enter image description here getting following error
i add url parameters client_id,redirecturl,scope and response type but getting this error
{
"error_id": "invalid_request",
"error_description": "Input request parameters are invalid.",
"http_status_code": 400
}{
User access token Steps
#1 Check App Key
#2 Registry User
#3 Get User Token
#4 API call
#1 Check App Key after Registry App
https://developer.ebay.com/my/keys
#2 Registry User - once if not user registry
I tested in sandbox,
If you use production, needs to change production URL
https://developer.ebay.com/sandbox/register
#3 Get User Token
Sign in from developer portal
https://developer.ebay.com/
Click Sign In
Enter e-mail of user
Enter password of user
Finally Got the user access-token
#4 API call
API call with #3 user access token.
In this case, user can't get the inventory due to limited scope for inventory.
But I shows how to use user-token to call API.
Using Postman
Using API explorer
https://developer.ebay.com/DevZone/build-test/test-tool/default.aspx?index=0
App (Client) access token Steps
Documentation in here
You needs three information
#1 Token endpoint
sandbox - using test, use this at this time
https://api.sandbox.ebay.com/identity/v1/oauth2/token
production - using production
https://api.ebay.com/identity/v1/oauth2/token
#2 Get your cleint id and client secret
https://developer.ebay.com/my/keys
AppID (=Client ID) & Cert ID (= Cleint Secret)
#3 Enter #1/ #2 information in to Postman
#1 -> into URL with POST method
Select Authrization tab and select Basic Auth Type
#2 -> Paste client id into Username and cleint secret into password
Change the Body tab and select x-www-form-urlencoded
Then key -> grant_type , value -> client_credentials
#4 Finally click Send button, then can get access token.
Related
I am trying to get and change some specific user (name, surname, email, etc), but my link returns some unknown error. This is my link: http://localhost:8080/admin/realms/space-realm/users. Can you please explain me what I am doing wrong? Will be very apprecaited.
This step is overview.
1 Find master access token URL
In my demo URL,
http://localhost:8180/auth/realms/master/protocol/openid-connect/token
This may help long life of access-token time if you needs to more space time to handle step 3 and 4
2 Get master token
run postman, use #1-4 URL
assign variable in tests tab
access-token variable will be use #3 and #4
var jsonData = JSON.parse(responseBody);
postman.setEnvironmentVariable("access-token", jsonData.access_token);
set the Key in Body tab with x-www-form-urlencoded option
Click Send button
Should be return OK 200 status and see the access token
3 Get space-realm user
I added one user, I will get this user information
In my get user list URL
http://localhost:8180/auth/admin/realms/space-realm/users
Use this variable in Authorization Tab
{{access-token}}
4 Update user properties with 3's user UI
set header
The status should be 204 No Content status
if get user information by id, get this result
with changed properties.
First, you need to get an access token for the service account through client credentials grant type flow that has the required roles to manage users in Keycloak. From the Box keycloak has the following hardcoded in the source code roles that allow doing something like that:
manage-users
view-users
query-users
Second. Perform needed requests to the Admin REST API endpoints of Keycloak - https://www.keycloak.org/docs-api/18.0/rest-api/#_users_resource with the retrieved access token in the Authorization Bearer header to manage the users.
I am trying to build a REST API that will login to Facebook using socialite with lumen, a micro-service of Laravel. I have set up my Facebook app and configured the client_id, secret and access url accordingly.
The work flow is:
Here is the work flow
1.get user details from socialite
2.check the user existence with email ,if its exists execute auth::login, otherwise create a new record in users table and redirect to profile.
The program now redirects me to Facebook, however once the user presses the login button, it returns the following error:
Client error: `POST https://graph.facebook.com/v3.3/oauth/access_token` resulted in a `400 Bad Request` response:
{"error":{"message":"This authorization code has been used.","type":"OAuthException","code":100,"error_subcode":*****,"f (truncated...)
I am confused as it has not been long since I generated the token and no user login/ permissions have changed, so the token should not be expired. Do I need to store the access token in a database in order to grant the user permission or is there some way to store it in a user's browser session?(I already have a database configured on forge for user name and email)
In AppSync when I try to Login via Cognito User Pools and enters ClientID it gives an error Use a clientId without a client secret.
I am entering only ClientID but it not proceeding
Go to your user pool in the console.
Go to General Settings -> App Clients (NOT App Integration -> App client settings)
Click on "Show details" under each one.
Look at the "App client secret" field.
In my case Amplify had created two app clients for me, one with _app_client at the end, which had a client secret. One with _app_clientWeb at the end which had no client secret. They appeared to be otherwise identical. You want to select the App Client id from the one without the secret, or create a new app client that has no secret.
I had the same issue, it seems that AppSync doesnt allow using a user pool that has a client secret, so i created new user pool and I unchecked the generate client secret option while creating the App Client. Now it is working well.
I was using Amazon Cognito user pool for login. When I access my web application, I get a redirect to
https://<domain>.auth.<region>.amazoncognito.com/login?response_type=code&client_id=<client id>&redirect_uri=<callback> .
Once logged in with the username/password of a user from the pool, I will be redirected to the callback URL with the code as a query parameter. I can use this to get tokens. How do I integrate this in postman so that I can use the token for my upcoming request?
I have an example of doing this...
The callback URL as defined in the Cognito User Pool console under App Integration / App client settings.
The URL for the login endpoint of your domain. This will be under Cognito User Pool / App Integration / Domain Name
Client ID is found under Cognito User Pool / General Settings / App clients
List the scopes you want to include in the Access Token. These must be enabled under Cognito User Pool / App Integration / App client settings. These can be either standard or custom scopes. Custom scopes are defined under App Integration / Resource servers and must include the resource server ID (e.g. https://myresource.com/myscope)
Click Request Token
You may now log in to your Cognito User Pool and receive an Access Token!
The problem is that once you have the Access Token it isn't usable within Postman because Cognito expects it to be bare and Postman automatically prepends 'Bearer' to the token:
The token can be used in cURL though:
curl -i -H "Authorization: dyJraWQiOiI1YVcwTUlqN1hBaHg4Yzh4Q3JNT2RsQjhZWjlCR3NQOE9BbkFlVFJtUklRPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI3YmEwZmMzOC01ZDcwkYS05MTI5ZTBmYTUzNTEiLCJ0b2tlbl91c2UiOiJhY2Nlc3MiLCJzY29wZSI6Imh0dHBzOlwvXC9hcGkubXk5MC5jb21cL3BvbGljZURlcGFydG1lbnRzLnJlYWQiLCJhdXRoX3RpbWUiOjE1NDA1OTIzMTYsImlzcyI6Imh0dHBzOlwvXC9jb2duaXRvLWlkcC51cy1lYXN0LTEuYW1hem9uYXdzLmNvbVwvdXMtZWFzdC0xX2xIbGo4NXpRYSIsImV4cCI6MTU0MDU5NTkxNiwiaWF0IjoxNTQwNTkyMzE2LCJ2ZXJzaW9uIjoyLCJqdGkiOiJhN2JiOWU2MC1kNmY1LTQ3ODYtODMwYi0xODdkZDZmYTZlODAiLCJjbGllbnRfaWQiOiI2MzhlYmZ1dTdiZDRkMXVkYnRzY2pxcnJncyIsInVzZXJuYW1lIjoicm9qbyJ9.O_GAxfFX3IQfLUu5Hxr05Wrk_2QDwNSL8tvDdEU0Dzs9d1XhQPafT6ney6yiGnKPOwsO8HhWdbT1QdDmByjuwQAURf1Da4Au7c-yhfgJcqWuHWZ4mledTSP8ukXqihMb4PoaDdU4JXyOdMLa50dBXVMgJNyXTpIulWOxFhiTW6DeQbnxNDk94cGNz_CTKCEqKStiloFZfLR7ndSrWqdOQ_SU__YV0RyKXZyK5yguv3nkUcI6cuKpbPVIZ5DNdpufbrtOLuZcC6HePBKrbTKjSZCt5-swy3YrwnY4ApTX7QUFzof6FylWaLA_KVP3Zv6ksSJ_IjBMFH1NRVHh4lbsOA" \
https://xxxxx.execute-api.us-east-1.amazonaws.com/v1/myresource/1234
by yl.
Thanks to Robert Jordan for his above postman OAuth2.0 configuration post.
I'll try to cover here the entire Cognito user pool definition part to make it easier.
Ok,
Open the Cognito console and follow the bellow stages:
1) create new user pool
name: Test1
left panel menu->Attributes
Select the following radio buttons:
o Email address or phone number - Users can use an email address or phone number as
their "username" to sign up and sign in.
o Allow email addresses
And checkboxes:
[v] email
[v] name
Screenshot:
Press the [Create Pool] button.
(if not available yet to the wizard - press [Review Details] option on the left panel menu)
2) left panel menu->App Clients
press: [add app client]
App client name: me1
clear all checkboxes but the:
[v] Enable username password based authentication (ALLOW_USER_PASSWORD_AUTH)
Leave Radio buttons as is:
o Enabled (Recommended)
Screenshot:
press [create app client]
3) copy and keep the 'App client id'
this is a string format similar to 5psjts111111117jclis0mu28q
Screenshot:
4) left panel menu->App Client settings
Enabled Identity Providers: [v]Select all
[v] Cognito User Pool
Callback URL(s): put the api gw url or https://www.google.com/
OAuth 2.0
Allowed OAuth Flows
[v] Implicit grant
Allowed OAuth Scopes
[v] openid
Screenshot:
5) left panel menu->Domain name
put a string in the prefix field, for instance: music123456789
check if available using the 'check' button.
your domain now is: https://music123456789.auth.us-east-1.amazoncognito.com
Screenshot:
6) left panel menu->Users and Groups
press [Create user]
Username (Required): Your.Mail#company.com
clear all [v] check boxes
Temporary password: Xx123456!
eMail: Your.Mail#company.com
7) in POSTMAN
Press new Request
enter the 'Authorization' tab
Select TYPE: OAuth 2.0
press the [Get new Access Token] button and fill in:
Token Name: myToken123
Grant Type: select 'implicit' from the listbox
callback URL: https://www.google.com/
(as in clause 4 or in cognito console->App Integration->App client settings)
Auth URL: https://music123456789.auth.us-east-1.amazoncognito.com/login
(as in clause 5 + '/login' suffix, what you have defined in cognito
console->App Integration->Domain Name)
Client ID: 5psjts343gm7gm7jclis0mu28q (the app client id - as in 3,
what you have defined in cognito console->General Settings->App clients)
Scope: openid (as in 4, what you have defined in cognito console->App
client settings->Allowed OAuth Scopes)
COGNITO to OKTA idp configuration
When connecting Cognito to Okta IDP, Configuration should be as follows:
Okta Setup
Cognito Setup
Postman setup
As an addition to very through explanations of Robert Jordan and ylev, I made it work by using the id_token instead of the Access Token.
In the token details page, copy the id_token and add it to the header manually without Bearer prefix:
Source: https://github.com/postmanlabs/postman-app-support/issues/6987
For those wanting to move away from the deprecated "implicit" grant to the recommended "authorization" aka "authorization code" grant, you'll want to have the following in Postman:
Grant Type: Authorization Code (Authorization Code with PKCE would prevent the code from being used by anyone else if it were intercepted in transit but either or... you probably want to start with getting "Authorization Code" working.)
Callback URL: https://oauth.pstmn.io/v1/callback (or whatever Postman sets it to when you check "Authorize using browser"
Auth URL: https://{app name you chose when creating the custom auth domain}.auth.{aws region}.amazoncognito.com/login e.g. https://myapp.auth.us-east-1.amazoncognito.com/login. You can find this in AWS Console -> Cognito -> the user pool -> App Integration tab -> Domain section -> Cognito domain (use the Actions dropdown to create a custom domain if you don't already have one).
Access Token URL: https://{app name}.auth.{aws region}.amazoncognito.com/oauth2/token e.g. https://myapp.auth.us-east-1.amazoncognito.com/oauth2/token.
Client ID: The Client ID corresponding to the "App Client" (e.g. the web app users will be authenticating through Cognito to use), found in AWS Console -> Cognito -> the user pool -> App Integration tab -> App Client List section -> the App Client.
Client Secret: An optional added security measure. This should never be sent to the web app as the client secret could then be extracted by a nefarious user via Chrome Dev Tools or the like. You can (and should) however use Client Secret with backend applications e.g. the API service backing your frontend web app. This is a decision that has to be made in AWS when the App Client is created within the Cognito User Pool, but don't fret- App Clients are easy to create/delete/recreate if you change your mind or pick the wrong setting.
Scope: OAuth uses "scopes" as a means of defining what the application which holds and uses the access token (e.g. some web app) can do/access on behalf of the user whose account it's using. It's similar to authorization in a web app (e.g. only users in the "admin" group can access the settings page) but it's meant to be authorization with respect to a user's metadata, so typically that manifests as user metadata the app has access to, for example the user's calendar or contacts or phone number. OAuth scope is not meant to replace an app's authorization system (e.g. RBAC) so if you're just making some web app and just need Cognito to handle user signup, storing and resetting passwords for users, etc. you can more or less ignore OAuth "scope", though you should probably be setting the "Scope" value in Postman to something like "openid email" (Scopes are separated by a single space and you can't request and obtain the "email" scope without also requesting "openid") so you at least get the user's email address in the access token to compare with your "Users" table in your app's database. Scope makes more sense and becomes more relevant in a scenario where your web app is authenticating with an actual third-party (not your own Cognito user pool), like Facebook or Google. Maybe you're making an app that syncs users' friends' contact data from Facebook to.. I don't know, a CSV file downloaded to your computer for backup purposes. In this case you want to request from Facebook's OAuth server the "friends-list" scope or whatever Facebook decided to call that scope. On the other hand, if you just need Facebook as a means for allowing your users to easily sign in to your app without having to create an account, you don't need the "friends-list" or any other scope from Facbeook (maybe just the scope that gives you the user's email address?).
Other fields:
Client Authentication: Send client credentials in body
Type: OAuth 2.0
Add authorization data to: Request Headers
Sources:
https://www.czetsuyatech.com/2021/01/aws-generate-cognito-access-token.html
https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/
https://api.slack.com/legacy/oauth-scopes
If your client supports USER_PASSWORD_AUTH you can request valid bearer tokens using the aws client.
read -s -p "Password: " && \
aws cognito-idp initiate-auth \
--client-id <client id> \
--auth-flow USER_PASSWORD_AUTH \
--auth-parameters "USERNAME=<username>,PASSWORD=$REPLY"
This can be added to Postman under Authorization / Type: Bearer Token.
For Postman 8.5.1 and AWS Chalice + Cognito user pool on the backend I have working example:
Cognito > User pools > > App integration > App client settings
About vars:
{{cognito_callback_url}} - Your Callback URL(s) from App client
settings
{{cognito_auth_url}} - Cognito > User pools >
> App integration > Domain name + /login
(https://.....auth.ap-south-1.amazoncognito.com/login)
{{cognito_client_id}} - Your App client web id from App client
settings
{{cognito_scope}} - Use 'openid'
Now click the Get the new access token in the bottom and authorize yourself using existing user data from pool
I thought i would post some more information about using cognito with an elastic load balancer. AWS load balancers do not current support auth via headers :( you can get it working on postman by copying cookies from a successfull web request into the postman request
The use-case you want to implement can be achieved by using the OAuth 2.0 authorization. If you can get the Auth URL/ Access Token URL, Client ID, and the Client Secret- you should be able to do it.
Here's a link to the documentation of the various authorization types we support including the above mentioned one- https://www.getpostman.com/docs/v6/postman/sending_api_requests/authorization.
Cheers.
Is it possible to retrieve the refresh token from a google account for an application?
I use a google oauth login for my web application. When signing in the first time the refresh token is generated. But when something goes wrong or the the program doesnt accept the user, but the user allready signed in the refresh token is allready generated. The second time when the user wants to log in the refresh token isn't generated. the user must first revoke the web application before the new refresh token will be generated.
Is there a way to retrieve the refresh token of a user? or maybe even better, kick out the user from the web application?
this is how I get the refresh token:
code = request.args.get('code')
credentials = cls.flow.step2_exchange(code)
print 'refresh_token:{}'.format(credentials.refresh_token)
I am using Flask
Ok I found the answer.
When a user accepts your application a refresh_token is generated.
If a user comes back later and hasn't revoked your application, google won't generate another refresh token. You can use approval_prompt='force' to force the user to go through the approval prompt.
A user can revoke your application by going to myaccount.google.com > Connected apps and services, selecting your application and revoke.
To revoke the user in your application you can call the following URL:
'https://accounts.google.com/o/oauth2/revoke?token={token}'
example:
def revoke(token)
url = 'https://accounts.google.com/o/oauth2/revoke?token=%s' % token
h = httplib2.Http()
return h.request(url, 'GET')[0]
the token can be an access_token or a refresh_token