I'm using Twitter OAuth provider to login to my site. This works great; I can login, and get the access token. I want to make an additional request to the server to grab some user information. Using the 1.1 API, I do:
var request = HttpWebRequest.Create("https://api.twitter.com/1.1/users/show.json?screen_name=name");
var response = request.GetResponse(); //400 bad request error
Again, I've successfully logged in, and at this point, I have not made any successful requests, so I'm not being rate limited. Any idea what my problem is?
I can make the previous API work fine, using the URL: http://api.twitter.com/1/users/show.json?screen_name=name. But not the new URL.
Thanks.
According to the Twitter Developers Documentation for response codes, you get a 400 in this case:
The request was invalid. An accompanying error message will explain
why. This is the status code that will be returned during version 1.0 rate
limiting. In API v1.1, a request without authentication is considered
invalid and you will get this response.
Seeing your code (your URL is right and you use the 1.1 version of the API) I think that you forgot to authorize the request.
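"Authorizing the request" for API v1.1 means signing it with OAuth 1.0a: the query parameters and the oauth_* parameters are sorted, percent-encoded into a signature base string, HMAC-SHA1'd with consumer_secret&token_secret, and the result goes into an Authorization: OAuth header. The following is an added Python example written for this page (the question's code is C#, and this is not the answerer's code); the consumer key/secret and access token/secret are constructed placeholders, and signed_request is a hypothetical helper name.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlparse

# Constructed placeholder credentials for this example; real values come from
# the app settings and the OAuth login flow (never hard-code them).
CONSUMER_KEY = "ck"
CONSUMER_SECRET = "cs"
ACCESS_TOKEN = "tok"
ACCESS_TOKEN_SECRET = "ts"


def pct(value):
    """Percent-encode as OAuth 1.0a requires: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded base URL (no query) & encoded, sorted key=value list."""
    parsed = urlparse(url)
    base_url = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(param_string)])


def sign(method, url, query_params, nonce=None, timestamp=None):
    """Return the oauth_* parameters, including the HMAC-SHA1 signature."""
    oauth_params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": ACCESS_TOKEN,
        "oauth_version": "1.0",
    }
    # Query parameters and oauth_* parameters are signed together.
    base = signature_base_string(method, url, {**query_params, **oauth_params})
    signing_key = f"{pct(CONSUMER_SECRET)}&{pct(ACCESS_TOKEN_SECRET)}".encode()
    digest = hmac.new(signing_key, base.encode(), hashlib.sha1).digest()
    oauth_params["oauth_signature"] = base64.b64encode(digest).decode()
    return oauth_params


def authorization_header(oauth_params):
    """Serialize oauth_* parameters into the Authorization: OAuth ... header."""
    parts = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items()))
    return "OAuth " + parts


def signed_request(method, url, query_params, nonce=None, timestamp=None):
    """Return (full URL, headers) ready for urllib or requests."""
    oauth_params = sign(method, url, query_params, nonce=nonce, timestamp=timestamp)
    query = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(query_params.items()))
    full_url = f"{url}?{query}" if query else url
    return full_url, {"Authorization": authorization_header(oauth_params)}


if __name__ == "__main__":
    url, headers = signed_request(
        "GET", "https://api.twitter.com/1.1/users/show.json", {"screen_name": "name"}
    )
    print(url)
    print(headers["Authorization"])
```

Two details cause most signature mismatches in practice: the query string must be signed as part of the parameter set but left out of the encoded base URL, and the percent-encoding must be the strict RFC 3986 form (spaces become %20, not +).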
I am attempting to use the endpoint https://firestore.googleapis.com/v1/{parent=projects/*}/databases with more data needed per the documentation on Google's docs.
The goal is to be able to make this request with a standard http utility such as cURL.
I have attempted performing the request manually through the GUI with the Chrome network tab open, and I saw a request being made: https://firebasedatabase.clients6.google.com/v1beta/projects/XXXXXXXXXX/locations/us-central1/instances?databaseId=my-database&validateOnly=true&alt=json&key=secretkey
Per trial and error on another endpoint, I have found that the key parameter can be replaced with a Bearer Auth token in the header. Other than that I am at a dead end.
I have a problem with the x-csrf-token validation with regard to an HTTPS POST request. The request comes from a Lambda function triggered by an Amazon Alexa skill and is sent to an XSO Data file running on the SAP Cloud Platform in an SAP HANA Database. I use Javascript/Node.js.
A valid token is set in the request header (see the code in the first picture below), but the response header shows "required" for the x-csrf-token (see the code in the second picture below). So there is an error with the validation. The same POST request works correctly with POSTMAN, but when I try it via a JS file as a Lambda function (first picture) I get this error with HTTP status code 403 (see the code in the second picture below). The POST request itself does work, but the token validation does not. GET requests work fine.
Does anybody know a possible solution?
Thank you very much!
Picture 1: request
Picture 2: response
Please try to get the csrf token first before setting it to the request body. CSRF token changes from device to device as well as the timeframe. I also had a similar issue, and upon implementing the above solution, it started working perfectly.
I am writing this as a separate answer as I had an issue in Spring Boot RestTemplate call. I could arrive at a solution after going through this article.
SAP CSRF Issue
Basically the "set-cookie" header is instructing the browser to set the "Cookie" header. All one has to do (apart from x-csrf-token) is to replace the comma in the string of the cookie with a semicolon. Then set the header "Cookie" to this replaced value.
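The two answers above describe one flow: the CSRF token an XS OData service hands out on a GET with "x-csrf-token: Fetch" is bound to the session cookie set in that same response, so the POST must replay both the token and the cookie. The following is an added Python example written for this page, not code from either answerer; the service is a constructed stand-in (FakeXsOdataService, with a constructed cookie name SAP_SESSIONID) so the flow can be run offline, and it shows the safer way to split a comma-folded Set-Cookie value than a blanket comma replacement, which would also cut an Expires date in half.

```python
import hmac
import re
import secrets

SESSION_COOKIE = "SAP_SESSIONID"  # constructed name; real SAP cookie names carry a suffix


def split_set_cookie(header_value):
    """Split a comma-folded Set-Cookie value into individual cookies.

    A plain comma split would also cut 'Expires=Wed, 21 Oct ...' in half, so only
    split at commas that are followed by a 'name=' token.
    """
    return [c.strip() for c in re.split(r",\s*(?=[^;,\s]+=)", header_value) if c.strip()]


def cookie_header_from_set_cookie(set_cookie_values):
    """Keep just name=value of every cookie and join with '; ' for the Cookie header."""
    return "; ".join(v.split(";", 1)[0].strip() for v in set_cookie_values)


def parse_cookie_header(header_value):
    """Cookie: a=1; b=2 -> {'a': '1', 'b': '2'} (values may themselves contain '=')."""
    pairs = (p.strip().partition("=") for p in (header_value or "").split(";"))
    return {k: v for k, sep, v in pairs if sep}


class FakeXsOdataService:
    """Constructed stand-in for the XS OData endpoint's CSRF protection.

    GET with 'x-csrf-token: Fetch' returns a token bound to a new session cookie;
    a POST is accepted only when the token and the cookie belong together.
    """

    def __init__(self):
        self.sessions = {}  # session id -> csrf token
        self.posts = []

    def handle(self, method, headers, body=None):
        headers = {k.lower(): v for k, v in headers.items()}
        if method == "GET" and headers.get("x-csrf-token", "").lower() == "fetch":
            sid, token = secrets.token_hex(8), secrets.token_hex(12)
            self.sessions[sid] = token
            set_cookie = (f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly, "
                          "sap-usercontext=sap-client=001; Path=/")
            return 200, {"x-csrf-token": token, "set-cookie": set_cookie}, ""
        if method == "POST":
            sid = parse_cookie_header(headers.get("cookie")).get(SESSION_COOKIE)
            expected = self.sessions.get(sid)
            presented = headers.get("x-csrf-token", "")
            if expected is None or not hmac.compare_digest(presented, expected):
                return 403, {"x-csrf-token": "Required"}, "CSRF token validation failed"
            self.posts.append(body)
            return 201, {}, "created"
        return 200, {}, ""


def post_with_csrf(service, body):
    """Client flow: fetch token + cookies with GET, then replay both on the POST."""
    status, headers, _ = service.handle("GET", {"x-csrf-token": "Fetch"})
    if status != 200 or "x-csrf-token" not in headers:
        raise RuntimeError(f"could not fetch CSRF token (HTTP {status})")
    cookie = cookie_header_from_set_cookie(split_set_cookie(headers["set-cookie"]))
    return service.handle(
        "POST",
        {"x-csrf-token": headers["x-csrf-token"], "Cookie": cookie,
         "Content-Type": "application/json"},
        body,
    )


if __name__ == "__main__":
    svc = FakeXsOdataService()
    print(svc.handle("POST", {"x-csrf-token": "stale"}, "{}"))   # 403, token "Required"
    print(post_with_csrf(svc, '{"a": 1}'))                       # 201 after Fetch
```

The failure mode in the question (POSTMAN works, Lambda gets 403 "Required") matches the second case in the fake service: a token that was fetched in a different session, or reused without its cookie, is rejected even though it was once valid.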
I followed the Quick Start Guide on Marketo's site for their REST API. This went well. I was able to get a successful response from their website.
Request:
curl https://ABC-DEF-123.mktorest.com/rest/v1/lists.json?access_token=123:ab
Response:
{"requestId":"123#abcf7aff","result":[],"success":true}
However, when I tried the same request the next day, I received:
{"requestId":"123#abc6731ab6f","success":false,"errors":[{"code":"601","message":"Access token invalid"}]}
I logged into the Marketo admin and noticed that the token I copied and pasted out of the dialog box was different. I tried this new one and it worked.
(This is taken from the guide)
I came across another guide on their site that describes a different authentication process. Marketo Authentication Guide
This guide mentions the token that is returned from the API endpoint has an expiration so I suspect that all Marketo tokens expire (or I need to disable this). However, I have not been able to successfully make requests to this endpoint with my client ID and client secret.
Request:
curl https://ABC-DEF-123.mktorest.com/identity/oauth/token?grant_type=client_credentials&client_id=ACLIENTID&client_secret=ACLIENTSECRET
Response:
{"error":"unauthorized","error_description":"An Authentication object was not found in the SecurityContext"}
Any help in the right direction would be appreciated. Thanks in advance.
REST API tokens expire. So you typically will need to request a token for each session.
From your specific installed URL, like: MARKETOURL/identity/oauth/token?grant_type=client_credentials&client_id=abc&client_secret=xyz
Which will result in (example):
{
"access_token": "1234",
"token_type": "bearer",
"expires_in": 3599,
"scope": "email#email.com"
}
You will need to start out your sessions with this request to do subsequent calls. I have code that runs this first and then requests a new token if it expires. The expires_in field is in seconds.
Source: http://developers.marketo.com/documentation/rest/authentication/
I was not able to figure out why my curl requests were failing, but I was able to successfully call the Marketo API with mrkt, a Ruby Gem for Marketo.
I've looked through the logs of what the gem is generating for requests and they appear to be exactly the same. But at least I am now successfully calling Marketo.
You need to use the following sequence.
grant_type=client_credentials
client_id=you will get this from the Marketo admin where you generate the token
client_secret=you will get this from the Marketo admin where you generate the token
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
GET <Identity URL>/oauth/token?grant_type=client_credentials&client_id=<Client Id>&client_secret=<Client Secret>
Your first call failed because your token expires every hour currently, according to Marketo's docs.
Your curl call to get a new token failed because curl (or something) was stripping off the auth arguments. Try wrapping the url in quotes.
curl "https://ABC-DEF-123.mktorest.com/identity/oauth/token?grant_type=client_credentials&client_id=ACLIENTID&client_secret=ACLIENTSECRET"
You can get more information about what curl is sending with the -v flag. Running this would have given you enough information to at least know that your entire url wasn't being passed down to the request.
curl -v https://ABC-DEF-123.mktorest.com/identity/oauth/token?grant_type=client_credentials&client_id=ACLIENTID&client_secret=ACLIENTSECRET
I am new to Web Api 2. I am trying to build a project to explore token authorization. I created a new project in VS 2013 and selected the WebApi2 template and used Fiddler to emulate http requests. I didn't change anything in the template, just ran it as it was and tried to play with it with Fiddler. I successfully created a user by issuing request to /api/account/register but I can't login by issuing a POST request to the /Token endpoint. The request is:
http://localhost:YYYY/token?grant_type=password&password=admin123456&username=admin
(I also tried to pass the parameters as a JSON object in the request body).
I get back this:
{"error":"unsupported_grant_type"}
From other posts such as ASP.NET WEB API 2 OWIN Authentication unsuported grant_Type I learned that I needed to enable CORS for web api and at the token endpoint, but that hasn't worked for me.
Are you sure that you are sending POST request message and not GET?
If you simply go to the URL with query string (or open connection to this URL from your code) you are sending GET message by default. It's not what WebAPI with "/token" path is listening for.
If you are calling the web service from the same place, CORS is not needed. The error "unsupported_grant_type" could be in the format of the data you are passing to the server in the POST action.
Try sending with Content-Type application/x-www-form-urlencoded.
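The Marketo thread above (tokens expire after expires_in seconds, so fetch one per session and refresh it) and the Web API 2 thread (the /Token endpoint only understands a POSTed application/x-www-form-urlencoded body, so a query string or JSON body yields unsupported_grant_type) are two sides of the same OAuth2 token-endpoint client. The following is an added Python example written for this page, not code from any of the answerers; FakeTokenEndpoint, TokenCache and ManualClock are constructed stand-ins so the refresh logic and the grant-type error can be exercised offline. The Marketo URL is the one from the question; the client id and secret are the question's placeholders.

```python
import secrets
import time
from urllib.parse import parse_qsl, urlencode

FORM = "application/x-www-form-urlencoded;charset=UTF-8"


def client_credentials_body(client_id, client_secret):
    """Form body for the Marketo-style client_credentials grant."""
    return urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})


def password_body(username, password):
    """Form body for the ASP.NET Web API 2 /Token password grant."""
    return urlencode({"grant_type": "password",
                      "username": username, "password": password})


class ManualClock:
    """Constructed clock so the cache can be exercised without sleeping."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class FakeTokenEndpoint:
    """Constructed stand-in for an OAuth2 token endpoint: it only understands a
    POSTed form body, mirroring the unsupported_grant_type error in the question."""

    def __init__(self, expires_in=3599):
        self.expires_in = expires_in
        self.calls = 0

    def __call__(self, method, url, headers, body):
        self.calls += 1
        content_type = headers.get("Content-Type", "")
        if method != "POST" or "application/x-www-form-urlencoded" not in content_type:
            return 400, {"error": "unsupported_grant_type"}
        form = dict(parse_qsl(body))
        if form.get("grant_type") not in ("client_credentials", "password"):
            return 400, {"error": "unsupported_grant_type"}
        return 200, {"access_token": secrets.token_hex(16), "token_type": "bearer",
                     "expires_in": self.expires_in}


class TokenCache:
    """Fetch an access token once and reuse it until shortly before expires_in elapses."""

    def __init__(self, token_url, body, transport, clock=time.time, margin=60):
        self.token_url, self.body, self.transport = token_url, body, transport
        self.clock, self.margin = clock, margin
        self.token, self.expires_at = None, 0.0

    def get_token(self):
        if self.token is None or self.clock() >= self.expires_at:
            status, payload = self.transport(
                "POST", self.token_url, {"Content-Type": FORM}, self.body)
            if status != 200 or "access_token" not in payload:
                raise RuntimeError(f"token request failed: {status} {payload}")
            self.token = payload["access_token"]
            # Refresh `margin` seconds early so a token never expires mid-request.
            self.expires_at = self.clock() + float(payload.get("expires_in", 0)) - self.margin
        return self.token

    def bearer_header(self):
        return {"Authorization": f"Bearer {self.get_token()}"}


if __name__ == "__main__":
    endpoint = FakeTokenEndpoint()
    cache = TokenCache("https://ABC-DEF-123.mktorest.com/identity/oauth/token",
                       client_credentials_body("ACLIENTID", "ACLIENTSECRET"), endpoint)
    print(cache.bearer_header(), "calls:", endpoint.calls)
    print(endpoint("GET", "/Token?grant_type=password", {}, ""))  # unsupported_grant_type
```

In production the transport would be a real HTTP call; keeping the token and its expiry in one object also makes it obvious where the credentials live, so they are not copied into every request site. Note that when the token URL is typed into a shell, the & characters still need quoting, as the curl answer below points out.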
I have a web application that uses RESTful url patterns. Currently if a users tries to access a page where they need to be authenticated it just returns nothing. Is it good practice to return the HTTP status code in this case? Would I use 403 or a different one?
You should send a response with the HTTP status code.
I wouldn't send a 403 Forbidden back though, as the spec specifies for this status code:
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated
Return a 401 Unauthorized status code instead. See this for more info on the status codes:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
The way I do this with Jersey is to send a response with the status and then include a String entity which contains a human readable message, e.g.
Response response = Response.status(Status.PRECONDITION_FAILED)
        .entity("Incorrect " + id + " [" + id + "]").build();
This will be displayed to the client. I throw a Jersey WebApplicationException which wraps this response.
If they don't have permissions return 401 to give them the chance to respond to the authentication challenge or 403 if you don't want them to.
Restlet 1.1 onwards return 403, while earlier versions return 401. 403 seems to be regarded as more correct, if not necessarily more helpful.
It depends. You really ought to return something, of course, just to have a decent client experience. If you'd like to give them opportunity to authenticate at that moment, you can return a 401 and the client will know to pass credentials using standard authentication. If, however, you'd prefer that they authenticate through some other mechanism (some login URL and then set a cookie or somesuch), then returning a 403 is probably the way to go.
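The answers above converge on one rule: 401 when the client has not yet proven who it is (and the response should carry a WWW-Authenticate challenge so it knows how), 403 when the identity is established but the action is not permitted, so retrying with the same credentials is pointless. The following is an added Python example written for this page, not code from any answerer, that encodes that decision as a small authorization function; the user store USERS and the permission names are constructed, and a real service would hold salted password hashes rather than the stand-in shown.

```python
import base64
import binascii
import hmac
from dataclasses import dataclass, field

# Constructed user store: user -> (password, permissions). A real service keeps
# salted password hashes; this is a stand-in so the status-code logic can be run.
USERS = {"alice": ("alice-pw", {"reports:read"})}

CHALLENGE = {"WWW-Authenticate": 'Basic realm="api"'}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def basic_header(username, password):
    """Client side: build the Authorization header for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic_auth(header):
    """Return (username, password) or None when the header is missing or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(headers, required_permission):
    """Map the two failure modes to the two status codes discussed above."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        # 401: no usable credentials; the challenge tells the client how to supply them.
        return Response(401, dict(CHALLENGE), '{"error":"authentication required"}')
    user, password = creds
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored[0].encode(), password.encode()):
        # Still 401: the client may retry with different credentials.
        return Response(401, dict(CHALLENGE), '{"error":"invalid credentials"}')
    if required_permission not in stored[1]:
        # 403: identity is known; repeating the request with the same credentials
        # will not help, so no challenge is sent.
        return Response(403, {}, '{"error":"forbidden"}')
    return Response(200, {}, '{"ok":true}')


if __name__ == "__main__":
    print(authorize({}, "reports:read"))
    print(authorize({"Authorization": basic_header("alice", "alice-pw")}, "reports:read"))
    print(authorize({"Authorization": basic_header("alice", "alice-pw")}, "reports:write"))
```

The same split applies to cookie- or token-based schemes; only the challenge header changes (for example a Bearer challenge, or a Location pointing at the login page when the API is consumed by a browser, which is the "some other mechanism" case in the answer above). Keeping the 401 bodies identical for unknown users and wrong passwords also avoids leaking which usernames exist.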
lol... in the REST API implementation I just built I returned a 401 status code with a response body that read "goodbye". Was the first thing complained about by the guy interacting with the API. I still think "goodbye" said it all ; )