zhartaunik

Reputation: 950

Magento oAuth authorisation failed

I have a problem with oAuth authentication in Magento.

I used the following guide to create the connection: http://www.magentocommerce.com/api/rest/authentication/oauth_authentication.html

First of all I granted all privileges for all accounts in Magento / System / WebServices / REST ... I also created an oAuth Consumer. With it I got two variables (key and secret).

According to the guide (Getting an Unauthorized Request Token) I configured RESTClient for Firefox. I selected the oAuth 1.0 option, inserted the data from Magento and added them to the headers.

And now I have something like this:

http://www.mg19.local/oauth/initiate

OAuth oauth_version="1.0",
oauth_signature_method="PLAINTEXT",
oauth_nonce="pzmp8IZuroEP6gf",
oauth_timestamp="1410271763",
oauth_consumer_key="9ad2067e70a4c3b799ab2799203b3e3b",
oauth_signature="a37633084e79432568181ef00410140e%26"

Then if I submit this, I get the following error:

Status Code: 400 Bad Request

oauth_problem=parameter_absent&oauth_parameters_absent=oauth_callback

I don't know the main purpose of the callback link, therefore I used a random link. For example: http://www.mg19.local

When I submit

http://www.mg19.local/oauth/initiate/?oauth_callback=http://www.mg19.local

I got the following result:

oauth_token=e00fc8386ba523bdd1d79a2fe61d59cb&oauth_token_secret=ca0d999010b2b149e2d51feefc328722&oauth_callback_confirmed=true

According to the guide I moved to the 2nd step (User Authorization):

I copied the data from the response to the request and forwarded to the link:

http://www.mg19.local/oauth/authorize

I was redirected to the following page:

Authorize application Postman requests access to your account

After authorization application will have access to you account.

Authorize | Reject

And when I select Authorize I'm getting the following error:

An error occurred. Your authorization request is invalid.

Using xDebug I have found that the problem is near:

    /**
     * Load token object, validate it depending on request type, set access data and save
     *
     * @return Mage_Oauth_Model_Server
     * @throws Mage_Oauth_Exception
     */
    protected function _initToken()
    {
    ....
            } elseif (self::REQUEST_AUTHORIZE == $this->_requestType) {
                if ($this->_token->getAuthorized()) {
                    $this->_throwException('', self::ERR_TOKEN_USED);
    ...

I'm not sure, but I think that once authorization finished successfully, I moved from the index to the account area page, and when authorization starts again it fails and I move to the index again.

Please give any advice.

Upvotes: 0

Views: 6037

Answers (2)

thiago marini

Reputation: 544

I'm using Guzzle and had a real hard time with it. In my case it was failing because I was using oauth_callback instead of callback; it worked when I changed it to:

    use GuzzleHttp\Client;
    use GuzzleHttp\HandlerStack;
    use GuzzleHttp\Subscriber\Oauth\Oauth1;

    $stack = HandlerStack::create();

    // $key and $secret: the consumer key and secret; no token exists yet at this step
    $middleware = new Oauth1([
        'consumer_key'    => $key,
        'consumer_secret' => $secret,
        'token'           => null,
        'token_secret'    => null,
        'callback'        => 'https://callback.co.uk' // config key is 'callback', not 'oauth_callback'
    ]);
    $stack->push($middleware);

    $client = new Client([
        'base_uri' => $magentoCredentials->shopUrl,
        'handler'  => $stack
    ]);

    // 'auth' => 'oauth' tells the middleware to sign this request
    $res = $client->post('/oauth/initiate?oauth_callback', ['auth' => 'oauth']);

Upvotes: 1

Satish P

Reputation: 524

From what I see, the callback URL is the one that is messing up the whole thing. Callback is the most important link in OAuth. The callback should be a valid URL pointing to your site.

Once the user logs in to the auth server (Magento in your case), Magento will do a callback to the Callback URI you provided, with the oauth_verifier. Like below:

/callback?oauth_token=tz2kmxyf3lagl3o95xnox9ia15k6mpt3&oauth_verifier=cbwwh03alr5huiz5c76wi4l21zf05eb0

Then your server should call the token API /oauth/token with all the required Authorization headers below. Pasted from the Magento document link you provided:

oauth_consumer_key - the Consumer Key value provided after the registration of the application.
oauth_nonce - a random value, uniquely generated by the application.
oauth_signature_method - name of the signature method used to sign the request. Can have one of the following values: HMAC-SHA1, RSA-SHA1, and PLAINTEXT.
oauth_signature - a generated value (signature).
oauth_timestamp - a positive integer, expressed in the number of seconds since January 1, 1970 00:00:00 GMT.
oauth_token - the oauth_token value (Request Token) received from the previous steps.
oauth_verifier - the verification code that is tied to the Request Token.
oauth_version - OAuth version.

Hope this makes it clear. Please read the User Authorization and Getting Access Token sections of the link you pasted.

Upvotes: 1
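
The access-token request that the second answer lists parameter by parameter, as an added example that is not part of the original thread or of Magento's code: it builds the OAuth 1.0 Authorization header with HMAC-SHA1 and, for comparison, PLAINTEXT, where the secrets themselves travel in the header (the question's oauth_signature is the consumer secret followed by an encoded "&"). The key, token and verifier values are the samples quoted in the thread; the function names are hypothetical, and the nonce and timestamp are fixed only to make the output reproducible.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    """Percent-encode per RFC 5849 section 3.6 (only unreserved characters stay)."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded, sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """Return oauth_signature for the method named in oauth_signature_method."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    if params["oauth_signature_method"] == "PLAINTEXT":
        return key  # the secrets themselves are the signature
    if params["oauth_signature_method"] != "HMAC-SHA1":
        raise ValueError("unsupported signature method")
    mac = hmac.new(key.encode(), base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def authorization_header(method, url, params, consumer_secret, token_secret=""):
    """Build the Authorization header value; url must not carry a query string."""
    signature = sign(method, url, params, consumer_secret, token_secret)
    signed = dict(params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(signed.items()))

# Sample values quoted in the thread above; the nonce and timestamp are
# reused from the question so that the result is reproducible.
TOKEN_URL = "http://www.mg19.local/oauth/token"
CONSUMER_SECRET = "a37633084e79432568181ef00410140e"
TOKEN_SECRET = "ca0d999010b2b149e2d51feefc328722"
ACCESS_PARAMS = {
    "oauth_consumer_key": "9ad2067e70a4c3b799ab2799203b3e3b",
    "oauth_nonce": "pzmp8IZuroEP6gf",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1410271763",
    "oauth_token": "e00fc8386ba523bdd1d79a2fe61d59cb",
    "oauth_verifier": "cbwwh03alr5huiz5c76wi4l21zf05eb0",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    print(authorization_header("POST", TOKEN_URL, ACCESS_PARAMS, CONSUMER_SECRET, TOKEN_SECRET))
```

With HMAC-SHA1 neither secret appears in the header, and a real client must generate a fresh nonce and current timestamp for every request.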
