Getting Invalid signature error while invoking FITBIT rest API - rest

I have registered in FITBIT.
I am making a request to the Fitbit API (POST /oauth/request_token) with my consumer key. I have referred to https://wiki.fitbit.com/display/API/OAuth+Authentication+in+the+Fitbit+API
My request is:
POST /request_token HTTP/1.1
Host: oauth
Authorization: OAuth realm="https:/api.fitbit.com/oauth/request_token",oauth_consumer_key="XXXXXXXXXXXX",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1399958922",oauth_nonce="H8xxW0",oauth_version="1.0",oauth_signature="80M1tag6%2FYk2JV%2FQdQ%2BucxxDrLA%3D"
Cache-Control: no-cache
I am getting an invalid signature error with the JSON object below:
{
"errors": [
{
"errorType": "oauth",
"fieldName": "oauth_signature",
"message": "Invalid signature: 80M1tag6/Yk2JV/QdQ+ucxxDrLA="
}
],
"success": false }
We have the Consumer Key and Consumer Secret Key. We don't have a Token Secret at this stage. Please give me a solution to get this API working.
Thanks,
Kalyan

Like WestDiscGolf mentioned, you need to make sure that your callback URL matches the callback URL in the application you are writing. Usually when you sign up for a developer account to access APIs, they ask for a callback URL, and the callback URL has to match what you put in when you request an access token.
If you're getting an invalid signature error, though, then the callback URL probably isn't the issue. You need to make sure that the signature matches exactly what they specify in the API documentation. Signatures can be tricky, and there are a number of libraries that are available to help with that. I use Java primarily, and for Java the Scribe library is great (https://github.com/fernandezpablo85/scribe-java).
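As an added example (not code from the question, the answers, or Fitbit), here is the OAuth 1.0 HMAC-SHA1 signing routine the request above depends on, in Python, together with the server-side check. The base string is built from the normalized URL and the sorted, percent-encoded parameters (realm excluded), and at the request_token stage the key is the encoded consumer secret followed by "&" and an empty token secret, which is exactly the "no Token Secret yet" situation in the question. The consumer secret below is a constructed placeholder; the other parameter values are the ones from the question.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit
REQUEST_TOKEN_URL = "https://api.fitbit.com/oauth/request_token"
SAMPLE_PARAMS = {  # values from the question's Authorization header
    "oauth_consumer_key": "XXXXXXXXXXXX",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1399958922",
    "oauth_nonce": "H8xxW0",
    "oauth_version": "1.0",
}
CONSUMER_SECRET = "consumer-secret-placeholder"  # constructed, not a real secret

def pct(value):
    # RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded
    return quote(str(value), safe="")

def base_string(method, url, params):
    # Scheme/host lowercased, query and fragment dropped (pass query pairs via params)
    parts = urlsplit(url)
    norm_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # realm and oauth_signature never take part; sort by encoded key, then value
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k not in ("realm", "oauth_signature"))
    norm_params = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(norm_url), pct(norm_params)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # Key = encoded consumer secret + '&' + encoded token secret; at the
    # request_token step there is no token secret yet, so the key ends in '&'
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_request(method, url, params, consumer_secret, token_secret=""):
    # Client side: the parameter set with oauth_signature added
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return signed

def authorization_header(params, realm):
    # Header values are percent-encoded once more ('/' -> %2F, '=' -> %3D)
    fields = ", ".join(f'{k}="{pct(v)}"' for k, v in params.items())
    return f'OAuth realm="{realm}", {fields}'

def verify_signature(method, url, params, consumer_secret, token_secret=""):
    # Server side: recompute from the received parameters, compare in constant time
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

Comparing your own base string against the one the library or server produces is the quickest way to find a mismatch, since the signature itself is opaque.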

Related

LinkedIn - Getting Access Token Error

All,
I am facing authentication issues that I see others have also complained about. Following official documentation I was able to get the client id and client secret but when I try to get Access Token I am getting this error:
{
"error": "invalid_request",
"error_description": "A required parameter \"client_id\" is missing"
}
I am using POSTMAN to get the access token. After getting the Access Token I intend to work with LinkedIn REST APIs from other software that can consume REST. I am not sure why I am getting this error; I wonder whether it is not possible to get the token from POSTMAN and I have to use a Python script instead?
Also, redirect_uri in step 2 is not a functional callback uri, it's an imaginary URL. Do I need a valid callback URL?
Since you are getting this error:
{
"error": "invalid_request",
"error_description": "A required parameter \"client_id\" is missing"
}
this gives a hint that you might need to change the Client Authentication drop-down value to "Send client credential in body" instead of "Send as Basic auth header".
This is because when client_id and client_secret are sent in the header, they are combined and converted to base64:
Authorization: Basic base64($client_id + ':' + $client_secret)
So no separate client_id is ever sent. But if you choose to send the credentials in the body, then they are sent separately.
For more info, you can refer to the official RFC here: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1
I solved this issue by adding keys/values in the Params.
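As an added example (not code from any poster or from LinkedIn), the two client-authentication forms from RFC 6749 section 2.3.1 side by side in Python: the Basic header carries one base64 string and no client_id field, while the body form sends client_id and client_secret as separate fields. The token endpoint URL is a placeholder, and decode_basic shows what a server that only inspects the header recovers.

```python
import base64
from urllib.parse import quote_plus, unquote_plus, urlencode

TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"  # placeholder, not a real endpoint

def basic_auth_header(client_id, client_secret):
    # RFC 6749 section 2.3.1: form-urlencode each value, join with ':', then base64
    creds = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(creds.encode()).decode()

def token_request_header_auth(code, redirect_uri, client_id, client_secret):
    """'Send as Basic auth header': the body has no client_id field at all."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return headers, body

def token_request_body_auth(code, redirect_uri, client_id, client_secret):
    """'Send client credential in body': client_id and client_secret are separate fields."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri,
                      "client_id": client_id, "client_secret": client_secret})
    return headers, body

def decode_basic(header_value):
    # What a server that only reads the header gets back: a single 'id:secret' pair
    raw = base64.b64decode(header_value.split(" ", 1)[1]).decode()
    return [unquote_plus(part) for part in raw.split(":", 1)]
```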

what should be HTTP status code for credentials Expired error/exception?

I am developing RESTful APIs, and I have implemented token-based authentication, where the token digest is prepared using a time-stamp. Now when a request comes to the API server, I check whether the supplied time-stamp is invalid (i.e. a date-time from the future/past is specified) and then throw an error message indicating "future token detected" or "token has expired". I need to attach an HTTP status code, but I am confused about which status code is suitable for this situation.
I have gone through the status codes available (ref1, ref2); so far I think using 400 'bad request' will be suitable here instead of the 401 'Unauthorized' and 403 'forbidden' status codes.
What do you think, guys?
As the timestamp is invalid, I think the token is invalid. So the client is not authenticated anymore. So I would throw a 401 Unauthorized. You're free to add extra data of the context as HTTP header with the X- prefix, or to add a response body encoded according to the Accept request header (json, text, etc.). Like:
{
"error": {
"status": 401,
"details": {
"code": "401.3",
"description": "The timestamp provided must not be in the future."
}
}
}
It is not a 403 Forbidden: 403 means "the client is authenticated but does not have the right to send this request". In your case, I think the client is not authenticated any more.
Workaround... Thinking about an expired password (not exactly an expired credential)
I found this from https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
403 Forbidden
The client does not have access rights to the content; that is, it is unauthorized,
so the server is refusing to give the requested resource.
Unlike 401, the client's identity is known to the server.
//- - - -
Well, I think it is better to respond with 403 with a description or custom content header, so the client needs to call the endpoint with your auth + a param with the new password.
Now, about an expired credential (still thinking about user and password, not token), I think 403 is good too, because "the client's identity is known to the server" but unauthorized.
About the token and your timestamp, I think 401 with a description is good, because one of the first steps is the server looking at the timestamp, and the timestamp will fail before any credentials are checked.
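As an added example in the spirit of the 401 answers above (not code from any poster), this Python sketch validates a timestamp-bound HMAC token and returns 401 with a JSON body in the shape shown above, telling a future timestamp apart from an expired one. The token layout (user:timestamp:HMAC), shared secret, lifetime and skew allowance are assumptions, and the WWW-Authenticate header is the one RFC 7235 requires on every 401.

```python
import hashlib
import hmac
import time

SHARED_SECRET = b"server-side-shared-secret"  # constructed placeholder
MAX_AGE_SECONDS = 300      # assumed token lifetime
CLOCK_SKEW_SECONDS = 30    # tolerance for client clocks slightly ahead of ours

def make_token(user, timestamp, secret=SHARED_SECRET):
    # Assumed token layout: user:timestamp:HMAC-SHA256(user:timestamp)
    digest = hmac.new(secret, f"{user}:{timestamp}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{timestamp}:{digest}"

def error_body(code, description):
    # Same shape as the 401 body proposed in the answer above
    return {"error": {"status": 401, "details": {"code": code, "description": description}}}

def check_token(token, now=None, secret=SHARED_SECRET):
    """Returns (status, body): 200 with the principal, or 401 with a reason."""
    now = time.time() if now is None else now
    try:
        user, ts, digest = token.split(":")
        ts = int(ts)
    except ValueError:
        return 401, error_body("401.1", "Malformed token.")
    expected = hmac.new(secret, f"{user}:{ts}".encode(), hashlib.sha256).hexdigest()
    # Check the MAC first so an attacker cannot probe the timestamp logic with forged tokens
    if not hmac.compare_digest(expected, digest):
        return 401, error_body("401.2", "Invalid token signature.")
    if ts > now + CLOCK_SKEW_SECONDS:
        return 401, error_body("401.3", "The timestamp provided must not be in the future.")
    if now - ts > MAX_AGE_SECONDS:
        return 401, error_body("401.4", "The token has expired.")
    return 200, {"user": user}

def response_headers(status):
    # RFC 7235: a 401 response must carry WWW-Authenticate; the Bearer scheme is assumed
    if status == 401:
        return {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}
    return {}
```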

Should I expose my authentication URI in a 401 error response?

I use OAuth 2 in a REST API, and my API returns a 401 error if my access token is invalid.
My 401 response isn't meaningful right now and I wonder if I could place my authentication URI in my response? Something like
{
"error": 401,
"authentication_uri": "https://example.com/login?client_id=123&response_type=token&redirect_uri=http://example.com/app/"
}
Can I do that? Is this secure? (It seems that all these params are exposed in the URL anyway...) Are there other common methods to get a meaningful response from 401? I couldn't find something useful about this topic.
I am not a security expert, but I don't see a problem with doing this. I'm not aware of any value in hiding how to authenticate, and I don't see you exposing anything that they don't already have (assuming client_id and redirect_uri were in the original request).
To answer my own question: While it is certainly possible to do this and has benefits as you don't need to know the authentication URI beforehand, it has some pitfalls.
Say you develop multiple apps separately at http://localhost and you want them to communicate with the same REST API. The REST API can't deduce your client_id just from your Referer or Origin header field, as it is always http://localhost. You could develop "App 1" or "App 2" and each has a different client_id. Therefore you would need to support URI templates. E.g.:
{
"error": 401,
"authentication_uri": "https://example.com/login?redirect_uri=http://localhost&response_type=token{&client_id}"
}
See here for more examples about URI templates.

Getting a 403 Error with valid API key - Private App

I've created a Private App (got the API Key, Password, and Secret) but it's not allowing me access for some reason. I'm issuing the GET request without any parameters... should I be using something in the request? Thanks! Josh
{"response":
"Error message:
GET
https://58b135637023de04edb493880e25XXXX:2d6982192cdc0ea753ba6a729c9dXXXX#ellabing-com.myshopify.com/admin/products.json? returned a response status of 401 Unauthorized
"Server response": {
"errors":"[API] Invalid API key or access token (unrecognized login or wrong password)"
},
"remoteServiceStatus":1,
"success":false
}
Hmm… can you check the request that’s coming from your machine using a web debugging proxy like Charles or Fiddler and see if an Authorization header is really being passed in the request?
The format that https://58b135637023de04edb493880e25XXXX:2d6982192cdc0ea753ba6a729c9dXXXX#ellabing-com.myshopify.com/admin/products.json is in works for browsers and some clients, but is an unofficial shorthand, and not always supported.

Facebook Graph API giving an unknown OAuthException

When I send a request to https://graph.facebook.com/me/home?access_token=(access code goes here) Facebook gives me this error message:
{
"error": {
"type": "OAuthException",
"message": "An unknown error has occurred."
}
}
Every other API call works. If anybody knows anything about this issue, please help me.
Facebook does not have very good error messages...
Apparently, "An unknown error has occurred" means that I did not have valid permissions to access the user's news feed.
You have to include "read_stream" in your scope, or else facebook will reject your request with an ambiguous error message.
I <3 you facebook API
In addition to the other answers provided here...
In our production app (working with thousands of access tokens for several years), it appears that we occasionally get this error due to a temporary glitch in the API. I'm still not sure what the root cause is, but simply retrying the API call a few minutes later seems to consistently resolve the issue for us.
I get this error when the access token is the application's token. With the user-specific token, the api calls succeed.
Before the oauth upgrade, the application's token worked. The user-specific token worked and usually returned even more data.
Of course with facebook there's no way of knowing whether the current behavior (fails when using application token) is a bug or just the new way.
According to http://developers.facebook.com/docs/reference/api/, the parameter is access_token, not access.
I had this same issue and fixed it. For me, I was passing a single JSON object in the "batch" field, but Facebook wanted a JSON array.
For example, this will work, because it has a JSON array denoted by square brackets:
POST /v2.11 HTTP/1.1
Host: graph.facebook.com
Content-Type: application/json
Cache-Control: no-cache
{
"access_token":"YOUR_ACCESS_TOKEN",
"batch":[{"method":"GET", "relative_url":"me/friends?limit=50"}]
}
This will not, because there is no JSON array denoted by square brackets:
POST /v2.11 HTTP/1.1
Host: graph.facebook.com
Content-Type: application/json
Cache-Control: no-cache
{
"access_token":"YOUR_ACCESS_TOKEN",
"batch":{"method":"GET", "relative_url":"me/friends?limit=50"}
}