I've searched all over (including here on Stackoverflow) for how to use the Magento REST API. I need help on getting an Unauthorized Request Token (the first step)
On the Magento setup I'm using the REST API is working for GET Products for Guests so I know that is not [the problem][1]
I have setup an OAuth Consumer for the above URL and have both the consumer key and secret. I can't figure out what URL to use for the Callback URL.
First, I'm stuck and don't know what I should use as the Callback URL when setting up the consumer. It is an optional field in Magento
I'm testing with the Firefox REST Client as per http://www.magentocommerce.com/api/rest/testing_rest_resources.html
Next with the Firefox REST client I can't get started by getting an Unauthorized Request Token. According the above URL I should have the oauth_callback URI in the header.
The following request parameters should be present in the Authorization header:
oauth_callback - an URI to which the Service Provider will redirect the resource owner (user) after the authorization is complete.
oauth_consumer_key - the Consumer Key value, retrieved after the registration of the application.
oauth_nonce - a random value, uniquely generated by the application.
oauth_signature_method - name of the signature method used to sign the request. Can have one of the following values: HMAC-SHA1, RSA-SHA1, and PLAINTEXT.
oauth_signature - a generated value (signature).
oauth_timestamp - a positive integer, expressed in the number of seconds since January 1, 1970 00:00:00 GMT.
oauth_version - OAuth version.
What is the oauth_callback URI when using the above URL?
When I try a POST to Endpoint: /oauth/initiate
I get:
oauth_problem=parameter_absent&oauth_parameters_absent=oauth_callback
I'm lost and don't know what else to try. I'm a novice programmer and new to the Magento REST API...so keep that mind. It may be that I'm just missing the obvious.
Anyone who is interested in helping me figure this out here are the Consumer key and the secret.
key: d2f4a7cc63715f98d12db2c6db63cfba
secrect: 8347474102cbf2d40b06f9d76f281e73
The URL is: http://temp.pramier.com
This is from a test install so I'm not worried about giving out the key and secrect
Pass the oauth_callback like http://temp.pramier.com/admin.
You is in this step:
Getting an Unauthorized Request Token
The first step to authenticate the user is to retrieve a Request Token from Magento. This is a temporary token that will be exchanged for the Access Token.
Endpoint: /oauth/initiate
Description: The first step of authentication. Allows you to obtain the Request Token used for the rest of the authentication process.
Method: POST
Returns: Request Token
Sample Response: oauth_token=4cqw0r7vo0s5goyyqnjb72sqj3vxwr0h&oauth_token_secret=rig3x3j5a9z5j6d4ubjwyf9f1l21itrr&oauth_callback_confirmed=true
You should continue to get the token.
This is the best (and official) tutorial:
http://devdocs.magento.com/guides/m1x/api/rest/authentication/oauth_authentication.html#OAuthAuthentication-UsingOAuth
I am not sure what programming language you are using, but the API lists the code for authenticating and retrieving products in php on the bottom.
I just started working on this in ruby using the code here.
#consumer=OAuth::Consumer.new auth["consumer_key"],
auth["consumer_secret"],
{:site=>"your-site-here"}
#request_token = #consumer.get_request_token
Let me know if I misunderstood your question or wasn't clear in my explanation.
Please follow those instructions here:
http://inchoo.net/magento/configure-magento-rest-and-oauth-settings/
After that, follow these steps:
http://www.aschroder.com/2012/04/introduction-to-the-magento-rest-apis-with-oauth-in-version-1-7/
At the beginning of the article, the writer asks to use a Ruby program called oAuth. If you are using Linux, put these commands into the command line to install Ruby and oAuth:
sudo apt-get install ruby
and
sudo gem install oauth
Beware, if you put exactly this:
--authorize-url http://www.yourstore.com/magento/oauth/authorize \
You'll get a permissions error when you'll want to login. You should replace this by:
--authorize-url http://www.yourstore.com/magento/admin/oauth_authorize \
Everything should go smoothly.
Related
As per the documents received writing down the flow of authorization for version 4.0:
1. call authorize service to get the authorization code back.
2. read the 'code' value for the authorization_code.
3. use this authorization_code to get 'access_token' using '4.0/oauth/token'.
4. for the subsequent calls use 'access_token'.
Please confirm if my understanding above is correct.
My question:
- What will happen when access_token expires? Do we need to go to above flow again?
- the URLs are https does it need certificates?
- what will be the redirect_uri if i want to test in my dev?
I suggest reading a bit about OAuth 2.0 flow. Here's a decent article/example that I would start with from Digital Ocean: https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
But to answer your specific questions:
when the access_token expires you need to make an additional request to Social Tables with the refresh_token -- here's an example: click here. In short, yes you need to use the refresh token to get a new access token which you'll use for subsequent requests
No, you do not need to configure any certificates on your end. These are done via SSL+HTTPS and are ready to go.
The redirect_url for local development can be set to your local running server. You can set it to http://localhost:<port> and that will work just fine.
magento REST API, how i will get token and token secret to be fill in
Postman REST resquest. I have only consumer key and consumer secret.
Please provide me the steps to follow.
First, you want to request a valid OAuth token and secret. Do this by hitting the /oauth/initiate URL of your Magento store with a GET parameter for oauth_callback. We're going to use httpbin so that we can echo anything that is passed to our callback. Make sure you have "Auto add parameters" checked on the OAuth 1.0 settings for Postman.
That will give you an oauth_token and oauth_token_secret, which are only temporary. These are referred to as a "request token" and secret. Save these values somewhere because you will need them later.
Now, assemble a new regular HTTP request to the /admin/oauth_authorize URL of your Magento store. This will return a login form where you can accept the oauth token and authorize your app, however since we're using Postman we aren't able to interact with the form.
Instead, view the source and pull out the form_key hidden input value. Then assemble a new HTTP request to fake the submission of the authorization form. Make sure it is a POST request. Your new HTTP request should look like this.
Now, you need to actually confirm the authorization. Simply issue a GET to the /admin/oauth_authorize/confirm URL of your Magento store with the oauth_token as your parameter. When you send this request it will redirect to your oauth_callback from the first step. Now, you can see why we used httpbin as our callback in the first step.
OK. So, we're almost home. The last piece of the puzzle is to use the oauth_token, oauth_secret, and oauth_verifier all together to get a valid and persistent "access token". So, take the oauth_token_secret from the first step, and combine and assemble a new OAuth request like so.
You should get a returned token and secret. These will never expire! You can use them to query products and stuff.
Now, you can assemble your OAuth requests like this. Edit: Note, you must check the "Add params to header" checkbox in order for Magento REST calls to work properly.
I am trying to connect to Google Cloud from an embedded device so I have no access to OAuth authentication. The documents show that I can use simple API key for connecting. I have created a simple API key but I am having problems using it.
I can test the API functions successfully on https://developers.google.com/apis-explorer/?hl=en_US#p/pubsub/v1/ but on this developer's site I don't enter my API key (maybe one is generated automatically in the background).
When I try the same command using curl I get a 401 error:
"Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", "status": "UNAUTHENTICATED"
But I am copying the GET or POST command directly from the online API tester and adding my key at the end:
curl -X POST -d '{"policy":{"bindings":[{"role":"roles/editor","members":["serviceAccount:charge...."]}]}}' https://pubsub.googleapis.com/v1/projects/pl..../subscriptions/arriveHomeSub:setIamPolicy?key=AIz....
What am I missing?
With the limited information you have provided, it is tough to identify the root cause but these are some of the possible ones:
You have not used quotes for the URL argument to curl. This could lead to some characters which are part of the URL to be interpreted by your shell in a different manner. Characters like & are usual culprits although they don't seem to be part of the URL you pasted.
curl -X POST -d '{"policy":{"bindings":[{"role":"roles/editor","members":["serviceAccount:charge...."]}]}}' 'https://pubsub.googleapis.com/v1/projects/pl..../subscriptions/arriveHomeSub:setIamPolicy?key=AIz'
You have not described how you're generating your API key and hence I feel that could be one of the possible issues.
You can go over the steps for using Google OAuth 2.0 from Google, it covers a lot about client secrets, access tokens and refresh tokens.
As long as you have your client ID and secret, you can call Google OAuth APIs to generate an access token.
You pass in the current access token as the key argument to your REST API.
Access tokens have very limited lifetime and might need refreshing periodically. If your application needs to periodically refresh access tokens, consider storing the refresh token in your application in a secure manner.
I'm, trying to get content of this URL
https://www.google.com/m8/feeds/contacts/default/full?oauth_token=XXXX.XXXXXXXXXXXXXXXXXXXXXXXX&v=3.0&max_result=500
but received error code 401 with description : There was an error in your request. That's all we know.
Two things to point.
A successful Oauth authentication needs to be implemented first before you are able to make a HTTP request. Be sure to use the correct scope that you need; In your case, you're using the read/write scope.
Refer to this LINK as an example on implementing OAuth on PHP.
Second, v and oauth_token are not valid URL parameters for HTTP requests. Check this Google Contacts API documentation for more information.
Hope this helps.
I'm developing a youtube upload application and have some troubles with a specific part of authentication. ClientLogin so far, works and uploads are received by Youtube. However I have to redirect my users logged in to the Youtube-Frontpage. I've noticed that there's a possibility to login to gmail via a url: accounts.google.com/TokenAuth?auth=....
This should be possible in the exact same way for youtube. A login at "gmail" will include the cookies I'd need for youtube login.
However, I'm not getting it to work. Which auth token do I have to use? I tried many, the one provided in the clientlogin response. I queried www.google.com/accounts/IssueAuthToken url (which gives me a token back, but I cannot login with it).
For example what I've tried:
https://accounts.google.com/TokenAuth?auth=token-received-by-issueAuthToken&service=youtube&continue=http://youtube.com&source=googletalk
And:
https://accounts.google.com/TokenAuth?auth=token-received-by-issueAuthToken&service=mail&continue=http://mail.google.com/mail&source=googletalk
None of these seem to work. The Clientlogin authentication was done with "service=youtube" - is that the mistake?
I'd appreciate any information that can clarifiy my problem.
Regards,
Dennis Fischer
So - well - I got this working finally. It took me some time because there is no real documentation.
I'll explain how the requests work, you'll need to do 3 requests:
1st: Do a default clientLogin at google.com/accounts/ClientLogin
Provide Email=emailadress&Passwd=Password&service=gaia as data, as well as any other parameter you want to add to clientLogin.
You'll receive 3 Tokens, SID, LSID and Auth - you'll need SID and LSID only!
2nd: Do a request to google.com/accounts/IssueAuthToken
Add paramters SID="Extracted SID"&LSID="Extracted LSID"&service=gaia to the URL.
You'll receive an AuthToken which should start with these characters: "APh-...."
If this is not the case your this request failed due to wrong parameters (most likely missing "service=gaia").
This token will be needed in your 3rd request.
3rd: Do a request to google.com/accounts/TokenAuth?auth="token received in step 2"&service="service where you want to authenticate, e.g. mail"&source="for example googletalk"&continue="the url where you're redirected to, this is http://mail.google.com/mail for service mail"
This 3rd request is most likely done in a browser.
Congratulations, you logged in a user into his google account with 2-Step Auth. You don't need the "real password", the application specific password is enough to generate these tokens.
Regards,
Dennis Fischer