using the auth0-react SDK
when I call getAccessTokenSilently()
I can see that it hits /oath/token and the response returns a new id_token as well as an access_token and some other things, however there doesn't seem to be any way to get the Id token from the response without modifying the library itself, or switching from the SDK to the API directly.
I wondered if perhaps under-the-hood it would store the id_token in a way that could be accessed with getIdTokenClaims but that doesn't seem to be the case either. anyone know how to get the id_token directly with the SDK? or if that's just not supported yet?
Related
I struggled with this annoying bug for a very long time. The issue was when trying to get the users UID via the two-legged API users/me it would result in an response from the API: Duplicate timestamp/nonce combination, possible replay attack. Request rejected. My work around for a while was basically brute forcing this API endpoint until it responded. This worked sometimes but is obviously not practical.
After going through post after post of people also having this problem I looked at the answers from Schoology support and they all said visit the docs, which I have looked over multiple times before. however this time I scrolled down and found a "short-cut" as they called it to get the UID:
So instead of trying to use the users/me endpoint you simply use the endpoint: /app-user-info which returns a JSON with timestamp and UID!
After you get the UID you can freely access the users/me endpoint by replacing me with the UID like so: users/{UID}
URL:
https://api.schoology.com/v1/app-user-info
two-legged Authorization header:
OAuth realm="Schoology API",
oauth_consumer_key="{CONSUMER_KEY}",
oauth_signature_method="PLAINTEXT",
oauth_timestamp="{TIMESTAMP}",
oauth_token="",
oauth_nonce="{RANDOM_CHARS}",
oauth_version="1.0",
oauth_signature="{CONSUMER_SECRET}%26"
I need to first fetch the oauth access token and then pass it as a parameter to my post request,
please let me know how this can be achieved using puppeteer.
I am new to puppeteer and I am stuck kindly assist.
Was unable to find an appropirate way to resolve the issue with puppeteer, I resolved it using Axios
I am trying to get a login procedure to work in AWS by following the Enhanced Authflow for Developer Authentication mentioned in the official documentation.
The code in both client and server are using JavaScript, and I'm using Node.js on the server-side.
I have managed to get the OpenId token back to the client but when I try to exchange it for credentials by calling getCredentialsForIdentity(), the client receives this error:
NotAuthorizedException: Access to Identity 'eu-west-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden.
Also on the server-side when I print the variable holding my AWS.CognitoIdentity object and check the property cognitoidentity.config.credentialProvider all I get is:
{"providers":[null,null,null,null]}
It feels like the named custom developer provider I have associated with my identity pool should be in there but I seem to not be able to get it there.
Any thoughts on where I might have gone wrong?
That error is usually thrown when you try to get access to an authenticated id without providing any of the tokens linked to that identity. If it's an authenticated identity, make sure you are giving a token for it.
I'm writing angular application that uses implicit grant oauth strategy. If I don't have valid access token in my cookies I am redirected to web interface of authentication server, input my credentials and get redirected to my site with access token in the url. My system parses it and writes down into cookies.
Currently I faced question of unit testing this parse function that consumes the url and returns access token object. Can't think the good way, so writing here:
1. How do you approach unit testing (so I can't make direct request to working oauth server) a function that parses the access token from authentication server?
2. How do you build url params with access token? Will it be secure if I copy current access token and use it in test data?
3. Are there libraries that can aid creation of mock access token object?
You could breakout "just enough" OAuth, like the service linked below. This will give you a super-basic OAuth provider, but is really geared to "integration testing" scenarios (depending on where you draw the lines on these things).
If you want to be a unit-testing purist/zealot, then you could fork this into your app's unit test code.
https://github.com/zalando-stups/mocks/tree/master/oauth2-provider
In lieu of a great answer, here's one to get you out of a hole :)
After approaching authors of my oAuth authentification service I've got insight on the data the server was sending me in case of successful authentication. In my case the response from oAuth server has the following form:
header // encoded algorithm for has creation
access token // base64 encoded object
hash // of the 3 previous items done using algorithm specified in the header.
It has the following structure: header.access_token.hash
My fear for security breach was concerned about putting correct data (that I can get from browser) into the test files. But as it turns out the token will not be valid without correct hash. The hashing of the token data is done in server side using private key, so if I change the hash the token will become obsolete.
As my token-parsing-function that I wanted to check uses only the access_token part of the request, I've changed the header and hash parts and also encoded other user name for sake of testing purposes.
So this is the resolution of my current problem. Hope this will help somebody.
I'm trying to post a score using the JS SDK. Here's the code that I'm using:
FB.api("/[USER_ID]/scores", 'post', {score:score, access_token:"APP_ACCESS_TOKEN"}, function(response){
if (!response || response.error) {
log(response);
} else {
log(response);
}
});
However, I need to do this without hardcoding the APP_ACCESS_TOKEN. Any idea on how to do it using the JS SDK?
/me/ refers to the current user - when using the app access token there is no 'current' user - you're acting as the app - make the request to /[USER ID]/scores using the app access token
You can grab access_token through JS by using FB.getLoginStatus. More can be found in the doc.
.
There is no way, that I know of.
And, nor should there be, when you consider that the App will only have one app access_token.
Think of it like your app secret, keep it safe!
Especially when you consider how you get the access_token to start with, just by making a formatted request to FB with your ID and App Secret.
If you put that client side, then ANYONE could grab it and do stuff on behalf of your app!!
I would suggest one of two things:
Try making a call to /me/scores, and use the normal access token.
Even though the API docs don't suggest this being possible, you never know.
OR
2. Encapsulate it as an AJAX call to your server, and make the Graph call from there.
Sucks, but there seems to be a few things that aren't quite designed to work on the client side yet. :-/