I am trying to retrieve 'Access Token' using 'Authorisation Code' grant type using Ping Federate.
Ping federate is configured with
Callback URL,
Auth URL,
Access Token URL,
Client ID and Client Secret
Scope: openid
But when i try to request for Access token using Postman 'Get Access Token' feature, i am getting below error.
"The global default access token manager is not available for the selected client and authentication context"
I have configured Access token manager to the client.
Anybody have come across such error and would appreciate if you could help with this.
PingFederate Logs:
entityId: devenuat (null)
virtualServerId: null
Binding: oauth:authz
relayState:
params: {code=IVFUPjrUIMYVP8Djti9Bkwz3gLDbygS5_nMAAAAC, state=}
Endpoint: http://ec2-34-255-9-65.eu-west-1.compute.amazonaws.com:8080/authentication/login?code=IVFUPjrUIMYVP8Djti9Bkwz3gLDbygS5_nMAAAAC&state= <http://ec2-34-255-9-65.eu-west-1.compute.amazonaws.com:8080/authentication/login?code=IVFUPjrUIMYVP8Djti9Bkwz3gLDbygS5_nMAAAAC&state=>
SignaturePolicy: BINDING_DEFAULT
2019-11-29 11:20:35,305 DEBUG [org.sourceid.servlet.HttpServletRespProxy] adding lazy cookie Cookie{PF=hashedValue:26e1qHIcgNhYfWhMIqK35xMF_mU; path=/; maxAge=-1; domain=null} replacing null
2019-11-29 11:20:35,305 tid:26e1qHIcgNhYfWhMIqK35xMF_mU DEBUG [org.sourceid.websso.servlet.ProtocolControllerServlet] ---REQUEST (POST)/as/token.oauth2 from 92.123.73.225:
---PARAMETERS---
code:
IVFUPjrUIMYVP8Djti9Bkwz3gLDbygS5_nMAAAAC
grant_type:
authorization_code
redirect_uri:
http://ec2-34-255-9-65.eu-west-1.compute.amazonaws.com:8080/authentication/login <http://ec2-34-255-9-65.eu-west-1.compute.amazonaws.com:8080/authentication/login>
client_id:
devenuat
Related
I am trying to run a simple report on GA4 by using Google Analytics Data API Python client with a regular user credentials:
request = RunReportRequest(
property=f"properties/11111",
dimensions=[Dimension(name=f['name']) for f in report_definition['dimensions']],
metrics=[Metric(name=f['expression']) for f in report_definition['metrics']],
date_ranges=[DateRange(start_date=date, end_date=date)],
)
response = client.run_report(request)
And the client is BetaAnalyticsDataClient as also mentioned in the documentation:
credentials = Credentials(
token=None,
refresh_token=config['refresh_token'],
client_id=config['client_id'],
client_secret=config['client_secret'],
token_uri="https://accounts.google.com/o/oauth2/token",
scopes=["https://www.googleapis.com/auth/analytics.readonly"]
)
client = BetaAnalyticsDataClient(credentials=credentials)
It is not a Service Account so I am using google.oauth2.credentials.Credentials class as same in other Google APIs.
However, this operation is throwing an exception during the run_report function:
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNAVAILABLE
details = "Getting metadata from plugin failed with error: ('invalid_grant: Bad Request', {'error': 'invalid_grant', 'error_description': 'Bad Request'})"
debug_error_string = "UNKNOWN:Error received from peer analyticsdata.googleapis.com:443 {created_time:"2023-01-14T14:12:10.907813+03:00", grpc_status:14, grpc_message:"Getting metadata from plugin failed with error: (\'invalid_grant: Bad Request\', {\'error\': \'invalid_grant\', \'error_description\': \'Bad Request\'})"}"
>
And when I try to use my access token in the credentials:
credentials = Credentials(
token=config["token"],
refresh_token=config['refresh_token'],
client_id=config['client_id'],
client_secret=config['client_secret'],
token_uri="https://accounts.google.com/o/oauth2/token",
scopes=["https://www.googleapis.com/auth/analytics.readonly"]
)
This time I am getting following error:
google.api_core.exceptions.Unauthenticated: 401 Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
I am sure that my credentials is correct since I am using same account in my other repos.
Also, note that, I tried same operation with a service account and it does not give any error. However, for this purpose, I need to use a regular developer account since the OAuth flow is on a frontend project.
What are the suggestions on that issue? Is it possible to use a developer account in here and if yes, how?
I was able to fix the issue. The app just needs a sign-out sign-in (or refreshing the access token).
I'm trying to adapt the Qt Network Authorization OAuth2 example for Reddit to work with Azure AD.
I went to https://portal.azure.com/ -> Azure Active Directory -> App registrations then clicked "New application registration" and entered:
Name: QtNetworkAuthProject
Application type: Name
Redirect URI: http://localhost:1337/
I copied the resulting Application ID into the app then got the URIs from Authorization Code Grant Flow:
Authorization Code Request: https://login.microsoftonline.com/common/oauth2/authorize
Access Token Request: https://login.microsoftonline.com/common/oauth2/token
The first part appears to work; the webpage opens and asks me to authenticate the login. But then the token request seems to fail. My logging shows:
AzureWrapper::grant()+
setModifyParametersFunction(): stage = RequestingAuthorization
AzureWrapper::grant()-
statusChanged(): status = TemporaryCredentialsReceived
setModifyParametersFunction(): stage = RequestingAccessToken
qt.networkauth.oauth2: Unexpected call
qt.networkauth.replyhandler: Error transferring https://login.microsoftonline.com/common/oauth2/token - server replied: Bad Request
What have I done wrong?
Azure AD needs in either the authorization code request or in the access token request the App ID URI of the target web API (secured resource) that you want to use. (See https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code)
You can add this extra resource parameter in the authorization code request like this:
oauth2.setModifyParametersFunction([](QAbstractOAuth::Stage stage, QVariantMap* parameters) {
if (stage == QAbstractOAuth::Stage::RequestingAuthorization) {
parameters->insert("resource", "<App ID URI>");
}
});
I'm trying to authenticate against an App Service that I have defined in Azure Active Directory. When accessing it, I first get the access token and the continue with the rest of the OAuth procedure.
The problem, however, is that I can only get the token when posting the request via Postman. When I try to call the same URL, with the same data using an HTTP action in flow, it fails:
{
"error": "invalid_client",
"error_description": "AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: 67250fbf-ad20-47f1-b3a3-dbce1e813600\r\nCorrelation ID: f9eaaa13-cee3-4f5c-a96a-6846c4392dd9\r\nTimestamp: 2018-01-17 12:21:51Z",
"error_codes": [
70002,
50012
],
"timestamp": "2018-01-17 12:21:51Z",
"trace_id": "67250fbf-ad20-47f1-b3a3-dbce1e813600",
"correlation_id": "f9eaaa13-cee3-4f5c-a96a-6846c4392dd9"
}
This is how it is set up in Flow:
When executed in Postman it works just fine:
I cannot figure out why this doesn't work when running the request from within a Flow. Am I missing something in the HTTP action card configuration?
Kind regards,
Peter
I found the reason for this not working. I had to fully URL encode the value for client_secret.
/Peter
Any ideas why this is. I have configured a Server Application and a Web API and an ID Token, Access Token & Refresh token is issued. However calling the userinfo endpoint return a 401 with the following header message:
WWW-Authenticate →Bearer error="invalid_token", error_description="MSIS9920: Received invalid UserInfo request. The access token in request is not valid."
The access token is valid according to http://jwt.io
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVVbEw5a1JocDJNLUVzTDlBRDJOQ055aHZtdyJ9.eyJhdWQiOiJ1cm46bWljcm9zb2Z0OnVzZXJpbmZvIiwiaXNzIjoiaHR0cDovL3Rlc3Rsb2dpbi51bm9wcy5vcmcvYWRmcy9zZXJ2aWNlcy90cnVzdCIsImlhdCI6MTQ4NjYyOTUxOSwiZXhwIjoxNDg2NjMzMTE5LCJhcHB0eXBlIjoiQ29uZmlkZW50aWFsIiwiYXBwaWQiOiJrbnVkIiwiYXV0aG1ldGhvZCI6InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0IiwiYXV0aF90aW1lIjoiMjAxNy0wMi0wOVQwODozMjo1Ny4xNDZaIiwidmVyIjoiMS4wIiwic2NwIjoib3BlbmlkIiwic3ViIjoiM2krUGlyRncwSVlkdDVzTVNKQlpKbjVOTXZVWXZVdyt2WHI2Ujd1N0dBZz0ifQ.ajKtSk0xQE1crJkIA-lMLBZj2DtYE6xQo-Stmevh4pOGX17GEePbAFP-g6qPUwtGT_whVj74wRpSlyTBscp2JDsp_CW2E6BsTUI810S6jYRVjkYGxL1QcL1KoKJ8wyYKcxsCeOY2IUKNPnJOxV53Rs8E9EvJgjcsjTJHQw5Z_zC43dsTfCZvVfGrwJ3nn6BGxhIE_bEXvrWdgmg49V7-KK2kVDbDwJGr1iLpqU88-bkHdjGCIuc8XKX5pobWWlcyBmR_dpACM6Tu-d8jYJ_8mbof-eZrqn8YS61rgvRAhAAONyDklWcPgiYnhcMQVHZoCME-rVTjI6LDDY2czhL0rg
This question is asked long time ago but let me share my experience.
if you want to execute ADFS 4.0 userInfo endpoint(win server 2016) in a hope to get User profile but what i experienced is it return only Sub attribute
ex:
{
"sub": "MpR57wSIQz1kiR2uUMrkCQadbgDoztWmMV863Dugdso="
}
for anyone to try UserInfo endpoint you need to modify your application group, add api with Identitfier https://adfs.example.com/adfs/userinfo & at Client permission tab tick openId.
for execution of userinfo
Ex:
curl -X GET \
https://adfs.example.com/adfs/userinfo \
-H 'Authorization: Bearer ACCESS_TOKEN
Note: In your Acquire Accesstoken code you need to pass your resource = urn:microsoft:userinfo
The ADFS userinfo endpoint always returns the subject claim as
specified in the OpenID standards. AD FS does not provide additional
claims requested via the UserInfo endpoint. If you need additional
claims in ID token, refer to Custom ID Tokens in AD FS.
I've only done this once so I don't have much suggestions to make yet. So I cant make any suggested unless there is more detail.
You should try and get more evidence from the AD FS side. Enable debug logs using
wevtutil sl "ad fs tracing/debug" /l:5 /e:true
Do the repro and then disable logs as follows.
wevtutil sl "ad fs tracing/debug" /e:false
Then export the logs to view using
wevtutil epl "ad fs tracing/debug" c:\temp\userinfoerr.evtx
Open that event log in event viewer and have look and see what other errors are reported around validating the JWT.
Swift + Vapor framework for server + Xcode 8.1
I am trying to read Firebase Realtime Database making HTTP requests to my DB, but I get permission denied.
These are the steps:
1. create JWT sign it with secret key downloaded from "console.developers.google.com"
2. send POST request to OAuth2 server and get access token
3. send GET request to firebase database with access token received from OAuth2 server.
I get "Permission denied", HTTP/1.1 403 Forbidden
// the header of the JSON Web Token (first part of the JWT)
let headerJWT = ["alg":"RS256","typ":"JWT"]
// the claim set of the JSON Web Token
let jwtClaimSet =
["iss":"firebase-adminsdk-kxx5h#fir-30c9e.iam.gserviceaccount.com",
"scope":"https://www.googleapis.com/auth/firebase.database", //is this the correct API to access firebase database?
"aud":"https://www.googleapis.com/oauth2/v4/token",
"exp": expDate,
"iat": iatDate]
drop.get("access") { request in
var accesstoken = "ya29.ElqhA-....XXXX"
let responseFirebase = try drop.client.get("https://fir- 30c9e.firebaseio.com/data/Users.json",
headers: ["Authorization":"Bearer \(accesstoken)"],
query: [:])
print("FirebaseResponse_is \(responseFirebase)")
return "success"
}
TLDR; Try placing auth=<TOKEN> in your query string instead of using the authorization header.
The Firebase documentation is unclear on how this works. According to the documentation, there are three methods that should work.
auth=<TOKEN> in query string (link)
access_token=<TOKEN> in query string (link)
Authorization: Bearer <TOKEN> in request header (link)
I'm not convinced that all three methods do actually work however. I'm using method 1 in my application, so I know that one works for sure.
The scope key was missing value https://www.googleapis.com/auth/userinfo.email
let jwtClaimSet =
["iss":"firebase-adminsdk-kxx5h#fir-30c9e.iam.gserviceaccount.com",
"scope": "https://www.googleapis.com/auth/firebase.database
https://www.googleapis.com/auth/userinfo.email",
"aud":"https://www.googleapis.com/oauth2/v4/token",
"exp": expDate,
"iat": iatDate]
I found the answer browsing google groups here
headers: ["Authorization":"Authorization: Bearer \(accesstoken)"],
should be
headers: ["Authorization":"Bearer \(accesstoken)"],