Having recently finished the process of having created the script that retrieves permissions from a account holder I now find that I have to convert the retrieved access token and token secret (from the GetAccessToken response) to the API signature in order to create a X-PAYPAL-AUTHORIZATION header.
The X-PAYPAL-AUTHORIZATION header contains:
A timestamp
The access token from the GetAccessToken response
A signature generated from the following information:
Your API username
Your API password
The access token from the GetAccessToken response
The token secret from the GetAccessToken response
The endpoint for the PayPal API operation's request, such as https://api.paypal.com/nvp
HTTPS delivery method, such as POST
Request parameters associated with the request
The problem is I can't find how to generate the signature. There are no guides in PHP (JAVA and Ruby).
I did however note the line in the guide I followed (first link) to retrieve the permissions:
PayPal provides SDKs that you can use to generate authentication header signatures for Java, PHP, and .NET. When you use the SDK, you will get two values, such as the following:
But what followed was the JAVA guide and I could not find anything amongth Paypal's SDKs.
Any help would be greatly appreciated!
This documentation actually cuts out the function from their PHP SDK that should do it for you.
private function generateAuthString($apiCred, $accessToken, $tokenSecret, $endpoint)
{
$callerUid = $apiCred->getUserName();
$callerPswd = $apiCred->getPassword();
$auth = new AuthSignature();
$response = $auth->genSign($callerUid,$callerPswd,$accessToken,$tokenSecret,'POST',$endpoint);
$authString =
"token=".$accessToken.
",signature=".$response['oauth_signature'].
",timestamp=".$response['oauth_timestamp'];
return $authString;
}
Related
I have to integrate a web application with an API. The API uses OAuth 1.0 to authorize the requests. I have gone through the documentation at http://oauth.net/core/1.0a/. I have followed all the steps to generate the signature But the server always returns the message "invalid signature".
However, if I put my consumer key, consumer secret, access token and access token secret in POSTMAN. Then the signature that is generated by the POSTMAN is accepted by the server.
That means there is nothing wrong with the server. The problem is in the code that I am using to generate the signature.
Here is the code that I have written after reading the documentation to generate the tokens.
$consumer_key = '__MY_CONSUMER_KEY__';
$secret = '__MY__SECRET_KEY__';
$url = 'http://oauth.example.com/oauth/initiate';
$parameters = 'oauth_callback=oob&oauth_consumer_key='.$consumer_key.'&oauth_nonce='.dechex(time()).'&oauth_signature_method=HMAC-SHA1&oauth_timestamp='.time().'&oauth_version=1.0';
$signature = base64_encode(hash_hmac('sha1', 'GET&'.rawurlencode($url).'&'.rawurlencode($parameters), $secret, true));
$signed_request = $url.'?'.$parameters.'&oauth_signature='.$signature.PHP_EOL;
I know there are some predefined the packages available for this But I want to know what is the actual logic to generate the signature for OAuth 1.0.
Hi am trying to call an API from Postman.
The framework used is : Laravel
The website has browser authentication (using .htacess)
And The API has user authentication (Laravel Passport) (user must be logged in)
Now,
I need to call an API and include both the headers, i.e.
I added Basic Auth with username/pwd as browser credentials
Basic Auth : username/pwd
And in Headers I added
Authorization : Bearer oauthtoken
(where oauthtoken is the key retreived from an API call https://servername/auth and Basic Auth : username/pwd)
Now when I send the API call,
The Authorization Header changes to :
Authorization : Basic some_key
And thus I get Unauthorized in response.
Is there some way I can send browser creds and user auth header together?
Your OAuth token retrieved after authentication is not the same as the token attached by Postman for Basic Authentication.
If you wish to use your OAuth token in request I recommend looking at Postman variables and store that token in there.
Here is an article that helped me build my Postman collection using JWT
But some of the script in there is out of date.
I would start by creating an environment (local) in which you add a key to store the token (oauth_token) with value empty.
In the auth endpoint while in Postman you can check the Tests tab in which you can place a script to update the oauth token:
pm.test("Logged in successfully", function () {
var jsonData = pm.response.json();
pm.environment.set('oauth_token', jsonData.token);
});
After this you can add Authorization Bearer with value {{oauth_token}} to an endpoint that is using OAuth token.
If you wish to learn more about Postman variables this is a great post variables
To recap:
Send username and password to the auth endpoint
Store oauth token in Postman variable returned from step 1
Use your new token as Postman variable using {{VARIABLE_NAME}} notation
I would advise to use Guzzle Library
$http = new \GuzzleHttp\Client;
$response = $http->request('POST', 'http://quotible.web3box.com/oauth/token', [
'headers' => [
//you headers here
],
'form_params'=>[
//your browser based parameters here
]
]);
I am having account in sandbox.coinbase and I have used oauth2 where I have add new app.
It'll provide me :
clientid = 'xxxxxxxx'
clientsecreateid = 'xxxxxxxxxxxxxxxx'
authredirecturl = 'xxxxxxx'
But when I am configure it using below code
$configuration = Configuration::oauth($accessToken);
$client = Client::create($configuration);
I need $accessToken, I go through the document file but I can't find anywhere so any one have idea where to find or how to get accessToken..?
As the documentation states:
This library does not handle the handshake process, and assumes you
have an access token when it's initialized. You can handle the
handshake process using an OAuth2 client such as league/oauth2-client.
So you have to use the oauth2 client first, configure it with the coinbase server (using clientId, clientSecret and redirectUrl that you have) and pass the authorization process (much like "Login with facebook"). At the end of the oauth2 authorization coinbase will send you both access token and refresh token. They are generated on-the-fly.
Alternatively as I can see you can use the apiKey/apiSecret mode. This is essentially like having login/password.
I want to get valid link https://bitbucket.org/{username}/rss/feed?token={token} (this is main problem) and then get valid response from this link in CLI.
I know my required parameters, e.g. consumer_key, consumer_secret, request_token_url, authenticate_url, access_token_url.
I tried to use StudioIbizz\OAuth\OAuth1, but is seems to be designed for Browser, not for CLI.
I tried to run:
$this->OAuth = new \StudioIbizz\OAuth\OAuth1($this->consumer_key,$this->consumer_secret);
$requestToken = $this->OAuth->getRequestToken($this->request_token_url,$this->authenticate_url);
$token = $requestToken['oauth_token_secret'];
and paste this $token to my RSS link, but then I see message You must have read access to access the RSS feed. from Bitbucket.
I need Step by Step instructions for serious dummies.
Edit: I tried this:
$accessToken = $this->OAuth->getAccessToken($this->access_token_url,$requestToken['oauth_token_secret'],$requestToken['oauth_token']);
But then I get this:
Fatal error: Uncaught exception 'StudioIbizz\OAuth\OAuthException' with message 'Unexpected HTTP status #400'
I don't see any function related with that on official documentation. Maybe that feature not exists.
For more information, you could use this link:
https://confluence.atlassian.com/bitbucket/use-the-bitbucket-cloud-rest-apis-222724129.html
You could use stevenmaguire's Bitbucket OAuth 2.0 support for the PHP League's OAuth 2.0 Client.
$provider = new Stevenmaguire\OAuth2\Client\Provider\Bitbucket([
'clientId' => '{bitbucket-client-id}',
'clientSecret' => '{bitbucket-client-secret}',
'redirectUri' => 'https://example.com/callback-url'
]);
$token = $_GET['code'];
To get an RSS token for Bitbucket via PHP CLI, you will need to use the OAuth 1.0a protocol to authenticate your request. Here are the steps you can follow:
Install an OAuth library for PHP that can be used in CLI, such as the league/oauth1-client package.
Create a new instance of the OAuth client by passing in your consumer key and consumer secret.
$client = new League\OAuth1\Client\Server\Bitbucket($consumerKey, $consumerSecret);
Get the request token by calling the getTemporaryCredentials method and passing in the callback URL.
$temporaryCredentials = $client->getTemporaryCredentials();
Get the authorization URL by calling the getAuthorizationUrl method and passing in the temporary credentials.
$authorizationUrl = $client->getAuthorizationUrl($temporaryCredentials);
Use this URL to authenticate the request via the browser.
After successful authentication, you will get a verifier code.
Get the access token by calling the getTokenCredentials method and passing in the temporary credentials and the verifier code.
$tokenCredentials = $client->getTokenCredentials($temporaryCredentials, $verifier);
$tokenCredentials = $client->getTokenCredentials($temporaryCredentials, $verifier);
Get the RSS token by calling the getRssToken method and passing in the token credentials
$rssToken = $client->getRssToken($tokenCredentials);
You can use this token to construct your RSS feed link:
https://bitbucket.org/{username}/rss/feed?token={$rssToken}
Note that, this is just a general idea of how to use the OAuth library and it may vary depending on the library you are using. It's also important to check the documentation of that library for more details.
I had an implementation of OAuth working with Fitbit to pull data from fitbit's service. However they recently updated their service and now the request is failing whenever I try to get an access token.
They have made the following statement about the new requirement:
The solution is to OAuth sign the requests to <https://api.fitbit.com/oauth/request_token> and <https://api.fitbit.com/oauth/access_token> in a similar manner that all other calls to the Fitbit API are signed.
Requests to <https://api.fitbit.com/oauth/request_token> need to be signed with your application's consumer key and secret.
Requests to <https://api.fitbit.com/oauth/access_token> need to be signed with your application's consumer key and secret and the oauth_token and oauth_verifier received from the authorization callback.
I am using the PHP PECL OAuth library for OAuth requests. However I can't find a way to add additional parameters to the signature. I am trying the following but I'm not sure that this is the correct way to update the OAuth Signature:
$params['consumer_key'] = $this->consumer_key;
$params['consumer_secret'] = $this->consumer_secret;
$params['oauth_token'] = $this->oauth_token;
$params['oauth_verifier'] = $_REQUEST['oauth_verifier'];
$this->signature = $this->oauth->generateSignature('GET', $this->access_url, $params);
$this->access_token = $this->oauth->getAccessToken($this->access_url, $this->signature, $_REQUEST['oauth_verifier']);
The OAuth error I get is:
401
Invalid auth/bad request (got a 401, expected HTTP/1.1 20X or a redirect)
oauthoauth_signatureInvalid signature: FfvYDv5MSOfwcOwLZBJa0TlKS4Q=false
The signature which is stored from the code above shows that the proper signature should be:
[signature] => wlfzqPs4aEkTkHfqyaO65D/RW6o=
This is the "Headers Sent" piece of the debug information:
[headers_sent] => Authorization: OAuth oauth_session_handle="Frdnxw8oHe3BgNVi0Fy4jBXrZko%3D",
oauth_verifier="ss6nmke8elf3so66jg3auued49",
oauth_consumer_key="(my key)",
oauth_signature_method="HMAC-SHA1",
oauth_nonce="30463910852ea5cc2d04e60.71895372",
oauth_timestamp="1391090882",
oauth_version="1.0",
oauth_token="2cabd6beab341e332bdf8e522b6019ef",
oauth_signature="hULwWcQOl%2F8aYjh0YjR843iVXtA%3D"
I can't find anything in the documentation which explains how I can set the signature for OAuth to use with it's request. Any Help would be greatly appreciated!!!
Please let me know if you need more information!
I have found the issue.
It turns out I was not saving the oauth_token_secret being handed back and I was instead using the consumer secret.
Once I updated this, the process ran as expected.