This question is related to this other post: how to get 'code' for getting access_token when using Azure AD Graph API. Let me open a new thread as I cannot write a comment. I will try to explain my problem as best as possible:
Context
My app is a web server written in Django with several REST APIs used by the frontend. I had an API for the users to register, which used to use Microsoft login api perfectly. Everything was fine until we found out some clients had MFA and we could not use the api anymore.
Possible solution
I followed the instructions in https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow for getting the token, and I can do it correctly manually. That is:
Step 1: I write this url on the browser and login
// Line breaks for legibility only
"https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize?
client_id=<client_id>
&response_type=code
&redirect_uri=<redirect_uri>
&response_mode=query
&scope=https://graph.microsoft.com/.default"
Step 2: The response I get in the browser address bar contains the code. I extract it manually, using the console.
<redirect_uri>/?code=?code=<authorization_code>&session_state=<session_state>
Step 3: With this code I can ask for a token to the api:
// Line breaks for legibility only
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=<client_id>
&scope=https://graph.microsoft.com/.default
&code=<authorization_code>
&redirect_uri=<redirect_url>
&grant_type=authorization_code
&client_secret=<client_secret>
Problem
Ok, so far, everything works fine, the problem is that I have to get the code in step 2 manually and I want to include it in my Django code. What can I do?
Thank you!
Related
I've been trying to add google login to my django app following this tutorial:
https://github.com/RealmTeam/django-rest-framework-social-oauth2
By following exactly the instructions, everything works fine in local.
However, when I try to replicate the same on the server, I get the following error on the redirect page of the login:
Error 400: redirect_uri_mismatch
redirect_uri: http://localhost:8000/auth/complete/google-oauth2/
What is strange to me is, in my google developer console, I have set up the correct redirect url in my app, as follows:
https://mydjangoapp.com/auth/complete/google-oauth2/
And I have also put 'mydjangoapp.com' under 'Authorised JavaScript origins'.
So my question is, why google keeps telling me that the redirect url is
http://localhost:8000/auth/complete/google-oauth2/
which is not the one I have set up in the console? Perhaps there is something obvious that I'm missing here. Thank you!
Why google keeps telling me that the redirect url is
Because your application is sending its in your code the app is running on http://localhost:8000 and if you are using a client library its probably adding the rest automatically.
http://localhost:8000/auth/complete/google-oauth2/
The redirect uri must exactly match what you are sending from your application.
You need to add
http://localhost:8000/auth/complete/google-oauth2/
Javascript origin is only needed if your code is using javascript.
This video will show you how to fix the error. Google OAuth2: How the fix redirect_uri_mismatch error. Part 2 server sided web applications.
If you want your code to send https://mydjangoapp.com then your going to have to be running it from https://mydjangoapp.com probably and you may need to figure out how to configure it so that it is running from the correct host.
i am playing around with Postman to get some insight on how things work behind the curtain and ran into, what I believe, is an issue but wanted to ask before I create a new issue on GitHub.
I am intercepting the request from my browser to the same site using the Postman Interceptor to use the request values in the native app. I have cookies enabled and the site (the whole domain) whitelisted.
When I use the history to resend the same request that was captured I get an auth error that is caused by the fact that the cookies are not included in the request (found that out by checking the cURL code snippet). I believe the reason for that is, that the cookies are set under another sub domain than that the request is send to.
I will try to include some pictures to clarify. My question here is:
Am I missing something/did I set something up in the wrong way
or is this an issue and I should create an issue in the official Postman Github page
cURL request
Cookies in Postman Native App
you should see if cookie is being send not using code snippet but the console :
its indeed sending cookies ,
With this minimal program, I can download a text file and print it using libcurl. And I do this anonymously, just like any https get request.
Now this URL: https://api.github.com/repos/bitcoin/bitcoin
Is an example of a Restful API case I don't understand but interests me because I need to retrieve the releases of my project anonymously on Github. If you click on it, you get the JSON information anonymously on your web browser with no problems. It works without any authentication. But then when I put that URL in my minimal program, I get error 403!
So any normal https URL works fine in my minimal program, but this Github URL doesn't.
Why am I getting error 403? Do I have to authenticate in some way (and I don't mean with my personal username and password because my requirement is to get this anonymously)? Is this a bug in Github or my code?
OK. I know now what my mistake is. I seem to have confused authentication username/password with the so called "user agent". Adding this line to libcurl configuration:
curl_easy_setopt(curl, CURLOPT_USERAGENT, "Dark Secret Ninja/1.0");
will make it work. No authentication is required.
I'm trying to post a feed on my wall or on the wall on some of my friends using Graph API. I gave all permissions that this application needs, allow them when i make the request from my page, I'm having a valid access token but even though this exception occurs and no feed is posted. My post request looks pretty good, the permissions are given. What do I need to do to show on facebook app that I'm not an abusive person. The last think I did was to dig in my application Auth Dialog to set all permission I need there, and to write why do I need these permissions.
I would be very grateful if you tell me what is going on and point me into the right direction of what do I need to do to fix this problem.
Had the same problem. I figured out that Facebook was refusing my shortlinks, which makes me a bit mad...but I get the point because its possible that shortlinks can be used to promote malicious content...so if you have shortlinks as part of your test, replace them w the full url...
I believe this message is encountered for one of the two reasons :
Your post contains malicious links
You are trying to make a POST request over a non-https connection.
The second one is not confirmed but I have seen that behavior. While same code in my heroku hosted app worked fine, it gave this #368 error on my 000webhost hosted .tk domain which wasn't secured by SSL
Just in case anyone is still struggling with this, the problem occurs when you put URLs or "action links" that are not in your own app domain, if you really need to post to an extarnal page, you'll have to post to your app first, then redirect from there using a script or something. hope that helps.
also it's better in my opinion to use HTTPS links, as sometimes i've seen a behaviour where http links would be rejected, but that's intermittent.
I started noticing that recently as well when running my unit tests. One of the tests I run is submitting a link that I know Facebook has blocked to verify that I handle the error correctly. I used to get this error:
Warning: This Message Contains Blocked Content: Some content in this message has been reported as abusive by Facebook...
But starting on July 4th, I started receiving this error instead:
(#368) The action attempted has been deemed abusive or is otherwise disallowed'
Both errors indicate that Facebook doesn't like what you're publishing.
I am sending get httpwebrequests to the facebook graph api and all was working fine till I deployed to production server and now module that expects html/xml response is not working and when tested url in internet explorer, the save file dialog pops up and the file needs to be saved.
Other modules also send requests to the facebook graph but just differ in the form of requests so not sure what is going on here.
Any ideas appreciated
Edit:
Let me try and rephrase this. On my production server the httpwebrequest was not returning the correct result. So to Test it I copied the url http://graph.facebook.com/pepsi which is an example, should return the profile info viewable in the browser. The server has internet explorer v8 and I am not sure why it tries to download the file instead of displaying it in the browser. this is what is happening in my code and when I make a request to a different part of the api, then it works in my app but not in the browser
Your question is not very clear. From what I gather, you want the display the JSON response in a browser. Instead, you are being asked to download a file by the browser.
Well, this is normal behaviour. The response you get from Facebook would most likely have a MIME type of application/json. Most newer web browsers display the text in the browser itself. Some browsers, however don't know how to handle this content type and just ask you to download the file.
You mentioned that your module expects an html/xml response. Try changing this to application/json.
You also said that it works in your app but not in your browser. I don't know what you're making, but generally you wouldn't show raw json to the user in a browser, right?