I made a oauth2 server, and now I want to make c client using symfony2 to connect to it (when I click login, I'm redirected on the site with oauth2 server, I login, then I'm redirected to my client with the token).
I followed this: http://symfony.com/doc/current/cookbook/security/api_key_authentication.html
The problem is whem they retrieve the apikey. If I decide to use implicit grant with oauth2, the token is sent like that: example.com/#token
So I can't retrieve it with query->get.
If I send the code it's fine, but when I tried to curl my server somehow it broke (yeah, not specific error, still looking into it)
So I was wondering, is this the proper way of doing it?
Also, when they write about he specific url, why would I need one, if I can check everywhere?
Thanks :)
you can get your token like this in php :
For known url if you have your url with the hash, this part after # is called fragment.
$url=parse_url($yoururl);
echo $url["fragment"];
if you don't have this url in your backend, you need some javascript magic :
var token = window.location.hash;
then send it to your backend.
Maybe there is some other more symfonyc way to do this properly, but i never used oauth2 yet.. :D
Related
I have a problem setting up simple single sign on with Azure AD for our pHp website. The app is registered in azure and I have all the necessary details like Client ID, secret, tenant.
My requirement is to get authorized and also pull back the user's employee id, name and email id. I am working on single sign on for the first time, and need some help on this.
While creating the authorization URL, I am requesting for code, which is right according to the Azure documentation. I am successfully able to retrieve the code after authorization. However, I am not able to request id_token along with code as response_type=code+id_token, which should be possible. I could trace the URL flow and extract the id_token field manually. If I do this, I am prompted with the logon and MFA. But the response goes into infinite loop by just prompting with infinite number of MFA pings on my phone. This is weird, my program has a check to redirect on code response, which doesn't seem to work. I have tried using session_id cookie too, which has the same behavior.
If I just choose code as response type and request for id_token using token granting URL, I don't get any response back. Its blank or null but no errors.
Can you please help suggest if I am making a mistake. Is my method right or wrong to request code first and token next. How can I successfully retrieve id_token.
Just summary the comment into reply to help others who have the same problem.
response_mode: Specifies the method that should be used to send the resulting authorization code back to your app. Can be form_post or fragment. For web applications, we recommend using response_mode=form_post, to ensure the most secure transfer of tokens to your application.
If you want to use code + id_token in the response_type,you should be using OIDC Hybrid Flow.
However, if you just use code in the response_type, you should be using Authorization Code flow.
For more details, you could refer to this SO thread.
I've seen similar Questions like this before but don't understand the correct way of doing it. Or rather the questions were always a little different.
The scenario: I have a site where the user should log in via twitch.tv
I have a button which refers him to this url
https://api.twitch.tv/kraken/oauth2/authorize?response_type=code
&client_id=exampleclientid
&redirect_uri=http://example.com
&scope=user_read
I have censored redirect_uri and the client_id but basicly on this site the user needs to login into twitch or if he already is he can authorize that my application gets acess to "scope" here in this case "user_read" which is his email adress.
Now to my problem. When returning to my site my url will look like this
example.com/#access_token=exampleacesstoken&scope=user_read
example acess token is just a combination of numbers and letters which I need to acess private information like his email even his username.
Over this url
https://api.twitch.tv/kraken?oauth_token=exampletoken
I get acess to my needed information, but how do I grab the token from my url via php and delete everything after http://example.com to make it look good again.
The offical API documentation might be helpful and talks about CURL but I don't understand how it works and the PHP manual is very indepth.
https://github.com/justintv/Twitch-API
Sorry if I'm taking the lazy way here, but I think I'm missunderstanding something big because I just have to make a simple grab of the URL
From the Twitch documentation:
https://github.com/justintv/Twitch-API/blob/master/authentication.md#implicit-grant-flow
If the user authorizes your application, they will be redirected to
the following URL:
https://[your registered redirect URI]/#access_token=[an access
token]&scope=[authorized scopes]
Note that the access token is in the
URL fragment, not the query string, so it won't show up in HTTP
requests to your server. URL fragments can be accessed from JavaScript
with document.location.hash.
Today, after we migrated to the new members permissions api, everything goes wrong.
Im using the cosumer key and secret that i've got from the linkedin api dashboard itself with the oauth token and secret as well.
There is 3 kind of problems that keeps on coming:
first one:
{"errorCode": 0,"message": "Could not find person based on: ~","requestId": "7GPT96SW3C","status": 404,"timestamp": 1369827647671}
second:
<error><status>401</status><timestamp>1369826490661</timestamp><request-id>ZYWPUD43G3</request-id><error-code>0</error-code><message>[unauthorized]. The token used in the OAuth request is not valid. ******</message></error>
third:
com.linkedin.anet.auth.pub.ANetAuthException: other: anetID=*****
has anyone got some of these too? if yes, so how did you solved them?
thanks!
Once you have authenticated the user, you no longer need to make the access token calls - simply store the access token and reuse that for the subsequent requests.
Check are you sending a request once or twice for authentication, there may be the case your token getting replaced by another request.
I've gotten the "401<" and fixed it by correcting the URL which I was formatting incorrectly and consequently requesting a resource that did not exists (reported as unauthorized). You probably have the same issue with your 404 error. Can you please post the specific URLs you are using. That would give a little more insight. Also, make sure that you are not passing params via GET when you should be passing them via POST and that all your POST requests are via HTTPS
I am trying to setup an automatic way to upload videos to YouTube using the YouTube API. The application needs the videos to be uploaded for some processing by YouTube. Currently, I am setting up the oauth2.0 piece and I am able to redirect the user to login with their information. However, when the user is then redirected back to my site with my specified redirect uri, I need to be able to accept custom fields on the end of the URL. Right now, the web server just redirects the user to the page I want, but strips off all of the information returned by YouTube about authentication. I do not know much PHP at all, but think that it might be the way to solve this problem. Essentially, I want to be able to redirect the user to a page on the website where the extra information is retained so that I can use it. Thanks for your help.
http://ocf.berkeley.edu/~gregory/youtubeTestCode/indexRedirect#access_token=ya29.AHES6ZS8kOZN2T59fKpoUE0t7roUXqTPWDAwTMvrhZ5TjlZO57JZNQ&token_type=Bearer&expires_in=3600
The format of the redirect is http://ocf.berkeley.edu/~gregory/youtubeTestCode/indexRedirect followed by #access_token=ya9232.jdfka7327293&token_type=Bearer&expires_in=3600
However, I have no page with this specific URL..
There are two authentication methods for YouTube - client-side and server-side. (Actually there are more, but I've never used the others).
Documentation is https://developers.google.com/youtube/2.0/developers_guide_protocol_oauth2 but I'l try to paraphrase the bits you need.
"client-side" is what you are using - you basically send the user over the a URL and let google do the work and get the access token back.
"server-side" is what you'll need (as you guessed). To convert, as opposed to sending the user off to a url that ends "&response_type=token", change this bit to "&response_type=code& access_type=offline"
When you get the call back, you have ?code=4/ux5gNj-_mIu4DOD_gNZdjX9EtOFf - hopefully you can read this as it's before the #
You then use a POST to send this code to the Google servers and it sends back the token in JSON. Taken from that page before:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
code=4/ux5gNj-_mIu4DOD_gNZdjX9EtOFf&
client_id=1084945748469-eg34imk572gdhu83gj5p0an9fut6urp5.apps.googleusercontent.com&
client_secret=hDBmMRhz7eJRsM9Z2q1oFBSe&
redirect_uri=http://localhost/oauth2callback&
grant_type=authorization_code
and response is:
{
"access_token" : "ya29.AHES6ZTtm7SuokEB-RGtbBty9IIlNiP9-eNMMQKtXdMP3sfjL1Fc",
"token_type" : "Bearer",
"expires_in" : 3600,
"refresh_token" : "1/HKSmLFXzqP0leUihZp2xUt3-5wkU7Gmu2Os_eBnzw74"
}
So "relatively" simply change, but you need the PHP part to do the POST as it requires your secret key (which you don't want to reveal through Javascript).
I'll leave you to Google on how to:
read parameters in PHP (hint - use $_GET['paramter name'])
send a POST message to Google using CURL.
An alternative is to check out YouTube SDK for PHP - these are pre-written libraries that contain the POST and the GET bits for you. But this uses something called "Zend" which can get complex. https://developers.google.com/youtube/2.0/developers_guide_php
Hope this doesn't get too complicated. :) thing is..
I'm trying to make my PHP code post notes to Google Buzz using OAuth as authentication mechanism. I'm doing the typical "OAuth dance" (get request token, authorise it, exchange for access token), but i've ran into some problems that seem to be on Google's side. Hope i'm wrong - it would be much easier to fix. :)
To get to the point - oauth_callback parameter doesn't seem to get passed to the authorization form. Authorization URI i'm redirecting to is like:
https://www.google.com/buzz/api/auth/OAuthAuthorizeToken
?domain=<my.domain>
&scope=<urlencode(https://www.googleapis.com/auth/buzz)>
&oauth_token=<request_token>
&oauth_callback=<my.domain/callback>
When redirected, client is asked to authorize site to read/write from/to Buzz. If accepted, Google asks again (but in different form) to allow access to .. after allowing for second time, success message is shown, but it doesn't return any tokens to my site, not redirecting to oauth_callback uri.
Workaround i found is to manually add form field 'oauth_callback=' trough firebug/chrome inspector, and then, after these two confirmations it redirects to my site and i can extract authorized token from response, and exchange it for access token. If i use 'standard' Google's authorization endpoint, i get redirected correctly (one confirmation only), but then the access token i get after that is invalid for Buzz.
So, am i wrong or google?! :D I've implemented OAuth for cooperation with some other services (Facebook, MySpace..) but i've never had this much trouble.
ok, when i got on the problem next morning, with (partially) fresh eyes, solution was pretty easy (but still undocumented).. :) in case anybody else needs answer - oauth_callback parameter should be specified when requesting request token.