples are.
For localhost it accepts http, and you should use https for anything other than localhost.
But the redirect URI in the request and the callback URL in the connected app should match.
You can use http://localhost:8080/<any_page_in_ur_project> in both connected app and in request.
I've never used the Salesforce REST API, but I have read the page you linked to.
The OAuth callback URL must be HTTPS. You seem to have discovered this yourself, both in the documentation:
It must be secure: http:// does not work, only https://
...and the example:
@WebInitParam(name = "redirectUri", value = "https://localhost:8443/RestTest/oauth/_callback")
As for your other question:
Is it possible to connect to the Salesforce REST API if I do not have an SSL Certificate, and if so, how might I go about doing so?
Presumably by the second method, as alluded to in the first sentence on the page you linked to:
You can set up authorization using OAuth 2.0 or by passing a session ID.
...
Session ID Authorization
You can use a session ID instead of an OAuth 2.0 access token if you aren't handling someone else's password:
Obtain a session ID, for example, a SOAP Web services API login() call returns the session ID. You may also have the session ID, for example as part of the Apex current context.
Use the session ID when you send a request to the resource. Substitute the ID for the token value.
So provided you aren't handling someone else's password (whatever that means), you can use login() to get a Session ID and communicate with the web service from there.
