I have problems with the authentication, i am doing this steps:
1. First time I get the oauth_signature by using this site url with following details:
http://7digital.github.io/oauth-reference-page/
url: https://api.7digital.com/1.2/oauth/requesttoken
consumer key: MY_KEY
consumer secret: MY_SECRET_KEY
nonce: 814629426
**timestamp: 1383291284
body encoding:** application/json
and them send request to get the oauth_token for the 7digital API:
https://api.7digital.com/1.2/oauth/requesttoken?oauth_consumer_key=MY_KEY&oauth_nonce=184615245&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1383144733&oauth_version=1.0&oauth_signature=sJ%2B%2BPq2i9LfC1xGG1EHx2DrTBxg%3D
This request gets the oauth_token and the oauth_token_secret.
2. I need to authorize the oauth_token with the client key:
https://account.7digital.com/7dysvzdxkkmf/oauth/authorise?oauth_token=7EP6KGD
The request responses a page to registration or login if i have a 7digital account.
3. I need to access token:
https://api.7digital.com/1.2/oauth/accesstoken?oauth_token=JXLDXZY&oauth_consumer_key=MY_KEY&oauth_signature=uJ8jUSre5%2Fe5qiJsA5jeN54143M%3D&oauth_timestamp=1383204749&oauth_nonce=558206579
But on step 3 i got error message:
OAuth authentication error: Invalid signature.
What's wrong in my code?
Related
Hi am trying to call an API from Postman.
The framework used is : Laravel
The website has browser authentication (using .htacess)
And The API has user authentication (Laravel Passport) (user must be logged in)
Now,
I need to call an API and include both the headers, i.e.
I added Basic Auth with username/pwd as browser credentials
Basic Auth : username/pwd
And in Headers I added
Authorization : Bearer oauthtoken
(where oauthtoken is the key retreived from an API call https://servername/auth and Basic Auth : username/pwd)
Now when I send the API call,
The Authorization Header changes to :
Authorization : Basic some_key
And thus I get Unauthorized in response.
Is there some way I can send browser creds and user auth header together?
Your OAuth token retrieved after authentication is not the same as the token attached by Postman for Basic Authentication.
If you wish to use your OAuth token in request I recommend looking at Postman variables and store that token in there.
Here is an article that helped me build my Postman collection using JWT
But some of the script in there is out of date.
I would start by creating an environment (local) in which you add a key to store the token (oauth_token) with value empty.
In the auth endpoint while in Postman you can check the Tests tab in which you can place a script to update the oauth token:
pm.test("Logged in successfully", function () {
var jsonData = pm.response.json();
pm.environment.set('oauth_token', jsonData.token);
});
After this you can add Authorization Bearer with value {{oauth_token}} to an endpoint that is using OAuth token.
If you wish to learn more about Postman variables this is a great post variables
To recap:
Send username and password to the auth endpoint
Store oauth token in Postman variable returned from step 1
Use your new token as Postman variable using {{VARIABLE_NAME}} notation
I would advise to use Guzzle Library
$http = new \GuzzleHttp\Client;
$response = $http->request('POST', 'http://quotible.web3box.com/oauth/token', [
'headers' => [
//you headers here
],
'form_params'=>[
//your browser based parameters here
]
]);
I'm trying to implement Yahoo OAuth 2.0 to import contacts to my application. I'm using PHP, and this guide (Server-side Apps part) :
https://developer.yahoo.com/oauth2/guide
I have created my app, authorize access and receive my code
"authorization code is appended to the redirect_uri, shown below as
code=abcdef"
I've successfully arrive at step 4.
https://developer.yahoo.com/oauth2/guide/#step-4-exchange-authorization-code-for-access-token
Here, I cannot get a response for https://api.login.yahoo.com/oauth2/get_token and receive my Access Token.
I'm using https://github.com/saurabhsahni/php-yahoo-oauth2/blob/master/YahooOAuth2.class.php class.
Here is my code :
include_once("/libraries/Yahoo/YahooOAuth2.class.php");
// step 1, step2, step3
// Successfully received authorization code and stored in my session
[...]
//my Client ID (Consumer Key)
$cc_key = 'x3485sdfsfsdfsdfsdf[..]';
//Client Secret (Consumer Secret)
$cc_secret = '3423423fddssdfsdf';
//my authorization code receive
$code = $_GET['code'];
define("CONSUMER_KEY",'$cc_key');
define("CONSUMER_SECRET",$cc_secret);
$redirect_uri="http://dev.example.com/user/register-step4";
$token=$oauth2client->get_access_token(CONSUMER_KEY,CONSUMER_SECRET,$redirect_uri,$code);
I'm getting 401 error:
"Received error: 401 Raw response:{"error":"invalid_grant"}"
From yahoo api errors:
401 invalid_grant : An invalid or expired token was provided.
This is not true, because my authorize code should be good, because I just received exactly like in the specifications.
Related problems:
https://developer.yahoo.com/forum/Messenger-IM-SDK/not-getting-response-for-https-api-login-yahoo-com-oauth-v2-get-request-token/1310023528000-09714556-4cd3-38c5-b799-d29e8d5f9bcb/
I'm getting google api authorization code from this page on my server
https://github.com/google/google-api-php-client/blob/master/examples/user-example.php
the same page on my hosting to test
http://mawk3y.net/google/google-api-php-client/examples/user-example.php
after adjusting client id, secret and redirect uri.
$data =file_get_contents('https://accounts.google.com/o/oauth2/auth?code='.$code.'&client_secret={secret}&redirect_uri={my web page}&grant_type=authorization_code');
print_r($data);
but i get an error so i'm trying to paste the full url to the browser address bar after getting authorization code from that page like this (the same auth code I get from this page https://developers.google.com/oauthplayground/)
https://accounts.google.com/o/oauth2/token?code={authorization code}&redirect_uri=mywebpage.php&client_id={my client id}&client_secret={secret code}&grant_type=authorization_code
but the result is
{
"error" : "invalid_request"
}
how to solve this and exchange the authorization code for access token
You're sending the parameters in a GET request to the authorization endpoint (https://accounts.google.com/o/oauth2/auth), but you must send them in a POST request to the token endpoint (https://accounts.google.com/o/oauth2/token).
I had an implementation of OAuth working with Fitbit to pull data from fitbit's service. However they recently updated their service and now the request is failing whenever I try to get an access token.
They have made the following statement about the new requirement:
The solution is to OAuth sign the requests to <https://api.fitbit.com/oauth/request_token> and <https://api.fitbit.com/oauth/access_token> in a similar manner that all other calls to the Fitbit API are signed.
Requests to <https://api.fitbit.com/oauth/request_token> need to be signed with your application's consumer key and secret.
Requests to <https://api.fitbit.com/oauth/access_token> need to be signed with your application's consumer key and secret and the oauth_token and oauth_verifier received from the authorization callback.
I am using the PHP PECL OAuth library for OAuth requests. However I can't find a way to add additional parameters to the signature. I am trying the following but I'm not sure that this is the correct way to update the OAuth Signature:
$params['consumer_key'] = $this->consumer_key;
$params['consumer_secret'] = $this->consumer_secret;
$params['oauth_token'] = $this->oauth_token;
$params['oauth_verifier'] = $_REQUEST['oauth_verifier'];
$this->signature = $this->oauth->generateSignature('GET', $this->access_url, $params);
$this->access_token = $this->oauth->getAccessToken($this->access_url, $this->signature, $_REQUEST['oauth_verifier']);
The OAuth error I get is:
401
Invalid auth/bad request (got a 401, expected HTTP/1.1 20X or a redirect)
oauthoauth_signatureInvalid signature: FfvYDv5MSOfwcOwLZBJa0TlKS4Q=false
The signature which is stored from the code above shows that the proper signature should be:
[signature] => wlfzqPs4aEkTkHfqyaO65D/RW6o=
This is the "Headers Sent" piece of the debug information:
[headers_sent] => Authorization: OAuth oauth_session_handle="Frdnxw8oHe3BgNVi0Fy4jBXrZko%3D",
oauth_verifier="ss6nmke8elf3so66jg3auued49",
oauth_consumer_key="(my key)",
oauth_signature_method="HMAC-SHA1",
oauth_nonce="30463910852ea5cc2d04e60.71895372",
oauth_timestamp="1391090882",
oauth_version="1.0",
oauth_token="2cabd6beab341e332bdf8e522b6019ef",
oauth_signature="hULwWcQOl%2F8aYjh0YjR843iVXtA%3D"
I can't find anything in the documentation which explains how I can set the signature for OAuth to use with it's request. Any Help would be greatly appreciated!!!
Please let me know if you need more information!
I have found the issue.
It turns out I was not saving the oauth_token_secret being handed back and I was instead using the consumer secret.
Once I updated this, the process ran as expected.
I'm making the huge mistake of writing my own OAuth library and wrapper classes in PHP. Everything works wonderfully for Twitter's OAuth implementation, but I fail on signing the access_token step for both Tumblr and Flickr.
The ONLY difference in that step, is now I have oauth_token and oauth_verifier parameters. I'm using the Authorization header, and the only problem I can think of is that there are some character encoding issues, but I'm not sure.
Base string (broken for clarity):
POST&
http%3A%2F%2Fwww.flickr.com%2Fservices%2Foauth%2Faccess_token&
oauth_consumer_key%3Deeedfcd4c46a2c12080f58eb90a974d8
%26oauth_nonce%3D322190b47ca680d053338724ad1cc56d35d3e7b5
%26oauth_signature_method%3DHMAC-SHA1
%26oauth_timestamp%3D1322981994
%26oauth_token%3D72157628270097303-18aa378b4ab02af3
%26oauth_verifier%3Dec7811503fdd4380
%26oauth_version%3D1.0
This is exactly what Flickr expects (they tell me so in the error response), which leads me to believe the signature is the problem.
Authorization header (also broken for clarity):
Authorization: OAuth
oauth_consumer_key="eeedfcd4c46a2c12080f58eb90a974d8",
oauth_nonce="322190b47ca680d053338724ad1cc56d35d3e7b5",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1322981994",
oauth_token="72157628270097303-18aa378b4ab02af3",
oauth_verifier="ec7811503fdd4380",
oauth_version="1.0",
oauth_signature="LYJtgHetQWNKX3rtQlSs643FdWY%3D"
And Flickr's response:
oauth_problem=signature_invalid&
debug_sbs=POST&
http%3A%2F%2Fwww.flickr.com%2Fservices%2Foauth%2Faccess_token&
oauth_consumer_key%3Deeedfcd4c46a2c12080f58eb90a974d8
%26oauth_nonce%3D322190b47ca680d053338724ad1cc56d35d3e7b5
%26oauth_signature_method%3DHMAC-SHA1
%26oauth_timestamp%3D1322981994
%26oauth_token%3D72157628270097303-18aa378b4ab02af3
%26oauth_verifier%3Dec7811503fdd4380
%26oauth_version%3D1.0
There are no GET or POST parameters. Everything seems to be escaped correctly from what I see here. The signing works for the request_token step (and for Twitter, for ANY request). I've verified that my server clock is within a second of theirs. Am I missing something obvious? How would you go about diagnosing this?
I'll answer my own question.
There were a few discrepancies between the different oauth service provider implementations:
Twitter
Expects oauth_callback on request_token step
Doesn't return oauth_token_secret until access_token response
Therefore, there's an empty oauth_token_secret in signing the access_token request
Flickr & Tumblr
Expect oauth_callback on authenticate (i.e. authorize) step
Return oauth_token_secret on request_token step (and expect you to remember it and use it to sign access_token request)
Youtube (and other Google OAuth service providers):
Expects Google-proprietary "scope" on request_token step
Expects oauth_callback on authenticate (i.e. OAuthAuthorizeToken) step
Doesn't seem to like oauth_token passed in Authorization header in the access_token step (responds with "token invalid" due to required double-encoding in base string). Pass it in the post body or query string instead.