Generating OAuth2 Access Token
Firman Sugiharto
Tyro
in API
Hello,
I have been following this guide to generate an access token, but so far have not been successful: https://support.panopto.com/s/article/How-to-Get-OAuth2-Access-Tokens-for-Users
- first, I base64-encoded my APIKey and SecretValue separated by a colon
- then I log in to our Panopto installation
- after that, I send the redirect to OAuth2 authorization URL https://mediaweb.ap.panopto.com/Panopto/oauth2/connect/authorize?client_id=87baa530-a307-4e0c-8665-adf10086991c&scope=openid%20api&redirect_uri=https%3A%2F%2Fwebapps.duke-nus.edu.sg%2Felentra%2F&response_type=code&nonce=123
- from here, I get the code https://webapps.duke-nus.edu.sg/elentra/?code=84e25ba9e49989e992ba80a50b1c5a77&session_state=BuJYrviCcOAtOtiLZCXMawLowv5Ai-23MnT-cDyVpvc.39703e37161862c332efc8655d1214ac
- I enter the authorization token with header prefix Basic into Postman
- I set the params with grant_type "authorization_code", the code is the one from the above URL, and redirect_uri to our LMS
- the result is "error": "unsupported_grant_type"
Did I miss something?
Thank you in advance for any pointers.
Answers
Hello,
Overall, that all looks correct. The only thing that seems odd to me is the redirect_uri parameter, since it appears to still be encoded. Since that should be sent as a POST request, the redirect_uri should not need to be URL encoded.
Can you try sending the redirect_uri in the POST request to get an access token from an authorization code unencoded and see if that resolves the 400 response you are receiving?
If that doesn't resolve it, would you please open a support ticket with Panopto, so I can get some additional information from you?
Please let me know if you have any questions.
Thanks,
Kevin
Hi Kevin,
I tried without percent encoding for redirect_uri and still got the same error message:
Hello,
Would you please open a support ticket with Panopto? I will need some additional information from you in order to continue to look into this issue.
Thanks,
Kevin
Hi Kevin,
I have actually opened a ticket several weeks ago, and in response to the ticket I got the suggestion to post my question here in the Panopto Community Forum. The ticket's case link is https://support.panopto.com/s/case/5005Y000023JdDe/detail
Thanks,
Firman
Hello,
Thank you for sending me the case link, that's very helpful. I took a look at the file you attached to the case, and it seems that you are sending the grant_type, code, and redirect_uri as query parameters in the post to the token endpoint. Those parameters should be sent in the POST body rather than the query parameters.
In Postman, you can click on the Body tab, ensure that the x-www-form-urlencoded radio button is selected, and add the 3 parameters in the boxes below. Please make sure to remove them from the query parameters in the Params tab.
Please try that, and let me know if it helps.
Thank you,
Kevin
Hello,
I removed the 3 Params and added them to Body with x-www-form-urlencoded and now I got a different error message "invalid_grant" (previously it was "unsupported_grant_type").
The cURL from Postman is
Any further help is appreciated.
Best regards,
Firman
Hi Kevin,
where can I find all the possible values for grant types? I have searched Panopto documentation but they are not listed anywhere. Perhaps I can use trial and error method to see which grant types are supported. Our local Panopto admins could not help us with this question.
Best regards,
Firman
Hi Kevin,
I have tried various grant types with the following response from Panopto:
Are there other grant types that I can try?
Best regards,
Firman
Hi @Kevin Baum ,
unfortunately, there is no one at our Panopto admin who can help me with grant types because the person who installed Panopto left the team. I have tried the above grant types, do you have a list of other grant types I can try?
Best regards,
Firman
Hello,
Thank you for the additional information.
authorization_code is the correct grant type to use in this case. I've taken a closer look at our logs, since I had the additional information in the support case, and based on that I don't believe that the grant type is the issue.
invalid_grant is a generic message indicating that there was a problem exchanging the provided code for an access token.
In this case, it appears that you are using two different OAuth2 clients to try to get the access token. From what I can see, you are using one client to get the code, and a different client to exchange the code for a token. In order to exchange an authorization code for an access token, you must use the same OAuth2 client you used to get the authorization code to also get the access token.
Can you please check to make sure that you are using the same OAuth2 client for both getting an authorization code and for exchanging the code for an access token?
Please let me know if you have any other questions.
Thanks,
Kevin
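Added example, not part of the thread and not Panopto's code: a Python sketch that builds (without sending) the code-for-token POST described in the two replies above, with the three parameters in an x-www-form-urlencoded body and a check that the Basic credentials belong to the same client_id that requested the code. The hosts, client id, code and secret are constructed sample values, and the token endpoint path is an assumption (taken to sit beside the authorize endpoint).

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

# Constructed sample values (not the thread's real client, code or hosts).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
AUTHORIZE_URL = ("https://panopto.example/Panopto/oauth2/connect/authorize"
                 "?client_id=" + CLIENT_ID + "&scope=openid%20api"
                 "&redirect_uri=https%3A%2F%2Flms.example%2Fapp%2F"
                 "&response_type=code&nonce=123")
CALLBACK_URL = "https://lms.example/app/?code=abc123&session_state=xyz"
# Assumption: the token endpoint sits beside the authorize endpoint.
TOKEN_URL = "https://panopto.example/Panopto/oauth2/connect/token"

def basic_header(client_id, client_secret):
    """Authorization header value: Basic base64(client_id:client_secret)."""
    pair = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(pair).decode()

def client_id_from_basic(header):
    """Recover the client id from a Basic header so it can be compared."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("expected a Basic Authorization header")
    return base64.b64decode(blob).decode().split(":", 1)[0]

def build_token_request(token_url, authorize_url, callback_url, auth_header):
    """Build (without sending) the code-for-token POST, rejecting both mistakes."""
    if urlsplit(token_url).query:
        raise ValueError("send grant_type, code and redirect_uri in the body, not the query")
    authz = parse_qs(urlsplit(authorize_url).query)  # values come back decoded
    callback = parse_qs(urlsplit(callback_url).query)
    if client_id_from_basic(auth_header) != authz["client_id"][0]:
        raise ValueError("code was issued to a different API client")
    # urlencode applies the x-www-form-urlencoded encoding exactly once.
    body = urlencode({
        "grant_type": "authorization_code",
        "code": callback["code"][0],
        "redirect_uri": authz["redirect_uri"][0],
    })
    headers = {"Authorization": auth_header,
               "Content-Type": "application/x-www-form-urlencoded"}
    return Request(token_url, data=body.encode(), headers=headers, method="POST")

if __name__ == "__main__":
    req = build_token_request(TOKEN_URL, AUTHORIZE_URL, CALLBACK_URL,
                              basic_header(CLIENT_ID, "constructed-secret"))
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```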
Hi @Kevin Baum ,
thanks for the response. According to Panopto documentation, I should use a browser to get authorization code, then send a POST request to exchange the code for an access token.
Assuming that this documentation is wrong, I tried using Postman (Windows app) to get authorization code. I was able to send a GET request with client_id, scope, redirect_uri, response_type, and nonce. From this, I got an HTML response (the same login page I also get from the browser). However, unlike on a browser, I can't log in on Postman. When I click on the login button, nothing happens.
The other alternative is to use a browser for both getting the authorization code and sending the POST request to exchange the code for a token. Is this what you meant? Do I have to use a browser extension to do this?
EDIT: I did not use an extension, but I use Postman from the browser by visiting web.postman.co and using the same values, but I still got the error code "invalid_grant".
Thanks,
Firman
Hi Firman,
That documentation is correct. The Server Side Web Application flow should start in the browser for the user to log into Panopto and get an authorization code. Both the initial URL in the browser and the request to exchange the authorization code for an access token should use the same API client, and from what I saw in our logs it looks like you may be using two different API clients for these two sections of the workflow.
You can use Postman as well to get an access token using this flow. We have a support article with some additional information on how to get an access token using Postman: https://support.panopto.com/s/article/How-to-use-Postman-with-the-Panopto-REST-API
Can you please let me know if you are using two separate API clients for this workflow (one in the browser, and different one in Postman), as that may be what is causing you to get the invalid_grant error?
Thanks,
Kevin
Hi @Kevin Baum
in the beginning I was using two separate clients (browser and Postman), but after your post, I tried using just one browser (Firefox). I was using Postman but instead of the Windows app, I was using the Postman website from the same browser. Does this count as one client or two separate clients?
Is it more efficient to discuss this with a Zoom meeting? Are you available for a quick one in the following days? My time zone is Singapore (UTC+8). If you're not available, is there anyone else who can meet with me? I think that we might be able to cover more in shorter time than using the community forum or emails.
EDIT: I should also mention that I don't have admin privilege on Panopto. I have asked our local Panopto administrator if I can have admin rights but they said that this is not possible unless we are managing our own Panopto instance.
Thanks,
Firman
Hi Firman,
I apologize for any confusion on my part. When I refer to the two separate clients, I was referring to the API clients and their credentials (client ID and client secret values), not the browser and Postman. Using two separate browsers or applications is fine, but looking at my logs it appears you are using two separate sets of API credentials, one for getting the authorization code and then a separate one for getting the access token from that code. Is that correct?
I may need some additional information from you regarding the client credentials you are using. Would you be able to open a Panopto support ticket so I can get some additional information from you?
Thanks,
Kevin
Hi @Kevin Baum ,
I have asked our Panopto admin to generate a new client secret because I don't know if the previous one was defective.
After this, I base64-encoded the new client secret and tried it, this time I got "invalid_client".
Using the previous client secret, I got "invalid_grant".
I have opened a new Panopto support ticket and have received a rejection email: Hello ,Your case, Generating authorization token, has been closed. You are not currently a Panopto customer and cannot submit support cases. If you are a Panopto customer, please be sure to use the email address provided by your school or organization. Best, Panopto Support
This is using the same email address that I previously used to generate another ticket.
Thanks,
Firman
Hi Firman,
Would you be able to ask your Panopto admin or POC to open a support ticket on your behalf, and I can add you to the ticket? I'd like to be able to get some additional information from you to keep looking into this.
Thanks,
Kevin
Hi @Kevin Baum ,
I just replied to the old support email and now it doesn't send me any rejection email. Can you access the ticket?
Thanks,
Firman
Hi @Kevin Baum ,
I have replied to the old ticket with the above link. Is there anyone who can do a quick Zoom meeting with me, probably less than 30 minutes?
Thanks,
Firman