I have to implement the oAuth2 bearer access token method for a twitter feed. I followed correctly the details on the twitter developper website but i keep getting "Unable to verify your credentials twitter"...
If i copy my credentials over to my dev server (5.3.10 machine) i can actually login, get the token, retrieve the tweets, but on another client's server (5.2.17 machine) i can't get it to work with the exact same code.
Anything strikes you in the code below about the PHP differences? I believe it must have to be something to do with the file_get_content https stream wrapper options, but i can't find anything in the doc about it. (Openssl support is installed on the client server)
$twitter_bearer_access_token = get_option('twitter_bearer_access_token', null);
if($twitter_bearer_access_token == null)
{
//Request a bearer access token
$encodedAccessToken = base64_encode(TWITTER_CONSUMER_KEY.':'.TWITTER_CONSUMER_SECRET);
//Setup the stream context options and create the stream to POST to twitter
$options = array(
'http' => array(
'method' => 'POST',
'header' => 'Authorization: Basic '.$encodedAccessToken,
'content' => 'grant_type=client_credentials',
),
);
$context = stream_context_create($options);
$result = json_decode(#file_get_contents('https://api.twitter.com/oauth2/token', false, $context));
if(isset($result->token_type) && $result->token_type == 'bearer')
{
$twitter_bearer_access_token = $result->access_token;
update_option('twitter_bearer_access_token', $twitter_bearer_access_token);
}
else
{
$twitter_bearer_access_token = false;
}
}
Edit #1
I confirm in advance that all variables are the same on both servers, i've outputted and compared them. Only the file_get_contents return a different result.
Also, I tried copying the bearer access token gotten on the 5.3 server to the 5.2 server and the values still match but i keep getting errors about invalid authentication...
Edit #2
More info, it doesn't seem to have anything to do with the headers i send, i added practically all headers except the ones that don't pertain to me such as proxy header. It doesn't have anything to do with PHP being 5.2 or 5.3, tested on our staging server host and switch to 5.2 and still works...
Seems that using cURL works fine. Considering we want to limit our dependencies, we'll just have to resort to having two versions of the code (or eventually use a swapable component to retrieve the distant data)
//Init curl
$request = curl_init();
curl_setopt($request, CURLOPT_SSLVERSION, 3);
curl_setopt($request, CURLOPT_URL, 'https://api.twitter.com/1.1/statuses/user_timeline.json?screen_name='.TWITTER_ACCOUNT.'&count=100');
curl_setopt($request, CURLOPT_HTTPHEADER, array('Authorization: Bearer '.$twitter_bearer_access_token));
curl_setopt($request, CURLOPT_RETURNTRANSFER, true);
$result = json_decode($content = curl_exec($request));
curl_close($request);
Thats it folks
PS: There still isn't any reason for this to fail, this is just a fallback!
Related
I'm sitting here working on making a post request in a rest api in php using curl. For this purpose I have the api key and an auth key, which I am currently including as post values in the request. But I keep getting HTML back in my response instead of JSON data (which its supposed to be) giving me a 401 unauthorized error.
I've noticed often you need to make custom headers to authorize yourself in these cases (I'm guessing I need to use my auth key for that, in the header somehow).
This is my code:
$post = [
'apikey' => $apiKey,
'authkey' => $authKey,
'name' => $reknr,
'description' => $opgave,
'clientId' => $clientId,
'orderTypeId' => $typeId,
'contactAddressId' => $addressId,
'theirref' => $ref,
'reqno' => $reknr
];
// Set api link
$ch = curl_init('https://app.minuba.dk/api/1/Order');
// Set return value to true
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Configure header
curl_setopt($curl, CURLOPT_HTTPHEADER, array(
'Authorization: Basic '.$authKey,
'Content-Type: application/json')
);
// Add post fields
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
// execute!
$response = curl_exec($ch);
// close the connection, release resources used
curl_close($ch);
The API docs doesn't say anything about how you authorize yourself when making post request, during get requests its fairly easy you just include the apikey and authkey as normal parameters and it works fine.
My question is, how do I know how to configure my header so the API authorizes me? The docs say nothing about it or offers any explanation as to how except mentioning you need both the apikey and authkey to gain access.
I admit my understand of the http headers are limited, but how do I know how to configure it for this particular api?
UPDATE:
Found out the header response gives me this line:
WWW-Authenticate: Basic realm="Minuba REST API"
This tells me that the method I'm using to authenticate should be correct right? So why am I still getting a 401?
I'm trying to create an application on LinkedIn that's using OAuth2 for authentication and am running into some errors. The client runs on an iOS device and uses an oAuth library to make a call to LinkedIn's servers. My iOS client successfully gets the authorization_code. The client application then passes that authorization_code to my server, which attempts to connect to linkedIN again and get the access_token. This step consistently fails, I get the following error from LinkedIn: {"error":"invalid_request","error_description":"missing required parameters, includes an invalid parameter value, parameter more than once. : client_id"}
My POST method to LInkedIN does contain the client_id, it only contains it once, and I've triple checked the values for all the parameters, they are correct. I've also reset the access multiple times from https://www.linkedin.com/secure/settings and I've even created additional applications on LinkedIn, I keep getting the same result.
I've checked other responses, such as this one: unable to retrieve access token linkedin api and tried the suggestions: revoke keys, request new keys etc, nothing seems to be working.
Here is my server code:
$tokenURL = 'https://www.linkedin.com/uas/oauth2/accessToken';
$redirectURL = 'https://staging.textsuggestions.com';
$clientId = '75a4ezqh741sup';
$clientSecret = 'XXXXXXXX';
$tokenArguments = array("grant_type" => "authorization_code",
"code" => $code,
"redirect_uri" => $redirectURL,
"client_secret" => $clientSecret,
"client_id" => $clientId);
// send the request to the server getting data
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $tokenURL);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $tokenArguments);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = json_decode(curl_exec($ch), true);
curl_close($ch);
if (!empty($response["error"])) {
error_log("Error is: " . $response["error"]);
exit (0);
} else {
// no error, get the access_token and do stuff with it
$timeout = $response["expires_in"];
$access_token = $response["access_token"];
}
Ok I realized what I was doing wrong, the client application library that I was using was generating the full access token (not the auth code). So I was trying to pass in the access token in the place of the auth code. The error that I was getting from Linked In was certainly misleading and I should have checked the client library I was using more carefully.
Have you tried to check your code against this code sample?
https://developer.linkedin.com/documents/code-samples
Check that the POST headers include "Content-Type": "application/x-www-form-urlencoded".
I'm a bit confused. I have a GCM PHP server side app server that uses a key from Google Developer Console. I can create Android key as per the instructions given in getting started guide here, or I can create a browser key, server key or OAuth key.
Can somebody tell which key I should use on the server side PHP when sending messages via GCM to Android devices?
This is the function that sends the message to GCM
public function send_notification($registatoin_ids, $message) {
// include config
include_once './config.php';
// Set POST variables
$url = 'https://android.googleapis.com/gcm/send';
$fields = array(
'registration_ids' => $registatoin_ids,
'data' => $message,
);
$headers = array(
'Authorization: key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
'Content-Type: application/json'
);
// Open connection
$ch = curl_init();
// Set the url, number of POST vars, POST data
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Disabling SSL Certificate support temporarly
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($fields));
// Execute post
$result = curl_exec($ch);
if ($result === FALSE) {
die('Curl failed: ' . curl_error($ch));
}
// Close connection
curl_close($ch);
echo $result;
}
Obviously the XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX string is replaced by my API_KEY in the original code.
p.s: My android is registering fine with the GCM, I have the registration id sent to server as well, it's the send message post request that always returns 401 Unauthorized, I'm afraid I'm using a wrong key?
p.s2: I've tried all 3 sort of API_KEYs without success.
Solved
I was concentrating on Android or Server API_KEY but I actually had to use browser key.
Moreover, to test initially I removed all IP addresses from white listing to make sure that's not the factor playing it's role.
Now I have the push service working with above code using Browser API Key and IP restriction in place for white listing.
Cheers :)
Be sure you include the 'Authorization' header with value 'key=APIKEY'.
ApiKey can be either server key or browser key.
If you define IP whitelist for server key, you can only send messages from the specified IPs.
I have written a very simple application to update my twitter status on a given condition. I have used the twitter documentation to understand the requirements of creating the OAuth signature and also how to structure the Authorization header. I then send the request with cURL in PHP.
Using the OAuth Tools on the twitter dev site, I compared both my signature base string and authorization header, and both are exactly the same:
Signature Base String
POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.json&oauth_consumer_key%3DYNxxxxxxxxxxxWnfI6HA%26oauth_nonce%3D31077a3c7b7bee4e4c7e2b5185041c12%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1340729904%26oauth_token%3D2991771-4csoiO2fxmWgSxxxxxxxxxxDjWj2AbyxATtiuadNE%26oauth_version%3D1.0%26status%3Dblah%2520test%2520blah.
Authorization header
Authorization: OAuth oauth_consumer_key="YN4FLBxxxxxxxxxxI6HA", oauth_nonce="31077a3c7b7bee4e4c7e2b5185041c12", oauth_signature="M2cXepcxxxxxxxxxxAImeAjE%2FHc%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1340729904", oauth_token="2991771-4cxxxxxxxxxxSmRvjzMoooMDjWj2AbyxATtiuadNE", oauth_version="1.0"
Obviously I've replaced some characters with x to hide my data, but comparing the two character for character yields exactly the same result. For reference, I hard-code the timestamp and nonce that the OAuth Tool generates so that my values can be the same for checking. My access level is set to Read and write. On that same page there is a final example - the command to run with cURL on the command line. When I run this command, it works perfectly and posts to my twitter feed with no issue.
With that in mind I believe everything I've created so far is fine, and don't think there's much point me posting the code that generates the details mentioned previously. However the code that I use to make the call, using cURL, I think is the culprit, but can't tell why:
<?php
// ...
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $baseUrl);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_HTTPHEADER, array("Authorization: $header"));
curl_setopt($curl, CURLOPT_POSTFIELDS, array('status' => $status));
$result = json_decode(curl_exec($curl));
curl_close($curl);
var_dump($result);
Note that $baseUrl, $header and $status are the same variables used in generating the signature base string and authorization header, which matched just fine.
The output of the page when run is:
object(stdClass)#1 (2) { ["error"]=> string(34) "Could not authenticate with OAuth." ["request"]=> string(23) "/1/statuses/update.json" }
I hope there are enough details here for someone to point me in the right direction!
After much more searching, testing with apache_request_headers() and sticking to the notion that my data was fine and it was cURL where the problem laid, I realised that cURL was setting the Content-type of the request as multipart/form-data; and adding boundary information, obviously with a longer Content-Length field too. This meant that the status wasn't getting sent correct, I presume because of a malformed multipart/form-data; request.
The solution was to send it as a string. For instance, this works:
curl_setopt($curl, CURLOPT_POSTFIELDS, 'status='. rawurlencode($status));
But I found that there's an even nicer way (especially with multiple values, when I want to use an array):
$postfields = array('status' => $status);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($postfields));
which looks much nicer IMHO.
I think it's your nonce. From the docs: "The oauth_nonce parameter is a unique token your application should generate for each unique request" (emphasis mine).
Caveat: I'm more familiar with OAuth 2 + Java or JavaScript rather than OAuth 1 + PHP.
If that's not it (or not the only thing), you could compare your actual HTTP request (e.g. using WireShark) to the sample request they document on that page. The note there on "Building the header string" may help too.
What I am trying to do: Connect to the Tumblr API v2 via PHP and be able to create new posts
The problem: The API response is always something similar to Invalid OAuth credentials. Unable to get info
The strange part is that I am able to connect to the API (http://www.tumblr.com/docs/en/api/v2) with no problems when I do a GET request but there must be something I must be doing wrong with my signature when I try to create a POST.
Here is my code:
$params = array("type" => "quote", "quote"=>"test" );
$consumer = new OAuthConsumer($consumer_key, $consumer_secret, null);
$token = new OAuthConsumer($access_token['oauth_token'], $consumer_secret);
$req_req = OAuthRequest::from_consumer_and_token($consumer, $token,
"POST", 'http://api.tumblr.com/v2/blog/MY_URL/post', $params);
$req_req->sign_request(new OAuthSignatureMethod_HMAC_SHA1(),
$consumer, $token, null);
$result = $req_req->to_postdata();
$ch = curl_init('http://www.tumblr.com/api/write');
curl_setopt($ch, CURLOPT_URL, 'http://www.tumblr.com/api/write');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $result);
A var_dump of $result echoes the following
oauth_consumer_key=xxxxxxxx&oauth_nonce=xxxxxxx&oauth_signature=xxxxxx
&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1325033502&oauth_token=xxxxxx
&oauth_version=1.0"e=test&type=quote
I am not sure the curl_init must be calling http://www.tumblr.com/api/write but I also tried with api.tumblr.com/v2/blog/{base-hostname}/post with no luck
I also checked all the variables to see if the tokens are OK and they seem to be working fine.
Any hint in the right direction will be appreciated as I have went to page 30 of Google and I just see people with the same issue as myself.
I've been having success with this library, which was written around a year ago.
I checked the dump of the result before the curl and it looks more or less the same as yours, so i'm not sure what the difference is.