Amending scope values in token request causes problems accessing APIs afterwards - wso2-api-manager

I am encountering the following error after amending a scope value being sent in the headers of a token POST request against the token API endpoint for our WSO2 instance:
ERRORS.900901
Invalid CredentialsAccess failure for API: /scheme/v1, version: v1 with key: fa41109938522762bcca953336f0e0e2.
Make sure your have given the correct access token
This error comes after I successfully get a token returned and then use that token for a an API setup in WSO2 publisher. This particular endpoint in the error does not actually have any scopes applied to it which causes me some confusion about why this error comes up since its not a scope protected endpoint so my token shouldn't matter?
This happened after I realised there was a typo in a scope value I was sending in the POST request and so I updated it accordingly.
If I leave the typo in I can use the token generated for a subsequent API request and dont get this error.
Am I right in thinking that tokens are generated based on the list of scopes returned back by the Token API for the given user?
I have tried manually revoking the access token using a cURL command as documented here and generating a new one using the corrected scope names, but still this error comes back after trying to access that API.
What could be the issue here?
Thanks

This error comes after I successfully get a token returned and then
use that token for a an API setup in WSO2 publisher. This particular
endpoint in the error does not actually have any scopes applied to it
which causes me some confusion about why this error comes up since its
not a scope protected endpoint so my token shouldn't matter?
This also can happen if there were any errors while validating the token. This doesn't look like a scope issue. So if you can provide the corresponding logs in wso2carbon.log, I can tell the exact reason.
Am I right in thinking that tokens are generated based on the list of
scopes returned back by the Token API for the given user?
Yes.

Related

Using the Logic App HTTP connector, I get "BadGateway. Http request failed as there is an error getting AD OAuth token", when trying to call Graph API

I am trying to make an API call to Microsoft Graph using the Microsoft Logic App HTTP connector. The call fails with the error:
"BadGateway. Http request failed as there is an error getting AD OAuth token: 'Failed to extract error details from response content ''.'.".
I have been trying many things including being able to run the call successfully via Postman. I have decrypted the Postman token with jwt.ms and verified certain values such as:
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/{{tenantId}}/",
I went through stacks of Google searches, and as for Stack Exchange, these are the closest matching posts that I could find.
Http request failed as there is an error getting AD OAuth token: 'AADSTS50001: The application named https://management.azure.windows.net
In this case the audience paramater was wrong, and in my case I have tried many, and not really sure anymore which is the correct one, even though none of them worked for me when tested.
Azure Logic App HTTP action authorization fails
The post deals with a shared key use case. My current requirement for this project is to use OAuth.
Secure access and data in Azure Logic Apps
I have tried the following for "Authority":
"authority": "https://sts.windows.net/{{tenantId}}/"
"authority": "HTTPS://login.microsoftonline.com/{{tenantId}}/"
"authority": "HTTPS://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/authorize"
This is the screen that shows the HTTP connector inside the logic app.
This is the same connector at runtime.
This is the raw HTML that the HTTP connector generates.
Hoping someone can spot where I am going wrong.

Bearer token invalid on here fuel prices API even though apikey is included as parameter

I am new to Here and am trying to make my first API call but I keep getting back this error:
{"Type":"Unauthorized","Message":["Bearer token invalid. Bearer missing or bearer value missing."]}
Here's the URL that I'm using to call the API:
https://fuel-v2.cc.api.here.com/fuel/stations.json?apiKey=${hereApiKey}&prox=${lat},${lng},1600
I have also tried including the api key in an authorization header and get the exact same thing. I've tried with apikey= and apiKey= and the results are the same. I've also tried moving the apikey param to after the prox param (though I know that shouldn't matter). I feel like I'm following the documentation when it says that I can use api key authentication for this call and that app code authentication is deprecated, so I'm not sure what I'm doing wrong.
I am currently on a Here Freemium plan and making this call from a Node JS server application.
The token expires in 24 hours, you need to generate a new token and test again
In order to use OAuth token authentication please use the below request
https://fuel-v2.cc.ls.api.here.com/fuel/stations.xml?prox=52.516667,13.383333,5000
And in header please include
Authorization = Bearer "Oauth token"
other way to include the token is -
https://developer.here.com/documentation/fuel-prices/dev_guide/topics/request-here-environments.html

WSO2 ESB - HTTP 401 Unauthorized Error

I have been creating a Proxy service using service chaining mechanism.
1. First I make a call to an endpoint, get the result and send the result to a sequence.
2. In the sequence, I have a data mapper and then a property to specify the username and password to a secure endpoint and then send mediator to call an endpoint.
However, I have been getting the following error:
HTTPSender Unable to sendViaPost to url[endpoint Url] org.apache.axis2.AxisFault: Transport error: 401 Error: Unauthorized,
With the description as "This request requires HTTP authentication"
The solution I have tried:
1. Tried adding a property "FORCE_HTTP_1.0" to true before making a call to the endpoint.
But nothing seems to work. Any help would be appreciated.
Thanks in advance.
If your backend requires Basic authentication, set the following property before your backend call.
Mmh seems like it's not possible to paste Code from my iPhone. Hope the link works.
https://docs.wso2.com/display/ESB470/Enabling+HTTP+Basic+Authentication+through+a+Proxy+Server
Just set the property "Proxy-Authorization"

how do i resend a request after processing it inside my apigee endpoint

I have a endpoint called get user data which accepts a token
I need to read this token in my apigee and send it to tokenVarificationExtUrl
which gets back to me with
a) valid 200
b) userid attached with that token
now what i have to do is i need to read the response header and then conditionally check it for 200 success and then extract the userid from the response.
Once its extracted i need to attach it with another request; which i need to send to getUserData external url
which will get back to me with required user details.
I am successful of extracting data and doing conditional check. I am seeking help for
how do i send another request to getUserData external url.
You need to use a few policies in your proxy.
For example
For checking a header and throwing an error, you may want to use rasie fault policy conditionally
For making an API call to external end-point you can use service callout policy or a standard target
For exrtacting response data from json or xml payload you can use json path of xpath policies
and so on.
I suppose you may want to take a look at a few sample proxies with these functions to be able to design your own.
Check this link out. http://apigee.com/docs/content/using-sample-api-proxies

Linkedin API access token generation error

i am trying to generate access token to collect linkedin data. I followed the instructions provided in the linkedin API documentaion. I created an app in developers page and got the following:
Application Details
• Company:
Fresher
• Application Name:
xxxxxxxxxx
• API Key:
75pcum6zb2cael
• Secret Key:
xxxxxxxxxxxxxxxx
• OAuth User Token:
xxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
• OAuth User Secret:
xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx
Using the API Key i generated the authorization_code with the URL:
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=75pcum6zb2cael&state=DCEEFWF45453sdffef424&redirect_uri=https://www.google.com
but when i finally tried to generate the access token using the below URL, i got an error response :
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=https://www.google.com&client_id=75pcum6zb2cael&client_secret=xxxxxxxxxxxxxxxx
{"error_description":"missing required parameters, includes an invalid
parameter value, parameter more than once. : Unable to retrieve access
token : appId or redirect uri does not match authorization code or
authorization code expired","error":"invalid_request"}
Even after multilple validations, the same error messages appears.
please help. thanks.
finally, i got the access token. The authorization code expires in 20 seconds, so the access token URL must be called immediately after generating the authorization code.
Well, I went through the same problem and here is the process which i went through to fix it.
STEP#1: Authentication:
Firstly, the authentication API is to be hit to fetch the authentication token.
For this, a URL with Encoded parameters is to be hit as a GET request.
Example: https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=[your_client_id]&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flinkedin%2Fcallback&scope=r_emailaddress
Please note that here, the parameters are to be encoded programatically.
My non-encoded callback URL is: http://localhost:8080/linkedin/callback
Therefore, my encoded URL is: http%3A%2F%2Flocalhost%3A8080%2Flinkedin%2Fcallback
Once you hit this as a GET request, you will receive a callback with a code and an optional state parameter.
STEP#2: Getting Access Token:
There are three pre-requisites to this call:
The call must be POST
It must have a header Content-Type with value application/x-www-form-urlencoded
The data must be sent in request body.
The value of redirect_url MUST BE SAME as in the previous call.
In my case, it was: http://localhost:8080/linkedin/callback
Now the trick here is, that the call in (STEP#1 Authentication) was a GET request. Therefore, the redirect_url had to be programatically encoded.
Since the second call for is POST and is also application/x-www-form-urlencoded encoded, therefore the request body parameters do not have to be explicitly encoded. So, in this case, the redirect_uri would be sent as-is (http://localhost:8080/linkedin/callback)
Here is a snapshot of my Access Token API via postman:
My problem was in redirect_uri which contained url with query parameters (like redirect_uri=encodeURIComponent(http://example.com/callback?query=string)).
If redirect url is completely different linkedin will show you an error before showing you login form, but if redirect_url matches what you specified in linkedin app and contains extra query parameters, you'll not get an error, so once login form is submitted you'll get an invalid code and as a result error as above.
This error may be scopes related.
On the details of your application when selecting scopes there is this message:
Selecting both r_basicprofile and r_fullprofile is redundant.
r_basicprofile will be selected if neither r_basicprofile nor
r_fullprofile is checked.
If you are selecting both r_basicprofile and r_fullprofile just uncheck r_basicprofile or remove it from your Authorization Code Request.
I had the same problem, in my case I was using different redirect_uri for authorization and for access token. I had "proxy": "localhost:3001" in my package.json, and it overriden my request_uri.
So my suggestion: make sure the hosts and redirect_uri are all the same for two requests (both backend and server side).

Resources