Magento2: Rest api getting customer token does not work

Created on 9 May 2016 · 46 comments · Source: magento/magento2

Steps to reproduce

  1. curl to a Magento 2.0.5 installation to get a customer token
  2. curl -X POST "http://yourdomain/index.php/rest/V1/integration/customer/token" \
       -H "Content-Type:application/json" \
       -d '{"username":"[email protected]", "password":"xxxxxxxx1"}'

Expected result

  1. a token is returned

Actual result

  1. get the following message: {"message":"You did not sign in correctly or your account is temporarily disabled."}

Labels: Framework Webapi, Format is not valid, Ready for Work, needs update, bug report

Most helpful comment

The same issue here. Magento 2.1.1
Manually clearing the oauth_token_request_log table helps.

All 46 comments

looks like the issue occurs inside event Manager.php. Any quick fix?

Hi @sheldonli999 I could not reproduce this, I was able to get the customer token. Please make sure that you are entering the correct email & password to the request because the message you provided is the one that gets returned when an incorrect email or password is entered.

Hello,

I got the same issue. After a few successful attempts (in which I could get a token), it starts returning the above message.

I also got the same issue... keep repeating the correct username and password. Still not getting any.

Are you sure the admin account you're trying to log in to is not locked? You can try unlocking it using bin/magento.

I confirm the same issue. I can login to admin, unlock says The user account "**" was not locked or could not be unlocked, and the rest api request says {'message': 'You did not sign in correctly or your account is temporarily disabled.'}

This suddenly stopped working on my system. I created a second user to test with, with the same results. I'm testing from the admin, so my test is like:

curl -X POST "http://yourdomain/index.php/rest/V1/integration/admin/token" \
  -H "Content-Type:application/json" \
  -d '{"username":"[email protected]", "password":"xxxxxxxx1"}'

same problem

Has no one found a solution to this yet? Why is there no simple way to unlock a customer?
For anyone who faces this problem and needs to move ahead first, just head over to
vendor/magento/module-integration/Model/CustomerTokenService.php
Put this
$this->getRequestThrottler()->resetAuthenticationFailuresCount($username, RequestThrottler::USER_TYPE_CUSTOMER);

before
$this->getRequestThrottler()->throttle($username, RequestThrottler::USER_TYPE_CUSTOMER);

And when you have 1 request done, remove that part of code.

Magento community has been very slow in fixing this type of low priority bug.

A lot of comments here. Reopening

As @shoguniphicus hinted, the problem resides with the authentication failure/throttling mechanism that is part of the REST API authentication flow. At least that's what happened in the case I had access to.

It keeps track of failed attempts to get a token with an email and the wrong password (in the oauth_token_request_log table). If the failures_count column reaches the max allowed value (which is 6 by default, and supposed to be configurable in the store configuration, though it doesn't seem to be exposed in the admin panel), then authentication fails. A lock_expires_at timestamp is set to some time in the future (equally configurable, by default a few minutes, it seems).

The problem is the timestamp is not checked by the throttling mechanism, which just checks the failure count. The way a locked email is supposed to be cleaned up is via a cron job defined in:
_module-integration/Cron/CleanExpiredAuthenticationFailures.php_
which, in turn, calls the clearExpiredFailures method in
_module-integration/Model/ResourceModel/Oauth/Token/RequestLog.php_
which deletes all records with lock_expires_at older than the current time.

So this should work as expected, if the cron job were run as intended. I added logging to the above cron job, so I can see that its execute method is not called at all. I don't know how Magento finds what cron jobs to run or why it's not finding this one (some missing registration step, perhaps?), but it seems to me that if this problem were fixed, the permanent locking of users from authentication would go away.

A temporary solution would be to run your own cron job that does this cleanup on the database.
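The throttling and cleanup flow described in the comment above, modelled as an added, runnable example. This is not Magento's code: it is a small sqlite-backed stand-in for the oauth_token_request_log table that keeps only the failures_count and lock_expires_at columns named in the thread (the rest of the schema, the USER_TYPE_CUSTOMER value, the 10-minute lock duration and the customer credential store are constructed assumptions). The `check_expiry` switch contrasts the reported behaviour (count checked, timestamp ignored, so a locked customer stays locked until the cleanup cron deletes the row) with a throttler that honours lock_expires_at itself, and `clear_expired_failures` is the cleanup the CleanExpiredAuthenticationFailures cron is described as performing.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed stand-in for Magento's oauth_token_request_log table. The column
# names failures_count and lock_expires_at come from the thread; the rest of
# the schema is an assumption, not Magento's real DDL.
SCHEMA = """
CREATE TABLE oauth_token_request_log (
    user_name       TEXT    NOT NULL,
    user_type       INTEGER NOT NULL,
    failures_count  INTEGER NOT NULL DEFAULT 0,
    lock_expires_at TEXT,
    PRIMARY KEY (user_name, user_type)
)
"""

USER_TYPE_CUSTOMER = 1                 # assumed constant value, used only as a key here
MAX_FAILURES = 6                       # default limit quoted in the thread
LOCK_TIMEOUT = timedelta(minutes=10)   # assumed lock duration ("a few minutes")

# Constructed credential store standing in for the customer table.
CUSTOMERS = {"customer@example.com": "correct-horse"}


class SignInError(Exception):
    """Stands in for the single 'did not sign in correctly / temporarily disabled' message."""


class Clock:
    """Controllable clock so the expiry logic can be exercised deterministically."""
    def __init__(self, start):
        self.t = start

    def now(self):
        return self.t

    def advance(self, delta):
        self.t += delta


class RequestThrottler:
    """Minimal model of the authentication-failure throttler the thread describes."""

    def __init__(self, conn, clock, check_expiry):
        self.conn = conn
        self.clock = clock
        # False models the behaviour reported on the page: only failures_count is
        # consulted and lock_expires_at is ignored until the cron job deletes the row.
        self.check_expiry = check_expiry

    def _row(self, user, utype):
        return self.conn.execute(
            "SELECT failures_count, lock_expires_at FROM oauth_token_request_log "
            "WHERE user_name = ? AND user_type = ?", (user, utype)).fetchone()

    def throttle(self, user, utype):
        row = self._row(user, utype)
        if row is None or row[0] < MAX_FAILURES:
            return
        expires = row[1]
        if self.check_expiry and expires and datetime.fromisoformat(expires) <= self.clock.now():
            return  # lock window has passed; let the attempt through
        raise SignInError("account temporarily disabled")

    def record_failure(self, user, utype):
        row = self._row(user, utype)
        failures = (row[0] if row else 0) + 1
        expires = (self.clock.now() + LOCK_TIMEOUT).isoformat() if failures >= MAX_FAILURES else None
        self.conn.execute(
            "INSERT OR REPLACE INTO oauth_token_request_log VALUES (?, ?, ?, ?)",
            (user, utype, failures, expires))

    def reset_failures(self, user, utype):
        self.conn.execute(
            "DELETE FROM oauth_token_request_log WHERE user_name = ? AND user_type = ?",
            (user, utype))

    def clear_expired_failures(self):
        """The cleanup the CleanExpiredAuthenticationFailures cron is said to perform."""
        cur = self.conn.execute(
            "DELETE FROM oauth_token_request_log "
            "WHERE lock_expires_at IS NOT NULL AND lock_expires_at < ?",
            (self.clock.now().isoformat(),))
        return cur.rowcount


def create_customer_token(throttler, user, password):
    """Order of operations modelled on the thread's description of CustomerTokenService."""
    throttler.throttle(user, USER_TYPE_CUSTOMER)
    if CUSTOMERS.get(user) != password:
        throttler.record_failure(user, USER_TYPE_CUSTOMER)
        raise SignInError("bad credentials")
    throttler.reset_failures(user, USER_TYPE_CUSTOMER)
    return "constructed-token-for-" + user


def simulate(check_expiry):
    """Lock a customer with wrong passwords, then see what correct logins do over time."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    clock = Clock(datetime(2016, 5, 9, 12, 0, 0))
    throttler = RequestThrottler(conn, clock, check_expiry)
    user = "customer@example.com"

    def correct_login_ok():
        try:
            create_customer_token(throttler, user, CUSTOMERS[user])
            return True
        except SignInError:
            return False

    for _ in range(MAX_FAILURES):
        try:
            create_customer_token(throttler, user, "wrong-password")
        except SignInError:
            pass
    result = {"locked_right_after": not correct_login_ok()}
    clock.advance(LOCK_TIMEOUT + timedelta(minutes=1))
    result["allowed_after_expiry"] = correct_login_ok()
    result["rows_cleared_by_cron"] = throttler.clear_expired_failures()
    result["allowed_after_cleanup"] = correct_login_ok()
    return result


if __name__ == "__main__":
    print("timestamp ignored:", simulate(check_expiry=False))
    print("timestamp honoured:", simulate(check_expiry=True))
```

With `check_expiry=False` the correct password is still rejected after the lock window has passed and only the cleanup deletion unlocks the account, which is the symptom reported throughout the thread; with `check_expiry=True` the lock lifts on its own and the cron has nothing left to delete. Either way the failure counter is reset on a successful sign-in, so a genuine brute-force limit stays in place.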

{
"message": "You did not sign in correctly or your account is temporarily disabled.",
"trace": "#0 /home/public_html/shop/vendor/magento/module-integration/Model/AdminTokenService.php(81): Magento\Integration\Model\Oauth\Token\RequestThrottler->throttle('admin ', 3)\n#1 [internal function]: Magento\Integration\Model\AdminTokenService->createAdminAccessToken(

I have the same issue.

The same issue here. Magento 2.1.1
Manually clearing the oauth_token_request_log table helps.

Yes
The same issue here. Magento 2.1.1
Manually clearing the oauth_token_request_log table fixed my issue.

I was facing the issue, and clearing out the oauth_token_request_log table helped; now I can get the token.

I can confirm Magento 2.1.2 is still not fixed.

the same issue here. Magento 2

Hello, I can confirm that Magento 2.1.5 is still not fixed.

It is a blocking issue when this API call is used to log an admin customer into an internal application, without any possibility to reactivate this account.

Thanks for providing a fix.

I also had the same issue. But I found I was using wrong values. Maybe I am wrong, but below are my findings:

  1. The token API will not work for a customer. Customer and admin accounts are managed separately in Magento.
  2. To get a token you need to use username and password, not email and password.

Having the same issue here, Magento 2.1.5, suddenly unable to authenticate through API with rest/V1/integration/admin/token. Can authenticate through Admin Panel. The user is active, it's not blocked.

Responding {"message":"You did not sign in correctly or your account is temporarily disabled."}

You have to delete the rows in oauth_token_request_log; if you have users with 6 failures, they will be blocked.

@sheldonli999 Unfortunately, I could not reproduce the issue as you described it. Can you please recheck your problem on the latest version of Magento 2?

According to the contributor guide, tickets without response for two weeks should be closed.
If this issue is still reproducible, please feel free to create a new one: format the new issue according to the Issue reporting guidelines, with steps to reproduce, actual result and expected result, and specify the Magento version.

Internal ticket to track issue progress: MAGETWO-69923

Having the same issue here, Magento 2.1.5, suddenly unable to authenticate through the API with a customer token. It happened to existing customers, but newly registered customers are fine.

I was having the same issue, clearing the row in the oauth_token_request_log fixed it.

Same with Magento 2.1.9

Why is the ticket closed?

I had the same issue too, and I confirm that clearing oauth_token_request_log fixed it. Magento seems to block token generation after 6 failed tries.

Magento 2.2.1, still facing the same issue. Guys, any update regarding a permanent fix?

I also have the same issue in version 2.2.3.
If anyone has a solution, please let me know.
Thanks

Hi, I'm using Magento 2.2.3. I was after this issue for almost 10 days; finally I found that the website id for the customer token is 0 by default. When I checked the store table, 0 is for admin and 1 for users, so I just hardcoded a few lines in vendor/magento/module-customer/Model/CustomerRegistry.php:

public function retrieveByEmail($customerEmail, $websiteId = null)
{
    if ($websiteId === null) {
        $websiteId = $this->storeManager->getStore()->getWebsiteId();

        /** hardcoded line start */
        if ($websiteId < 1) {
            $websiteId = 1;
        }
        /** hardcoded line end */
    }
    $emailKey = $this->getEmailKey($customerEmail, $websiteId);
    if (isset($this->customerRegistryByEmail[$emailKey])) {
        return $this->customerRegistryByEmail[$emailKey];
    }

    /** @var Customer $customer */

Now it's working and returning a customer token. The problem is that even for the customer token the service was checking the admin table for users, which will obviously fail. So after changing the website id in the above code it's working fine now.

Please let me know where I should configure the website id for customers so I can remove the hardcode and make the code clean.

I followed these steps:
vendor/magento/module-integration/Model/CustomerTokenService.php
Put this
$this->getRequestThrottler()->resetAuthenticationFailuresCount($username, RequestThrottler::USER_TYPE_CUSTOMER);

before
$this->getRequestThrottler()->throttle($username, RequestThrottler::USER_TYPE_CUSTOMER);

But after some time, it does not generate a token with the correct username and password. Please tell me a solution.

{
"message": "You did not sign in correctly or your account is temporarily disabled."
}

Facing the same issue in both Magento 2.1 and 2.2. Tried clearing the oauth_token_request_log table, but no help. Every time the API for the customer token is hit, the failure attempts count increases even if the password is correct.
Any help is appreciated.


I am also facing the same issue.

Why close this issue? This problem still persists.

This problem still exists in Magento 2.2.7.

This problem is still present in Magento 2.3.0. I also tried changing the CustomerRegistry.php and CustomerTokenService.php files, but it is not working.

Also experienced this since last week on 2.1.9.

Still seeing this issue with multiple Magento 2 shops, including 2.2.7.

I was also facing the same issue, but it started working for me when I used the STORE CODE in the request rather than using "all".

Example:

rest/all/V1/integration/customer/token

REQUEST
{
"username": "[email protected]",
"password": "xyz@123"
}

RESPONSE

{"message":"You did not sign in correctly or your account is temporarily disabled."}

When I tried using store code:

rest//V1/integration/customer/token

REQUEST
{
"username": "[email protected]",
"password": "xyz@123"
}

RESPONSE

"hk4rji2qfcd5docxw21gpnbuhyowba5p"

You have to get the store code. I had default sample data on Luma theme and my store code was "default"

This is still an issue in 2.3. Please re-open.

Manually clearing the oauth_token_request_log table fixed my problem.

The same problem occurs in Magento 2.4.0. I'm trying to make an API call to this:
http://a24-shop.local/rest/all/V1/integration/admin/token with JSON body:
{ "username":"adminEmail", "password":"adminPassword" }
And this error occurs:
{ "message": "The account sign-in was incorrect or your account is disabled temporarily. Please wait and try again later.", }

And the customer login response is the same.
A lot of comments above are about cleaning oauth_token_request_log, like here: https://stackoverflow.com/questions/41938242/customer-account-is-temporarily-disabled-in-magento/41959142#41959142

But I read that it's only a temporary solution to the problem.
Why don't the Magento developers fix this basic problem permanently?

In my case I just changed the URL to
/rest/V1/integration/customer/token
and it's working fine now.
Remove "all" from the URL.


Remove "all" from the URL.
