I want to develop a Django application to send message thr google c2dm server to andriod device.it uses OAuth2 to authorization.
first i got the credentials and store it in the storage as storage and then i want to get the credentials from
storage and send this credentials together other params and headers to c2dm api.
i could get the credentials for scope https://android.apis.google.com/c2dm and store it in storage.
please some one guide me,how can i make the request with credentials and send to https://android.clients.google.com/c2dm/send to deliver.
Thanks in advance,
I suppose you've been able to perform step 2 Exchange authorization code for tokens on Google OAuth 2.0 Playground. Then you should have acquired a refresh token and an access token (if you didn't receive a refresh token, verify that you have checked Force approval prompt and selected offline for Access type in the OAuth 2.0 Configuration.
The access token will expire after some time (usually 1 hour), but the refresh token does not. The refresh token (together with the OAuth Client ID and the OAuth Client secret) can be used to obtain a new access token:
curl --data-urlencode "client_id=OAuthClientID"
--data-urlencode "client_secret=OAuthClientSecret"
--data-urlencode "refresh_token=RefreshToken"
-d "grant_type=refresh_token" "https://accounts.google.com/o/oauth2/token"
(Replace OAuthClientID, OAuthClientSecret, RefreshToken). For futher reading refer to: Using OAuth 2.0 for Web Server Applications - Offline Access
Now you can use this access token and the registration ID of the device to send messages to that device using C2DM:
curl -k -H "Authorization: Bearer AccessToken"
--data-urlencode "registration_id=RegistrationID"
--data-urlencode "collapse_key=0"
--data-urlencode "data.message=YourMessage"
"https://android.apis.google.com/c2dm/send"
(Replace AccessToken, RegistrationID and YourMessage)
Related
Hy Everyone, I was stuck while authorizing the service provider after its successful creation. Let me explain to you I created the service provider using this API set( https://is.docs.wso2.com/en/latest/apis/application-rest-api/#/Applications/createApplication).
I added users to it. Once the successful creation of the service provider I get the clientId and secret key. After that I use that clientId and secret key to get the access and refresh token (cool so far), to get the access token and refresh token I use this curl request.
curl -u <client_id>:<secret_id> -k -d "grant_type=password&username=admin#easybazaar.co&password=admin" -H "Content-Type:application/x-www-form-urlencoded" https://<ip>/oauth2/token
once I have the access token I give it to the user (frontend team) to store it in his/her storage session. Now user wants to access some resources like the list of activities, he/she also sends that access token in the header of that request as a bearer token like;
curl -k http://localhost:8080/activities -H "Authorization: Bearer <access-token>
Now I want to authenticate that access token and check its validation and expiry. I explore the introspection API which requires the username and password, but the client doesn’t provide it in each request.
curl -k -u <USERNAME>#<TENAND_DOMAIN>:<PASSWORD> -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=<ACCESS_TOKEN>' https://<IS_HOST>:<IS_PORT>/t/<TENANT_DOMAIN>/oauth2/introspect
So How can, I achieve it, is there any set of APIs available for this task?
Any help will be appreciated.
I am not taking any username and password from the user to apply introspect APIs, should I take email in the token while creating the service Provider, so by using this email I will look into user inside my database and fetch the credentials and then hit the introspection APIs.
Seems like this is not there in older versions of IS and was introduced from IS 6.0.0 onwards. Found this migration issue.
If you are unable to migrate to IS 6.0.0, what I could recommend you is that, create a user with the permissions to introspect tokens only (this user will only be used for token introspection) and use that username and password to authenticate the introspect request.
Edit:
For IS 6.0.0 you can use the following basic config.
[[resource.access_control]]
context="(.*)/oauth2/introspect(.*)"
secure = "true"
http_method = "all"
cross_tenant = true
allowed_auth_handlers="BasicClientAuthentication"
Or you can use the advanced configurations as follows.
[[resource.access_control]]
context="(.*)/oauth2/introspect(.*)"
secure = "true"
http_method = "all"
cross_tenant = true
cross_access_allowed_tenants="carbon.super"
allowed_auth_handlers="BasicClientAuthentication"
permissions=["/permission/admin/manage/identity/applicationmgt/view"]
scopes=["internal_application_mgt_view"]
I am trying to access to an API that uses OAuth2 authentication with the Refresh Token grant.
So, to request this API, I need a Client Id, a Client Secret and a Refresh Token.
Using https://console.cloud.google.com/apis/credentials, I created a new OAuth 2.0 Client ID, which gives me a Client Id and a Client Secret.
But I struggle generating a Refresh Token.
By looking at this article, it looks like I need to execute the following POST query :
curl -X POST -d "code=[CODE]&client_id=[CLIENT_ID]&client_secret=[CLIENT_SECRET]&redirect_uri=[REDIRECT_URI]&grant_type=authorization_code" https://oauth2.googleapis.com/token
To retrieve the CODE parameter, I need to do another call to this URL : https://accounts.google.com/o/oauth2/v2/auth?scope=[SCOPE]&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=[REDIRECT_URI]&client_id=[CLIENT_ID]
This call opens the Google login page.
However, I don't know how to log in with an OAuth 2.0 Client ID. I don't have an email linked to these credentials.
Am I following the correct steps to retrieve a Refresh Token in my use case, and if so, what am I missing here ?
How can I obtain a Spotify access token for my own user, but from Postman ?
I want to use Postman to fetch the access token from Spotify (without a preceeding manual log in).
If that's complicated, I would accept to manually log in first,
before fetching the token from Postman.
Details:
To get an access token (to be used further in my own Postman requests),
I manually have to get one, while logged in on the Spotify Developer website.
Therefore, I would like to obtain it directy from Postman,
where I could immediately use it further in other requests/tests.
How could this be achieved ?
I did define an app on Spotify (so I have the client_id and client_secret).
I also have tried sending the cURL suggested in this Client Credentials Flow (one of the Authorization flows). Unsuccessfully:
curl -X "POST"
-H "Authorization: Basic ZjM4ZjAw...WY0MzE="
-d grant_type=client_credentials
https://accounts.spotify.com/api/token
Postman actually has all the various types of Spotify auth requests nicely packaged up in an exportable set of requests.
Came across it while researching the same issue and came across their blog post on using PKCE instead of implicit OAuth2 flows.
As per google's docs, I'm generating my oauth access token like this:
export TOKEN=$(~/go/bin/oauth2l fetch -jwt -json ~/.google/my-service-key.json cloud-platform)
I'm then doing requests to Google's REST API like this:
curl -v -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d (...) $URL
The response I'm getting back from Google is that I'm not providing an OAuth token, when I clearly am:
Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
Other posts suggest to use gcloud auth application-default print-access-token instead of the OAuth token, but I know this to be the incorrect approach, as Google's API responds back that it wants a service account OAuth token and not an identity.
Any idea what's happening here?
Sometimes an old (bad) token gets cached from before you rotated the service_account.json.
Delete Cache
Try this:
rm ~/.oauth2l
Token vs JWT
And try getting an API token before you sign the JWT:
oauth2l fetch cloud-platform
Scope vs Audience
Also, the API token requires a scope (shown above), whereas the JWT requires an audience aud, which is a URL:
oauth2l fetch --jwt https://www.googleapis.com/auth/cloud-platform
ENVs
You may also want to make sure that you don't have competing configuration, see if GOOGLE_APPLICATION_CREDENTIALS is set.
echo $GOOGLE_APPLICATION_CREDENTIALS
unset GOOGLE_APPLICATION_CREDENTIALS
Or potentially use it instead of --json ./service_account.json:
export GOOGLE_APPLICATION_CREDENTIALS=$HOME/.config/google/service_account.json
HTH
I have successfully configured the API Manager, ID and IS according to the documentation: https://docs.wso2.com/display/AM260/JWT+Grant#JWTGrant-UsingtheJWTgrant.
I invoke the WSO2 token endpoint to exchange an external JWT for a WSO2 access token:
curl -i -X POST -k -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6WyJ3c28yIl0sImVudmlyb25tZW50Ijp7InByb2ZpbGVzIjpbImRldiJdfSwiYXV0aCI6eyJyb2xlcyI6WyJVU0VSIiwiQURNSU4iXX0sInVzZXJfbmFtZSI6IjAwMDAwMDk5Iiwic2NvcGUiOlsib3BlcmF0ZSJdLCJpc3MiOiJQQVMiLCJleHAiOjE1NDUzNDgyODcsImdlbmVyYXRlZEJ5IjoiUEFTIiwianRpIjoiOWQ4ZWU3ZTgtNDBlZS00MTZjLTlkYjgtYjU2NDZhYTZhN2JmIiwiY2xpZW50X2lkIjoiZnJvbnQtcG9saXphcyJ9.Ccs1OxjteRsvHTump-ZTawEsqlTrIeO0LJUzt5Ita8udvMOa_tB1rHOtI8GAa2mDCPMD_Z_jtZ2SlXPs10GvsYlF4jS_wcCVAPtHsoigzuNtg5t7CVfeCI2Bzhak721LdYBcjB9s0Jn24G9eb2jqx8NF0RPlKgmhbxwdY0b8XeigLp-kGCsFKY_fDIjFUM0oifzCWOmtaCRMtMx3CKVZOWq9dBIokheCi2foL8YkBCz57yo4vb782AYWXdiHj38TPPe4IguARuoc9FSymyiL1gWHJmyMZFvAeAJkDnHHEnnezqPmcWQweC1ylLwUYGNVLM8YSfuBDtcGBWSO0F-WKw' -H 'Content-Type: application/x-www-form-urlencoded' https://localhost:9443/oauth2/token -d 'client_id=w_paekjnDDY8zcCfCRgj_81g2eYa'
This answers successfully with an access token, a refresh token etc etc.
I have created an application in the WSO2 APIM store. In the production/sandbox tabs, the only checked Grant Type item is JWT.
The point is, I use the previously gotten access token (which is itself an JWT token) to invoke an API subscribed with the above application:
curl -k -X GET "https://192.168.179.129:8243/myapp/api/v1/customers" -H "accept: application/json;charset=UTF-8" -H "Authorization: Bearer eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6IndfcGFla2puRERZOHpjQ2ZDUmdqXzgxZzJlWWEiLCJuYmYiOjE1NDUzNDgxOTgsImF6cCI6IndfcGFla2puRERZOHpjQ2ZDUmdqXzgxZzJlWWEiLCJzY29wZSI6ImRlZmF1bHQiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJleHAiOjE1NDUzNDgyODcsImlhdCI6MTU0NTM0ODE5OCwianRpIjoiNjRlM2I5N2UtOTNlNC00YzQ2LThlNmQtMzlmZjQzOWQxM2Y0In0.UBLOsCCD3t4Wf8nXBnDkkGXxefYySelDzEcs1F_IrbshMJXohxcL92Av1nmcpdNdjin7GdC8Y305rrkBt9T1L_cMAHLYYcI5cI1J7wmAgEd1CEv9gI7IUYfAdbga2AeV4kIlNsgiV6PKnU34WnY7rEVqXD908eEHY5UvaNXc0Bz6C8d-p39-SqKUblGHPh9vdkpcCGcK0CgGKjtiU2lai_JkRALdgEgonT37R5eqmuxPxUouWNz9TCJgTuonKPA-9bYOsMvbzGlm--0m0j9gdxnv-3N1Kv_2JqSCR4pToDClhSKgFCE1L025LIICM-sLd_PDU5pwYge_iKseiIDZfA" -d 'client_id=w_paekjnDDY8zcCfCRgj_81g2eYa'
I get the following error (900908) - Resource forbidden:
<ams:fault xmlns:ams="http://wso2.org/apimanager/security"><ams:code>900908</ams:code><ams:message>Resource forbidden </ams:message>
<ams:description>Access failure for API: /myapp/api/v1, version: v1 status: (900908) - Resource forbidden </ams:description></ams:fault>%
I must be missing the final step which is how to allow those access tokens gotten in the JWT grant to be used to access an API subscribed by an application.
The error code 900908 means the API is not subscribed by the application. Please double check.
Technically Bee was right in his answer, but I would like to point specifically at what I was doing wrong in case it happens to others:
The problem was that the client_id/client_secret I was using when exchanging the JWT to get the access token were the ones from the Service Provider I had created. WRONG!
The ones was that need to be sent are those from the subscribed application. With that the resource forbidden error doesn't show up anymore.