magento2: Magento 2 - OAuth Problem = Consumer Key Has Expired

Preconditions

  1. Magento Version 2.4
  2. Set up and activated API Integration with full access

Steps to reproduce

  1. Create integrations
  2. Make POST call to /oauth/token/request

Expected result

  1. Get request token

Actual result

  1. oauth_problem=Consumer+key+has+expired


I tried it with two different integrations, both are activated, and both return the same response of “consumer key has expired”

About this issue

  • Original URL
  • State: closed
  • Created 6 years ago
  • Reactions: 3
  • Comments: 59 (25 by maintainers)

Most upvoted comments

Nope. Stopped using Magento.

@lenaorobei @ihor-sviziev so basically this feature is a little bit buggy, currently testing on 2.3.2 (current live site) and 2.3.5. Here is my step by step:

  1. created integration
  2. authorized the application (using the prepared scripts from this URL https://gist.github.com/paliarush/4c2bfa81ebef57305ba4 with some fixes 😉)
  3. using consumer and access key pairs I am able to:
  • get product details
  • get customer details

So… basically I cannot replicate the issue today, even though yesterday it was clear 😦 In my humble opinion the documentation needs to be updated how oauth_signature is calculated in order to be able to use applications like PostMan (or any other soapUI) so you can prepare oauth_signature required for authentication.

From looks of it, yesterday (and reported problem on github) comes from not clear instructions in dev docs. Here is what I’ve done a day ago:

  • created an integration, sent “Activate” request to dummy URL which only recorded sent params.
  • Magento did “Authorize” this application even though it didn’t get any callback from remote app, information in the database was not updated

So here is (I believe so) the REAL issue with this:

  1. create new integration
  2. leave CallBack URL and Identity link URL empty
  3. save the integration (magento will generate access token and access token secret)
  4. Authorize the application

After you “Authorize” it in backend, field updated_at in database remains empty, and that is causing issues with key validation: consumer key has expired

I think Magento should not authorize an application without endpoints and without checks for callback, or a “self-authorization” needs to be fixed on code level to specify “updated_at” with right value.

There is a second issue with this, but it is also related to wrong date calculations. I will get to it with more details once I double check.

Hello @ihor-sviziev

It seems @KiuNguyen closed this issue by mistake. I have reopened internal Jira ticket and link with this issue again

@sdzhepa: Mistakes happen, to everyone…

Although this shows an issue in the process. What actions you guys at CORE are planning to take to mitigate this? Such flow should not happen in the first place and it looks like it can happen in future for any other tickets (yes also to VALID tickets and issues)…

@qsolutions-pl @PiotrSiejczuk Thank you for reporting. We will triage this issue with product organization and prioritize. Hopefully you are able to use OAuth-based authentication following DevDocs with non-empty Callback URL and Identity link values.

@PiotrKorzeniec95, it was addressed recently. We limited write access to the Magento 2 repository, so it should prevent unintentional issues closing.

I can confirm, we contributors can not close any issues or PRs anymore so we have to ping someone from the maintainer teams.

I’m encountering the issues described in this Bug Report, but problem seems to be a little bit more complex:

When I’m calling simple endpoints, everything works more-less correct.

However, the same keys used to fetch the Invoices ends up with “The signature is invalid”.

But it works completely fine if you don’t use SearchCriteria.

Looks like there’s some mess around calculating request signature 👎🏻

The issue appears when the URL is urlencoded.

I’m currently debugging this on my end, 2.3.5 version, will send an update once I finish
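The comments above tie “The signature is invalid” to SearchCriteria query strings and URL-encoded URLs, and ask how oauth_signature is calculated. The following is an added example, not code from the thread or from Magento: it builds the RFC 5849 signature base string and shows how encoding an already-encoded query a second time changes the signature. HMAC-SHA1 is an assumption about the signature method, and the host, credentials, nonce and timestamp are constructed sample values.

```python
import base64, hashlib, hmac
from urllib.parse import quote, urlsplit, parse_qsl

def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded
    return quote(s, safe="-._~")

def _assemble(method, parts, params):
    # Encode each name and value, sort, join, then encode the whole string again
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def base_string(method, url, oauth):
    # Decode the query exactly once, so the raw and the URL-encoded form of
    # the same request normalise to the same parameter list.
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    return _assemble(method, parts, query + list(oauth.items()))

def naive_base_string(method, url, oauth):
    # Failure mode: query pairs are taken as-is (no decoding) and encoded
    # again, so %5B becomes %255B and then %25255B in the base string.
    parts = urlsplit(url)
    query = [p.partition("=")[::2] for p in parts.query.split("&") if p]
    return _assemble(method, parts, query + list(oauth.items()))

def sign(base, consumer_secret, token_secret=""):
    # HMAC key is the two encoded secrets joined by "&" (RFC 5849 section 3.4.2)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed sample values, not taken from the issue
OAUTH = {"oauth_consumer_key": "ck_example", "oauth_token": "at_example",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1700000000",
         "oauth_nonce": "n0nce", "oauth_version": "1.0"}
RAW = "https://shop.example/rest/V1/invoices?searchCriteria[pageSize]=10"
ENC = "https://shop.example/rest/V1/invoices?searchCriteria%5BpageSize%5D=10"

if __name__ == "__main__":
    good = sign(base_string("GET", ENC, OAUTH), "cs_example", "ts_example")
    bad = sign(naive_base_string("GET", ENC, OAUTH), "cs_example", "ts_example")
    print("decoded once :", good)
    print("double-encode:", bad, "(a verifier that decodes once rejects this)")
```

When a client reports an invalid signature only on requests with bracketed query parameters, comparing the base string each side computes is the quickest way to see which one encoded the query twice.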

@sdzhepa this looks really important issue, there was discussion in #appdesign channel in Slack https://magentocommeng.slack.com/archives/CBSL1DF8B/p1588761675119500. Could you confirm this issue and set the correct prio / severity?

Hi,

Anyone Help me to suggest REST API Authentication using oauth 1

I am using OAuth based authentication,

But it's showing

{"message":"Consumer is not authorized to access %resources","parameters":{"resources":"Magento_Customer::customer"}

I am getting the above error, please try to resolve it

Please resolve it I am using Magento 2.2.3 version, using below code to authenticate it

I found the source of my issue. Upon creating the integration and activating it, I get a consumer key, consumer secret, access token, and access token secret. So, technically, I can just skip the “Get Access Token” step of the authentication. I was able to successfully make API calls with the provided access token.

If I created the integration with an Identity link URL, then the access token and access token secret is not supplied. And when I made a request to /oauth/token/request, I got the access token and secret as a response.

If this was the intended process, then my apologies for misinterpreting the documentation.