ETrade api - invalid Consumer key and/or session token - oauth

When I attempt to make a request to Etrade's Account List endpoint in sandbox (https://apisb.etrade.com/v1/accounts/list), I am getting an HTTP 401 - "Unauthorized request - invalid Consumer key and/or session token".
I don't understand why this request is not working, since I am successfully calling the Get Access Token API, retrieving the oauth_token and oauth_token_secret and using them to sign and make the request to Account List.
To add to my confusion, I downloaded the official Etrade Python Client, put a breakpoint right before the account list is called, and confirmed that my code is generating the exact same oauth_signature given the same request parameters.
Furthermore, I actually copied all of the request parameters generated by the official Python client and pasted them into my web browser, and am still getting the same "Unauthorized request - invalid Consumer key and/or session token" response.
To illustrate, here is a breakpoint I put in the official Python client (I've replaced the first four letters of sensitive keys with "123a"):
Breakpoint 1 at /Users/me/Downloads/EtradePythonClient/venv/lib/python3.9/site-packages/rauth/session.py:210
(Pdb) c
> /Users/me/Downloads/EtradePythonClient/venv/lib/python3.9/site-packages/rauth/session.py(210)request()
-> return super(OAuth1Session, self).request(method, url, **req_kwargs)
(Pdb) pprint.pprint(oauth_params)
{'oauth_consumer_key': '123a01814e407344bc2b385f3954679b',
'oauth_nonce': '8230791e8c0253518a6b2dec8120b643fde93745',
'oauth_signature': '123apxtEaUJmlvKFWv7zz+lfNk4=',
'oauth_signature_method': 'HMAC-SHA1',
'oauth_timestamp': 1614559929,
'oauth_token': '123aMSpwaaWItBDgXQ/Te4M9363WSULWFdeHkh18B8s=',
'oauth_version': '1.0'}
(Pdb) url
'https://apisb.etrade.com/v1/accounts/list.json'
(Pdb) method
'GET'
Using the above, I constructed the following URL and pasted it into my web browser:
https://apisb.etrade.com/v1/accounts/list.json?oauth_consumer_key=123a01814e407344bc2b385f3954679b&oauth_nonce=8230791e8c0253518a6b2dec8120b643fde93745&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1614559929&oauth_token=123aMSpwaaWItBDgXQ/Te4M9363WSULWFdeHkh18B8s=&oauth_version=1.0&oauth_signature=123apxtEaUJmlvKFWv7zz+lfNk4=
but I get an HTTP 401 response - "Unauthorized request - invalid Consumer key and/or session token".
And yet, the request works in the official Python client (as long as I don't try it in my browser first, otherwise I will get a 'Error: oauth_problem=nonce_used' error in the Python client).
One thing I noticed is that the official Python client adds the oauth_version=1.0 parameter, but my requests are still failing whether or not I include that parameter and sign with it.
I also noticed the official Python client adds a .json to the url, but again I am still getting the unauthorized error whether or not I include .json.
I've also tried sending the OAuth parameters as an HTTP Header instead of as URL parameters, but I still get the same error.
I'm also rfc3986-encoding (percent-encoding) the URL parameters in my request, which is working for the Get Access Token request but not the Account List request.
Note that I am using the following URLs for request token, access token, and API for sandbox:
https://apisb.etrade.com/oauth/request_token
https://us.etrade.com/e/t/etws/authorize?key=${oauth_consumer_key}&token=${state.oauth_token}
https://apisb.etrade.com/oauth/access_token
https://apisb.etrade.com/v1/accounts/list
What else I can try to debug this?

Figured it out:
The problem was that, since I'm sending my requests from a web browser (a Chrome extension), my request was including a Cookie, which was causing the API to produce a session error.
I am using the Fetch API.
Setting {"credentials": "omit"} in the init parameter omits the Cookie header and solves the issue.

Related

LinkedIn - Getting Access Token Error invalid_redirect_uri

has anyone succeeded in connecting to Linkedin API here?
I followed the instructions on the docs but failed to retrieve the Authorization Code.
Here's the result of my POST request to get the access_token
{
"error": "invalid_redirect_uri",
"error_description": "Unable to retrieve access token: appid/redirect uri/code verifier does not match authorization code. Or authorization code expired. Or external member binding exists"
}
I'm using the https//airbyte.io as a redirect_uri
My GET get request to obtain the authorization token is the following:
https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=78oy2gu644mxz2&redirect_uri=https%3A%2F%2Fairbyte.io&scope=r_ads,r_ads_reporting,r_organization_social
I followed a couple advices in the different thread in SO
double checked my client_id and client_secret
encoded the URI in GET request
added scope parameters to the redirect_url at the POST request
Tested the request with the code within 20 seconds window.
Couple of things:
Ensure your redirect URI is also defined within your app's configuration as an allowed redirect URI. See https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin%2Fmarketing%2Fcontext&view=li-lms-2022-11&tabs=HTTPS1#step-1-configure-your-application. The documentation specifies a certain URL to use when testing with Postman.
In your authorization call, your scopes are comma-delimited. They should be space-delimited and URL-encoded. See https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin%2Fmarketing%2Fcontext&view=li-lms-2022-11&tabs=HTTPS1#step-2-request-an-authorization-code.

SmartSheet - I am trying to get access token using Oauth

I am trying to integrate Power Automate (Workflow service) with SmartSheet using OAuth 2.0
I have got the auth code successfully and when I finally try to get the token, it throws the message - 'You are not authorized to perform this action.' with error code 1004
I tried in Postman with the same result.
I believe the problem is that you're specifying all 5 values via the Request Header. Only Content-Type is specified via the Header -- the other four parameters (client_id, client_secret, code, and grant_type) should be specified via the query string. You're getting the not authorized error because Smartsheet is looking for the value of client_id etc. in the query string but not finding it there.
For example, here are screenshots from Postman that show setting Content-Type via the Headers and the other four parameters via the Params:

DeleteMessage Action - Invalid Receipt Handle

Task is to receive messages and delete messages. Am modeling this in Postman. I can successfully execute the receive messages action, but not the delete message action.
I have tried copying the receipt handle string from the receive messages response and using it in the delete messages request, and also tried url encoding the string. Both returned errors
In Postman I run the aws sqs ReceiveMessage action and get the ReceiptHandle
<ReceiptHandle>AQEBjiliZegyBS/ZO9wta+a/heA/tSx/f6tLFqfH38jEZ2r9zguHAljXhG/B8tXaM+S6MKs/XGyZ206S3NC2V38CUKLO+sPF0mfP47wqu7+nAIwettlxTGQAYuCFqI1CYBYHXxgajB1UEiFz8Kc6v8SlWs/VPLX+IWjckoQOtMRl977sxM5pCLhMNvIwh1RYFvybM0D0WEbJEuYb9JU3DZuRZg/K5rjvNooPqER4FR1JJxpZiJ0tu6481CyePLtEh/J4+Yd2kYRyuqN788oEdSTZIKprA6lHUCiCmeuqCb0yEDsxJcCVX4GmDok5KMHm/E2bgjpRjVRxZ+mrnLqTSwojt0LXg61vv8dNF8QD4sngPXqhmKQ7yp5O6S8ygn4lIPaUGOl5cgX1HsB3Q9Pfv3sg4A==</ReceiptHandle>
Then I run the aws sqs DeleteMessage action
Try #1
Pass the ReceiptHandle with exact copy
Action=DeleteMessage&ReceiptHandle=AQEBjiliZegyBS/ZO9wta+a/heA/tSx/f6tLFqfH38jEZ2r9zguHAljXhG/B8tXaM+S6MKs/XGyZ206S3NC2V38CUKLO+sPF0mfP47wqu7+nAIwettlxTGQAYuCFqI1CYBYHXxgajB1UEiFz8Kc6v8SlWs/VPLX+IWjckoQOtMRl977sxM5pCLhMNvIwh1RYFvybM0D0WEbJEuYb9JU3DZuRZg/K5rjvNooPqER4FR1JJxpZiJ0tu6481CyePLtEh/J4+Yd2kYRyuqN788oEdSTZIKprA6lHUCiCmeuqCb0yEDsxJcCVX4GmDok5KMHm/E2bgjpRjVRxZ+mrnLqTSwojt0LXg61vv8dNF8QD4sngPXqhmKQ7yp5O6S8ygn4lIPaUGOl5cgX1HsB3Q9Pfv3sg4A==&Version=2012-11-05
In the response, Postman shows the ‘+’ being replaced with spaces, so assume this is an encoding problem:
The input receipt handle "AQEBjiliZegyBS/ZO9wta a/heA/tSx/f6tLFqfH38jEZ2r9zguHAljXhG/B8tXaM S6MKs/XGyZ206S3NC2V38CUKLO sPF0mfP47wqu7 nAIwettlxTGQAYuCFqI1CYBYHXxgajB1UEiFz8Kc6v8SlWs/VPLX IWjckoQOtMRl977sxM5pCLhMNvIwh1RYFvybM0D0WEbJEuYb9JU3DZuRZg/K5rjvNooPqER4FR1JJxpZiJ0tu6481CyePLtEh/J4 Yd2kYRyuqN788oEdSTZIKprA6lHUCiCmeuqCb0yEDsxJcCVX4GmDok5KMHm/E2bgjpRjVRxZ mrnLqTSwojt0LXg61vv8dNF8QD4sngPXqhmKQ7yp5O6S8ygn4lIPaUGOl5cgX1HsB3Q9Pfv3sg4A==" is not a valid receipt handle.
Try #2
URL Encode the Receipt Handle:
Action=DeleteMessage&ReceiptHandle=AQEBjiliZegyBS%2FZO9wta%2Ba%2FheA%2FtSx%2Ff6tLFqfH38jEZ2r9zguHAljXhG%2FB8tXaM%2BS6MKs%2FXGyZ206S3NC2V38CUKLO%2BsPF0mfP47wqu7%2BnAIwettlxTGQAYuCFqI1CYBYHXxgajB1UEiFz8Kc6v8SlWs%2FVPLX%2BIWjckoQOtMRl977sxM5pCLhMNvIwh1RYFvybM0D0WEbJEuYb9JU3DZuRZg%2FK5rjvNooPqER4FR1JJxpZiJ0tu6481CyePLtEh%2FJ4%2BYd2kYRyuqN788oEdSTZIKprA6lHUCiCmeuqCb0yEDsxJcCVX4GmDok5KMHm%2FE2bgjpRjVRxZ%2BmrnLqTSwojt0LXg61vv8dNF8QD4sngPXqhmKQ7yp5O6S8ygn4lIPaUGOl5cgX1HsB3Q9Pfv3sg4A%3D%3D&Version=2012-11-05
Error response is:
The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
Does the receipt handle need to be encoded?
Based on SQS DeleteMessage docs, your second attempt with URL encoding the receipt handle is correct.
It looks like you're having a problem with authentication & authorization - you need to sign your requests with auth params - this is what prevents (a) others from making unauthorized requests to your account's resources, and (b) others from intercepting and modifying (or replaying) your requests to your account's resources.
This tutorial provides great details on this how to do this auth via postman:
Postman makes it easy to setup all the necessary authorization using Collections. Configure the AWS authorization in the parent collection with the Access Key and Secret Access Key found in the AWS Console:
Then reference that authorization in each request:
For full information on how to construct the auth params more manually (which AWS API will do for you by the way), see http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html

Desktop application with custom uri schema, "Missing scheme" on token request

I'm writing a desktop application in Delphi and trying to sync it with Google calendar (windows only, win 7 and newer). I've registered a custom uri schema in my system registry, so eu.myapp:test will run my program or pass a message to an already running instance of the program.
I've managed to get the first step of authentication going - I open the default browser, asking the user for permission to modify their calendars, I get the authentication code back into my software without a hitch. The oauth client is registered as an iOS app,
However when I try to request an actual token, the request is denied (400 - Bad request) with the following response body:
{
"error": "invalid_request",
"error_description": "Invalid parameter value for redirect_uri: Missing scheme: eu.myapp",
"error_uri": ""
}
My request body looks like this:
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
code=XXX&
client_id=YYY&
redirect_uri=eu.myapp&
grant_type=authorization_code
According to the documentation, I am supposed to include the redirect URI obtained from the API Console, but I found no such URI there. Found some older answers, but the developer console has apparently been changed since they were given so they are no longer relevant. What am I missing?
Edit: Added some more information
I built a simple nodejs server and put it up with a SSL certificate and nginx, so I could see what actually gets sent across. I then used both my app and the example C# app to send the token request to it and monitor the request body.
The only discernible difference was that delphi url encoded the code automatically (4%2Fhky... instead of 4/Fhky... for example). Other than that they seemed identical.
I also tried rewriting the app to listen to a localhost port but ended up with the same results. There is a delphi demo where they demonstrate the use of google api by using an embedded browser for the user to log in (and it works), but according to the api documentation, it's deprecated and will go away soon. Besides, it seems like I can manage the first redirect just fine, but getting the actual tokens fails.
Found my error. I noticed that the parameters were getting encoded automatically by the delphi component responsible for making the requests. I manually encoded the redirect uri before setting it as a parameter on the token request. Then the component encoded it again, which caused it to be different to the url given on the code request, which caused the uri_mismatch error.
The uris also need to be identical on both requests, as even though the second request does not redirect, it still uses the redirect_uri as a validation parameter.

MapMyFitness API OAuth questions

I am having some issues with MapMyFitness API. MapMyFitness uses OAuth 1.0
I am able to successfully get a temporary Authorization token/temporary secret Token combination from calling 3.1/oauth/request_token
After that, I am able to successfully direct the user to the Authorization page and get a redirect callback with a authorization verifier.
After that, I am, unfortunately, getting errors when trying to call 3.1/oauth/access_token. (HTTP error 401)
First of all, MMF documentation (http://api.mapmyfitness.com/3.1/oauth/access_token?doc) states: Exchange a request token and an authorization verifier for an access token. However, the list of input arguments in the documentation contains no mention of oauth_verifier. Should oauth_verifier that I have received with the redirect callback be passed to access_token call as an argument?
Secondly, it appears to me that perhaps I am not creating the signature correctly. For the 3.1/oauth/request_token call the key to generate the signature is 'XXX&' where XXX is the Consumer Secret Key assigned to my app by MapMyFitness. This works fine. For the 3.1/oauth/access_token call, I am using 'XXX&YYY' as a signature key where XXX is the Consumer Secret Key assigned to my app by MapMyFitness and YYY is the temporary Secret Token returned to me by the server during the 3.1/oauth/request_token call. Is that correct?
I would greatly appreciate any suggestions.
OK, I got it working. First of all, oauth_verifier DOES need to be included as part of parameters. For some reason, Map My Fitness does not include it in its list of required parameters, but it has to be there. Secondly - very important - according to OAuth 1.0 documentation, all parameters need to be in alphabetical order when creating the signature - otherwise there will be a signature mismatch and you'll get HTTP 401 error. Once I sorted my parameters in alphabetical order, I was able to exchange temporary MapMyFitness credentials to permanent ones.

Resources