I'm developing an api to connect a site to a new magento store using oauth.
I'm authenticating using the admin/oauth_authorize route and I've managed to get an access token and secret key to request for resources, but it's not working.
I get
Invalid auth/bad request (got a 403, expected HTTP/1.1 20X or a redirect)
when I try to use the token.
I checked the user roles and it's set to a rest admin role I made. I also checked the user apps and it does register that I gave authorization.
Right now I'm testing with api/rest/products while setting access and secret keys that I received after authorizing.
Is there something I might be missing or could someone point me out to some useful magento oauth roles usage information?
I'm using php oauth to make the requests.
Btw, if i give access to Guest it does return product information, just in case.
It turns out I was missing proper oauth construction when I tried to fetch the data, I just needed to add the right auth type.
Related
Previously I generated the auth token based on the user credentials and it was worked fine.
I need to generate the token for guest users in which I did not have the credentials.
So I followed token generation using custom claims in JWT. Using this link I implemented.
When I try to access the apis using the custom claims token I am getting 401 unauthorized error.
I am using the previous auth system in which token is generated using the user credentials and also I need the custom claims token also to work.
Any help would be appreciated.
Check the guard on the middleware that control your route or the resource you are trying to access.
I am using an OAuth plugin for cakephp (thomseddon/cakephp-oauth-server) which am having some issues with at them moment.
I want to be able to allow access to my cakephp Rest with two calls
provision - This just adds in a Client id into my table
auth - using grant_type password I send over grant_type, username, password and client_id and return a access token.
Both these actions seem to be in working order and I am getting an access token back the problem is after I gain access I am still being kicked out by cakephp and redirected to the login page when I try an access one of the rest actions.
For example once I have an access key I send up a request to http://customer-server-2.dev/api/documents.json?access_token=xxxxxxxxxxxxxxxx
At this point I should have access because the access token is correct and works fine - but I don't I get redirected to the login in page.
If anyone can help me with this I would be eternally grateful.
There might be two problems
Your access token may be expired.Get a new access token and check
Check your scope when you are getting access token
I built a RESTful service with authentication mechanism. The authentication works with OAuth protocol (with the library from oauth.net).
My service is for school management. What I have now is only teachers panel. Now I want to add also students panel, wich its almost the same, but I dont want that students be able to edit things, so authorization is required in this case.
When the teacher wants to login, he sends post request to 'authentcation.php' and if the fields are valid, he get back the authentication token from the OAuth. The students login in 'authentication_students.php'
How can I check if the token have privilege to edit things or not with authorization in OAuth?
Token validation is intentionally uncovered by the OAuth 2.0 specification, so the exact implementation is up to you. The server may either provide a custom endpoint where token validity can be checked by protected resources or issue tokens in a format that the client can directly interpret without consulting the server (see e.g. JWS: json web tokens with signatures).
If you're using a library, you can check which approach it supports.
Issuing the token you should request different scopes (analog to user roles) for teachers and students so you can permit or deny access to protected resources based on scopes of the token granted to the client.
The token would need to include a claim with something like "canEdit" = true/false. In your case the authentication is done from two different pages, so it should not be a big problem to populate this claim?
Let me know if I'm totally off here? Am I missing something?
So before I start, I'm a bit of an OAuth2 newbie, so still trying to really wrap my head around the various permission scopes and grants.
I've managed to successfully implement an OAuth2 server using the Laravel OAuth2 Server package.
The current site I'm working on will simply dogfood from the API, using the client_credentials grant type. I've managed to get this successfully working and can make API calls with the provided access token.
However, I'm wondering how I can implement an architecture similar to Instagram, Soundcloud, etc, who don't require an access_token for basic endpoints, just a client_id. How do they do this? Is this a custom grant type?
Preferably, I'd only like to start requiring an access token when accessing private resources, such as those for modifying user information, etc. As far as I'm aware, for these I'd need to use the password grant type, which isn't a problem.
OAuth has a few flows such as 2-legged or 3-legged which basically tells the developer how many requests he needs to make to the server to get the resource he wants.
For example, in a 2-legged flow you send a request with your id and secret (first request), you get back an access_token and using that token you can make other request for the resource you want (second request).
Comming back to your Instagram example, you can think at using just client_id as a 1-legged OAuth flow, because you make only one request to server to get the resource you want.
You can use such a flow for less sensitive resources, like a profile photo or user's nickname for example.
The implementation of a 1-legged flow is simple:
- If the user_id is valid and the application doesn't need user approval to access requested resource, go ahead and show the resource.
So implementing a 1-legged flow consists in checking if the client_id is valid and checking if the requested resource needs user permission. That being said, you can use 1-legged for requesting a user profile photo, but you can't use the same flow for requesting the user's private messages.
You can read more about each OAuth Flow in The OAuth Bible.
You have two different resources on your server - a) Resources that need some access checks b) Resources that are publicly accessible.
Actions on resources that need access checks should require that a user has been identified via the OAuth header in the request. In the context of Laravel - this would be a route with the 'before' key specified as Oauth.
Actions that do not need access could glean context about what user is relevant by building your routes to accept an argument that gives you context about the user. Let's say that you have a profile that a user can see without any sort of access. Your API endpoint for a JSON representation of that could be /api/profile/[user_id], where [user_id] is the ID of the user profile you would like to see. For these routes where you do not care about access, you can leave off the oauth before filter in your route declaration.
I've been trying for a while to use Oauth to connect to the GetGlue API, with no success what so ever.
I've downloaded every library I can find (like oauth-php) and tried every example I could find on the internet. There MUST be an example for an Oauth connection to the GetGlue API somewhere, but I cant seem to find it. Anyone have any experience with this. Maybe some samplecode even?
Note: All I need is a single request for my own account. I've tried to stay clear of DB sollutions because it's not at all neccesary since it's just going to be my account that has data to be saved.
GetGlue is switching/has switched to OAuth 2.0 for authentication. You might be more successful with it. The authentication flow follows RFC 6749 closely.
Once you registered your app on their OAuth 2.0 portal and obtained a client id and secret, do something along the lines of:
Load the authorize URL to let the user authorize your app:
// remove the line breaks!
https://api.getglue.com/oauth2/authorize?response_type=code
&scope=public+read+write
&redirect_uri=http://localhost
&client_id=<your OAuth client id>
Once the user has authorized your app, GetGlue will redirect to the given redirect_uri with a code query parameter you have to intercept, e.g.
http://localhost&code=<auth code>
Pass that code to the token endpoint to get an access token to append as a query parameter when accessing the v3 API:
// get tokens
https://api.getglue.com/oauth2/access_token?client_secret=<OAuth client secret>&grant_type=authorization_code&redirect_uri=ttp://localhost&code=<auth code>&client_id=<OAuth client id>
If successful this will return some JSON. Be aware that they redirect from HTTPS to HTTP there. Some HTTP clients refuse to do this.
{
"token_type":"Bearer",
"access_token":"<an access token>",
"scope":"public read write",
"expires_in":5184000, // in seconds from now
"refresh_token":"<a refresh token>"
}
Pass the access_token as a query parameter when making API calls. If the access_token has expired, call the token endpoint with the refresh_token as auth code to get a new one. If that fails, you have to make the user authorize your app again.
There is also a Java library (getglue-java) for the new API now.
For GetGlue, you have send email to obtain the Consumer Key and Secret and thus, if you have the both then I can easily help you. I will provide you all the details to do..