Spotify API scopes not being recognized - not able to access user info - api

I am currently implementing a feature that you have the ability to save a song displayed on my iOS application (written with Swift) and this save button allows the song to be appended to the user's Spotify library. According to the Spotify Developer guide, the only scope required for this feature is user-library-modify when authorizing the app with the user. The url to be opened goes like this:
https://accounts.spotify.com/authorize/?client_id=my_client_id&response_type=code&scope=user-library-modify&redirect_uri=http://my_redirect_uri
This all works perfectly - the url is opened for the user to approve of the changes my app can make, and the callback url with the required code in the url is opened.
The next step in performing the required function is to get an exact token in order to use the api, which is done by calling the url:
https://accounts.spotify.com/api/token?grant_type=client_credentials&client_id=my_client_id&client_secret=my_client_secret&response_type=code&redirect_uri=http://my_redirect_uri&code=the_code_I_just_retrieved
With this url, a json file is returned with the new token and info with it, BUT when looking at the permitted scopes the token has, it is empty:
["scope": , "token_type": Bearer, "access_token": the_token_string, "expires_in": 3600]
Also, when I still try to perform the request it returns:
["error": {
message = "Insufficient client scope";
status = 403;
}]
In this lengthy process, what am I doing wrong? In case you are wondering, here are a few things I have tried without success:
1) Re-listing the scopes in the explicit token request
2) Adding utf-8 encoding to the redirect uri (not sure if this changes anything)
3) Adding many other scopes (although this clearly does not target the problem)
If anyone knows what I am doing wrong or has any suggestions as to what I should try, I am grateful for any helpful response!

I have found my mistake. The grant_type I have entered in my url was set to client_credentials. However, this method of accessing the web API only permits the usage of publicly available data, not user info. Therefore, this method of authorization does not accept the parameter scope, forcing the Spotify account service to ignore this additional parameter. The other options DO allow accessing the user data, which are:
authorization_code, and refresh_token
The way this now has to be done is to:
1) Authorize the user regularly (with supplying the scopes) to retrieve the initial authorization code
2) Then, with this code, make the token request, but specifying the grant_type to be set as authorization_code
3) You have then received a valid access_token valid for one hour AND a refresh_token
4) Use the access_token when necessary and when this token expires, make another token request, but this time with the grant_type set as refresh_token and setting the code parameter to the previously gained refresh_token
5) You now have the next access_token and refresh_token
6) Repeat steps 4-5 until infinity

Related

Ebay API: Connection between "Developer Account" and "Ebay Account"

I am just beginning to familiarize myself with the eBay RESTful API, forgive me this basic question, but I found no answer yet.
I have an eBay account since many years ago. I registered a developer account (same eMail address) recently, and I got the Tokens for Sandbox and Production. I have successfully used public APIs like list items, search items, and such, to verify the tokens, by querying some items in eBay.
How do I proceed from here to access data specific to my eBay account, like, for instance, the list of purchases and sales? Somehow I need to connect my app to my live eBay account, I guess, and give my app permissions to read data, but I could not find any matching setting in my eBay account settings nor in the API calls.
Please guide me through the next step: how do I give my app the required permissions, and how do I build a simple read-only query to query, for instance, the items I have purchased.
I think this question does not depend on any programming language, feel free to use any programming language you like.
Many Thanx!
Ok so if we are talking only about Authorization token and calling seller api like orders (in eBay it's called fulfillments I believe).
We need to start with creating User Token.
You can create one here:
Then you need to add ebay redirect URL:
I don't know much about Auth'n'Auth so I will talk only about OAuth
After adding new redirect URL you should add url address for authorization success and failure.
You will be redirected there after authorization.
Now we can test if generation of token works.
For this example I did set my redirect url like that:
We need to click "Test Sign-in" (set radio button to OAuth before)
You should be redirected to website:
You need to sign in with an account which has access to sandbox.ebay.com or ebay.com (depends if you are on sandbox or production environment)
After logging in I don't remember if there will be another window with confirmation of App scopes to confirm (I have already done it before).
But if that is the case just click confirm button.
Now you should be redirected to https://localhost.com which we did set up as our success redirect url
Url should look like that
https://localhost.com/?code=v%5E1.1%0VeMTI%3D%3D&expires_in=299
That code parameter is much longer btw. And you can see that it's url encoded so you need to decode it before using
And now you are almost at home :D
You have 300 seconds to call a POST request to authorize with that code parameter.
POST https://api.sandbox.ebay.com/identity/v1/oauth2/token
Header required
Remember first screen shot?
You need to go there and get your App ID, Cert ID then concatenate it with ":" then encode it to Base64 and add before that value "Basic " keyword.
In pseudo code it should look like that:
Authorization:Basic Base64.encode(AppID + ":" + CertID)
Body required
format of Body needs to be "x-www-form-urlencoded" (key:value format basically)
here you need
grant_type:authorization_code
code:{code}
redirect_uri:{redirect_name}
{code} - is value from success authorization url
{redirect_name} - you can find it on screen below marked with red circle
If you did everything right you should get response from ebay
{
"access_token": "v^1.1#i^1#r^0VbbxW1wjv4HZGAAA",
"expires_in": 7200,
"refresh_token": "v^1.1#i^1#f^0#r^FDQ=",
"refresh_token_expires_in": 47304000,
"token_type": "User Access Token"
}
You should save that data, access_token is used for accessing data, refresh_token is used to refresh access_token.
Example request with authToken
GET https://api.sandbox.ebay.com/sell/fulfillment/v1/order?filter=creationdate:[2022-03-31T08:25:43.511Z..]
You need Authorization header:
Authorization:Bearer v^1.1#i^1#r^0VbbxW1wjv4HZGAAA
That's it I guess. To implement that into your app you need to be able to generate the first url which you are redirected to after clicking "Test Sign-in" and that's basically it.
Btw you refresh token like that
POST https://api.sandbox.ebay.com/identity/v1/oauth2/token
Body x-www-form-urlencoded
grant_type:refresh_token
refresh_token:v^1.1#i^1#f^0#r^FDQ=
Header
Authorization:Basic Base64.encode(AppID + ":" + CertID)
I hope that will help someone. :)
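The token exchange described in the Spotify answer and in the eBay answer above, as an added JavaScript example that is not part of either post. It builds the requests without sending them, carries the refresh token in the `refresh_token` field as the eBay answer shows, and assumes it runs where the client secret can be kept private. The function names and the sample id, secret, code and redirect values are constructed for illustration.

```javascript
// Added example: builds (but does not send) OAuth 2.0 token requests.
// Client id/secret, codes and the redirect value used with it are constructed.

// "Basic " + Base64(id ":" secret), as in the pseudo code above.
function basicAuth(clientId, clientSecret) {
  return "Basic " + Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
}

// grant is { code, redirectUri } for the first exchange,
// or { refreshToken } for every later renewal.
function tokenRequest(endpoint, clientId, clientSecret, grant) {
  const body = new URLSearchParams();
  if (grant.code !== undefined) {
    body.set("grant_type", "authorization_code");
    // Pass the raw, still percent-encoded code from the callback URL:
    // it is decoded once here and re-encoded correctly for the form body.
    body.set("code", decodeURIComponent(grant.code));
    body.set("redirect_uri", grant.redirectUri);
  } else {
    body.set("grant_type", "refresh_token");
    body.set("refresh_token", grant.refreshToken);
  }
  return {
    method: "POST",
    url: endpoint, // credentials stay out of the query string
    headers: {
      Authorization: basicAuth(clientId, clientSecret),
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: body.toString(),
  };
}

// Scopes the API call needs but the token response did not grant.
// An empty "scope" (the client_credentials symptom above) fails every entry.
function missingScopes(tokenResponse, required) {
  const granted = new Set((tokenResponse.scope || "").split(" ").filter(Boolean));
  return required.filter((s) => !granted.has(s));
}
```

Checking `missingScopes` right after the exchange surfaces a wrong grant type before the first API call comes back with 403.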

best practices for refreshing access tokens automatically

I'm building a react native app which uses the spotify web api. I'm using the authorization code flow to authorize a user. First I get a authorization code which can be used to obtain an access token and a refresh token. Everything works!
The problem is: an access token is only valid for a limited amount of time. That's where the refresh token comes in. I understand this concept, but I'm breaking my head about how to implement this.
Let's say a user opens the app, requests an access token and uses this for some time. Then, the user closes the app. After 15 minutes, the user opens the app again. The access token has now expired, so I need to request a new access token.
I've come up with several "solutions". Can someone point me to the correct solution?
Solution 1:
Every time the user opens the app, I request a new access token and use this. Problem: when the user uses the app longer than the valid time of the access token, it won't work anymore.
Solution 2:
I use the access token that's stored in the secure storage on every request. When a request comes back with 'access token invalid' (I don't know the exact error code but you guys know what I mean), I request a new access token with the stored refresh token, and then I send the previous command again (with the new access token). But my question here is: can I use some kind of "wrapper function" which checks the response of the request, and if the response is "access token invalid", it automatically requests a new access token and runs the previous request again.
I think the correct solution is certainly solution 2, and I think it's clear enough.
And for using solution 2 you need something like a wrapper function, yes, it's intelligent.
so you should use interceptor:
what is interceptor ?
You can intercept requests or responses before they are handled by then or catch.
in link below there is a good example of implementing refresh token in axios interceptor:
https://gist.github.com/Godofbrowser/bf118322301af3fc334437c683887c5f
I agree that Solution 2 is the best, each time you do a request you can check to see if the Access Token has expired, and if it has then you can request a new Access Token using the Refresh Token as you mentioned and then make your request, in my own project I do this in a FormatRequestHeadersAsync method which calls a CheckAndRenewTokenAsync method where I perform the following check, here shown in C#:
if (AccessToken?.Refresh != null && (AccessToken.Expiration < DateTime.UtcNow))
{
    AccessToken = await GetRefreshTokenAsync(
        AccessToken.Refresh,
        AccessToken.TokenType,
        cancellationToken);
}
You can store the Access Token and the Refresh Token and then use something similar to this before you make each request to the API this will refresh your token and then you can store the new Access Token and the existing Refresh Token.
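A wrapper function of the kind asked about in "Solution 2", as an added JavaScript example that is not taken from either answer or from the linked gist. `send`, `refresh` and `store` are hypothetical stand-ins for the HTTP call, the refresh_token grant and the app's secure storage, and the code assumes the API answers 401 for an expired access token.

```javascript
// Added example: refresh-and-retry wrapper with a single shared refresh.
// `send(req, token)` and `refresh(refreshToken)` return promises;
// `store` holds accessToken, refreshToken and expiresAt (ms since epoch).
function makeAuthedClient({ send, refresh, store, skewMs = 30000 }) {
  let inflight = null; // one shared refresh for all concurrent callers

  function renew() {
    if (!inflight) {
      inflight = refresh(store.refreshToken)
        .then((t) => {
          store.accessToken = t.access_token;
          store.expiresAt = Date.now() + t.expires_in * 1000;
          // Some servers rotate the refresh token; keep the old one otherwise.
          if (t.refresh_token) store.refreshToken = t.refresh_token;
        })
        .finally(() => { inflight = null; });
    }
    return inflight;
  }

  return async function request(req) {
    // Proactive: renew shortly before the stored expiry time.
    if (Date.now() >= store.expiresAt - skewMs) await renew();
    const used = store.accessToken;
    let res = await send(req, used);
    if (res.status === 401) {
      // Reactive: renew only if nobody replaced the token meanwhile,
      // then retry exactly once so a failing refresh cannot loop forever.
      if (store.accessToken === used) await renew();
      res = await send(req, store.accessToken);
    }
    return res;
  };
}
```

Sharing one in-flight refresh matters when several requests fail at once: without it each of them would spend the refresh token separately, which breaks against servers that rotate it.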

How to automatically send JWT token collected in previous request in Postman

I'm creating REST API (Symfony 4, FOS Rest bundle) and for testing I'm using Postman app. Problem is that at login request I get JWT token and later, in every other request I have to pass it back as part of Authorization header, as Bearer token. And since this token changes with every login I have to manually copy/paste token value after every login (when token expires).
Can that be avoided somehow and done automatically?
First, after successful authorization - login call returned the JWT token it has to be stored into some variable. When editing login request, there is a "Tests" tab.
Here we can put JavaScript code that will be executed after request is executed, so we will enter the code like this there:
var jsonData = JSON.parse(responseBody);
if (jsonData.token) {
    pm.globals.set("jwt-token", jsonData.token);
}
Or, shorter version, as #Danny Dainton suggested:
pm.globals.set("jwt-token", pm.response.json().token)
We are collecting response and storing "token" value to global variable called "jwt-token".
If you use older version of Postman this code should look a bit different - storing variable should look like:
postman.setEnvironmentVariable("jwt-token", jsonData.token);
(Here storing as environmental variable vs. global variable in example above - both types should work. Use what you need).
So now, token value will be stored. Then we have to use it with other requests.
Edit all other request that must pass JWT token. Go to "Authorization" tab, select "Bearer Token" authorization type and for value just enter {{jwt-token}} .
Again if you are using older version of Postman and don't have that "Bearer Token" type go to "Headers" tab instead, add new header with key "Authorization" and for its value set Bearer {{jwt-token}}
That's it. Now you have to execute login request only once and JWT token will automatically be used in all other request.
And if you face some issue, you can use console to print debug info. Add in your code i.e.:
console.log(jsonData.token);
And from main menu go to View -> Show Postman Console to open console window where you will get console.log output.

Twitter GET users/search client_credentials: Your credentials do not allow access to this resource

I have a static list of music artists and I want to get the id or screen_name of each one of them in Twitter.
I found this api endpoint: users/search which allows to run a query on Twitter and get all the accounts that match with the query. For example:
https://api.twitter.com/1.1/users/search.json?q=muse
will return all the accounts that match the query "muse".
I need to call this endpoint in client_credentials flow, I don't need any permission by the user (which is only me in any case). The problem is that Twitter returns the following response when I try to access the endpoint in client_credentials flow:
"message": "Your credentials do not allow access to this resource", "code": 220
I have tested other API endpoints such as users/show, statuses/retweets, statuses/user_timeline and they all work in client_credentials, just the one I need doesn't work.
Is there anything I can do about that? Or must I change the OAuth flow?
mentioned error,
"{"errors":[{"message":"Your credentials do not allow access to this resource","code":220}]}"
comes when requesting an end point which requires a user context (such as statuses/home_timeline) using application only token.
You can verify whether or not same error comes for end points like statuses/home_timeline or statuses/retweets_of_me. These end points work only in some twitter user context. The end point that you want, users/search, also requires user context.
I am suspecting some issue in obtaining oauth token and secret. How are you getting authorized tokens for a given twitter user account?

Authentication on Instagram to get the access_token using the API

I'm using the Instagram API and want to get the access_token in order to throw api requests over my own account. When I try to follow the first step and get the authorization code programmatically using RestTemplate I can't get it work.
// The %s placeholders are filled in by String.format below
String AUTHORIZE_URL = "https://api.instagram.com/oauth/authorize/?client_id=%s&redirect_uri=%s&response_type=code";
String url = String.format(AUTHORIZE_URL, clientId, redirectUri);
// Fetches the authorize page as a plain string
String o = restTemplate.getForObject(url, String.class);
The response is the html code of the login page because Instagram requires the user to be logged in to check if the app is authorized (of course it is, since the app and the user belong to my own account).
How can I authenticate before throwing that request so they return the code to my redirectUri and not complain about login?
Note: I tried simulating the request to their login form but it returned a 403 Forbidden.
NOTE: I already got a valid access_token, manually generated, and it works perfectly but I want to implement also a process to re-generate a new access_token automatically since they may invalidate it at any time in the future.
Even though our access tokens do not specify an expiration time, your app should handle the case that either the user revokes access, or Instagram expires the token after some period of time. If the token is no longer valid, API responses will contain an “error_type=OAuthAccessTokenError”. In this case you will need to re-authenticate the user to obtain a new valid token.
In other words: do not assume your access_token is valid forever.
Instagram is upgrading their APIs and the flows. Earlier we needed access token to bypass forced login screen. Since yesterday, they have removed that.
Now if you call this code, it will check if you are already logged in or not. If so, it will call the AUTHORIZE_URL of yours and will send a response code. The format will be either:
On success validation - http://your-redirect-uri?code=CODE
On error - http://your-redirect-uri?error=access_denied&error_reason=user_denied&error_description=The+user+denied+your+request
Now what I'm doing is I'm directly calling the above URL of yours every time. Now if the user is logged in, a response code will be sent to you, else user will be asked to login and validate your app and then the code will be sent. Technically, you are eliminating the possibility of the error case! So no need of overhead of storing access token in your database or verifying its validity.
Just try and check now what happens.
PS: If you want to check API behavior, simply type the URL on the browser and check what it returns! It helped me a lot while coding and debugging! :)