Magento REST API not accessible in iPhone

When I try to access the REST API using iPhone, I have passed the following parameters in the URL and used both methods, POST and GET, but it displays Access Denied.
oauth_version="1.0",
oauth_signature_method="HMAC-SHA1",
oauth_nonce="B0dlzkfMWCAn0TJ",
oauth_timestamp="1366280813",
oauth_consumer_key="klkjylsiozbv6vfdsqtuheqo3kmqqzv2",
oauth_token="t9pefrwylmg7webyepsqepotlhzbytkp",
oauth_signature="NeOwbCLUPbIyF9ErnHoFQOl9%2Bwo%3D"
I have worked with the REST Client plugin available for Firefox and Chrome. The REST API works well using the REST Client plugin but is not accessible in iPhone.
I am generating a random value for oauth_timestamp, oauth_signature and oauth_nonce, and even then the REST API displays Access Denied.
Please provide suggestions.

<?php
// $fin_sign is the signature generated by the following procedure.
$nonce = substr(md5(uniqid('nonce_', true)), 0, 16);
$temprealm = "http://magentohost/api/rest/products";
$realm = rawurlencode($temprealm); // request URL, percent-encoded per RFC 3986
$oauth_version = "1.0";
$oauth_signature_method = "HMAC-SHA1";
$oauth_consumer_key = "dfddfgdgdfgddf6qgygmyvw7e3";
$oauth_access_token = "fdgdfgfdgdfg357gimpdnuejvcbtk51ni";
$oauth_method = "GET";
$oauth_timestamp = time();
$algo = "sha1";
$key = "sb88hfdihyg25ipt1by559yzbj2m3861&s7uhaheu8nrx961oxg6uc3os4zgyc2tm"; // consumer secret & token secret, both are used to generate the signature
// Parameters are listed in alphabetical order, as the signature base string requires
$data = "oauth_consumer_key=" . $oauth_consumer_key . "&oauth_nonce=" . $nonce . "&oauth_signature_method=" . $oauth_signature_method . "&oauth_timestamp=" . $oauth_timestamp . "&oauth_token=" . $oauth_access_token . "&oauth_version=" . $oauth_version;
$send_data = $oauth_method . "&" . $realm . "&" . rawurlencode($data);
$sign = hash_hmac($algo, $send_data, $key, true); // raw binary HMAC keyed with consumer secret and token secret
$fin_sign = base64_encode($sign);
echo $fin_sign;

From your question I understand that you use a random value for the signature and the nonce.
The latter would be fine, but a random signature would lead the receiver not to trust you as a legitimate client.
So, actually, you get the response you requested (;-)). But that does not solve your problem.
You have to generate a valid signature for the Magento system.

Related

How to generate/retrieve token from Cybersource Secure Acceptance API?

I have attempted to use the provided test data from the Cybersource documentation to create a token for a test PAN. However, when attempting to do so (assuming it was a REST Api) it results in a "403 - Forbidden" error. The documentation is limited, as it doesn't give much information on the API other than the following:
(Test) Endpoint: https://testsecureacceptance.cybersource.com/silent/token/create
Request to create a standalone payment token:
reference_number=123456789
transaction_type=create_payment_token
currency=usd
amount=100.00
locale=en
access_key=e2b0c0d0e0f0g0h0i0j0k0l0m0n0o0p3
profile_id=0FFEAFFB-8171-4F34-A22D-1CD38A28A384
transaction_uuid=02815b4f08e56882751a043839b7b481
signed_date_time=2013-07-11T15:16:54Z
signed_field_names=comma separated list of signed fields
unsigned_field_names=comma separated list of unsigned fields
signature=WrXOhTzhBjYMZROwiCug2My3jiZHOqATimcz5EBA07M=
payment_method=card
card_type=001
card_number=4111111111111111
card_expiry_date=12-2022
card_cvn=005
bill_to_forename=Joe
bill_to_surname=Smith
bill_to_email=joesmith@example.com
bill_to_address_line1=1 My Apartment
bill_to_address_city=Mountain View
bill_to_address_postal_code=94043
bill_to_address_state=CA
bill_to_address_country=US
Is this a REST or SOAP API? How can this be tested in Postman? I tested to check if either works, and was unsuccessful. There is no information on what to include in the header either, so this is a bit puzzling.
Example POST test I am attempting:
POST https://testsecureacceptance.cybersource.com/silent/token/create
Content-Type:application/json
Accept:application/json
{
reference_number:123456789
transaction_type:create_payment_token
currency:usd
amount:100.00
locale:en
access_key:e2b0c0d0e0f0g0h0i0j0k0l0m0n0o0p3
profile_id:0FFEAFFB-8171-4F34-A22D-1CD38A28A384
transaction_uuid:02815b4f08e56882751a043839b7b481
signed_date_time:2019-03-07T06:16:54Z
signed_field_names:profile_id,access_key,transaction_uuid,signed_field_names,unsigned_field_names,signed_date_time,locale,transaction_type,reference_number,auth_trans_ref_no,amount,currency,card_type,card_number,card_expiry_date,card_cvn,payment_method,bill_to_forename,bill_to_surname,bill_to_email,bill_to_address_line1,bill_to_address_city,bill_to_address_postal_code,bill_to_address_state,bill_to_address_country
unsigned_field_names:
signature:WrXOhTzhBjYMZROwiCug2My3jiZHOqATimcz5EBA07M=
payment_method:card
card_type:001
card_number:4111111111111111
card_expiry_date:12-2022
card_cvn:005
bill_to_forename:Joe
bill_to_surname:Smith
bill_to_email:joesmith@example.com
bill_to_address_line1:1 My Apartment
bill_to_address_city:Mountain View
bill_to_address_postal_code:94043
bill_to_address_state:CA
bill_to_address_country:US
}
"Is this a REST or SOAP API?"
The URL, https://testsecureacceptance.cybersource.com/silent/token/create, is used for Secure Acceptance Checkout API. Secure Acceptance Checkout API is neither a SOAP API nor a REST API. It is designed to be used as an HTML form POST from a customer's browser.
If your goal is to use a REST API from the browser then you will want to use Secure Acceptance Flexible Token documented here.
If your goal is to use Secure Acceptance Checkout API the full documentation for that is here.
"How can this be tested in Postman?"
Since this is not meant to be a REST API call but an HTML form POST and HTML response, you may have limited success with Postman. For example, even if you get the request to work successfully, the response will be an HTML document, not JSON.
One problem I see is that you are using the example signature, and that will not work for you. Ensure that you follow the documentation on how to create your signature as well as set the signed and unsigned fields.
@J.J. - the error you encountered -- "This field is invalid or missing.Please contact Customer Support.: ots_profileid' " -- is telling you that you are missing (or have an invalid) profileID in your request payload. The system doesn't know what profile to use when processing this request.

LinkedIn - Getting Access Token Error

All,
I am facing authentication issues that I see others have also complained about. Following official documentation I was able to get the client id and client secret but when I try to get Access Token I am getting this error:
{
"error": "invalid_request",
"error_description": "A required parameter \"client_id\" is missing"
}
I am using POSTMAN to get the access token. After getting the Access Token I intend to work with LinkedIn REST APIs with other software that could consume REST. I am not sure why I am getting this error, I wonder is it not possible to get the token from POSTMAN and have to use Python script?
Also, redirect_uri in step 2 is not a functional callback uri, it's an imaginary URL. Do I need a valid callback URL?
Since you are getting this error
{
"error": "invalid_request",
"error_description": "A required parameter \"client_id\" is missing"
}
This is giving a hint that you might need to change the Client Authentication drop-down value to Send client credential in body instead of Send as Basic auth header.
This is because when client_id and client_secret are sent in the header, they are combined and converted to base64:
Authorization: Basic base64($client_id + ':' + $client_secret)
So, no separate client_id is ever sent. But if you choose to send the credentials in body then they are sent separately.
For more info, you can refer to the official RFC here: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1
I solved this issue by adding keys/values in the Params.
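The difference between the two client-authentication modes discussed in this thread, as an added example that is not part of the original posts. The helper names, the sample credentials and the `reads_basic_header` switch (which models an endpoint that only looks at the body) are assumptions made for illustration.

```python
import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

def token_request(client_id, client_secret, code, redirect_uri, in_body):
    # Build headers and form body for an authorization-code token request
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if in_body:
        # Credentials travel as two separate form fields
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        # RFC 6749 section 2.3.1: form-encode id and secret, join with ':', base64
        raw = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    return headers, urlencode(form)

def client_id_seen(headers, body, reads_basic_header):
    # The client_id a token endpoint can recover from the request, or None
    form = parse_qs(body)
    if "client_id" in form:
        return form["client_id"][0]
    auth = headers.get("Authorization", "")
    if reads_basic_header and auth.startswith("Basic "):
        cid, _, _ = base64.b64decode(auth[6:]).decode().partition(":")
        return unquote_plus(cid)
    return None  # a body-only endpoint reports client_id as missing

# Constructed sample values, not real credentials
SAMPLE = ("my-client:id", "s3cret/with+chars", "AUTHCODE",
          "https://example.invalid/callback")
```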

Magento REST API keeps returning "signature_invalid" error

I'm trying to use the Firefox Rest client extension to test out my Magento REST API. I followed this guide but I keep getting the "signature_invalid" error when making the final request to receive the access token.
Guide: http://devdocs.magento.com/guides/m1x/api/rest/testing_rest_resources.html
The URL I use for the final request is:
http://mymagento/oauth/token?oauth_callback=http://httpbin.org/get&oauth_token=99e48f7d46d3a2f8fef704865fe2f4e4&oauth_secret=eda948ee46250f335146f6f4c5f7d622&oauth_verifier=1d977f0b96f3ae07fff515c590ec6709
And these are the headers:
OAuth oauth_version="1.0", oauth_signature_method="HMAC-SHA1",
oauth_callback="http%3A%2F%2Fhttpbin.org%2Fget",
oauth_token="99e48f7d46d3a2f8fef704865fe2f4e4",
oauth_secret="eda948ee46250f335146f6f4c5f7d622",
oauth_verifier="1d977f0b96f3ae07fff515c590ec6709",
oauth_nonce="OmOzMMy2Z60m5sV", oauth_timestamp="1495611445",
oauth_consumer_key="abc77ce5a53e67333af04807dea1356b",
oauth_signature="tE6xzRXZIc4BPQ3Dxc80ddoitLg%3D"
The nonce, timestamp and signature are automatically refreshed each request.
I'm using Magento CE 1.9.2.2.
I have also tried Postman, but that tool gives me a nonce_used error with every request, even though it's automatically refreshed... Permissions are correctly set up as explained here: http://inchoo.net/magento/configure-magento-rest-and-oauth-settings/
Everything goes fine using the Rest client extension until the final request where I want to receive the access token.
I found the solution... The local browser had cached the oauth responses...

How do I send REST request with the oauth parameters added in the URI (as input parameters)

I have a specification for a project that accesses a third party service RESTfully and requires OAuth authentication. [It accepts only the GET method, and no access token is required since I will be trying to access the protected resources using consumer key and consumer secret values along with the oauth parameters.]
I am using SoapUI-Pro 4.6.1 and tried sending a GET request with oauth parameters as authorization header using signpost method, but my project accepts only when the oauth parameters are sent in the URL.
So, when I generate oauth signature, nonce and timestamp values manually using this link- http://oauth.googlecode.com/svn/code/javascript/example/signature.html and update it in my request URL, it is working fine.
Sample URL: http://sample.com/content/?oauth_consumer_key=abc&oauth_nonce=FUINSzmeoDh&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1384436218&oauth_version=1.0&oauth_signature=ISAsa2LJt3tVhgCnbL/GQszcZbc=
Instead of this manual step, is there a way to generate oauth_signature, oauth_timestamp & oauth_nonce values automatically and then use it in the request URI as an input parameter?
Thanks in advance!
In SoapUI version 5.0.0 and above, you have an option to add query parameters.
On clicking the text box on parameters, we get a window with options to add parameters. Refer to the image.

Magento REST API signature invalid

Via the Magento OAuth API I have managed to obtain an access_token and access_token_secret.
The call to acquire these requires a valid signature. Since I'm using the plainOAuth library and I'm able to sign the authorize request validly, I suspect the library is not the issue.
Issue:
Once I'm making a REST call "test.magentohost.com/api/rest/products" using the tokens and consumer tokens, I get the response invalid signature. The sig is signed using consumer/access token secret via the library and (I think) all params are in the header.
I hope anyone can see a mistake in my header, it's driving me nuts!
This is my "Authorization" header.
oauth_realm="",
oauth_timestamp="1340011522",
oauth_nonce="ff5c167677069d9770d5cfc1dba12e0fc1d924f9",
oauth_signature_method="HMAC-SHA1",
oauth_consumer_key="ic88q1nq0iitd9tmowz6bs3dzg2d07ng",
oauth_version="1.0",
oauth_token="uye05e0pb0f8dap1ovglecxoq6ziee35",
oauth_signature="G%2Frl7S%2Bw57pjCk8xk1DMpOLkjxI%3D"
I think there is a bug inside Magento Core. I just filed a bug report here: http://www.magentocommerce.com/bug-tracking/issue?issue=14307 (unfortunately you have to be logged in to the Magento site to see it).
Basically they include the client's signature in calculating the server signature and then compare both of them, which always fails.
Please let me know how you solved this?
I had this issue and I got a working version after following these steps. But first, an example request token signature:
POST&http%3A%2F%2Fmagento.test.com%2Foauth%2Ftoken%2Frequest%2F&oauth_consumer_key%3Duaa3romggcur5yrjjm85ydiunfxfyuxx%26oauth_nonce%3D1479663271%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1479663271%26oauth_version%3D1.0
Take note that between the method, the URL and the other params, they use & without applying urlencode. This is to split the arguments from the params, I think.
During the request token call we should not put oauth_token into the params.
All parameters must be sorted in alphabetical order and the characters must be escaped with a function like urlencode:
this
http%3A%2F%2Fmagento.test.com%2Foauth%2Ftoken%2Frequest%2F
instead of this:
http://magento.test.com/oauth/token/request
and this
oauth_consumer_key%3Duaa3romggcur5yrjjm85ydiunfxfyuxx%26oauth_nonce%3D1479663271%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1479663271%26oauth_version%3D1.0
instead of this:
oauth_consumer_key=uaa3romggcur5yrjjm85ydiunfxfyuxx&oauth_nonce=1479663271&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1479663271&oauth_version=1.0
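The signing steps described in the Magento threads on this page, as an added example that is not code from the original posts or from Magento. It follows RFC 5849 HMAC-SHA1 signing, generates a fresh nonce and timestamp per request, and shows a receiver-side check that leaves `oauth_signature` out of the recomputation. Function names are hypothetical, the URL is assumed to carry no query string, and `PAGE_URL` and `PAGE_PARAMS` are the values from the request-token base string quoted above.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):
    # RFC 5849 3.6 encoding: everything except unreserved characters is escaped
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Encode each pair, sort, join with '&', then encode the joined string again
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC key is "consumer_secret&token_secret"; token secret is empty for a request token
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, consumer_secret, token_secret=""):
    # Receiver side: recompute without oauth_signature, compare in constant time
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    supplied = str(params.get("oauth_signature", ""))
    return hmac.compare_digest(expected.encode(), supplied.encode())

def signed_params(method, url, consumer_key, consumer_secret, token=None, token_secret=""):
    # Fresh nonce and timestamp on every call; usable as query or header fields
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params

# Values copied from the request-token base string quoted above
PAGE_URL = "http://magento.test.com/oauth/token/request/"
PAGE_PARAMS = {
    "oauth_consumer_key": "uaa3romggcur5yrjjm85ydiunfxfyuxx",
    "oauth_nonce": "1479663271",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1479663271",
    "oauth_version": "1.0",
}
```

When the returned parameters go into a URL, as in the SoapUI question, each value (the signature in particular) still has to be percent-encoded once more, for example with `pct`.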