I am trying to utilize the OroCommerce Web API which was introduced to interact with my clients.
The first step of oauth2-token seems to be working well, but he consequent requests to the api's such as customers GET, customerusers GET etc all end up with 401-Unauthorized Error.
I am trying to test the whole flow through the POSTMAN.
I have checked the Web API access is enabled and also verified that the guest users are enabled.
What's strange is the the /api/doc seems to be working well, but when I try to mimic the same via POSTMAN, it always ends up with 401 -Unauthorized Access.
Any idea why it could be failing?
Make sure you included Content-Type and Bearer prefixed Authorization headers in the request built using POSTMAN. Like explained in the OroCommerce documentation.
The authentication with Bearer header also explained in POSTMAN documentation.
Related
I am pretty new into web development. Currently I am trying to do an Form Based Authentication on my Jakarta app. I managed to create a realm on Glassfish 6.0.0 and to integrate it on the web.xml descriptor. I managed to make the Basic Authentication work, but when I try it to change to Form Authentication I get an 403 status code ever time I want to login. I got the following error every time I send a POST request to j_security_check with good credentials, along with 403 status code:
***WEB9102: Web Login Failed:
com.sun.enterprise.security.auth.login.common.LoginException
: Login failed: Security Exception*** which doesn't say to much for me.
I wanted to create an Form Authentication in order to use j_security_check to login using form-data format from Postman. If I can not do this, is there a way to create a custom endpoint to send a request in order to authenticate?
I found out a method to do what I needed for the moment. I just sent parameters in URL. For now it is perfect, even though the security suffer with this method.
I'm attempting to interact with the Google Sheets API and running into an inexplicable problem that I'm finally reaching out to see how anyone else may have tackled it. Put simply, I can use the in-page API Explorer tool with only the https://www.googleapis.com/auth/spreadsheets.readonly OAuth2 scope at https://developers.google.com/sheets/api/reference/rest/v4/spreadsheets/get to query my spreadsheet (just the spreadsheet ID, leaving all other fields to empty defaults) and I'll see the 200 with the response in the bottom as expected.
Of course, I can't re-use the same access token that tool uses, but if provision an access code for the same user for my own app (same scope), and make the same GET request to https://sheets.googleapis.com/v4/spreadsheets/<spreadsheetId> in Postman (again, no other fields populated), substituting the access token into the Authentication header with Bearer <accessToken>, I get a 404.
I know the file is there - I've triple checked that I'm using the same spreadsheet ID across either request and I'm consistently getting a 404 (not a 401 or 403) indicating that my access token does authenticate.
I've tried broadening my OAuth2 scopes to include the full range listed on the API Explorer:
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/drive.readonly
https://www.googleapis.com/auth/spreadsheets
https://www.googleapis.com/auth/spreadsheets.readonly
Of course, I don't want to have to use all those scopes for my purposes - I'd like to use the most narrow scope possible, but I also wanted to rule out that it wasn't failing to work for some scoping scenario. No difference - still a 404 every time I make the request in Postman. I've tried issuing multiple access tokens now, using accounts.google.com to invalidate the tokens for my app between re-issuances, but to no avail.
To be clear, the Google Sheets API has been enabled for my app.
In hopes that someone else has experienced the same inability to query Google's v4 REST API despite using valid access tokens, could you share how you managed to do it?
I appreciate it!
Update:
So I've been playing around with the OAuth 2.0 Playground shared in the comments and found that the authorization endpoint I was using was identical, but the token endpoint differed. This doesn't seem to matter since I used the custom option to use the alternate endpoint and the Playground was still able to work without issue just like the API Explorer.
Using the custom entries, I also entered my own app's client ID and client secret (after registering the playground redirect URI), minimizing the differences between what I'm doing in Postman and in the various Google tools. Again, my GET request to the spreadsheet works without issue.
Just to be clear, here's what I've been doing in the Playground:
In Step 1, I've specified the https://www.googleapis.com/auth/spreadsheets.readonly scope to authorize. I click the Authorize APIs button and log in with the user account.
It returns with the authorization code, so I exchange that code for the tokens via a POST to the token endpoint.
I then make a GET request to https://sheets.googleapis.com/v4/spreadsheets/<spreadsheetId> with no additional headers and it works without issue - 200 OK and all the data I'm expecting to see.
Here my approach in Postman:
Make a GET request to:
https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&response_type=code&redirect_uri=https://<myDomain>/oauthResp&client_id=<appClientId>&scope=https://www.googleapis.com/auth/spreadsheets.readonly&state=abc123
Receive a response similar to the following in my browser on the redirect (since the domain intentionally 404s).
https:///oauthResp?state=abc123&code=zyx098&scope=https://www.googleapis.com/auth/spreadsheets.readonly
Make a POST request to: https://www.googleapis.com/oauth2/v4/token with a body of:
client_id=<appClientId>
client_secret=<appClientSecret>
redirect_uri=https://<myDomain>/oauthResp
grant_type=authorization_code
Receive a response similar to:
{
"access_token": "abc123",
"expires_in": 3599,
"refresh_token": "zyx098",
"scope": "https://www.googleapis.com/auth/spreadsheets.readonly",
"token_type": "Bearer"
}
Make a GET request to https://sheets.googleapis.com/v4/spreadsheets/<spreadsheetId> with a 'Content-Type' header of application/json and an 'Authorization' header of Bearer abc123 (per the access token above).
Unlike the API Explorer and the OAuth 2.0 Playground, this yields a 404 - exactly the issue I've been experiencing for no obvious reason.
Further, if I simply take the fresh access token from the Playground and drop that into Postman, I get the same 404.
Any other ideas?
I am trying to make a post call in Exact Online REST API. I'm trying to create a SalesInvoiceLine. I can perfectly do a GET call via my browser. I am logged in in Exact Online so I don't need authentication since this should be passed via a cookie. I tried POST via a browser. The browser prompts me to login, when I do nothing happens. I've also tried this in Postman:
I am 100% certain these initials are correct, I can login with them in Exact Online. What am I doing wrong?
If this is not the way, how can I post data to Exact Online? There are not that many concrete examples to find online.
You can't log on to the Exact Online REST API with Basic authentication, the mode you are using now.
The web service uses OAuth as authentication mechanism, meaning you have to acquire a token first. The steps to do so are outlined in the official documentation.
It will need some work on your end to register an app, get the flow up and running. Depending on your business needs, you might be helped with one of the apps for Exact Online by the company I work for.
You need to retrieve the CurrentDivision through GET Request https://{Base Uri}/api/v1/current/Me only from OAuth then you need to assign
CurrentDivision to whatever may be the API call .../api/v1/{CurrentDivision}/../....
Without authorization by Auth 2.0, neither is impossible.
To authorize the ExactOnline API calls you have to do the following:
Register the app in the developer portal. Bear in mind that you have to do a separate registration for French, UK or Dutch version of ExactOnline (this is indeed a pain).
In case you want your application to be used by other accounts than yours, you have to submit the app for validation, this usually takes 2-3 weeks.
EO uses standard OAuth 2.0 schema (very similar to what Google is using with their services). You have to use endpoint GET /api/oauth2/auth for building an authorization link and endpoint POST /api/oauth2/token for obtaining both access and refresh tokens.
Please bear in mind that many Auth 2.0 services are proving long-lasting refresh token. This is not the case of EO. The refresh token is invalidated every time when the access token is requested (endpoint POST /api/oauth2/token). With access token new refresh token is supplied, so make sure you update you refresh token as well.
The access token is placed in HTTP header as "Authorization: Bearer {{ACCESS_TOKEN}}"
In case you want to automate the EO API calls and do not want to code anything on your own, you can try one of the pre-build Exact Online API connectors, created by the company I work for.
I'm working on the Google FCM message service. I deploy my API with my server it's working fine. But when I do the same within Client Production Service it gives me 401 error.
I'm running Window Service and hitting Restful API. I validate each and everything within Google account also but not able to rectify the same.
I've recently the same problem. I implemented everything right with all parameters. Finally I found the solution. I used the API Key from Google developer console and not from firebase. So go to the following url: https://console.firebase.google.com/project/YOUR_PROJECT_ID/settings/cloudmessaging/
There you can see two API keys. Choose the longer top server key.
After I replaced the key in the header Authorization: key=YOUR_KEY, it finally works.
UPDATED QUESTION to clarify more.
I have two servers : wso2greg containing custom artefacts and wso2am (api manager).
The gouvernance register is intended to be used internally (intranet) and some of it's feature are intended to be exposed externally and acceded via it's rest API.
In order to manage wso2greg API accesss, we used an wso2am (api manager) server, where we did define an API that act as a proxy for the wso2greg API.
In our experiments, we found the strange behaviour described below :
Successfully direct calling wso2greg artefact rest api (the exact url is
https://localhost:9443/resource/1.0.0/artifact/_system/governance/myartifact/art1 and i'm following the documentation of this REST API from here https://docs.wso2.com/display/Governance520/Resources+with+REST+API ) using postman. The API reacts as described in the documentation.
Error 500, reported on wso2greg server, when calling the same REST API, but via API manager (using publisher application).
So as a summary :
Directly calling wso2greg rest API woks fine and a got results back
Adding this working API, in wso2am and than calling it gives always error 500.
As extra information:
Tested with other wso2greg REST API , such as "rating" or "comments" and I was able to call it successfully either directly or throw Api manager.
Tried to get information related to default wso2greg artifacts such as restservice, but i got exactly the same pb when (error 500) interagting with API manager.
Working with the last version of both products : wso2greg version 5.2.0 and wso2am version 1.10.0
Please advice, or clarify how could i debug this internal error in wso2greg.
Regards,
I hope your not using G-Reg + APIM feature installed version. I presume your using separate G-reg 5.2.0 and APIM x.x.x. Since your using the second option you can't use G-Reg REST API with APIM, therefore you have to use APIM REST API instead.
Get an API
Description: Get details of a specific API.
URI: http://localhost:9763/publisher/site/blocks/listing/ajax/item-list.jag
URI Parameters: action=getAPI&name=xxx&version=xxx&provider=xxx
HTTP Methods: POST
Example:
curl -X POST -b cookies http://localhost:9763/publisher/site/blocks/listing/ajax/item-list.jag -d "action=getAPI&name=PhoneVerification&version=1.0.0&provider=admin"
Please follow this link to see all the api usage.
Thanks #thusharaK for providing help.
The solution was to add Message Mediation Policies which forces json header on output.
Now i got my correct response from API manager (in fact, i got a binary response in test console and a json response in postman) .