I tried to start working the "tuber" package. A tutorial on how to use this package can be found here: https://www.r-bloggers.com/using-the-tuber-package-to-analyse-a-youtube-channel/
Now I've set up OAuth 2.0 client in my google developer account (web client). However when i try to log in with my details like this:
user <- my_user_name
key <- my_key
yt_oauth(my_user_name, my_key, token = '')
I get the following error:
The redirect URI in the request, urn:ietf:wg:oauth:2.0:oob, can only be used by a Client ID for native application. It is not allowed for the WEB client type. You can create a Client ID for native application at https://console.developers.google.com/apis/credentials/oauthclient
When creating your OAuth client ID, set http://localhost:1410/ as Authorized redirect URIs. You may need to edit and update your existing client ID.
Related
I hope you are doing fine :)
I have the following problem/problems.
I have created a dummy (robot) user. In Azure AD there is an App Registration with some Power BI delegated permission services.
I want to automate the deletion of a push dataset via a HTTP request.
For this, I need to authenticate against that App Registration from Azure AD. With postman, everything worked perfectly, I got the token as a response.
Then, I tried to make the same request using the HTTP connector in PowerAutomate.
I get the following error
{"error":"invalid_request","error_description":"AADSTS900144: The request body must contain the following parameter: 'grant_type'.\r\nTrace ID: e6d68953-ce1c-4217-856c-ae3aada82e00\r\nCorrelation ID: f50db4d9-d5bb-4396-af11-214717721f43\r\nTimestamp: 2022-10-26 19:12:48Z","error_codes":[900144],"timestamp":"2022-10-26 19:12:48Z","trace_id":"e6d68953-ce1c-4217-856c-ae3aada82e00","correlation_id":"f50db4d9-d5bb-4396-af11-214717721f43","error_uri":"https://login.microsoftonline.com/error?code=900144"}
The connector looks like this->
I have tried other ways as well.
The following error ->
{"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: fec65949-0701-4727-af3b-2c2b8eb73a00\r\nCorrelation ID: 42c6c04b-98be-477d-8d36-52a01a473a40\r\nTimestamp: 2022-10-26 19:23:50Z","error_codes":[50126],"timestamp":"2022-10-26 19:23:50Z","trace_id":"fec65949-0701-4727-af3b-2c2b8eb73a00","correlation_id":"42c6c04b-98be-477d-8d36-52a01a473a40","error_uri":"https://login.microsoftonline.com/error?code=50126"}
I get from the the next HTTP connector inputs. I tried creating a query out of the previous json. It says the username or password are invalid but I logged in successfully for a number of times with those exact credentials. That I am sure of.
The dummy inputs in the picture are used to avoid the real ids, username and password.
This worked for me ...
Add a header setting Content-Type to application/x-www-form-urlencoded and add the URL form encoded content string like thus ...
client_id=<CLIENT_ID>c&grant_type=password&username=<USERNAME>&password=<PASSWORD>&scope=User.read
If you're using the password grant type approach, you shouldn't need a client secret, just the client ID.
I want to log in https://adventofcode.com/2021 programatically using httr.
I have only a very superficial understanding of the OAuth "dance", so to understand the principles I did the following:
Create an OAuth App on GitHub
Used the following code to authenticate (N.B. I know I could simply use oauth2.0_token but I felt that this workflow helped me to better understand the different messages, which are exchanged).
library(httr)
client_id <- "<my client id>"
base_url <- "https://github.com"
path <- "login/oauth/authorize"
client_secret <- "<my secret>"
url <- modify_url(base_url, path = path,
query = list(client_id = client_id,
redirect_uri = oauth_callback()))
code <- oauth_listener(url) ## needed to provide credentials in the web browser
access_token <- POST(modify_url(base_url, path = "login/oauth/access_token"),
add_headers(Accept = "application/json"),
body = list(client_id = client_id,
client_secret = client_secret,
code = code$code))
## successfully returns the values
GET("https://api.github.com/rate_limit",
add_headers(Authorization = paste(content(access_token)$access_token,
"OAUTH-TOKEN")))
From this example I think I understand the steps as highlighted in the documentation.
However, I fail to see how I could use this to login to https://adventofcode.com/2021. I have, of course, not the client_secret nor can I redirect the response to my localhost (as GitHub requires that the stored callback matches the redirect URI).
Thus, I was wondering how I could programatically login to https://adventofcode.com/2021 to fetch my task data, say?
I think you are mismatching OAuth2 roles. If you want to use adventofcode.com, you are a resource owner, adventofcode.com is a client and github is an authorization server. So you authenticate, adventofcode.com gets an auth code and then tokens. They can use the tokens to get information about your github account.
The example code you posted is different - your application is a client that gets a code and tokens from the authorization server (github) after a user was authenticated and gave a consent to passing the tokens to your app (permission delegation). So you probably cannot include adventofcode.com into this scenario.
The only way is if adventofcode.com takes a role of a resource server and their API accepts github tokens from different clients. But I know nothing about their API.
I'm trying to implement the "on behalf of" flow in an application using ADFS 2016 as STS. As a reference, I look at this Microsoft tutorial (https://learn.microsoft.com/en-ca/windows-server/identity/ad-fs/development/ad-fs-on-behalf-of-authentication-in-windows-server). It's working as it should, I can login into my web application and then use my original access token in UserAssertion to generate a new access token with the proper audience to call my API BUT I found absolutely no way to include any user informations (sub, name, email, upn etc.) into the access token for my API, even if I set claim rules into my ADFS configurations for the API.
I checked the communication between my app and adfs using Fiddler and everything looks like the informations in the tutorial. See the screen shot of the "on behalf of" request below :
Here's the resulting access token :
Finally, here's the code I use to generate my new access token :
private async Task<string> GetAccessToken(ClaimsPrincipal user, string originalAccessToken)
{
var authority = "[authority]";
var context = new AuthenticationContext(authority, false);
string userName = user.FindFirstValue("upn");
var userAssertion = new UserAssertion(originalAccessToken, "urn:ietf:params:oauth:grant-type:jwt-bearer",userName);
var cc = new ClientCredential("https://localhost:44387/", "[client_secret]");
var result = await context.AcquireTokenAsync("https://localhost:44339/", cc, userAssertion);
return result.AccessToken;
}
Have you struggle with that scenario and if yes, did you find a way to fix this ?
Thanks
I've only used the Microsoft On Behalf Of flow with Azure AD and not ADFS, but it looks like you need to send a more detailed scope in your User Info request.
Maybe try sending 'openid profile email', to indicate that you want that type of detail, as in Section 17 of my blog post. Of course this assumes that this type of data has been registered for all users.
TROUBLESHOOTING
Looks like one of these will be the cause:
A suboptimal Microsoft library that does not allow you to send the required scope
Or ADFS 2016 perhaps lacks the scope features that work correctly in Azure AD
I would concentrate on making extra sure you are sending the correct form URL encoded request message, using a tool such as curl, Postman or a plain C# HttpClient. Here is the code I used to send the correct scope - using an open source library rather than a Microsoft one:
Sample NodeJS Code
If you can get the scope sent correctly then you should have a resolution either way:
Either you get the correct data and can update your code
Or the behaviour you want is not supported by ADFS
Good luck ...
I am trying to geocode some addresses with python
so I created a freemium account on https://developer.here.com
my code is this
(...)
here = Here(here_config.app_id, here_config.app_code, timeout=5)
here.geocode(string_to_geocode)
I am getting the following error message:
HTTP Error 401: Unauthorized
my doubt comes from the difference between the terms "app_code" on my code sample and "app_key" on my credential screen.
Is there another step I need to do in order to get a "app_code" or is my "app_key" already supposed to be it?
P.S. on that same screen Here provides me an option of getting JAVASCRIPT keys, HERE SDK FOR IOS (PREMIUM EDITION) [this option cleary has a button that says "generate app_key and app_code", however, I am not developing a cellphone app, but a python program.
What am I missing ?
here_credential_screen
App ID and App Code have been replaced. We encourage all users to switch to API Key or OAuth 2.0 (JSON Web Tokens) authentication. Please be aware that as part of adapting to the new authentication method, some endpoints have also changed.
please check the new domains here
You can either use your ApiKey or App_Id/App_Code.
for example like this-
https://geocoder.ls.hereapi.com/6.2/geocode.json?apiKey={YOUR_API_KEY}&searchtext=425+W+Randolph+Chicago
https://developer.here.com/documentation/geocoder/dev_guide/topics/quick-start-geocode.html
I need to make calls to a rest API service via BizTalk Send adapter. The API simply uses a token in the header for authentication/authorization. I have tested this in a C# console app using httpclient and it works fine:
string apiUrl = "https://api.site.com/endpoint/<method>?";
string dateFormat = "dateFormat = 2017-05-01T00:00:00";
using (var client = new HttpClient())
{
client.DefaultRequestHeaders.Add("token", "<token>");
client.DefaultRequestHeaders.Add("Accept", "application/json");
string finalurl = apiUrl + dateFormat;
HttpResponseMessage resp = await client.GetAsync(finalurl);
if (resp.IsSuccessStatusCode)
{
string result = await resp.Content.ReadAsStringAsync();
var rootresult = JsonConvert.DeserializeObject<jobList>(result);
return rootresult;
}
else
{
return null;
}
}
however I want to use BizTalk to make the call and handle the response.
I have tried using the wcf-http adapter, selecting 'Transport' for security (it is an https site so security is required(?)) with no credential type specified and placed the header with the token in the 'messages' tab of the adapter configuration. This fails though with the exception: System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
I have tried googling for this specific scenario and cannot find a solution. I did find this article with suggestions for OAUth handling but I'm surprised that even with BizTalk 2016 I still have to create a custom assembly for something so simple.
Does anyone know how this might be done in the wcf-http send adapter?
Yes, you have to write a custom Endpoint Behaviour and add it to the send port. In fact with the WCF-WebHttp adapter even Basic Auth doesn't work so I'm currently writing an Endpoint Behaviour to address this.
One of the issues with OAuth, is that there isn't one standard that everyone follows, so far I've had to write 2 different OAuth behaviours as they have implemented things differently. One using a secret and time stamp hashed to has to get a token, and the other using Basic Auth to get a token. Also one of them you could get multiple tokens using the same creds, whereas the other would expire the old token straight away.
Another thing I've had to write a custom behaviour for is which version of TLS the end points expects as by default BizTalk 2013 R2 tries TLS 1.0, and then will fail if the web site does not allow it.
You can feedback to Microsoft that you wish to have this feature by voting on Add support for OAuth 2.0 / OpenID Connect authentication
Maybe someone will open source their solution. See Announcement: BizTalk Server embrace open source!
Figured it out. I should have used the 'Certificate' for client credential type.
I just had to:
Add token in the Outbound HTTP Headers box in the Messages tab and select 'Transport' security and 'Certificate' for Transport client credential type.
Downloaded the certificate from the API's website via the browser (manually) and installed it on the local servers certificate store.
I then selected that certificate and thumbprint in the corresponding fields in the adapter via the 'browse' buttons (had to scroll through the available certificates and select the API/website certificate I was trying to connect to).
I discovered this on accident when I had Fiddler running and set the adapter proxy setting to the local Fiddler address (http://localhost:8888). I realized that since Fiddler negotiates the TLS connection/certificate (I enabled tls1.2 in fiddler) to the remote server, messages were able to get through but not directly between the adapter and the remote API server (when Fiddler WASN'T running).