i used a sample code of OAuth2 access using clientid for native application. I sent in a scope for the following:
"https://www.googleapis.com/auth/admin.directory.user"
But for some reason, i'm not presented with the acceptance for the end user. If i sent in this, i do get the consent message popup in the browser.
"https://www.googleapis.com/auth/admin.directory.orgunit"
Can you tell me what i'm missing here?
I got it to work actually. I was found that there was security under user account that i needed to revoke so new one can be accepted.
Related
I am building a frontend client for Jira and am running into some conflicting authentication methods I think.
I have setup the OAuth2 authentication method for logging in and hitting the Jira API. I have a button on a login page that redirects to Jira, you log in, hit "allow" and are redirected to my app. This step completes fine, I have a token and a secret and can make api calls just fine.
Next, I make an api call to get the user data, which returns fine. One of the pieces of data is a set of avatar urls. I put one of the urls into my site's markup. Here is where the problem begins.
If my browser session that I used to login is still active, I get an avatar. BUT if not, I get an "anonymous" avatar from Jira.
All the while, my OAuth token/api calls all seem to return fine.
This makes sense as Jira is using cookie based auth and I am not. So if that cookie dies in my browser, the call to the image will fail.
My ultimate question is how to handle this? Is this my responsibility to put an expiration on the token? What happens if they select "Stay logged in"? I don't think I get that knowledge on the OAuth side.
I kind of feel like I am missing something but I cannot figure out what. This seems like a problem that has been fixed or isn't even really a problem.
One solution would be just to switch to a cookie based authentication but OAuth seems more secure.
I've also tried directly hitting it from my server but that also yields an anon avatar. As does a curl with the access token. Maybe I didn't provide it in the correct way?
Any thoughts or ideas on this would be greatly appreciated. Thanks in advance.
I use Google oAuth for my REST API. I used Postman to test this. It seems everything correct, but getting "couldn't complete Oauth2 Login" error from postman.
Google developer console
From Postman:
Im not sure what Iam doing wrong here. Please help me
[UPDATE] Actually I missed specify scope which is required, because the client id is created for specific scope.
Actually I missed the scope which is required, because the client id is created for specific scope. After I specify the scope as below then its working
https://www.googleapis.com/auth/userinfo.email
Even I was facing the same issue while setting up oauth 2.0 for google APIs.
After adding scope it resolved.
Scope can be : https://developers.google.com/gmail/api/auth/scopes
FYI:
Auth URL: https://developers.google.com/gmail/api/auth/scopes
Access Token URL: https://www.googleapis.com/oauth2/v4/token
Grant Type : Authorization code.
Hope this information helps.
there
I'm not really sure that is the same case, but we used to have something similar.
After the postman update we had problems with receiving token. The thing that helped was 'reinstall of the postman' itself.
After the update they've got many issues (postman i mean).
Hope that helps.
How can I setup PAW to work with Facebook locally for development? Or even at all for that matter?
I have a node.js backend that I'm setting up with Facebook Auth. Every one of my routes needs the user to be logged in. I have two endpoints related to FB Auth. localhost:3000/api/v1/loginFB and localhost:3000/api/v1/callbackFB. Both of these work great in a web browser.
loginFB simply returns this string... https://www.facebook.com/dialog/oauth?client_id=523534457345&redirect_uri=https://localhost:3000/api/v1/callbackFB&scope=email,public_profile,user_friends.
When I call that URI in a browser, it returns a code=blahblah which my callbackFB endpoint uses to fire off another request to get the access token. All good.
So now in PAW I'm confused by the difference between the request URI and the Authorization URL text field? Should I use the loginFB URI for my request URI? And then https://www.facebook.com/dialog/oauth in the Authorization URL textfield?
Basically what's happening is that when I click Get Access Token, it returns the code but my callbackFB endpoint 500's by saying "This authorization code has been used." The code that it's getting returned is definitely different each time I Get Access Token.
This is where I'm at with this thing (Client ID and Client Secret are actually my App ID and App Secret from fb's dev management site, and the Access Token URL is actually set to https://graph.facebook.com/v2.3/oauth/access_token which I'm 99% sure is the correct URI):
This is the error I get when I click Get Access Token button:
It would be awesome to get some advice from anyone with experience with this issue. Thanks.
Re: #MichaMazaheri
tl;dr Fixed in version 2.2.2
Sorry for the super late follow-up. We actually fix this exact issue in Paw 2.2.2, which is already released on our website, and pending review for the Mac App Store. (It was some JSON vs. Form URL-Encoded parsing issue). Thanks for reporting.
I've tried do develop automatic code that would fetch data from ads campaigns under account. My plan is to have server that would query every day to get data from impressions/clicks/costs of ads and save it for later use.
I use https://developers.facebook.com/tools/explorer to get access_token for getting data (insights) from those campaign pages but when I log out to try offline_access it tells access_token is old, cause of password change or access_token getting outdated.
Isn't the whole point of offline_access to grant acccess when user is not logged in?
And besides that.. what's with most of my calls ending having reply as follows:
"(#294) Managing advertisements requires the extended permission ads_management, and a participating API key"
I've given access_token that has ads_management, but I have no idea what this Participating Api key even means. Do I need to add this to url call or something? Where do I get this Api Key?
Edit: I want to be able to get data from add campaign pages, so I'm not talking about Apps in page
You will want to read up on the deprecation of the offline_access here: https://developers.facebook.com/docs/offline-access-deprecation/
But most importantly follow the guide here on how to handle invalid access tokens:
https://developers.facebook.com/blog/post/500/
You app is to monitor the error messages coming back from the API and handle it gracefully.
I have the same issue and I found this bug can be reason of our problem. It's already accepted and assigned, but still not solved. I hope it's really bug and not a secure hole, that was closed :)
We have an application that allows to users publish content to their friends wall.
It uses the user's access_token given our application.
It works stable usually, but for some reason for one of our clients it doesn't work at all.
We've checked permissions several times, removed-added them again, but still no result.
There is no error message or something, everything looks fine, complete the action, but no posts published in fact. And it doesn't work only for one person.
What possibly can be a problem?
Updated: The problem is actually in this OAuthException:
Error validating access token: Session does not match current stored
session. This may be because the user changed the password since the
time the session was created or Facebook has changed the session for
security reasons.
We tried to get access token one more time, but that didn't help. Somebody familiar with this issue?
your user might forbid people/applications to post on his wall.
"There is no error message or something, everything looks fine, complete the action, but no posts published in fact."
Are you sure about this? You should be getting back a unique stream id of the feed item just posted.
Facebook frequently changes its policies that sucks!
Now, you need permission to access the wall.
You need to check if the user has permission to access your application / wall page. if user hasn't got permission then you need to ask for permission before message is streamed. Yes, that's true, it won't display any error message, unless you manually debug this to see where it is stopping.
My suggestion is:
1. use FB.login method to verify, if the user is not logged in then he should login
2. verify the user permission for the wall page
FB.api('/id', function(response){});
3. publish / stream the comments on wall
FB.api("/id/feed", 'post', { ... blah blah blah !
edits:
At FB.login method, you should ask for permisions
e.g. FB.login(function(response) {..} ... ,{scope: 'offline_access,publish_stream'});