OAuth 101 - requesting the authorisation token

Hey,

I just wanted to check a couple of things with OAuth if someone
doesn’t mind a bit of hand holding…

From the docs, it talks about the general flow, the first step I take
to mean requesting an Authentication Token.

“The App makes an HTTP Basic Auth request to the FreeAgent OAuth Token
Endpoint including the Client ID, Secret and the Authorisation Token
amongst other parameters. In return the App will receive an Access
Token and a Refresh Token.”

So, working with raw HTTP messages, I was expecting to make a GET
request (with no additional headers) to something like

https://api.sandbox.freeagent.com/v2/approve_app?client_id=4ta9v9JrXqSGdcdNuzTUtA&response_type=code&redirect_uri=https%3A%2F%2Fcode.google.com%2Foauthplayground%2F&client_secret=xxxx

and should expect 302 back with a Location header indicating the
redirect along with a new Authorisation code (as a URL parameter).

Is this correct so far?

If that’s correct, I’m a bit confused about the basic auth part and
the need to supply client Id (some of the docs also talk about
supplying the client secret) on the URL (as request parameters).

I’ve made requests to both and am basically given back HTML content
asking me to log in. If I change the request headers to ask for JSON,
I get 404. I suspect I’m not setting up basic authentication properly.
Using the Apache HC (Java) library, I associate a username and
password to a URL, which do I use…

https://api.sandbox.freeagent.com?

with the username as client id and the password as the secret?

If I do this, do I still need to supply one or both of them on the
URL?

ps, it doesn’t seem to make a difference so far if I use a redirect
url in the request. As I’m writing a programmatic / rich client thing,
I don’t have a logical redirect URL so am unsure what to use here.

Thanks for the hand holding :wink:

Hi Graeme,

Thanks for the tips, I’ll look at the listening to a localhost port
for the token.

I’ll no doubt bug the list as I go :slight_smile:

ps, the app I’m working on this for is a rich (java) desktop
application. So far, I’m avoiding any OAuth libraries as I’m curious
about getting it working using just ‘raw’ HTTP messages. Should be
easy right!?

Thanks again,
Toby

On Jun 7, 12:58 pm, Graeme Boyd graeme.b...@freeagent.com wrote:

Hi Toby,

With API 2 and OAuth 2.0 you don’t ask the user for their FreeAgent
username and password. This means that you do have to send the user to
FreeAgent and complete the OAuth 2.0 flow.

However, this doesn’t mean that you have to have a server running to handle
the tokens. You could:

  1. Register a custom url scheme on the computer and set this as the
    redirect_uri. For example, register desktopapp://tokens as the
    redirect_uri and set the operating system to run a script to handle these
    URLs. You can then use this script to grab the tokens and feed them to
    your app.

  2. Run a web browser view inside your app and when the user completes the
    OAuth flow you can sniff the tokens from the redirect uri.

  3. Have your app listen on a certain localhost port and set this as the
    redirect url e.g. http://localhost:8000. Your app would then receive the
    token there.

I think the important thing to realise is that at the end of the OAuth flow
the FreeAgent server sends the user’s browser an HTTP 302 Redirect with the
redirect_uri. That redirect_uri doesn’t have to send the user to a remote
server but can be processed on the user’s computer.

There are probably libraries you can use which implement all of this for
you as for example all Twitter or Facebook desktop and mobile apps work
this way. What platform are you using?

Kind regards,

Graeme

On 6 June 2012 20:30, Toby toby.wes...@gmail.com wrote:

Hi,

Thanks for the reply.

Just to pick up on the basic auth part to my ramblings above… I’ve
been playing with Google’s oauthplayground and inspecting the
messages as well as looking through the documents. I think I need to
step back a little and ask about non-web based API clients and what
the redirect URL means for them. I spotted the docs mention that iOS
apps would most likely use a custom URL scheme but that there are
other options available.

I wonder if you could talk about those other options?

When I asked about basic auth, it was from the perspective of my
desktop app. The redirect URL doesn’t seem to make sense here as I
won’t redirect to a page where the user can login, I’ll already have
their username and password at that point. I’d assumed that I could
use basic auth to send those over to the equivalent step to logging
in. So for example, sending something like this over in the header
responding to the redirect

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

I suspect this is off the mark though so I’ll keep looking at the
playground and see if anything pops up.

I’ve recorded the basic flow (from the oauthplayground) here,

https://github.com/tobyweston/blog/blob/master/source/_posts/2012-06-06-oauth-and-http-part-i.md
and I’m basically musing how I can programmatically code around the
login / approve steps (which in the example are done via user
interaction).

Thanks for now,
Toby

On Jun 6, 9:58 am, Graeme Boyd graeme.b...@freeagent.com wrote:

Hi Toby,

On 5 June 2012 18:24, Toby toby.wes...@gmail.com wrote:

Hey,

I just wanted to check a couple of things with OAuth if someone
doesn’t mind a bit of hand holding…

From the docs, it talks about the general flow, the first step I take
to mean requesting an Authentication Token.

“The App makes an HTTP Basic Auth request to the FreeAgent OAuth Token
Endpoint including the Client ID, Secret and the Authorisation Token
amongst other parameters. In return the App will receive an Access
Token and a Refresh Token.”

So, working with raw HTTP messages, I was expecting to make a GET
request (with no additional headers) to something like

https://api.sandbox.freeagent.com/v2/approve_app?client_id=4ta9v9JrXqSGdcdNuzTUtA&response_type=code&redirect_uri=https%3A%2F%2Fcode.google.com%2Foauthplayground%2F&client_secret=xxxx

and should expect 302 back with a Location header indicating the
redirect along with a new Authorisation code (as a URL parameter).

Is this correct so far?

You must not include the client secret here as this defeats the security
of OAuth.

A correct example can be seen at:

https://dev.freeagent.com/docs/oauth#the-authorisation-request

If that’s correct, I’m a bit confused about the basic auth part and
the need to supply client Id (some of the docs also talk about
supplying the client secret) on the URL (as request parameters).

I’ve made requests to both and am basically given back HTML content
asking me to log in. If I change the request headers to ask for JSON,
I get 404. I suspect I’m not setting up basic authentication properly.
Using the Apache HC (Java) library, I associate a username and
password to a URL, which do I use…

https://api.sandbox.freeagent.com?

with the username as client id and the password as the secret?

If I do this, do I still need to supply one or both of them on the
URL?

I’m not sure what you mean here. The request to make is detailed at:

https://dev.freeagent.com/docs/oauth#the-access-token-request

You can either use HTTP Basic Auth or you can just include the client_id
and client_secret as URL parameters.

ps, it doesn’t seem to make a difference so far if I use a redirect url
in the request. As I’m writing a programmatic / rich client thing,
I don’t have a logical redirect URL so am unsure what to use here.

You must either have registered a redirect_uri at dev.freeagent.com in
which case you don’t have to supply it here or you must supply one on each
request. Additionally, you must do the same as you did when you requested
the authorisation token - if you didn’t supply one when requesting the
authorisation token you must not supply one when requesting the access
token or if you did supply one when requesting the authorisation token you
must supply the same one when requesting the access token.

Thanks for the hand holding :wink:

I’m not sure I’ve really answered your questions above. It might be worth
having a play with the Google OAuth 2.0 Playground (see below) as you can
copy their example requests. Alternatively, why not use a library which
already implements the OAuth 2.0 flow? This would save you having to write
your own implementation.

https://dev.freeagent.com/docs/quick_start

Kind regards,

Graeme

You received this message because you are subscribed to the Google Groups
“FreeAgent API” group.
To post to this group, send email to freeagent_api@googlegroups.com.
To unsubscribe from this group, send email to
freeagent_api+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/freeagent_api?hl=en.


Graeme Boyd
Senior Software Engineer

Web. freeagent.com http://www.freeagent.com/ Blog. freeagent.com/blog
Twitter. @freeagent https://twitter.com/#!/freeagent Facebook. facebook.com/freeagentapp

SOFTWARE SATISFACTION AWARDS 2012 - Vote for us <http://www.clicktools.com/survey?iv=1c8dgs13zfxs7r&q1=FreeAgent%20Central%20Ltd&q2=FreeAgent&q3=Accounting%20and%20Finance> (We’d be super stoked!)

40 Torphichen Street, Edinburgh, EH3 8JB
FreeAgent Central Ltd. Registered in sunny Scotland SC316774
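
The flow Graeme lays out above (an authorisation request that carries no client secret, a loopback redirect_uri that receives the code, then a token request authenticated with HTTP Basic Auth and the same redirect_uri) as raw HTTP messages, written in Python as an added example rather than code from the thread or from FreeAgent. The token endpoint path is a placeholder to be taken from the linked docs, the client id, secret and authorisation code are constructed sample values, and the grant_type and state parameters come from RFC 6749 rather than from anything quoted in the thread.

```python
"""OAuth 2.0 authorisation-code flow for a desktop client, as raw HTTP messages.

Added example, not code from the thread or from FreeAgent. It follows the
advice in the thread: the browser-facing authorisation request carries no
client secret; the loopback redirect_uri (Graeme's option 3) receives the code;
the token request authenticates the client with HTTP Basic Auth (or, as the
alternative Graeme mentions, with client_id/client_secret as request
parameters); and redirect_uri is sent identically in both requests or in neither.
"""
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Authorisation endpoint quoted in the thread.
AUTHORISE_URL = "https://api.sandbox.freeagent.com/v2/approve_app"
# Placeholder: the real token endpoint path is in the linked FreeAgent docs.
TOKEN_URL = "https://api.sandbox.freeagent.com/v2/TOKEN_ENDPOINT_PATH"
# Graeme's option 3: the desktop app listens on a loopback port.
LOOPBACK_REDIRECT = "http://localhost:8000"


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic credentials: base64 of 'username:password'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


class AuthorisationCodeFlow:
    """Holds the per-attempt values that must agree across both requests."""

    def __init__(self, client_id, client_secret, redirect_uri=LOOPBACK_REDIRECT):
        self.client_id = client_id
        self._client_secret = client_secret  # back channel only, never in a browser URL
        # None means: rely on the redirect_uri registered at dev.freeagent.com
        # and omit the parameter from BOTH requests (Graeme's consistency rule).
        self.redirect_uri = redirect_uri
        # Unguessable value tying the redirect back to this attempt (RFC 6749 'state').
        self.state = secrets.token_urlsafe(16)

    def authorisation_url(self) -> str:
        """Step 1: URL the user's browser is sent to. Front channel, so no secret."""
        params = {"client_id": self.client_id, "response_type": "code", "state": self.state}
        if self.redirect_uri is not None:
            params["redirect_uri"] = self.redirect_uri
        return f"{AUTHORISE_URL}?{urlencode(params)}"

    def code_from_redirect(self, target: str) -> str:
        """Step 2: extract the code from the 302 Location value, or from the
        request target ('/?code=...') the browser then sends to our loopback
        listener. Both carry the same query string."""
        query = parse_qs(urlsplit(target).query)
        if "error" in query:
            raise ValueError(f"authorisation denied: {query['error'][0]}")
        if query.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: redirect does not belong to this attempt")
        if "code" not in query:
            raise ValueError("redirect carries no authorisation code")
        return query["code"][0]

    def access_token_request(self, code: str, use_basic_auth: bool = True):
        """Step 3: the back-channel POST. Returns (method, url, headers, body)."""
        body = {"grant_type": "authorization_code", "code": code}
        if self.redirect_uri is not None:
            body["redirect_uri"] = self.redirect_uri  # identical to step 1, or absent in both
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        }
        if use_basic_auth:
            headers["Authorization"] = basic_auth_header(self.client_id, self._client_secret)
        else:
            body["client_id"] = self.client_id
            body["client_secret"] = self._client_secret
        return "POST", TOKEN_URL, headers, urlencode(body)


def render_http_request(method, url, headers, body="") -> str:
    """Render the request as the raw HTTP/1.1 message that goes on the wire."""
    parts = urlsplit(url)
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    lines = [f"{method} {target} HTTP/1.1", f"Host: {parts.netloc}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    if body:
        lines.append(f"Content-Length: {len(body.encode('utf-8'))}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


if __name__ == "__main__":
    # Constructed sample values; nothing here talks to the network.
    flow = AuthorisationCodeFlow("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER")
    print(flow.authorisation_url())
    # What the loopback listener sees when the browser follows the 302:
    request_line = f"GET /?code=sample_code_123&state={flow.state} HTTP/1.1"
    code = flow.code_from_redirect(request_line.split(" ")[1])
    print(render_http_request(*flow.access_token_request(code)))
```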


Go to groups.google.com and do it there.

On Thu, Jun 7, 2012 at 3:44 AM, zee zeeqtao@gmail.com wrote:

How do I unsubscribe from this mail list

Zee

Nic Wise
t. +44 7788 592 806 | @fastchicken | http://www.linkedin.com/in/nicwise
b. http://www.fastchicken.co.nz/

Earnest: Self-employed? Track your business expenses and income.


Nearest Bus: find when the next bus is coming to your stop. http://goo.gl/Vcz1p
mobileAgent (for FreeAgent): get your accounts in your pocket.
http://goo.gl/IuBU
Trip Wallet: Keep track of your budget on the go: http://goo.gl/ePhKa
London Bike App: Find the nearest Boris Bike, and get riding! http://goo.gl/Icp2

A quick google says:

http://support.google.com/groups/bin/answer.py?hl=en&answer=46608

On 7 June 2012 03:44, zee zeeqtao@gmail.com wrote:

How do I unsubscribe from this mail list

Zee

On 6 June 2012 16:58, Graeme Boyd graeme.boyd@freeagent.com wrote:

Hi Toby,

On 5 June 2012 18:24, Toby toby.weston@gmail.com wrote:

Hey,

I just wanted to check a couple of things with OAuth if someone
doesn’t mind a bit of hand holding…

From the docs, it talks about the general flow, the first step I take
to mean requesting an Authentication Token.

“The App makes an HTTP Basic Auth request to the FreeAgent OAuth Token
Endpoint including the Client ID, Secret and the Authorisation Token
amongst other parameters. In return the App will receive an Access
Token and a Refresh Token.”

So, working with raw HTTP messages, I was expecting to make a GET
request (with no additional headers) to something like

https://api.sandbox.freeagent.com/v2/approve_app?client_id=4ta9v9JrXqSGdcdNuzTUtA&response_type=code&redirect_uri=https%3A%2F%2Fcode.google.com%2Foauthplayground%2F&client_secret=xxxx

and should expect 302 back with a Location header indicating the
redirect along with a new Authorisation code (as a URL parameter).

Is this correct so far?

You must not include the client secret here as this defeats the security
of OAuth.

A correct example can be seen at:

https://dev.freeagent.com/docs/oauth#the-authorisation-request

If that’s correct, I’m a bit confused about the basic auth part and
the need to supply client Id (some of the docs also talk about
supplying the client secret) on the URL (as request parameters).

I’ve made requests to both and am basically given back HTML content
asking me to log in. If I change the request headers to ask for JSON,
I get 404. I suspect I’m not setting up basic authentication properly.
Using the Apache HC (Java) library, I associate a username and
password to a URL, which do I use…

https://api.sandbox.freeagent.com?

with the username as client id and the password as the secret?

If I do this, do I still need to supply one or both of them on the

URL?

I’m not sure what you mean here. The request to make is detailed at:

https://dev.freeagent.com/docs/oauth#the-access-token-request

You can either use HTTP Basic Auth or you can just include the client_id
and client_secret as URL parameters.

ps, it doesn’t seem to make a difference so far if I use a redirect

url in the request. As I’m writing a programatic / rich client thing,
I don’t have a logical redirect URL so am unsure what to use here.

You must either have registered a redirect_uri at dev.freeagent.com in
which case you don’t have to supply it here or you must supply one on each
request. Additionally, you must do the same as you did when your requested
the authorisation token - if you didn’t supply one when requesting the
authorisation token you must not supply one when requesting the access
token or if you did supply one when requesting the authorisation token you
must supply the same one when requesting the access token.

Thanks for the hand holding :wink:

I’m not sure I’ve really answered your questions above. It might be
work having a play with the Google OAuth 2.0 Playground (see below) as you
can copy their example requests. Alternatively, why not use a library
which already implements the OAuth 2.0 flow? This would save you having to
write your own implementation.

https://dev.freeagent.com/docs/quick_start

Kind regards,

Graeme

You received this message because you are subscribed to the Google
Groups “FreeAgent API” group.
To post to this group, send email to freeagent_api@googlegroups.com.
To unsubscribe from this group, send email to
freeagent_api+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/freeagent_api?hl=en.


Graeme Boyd
Senior Software Engineer

Web. freeagent.com http://www.freeagent.com/ Blog. freeagent.com/blog
Twitter. @freeagent https://twitter.com/#!/freeagent Facebook.
facebook.com/freeagentapp

SOFTWARE SATISFACTION AWARDS 2012* * - *Vote for ushttp://www.clicktools.com/survey?iv=1c8dgs13zfxs7r&q1=FreeAgent%20Central%20Ltd&q2=FreeAgent&q3=Accounting%20and%20Finance
** * (We’d be super stoked!)

40 Torphichen Street, Edinburgh, EH3 8JB
FreeAgent Central Ltd. Registered in sunny Scotland SC316774


You received this message because you are subscribed to the Google Groups
“FreeAgent API” group.
To post to this group, send email to freeagent_api@googlegroups.com.
To unsubscribe from this group, send email to
freeagent_api+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/freeagent_api?hl=en.


You received this message because you are subscribed to the Google Groups
“FreeAgent API” group.
To post to this group, send email to freeagent_api@googlegroups.com.
To unsubscribe from this group, send email to
freeagent_api+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/freeagent_api?hl=en.

Graeme Boyd
Senior Software Engineer

Web. freeagent.com http://www.freeagent.com/ Blog. freeagent.com/blog
Twitter. @freeagent https://twitter.com/#!/freeagent Facebook.
facebook.com/freeagentapp

SOFTWARE SATISFACTION AWARDS 2012* * - *Vote for
ushttp://www.clicktools.com/survey?iv=1c8dgs13zfxs7r&q1=FreeAgent%20Central%20Ltd&q2=FreeAgent&q3=Accounting%20and%20Finance
** * (We’d be super stoked!)

40 Torphichen Street, Edinburgh, EH3 8JB
FreeAgent Central Ltd. Registered in sunny Scotland SC316774

Hi Toby,

Hey,

I just wanted to check a couple of things with OAuth if someone
doesn’t mind a bit of hand holding…

From the docs, it talks about the general flow, the first step I take
to mean requesting an Authentication Token.

“The App makes an HTTP Basic Auth request to the FreeAgent OAuth Token
Endpoint including the Client ID, Secret and the Authorisation Token
amongst other parameters. In return the App will receive an Access
Token and a Refresh Token.”

So, working with raw HTTP messages, I was expecting to make a GET
request (with no additional headers) to something like

https://api.sandbox.freeagent.com/v2/approve_app?client_id=4ta9v9JrXqSGdcdNuzTUtA&response_type=code&redirect_uri=https%3A%2F%2Fcode.google.com%2Foauthplayground%2F&client_secret=xxxx

and should expect 302 back with a Location header indicating the
redirect along with a new Authorisation code (as a URL parameter).

Is this correct so far?

You must not include the client secret here as this defeats the security of
OAuth.

A correct example can be seen at:

https://dev.freeagent.com/docs/oauth#the-authorisation-request

If that’s correct, I’m a bit confused about the basic auth part and
the need to supply client Id (some of the docs also talk about
supplying the client secret) on the URL (as request parameters).

I’ve made requests to both and am basically given back HTML content
asking me to log in. If I change the request headers to ask for JSON,
I get 404. I suspect I’m not setting up basic authentication properly.
Using the Apache HC (Java) library, I associate a username and
password to a URL, which do I use…

https://api.sandbox.freeagent.com?

with the username as client id and the password as the secret?

If I do this, do I still need to supply one or both of them on the

URL?

I’m not sure what you mean here. The request to make is detailed at:

https://dev.freeagent.com/docs/oauth#the-access-token-request

You can either use HTTP Basic Auth or you can just include the client_id
and client_secret as URL parameters.

ps, it doesn’t seem to make a difference so far if I use a redirect

url in the request. As I’m writing a programatic / rich client thing,
I don’t have a logical redirect URL so am unsure what to use here.

You must either have registered a redirect_uri at dev.freeagent.com in
which case you don’t have to supply it here or you must supply one on each
request. Additionally, you must do the same as you did when your requested
the authorisation token - if you didn’t supply one when requesting the
authorisation token you must not supply one when requesting the access
token or if you did supply one when requesting the authorisation token you
must supply the same one when requesting the access token.

Thanks for the hand holding :wink:

I’m not sure I’ve really answered your questions above. It might be work
having a play with the Google OAuth 2.0 Playground (see below) as you can
copy their example requests. Alternatively, why not use a library which
already implements the OAuth 2.0 flow? This would save you having to write
your own implementation.

https://dev.freeagent.com/docs/quick_start

Kind regards,

Graeme

You received this message because you are subscribed to the Google Groups
“FreeAgent API” group.
To post to this group, send email to freeagent_api@googlegroups.com.
To unsubscribe from this group, send email to
freeagent_api+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/freeagent_api?hl=en.

Graeme Boyd
Senior Software Engineer

Web. freeagent.com http://www.freeagent.com/ Blog. freeagent.com/blog
Twitter. @freeagent https://twitter.com/#!/freeagent Facebook.
facebook.com/freeagentapp

SOFTWARE SATISFACTION AWARDS 2012* * - *Vote for
ushttp://www.clicktools.com/survey?iv=1c8dgs13zfxs7r&q1=FreeAgent%20Central%20Ltd&q2=FreeAgent&q3=Accounting%20and%20Finance
** * (We’d be super stoked!)

40 Torphichen Street, Edinburgh, EH3 8JB
FreeAgent Central Ltd. Registered in sunny Scotland SC316774

Hi Toby,

With API 2 and OAuth 2.0 you don’t ask the user for their FreeAgent
username and password. This means that you do have to send the user to
FreeAgent and complete the OAuth 2.0 flow.

However, this doesn’t mean that you have to have a server running to handle
the tokens. You could:

  1. Register a custom url scheme on the computer and set this as the
    redirect_uri. For example, register desktopapp://tokens as the
    redirect_uri and set the operating system to run a script to handle these
    URLs. You can then use this script to grab the tokens and feed them to
    your app.

  2. Run a web browser view inside your app and when the user completes the
    OAuth flow you can sniff the tokens from the redirect uri.

  3. Have your app listen on a certain localhost port and set this as the
    redirect url e.g. http://localhost:8000. Your app would then receive the
    token there.

I think the important thing to realise is that at the end of the OAuth flow
the FreeAgent server sends the user’s browser a HTTP 302 Redirect with the
redirect_uri. That redirect_uri doesn’t have to send the user to a remote
server but can be processed on the users computer.

There are probably libraries you can use which implement all of this for
you as for example all Twitter or Facebook desktop and mobile apps work
this way. What platform are you using?

Kind regards,

GraemeOn 6 June 2012 20:30, Toby toby.weston@gmail.com wrote:

Hi,

Thanks for the reply.

Just to pick up on the basic auth part to my ramblings above… I’ve
been playing with the google’s oauthplayground and inspecting the
messages as well as looking through the documents. I think I need to
step back a little and ask about non-web based API clients and what
the redirect URL means for them. I spotted the docs mention that iOS
apps would most likely use a custom URL scheme but that there are
other options available.

I wonder if you could talk about those other options?

When I asked about basic auth, it was from the perspective of my
desktop app. The redirect URL doesn’t seem to make sense here as I
won’t redirect to a page where the user can login, I’ll already have
their username and password at that point. I’d assumed that I could
use basic auth to send those over to the equivalent step to logging
in. So for example, sending something like this over in the header
responding to the redirect

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

I suspect this is off the mark though so I’ll keep looking at the
playground and see if anything pops up.

I’ve recorded the basic flow (from the oauthplayground) here,

https://github.com/tobyweston/blog/blob/master/source/_posts/2012-06-06-oauth-and-http-part-i.md
and I basically musing how I can programatically code around the
login / approve steps (which in the example are done via user
interaction).

Thanks for now,
Toby

On Jun 6, 9:58 am, Graeme Boyd graeme.b...@freeagent.com wrote:

Hi Toby,

On 5 June 2012 18:24, Toby toby.wes...@gmail.com wrote:

Hey,

I just wanted to check a couple of things with OAuth if someone
doesn’t mind a bit of hand holding…

From the docs, it talks about the general flow, the first step I take
to mean requesting an Authentication Token.

“The App makes an HTTP Basic Auth request to the FreeAgent OAuth Token
Endpoint including the Client ID, Secret and the Authorisation Token
amongst other parameters. In return the App will receive an Access
Token and a Refresh Token.”

So, working with raw HTTP messages, I was expecting to make a GET
request (with no additional headers) to something like

https://api.sandbox.freeagent.com/v2/approve_app?client_id=4ta9v9JrXq.

and should expect 302 back with a Location header indicating the
redirect along with a new Authorisation code (as a URL parameter).

Is this correct so far?

You must not include the client secret here as this defeats the security
of
OAuth.

A correct example can be seen at:

https://dev.freeagent.com/docs/oauth#the-authorisation-request

If that’s correct, I’m a bit confused about the basic auth part and
the need to supply client Id (some of the docs also talk about
supplying the client secret) on the URL (as request parameters).

I’ve made requests to both and am basically given back HTML content
asking me to log in. If I change the request headers to ask for JSON,
I get 404. I suspect I’m not setting up basic authentication properly.
Using the Apache HC (Java) library, I associate a username and
password to a URL, which do I use…

https://api.sandbox.freeagent.com?

with the username as client id and the password as the secret?

If I do this, do I still need to supply one or both of them on the

URL?

I’m not sure what you mean here. The request to make is detailed at:

https://dev.freeagent.com/docs/oauth#the-access-token-request

You can either use HTTP Basic Auth or you can just include the client_id
and client_secret as URL parameters.

ps, it doesn’t seem to make a difference so far if I use a redirect> url
in the request. As I’m writing a programatic / rich client thing,

I don’t have a logical redirect URL so am unsure what to use here.

You must either have registered a redirect_uri at dev.freeagent.com in

which case you don’t have to supply it here or you must supply one on
each
request. Additionally, you must do the same as you did when your
requested
the authorisation token - if you didn’t supply one when requesting the
authorisation token you must not supply one when requesting the access
token or if you did supply one when requesting the authorisation token
you
must supply the same one when requesting the access token.

Thanks for the hand holding :wink:

I’m not sure I’ve really answered your questions above. It might be
work

having a play with the Google OAuth 2.0 Playground (see below) as you can
copy their example requests. Alternatively, why not use a library which
already implements the OAuth 2.0 flow? This would save you having to
write
your own implementation.

https://dev.freeagent.com/docs/quick_start

Kind regards,

Graeme

You received this message because you are subscribed to the Google
Groups

“FreeAgent API” group.
To post to this group, send email to freeagent_api@googlegroups.com.
To unsubscribe from this group, send email to
freeagent_api+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/freeagent_api?hl=en.


Graeme Boyd
Senior Software Engineer

Web. freeagent.com http://www.freeagent.com/ Blog.
freeagent.com/blog
Twitter. @freeagent https://twitter.com/#!/freeagent Facebook.
facebook.com/freeagentapp

SOFTWARE SATISFACTION AWARDS 2012* * - *Vote for
us<
http://www.clicktools.com/survey?iv=1c8dgs13zfxs7r&q1=FreeAgent%20Cen…>
** * (We’d be super stoked!)

40 Torphichen Street, Edinburgh, EH3 8JB
FreeAgent Central Ltd. Registered in sunny Scotland SC316774



Hi,

Thanks for the reply.

Just to pick up on the basic auth part to my ramblings above… I’ve
been playing with the google’s oauthplayground and inspecting the
messages as well as looking through the documents. I think I need to
step back a little and ask about non-web based API clients and what
the redirect URL means for them. I spotted the docs mention that iOS
apps would most likely use a custom URL scheme but that there are
other options available.

I wonder if you could talk about those other options?

When I asked about basic auth, it was from the perspective of my
desktop app. The redirect URL doesn’t seem to make sense here as I
won’t redirect to a page where the user can login, I’ll already have
their username and password at that point. I’d assumed that I could
use basic auth to send those over to the equivalent step to logging
in. So for example, sending something like this over in the header
responding to the redirect

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

I suspect this is off the mark though so I’ll keep looking at the
playground and see if anything pops up.

I’ve recorded the basic flow (from the oauthplayground) here,
https://github.com/tobyweston/blog/blob/master/source/_posts/2012-06-06-oauth-and-http-part-i.md
and I’m basically musing how I can programmatically code around the
login / approve steps (which in the example are done via user
interaction).

Thanks for now,
Toby

On Jun 6, 9:58 am, Graeme Boyd graeme.b...@freeagent.com wrote:

Hi Toby,

On 5 June 2012 18:24, Toby toby.wes...@gmail.com wrote:

Hey,

I just wanted to check a couple of things with OAuth if someone
doesn’t mind a bit of hand holding…

From the docs, it talks about the general flow, the first step I take
to mean requesting an Authentication Token.

“The App makes an HTTP Basic Auth request to the FreeAgent OAuth Token
Endpoint including the Client ID, Secret and the Authorisation Token
amongst other parameters. In return the App will receive an Access
Token and a Refresh Token.”

So, working with raw HTTP messages, I was expecting to make a GET
request (with no additional headers) to something like

https://api.sandbox.freeagent.com/v2/approve_app?client_id=4ta9v9JrXq

and should expect 302 back with a Location header indicating the
redirect along with a new Authorisation code (as a URL parameter).

Is this correct so far?

You must not include the client secret here as this defeats the security of
OAuth.

A correct example can be seen at:

https://dev.freeagent.com/docs/oauth#the-authorisation-request

If that’s correct, I’m a bit confused about the basic auth part and
the need to supply client Id (some of the docs also talk about
supplying the client secret) on the URL (as request parameters).

I’ve made requests to both and am basically given back HTML content
asking me to log in. If I change the request headers to ask for JSON,
I get 404. I suspect I’m not setting up basic authentication properly.
Using the Apache HC (Java) library, I associate a username and
password to a URL, which do I use…

https://api.sandbox.freeagent.com?

with the username as client id and the password as the secret?

If I do this, do I still need to supply one or both of them on the
URL?

I’m not sure what you mean here. The request to make is detailed at:

https://dev.freeagent.com/docs/oauth#the-access-token-request

You can either use HTTP Basic Auth or you can just include the client_id
and client_secret as URL parameters.

ps, it doesn’t seem to make a difference so far if I use a redirect
url in the request. As I’m writing a programmatic / rich client thing,
I don’t have a logical redirect URL so am unsure what to use here.

You must either have registered a redirect_uri at dev.freeagent.com in
which case you don’t have to supply it here or you must supply one on each
request. Additionally, you must do the same as you did when you requested
the authorisation token - if you didn’t supply one when requesting the
authorisation token you must not supply one when requesting the access
token or if you did supply one when requesting the authorisation token you
must supply the same one when requesting the access token.

Thanks for the hand holding :wink:

I’m not sure I’ve really answered your questions above. It might be worth
having a play with the Google OAuth 2.0 Playground (see below) as you can
copy their example requests. Alternatively, why not use a library which
already implements the OAuth 2.0 flow? This would save you having to write
your own implementation.

https://dev.freeagent.com/docs/quick_start

Kind regards,

Graeme

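The flow Graeme lays out in the reply above (no client secret in the authorisation request; HTTP Basic auth carrying client_id and client_secret at the token endpoint; redirect_uri either absent in both steps or identical in both), written out as an added example in Python. This is not code from the thread or FreeAgent's own client, and it makes no network calls: each step builds or parses the HTTP message so the rules can be checked offline. The token endpoint path, the client credentials, the callback URL and the token JSON are constructed placeholders; the `state` parameter and the 127.0.0.1 loopback-style redirect are standard OAuth 2.0 practice assumed here, not taken from the thread. It also answers the Basic auth question from the desktop-app angle: the Basic header at the token endpoint carries the client's credentials, never the user's login.

```python
"""OAuth 2.0 authorisation-code flow, modelled on the exchange above.

Constructed example with no network I/O. The token endpoint path, sample
credentials and callback values are assumptions, not FreeAgent's documented
values.
"""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Authorisation endpoint as used in the thread; the token endpoint path is an
# ASSUMED placeholder - take the real one from the provider's documentation.
AUTHORISE_URL = "https://api.sandbox.freeagent.com/v2/approve_app"
TOKEN_URL = "https://api.sandbox.freeagent.com/v2/TOKEN_ENDPOINT"


class AuthorisationCodeFlow:
    """Holds the one redirect_uri decision so steps 1 and 3 cannot disagree."""

    def __init__(self, client_id, client_secret, redirect_uri=None):
        self.client_id = client_id
        self.client_secret = client_secret
        # None means "rely on the redirect_uri registered with the provider";
        # whatever is chosen here is reused verbatim in the token request.
        self.redirect_uri = redirect_uri
        # `state` is not discussed in the thread; it is the standard OAuth 2.0
        # guard that ties the callback to the request this client made.
        self.state = secrets.token_urlsafe(16)

    def authorisation_url(self):
        """Step 1: the URL the user's browser is sent to. Public values only:
        this URL lands in browser history, referrers and proxy logs, so the
        secret must never be part of it."""
        params = {"client_id": self.client_id, "response_type": "code",
                  "state": self.state}
        if self.redirect_uri is not None:
            params["redirect_uri"] = self.redirect_uri
        url = AUTHORISE_URL + "?" + urlencode(params)
        if self.client_secret in url:
            raise ValueError("client_secret leaked into the authorisation URL")
        return url

    def code_from_callback(self, location):
        """Step 2: extract the code from the 302 Location header (or from the
        request a desktop app's loopback listener receives), after checking
        that the state round-tripped unchanged."""
        query = parse_qs(urlparse(location).query)
        if "error" in query:
            raise RuntimeError("authorisation refused: " + query["error"][0])
        if query.get("state", [None])[0] != self.state:
            raise RuntimeError("state mismatch: callback is not ours")
        return query["code"][0]

    def token_request(self, code):
        """Step 3: the POST to the token endpoint. Basic auth carries the
        *client* credentials (client_id:client_secret), not the user's login.
        The thread also allows them as URL parameters; the header keeps the
        secret out of access logs. Returns (url, headers, body)."""
        creds = f"{self.client_id}:{self.client_secret}".encode()
        headers = {
            "Authorization": "Basic " + base64.b64encode(creds).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        }
        body = {"grant_type": "authorization_code", "code": code}
        if self.redirect_uri is not None:
            body["redirect_uri"] = self.redirect_uri  # same value as step 1
        return TOKEN_URL, headers, urlencode(body)


def parse_token_response(raw_json):
    """Step 4: the endpoint answers with an access token and a refresh token."""
    tokens = json.loads(raw_json)
    missing = [k for k in ("access_token", "refresh_token") if k not in tokens]
    if missing:
        raise RuntimeError("token response missing " + ", ".join(missing))
    return tokens["access_token"], tokens["refresh_token"]


def demo():
    """Walk the flow with constructed callback and token-response samples."""
    flow = AuthorisationCodeFlow("id123", "s3cret", "http://127.0.0.1:8765/cb")
    print("browser ->", flow.authorisation_url())
    # Constructed: what the Location header (or loopback request) would carry.
    location = f"{flow.redirect_uri}?code=CODE1&state={flow.state}"
    code = flow.code_from_callback(location)
    url, headers, body = flow.token_request(code)
    print("POST", url, headers["Authorization"], body)
    # Constructed token-endpoint reply.
    reply = '{"access_token": "AT1", "refresh_token": "RT1", "expires_in": 3600}'
    return parse_token_response(reply)


if __name__ == "__main__":
    print(demo())
```

Constructing the flow object once with the redirect_uri (or with none) is what enforces Graeme's consistency rule: the token request can only echo the value step 1 used, and it omits the parameter when step 1 did. For a desktop client, the `location` string in `demo()` is the same thing a listener on a loopback port would read from the browser's request line.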

How do I unsubscribe from this mail list

Zee