I am using Postman Tool and Insomnia(Hurl.eu) Tool to make a Particular webRequest.
I get the Response 200 from Insomnia but i am getting 403 Forbidden error from Postman.Here are the Preview messages from both
Postman:
POST /ccadmin/v1/login HTTP/1.1
Host: ccadmin-test-XXXX.oracleoutsourcing.com:443
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.NlCxWPgJAizSO60YeIBQRjgrYlgUhywr8vmnIca69A=ehkZS1iMzUyLWZkNmE1ODM1ZDM3NSIsImlzcyI6ImFwcGxpY2F0aW9uQXV0aCIsImlyJleHAiOjE1MDU4MzQ5NjIsInN1YiI6ImRiZTYwMGFkLWQwNjYtNDhdCI6MTQ3NDI5ODk2Mn0=.
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
Insomnia(Hurl):
POST /ccadmin/v1/login HTTP/1.1
Host: ccadmin-test-XXXX.oracleoutsourcing.com:443
Accept: */*
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.NlCxWPgJAizSO60YeIBQRjgrYlgUhywr8vmnIca69A=ehkZS1iMzUyLWZkNmE1ODM1ZDM3NSIsImlzcyI6ImFwcGxpY2F0aW9uQXV0aCIsImlyJleHAiOjE1MDU4MzQ5NjIsInN1YiI6ImRiZTYwMGFkLWQwNjYtNDhdCI6MTQ3NDI5ODk2Mn0=.
Content-Length: 29
Both request looks similar ,but i am getting 2 different responses.
I also disabled Postman Settings->
i)Send Postman Token Header
ii)Send no-Cache Header
I hope this will help you.
I have found that sometimes Postman behaves a bit weird when you are using Bearer Authorization, this since they made an update to the app and added the "Authorization" tab.
This has happened to me more than ones, specially on pre existing collection.
Let's give it a shot.
Delete the Authentication key on your header, I can see you wrote that one manually. And lets Postman handle that.
Open the Authorization tab, select the Bearer token type from the dropdown, add your token on the window in the left side.
Click on Preview Request.
Now you should be able to see the token on the headers "greyed out"
Open the console, this will help you checking the request and maybe you will find an adicional error.
On the console you can check the raw request and response, it helps.
Also you should try making a request from your machine using CURL ‘yes you can usit on windows and mac’, this way you can discard that you have a closed port.
Good luck
Related
I'm trying to upload a file with my REST POST request. It is not working out. When i try to look at the request postman give:
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 44262
Content-Type: multipart/form-data; boundary=--------------------------085877645320272030820682
Host: localhost
Why there is a boundry? why postman doesn't return the file that i uploaded?
Adding an attachment as 'binary' would solve the POST request problem in your case.
If you would like to download the same attachment, there should be an GET request towards the API.
If that doesn't solve, you should describe your issue better with some pictures to understand better.
URL :
https://circuitsandbox.net/rest/v2/webhooks
My Headers :
Content-Type : application/x-www-form-urlencoded
Authorization : Bearer ot-xxxxxxxxxxxx
Body :
url - Some URl
filter - CONVERSATION.CREATE
Error I am getting :
"The permission to access this resource is not granted. Scopes ::= [ALL, READ_CONVERSATIONS, READ_USER]"
Plus If i want to send extra filters thn will it be comma separated values?
If you are getting a 403, I would suspect a scope error (as mentioned by Roger) or an authentication problem.
For the first, please show us which scopes are currently selected for the application ; for authentication, can you check if you can make other API calls successfully ?
Here is what it looks like in Postman
Make sure your app registration contains the scopes that your app is asking for. For a simple outgoing webhook registration you would only need the scope READ_CONVERSATIONS.
See https://github.com/circuit/circuit-REST-bot/blob/master/app.js for an example on how to register for a webhook. This example registers for CONVERSATION.ADD, but CONVERSATION.CREATE is very similar.
If you still have problems please post a code example, or even a link to an app on repl.it.
Here is an example HTTP request to register the webhook. Note that the body is sent as text/plain (which is the default and its header can be omitted). Also note that the callback url is http. https is not yet supported.
POST https://circuitsandbox.net/rest/v2/webhooks HTTP/1.1
Host: circuitsandbox.net
Content-Type: text/plain
Authorization: Bearer <token>
url=http://90587c6d.ngrok.io/webhook&filter=CONVERSATION.CREATE
and here is a curl command
curl -X POST https://circuitsandbox.net/rest/v2/webhooks -H "Authorization: Bearer <token>" -d "url=http://90587c6d.ngrok.io/webhook&filter=CONVERSATION.CREATE"
If I fake an OPTIONS preflight CORS request from Postman, I don't get the CORS headers back from my API.
After completely reverse engineering the Microsoft.Owin.Cors library I discovered that the headers weren't on the request!
Which led me to this beauty from the Postman docs:
Restricted headers and cookies
Unfortunately some headers are restricted by Chrome and the
XMLHttpRequest specification. The following headers are blocked:
Accept-Charset Accept-Encoding Access-Control-Request-Headers
Access-Control-Request-Method Connection Content-Length Cookie Cookie
2 Content-Transfer-Encoding Date Expect Host Keep-Alive Origin Referer
TE Trailer Transfer-Encoding Upgrade User-Agent Via
https://www.getpostman.com/docs/requests
Aaaaargh. That's a day of my life I won't get back.
I managed to get it working using Postman Interceptor
The settings I had were as below
I had to check a problem of preflight requests cut by firewall in production environment. I used the Postman to sent the OPTIONS requests. This article explains which headers you must set in OPTIONS request https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request . In my case I added: Origin, Referer, Access-Control-Request-Method and Access-Control-Request-Headers. If you miss some required headers the response returns 405 Method Not Allowed. If all is set correctly the response is 204 No Content and in headers you will find headers Access-Control-Allow-Methods and Access-Control-Allow-Headers. These headers are used by browser to confirm that preflight request is accepted and browser can send main request.
I am testing Facebook Graph API v2.3 with Postman.
While it is possible to get response by putting access token in query string as follow:
https://graph.facebook.com/v2.3/me?access_token=my_access_token
I am wondering whether it's possible to do the same thing with HTTP request headers, which would be something like this:
GET /v2.3/me HTTP/1.1
Host: graph.facebook.com
Authorization: <my_access_token>
Cache-Control: no-cache
Postman-Token: <postman_token>
Based on this similar question (i.e. How should a client pass a facebook access token to the server?) on Stackoverflow, it seems that this should be possible.
Any thoughts on this?
Edit:
What raised my interest is that, when I used the API Graph Explorer provided by Facebook Developers, it seems that there's no query string in that sandbox either. How does that work?
Facebook API Graph Explorer DO use query string for access token. Thanks to #CBroe's response.
Yes it is possible
Authorization: Bearer AccessTokenHere
e.g.
curl --header "Authorization: Bearer CAAC...ZD" https://graph.facebook.com/me
This answer previously recommended using "OAuth" instead of "Bearer" as the token type. Both will work, but "Bearer" is the type that shows up in the standard. Also, on completing Facebook's OAuth flow, the token_type in their response is bearer. So all in all "Bearer" makes more sense.
It's the first time for me to try to get a REST call to work thru POST from Firefox. I generated the token and the Auth strings needed as follows:
oauth_consumer_key
oauth_nonce
oauth_signature
oauth_signature_method
oauth_timestamp
oauth_token
Does the order meter? Because I can't understand if I'm missing anything else. Here is my Request
https://api.twitter.com/1.1/search/tweets.json?q=&geocode=30.0444,31.2357,1km&until=2013-11-30&result_type=mixed&oauth_consumer_key=0xxxQ&oauth_nonce=bcbcxxx8&oauth_signature=pXXXglKjY%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1390221337&oauth_token=2287933520-fuxxxR0&count=100
The Response is:
401 Unouthorized
{"errors":[{"message":"Could not authenticate you","code":32}]}
Could anyone help please?
Thanks,
EDIT 1
As Mike suggested the Console, it actually does work from the console, but the console asks you to login so it manages the authorization, which is fine
Now that I know my request works, how to add these parameters to an $.ajax call? I tried adding the following:
beforeSend : function(req) {
req.setRequestHeader('Authorization', auth);
},
where "auth" is the "OAuth oauth_consumer_key=..." but I get a bad request error 400.
Ideas anyone?
Thanks,
Per Twitter's authorizing a request page, you need to pass in your oAuth parameters via the Authorization header, not in the query parameters.
Example given on that page (put all of the OAuth fields on the same line, no newlines):
POST /1/statuses/update.json?include_entities=true HTTP/1.1
Accept: */*
Connection: close
User-Agent: OAuth gem v0.4.4
Content-Type: application/x-www-form-urlencoded
Authorization:
OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog",
oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1318622958",
oauth_token="370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
oauth_version="1.0"
Content-Length: 76
Host: api.twitter.com
status=Hello%20Ladies%20%2b%20Gentlemen%2c%20a%20signed%20OAuth%20request%21
Another gotcha. It turns out the default .NET implementation of UrlEncode outputs the percent encoding in lower case. Looks like Twitter expects lowercase encoding, returning a 401 when parameters are lower case.
Here's some code to fix that up:
.net UrlEncode - lowercase problem