LinkedIn access token OAuth call error

I am trying to get the LinkedIn access token from the authorization code, which I get from https://www.linkedin.com/uas/oauth2/authorization. But when I send the request for the access token to the URL
https://www.linkedin.com/uas/oauth2/accessToken?code=AQTxKjDnKVK8bhxJf10fHE8kEfGh9APlnGTRXyrNMLx-RkZ_EEKfvpx1YRMlhsr5R_qdNlxZ1DUqZR0xCkZe_4hIl_Ih8d1x3_sdf0xqjMu6lp2Ny48&client_id=75g9zob6m8cpzi&client_secret=gsEVhrKzrByUwPOy&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback%3Fsite%3Dlinkedin&grant_type=authorization_code
I am getting an error when I make the HTTP GET request from AngularJS. I am able to get the access token when I make the request through Postman or the browser.
My console error is
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access

Related

Postman shows a CSRF error when using the Rossum API

When using the Rossum API for data capture with Postman, I'm getting this error for any HTTP request after a login:
{
"detail": "CSRF Failed: Referer checking failed - no Referer.",
"code": "permission_denied"
}
It turns out that the Rossum API is Django-based and uses special cookies to prevent CSRF attacks, issued during the /login call. The CSRF cookie guard prevents third-party websites from wrongly issuing calls through a logged-in user's browser: the cookie must be set in combination with a correct Referer setting to verify that the call is not issued by a third-party website.
However, Postman is using the cookie but not setting a Referer properly. Clearing the cookies in Postman resolves the issue.
This is also why the issue does not appear while using curl or HTML5 fetch.

LinkedIn profile fetching not working in asp.net

I have integrated LinkedIn into my ASP.NET website and am trying to read the profile data of the user who logs in. I am accessing the following URL but getting an error. My application has been authorized and got an access token from LinkedIn.
URL
https://api.linkedin.com/v1/people/MyAccessToken
Error
The remote server returned an error: (401) Unauthorized.
It seems I am not using the correct format to pass the access token to this URL to get the data. Can someone please guide me on the correct format?
The access token should be added as a Bearer token, and the API path should be:
https://api.linkedin.com/v1/people/person_ID/

Sabre API Request URI Authentication issue

I am not able to get the JSON data for the below API request.
I am getting an authentication problem.
https://api.test.sabre.com/v1/shop/flights?origin=JFK&destination=LAX&departuredate=2018-07-07&returndate=2018-07-09&onlineitinerariesonly=N&limit=10&offset=1&eticketsonly=N&sortby=totalfare&order=asc&sortby2=departuretime&order2=asc&pointofsalecountry=US
{"status":"NotProcessed","type":"Validation","errorCode":"ERR.2SG.SEC.MISSING_CREDENTIALS","timeStamp":"2018-04-10T12:11:35.221-05:00","message":"Authentication data is missing"}
You would need to manipulate your headers to contain the credentials on your request, with a plugin like Tampermonkey for Chrome.

Authentication-Info header for Bearer (JWT) Auth Scheme

I am using the JWT Bearer authentication scheme in a REST API. For returning the JWT token to the client after successful authentication, I am currently using the access token response in the body as described in https://www.rfc-editor.org/rfc/rfc6750#page-10
{
"access_token":"mF_9.B5f-4.1JqM",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}
But I need to return the token in other HTTP requests too, like signup, where the body is already present.
So I was thinking of using the "Authentication-Info" header for it. But the Bearer scheme does not specify the "Authentication-Info" header anywhere. Should I use the Authentication-Info header for returning the JWT token?
I am not using OAuth 2.0, just JWT.
What you have there might be correct for OAuth 2.0, but for ordinary JWT it's much simpler. When you use an ordinary self-made JWT, the client will put the token in an HTTP header called Authorization. The value of the header is something like this
Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
The header field could be called something else too. The server and client have to agree on the name. Authorization is just the most common name.
The server will usually issue the token by responding to the POST request on the login endpoint. The token can be part of the response body when the login is successful. The client will store the token and send it with every request by using the header above. You can forget everything that has to do with access tokens and refresh tokens. When using an "ordinary" basic JWT you will only have one token, and that is the value after Bearer.
I don't see any reason to issue a token when the user is signing up. They can get it when they log in after signing up.
I would recommend you read this over the RFCs for OAuth if you're just implementing ordinary authentication.

HTTP status if re-authentication is required

Which status code would you use in this scenario, assuming you're using token-based authentication:
The client has a token and makes a request to the server.
The token expired and the server sends a 401 Unauthorized.
The client sends the refresh token.
The token is invalid and the server responds with XXX?
The use case would be an application that automatically catches 401s and makes a request with the refresh token. If the server responded with a 401 when this token is not valid, the client would try to request a new access token with the refresh token forever. But it should tell the client that it should re-authenticate with its credentials (e.g. email and password).
I was just wondering which status code would be the best fit in this scenario, as the spec says in the case of a 403 Forbidden that "authorization will not help".
I would not make access and refresh tokens interchangeable: use access tokens to access protected resources and use the refresh token to fetch a new access token from a special endpoint. OpenID Connect works this way.
You would have one more HTTP request, but HTTP codes would not be a problem and, in my opinion, you would get cleaner code.
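The loop the question worries about comes from treating the refresh attempt as just another 401 to catch. The following is an added example, not code from the question or the answer, of a client in Node.js that follows the answer's separation: the access token goes to the resource server, the refresh token goes to a distinct refresh endpoint exactly once, and any failure there (or a second 401 with a freshly issued token) ends in a "re-authenticate" result instead of another retry. The `api` object is an injected stand-in for the two servers so the flow runs offline; callWithRefresh and makeFakeApi are names chosen for this example.

```javascript
// Added example, not the question's or answer's code: a client that keeps the two tokens apart,
// retries once through a separate refresh endpoint and then gives up and asks for interactive login.
// `api` is an injected object standing in for the network so the flow runs offline.

// Ask the resource server; on 401 try the refresh endpoint once; never loop.
async function callWithRefresh(api, tokens, path) {
  let resp = await api.request(path, tokens.accessToken);
  if (resp.status !== 401) return { outcome: "ok", status: resp.status, tokens };

  const refreshed = await api.refresh(tokens.refreshToken);
  if (refreshed.status !== 200) {
    // A token endpoint answers a dead refresh token with 400 invalid_grant (RFC 6749 §5.2).
    // Whatever the code, there is nothing left to retry with: drop both tokens and re-authenticate.
    return { outcome: "reauthenticate", status: refreshed.status, tokens: null };
  }
  tokens = {
    accessToken: refreshed.body.access_token,
    refreshToken: refreshed.body.refresh_token ?? tokens.refreshToken, // rotation is optional
  };
  resp = await api.request(path, tokens.accessToken);
  if (resp.status === 401) {
    // A freshly minted token that is still refused means the problem is not expiry; stop here.
    return { outcome: "reauthenticate", status: resp.status, tokens: null };
  }
  return { outcome: "ok", status: resp.status, tokens };
}

// Constructed stand-in for the resource server and the refresh endpoint, counting calls so the
// "exactly one refresh" property can be checked.
function makeFakeApi({ validAccess, validRefresh }) {
  const calls = { request: 0, refresh: 0 };
  return {
    calls,
    async request(path, accessToken) {
      calls.request++;
      return accessToken === validAccess ? { status: 200, body: { path } } : { status: 401 };
    },
    async refresh(refreshToken) {
      calls.refresh++;
      if (refreshToken !== validRefresh) return { status: 400, body: { error: "invalid_grant" } };
      return { status: 200, body: { access_token: validAccess, token_type: "Bearer", expires_in: 3600 } };
    },
  };
}
```

With this shape the status code the refresh endpoint chooses stops mattering to the loop question: the client's single retry is bounded by structure, and a 401 from the resource server never triggers a second refresh.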
