so I am trying to request an authorization code from smartsheet using postman.
I created a new app on my smartsheet with the following url:
app url: https://localhost:3000/
redirect url: https://localhost:3000/callback
so I tried to use the
GET https://app.smartsheet.com/b/authorize
and input my client id, scope, repsonse_type, and state in postman
the result says there is an error and it did not direct me to a page where I am able to allow authorization.
I am expecting something similar to what the website says (http://smartsheet-platform.github.io/api-docs/#access-levels). I am not sure which part I did was wrong, I am wrong home for this volunteer work hence I do not have an appropriate url. I don't know if it's my urls that are causing the problem or there's something else.
thank you guys in advance
If you are building out the Smartsheet OAuth flow you will need to have a hosted environment where you can have requests sent and be able to open a page in a browser to authenticate to the Smartsheet account and select the Allow button to confirm the access token should be created and returned to your application.
For development purposes you can use a service like ngrok to create a publicly available URL for your localhost which will allow you to send and receive the necessary data from Smartsheet in your development environment.
Authorization tokens cannot be generated from the API - you must do them from the website. From the API documentation:
Click the "Account" button in the upper-right corner of the Smartsheet screen, and then click "Personal Settings".
Click the "API Access" tab.
Click the "Generate new access token" button to obtain an access token.
Related
I am having a hard time making a Cloud Run app that would serve as an internal API for employees (no frontend).
This would have endpoints like: POST api.mydomain.com/post-some-data where i want to pass some body parameters.
After IAP is setup and applied through a Load Balancer, I can enter the url in a browser and a consent screen appears. I log in with an account that has permissions and the relevant code runs as expected.
BUT
When trying with Postman, having the OAuth2 set as Authentication, setting all the token configurations etc - I get a consent screen in the browser as expected. After authentication I get a Access Token back to Postman in the format ya28.a0 ... w0123. When clicking "SEND" it returns
Invalid IAP credentials: Unable to parse JWT
My question
What is required to reach the endpoint (code/app) with the given OAuth header after consent? It works from the browser directly but not through Postman after getting the Access Token from browser consent. The endpoint/app is not reached at all from my understanding. So I cant break down the header in the endpoint-code as far as I know.
The goal is to be able to pass body parameters and having a nice shared API collection in postman. And that cant be done in the same way directly through a browser.
Thanks,
I've set up all the necessary steps in GCP for a Cloud Run app secured by IAP.
I've made sure a simple endpoint works as expected directly through a browser + consent screen.
I've successfully made Postman OAuth2 go through my consent in GCP and ask for auth.
I've got an Access Token back to Postman before sending the request.
I'm trying to understand the process of login to a website using the Network tab on Google Chrome because I have to use that process for autenticate accounts on an mobile application.
The login is completed when I reach the page "HomepageStudente.do", but I don't understand how to replicate all this on Postman. I've tried to do this:
Right-click on the SSO request
Copy as Curl (bash)
And it seems to work, but when I do the same thing with the second request (POST) I get a different message compared to the one on the Network tab.
Those 3 calls are based on automatic redirect by the browser, and I don't understand how to replicate it on Postaman. Is this possibile to do? Any other suggestion on how to use those requests for authenticate an account outside the website (example mobile app)?.
Thanks
I am hitting a wall while developing seamless integration of a Facebook page with my bot.
Essentially I want to achieve same integration than Chatfuel or Manychat have, where being logged in with your Facebook account lets you to just choose what page you are connecting to them and you are good to go.
The problem I am facing is generating the proper token in order to bind the selected page to my app (bot). As per Facebook documentation:
When you create a subscribed_apps edge, the page-id you use in endpoint must match the page ID of the page access token used in the API call. The app that the access token is for is installed for the page.
Given the call has no other parameter than the access token, this access token has to be enough for Facebook to:
Authorize the action on the page.
Identify what app is being subscribed to the page.
This is confirmed while using the Facebook Graph API Explorer, where one selects the page and the app to bind and a proper access token is generated:
This token properly works using cURL in the terminal:
$ curl -X POST 'https://graph.facebook.com/v3.0/<MY_APP_ID_HERE>/subscribed_apps?access_token=<TOKEN_PASTED_FROM_GRAPH_API_EXPLORER>'
{"success":true}
With the Facebook Access token debugger (info icon on the left of the access token, then open in Access token tool), it is confirmed that the token knows about both the page and the app that have to be connected.
The question is, how are these page-app related token programmatically produced? I can't seem to find the proper API call in Facebook documentation and it is by all means possible, as Chatfuel and Manychat are doing this.
Thanks in advance for your support Lars Schwarz and community!
Adding some detail to Alex's answer, for it to be more complete.
When subscribing an app to a page, Facebook needs to:
Know what app you are talking about.
Know what page you are talking about.
Know that you have permissions on that page to subscribe an app.
How does Facebook know it all?
1 comes from the fact that Facebook login happens in the context of a page, actually, the Javascript code for Facebook contains your appId:
js.src = 'https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v3.0&appId=<YOUR_APP_ID_IS_HERE>&autoLogAppEvents=1';
2 Comes from the page_id in the URL used to subscribe apps to pages:
https://graph.facebook.com/v3.0/YOUR_APP_ID_HERE/subscribed_apps?access_token=YOUR_ACCESS_TOKEN_HERE
3 Comes from the access token, obtained in the context of an APP through Facebook login, that is passed as parameter in the URL used to subscribe apps to pages:
https://graph.facebook.com/v3.0/YOUR_APP_ID_HERE/subscribed_apps?access_token=YOUR_ACCESS_TOKEN_HERE
To do this, you need to put FB Login on your site/customer portal and request pages_messaging and manage_pages permissions. The person that logs in must be a Page Admin.
Once your app has been granted that permission for the page, you can generate a page access token as described here:
https://developers.facebook.com/docs/pages/access-tokens
I'm having problems with Get New Access Token for Postman and SmartSheet.
All URLS are prefixed with https:// but StackOverflow would not allow that.
Callback URL: www.getpostman.com/oauth2/callback]
Token Name: Test
Auth URL: app.smartsheet.com
Access Token URL: app.smartsheet.com/token
Client ID: used the one provided when registering my app with SmartSheet
Client Secret: used the one provided when registering my app with SmartSheet
Scope: blank
Grant Type: [Authorization Code]
When I click Request Token it takes me to the SmartSheet Login. After I login and close the SmartSheet browser I get Could not complete OAuth 2.0 Login.
Looking at your example the Auth URL is incorrect. That should be
https://app.smartsheet.com/b/authorize
Also, the Access Token URL should be
https://api.smartsheet.com/2.0/token
The Smartsheet OAuth2 flow also requires a Scope, so it can't be left blank in spite of what Postman says.
More information on all of this can be found in the documentation:
http://smartsheet-platform.github.io/api-docs/#oauth-flow
It is important to note that with all of this set correctly setting this up in Postman still won't work. This is due to the fact that the Smartsheet process of obtaining and refreshing the token Smartsheet requires clients to hash the authorization code (with a pipe and the app secret, using SHA256) rather than sending it in clear text. This is arguably non-standard, but is still within the OAuth2 spec. More information on this process is at the documentation I referenced above.
Unfortunately, it does not look like Postman supports these types of deviations from "vanilla" OAuth2. Depending on what you are trying to accomplish, you will either have to go though the steps of the process manually, or stand up a third-party app in a hosting environment. If you are simply looking to generate a token, this approach http://smartsheet-platform.github.io/api-docs/#direct-api-access may work for you instead.
If you are trying to test in Postman the Direct API approach works. http://smartsheet-platform.github.io/api-docs/#direct-api-access
Step 1) Go to your actual smartsheet "https":"//app.smartsheet.com/b/home" and under Account>Personal Settings>API Access -- Generate a token (copy it you wont be able to copy after you close)
Step 2) Get the url for your sheet. Right click on the sheet name tab and select Properties. Copy the the Sheet ID (ie 123456). Add it to the end of the url: "https":"//api.smartsheet.com/2.0/sheets/123456"
Step 3)The most confusing one in my opinion. In Postman select No Authorization. Then go and update the header with "Bearer 0da6cf0d848266b4cd32a6151b1". You have to have the word Bearer and the randomly generated string of numbers is from Step 1.
Then send the get request and you get your sheet back in json format.
How can I setup PAW to work with Facebook locally for development? Or even at all for that matter?
I have a node.js backend that I'm setting up with Facebook Auth. Every one of my routes needs the user to be logged in. I have two endpoints related to FB Auth. localhost:3000/api/v1/loginFB and localhost:3000/api/v1/callbackFB. Both of these work great in a web browser.
loginFB simply returns this string... https://www.facebook.com/dialog/oauth?client_id=523534457345&redirect_uri=https://localhost:3000/api/v1/callbackFB&scope=email,public_profile,user_friends.
When I call that URI in a browser, it returns a code=blahblah which my callbackFB endpoint uses to fire off another request to get the access token. All good.
So now in PAW I'm confused by the difference between the request URI and the Authorization URL text field? Should I use the loginFB URI for my request URI? And then https://www.facebook.com/dialog/oauth in the Authorization URL textfield?
Basically what's happening is that when I click Get Access Token, it returns the code but my callbackFB endpoint 500's by saying "This authorization code has been used." The code that it's getting returned is definitely different each time I Get Access Token.
This is where I'm at with this thing (Client ID and Client Secret are actually my App ID and App Secret from fb's dev management site, and the Access Token URL is actually set to https://graph.facebook.com/v2.3/oauth/access_token which I'm 99% sure is the correct URI):
This is the error I get when I click Get Access Token button:
It would be awesome to get some advice from anyone with experience with this issue. Thanks.
Re: #MichaMazaheri
tl;dr Fixed in version 2.2.2
Sorry for the super late follow-up. We actually fix this exact issue in Paw 2.2.2, which is already released on our website, and pending review for the Mac App Store. (It was some JSON vs. Form URL-Encoded parsing issue). Thanks for reporting.