I got the code successfully from the Reddit OAuth API, but I am getting an invalid grant error (before, I was getting 401 Unauthorized when sending the data as JSON) when trying to get the access token after that. I am using Postman to send the POST request to https://www.reddit.com/api/v1/access_token. Here are the headers and form data which I am using in Postman. I am sending my client ID and secret in the Authorization tab (I also tried sending them in a header) from Postman and using x-www-form-urlencoded to send the grant type, code and redirect URI (I tried sending them as form data and JSON as well). In the headers my content type is x-www-form-urlencoded. Please help with getting the token if someone has used the Reddit API.
//Headers
Content-Type:application/x-www-form-urlencoded
//authorization
Authorization:Basic Base.Encode64(clientid:secret)
//client id and secret are those which I got by creating the app in reddit
//x-www-form-urlencoded.
{
"grant_type":"authorization_code",
"code":"authcode which I got from the get request before",
"redirect_uri":"http://localhost:3000"
}
//I tried sending these through query string as well
Your token expires after 3600 minutes if I am not mistaken
I'm trying to add some basic authorisation to the endpoints in an Express app using express-basic-auth, but it keeps giving me a 401 Unauthorized. I think the headers I'm sending in Postman are incorrect:
Middleware:
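const express = require('express');
const basicAuth = require('express-basic-auth');
const app = express();
// Require HTTP Basic credentials on every route.
app.use(basicAuth({
    users: { 'admin': 'supersecret' },
    unauthorizedResponse: 'You are not authorized.'
}));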
Postman GET request headers:
Authorization:admin:supersecret
How can I get authorised based on the headers?
Your authorization header should look like this: Authorization: Basic YWRtaW46c3VwZXJzZWNyZXQ=
The last part is the result of encoding admin:supersecret. I just found this tool to generate basic authentication headers, however, Postman can generate the headers itself. Just click on the Authorization option next to Headers and choose Basic Auth.
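How the header value in the answer above is produced, and how a server can check it, as an added example (not code from either post, and not express-basic-auth's own implementation). `USERS`, `basicHeader`, `safeEqual` and `checkBasic` are hypothetical names, and the users table is constructed to match the question's middleware.

```javascript
// Constructed users table, same values as the middleware in the question.
const USERS = { admin: 'supersecret' };

// Client side: "Basic " + base64("user:password").
function basicHeader(user, password) {
  return 'Basic ' + Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
}

// Compare two strings without returning at the first mismatching byte.
// (Node's crypto.timingSafeEqual does this job for equal-length buffers.)
function safeEqual(a, b) {
  const x = Buffer.from(a, 'utf8');
  const y = Buffer.from(b, 'utf8');
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

// Server side: return the authenticated user name, or null (answer with 401).
function checkBasic(headerValue) {
  // The scheme name and a base64 blob are both required, so the raw
  // "admin:supersecret" value from the question never gets past this line.
  const m = /^Basic +([A-Za-z0-9+\/]+=*)$/i.exec(headerValue || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // split at the first ':' only
  if (sep < 0) return null;
  const user = decoded.slice(0, sep);
  const password = decoded.slice(sep + 1);
  const known = Object.prototype.hasOwnProperty.call(USERS, user);
  // Run the comparison for unknown users too, so both paths do similar work.
  const match = safeEqual(password, known ? USERS[user] : '');
  return known && match ? user : null;
}
```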
I've followed the Google login / Expo guide and got both an access token and a refresh token.
But after the access token expires I can't get a new token.
When I try to get new one I get this error:
"error": "unauthorized_client", "error_description": "Unauthorized"
Here is the sample of the sent request for getting the new access token (Google docs):
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded

client_id=<your_client_id>&
client_secret=<your_client_secret>&
refresh_token=<refresh_token>&
grant_type=refresh_token
P.S. I did not forget to replace client_id and other relevant data.
The same client ID that got the refresh token must be used to get another access token!
You are probably using this code on Android; for mobile devices Google doesn't give you a secret since it is not needed. You can remove the secret from the request and change the client ID to match your mobile client ID.
This is the endpoint for getting a user account and its API key:
https://dev.openclinica.com/apidoc/#api-User_Account-getAccountByUserName
Using the following endpoint with Postman:
POST http://89.221.253.174:8080/OpenClinica/pages/accounts/login?username=pranv&password=XXXX
I am getting a 500 Internal Server Error and I don't know why.
I am not even quite sure if the URL is correct in Postman.
Any help on this?
The URL should be:
POST http://89.221.253.174:8080/OpenClinica/j_spring_security_check?username=pranv&password=XXXX
pages/accounts/login submits to j_spring_security_check
I am trying to sign up a new user on a REST API, and the request should look like this:
POST /api/oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic YW75cm9pZC12tb28Jp8bGU6c2Vj

grant_type=client_credentials&scope=write
Question 1: Is the Authorization code static, so that it must be the same every time I request a new user, or should I generate a new base64 code every time?
Question 2: Is grant_type... a request parameter or part of the body (shall I send it in the body or as a parameter)?
Very big thanks in advance!
First, from the request code that you provide:
POST /api/oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic YW75cm9pZC12tb28Jp8bGU6c2Vj

grant_type=client_credentials&scope=write
It seems to me that the request is for acquiring a client (app) access token (using the OAuth Client Credentials Grant), rather than a request to sign up a user. So, I'm basing my answer below on this assumption.
Question 1: Is the Authorization code static, so that it must be the same every time I request a new user, or should I generate a new base64 code every time?
In the case of the OAuth Client Credentials Grant, the Authorization header contains the client authentication information (e.g., client_id and client_secret). You usually get this information by registering your client (application) with the API provider.
So the answer is, YES, it should be static as long as the information (the client_id/secret) doesn't change/expire.
Question 2: Is grant_type... a request parameter or part of the body (shall I send it in the body or as a parameter)?
The OAuth spec specifies that the grant_type parameter is written in the HTTP request entity-body, so it should be sent in the request body. But some implementations do allow passing the grant_type parameter in the URL too.
Question 1: Usually you should use a public token (in this case a Basic OAuth token), and when this token expires you should renew it. The documentation of your API should state the token's expiry time and how to perform a token refresh.
Question 2: Looking at your information, "grant_type=client_credentials&scope=write" is a body parameter (it is a POST request with a body).
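The token request discussed in the answers above, and the Reddit authorization_code request in the first question, have the same shape: client credentials in a Basic header that stays the same between calls, grant parameters in a form-encoded body. This added example (not code from any of the posts) builds both; the function names, client ID, secret, code and the api.example.test host are constructed placeholders.

```javascript
// Form-urlencode one value (space -> '+', ':' -> '%3A', and so on).
function formEncode(s) {
  return new URLSearchParams({ v: s }).toString().slice(2);
}

// RFC 6749 section 2.3.1: client id and secret are each form-urlencoded,
// joined with ':', base64-encoded and sent as HTTP Basic credentials.
// The value depends only on the id and secret, so it is static.
function clientAuthHeader(clientId, clientSecret) {
  const pair = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

// Build a token request. `grant` holds the grant parameters, which go in
// the form-encoded body rather than in the URL or in a JSON document.
function buildTokenRequest(tokenUrl, clientId, clientSecret, grant) {
  if (!grant.grant_type) throw new Error('grant_type is required');
  return {
    method: 'POST',
    url: tokenUrl,
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: clientAuthHeader(clientId, clientSecret),
    },
    body: new URLSearchParams(grant).toString(),
  };
}

// Client credentials grant, as in the sign-up question (constructed values).
const clientCreds = buildTokenRequest(
  'https://api.example.test/api/oauth/token',
  'example-client', 'example-secret',
  { grant_type: 'client_credentials', scope: 'write' });

// Authorization code grant, as in the Reddit question (constructed values).
const codeGrant = buildTokenRequest(
  'https://www.reddit.com/api/v1/access_token',
  'example-client', 'example-secret',
  { grant_type: 'authorization_code', code: 'EXAMPLE_CODE',
    redirect_uri: 'http://localhost:3000' });
```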
I have an Angular.js application and I am trying to implement authentication to my PHP backend using a JWT.
I have the app set up to set the token on login and send the token with every request if it exists. I was following the information here, though it is for Node.js not PHP: https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/.
The information there was extremely helpful, but I do not understand why the token should be in the Authorization header with the text 'Bearer ' before the token. Could I just put the token there without 'Bearer '? Is there a recommended method for where the token should go in the request?
My other issue is where to store the token on the front end. The website recommended using $window.sessionStorage which doesn't seem to work well for my case because it seems to prevent someone from using multiple tabs which isn't very intuitive.
My question really comes down to:
Where do I put the token in the request header?
How should I store the token on the front end?
The use of the Bearer keyword is recommended in RFC 6750, section "Authorization Request Header Field":
Clients SHOULD make authenticated requests with a bearer token using
the "Authorization" request header field with the "Bearer" HTTP
authorization scheme. Resource servers MUST support this method
The libraries I've been working with always require it before the token itself. So the request header should be as follows:
Authorization: Bearer your_token
Regarding the storage, I have seen it in $window.sessionStorage too.
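What a resource server does with that header, as an added example (not code from the posts or from any particular library): it accepts only the `Bearer <token>` form and turns anything else into a challenge. `extractBearer`, `challengeFor` and the `api` realm are hypothetical, and the mapping of failures to 401 or 400 is this example's reading of RFC 6750 section 3.

```javascript
// b64token syntax from RFC 6750 section 2.1.
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;

// Pull the token out of an Authorization header value.
function extractBearer(headerValue) {
  if (typeof headerValue !== 'string' || headerValue.trim() === '') {
    return { ok: false, reason: 'no-bearer' };
  }
  const parts = headerValue.trim().split(/ +/);
  // A bare token with no scheme in front of it ends up here.
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const [scheme, token] = parts;
  // HTTP authentication scheme names are case-insensitive.
  if (scheme.toLowerCase() !== 'bearer') return { ok: false, reason: 'no-bearer' };
  if (!B64TOKEN.test(token)) return { ok: false, reason: 'malformed' };
  return { ok: true, token };
}

// Map a failed extraction to a status code and WWW-Authenticate value.
// No bearer credentials: plain 401 challenge without an error code.
// Malformed request: 400 with error="invalid_request".
function challengeFor(result, realm = 'api') {
  if (result.ok) return null;
  if (result.reason === 'no-bearer') {
    return { status: 401, header: `Bearer realm="${realm}"` };
  }
  return {
    status: 400,
    header: `Bearer realm="${realm}", error="invalid_request"`,
  };
}
```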