My app is using linkedin as oauthd login method. For some of users there is no valid response when I'm trying to fetch email address (https://learn.microsoft.com/en-us/linkedin/shared/references/fields/basic-profile#email-fields)
Request:
GET https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))
Response:
200 {"elements":[]}
^^^ missing email field
200 {"elements":[{"handle":"urn:li:emailAddress:472511033","handle!":{"message":"Downstream service returned an empty response for URN.","status":404}}]}
OK, but failed?
Normal response looks like this:
200 {"elements":[{"handle~":{"emailAddress":"XXX#XXX"},"handle":"urn:li:emailAddress:XXX"}]}
Is there any settings in linkedin profile that blocks requesting emailAddress?
I found in documentation that this is related to new users that was registered using phone.
The API call would return empty response body if the authenticated user was registered via phone number, and never added any primary email address into their LinkedIn account previously. The value of type is case sensitive, and can only be EMAIL in this case.
https://learn.microsoft.com/en-us/linkedin/shared/integrations/people/primary-contact-api#retrieve-email-address
Corda Token SDK https://github.com/corda/token-sdk.
By default, the fungible token can be issued many times, to many accounts.
I do not know to limit that fungible token is issued once and sent to a specific account
(after that token will not be issued any more)
Does anyone have an idea?
To implement that, you'd have to do the following:
Create your own EvolvableTokenType.
Your evolvable token type will have 2 custom attributes (that can be changed over time, thus why we chose evolvable over fixed token type):
issued of type boolean
issueAccount of type AbstractParty
Create a contract that validates your evolvable token type (it should extend EvolvableTokenContract):
Implement additionalCreateChecks: You can keep it empty.
Implement additionalUpdateChecks: Here you can validate that you can only update the value of issued to true, you cannot update it to false (this will allow issuing more of your token type which we don't want).
Create a flow that creates your evolvable token type, it sets the issueAccount to the value that you pass as input parameter and sets issued to false.
Now you can create your evolvable token token type and use it to issue tokens of that type.
Create a flow that issues tokens of your token type:
It will fetch the latest version of your evolvable token type.
If the value of issued is true, throw a FlowException that this token has already been issued and you cannot issue it again.
Use the returned state to get the issueAccount value.
Call the IssueToken flow to issue your token type to issueAccount. Of course you need to generate a new key for the account using RequestKeyForAccount and wrap the returned PublicKey in an instance of AnonymousParty.
Now the most important part (your requirement): Call UpdateEvolvableToken flow to update your evolvable token type and set issued to true. This way if someone calls your issue tokens flow again, it will throw an exception because your token type has been issued.
The Kotlin template (token branch) has a high level example of EvolvableTokenType:
Type: https://github.com/corda/cordapp-template-kotlin/blob/token-template/contracts/src/main/kotlin/com/template/states/ExampleEvolvableTokenType.kt
Contract: https://github.com/corda/cordapp-template-kotlin/blob/token-template/contracts/src/main/kotlin/com/template/ExampleEvolvableTokenTypeContract.kt
Flow (it has 2 flows, create token type and issue it): https://github.com/corda/cordapp-template-kotlin/blob/token-template/workflows/src/main/kotlin/com/template/flows/ExampleFlowWithEvolvableToken.kt
Also the Tokens SDK has an example that uses EvolvableTokenType where the House token has an attribute that can change (valuation):
https://github.com/corda/token-sdk/blob/master/docs/DvPTutorial.md#define-your-states-and-contracts
Working with Xero API
Authorization callback returns org, which should correspond Organisation's ShortCode for which Xero user allowed access.
In callback org value is BFtWATeLda24OXh2Yv-FLG but Organisation's ShortCode is !hvw0y, which obviously does not match.
Other possible field that could be matched
OrganisationId - 29e0fd2c-15da-409e-8462-1ac28b9f8f55 no match
ApiKey - QIBVL4B2BBDNE5WBADGFHZEQYR6SXM no match
I wonder how can i link value org callback parameter to Organisation in Xero.
Using Xero API .NET Core client
Is it named the org_muid? If so, that value returned in the oauth call is actually a one way mapping of the OrganisationID. It's a legacy property from before the OrganisationID was returned from the organisation endpoint that is still returned as the removal of it could cause breaking changes for those who use it as the identifier in their token databases.
Any ideas why this is. I have configured a Server Application and a Web API and an ID Token, Access Token & Refresh token is issued. However calling the userinfo endpoint return a 401 with the following header message:
WWW-Authenticate →Bearer error="invalid_token", error_description="MSIS9920: Received invalid UserInfo request. The access token in request is not valid."
The access token is valid according to http://jwt.io
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVVbEw5a1JocDJNLUVzTDlBRDJOQ055aHZtdyJ9.eyJhdWQiOiJ1cm46bWljcm9zb2Z0OnVzZXJpbmZvIiwiaXNzIjoiaHR0cDovL3Rlc3Rsb2dpbi51bm9wcy5vcmcvYWRmcy9zZXJ2aWNlcy90cnVzdCIsImlhdCI6MTQ4NjYyOTUxOSwiZXhwIjoxNDg2NjMzMTE5LCJhcHB0eXBlIjoiQ29uZmlkZW50aWFsIiwiYXBwaWQiOiJrbnVkIiwiYXV0aG1ldGhvZCI6InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0IiwiYXV0aF90aW1lIjoiMjAxNy0wMi0wOVQwODozMjo1Ny4xNDZaIiwidmVyIjoiMS4wIiwic2NwIjoib3BlbmlkIiwic3ViIjoiM2krUGlyRncwSVlkdDVzTVNKQlpKbjVOTXZVWXZVdyt2WHI2Ujd1N0dBZz0ifQ.ajKtSk0xQE1crJkIA-lMLBZj2DtYE6xQo-Stmevh4pOGX17GEePbAFP-g6qPUwtGT_whVj74wRpSlyTBscp2JDsp_CW2E6BsTUI810S6jYRVjkYGxL1QcL1KoKJ8wyYKcxsCeOY2IUKNPnJOxV53Rs8E9EvJgjcsjTJHQw5Z_zC43dsTfCZvVfGrwJ3nn6BGxhIE_bEXvrWdgmg49V7-KK2kVDbDwJGr1iLpqU88-bkHdjGCIuc8XKX5pobWWlcyBmR_dpACM6Tu-d8jYJ_8mbof-eZrqn8YS61rgvRAhAAONyDklWcPgiYnhcMQVHZoCME-rVTjI6LDDY2czhL0rg
This question is asked long time ago but let me share my experience.
if you want to execute ADFS 4.0 userInfo endpoint(win server 2016) in a hope to get User profile but what i experienced is it return only Sub attribute
ex:
{
"sub": "MpR57wSIQz1kiR2uUMrkCQadbgDoztWmMV863Dugdso="
}
for anyone to try UserInfo endpoint you need to modify your application group, add api with Identitfier https://adfs.example.com/adfs/userinfo & at Client permission tab tick openId.
for execution of userinfo
Ex:
curl -X GET \
https://adfs.example.com/adfs/userinfo \
-H 'Authorization: Bearer ACCESS_TOKEN
Note: In your Acquire Accesstoken code you need to pass your resource = urn:microsoft:userinfo
The ADFS userinfo endpoint always returns the subject claim as
specified in the OpenID standards. AD FS does not provide additional
claims requested via the UserInfo endpoint. If you need additional
claims in ID token, refer to Custom ID Tokens in AD FS.
I've only done this once so I don't have much suggestions to make yet. So I cant make any suggested unless there is more detail.
You should try and get more evidence from the AD FS side. Enable debug logs using
wevtutil sl "ad fs tracing/debug" /l:5 /e:true
Do the repro and then disable logs as follows.
wevtutil sl "ad fs tracing/debug" /e:false
Then export the logs to view using
wevtutil epl "ad fs tracing/debug" c:\temp\userinfoerr.evtx
Open that event log in event viewer and have look and see what other errors are reported around validating the JWT.
I can't get my refresh token with my code. I can only get my access token, token type etc.,
I have followed some tutorials like putting access_type=offline on my login URL:
echo "<a href='https://accounts.google.com/o/oauth2/auth?"
. "access_type=offline&client_id=123345555.apps.googleusercontent.com& "
. "scope=https://www.googleapis.com/auth/calendar+https://www.googleapis.com/auth/plus.me&response_type=code& "
. "redirect_uri=http://www.sample.com/sample.php&state=/profile'>Google</a>";
and my fields in getting the access token:
$fields=array(
'code'=> urlencode($authcode),
'client_id'=> urlencode($clientid),
'client_secret'=> urlencode($clientsecret),
'redirect_uri'=> urlencode($redirecturi),
'grant_type'=> 'authorization_code',
);
but I can't get refresh_token, just the access_token, token_type, id_token and expires_in.
Found out by adding this to your url parameters
approval_prompt=force
Update:
Use access_type=offline&prompt=consent instead.
approval_prompt=force no longer works
https://github.com/googleapis/oauth2client/issues/453
If I may expand on user987361's answer:
From the offline access portion of the OAuth2.0 docs:
When your application receives a refresh token, it is
important to store that refresh token for future use. If your
application loses the refresh token, it will have to re-prompt the
user for consent before obtaining another refresh token. If you need
to re-prompt the user for consent, include the approval_prompt
parameter in the authorization code request, and set the value to
force.
So, when you have already granted access, subsequent requests for a grant_type of authorization_code will not return the refresh_token, even if access_type was set to offline in the query string of the consent page.
As stated in the quote above, in order to obtain a new refresh_token after already receiving one, you will need to send your user back through the prompt, which you can do by setting approval_prompt to force.
Cheers,
PS This change was announced in a blog post as well.
It is access_type=offline that you want.
This will return the refresh token the first time the user authorises the app. Subsequent calls do not force you to re-approve the app (approval_prompt=force).
See further detail:
https://developers.google.com/accounts/docs/OAuth2WebServer#offline
This is complete code in PHP using google official SDK
$client = new Google_Client();
## some need parameter
$client->setApplicationName('your application name');
$client->setClientId('****************');
$client->setClientSecret('************');
$client->setRedirectUri('http://your.website.tld/complete/url2redirect');
$client->setScopes('https://www.googleapis.com/auth/userinfo.email');
## these two lines is important to get refresh token from google api
$client->setAccessType('offline');
$client->setApprovalPrompt('force'); # this line is important when you revoke permission from your app, it will prompt google approval dialogue box forcefully to user to grant offline access
For our app we had to use both these parameters access_type=offline&prompt=consent.
approval_prompt=force did not work for us
Hi I followed following steps and I had been able to get the refresh token.
Authorization flow has two steps.
Is to obtain the authorization code using https://accounts.google.com/o/oauth2/auth? URL.
For that a post request is sent providing following parameters. 'scope=' + SCOPE + '&client_id=' + CLIENTID + '&redirect_uri=' + REDIRECT + '&response_type=' + TYPE + '&access_type=offline' Providing above will receive a authorization code.
Retrieving AcessToken and RefreshToken using https://accounts.google.com/o/oauth2/token? URL.
For that a post request is sent providing following parameters.
"code" : code,
"client_id" : CID,
"client_secret" : CSECRET,
"redirect_uri" : REDIRECT,
"grant_type" : "authorization_code",
So in your first attempt once you authorize the permissions you will be able to get the Refresh token. Subsequent attempts will not provide the refresh token. If you want the token again the revoke the access in you application.
Hope this will help someone cheers :)
OAuth has two scenarios in real mode.
The normal and default style of access is called online.
In some cases, your application may need to access a Google API when the user is not present,It's offline scenarios .
a refresh token is obtained in offline scenarios during the first authorization code exchange.
So you can get refersh_token is some scenarios ,not all.
you can have the content in https://developers.google.com/identity/protocols/OAuth2WebServer#offline
.
Since March 2016, use prompt=consent to regenerate Google API refresh token.
As mentioned in https://github.com/googleapis/oauth2client/issues/453,
approval_prompt=force has been replaced with prompt=none|consent|select_account
For those using the Google API Client Library for PHP and seeking offline access and refresh tokens beware as of the time of this writing the docs are showing incorrect examples.
currently it's showing:
$client = new Google_Client();
$client->setAuthConfig('client_secret.json');
$client->addScope(Google_Service_Drive::DRIVE_METADATA_READONLY);
$client->setRedirectUri('http://' . $_SERVER['HTTP_HOST'] . '/oauth2callback.php');
// offline access will give you both an access and refresh token so that
// your app can refresh the access token without user interaction.
$client->setAccessType('offline');
// Using "consent" ensures that your application always receives a refresh token.
// If you are not using offline access, you can omit this.
$client->setApprovalPrompt("consent");
$client->setIncludeGrantedScopes(true); // incremental auth
source: https://developers.google.com/identity/protocols/OAuth2WebServer#offline
All of this works great - except ONE piece
$client->setApprovalPrompt("consent");
After a bit of reasoning I changed this line to the following and EVERYTHING WORKED
$client->setPrompt("consent");
It makes sense since using the HTTP requests it was changed from approval_prompt=force to prompt=consent. So changing the setter method from setApprovalPrompt to setPrompt follows natural convention - BUT IT'S NOT IN THE DOCS!!! That I found at least.