Task is to receive messages and delete messages. Am modeling this in Postman. I can successfully execute the receive messages action, but not the delete message action.
I have tried copying the receipt handle string from the receive messages response and using it in the delete messages request, and also tried url encoding the string. Both returned errors
In Postman I run the aws sqs ReceiveMessage action and get the ReceiptHandle
<ReceiptHandle>AQEBjiliZegyBS/ZO9wta+a/heA/tSx/f6tLFqfH38jEZ2r9zguHAljXhG/B8tXaM+S6MKs/XGyZ206S3NC2V38CUKLO+sPF0mfP47wqu7+nAIwettlxTGQAYuCFqI1CYBYHXxgajB1UEiFz8Kc6v8SlWs/VPLX+IWjckoQOtMRl977sxM5pCLhMNvIwh1RYFvybM0D0WEbJEuYb9JU3DZuRZg/K5rjvNooPqER4FR1JJxpZiJ0tu6481CyePLtEh/J4+Yd2kYRyuqN788oEdSTZIKprA6lHUCiCmeuqCb0yEDsxJcCVX4GmDok5KMHm/E2bgjpRjVRxZ+mrnLqTSwojt0LXg61vv8dNF8QD4sngPXqhmKQ7yp5O6S8ygn4lIPaUGOl5cgX1HsB3Q9Pfv3sg4A==</ReceiptHandle>
Then I run the aws sqs DeleteMessage action
Try #1
Pass the ReceiptHandle with exact copy
Action=DeleteMessage&ReceiptHandle=AQEBjiliZegyBS/ZO9wta+a/heA/tSx/f6tLFqfH38jEZ2r9zguHAljXhG/B8tXaM+S6MKs/XGyZ206S3NC2V38CUKLO+sPF0mfP47wqu7+nAIwettlxTGQAYuCFqI1CYBYHXxgajB1UEiFz8Kc6v8SlWs/VPLX+IWjckoQOtMRl977sxM5pCLhMNvIwh1RYFvybM0D0WEbJEuYb9JU3DZuRZg/K5rjvNooPqER4FR1JJxpZiJ0tu6481CyePLtEh/J4+Yd2kYRyuqN788oEdSTZIKprA6lHUCiCmeuqCb0yEDsxJcCVX4GmDok5KMHm/E2bgjpRjVRxZ+mrnLqTSwojt0LXg61vv8dNF8QD4sngPXqhmKQ7yp5O6S8ygn4lIPaUGOl5cgX1HsB3Q9Pfv3sg4A==&Version=2012-11-05
In the response, Postman shows the ‘+’ being replaced with spaces, so assume this is an encoding problem:
The input receipt handle "AQEBjiliZegyBS/ZO9wta a/heA/tSx/f6tLFqfH38jEZ2r9zguHAljXhG/B8tXaM S6MKs/XGyZ206S3NC2V38CUKLO sPF0mfP47wqu7 nAIwettlxTGQAYuCFqI1CYBYHXxgajB1UEiFz8Kc6v8SlWs/VPLX IWjckoQOtMRl977sxM5pCLhMNvIwh1RYFvybM0D0WEbJEuYb9JU3DZuRZg/K5rjvNooPqER4FR1JJxpZiJ0tu6481CyePLtEh/J4 Yd2kYRyuqN788oEdSTZIKprA6lHUCiCmeuqCb0yEDsxJcCVX4GmDok5KMHm/E2bgjpRjVRxZ mrnLqTSwojt0LXg61vv8dNF8QD4sngPXqhmKQ7yp5O6S8ygn4lIPaUGOl5cgX1HsB3Q9Pfv3sg4A==" is not a valid receipt handle.
Try #2
URL Encode the Receipt Handle:
Action=DeleteMessage&ReceiptHandle=AQEBjiliZegyBS%2FZO9wta%2Ba%2FheA%2FtSx%2Ff6tLFqfH38jEZ2r9zguHAljXhG%2FB8tXaM%2BS6MKs%2FXGyZ206S3NC2V38CUKLO%2BsPF0mfP47wqu7%2BnAIwettlxTGQAYuCFqI1CYBYHXxgajB1UEiFz8Kc6v8SlWs%2FVPLX%2BIWjckoQOtMRl977sxM5pCLhMNvIwh1RYFvybM0D0WEbJEuYb9JU3DZuRZg%2FK5rjvNooPqER4FR1JJxpZiJ0tu6481CyePLtEh%2FJ4%2BYd2kYRyuqN788oEdSTZIKprA6lHUCiCmeuqCb0yEDsxJcCVX4GmDok5KMHm%2FE2bgjpRjVRxZ%2BmrnLqTSwojt0LXg61vv8dNF8QD4sngPXqhmKQ7yp5O6S8ygn4lIPaUGOl5cgX1HsB3Q9Pfv3sg4A%3D%3D&Version=2012-11-05
Error response is:
The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
Does the receipt handle need to be encoded?
Based on SQS DeleteMessage docs, your second attempt with URL encoding the receipt handle is correct.
It looks like you're having a problem with authentication & authorization - you need to sign your requests with auth params - this is what prevents (a) others from making unauthorized requests to your account's resources, and (b) others from intercepting and modifying (or replaying) your requests to your account's resources.
This tutorial provides great details on this how to do this auth via postman:
Postman makes it easy to setup all the necessary authorization using Collections. Configure the AWS authorization in the parent collection with the Access Key and Secret Access Key found in the AWS Console:
Then reference that authorization in each request:
For full information on how to construct the auth params more manually (which AWS API will do for you by the way), see http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Related
When I attempt to make a request to Etrade's Account List endpoint in sandbox (https://apisb.etrade.com/v1/accounts/list), I am getting an HTTP 401 - "Unauthorized request - invalid Consumer key and/or session token".
I don't understand why this request is not working, since I am successfully calling the Get Access Token API, retrieving the oauth_token and oauth_token_secret and using them to sign and make the request to Account List.
To add to my confusion, I downloaded the official Etrade Python Client, put a breakpoint right before the account list is called, and confirmed that my code is generating the exact same oauth_signature given the same request parameters.
Furthermore, I actually copied all of the request parameters generated by the official Python client and pasted them into my web browser, and am still getting the same "Unauthorized request - invalid Consumer key and/or session token" response.
To illustrate, here is a breakpoint I put in the official Python client (I've replaced the first four letters of sensitive keys with "123a"):
Breakpoint 1 at /Users/me/Downloads/EtradePythonClient/venv/lib/python3.9/site-packages/rauth/session.py:210
(Pdb) c
> /Users/me/Downloads/EtradePythonClient/venv/lib/python3.9/site-packages/rauth/session.py(210)request()
-> return super(OAuth1Session, self).request(method, url, **req_kwargs)
(Pdb) pprint.pprint(oauth_params)
{'oauth_consumer_key': '123a01814e407344bc2b385f3954679b',
'oauth_nonce': '8230791e8c0253518a6b2dec8120b643fde93745',
'oauth_signature': '123apxtEaUJmlvKFWv7zz+lfNk4=',
'oauth_signature_method': 'HMAC-SHA1',
'oauth_timestamp': 1614559929,
'oauth_token': '123aMSpwaaWItBDgXQ/Te4M9363WSULWFdeHkh18B8s=',
'oauth_version': '1.0'}
(Pdb) url
'https://apisb.etrade.com/v1/accounts/list.json'
(Pdb) method
'GET'
Using the above, I constructed the following URL and pasted it into my web browser:
https://apisb.etrade.com/v1/accounts/list.json?oauth_consumer_key=123a01814e407344bc2b385f3954679b&oauth_nonce=8230791e8c0253518a6b2dec8120b643fde93745&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1614559929&oauth_token=123aMSpwaaWItBDgXQ/Te4M9363WSULWFdeHkh18B8s=&oauth_version=1.0&oauth_signature=123apxtEaUJmlvKFWv7zz+lfNk4=
but I get an HTTP 401 response - "Unauthorized request - invalid Consumer key and/or session token".
And yet, the request works in the official Python client (as long as I don't try it in my browser first, otherwise I will get a 'Error: oauth_problem=nonce_used' error in the Python client).
One thing I noticed is that the official Python client adds the oauth_version=1.0 parameter, but my requests are still failing whether or not I include that parameter and sign with it.
I also noticed the official Python client adds a .json to the url, but again I am still getting the unauthorized error whether or not I include .json.
I've also tried sending the OAuth parameters as an HTTP Header instead of as URL parameters, but I still get the same error.
I'm also rfc3986-encoding (percent-encoding) the URL parameters in my request, which is working for the Get Access Token request but not the Account List request.
Note that I am using the following URLs for request token, access token, and API for sandbox:
https://apisb.etrade.com/oauth/request_token
https://us.etrade.com/e/t/etws/authorize?key=${oauth_consumer_key}&token=${state.oauth_token}
https://apisb.etrade.com/oauth/access_token
https://apisb.etrade.com/v1/accounts/list
What else I can try to debug this?
Figured it out:
The problem was that, since I'm sending my requests from a web browser (a Chrome extension), my request was including a Cookie, which was causing the API to produce a session error.
I am using the Fetch API.
Setting {"credentials": "omit"} in the init parameter omits the Cookie header and solves the issue.
I am building an oauth app to connect to Basecamp 3 API using PHP and following the documentation here.
https://github.com/basecamp/api/blob/master/sections/authentication.md
The request authorization url works fine
https://launchpad.37signals.com/authorization/new
but the token url produces a page not found
https://launchpad.37signals.com/authorization/token
I contacted Basecamp but didn't get a response. They do say they don't prioritize suppose issues with the API because so few of their customers use it.
Any ideas on what the correct url for getting tokens would be?
There are 4 steps:
Step 1: Choose a webhook service or build your own (which certainly takes more time). This will receive the authentication.
Step 2: Register your app within Basecamp. it'll give you the client key and secret key
Step 3: You need to make a GET call to the .../new address. You need to pass on the client key, secret key and redirect url. The API will send an 8-digit number to the Webhook. You need to retrieve that from the webhook.
Step 4: Make the same GET call to the .../token address. You'll pass the key in addition to all previous information in the header. Then you'll receive an access token.
Supposedly with this access token you should be able to activate all other API. I have not figure this part out.
I am working with the Slack oAuth API.
When I do a GET on https://slack.com/oauth/authorize passing my client_id, and the scope, I get html reponse asking for workspace URL.
After that I need to sign in and provide my password before code is returned which I can use to renew my temporary token
My question is: How can I automate the process of providing workspace URL, username and password? I need to get the code return after authentication (the temporary token) so that I can call https://slack.com/api/oauth.access to renew my token
My reasoning is that if I have access (from the app I created) to: App ID, Client ID, Client Secret, Signing Secret and Verification Token there should be a way for me make simple API call to get code or is my understanding of the slack OAuth flow wrong?
NB: I have taken a look at https://api.slack.com/docs/oauth but I was not able to get it done. I am also aware that I can make the /signin and /checkcookie to get this done but it involves parsing HTML response for parameter values needed to make subsequent calls. I just feel there a simpler way to do it.
This Stackoverflow question is not a duplicate because is it mainly referred to a case of not having an app created; In my case, I have an app created.
I am having some issues with MapMyFitness API. MapMyFitness uses OAuth 1.0
I am able to successfully get a temporary Authorization token/temporary secret Token combination from calling 3.1/oauth/request_token
After that, I am able to successfully direct the user to the Authorization page and get a redirect callback with a authorization verifier.
After that, I am, unfortunately, getting errors when trying to call 3.1/oauth/access_token. (HTTP error 401)
First of all, MMF documentation (http://api.mapmyfitness.com/3.1/oauth/access_token?doc) states: Exchange a request token and an authorization verifier for an access token. However, the list of input arguments in the documentation contains no mention of oauth_verifier. Should oauth_verifier that I have received with the redirect callback be passed to access_token call as an argument?
Secondly, it appears to me that perhaps I am not creating the signature correctly. For the 3.1/oauth/request_token call the key to generate the signature is 'XXX&' where XXX is the Consumer Secret Key assigned to my app by MapMyFitness. This works fine. For the 3.1/oauth/access_token call, I am using 'XXX&YYY' as a signature key where XXX is the Consumer Secret Key assigned to my app by MapMyFitness and YYY is the temporary Secret Token returned to me by the server during the 3.1/oauth/request_token call. Is that correct?
I would greatly appreciate any suggestions.
OK, I got it working. First of all, oauth_verifier DOES need to be included as part of parameters. For some reason, Map My Fitness does not include it in its list of required parameters, but it has to be there. Secondly - very important - according to OAuth 1.0 documentation, all parameters need to be in alphabetical order when creating the signature - otherwise there will be a signature mismatch and you'll get HTTP 401 error. Once I sorted my parameters in alphabetical order, I was able to exchange temporary MapMyFitness credentials to permanent ones.
I'm working with OAuth 2.0 for MVC, found here: http://community.codesmithtools.com/CodeSmith_Community/b/tdupont/archive/2011/03/18/oauth-2-0-for-mvc-two-legged-implementation.aspx
For anyone who's worked with this - I'm confused about the RequestToken. There is a controller implemented that lets you get a request token, which expires in 5 minutes, and you pass that token back in to get an AccessToken. But it never checks the request token for validity - it seems like you can pass in any access token you want to. What is the idea for the RequestToken here - are you supposed to create your own method of storing, referencing, and then deleting that token for those 5 minutes?
Thanks,
Andy
This is all about how OAuth works in conjunction with your application Id, application secret key and valid domains for your application. Here is the process in general
Your application sends a request to the OAuth provider using your application Id and secret along with a callback (return Url).
The OAuth provider gets the request, checks your application Id and secret and validates that the callback url is from a domain that you have specified for your application.
2a. If the callback url is not from a domain that you have specified, then the request is rejected with error.
2b If the callback url is from your domain, it returns a temporary request key to your server.
Given that you received a request key, you send that back to the OAuth provider to get the actual access token for the user.
Now, as to why the request key step is in place, this is to prevent and help protect 'bad people' from attempting to use your application id to falsely authenticate other users. By sending the request token to you (a callback URL that you have approved), the OAuth provider has confidence that the request actually came from your servers.
You most certainly could send any string back instead of the request token, but you would quickly get an error back from the OAuth provider as that request token does not correspond to any existing authentication request from any known application.
Lastly, I am not clear on what you mean by 'validating the request token'? You did not generate the token not probably do not have insight into the algorithm to generate the request token. Given that, I am not sure how you would validate this. If you are concerned about validating the first step, take a look at the Facebook OAuth process. In there, they recommend sending a request key as part of your return Url(as a query string parameter). That request key will come back to your application which you could then use as a validation that, indeed, this is a response to a request that you made. How you store and track that request key is up to you (session, database). In the PHP samples, they use a 'state' variable to track a unique/arbitrary string: Facebook OAuth Server Side Login Example (in PHP)