I'm trying to validate a token (just using postman), final solution would be written in Java (spring). The problem is I don't find the exact URL to validate the token against AAD.
I found this helpful article : https://learn.microsoft.com/en-us/answers/questions/884100/azure-ad-access-token-validation.html
And in that article they said to validate the token against this URL: https://login.microsoftonline.com/<<<tenant_id>>>/v2.0/
The problem is I got 404 when I hit that URL.
I also got "200 OK status" when I hit this URL https://login.microsoftonline.com/<<<tenant_id>>/oauth2/v2.0/authorize no matter what I put in the token !! Which is strange!
This link works for me: https://login.microsoftonline.com/<<<tenant_id>>/discovery/v2.0/keys - and I get back a very descriptive JSON, but I am still stuck.
Could you please provide me the URL which would give me 200-ok when I have a valid token, and also to give me a bad-invalid response when I have a wrong token ?
I found some sample Postman requests here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc?WT.mc_id=AZ-MVP-5003203
I got same behavior with them.
Thank you.
There is no introspection endpoint listed in https://login.microsoftonline.com/common/.well-known/openid-configuration
This authorization-server obviously supports JWTs only. To validate access-tokens, you'll have to configure a JWT decoder/validator in your Java app.
With Spring, this is done by configuring a JWT resource-server. Sample in this article. Skip the part about Keycloak and use
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://login.microsoftonline.com/common in properties
not sure this authorization-server provides with user roles or groups or whatever claim to map spring authorities from (try to submit an access-token to https://jwt.io to see if you have a claim like that)
I will ask again. Hope someone who has experienced the same issue offer me some help.
Background: to build a translation app from Swedish to English with ReactApp.
Issue: when access an open URL with axios.get(https://dictapi.lexicala.com/test), I am able to get data, but if replace with axios.get(https://dictapi.lexicala.com/search?source=global&language=sv&text=${keyWord}), resulted in GET https://dictapi.lexicala.com/search?source=global&language=sv&text=asdf 401
I suppose I need to find a way to embed my user credentials for api provider in my ReactApp code, everytime before use axios.get(https://dictapi.lexicala.com/search?source=global&language=sv&text=${keyWord}), I should make a login act to this api server. Because, I can access api server with URL in chrome, e.g. https://dictapi.lexicala.com/search?source=global&language=es&text=azul due to the fact chrome saved my user credentials.
Please indicate how to search the right question for sovling this problem? I am not expert with ReactJS and neither am I an English native speaker. What techniques should I refer to ?
The question is not related to React. It's related to a network call.
Looking at https://dictapi.lexicala.com looks like it requires a basic auth.
So probably what do you want to check is that question: How to send Basic Auth with axios
I haven't signed up for the service so I cant analyse the API, but I imagine you're assigned an API key - you'll want to either send this via url parameters or headers, depending on how the api works. These are both pretty easy to do with axios basic auth.
I have an API that I want to make a request to from my frontend, which is built using React. However, I don't want anyone to be able to see the API call in my code, because if someone just opens the inspect window, then they can see the API call. I've thought of perhaps adding some sort of header to be sent as authentication in the request, but that doesn't work either because you can just see the code if you inspect the site.
How would I do this? My API returns a private key that I can't just store in a variable directly within my code.
Sorry if this question doesn't make sense, but I appreciate all the help.
Your frontend code is insecure and observable by default. There is no secret in the frontend.
If your API returns confidential data that should only be accessed by the appropriate user you will have to implement authentication of any sort.
A user would then for example provide a password in order to call the API or he logged in before and got a token (e.g. JWT) that he sends with every request to authenticate. There is a user identity on every request then and your backend can decide if the user is allowed to get that private key.
If you really really want to make it difficult for someone to see your frontend code your router might provide a feature like "protected routes" that require such a token in order to access certain routes of your application. It will still always be possible to get the frontend code because the business logic has to stay on the backend.
I'm creating an app that prints out a pdf from the server after it has been generated.
When using google cloud print I keep getting:
User credentials required
Error 403
Note: making this print request in the simulating page works fine, but that's because I'm already logged into my google account.
After doing some research I found out I need to use OAuth to get an access token to send with the request to make a print job.
And every single page I can find tells me to redirect me to: https://www.googleapis.com/auth/cloudprint, which gives me a 404 error, neither can I find it in the google playground, and using any older versions of authentication ends up in the request to sign in being flagged as an attack from a hacker.
Is there any way around this?
I was stuck on this for a while. The docs don't tell you which scope to use or how to use it. I haven't implemented a Google API using OAuth2 yet, so I didn't have an understanding of how the scoping works.
It turns out the scope is just the base API route for CloudPrint.
To make sure your refresh_token or access_token is scoped properly to use the CloudPrint API you need to use have the following string in your scope object:
https://www.googleapis.com/auth/cloudprint
Surely someone else is using the API, I've looked and searched, I cannot seem to find the correct value to place for the scope parameter when authenticating:
I've looked at all these scope lists, nothing, tried the OAuth 2.0 playground, translation is not there.
oauth playground v1
oauth playground v2
oath supported scopes
auth scopes
Any clues welcomed, thank you.
Error message:
Error: invalid_request
Missing required parameter: scope
Learn more
Request Details
Update
User Ezra explained that OAuth2 authentication is not needed for the Translation API.
I got down this road by this path:
I was trying to make the sample code here work:
translation api sample code
And didn't have the apiclient.discovery module
from apiclient.discovery import build
I went off looking for that which landed me here to this quick-start configurator
which gave me an autogenerated translation api project here:
This starter project which is supposed to be tailored for Translation API includes a whole bunch of OAuth configuration and so I wound up asking the question because of the error mentioned here
exception calling translation api: <HttpError 400 when requesting https://www.googleapis.com/language/translate/v2?q=zebra&source=en&alt=json&target=fr&key=MYSECRETKEYWENTHERE returned "Bad Request">
The code I'm using to make said call which errors out in this way is:
service = build('translate', 'v2',
developerKey='MYSECRETKEYWENTHERE')
result = service.translations().list(
source='en',
target=lang,
q='zebra'
).execute()
If I make the same call directly that the error complains about, it works ok
https://www.googleapis.com/language/translate/v2?key=MYSECRETKEYWENTHERE&q=zebra&target=fr&alt=json&source=en
Updated Again
Okay, I removed all the OAuth code from the sample project and then ran it again and then finally noticed that I had a typo in my secret key... donk
Thanks for the answers!
.
Thank you
I think you are misunderstanding what OAuth scopes are for. You didn't list any of your code, so I'm going to explain some concepts, and hope that you can apply them to your situation.
OAuth Scopes explained:
The purpose of OAuth scopes is accessing information about authenticated users. The scopes are different for each applications, and determine what information about a user that an application is granted access to.
Concretely, an OAuth request with the scope parameter as
https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile
Would show the user a prompt similar to the following when logging in:
+ View basic information about your account
* View your name, public profile URL, and photo
* View your gender and birthdate
* View your country, language, and timezone
+ View your email address
* View the email address associated with your account
While one with only https://www.googleapis.com/auth/userinfo.email would show something like:
+ View your email address
* View the email address associated with your account
Translate API explained:
To use the Translate API, you don't have to have users authenticated with OAuth. You simply get an API Key, and provide that key in your request to the service.
The use of the Translate API is completely orthogonal to the use of OAuth.
As documented on the Translate API site, to translate something you simply make a request to
https://www.googleapis.com/language/translate/v2?parameters
with the appropriate parameters.
The parameters needed are, as listed in the documentation, the
API key. Use the key query parameter to identify your application.
Target language. Use the target query parameter to specify the language you want to translate into.
Source text string. Use the q query parameter to identify the string to translate.
Concretely, a request to translate the text "hello world" into German would be:
https://www.googleapis.com/language/translate/v2?key=INSERT-YOUR-KEY&source=en&target=de&q=Hello%20world
Look at the parameters specification to get an idea of what you have to supply.
What to do:
Look at the source of the Python example using the Translate API or look up the API library for the language you want to use.
You'll see in the examples that there is no mention of OAuth scopes, because it's not needed to authenticate against the Translate API service. You only need to provide your API key, and the text to be translated in your request to the service.
There may be API calls that require scope, but Translate is not one of them.
If there is some piece of information about a user that you need, you will have to look up the API and Scope needed to access that piece of information. You will then supply this information to the Translate API as necessary.
In case of 400:
If you are getting an error response, that's good, because the call to the service is working, even if it's not doing what you want.
In the case of a 400, the Translate API's response will give you a clue about your error in its response.
{
"error": {
"errors": [
{
"domain": "usageLimits",
"reason": "keyInvalid",
"message": "Bad Request"
}
],
"code": 400,
"message": "Bad Request"
}
}
The response above indicates that the key is invalid. You can request a new one (or find out your old one) through the Google API Console.
Summary:
OAuth scopes are used for requesting information about a user. You will have to identify the scope when authenticating the user, and you will have access to all information provided by those scopes.
The Translate API doesn't need a scope. You provide an API Key (and some other information) in your request, and it gives back the translation as documented.
If there is information about a user that you wish to translate, it must be done in two steps. First, collect the information by authenticating the user in the appropriate scope, and second by providing that information to the Translate API.
If you're getting a 400, the response will include some information you can use to debug the problem.
According to Google's documentation, you have to look at the documentation for your specific API.
Update as per this Google Group question:
"The Translate API (both v1 and v2) is an unauthenticated API, so you don't need to use OAuth with it. Instead, for v2, you should use an API key, which you can get here: http://code.google.com/apis/console"
For error message
Error: invalid_request
Missing required parameter: scope
You need to add scopes in your form
<input type="hidden" name="scope" value="https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo#email https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/tasks https://www-opensocial.googleusercontent.com/api/people https://www.googleapis.com/auth/plus.login" />
Please refer spring social login with linkedin,facebook,twitter and google providers.