invalid or malformed authorization header provided


billyj....@gmail.com

Aug 3, 2015, 11:10:55 AM
to Clever Developer Program: Discussions
Hello Clever team,

I am running into the following error

"invalid or malformed authorization header provided"

when trying to post the following to tokens

curl -H "Authorization: Bearer DEMO_TOKEN" -d "client_secret=xxxxxxxx&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin%2Foauth&code=f0401268ba5c589a05184292e21d299a74ea927d&client_id=xxxxx" https://clever.com/oauth/tokens

I am manually trying to check this with curl because there isn't much information in the browser, and curl doesn't give much either. The following link is created within my application, which already has its own framework for doing this sort of thing. The first link is the authorization link

https://clever.com/oauth/authorize?scope=read%3Auser_id%20read%3Ateachers%20read%3Astudents&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin%2Foauth&state=df5112f6-f47c-497d-ade5-10c31e0b4ab5&client_id=xxxxx&district_id=xxxxxxxxxx


I have removed the client secret and id from the links but I have valid ones in the links when running my app.

Taylor Singletary

Aug 3, 2015, 11:29:28 AM
to Clever Developer Program: Discussions, billyj....@gmail.com
Hi there!

Thanks for writing in.

Our DEMO_TOKEN is made available for testing resource-based requests but does not function with the authentication (OAuth 2.0) API. When you're approaching these steps, it's best to forget about the DEMO_TOKEN completely. It represents a specific relationship between the demo district and a special demo application used in our API Explorer.

If you're trying to retrieve negotiated district bearer tokens from GET oauth/tokens, then you must leverage your client ID and secret, but in a very specific way. I notice you pass client_secret as a query parameter in your first example curl request -- you don't want to ever send this value in plain text or as a query parameter. You'll also never want to use bearer-token based auth with this method -- you're using this method to obtain bearer tokens. Instead, you use your client ID and client secret as a username and password value for what's called "HTTP Basic Auth."

With curl, specifying basic auth credentials is simple -- if your client ID were "abcd" and your client secret were "efgh", then instead of using the '-H "Authorization: Bearer..."' directive, you can use "-u abcd:efgh" to specify that as your user/password combination.

If you're trying to obtain the district bearer tokens already associated with your app, the request might look something like:


If you're trying to exchange a code value that you received on your redirect, it gets a little more complicated and curl isn't necessarily the right tool for the job since all the components of the OAuth 2.0 sequence are time-sensitive. But assuming the same redirect value and code you've received here, the request should look more like:

curl -u abcd:efgh -X POST https://clever.com/oauth/tokens -d "grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin%2Foauth&code=f0401268ba5c589a05184292e21d299a74ea927d"

Notice I'm setting the HTTP method to POST (a GET is not correct when exchanging codes for tokens). I'm not explicitly sending client ID or secret as query parameters -- they're being used to create an HTTP basic authorization instead.

What framework are you working with?

Best,
Taylor Singletary
Clever developer relations

Billy Figueroa

Aug 3, 2015, 11:52:07 AM
to Taylor Singletary, Clever Developer Program: Discussions
Taylor,

Thanks. I am working with Orion.

You can go to their page here to see the login page

https://orionhub.org/mixloginstatic/LoginWindow.html

It takes a while to load; it's slow. It's Java based. It is basically an Eclipse online editor. They already have logic to allow for OAuth through Google, GitHub and a few other companies. You can find the code, for example for Google, here...

https://github.com/eclipse/orion.server/tree/master/bundles/org.eclipse.orion.server.authentication/src/org/eclipse/orion/server/authentication/oauth/google

I have basically created a Clever consumer and a Clever param class just like Google has and tried to let the framework flow as it would for Google.

It fails when it tries an HTTP connect to the oauth/tokens URL with the parameters I am passing, but I can't figure out why it's failing.

It fails on this class

https://docs.oracle.com/javase/8/docs/api/java/net/HttpURLConnection.html

Problem is, I cannot debug the code because it's a .class file and not a Java file that is loaded in my Eclipse editor. It fails in this file

https://github.com/eclipse/orion.server/blob/master/bundles/org.apache.oltu.oauth2.client/src/org/apache/oltu/oauth2/client/URLConnectionClient.java

on line 95

with a response code of 400, and then it begins to build an error message based on the exception it hits.
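The token exchange Taylor describes (client ID and secret as HTTP Basic auth, POST with grant_type/redirect_uri/code in the form body, no Bearer header and no client_secret in the body), written out as an added Python example rather than the Orion/Oltu Java code from the thread. It also checks the state value from the authorize link before exchanging the code; the token URL and the sample client ID "abcd"/secret "efgh" are taken from the thread, and any network call is left to the caller.

```python
import base64
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_URL = "https://clever.com/oauth/tokens"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    # Client credentials go in the Authorization header as HTTP Basic auth,
    # never as query parameters or form fields, and never as a Bearer token.
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Return (method, url, headers, body) for the authorization_code exchange."""
    body = urlencode({
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,  # must equal the redirect_uri sent to /oauth/authorize
        "code": code,
    })
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return "POST", TOKEN_URL, headers, body


def check_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from /oauth/authorize and return the code.

    The state must match the value this app generated for the authorize link;
    a mismatch means the callback was not started by this session, so no
    code exchange is attempted.
    """
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: refusing to exchange code")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]


def exchange_code(client_id, client_secret, callback_url, expected_state, redirect_uri):
    """Full flow: validate the callback, then POST the code exchange (network call)."""
    code = check_callback(callback_url, expected_state)
    method, url, headers, body = build_token_request(client_id, client_secret, code, redirect_uri)
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()
```

Compare the headers and body this produces with what URLConnectionClient sends; a 400 at that point usually means the credentials or the body are not in this shape.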