
iarriola
8 years ago

Unable to get authorization code using V2 oauth2

I'm trying to call Community API v2 in order to:

1. Get an authorization code

2. Which can be used to request access tokens

3. Later be able to make requests to the v2 API, passing the access token as Bearer.

 

All this following the instructions in the OAuth 2.0 authorization grant flow document.

 

The instructions seem pretty straightforward:

1. Make a GET call to the authorize endpoint (I'm using the Paw REST client). Note that I'm including both a header and a URL parameter with the client ID, which I already created in community admin. I didn't include a redirect URL because I don't need it; this is intended to be a backend call.

 

GET /auth/oauth2/authorize?client_id=COMPANY-CLIENT-ID%3D%3D&response_type=code HTTP/1.1
client-id: COMPANY-CLIENT-ID==
Host: www.stg.company.com
Connection: close
User-Agent: Paw/3.1.4 (Macintosh; OS X/10.12.6) GCDHTTPRequest

 

 

2. After this call I should get in return as the doc textually says: 

After you call the authorization endpoint, redirect the member to your client application with the authorization code and tenant ID returned with the response to complete the request.

At this point my request does not return what is expected; instead I'm getting a 302 Found response with the headers below.

HTTP/1.1 302 Found
Server: Apache
X-Frame-Options: SAMEORIGIN
Set-Cookie: LiSESSIONID=SOME-SESSION_ID; Path=/; Secure; HttpOnly
Set-Cookie: LithiumVisitor=~SOME_COOKIE~VALUE..; Expires=Mon, 13-Sep-2027 21:30:07 GMT; Path=/; HttpOnly
Location: https://www.stg.company.com/?response_type=code&redirect_uri=https%3A%2F%2Fwww.stg.company.com%2F%2F&client_id=6XmMCgSBjYo%2F8boYwsEdICuK3O%2FvA5U6Huf%2FjE2kNxw%3D
Via: 1.1 varnish
Fastly-Debug-Digest: 0e18909eb3f76f7dad7f8262a3c3ed27d2e751a77b5cdad6f72b85e51b13fdb5
Strict-Transport-Security: 608400
Content-Length: 0
Accept-Ranges: bytes
Date: Fri, 15 Sep 2017 21:30:07 GMT
Via: 1.1 varnish
Age: 0
Connection: close
X-Served-By: cache-sjc3125-SJC, cache-dfw18639-DFW
X-Cache: MISS, MISS
X-Cache-Hits: 0, 0
X-Timer: S1505511008.567881,VS0,VE62
Access-Control-Allow-Origin: https://www.stg.company.net

So I'm not even able to complete this first step successfully. Any suggestions about what I am missing?

 

9 Replies

  • DougS
    Khoros Oracle
    8 years ago

    The first call (to /auth/oauth2/authorize) needs to be made via a web browser, and requires you to sign into (or already be signed into) the community. Once that has happened, that page will redirect you to whatever URL you registered your API client with and should include the authorization code as a parameter in that redirect.

     

    If that is not working for some reason, I would recommend opening a support case and include all the details about what API client you were using (client id should be enough) and what user id you signed into the community using and support should be able to help get this resolved for you.

  • Hi 

     

    You can try the solution mentioned below; it seems to be a perfect one.

    Let me know if you are stuck somewhere; I will help you with that.

     

    Thanks

  • I'm posting what worked for me here since I struggled with the first step for a while. The example included in the documentation for the request authorization looks like this:

    https://community.example_community.com/auth/oauth2/authorize?client_id=CbEwDo2NtAhXLSt4Y49D1yVE9D371eyZFWRSSXvNLvA=&response_type=code&redirect_uri=http%3A%2F%2Fredirect.example_community.com%2FgetaccessToken

    That example above implies that the client_id is un-encoded and the redirect_uri is URL encoded. It's the other way around. From my experience with this, I found that the client_id needs to be URL encoded and the redirect_uri must NOT be URL encoded, as in:

    https://community.example_community.com/auth/oauth2/authorize?client_id=CbEwDo2NtAhXLSt4Y49D1yVE9D371eyZFWRSSXvNLvA%3D&response_type=code&redirect_uri=http://redirect.example_community.com/getaccessToken

    Once I followed that format, using that URL in my browser while I was logged in, I was able to get a response with a code value in the URL. Note that the Code value that is returned in the URL is URL encoded. You'll need to decode it before using it in the next step when you request the access token and refresh token at: 

     

    https://api.stage.lithium.com/auth/v1/accessToken?restapi.response_format=json

     

    Be sure to include the Content-Type and client_id in the header, and include the code, client_id, client_secret, redirect_uri, grant_type in the body in proper JSON format. I was using Advanced Rest Client to do this manually. This second step also needs to be done within a couple of minutes after getting the Code itself. 

  • iarriola
    Ace
    7 years ago

    Hello, it's been a while since I posted this one. This is what I'm receiving after performing the operation:

    URL:

    https://TENANT_ID.stage.lithium.com/forum/s/auth/oauth2/authorize?response_type=code&client_id=CLIENT_ID_ENCODED&redirect_uri=https://webhook.site/c8e57cc3-96f8-47e4-b48a-82940aa1f7f4

    or

    https://api.stage.lithium.com/forum/s/TENANT_ID/auth/oauth2/authorize?response_type=code&client_id=CLIENT_ID_ENCODED&redirect_uri=https://webhook.site/c8e57cc3-96f8-47e4-b48a-82940aa1f7f4

    {"status":"Bad Request","message":"Error fetching service details","statusCode":400}

    If I use the tenant ID in the URL, I get this code:

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>401 Unauthorized</title>
    </head><body>
    <h1>Unauthorized</h1>
    <p>This server could not verify that you
    are authorized to access the document
    requested.  Either you supplied the wrong
    credentials (e.g., bad password), or your
    browser doesn't understand how to supply
    the credentials required.</p>
    </body></html>

    So then, I provide basic authentication and get the following:

    < HTTP/1.1 302 Found
    < Date: Thu, 14 Jun 2018 06:46:52 GMT
    < Server: Apache
    < X-Frame-Options: SAMEORIGIN
    < Set-Cookie: LiSESSIONID={VALUE}; Path=/; Secure; HttpOnly
    < Set-Cookie: LithiumVisitor={VALUE}; Expires=Sun, 11-Jun-2028 06:46:52 GMT; Path=/; HttpOnly
    < Location: https://{TENANT_ID}.stage.lithium.com/?response_type=code&redirect_uri={webhook_URL}
    < Content-Length: 0
    < Connection: close

    and the redirect URI does not receive any incoming "code".

    So, sadly, none of the suggestions seem to work so far.

     

    I really appreciate your time for replying :) robertcavanna, Gagandeeps and DougS

  • ashok285
    Ace
    7 years ago

    Hi iarriola

    Basically, for getting an authorization code, the URL is the one below:

     https://community.example_community.com/auth/oauth2/authorize?client_id=CbEwDo2NtAhXLSt4Y49D1yVE9D371eyZFWRSSXvNLvA=&response_type=code&redirect_uri=http%3A%2F%2Fredirect.example_community.com%2FgetaccessToken

     

    https://community.lithium.com/auth/oauth2/authorize?client_id=CbEwDo2NtAhXLSt4Y49D1yVE9D371eyZFWRSSXvNLvA=&response_type=code&redirect_uri=http%3A%2F%2Fredirect.example_community.com%2FgetaccessToken

    But you are giving https://api.stage.lithium.com instead of community.example_community.com. Give your community name in the above URL and it will work.

     

    Give kudos if you find my posts helpful or mark solution if it answers your query

  • joylim
    Contributor
    7 years ago

    Quick question: For server-to-server calls, is there a programmatic way (an endpoint perhaps) to log on an API user?

    Context: In order to make the authorize endpoint work, the following should be done:

    1. Using a browser, manually log on to the community site as an API user

    https://community.example_community.com/

    2. Paste the URL in the browser

    https://community.example_community.com/auth/oauth2/authorize?client_id=<urlEncodedClientId>&response_type=code&redirect_uri=<urlDecodedRedirectURI>

    3. Once submitted, note that the request has been redirected and the browser now shows the authorization code as 'code'.

    https://community.example_community.com?code=<urlEncodedCode>&user-id=<userId>&tenant-id=<tenantId>&proxy-host=<proxyHost>

    I'd like to skip Step 1 (the manual part where the user needs to log on as an API user). Is there a REST endpoint for logging in? Thanks!
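
The manual flow described in the posts above (percent-encoded client_id, code returned on the browser redirect, JSON token request), as an added Python example that is not part of the thread or of Khoros documentation. The `client-id` header name follows the request in the original post, `authorization_code` is the standard OAuth 2.0 grant_type value, and the sample client ID and redirect URI are constructed.

```python
import json
from urllib.parse import quote, urlsplit, parse_qs

# Token endpoint as quoted in the thread (stage environment).
TOKEN_URL = "https://api.stage.lithium.com/auth/v1/accessToken?restapi.response_format=json"

def build_authorize_url(community_base, client_id, redirect_uri):
    """Authorize URL in the form the replies report working: client_id is
    percent-encoded (its base64 '=', '/', '+' are not query-safe) and
    redirect_uri is passed exactly as registered."""
    return (f"{community_base.rstrip('/')}/auth/oauth2/authorize"
            f"?client_id={quote(client_id, safe='')}"
            f"&response_type=code&redirect_uri={redirect_uri}")

def extract_code(final_url):
    """Return the authorization code from the URL the browser lands on.
    parse_qs percent-decodes exactly once, which is the decoding step the
    thread calls for. A redirect that only echoes the request parameters
    (the 302 in the original post) means no signed-in session was present."""
    params = parse_qs(urlsplit(final_url).query)
    if "code" not in params:
        if "response_type" in params:
            raise ValueError("bounced without a code: no community session")
        raise ValueError("no code parameter in redirect")
    if len(params["code"]) != 1:
        raise ValueError("ambiguous redirect: multiple code parameters")
    return params["code"][0]

def build_token_request(code, client_id, client_secret, redirect_uri):
    """Assemble (url, headers, body) for the token exchange. The secret
    travels only in the JSON body, never in a URL or a log line."""
    headers = {"Content-Type": "application/json", "client-id": client_id}
    body = json.dumps({
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",  # standard OAuth 2.0 value
    })
    return TOKEN_URL, headers, body

# Constructed sample values, not real credentials.
SAMPLE_CLIENT_ID = "EXAMPLEclientID/abc+def="
SAMPLE_REDIRECT = "https://client.example.test/callback"
```

The code expires within a couple of minutes according to the thread, so the token request should be sent immediately after `extract_code` returns.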

     

  • joylim
    Contributor
    7 years ago

    In that case, I need to create a user account (that has a user id, password, and email) for an application. How do the client id and client secret tie into all this, in that case? I tested using clientId as userId and clientSecret as password but it didn't work. It really does seem that I need to have an email address tied to my application. Please confirm. Thanks!

     

  • DougS
    Khoros Oracle
    7 years ago

    If you use Session Key Auth, you use it instead of OAuth, so none of the OAuth stuff (client id, client secret, etc.) apply. I think you can create an api user via the admin (Users > Create Users tab I think), but this might be something that Support needs to do for you (if you don't see that tab, contact support to have them create the user for you). You have to supply username, password, and email address when you create the user.