Magento2: Magento 2 - OAuth Problem = Consumer Key Has Expired

Created on 5 Mar 2018 · 54 Comments · Source: magento/magento2

Preconditions

  1. Magento Version 2.4
  2. Set up and activated API Integration with full access

Steps to reproduce

  1. Create integrations
  2. Make POST call to /oauth/token/request

Expected result

  1. Get request token

Actual result

  1. oauth_problem=Consumer+key+has+expired


I tried it with two different integrations, both are activated, and both return the same response of "consumer key has expired"

Api Oauth Cannot Reproduce Clear Description Confirmed Format is valid Ready for Work Reproduced on 2.4.x S1

Most helpful comment

Nope. Stopped using Magento.

All 54 comments

Hello @itsabe. Thanks for reporting. Please confirm that you have everything OK with those settings in your Magento Backend: Stores->Configuration->Services->OAuth->Consumer Settings section.


Yes, everything looks okay.

@itsabe, then please confirm that Expiration period of 300 sec. for Consumer Settings was enough for You, so that Consumer key/secret You got while creating (activating) the integration was not yet expired when You sent /oauth/token/request. Thank You.

@magento-engcom-team yes, it is enough. I even just created another integration, and send a POST to /oauth/token/request and got the same response of consumer key has expired. This was all done within 2 minutes.

Also, I stumbled upon #12032 from back in Nov 2017, but have not seen any updates on it.

@itsabe , thank you for your report.
We've acknowledged the issue and added to our backlog.

Is there any work around? Or am I unable to connect to the API?

I found the source of my issue. Upon creating the integration and activating it, I get a consumer key, consumer secret, access token, and access token secret. So, technically, I can just skip the "Get Access Token" step of the authentication. I was able to successfully make API calls with the provided access token.

If I created the integration with an Identity link URL, then the access token and access token secret is not supplied. And when I made a request to /oauth/token/request, I got the access token and secret as a response.

If this was the intended process, then my apologies for misinterpreting the documentation.

Hello guys,

I have exactly the same issue on Magento 2.2.3. Many hours trying to understand what's wrong.

@Lapinou42 Are you still experiencing the issue? When you create the integration and activate it through Magento backend, you can use the access token they provide you to make the API calls.

Yes, I do.

Actually, I want to create an integration to use with my Android / iOS application using OAuth1.0a.
I tried in Postman and I have the same issue.

I want to generate an access token by user, so simply use Consumer Key, Consumer Secret, RequestTokenUrl and AccessTokenUrl should be enough to generate an access token.

Maybe I'm wrong. I don't know.

@Lapinou42 When you create the integration on Magento backend (System > Integrations), do you enter a Identity link URL? If you have that field filled in, then you should be able to get the access token by making a request to /oauth/token/request.

@itsabe No. I didn't ! I'll try that and let you know if something wrong ;)

Thank you :)

@itsabe I tried with Identity link URL, still having same issue.

Then I changed Store > Settings > Configuration > Services > OAuth > Consumer Settings > Expiration Period to 1000000000000

Now I am getting the result as
oauth_problem=Invalid+signature

@maniram1804 what if you unchecked the "Add empty parameters to signature" option?

@itsabe still same result.

Did already someone do some bisecting here?

Is this an actual regression (did it work before?) or is it just with the new feature and it is not properly integrated in the code?

is there any updates here?
facing the same problem

Nope. Stopped using Magento.

Same issue here with Magento 2.2.3. Are there any news on this?

Hi,

Anyone Help me to suggest REST API Authentication using oauth 1

I am using OAuth based authentication,

But Its Showing

{"message":"Consumer is not authorized to access %resources","parameters":{"resources":"Magento_Customer::customer"}

I am getting above error, Please try to resolve it

Please resolve it I am using Magento 2.2.3 version, using below code to authenticate it

Same issue with 2.2.4

@magento-engcom-team any updates on this?

Same issue with 2.2.6

The issue still exists, is there any PR or patch for it? a whole year has been elapsed

Our solution was to drop magento entirely

On 10/31/19 3:54 AM, haiwera wrote:

> The issue still exists, is there any PR or patch for it? a whole year
> has elapsed


Hi @engcom-Echo. Thank you for working on this issue.
In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

  • [ ] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).
    Details: If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.
  • [ ] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

  • [ ] 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

  • [ ] 4. Verify that the issue is reproducible on 2.4-develop branch

    Details:
    - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
    - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
    - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and _stop verification process here_!

  • [ ] 5. Add label Issue: Confirmed once verification is complete.

  • [ ] 6. Make sure that automatic system confirms that report has been added to the backlog.

:white_check_mark: Confirmed by @engcom-Echo
Thank you for verifying the issue. Based on the provided information internal tickets MC-30108 were created

Issue Available: @engcom-Echo, _You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself._

Re-opened. This issue was closed without any info written. Please check if it still actual

@sdzhepa this looks really important issue, there was discussion in #appdesign channel in Slack https://magentocommeng.slack.com/archives/CBSL1DF8B/p1588761675119500.
Could you confirm this issue and set the correct prio / severity?

:white_check_mark: Confirmed by @sdzhepa
Thank you for verifying the issue. Based on the provided information internal tickets MC-30108 were created

Issue Available: @sdzhepa, _You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself._

Hello @ihor-sviziev

It seems @KiuNguyen closed this issue by mistake.
I have reopened internal Jira ticket and link with this issue again

@sdzhepa basically there are multiple issues here, first findings shows that "updated_at" field values are 0000-00-00 00:00:00 in one of oauth tables.

@sdzhepa: Mistakes happen, to everyone...

Although this shows an issue in the process. What actions you guys at CORE are planning to take to mitigate this? Such flow should not happen in the first place and it looks like it can happen in future for any other tickets (yes also to VALID tickets and issues)...

@PiotrKorzeniec95, it was addressed recently. We limited write access to the Magento 2 repository, so it should prevent unintentional issues closing.

@magento give me 2.4-develop instance

Hi @lenaorobei. Thank you for your request. I'm working on Magento 2.4-develop instance for you

Hi @lenaorobei, here is your Magento instance.
Admin access: https://i-13961-2-4-develop.instances.magento-community.engineering/admin_1ab9
Login: 1370780a Password: cc2a7135725d
Instance will be terminated in up to 3 hours.

> @PiotrKorzeniec95, it was addressed recently. We limited write access to the Magento 2 repository, so it should prevent unintentional issues closing.

I can confirm, we contributors can not close any issues or PRs anymore so we have to ping someone from the maintainer teams.

I'm unable to reproduce this issue.

There are two possible scenarios for using OAuth for Magento integrations.

Access allowed resources by using generated keys

New integration can be created using the described steps.
Test instance from https://github.com/magento/magento2/issues/13961#issuecomment-624732511 can be used to check that.

OAuth-based authentication - DevDocs

This approach requires to follow the instruction from DevDocs. Callback URL and Identity link URL should be specified in order to ask for a request token.

Example demo script with OAuth client can be found here https://gist.github.com/paliarush/4c2bfa81ebef57305ba4

⚠️ If the issue is not clear message, please feel free to update the issue description and expected result.

@lenaorobei I guess your comment was for me? :)

The issue was actually encountered by a colleague of mine from different SI (I am just a messenger here :)). @qsolutions-pl maybe you can give some more inputs for Lena?

I'm currently debugging this on my end, 2.3.5 version, will send an update once I finish

@lenaorobei @ihor-sviziev
so basically this feature is a little bit buggy, currently testing on 2.3.2 (current live site) and 2.3.5
Here is my step by step:
1) created integration
2) authorized the application (using the prepared scripts from this URL https://gist.github.com/paliarush/4c2bfa81ebef57305ba4 with some fixes ;))
3) using consumer and access key pairs
I am able to:

  • get product details
  • get customer details

So... basically I cannot replicate the issue today, even though yesterday it was clear :( In my humble opinion the documentation needs to be updated how oauth_signature is calculated in order to be able to use applications like PostMan (or any other soapUI) so you can prepare oauth_signature required for authentication.

From looks of it, yesterday (and reported problem on github) comes from not clear instructions
in dev docs. Here is what I've done a day ago:

  • created an integration, sent "Activate" request to dummy URL which only recorded sent params.
  • Magento did "Authorize" this application even though it didn't get any callback from remote app, information in the database was not updated

So here is (I believe so) the REAL issue with this:
1) create new integration
2) leave CallBack URL and Identity link URL empty
3) save the integration (magento will generate access token and access token secret)
4) Authorize the application

after you "Authorize" it in backend, field updated_at in database remains empty
and that is causing issues with key validation consumer key has expired

I think Magento should not authorize an application without endpoints and without checks for callback, or a "self-authorization" needs to be fixed on code level to specify "updated_at" with right value.

There is a second issue with this, but it is also related to wrong date calculations. I will get to it with more details once I double check.

@lenaorobei seems the issue is still there and valid. More details were provided. Is there a chance you can check internally the situation? Thank you in advance!

@qsolutions-pl @PiotrSiejczuk
Thank you for reporting. We will triage this issue with product organization and prioritize.
Hopefully you are able to use OAuth-based authentication following DevDocs with non-empty Callback URL and Identity link values.

DevDocs updated with examples on when to use different authorization methods: https://devdocs.magento.com/guides/v2.3/get-started/authentication/gs-authentication.html#web-api-clients-and-authentication-methods

This is still present in Magento 2.3.5 and Magento 2.3.6.

More than 2.5 years of a known bug and it isn't fixed.

If you enter a space into the "callback URL" field, this error will go away. The issue is having a NULL value in the oauth_consumer.callback_url column.

Hi @lylesback2,
According to https://github.com/magento/magento2/issues/13961#issuecomment-658230648 the issue was already solved by updating the docs:
https://devdocs.magento.com/guides/v2.3/get-started/authentication/gs-authentication.html#web-api-clients-and-authentication-methods

Seems this issue is present in 2.4 as well.

Hi @ringwood-dsg,

According to https://github.com/magento/magento2/issues/13961#issuecomment-658230648 the issue was already solved by updating the docs:
https://devdocs.magento.com/guides/v2.3/get-started/authentication/gs-authentication.html#web-api-clients-and-authentication-methods

> Seems this issue is present in 2.4 as well.

You are likely generating the key/secret and using that to try and authorize.

The flow of Magento is different from other marketplaces.

Under the store admin > System > Integrations > Add New Authorization
You need to setup the identify and callback URLs to get the consumer key/secret.
Callback URL will be called first, authorize the user on your platform, store the posted credentials (key, secret, verifier, and store url.) you get from this and return HTTP 200 success.

The identify URI will be called next, use the credentials you captured to send a request to store_url.com/oauth/token/request
and in the same script, get your second access token and secret by posting to store_url.com/oauth/token/access

Hope this helps. Let me know if you want me to provide PHP example code.
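Added example, not posted by any participant in this thread and not Magento's own code: a standard-library Python implementation of the RFC 5849 signature that the comments above describe as under-documented, applied to the POST to /oauth/token/request. The store URL, consumer key and secret are constructed placeholders, and HMAC-SHA1 as the signature method is an assumption.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string (RFC 5849 section 3.4.1)."""
    parts = urlsplit(url)
    # Base URI: lowercase scheme and host, no query or fragment.
    # Assumes the URL carries no explicit default port.
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Encode names and values first, then sort the encoded pairs.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature; the key is 'consumer_secret&token_secret'.
    For the request-token step there is no token yet, so the key ends in '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


def verify(method, url, params, signature, consumer_secret, token_secret=""):
    """Server-side check: recompute and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


def authorization_header(method, url, consumer_key, consumer_secret,
                         token="", token_secret="", nonce=None, timestamp=None):
    """Build the 'Authorization: OAuth ...' header value for one request."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),   # fresh per request
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = sign(method, url, params,
                                     consumer_secret, token_secret)
    fields = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))
    return "OAuth " + fields


# Constructed sample values, not real credentials.
SAMPLE_URL = "https://magento.example/oauth/token/request"
if __name__ == "__main__":
    print(authorization_header("POST", SAMPLE_URL, "ck_example", "cs_example"))
```

An "Invalid signature" response usually means the client and server disagree on one of the inputs to `base_string`, so comparing the base string both sides compute is the quickest check.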

Thank you for clearing this up for me. I find your explanation regarding the sequence of events a lot more helpful than the official manual, to be quite honest. We're integrating our .NET application with Magento, but what I am unsure of is the parameters being passed to the Callback URL? I see the manual references it like this:

  • store_base_url
  • oauth_verifier
  • oauth_consumer_key
  • oauth_consumer_secret

Am I correct in saying that when our callback URL is being called, that the parameters will be named exactly as they are referenced above?

Yes, those variables will be posted exactly as that to the callback link.
No data is posted to the identify URL, that you will need to pull the session data / from the DB and POST that back to the magento store to the oauth/token/request, then make another POST request to the oauth/token/access url

Thank you so much for taking the time to assist me here. I'll continue on from here and get our integration completed using your instructions. You are definitely the Magento King and my hero!
