How to get Access Token and Access Token Secret for Magento? - rest

I need to use the Magento REST API. I tried many ways but they are not working for me.
I already have the Consumer Key and Consumer Secret and the oauth token and oauth_verifier, but I don't know how to get the access token.
The steps below are the way I get the oauth token and oauth verifier, but I can't get the access token.
1. Getting an Unauthorized Request Token
URI: localhost/magento/oauth/initiate
Method: POST
Sample response:
oauth_token=xxqw0r7vo0xxxxxxxxx2sqj3vxwr0h&oauth_token_secret=xxg3x3jxxxxxxxxubjwyf9f1l21itrr&oauth_callback_confirmed=true
2. User Authorization
URI: localhost/magento/oauth/authorize
Method: GET
Sample response: /callback?oauth_token=xxxxxxx3lagl3o95xnox9xxxxxxpt3&oauth_verifier=xxxxxxlr5huizxxx6wi4l21zf05eb0
Now I have the Consumer Key, Consumer Secret, oauth token and oauth verifier.
In step 3 I use
URI: localhost/magento/oauth/token
Method: POST
but I cannot get the access token. This URL returns oauth_problem=signature_invalid
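The signing step the question is stuck on, as an added example that is not part of the original post or of Magento's code. It builds the OAuth 1.0a HMAC-SHA1 signature and the Authorization header for the access-token request (step 3) in Python with only the standard library, following RFC 5849. The two points that matter for oauth_problem=signature_invalid in general: the signing key for step 3 is consumer_secret&oauth_token_secret, where the token secret is the one returned by step 1 (not empty, and not the consumer secret twice), and oauth_verifier must be among the signed parameters. The consumer key and secret, token values and the localhost URL are placeholders; the timestamp and nonce arguments exist only so the output can be checked deterministically.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def enc(value) -> str:
    """RFC 5849 section 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(str(value), safe="-._~")


def normalize_url(url: str) -> str:
    """Base string URI (RFC 5849 section 3.4.1.2): lowercase scheme and host, no default port, no query."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params) -> str:
    """params: decoded (name, value) pairs from the Authorization header, the query and the form body."""
    encoded = sorted((enc(k), enc(v)) for k, v in params)   # sort by encoded name, then encoded value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), enc(normalize_url(url)), enc(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # The '&' and the token secret are always present, even when the token secret is empty.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def oauth_header(method, url, oauth_params: dict, consumer_secret, token_secret="", extra_params=()) -> str:
    """Sign the oauth_* parameters plus any query/body parameters; return the Authorization header value."""
    params = list(oauth_params.items()) + list(extra_params)
    signature = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret, token_secret)
    header_params = dict(oauth_params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{enc(k)}="{enc(v)}"' for k, v in header_params.items())


def access_token_header(consumer_key, consumer_secret, request_token, request_token_secret, verifier,
                        url="http://localhost/magento/oauth/token", timestamp=None, nonce=None) -> str:
    """Step 3 of the question: exchange the authorized request token plus verifier for an access token."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": request_token,
        "oauth_verifier": verifier,            # returned on the callback in step 2; it must be signed
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    # Signing key = consumer_secret & oauth_token_secret from the step 1 response.
    return oauth_header("POST", url, oauth_params, consumer_secret, request_token_secret)


if __name__ == "__main__":
    # Placeholder values; the real ones come from the Magento consumer setup and from steps 1 and 2.
    header = access_token_header("CONSUMER_KEY", "CONSUMER_SECRET",
                                 "REQUEST_TOKEN", "REQUEST_TOKEN_SECRET", "VERIFIER")
    print("Authorization:", header)
```

Send the returned value as the Authorization header of the POST to /oauth/token; the response body carries the final oauth_token and oauth_token_secret, and from then on API calls are signed the same way with the access token secret in place of the request token secret.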

Related

How automatically getting token in Postman

I use the Postman desktop app for web API testing. I have a lot of controllers and each needs a token. First I get a Bearer token and then copy it to the other requests. This token has a time limit. Can I get the token automatically and then automatically set it in all the other requests?
OK, I just used Environments in Postman.
1 - create a new Environment with a token variable.
2 - add a test after the auth request like this:
var jsonData = JSON.parse(responseBody);
var token = jsonData._token;
postman.setEnvironmentVariable("token", token);
3 - just use {{token}} in the other requests.
And of course you can set the token before a request if you use a Pre-request Script in one of the requests.
Write the code below in the Tests tab in Postman for your login request.
if(pm.response.code === 200) {
pm.environment.set('authToken', pm.response.json().token)
}
Then edit your collection and set your env authToken inside.
You can save and re-use the tokens using the Token Name from Postman. You can select it from the available token list.
One of the many cases is:
Request a refresh token using the credentials
Use the refresh token to get an access token
Use the access token to authenticate to the API.
Step 1 sometimes requires us to log in to an interface of the API provider and get an authentication code at our callback URL. Some API providers allow us to override this by providing the client_secret and the client_id as an authorization header and the refresh token as request parameters, and by setting prompt to none.
From the documentation.
prompt (optional)
none no UI will be shown during the request. If this is not possible (e.g. because the user has to sign in or consent) an error is returned.
https://identityserver.github.io/Documentation/docsv2/endpoints/authorization.html
All you need to know about the identity servers is here.
https://identityserver.github.io/Documentation/

Github API authentication with OAuth (and MFA)

I am working with a Github Enterprise server. I am using Postman in an attempt to hit the API. No matter what I've tried, I get a "Sign in via LDAP" HTML page returned with a 200 status code. Not exactly what I was hoping for.
Important background:
MFA is enabled
OAuth token is a personal access token with all the scopes
I have attempted passing in the token as a URL parameter:
https://api.github.mycompany.com/repos/MyOrg/myrepo?access_token=MY_OAUTH_TOKEN
I have attempted passing in the token as an Authorization header 3 different ways:
Authorization: MY_OAUTH_TOKEN
Authorization: token MY_OAUTH_TOKEN
Authorization: Bearer MY_OAUTH_TOKEN
From what I glean from the docs, my OAuth token should be sufficient, meaning that I don't need to send any sort of MFA code. Am I wrong? What do I need to do to get real results, rather than the LDAP login page?

Linkedin Authorization Issue

I am able to get the oauth_token and oauth_token_secret from the LinkedIn authorization APIs.
But I am not sure how these can be used to generate the "oauth2_access_token" parameter for calling any LinkedIn API.
Using the header "Authorization: Bearer {access_token}" doesn't work and gives an error.
The oauth_token and oauth_token_secret can be leveraged in OAuth 1.0a flows towards LinkedIn, e.g. you can now send a user off to the LinkedIn authorization endpoint using:
https://api.linkedin.com/uas/oauth/authorize?oauth_token=" . $oauth_token
If you want to leverage OAuth 2.0 you need to follow a different path that is described here: https://developer.linkedin.com/docs/oauth2 and you would not use oauth_token and oauth_token_secret, but rather the Consumer Key and the Consumer Secret.

Is the authorization code in OAuth 2 used only once for the lifetime of the client application server?

I am reading this blog on how OAuth2 works. It is an excellent source and I guess I have understood the basics of how OAuth2 works.
I was reading about the authorization code grant, which involves granting access to the application server (my server), which exchanges the authorization code it received from the authorization server (e.g. Facebook) through the registered redirect URI.
My server then exchanges this authorization code for an access token and a refresh token. When the access token has expired, the refresh token is used to get a new access token.
Q1) From this flow, I see that the authorization code given by Facebook is used only once by my server to get the access_token. For subsequent requests, this authorization code is not used. Is this correct?
If the user logs in to my server after 3 days, during which the access token has expired, my server will use the refresh token to get a new access token and use this access token.
Q2) Does the refresh token expire, or is a new refresh token provided each time a refresh token is used to get a new access token?
Q1) RFC6749, Section 4.1.2 Authorization Response: The client MUST NOT use the authorization code more than once.
Q2) RFC6749, Section 6 Refreshing an Access Token: The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token.
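Both RFC 6749 rules quoted in the answer, as an added example written here in Python (not code from the post or from any real authorization server): a minimal token endpoint in which an authorization code can be exchanged exactly once, a second use is refused and revokes the tokens issued from that code (the SHOULD in section 4.1.2 is implemented), and every refresh rotates the refresh token so the previous one stops working (the MAY in section 6, chosen here). Client ids, redirect URIs and lifetimes are made up, and the clock is injectable so expiry can be tested.

```python
import secrets
import time
from dataclasses import dataclass


class OAuthError(Exception):
    """Token endpoint error response (RFC 6749 section 5.2), e.g. invalid_grant."""

    def __init__(self, error: str):
        super().__init__(error)
        self.error = error


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str
    expires_at: float
    client_id: str
    code: str  # authorization code this pair descends from, kept so reuse of the code can revoke it


class AuthorizationServer:
    """Minimal token endpoint state: single-use codes, rotating refresh tokens."""

    def __init__(self, access_lifetime: int = 3600, clock=time.time):
        self.access_lifetime = access_lifetime
        self.clock = clock
        self._pending = {}    # code -> (client_id, redirect_uri, user), not yet exchanged
        self._spent = set()   # codes that have already been exchanged once
        self._access = {}     # access_token -> TokenPair
        self._refresh = {}    # refresh_token -> TokenPair

    def issue_code(self, client_id: str, redirect_uri: str, user: str) -> str:
        """Authorization endpoint: the code delivered to the client via the redirect URI."""
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, redirect_uri, user)
        return code

    def exchange_code(self, code: str, client_id: str, redirect_uri: str) -> TokenPair:
        """Token endpoint, grant_type=authorization_code (Q1)."""
        if code in self._spent:
            # RFC 6749 4.1.2: deny the request and revoke everything previously issued on this code
            self._revoke_code(code)
            raise OAuthError("invalid_grant")
        grant = self._pending.pop(code, None)
        if grant is None or grant[0] != client_id or grant[1] != redirect_uri:
            raise OAuthError("invalid_grant")
        self._spent.add(code)
        return self._issue(client_id, code)

    def refresh(self, refresh_token: str, client_id: str) -> TokenPair:
        """Token endpoint, grant_type=refresh_token (Q2), with refresh token rotation."""
        old = self._refresh.get(refresh_token)
        if old is None or old.client_id != client_id:
            raise OAuthError("invalid_grant")
        del self._refresh[refresh_token]            # the old refresh token is now dead ...
        self._access.pop(old.access_token, None)    # ... and so is the access token it was paired with
        return self._issue(client_id, old.code)

    def introspect(self, access_token: str) -> bool:
        """What a resource server asks: is this access token still live?"""
        pair = self._access.get(access_token)
        return pair is not None and self.clock() < pair.expires_at

    def _issue(self, client_id: str, code: str) -> TokenPair:
        pair = TokenPair(secrets.token_urlsafe(32), secrets.token_urlsafe(32),
                         self.clock() + self.access_lifetime, client_id, code)
        self._access[pair.access_token] = pair
        self._refresh[pair.refresh_token] = pair
        return pair

    def _revoke_code(self, code: str) -> None:
        self._access = {t: p for t, p in self._access.items() if p.code != code}
        self._refresh = {t: p for t, p in self._refresh.items() if p.code != code}


if __name__ == "__main__":
    srv = AuthorizationServer()
    code = srv.issue_code("client-1", "https://app.example/cb", "alice")
    pair = srv.exchange_code(code, "client-1", "https://app.example/cb")
    print("first exchange ok:", srv.introspect(pair.access_token))
    try:
        srv.exchange_code(code, "client-1", "https://app.example/cb")
    except OAuthError as e:
        print("second exchange refused:", e.error, "- first token still valid?", srv.introspect(pair.access_token))
```

The client-side consequence of rotation is the MUST in section 6: after every refresh, store the refresh token from the response and discard the one you sent, otherwise the next refresh fails with invalid_grant.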

How to Validate JWT Token issued by Thinktecture identity server?

Is there any way to check whether the JWT token the OAuth client gets from the identity server is OK or not?
I am afraid that when a user gets the access_token and decodes it with base64, the user can modify the token string.
My scenario is:
I have two web portals, A and B, and both of them integrate the Thinktecture identity server.
User A can only access portal A with the "role:portalA" claim and cannot access portal B.
If user A logs in to portal A and gets the access_token, then user A adds "role:portalB" into the access_token and encodes it with base64 again.
Then the modified access_token is passed to portal B. I am afraid that user A could access portal B, so I have to check the access_token with the identity server again. Is there any way to validate this access_token? Or can this situation not happen?
I believe Thinktecture Identity Server has an endpoint for this at (baseurl + "/core/accessTokenValidation?token=" + access_token).
example:
GET request to: http://localhost:3333/core/accessTokenValidation?token=aEdhoi23hlv2khdf2lkhfv4pv....
If the access_token is valid, it should return a 200 response, otherwise it'll return a JSON error message {"error":"invalid_token"} and a 4XX response.
You should wire up a call to this service to validate tokens, then cache the response.
Take a look at the source code: https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Endpoints/Connect/AccessTokenValidationController.cs
Thinktecture IdentityServer3 has a different endpoint.
More details in official documentation:
https://identityserver.github.io/Documentation/docs/endpoints/accessTokenValidation.html
Example:
GET /connect/accesstokenvalidation?token=<token>
A successful response will return a status code of 200 and the associated claims for the token.
An unsuccessful response will return a 400 with an error message.
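The check the question asks about, as an added example written here in Python (not code from the post or from IdentityServer). A JWT is base64url-encoded, but it is also signed over the header and payload, so a portal that verifies the signature before reading any claim rejects a payload edited after issuance; the validation endpoint in the answers is the alternative of letting the token service do that check. This example uses HS256, a shared HMAC key, so it runs offline with the standard library; IdentityServer signs with an asymmetric key (RS256), where the portal verifies with the issuer's public key instead, but the tamper and audience checks are the same. The key, the portal names used as audiences and the claim layout are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue_hs256(claims: dict, key: bytes) -> str:
    """What the token service does: sign header.payload with a key the portals can verify against."""
    signing_input = b64url_encode(_json({"alg": "HS256", "typ": "JWT"})) + "." + b64url_encode(_json(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes, audience: str, now: Optional[float] = None) -> Optional[dict]:
    """What each portal must do before trusting a claim. Returns the claims, or None if the token is not trustworthy."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":                   # refuse "none" and any algorithm we did not expect
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        return None
    if payload.get("aud") != audience:                 # a token meant for portal A is not valid at portal B
        return None
    if payload.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return payload


def forge_claims(token: str, extra: dict) -> str:
    """The attack in the question: decode the payload, add a claim, re-encode, keep the old signature."""
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(extra)
    return h + "." + b64url_encode(_json(payload)) + "." + s


def forge_alg_none(token: str) -> str:
    """A second classic attempt: drop the signature and claim alg=none in the header."""
    _, p, _ = token.split(".")
    return b64url_encode(_json({"alg": "none", "typ": "JWT"})) + "." + p + "."


if __name__ == "__main__":
    key = b"shared-secret-constructed-for-this-example"
    token = issue_hs256({"sub": "userA", "aud": "portalA", "role": "portalA", "exp": time.time() + 300}, key)
    forged = forge_claims(token, {"role": "portalB", "aud": "portalB"})
    print("portal A accepts genuine token:", verify_hs256(token, key, "portalA") is not None)
    print("portal B accepts forged token:", verify_hs256(forged, key, "portalB") is not None)
    print("portal B accepts alg=none token:", verify_hs256(forge_alg_none(forged), key, "portalB") is not None)
```

The order of the checks matters: algorithm first, then signature, and only then any claim (audience, expiry, role), because nothing read from an unverified payload can be trusted, including the header's own alg field, which is why the expected algorithm is fixed in code rather than taken from the token.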