Unable to get authorization code (token) from account server using OAUTH

abhishekpandey · November 27, 2019, 7:14am

When we call below URL from the browser we are getting token in the browser as well as on the callback URL.

https://account.thethingsnetwork.org/users/authorize?client_id=xxxxxxx&redirect_uri=http://xxxxxxxxxxx/xxxx/callback&response_type=code

But when we call above URL from the postman or code it shows following response.

Thanks in advance.

arjanvanb · November 27, 2019, 7:53am

The response_type=code flow needs a browser window to show the user’s authorization/permissions dialog. When you look at the source of that page you’ll probably see some redirect to a login page. How would you want Postman to show that?

That said: you’ll need another type of flow if you don’t have a human interaction available. I don’t know if TTN supports that, and I don’t know what you’re trying to build. You might want to look at Account Server in the documentation.

abhishekpandey · November 27, 2019, 9:00am

Thanks for the quick reply.

I have a TTN Client Id and Client Secret. I want to access list of application and for this I need a authorization token. I am using TTN SDK to get authorization token but unable to fetch one.

I tried below code to fetch renewable Json web token mentioned in SDK documentation,

       AuthorizationCode tokenProvider = new AuthorizationCode(_clientId, _clientSecret);
        URI uri = new URI(_callback_uri);
        String redirect = tokenProvider.buildAuthorizationURL(uri).toString();

        System.out.println("TTN SDK: here is the authorization url: " + redirect);
        BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
        String code = br.readLine();
        if (code == null || code.equals("")) {
            throw new IllegalArgumentException("invalid code");
        }

        RenewableJsonWebToken token = tokenProvider.getToken(code);

Thanks

arjanvanb · November 27, 2019, 9:50am

I think you need to read about OAuth before you continue. Google is your friend for that.

The flow you’re using in your code needs you to show a browser window with the given redirect URL. This allows you to create an application in which other users can see their list of applications, without giving you their secret login credentials. For that, those users will need to be redirected to TTN to be shown the authorization/permissions screen (and they might also still need to authenticate/log in if they’re not logged in yet).

To see your own applications (for which you know your secret login credentials) you’ll either need to run the above once and store the tokens (and refresh them before the refresh token expires; I don’t know how long that’s valid). Or, you need the password flow instead.

From the documentation:

There’s support for both the password flow and the authorization_code flow, based on the grants of the client you are using.

abhishekpandey · November 27, 2019, 10:42am

Yes, I am using OAuth authorization. It takes the user to login screen and screen freezes. Thus, I mentioned using Postman and code.

Thanks

arjanvanb · November 27, 2019, 10:56am

Oh well, you didn’t mention that earlier? Also, I’ve already explained why Postman is not good for the flow you’re using. Please read about OAuth first. Success.