How can get userToken parameter for auth GDK from callback url - google-glass

I cannot get "userToken" parameter from the redirected callback url.
Under Glassware GDK authorization guideline like below I should have seen “userToken” parameter on redirected callback url after turned on our glassware.
GDK Authentication Process
When users turn on your Glassware in MyGlass, they are redirected to your authentication URL. These requests include a query parameter named userToken that you need to use later.
However, when i debug the redirected callback url on callback server, there had just "code" parameter.
It looks like the successful authorization flow of Mirror API under Glassware Mirror API authrization guideline like below. (Not Glassware GDK authorization flow)
Authenticate the user
This initial sign-in returns an authorization result object that contains an authorization code if successful.
I insert the informations like below on glassware submission web page.
Client ID = Client ID for Service Account
Authorization URL = https://accounts.google.com/o/oauth2/auth?response_type=code&scope=https://www.googleapis.com/auth/userinfo.profile+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/drive.file+https://www.googleapis.com/auth/glass.timeline+https://www.googleapis.com/auth/glass.location&redirect_uri=http://www.aaa.com/auth/google/callback&access_type=offline&approval_prompt=force&client_id=Client ID for web application
Package Name = Package Name from AndroidManifest.xml.
What i have to fix for getting "userToken" parameter on redirected callback url ??

The ?userToken= query parameter is not retrieved from the OAuth 2.0 redirect callback but from the URL that MyGlass uses to open the pop-up.
If the URL you gave the review team was something like https://www.example.com/auth, MyGlass will open a pop-up with this URL https://www.example.com/auth?userToken=<USER_TOKEN>. It is you responsibility to save this value until you can fully process the request.

Related

Sveltekit newly created cookie is not showing in the hook's getSession() function

Summary
Hello everyone, as in this topic, I'm experimenting issues with my newly created cookie. I'm implementing Oauth2 to authenticate with Discord account in my SvelteKit project.
The flow is as follows:
User clicks on index.svelte hyperlink which redirect to /api/auth endpoint in my app.
The /api/auth endpoint is managed by auth.ts which makes a request to Discord Authentification Endpoint using my ClientID, RedirectURI (/api/callback) and Scope identify
Discord redirects to my callback endpoint /api/callback with a code set in the url, that a retrive using url.searchParams.get('code')
Then my callback function redirect the user to my main index.svelte file by setting a cookie containing the code sent by discord, I coded it to create the cookie no matter if the code is correctly retrived or no so I would know if the problem was here
In my index.svelte file, I call the getSession in hooks.ts to retrieve the cookie value and console log it.
The attended behavior is that after my callback redirection, the cookie should appear on the main page and it's value printed to my console. Which is not the case.
Instead I have to refresh my index.svelte page to get the cookie.
The link code to access /api/auth endpoint from index.svelte:
<a rel="external" href="/api/auth">
Connexion
</a>
All my redirections are set with a status code of 302.
Reproduction
You can find all my files at pastebin.com by following this link.
Anyone got an idea ?

Need Help to do Login authentication oauth2.0 while load testing

I have a BlazeMeter Pro account and I am stuck on the step I try to record in Jmeter and also try with BlazeMeter recording but not able to do it.
Now flow is I have to login into the system and perform the operation, we implement oAuh2.0 from the development side to authenticate the user from the Gmail and we face issue while record script that user is not able to authenticate to login when you hit with single or multiple users.
to authenticate I need all the below parameters and I have all details but now in Jmeter or BlazeMeter, I do not understand where I add all details.
client_id=
client_secret=
refresh_token=
grant_type=refresh_token
we are implementing a following steps at record time
Load a respective URL and open Gmail Login page
After Enter email and password page is redirect and particular website will be display
After enter user name and password on the website UI is display.
Please guide me on how I implement this and process my flow for load testing.
As per Google documentation in OAuth 2.0 for Client-side Web Applications you need to
Send a request to https://accounts.google.com/o/oauth2/v2/auth with:
client_id
redirect_uri
response_type
scope
parameters.
This request you should be able to record using your favourite recording option.
In your case you need to change this redirect_uri to some web server which you control as you will receive the token there in form of https://your_redirect_url_here/callback#access_token=your_token_will_be_here&token_type=Bearer&expires_in=3600
It's a good idea to use HTTP Mirror Server for this purpose.
Once you get the token you will be able to add HTTP Header Manager and configure it to send Authorization header with the value of Bearer ${your_token}
More information:
OAuth 2.0 Documentation
OAuth 2.0 Playground (if your application uses different flow you can replicate it there and see relevant requests/responses which can be later on implemented in JMeter)

How can I get a response when calling Slack's oauth/authorize?

When I try to make the following call using postman I get no response: https://slack.com/oauth/authorize?client_id={{client id}}&scope=chat:write:bot
However, when I try it without the scope I do get a response, saying I need to add a scope.
I've put this call together according to the first step of https://api.slack.com/docs/oauth
I've tried using both GET and POST verbs and my header is empty.
What can I do to get a authorization token for Slack?
This is part of the OAuth flow/spec.
What you need to do to is follow/perform the OAuth flow:
Register your application with slack
Provide a redirect_uri - this is the callback URI - this callback/handler will be called with the authenticationCode by the slack OAuth server.
Only if the user authorizes your app, Slack will redirect back to your specified redirect_uri with a temporary code in a code GET parameter, as well as a state parameter if you provided one in the previous step.
It's true that the redirect url is optional, but if left out, Slack will redirect users to the callback URL configured in your app's settings.
the authenticationCode then needs to be changed in code to the accessToken.
So if all is well and user gave its consent, you need to exchange the authorization code for an access token using the OAuth.access API method (method documentation), int the following URL and retrieve your accessToken.
https://slack.com/api/oauth.access
if you decide to use a bot user and your Slack app includes a bot user, you will get an additional node containing an access token to be specifically used for your bot user.

OAuthException error in app center mobile authentication

I'm trying to do authentication from app center for mobile devices but I get this error when I try to exchange code parameter for access token:
{
"error": {
"message": "Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request",
"type": "OAuthException",
"code": 100
}
}
Auth token parameter is in Query String format because my app uses server-side authentication.
The url I'm calling is https://graph.facebook.com/oauth/access_token and the redirect_uri parameter I'm sending to is like the following one:
http://www.example.com?ref=app_directory&code=codefromfb&fb_source=appcenter_mobile&fb_appcenter=1
www.example.com is the value I've set in mobile site url field in app settings.
Authentication from app center for web it's ok.
I don't understand what it's wrong in redirect uri form mobile devices...
Could you help me?
I found this post referencing needing a trailing slash on the URI
redirect_uri error in oauth for facebook django app
I had the same error. I couldn't solve it but found a workaround:
I ignore the code param that is sent to my mobile web app by Facebook automatically; instead I make a request for code myself, then I exchange code for access_token using the same redirect_uri I used to request for code.
To make it easier to apply the workaround, in your app > settings > permissions, you can change Auth Token Parameter from query string to URI fragment. Then Facebook won't send you code param automatically--you will have to make a request for it--that's what is needed.
Another way to solve it is to implement client-side authentification flow using URI fragment or parse URI fragment at the client-side and send access_token to the server as a param. I didn't test this approach yet.
Redirect URLs that are working for app center authentication
desktop: http://www.example.com/?fb_source=appcenter&fb_appcenter=1
mobile: http://www.example.com/?ref=app_directory
(part fb_source=appcenter_mobile&fb_appcenter=1 should be excluded for mobile, I think that it's FB bug)
Where:
http/https - depends on request
www.example.com - you should use exactly same string as saved at application settings (https://developers.facebook.com/apps/YOUR_APPLICATION_NUMBER/summary) Domain name is case sensitive for Facebook (also bug)

Oauth2 code from mobile app

I'm writing an Android app which will authenticate itself using OAuth2 to a Web server under my control.
I'm using Apache Amber on the client side, and oauth2app with Django on the server side.
From the client, I can generate an authorization request, and start a browser Activity that goes to a page asking whether to allow the client access, and after answering in the affirmative, redirects to a page with a "code" parameter.
But how do I get the "code" back to my client, in order to make the subsequent access_token request?
Do I need to bypass the browser entirely? How would that work?
I believe you have a couple of choices here.
The redirect_uri parameter will indicate to the server where it should send the code.
From the ouath2app docs:
If a request is authorized, Authorizer:grant_response() will serialize an object into a JSON response will return a redirect response to the client’s redirect_uri with information on the authorization code passed as query string parameters (response_type CODE) or access token passed as URI fragments.
So armed with that:
If that value is a location on your server, then your mobile browser is going to get the value as part of the redirect. Specifically, you're trying to read the URI fragments in the redirect. I believe this is the intended usage for an application like yours. This blog post seems to have code that might be relevant, under the section "Retrieving the access token".
Alternatively, as you pointed out, you could send the token to a different handler on your server, and then pass it back to your client. It must the callback URL defined in the service.
I found a different blog post, specific to OAuth 2:
http://blog.doityourselfandroid.com/2011/08/06/oauth-2-0-flow-android/
The trick is to fire up a new Activity whose content is provided by a WebView (rather than a layout). You can attach a handler to the WebView that's called on the redirect to the page containing the "code" parameter.
Some of the specifics in the blog post concern Google APIs, but so far my experiments suggest that it will work in my situation.