For years I've been using Spotify's search API for various projects. It has always been available to use without authentication.
Example:
https://api.spotify.com/v1/search?q=kanye%20west&type=track
Now starting just today it is responding with the following
{
"error": {
"status": 401,
"message": "No token provided"
}
}
I can't find anything stating that they've changed their search API, but the docs now say authentication is required.
It has previously stated that requests without an auth token would be rate limited. Now it says a token is required. Does anyone know if they've updated their API, or if this is a permanent thing? I find it hard to believe they would make such a drastic change to their API without notice.
They did update their API. Bummer.
https://developer.spotify.com/news-stories/2017/01/27/removing-unauthenticated-calls-to-the-web-api/
You can find details on how to migrate your unauthorized calls here:
https://developer.spotify.com/migration-guide-for-unauthenticated-web-api-calls/
Related
I'm fighting with the identity parts of ASP.NET Core 2.2 again. This time its Facebook login. Google and Microsoft work with some small tweaks but Facebook has me stumped.
Here's my config.
"Facebook": {
"ClientId": "See secrets.json",
"ClientSecret": "See secrets.json",
"AuthorizationEndpoint": "https://www.facebook.com/v5.0/dialog/oauth",
"TokenEndpoint": "https://graph.facebook.com/oauth/access_token",
"UserInformationEndpoint": "https://graph.facebook.com/me?fields=id,name,first_name,email",
"CallbackPath": "/oauth2/facebook",
"Scope": [ "public_profile", "email" ]
}
Using Fiddler I cannot see any attempt to call the /me resource to get the profile. I can see the backchannel call out to get the access token and I see the response looks like good JSON to me and the token works; I can call the Facebook Graph API manually and get my profile.
I had Fiddler trace a working Google login and I see a token come back with what appears to be the same JSON schema as Facebook uses, and then another clear request/response on the backchannel to get my Google profile.
Facebook returns { "access_token", "token_type", "expires_in" } while
Google return { "access_token", "expires_in", "scope", "token_type", "id_token" }.
Sadly, because I'm using the Microsoft framework and didn't roll my own OAuth code this time, I am unable to see what's happening internally and I think Microsoft chose not to log anything for fear of leaking secrets into logs.
I'm out of ideas.
Exact same issue after setting up LinkedIn. Token comes back looking fine but it doesn't even try to call to get the profile.
What a severely costly nightmare the Identity framework is.
I have the Facebook login working. I was looking at why the Microsoft and Google ones work and saw that they use their own extension methods, like AddGoogle and not the vanilla AddOAuth.
Looking at the code on GitHub reveals that each of the named ones uses a custom handler.
This tells me that each OAuth provider is incapable of following a standard and so custom code is needed for each one! Lovely job everyone. Top marks.
I'll try using the Google (etc) handlers for LinkedIn and see if any are "compatible".
My current team has developed an application that interfaces with Microsoft Graph APIs in order to interact with Outlook emails from our enterprise portal.
Ultimately the REST API's has returned an unexpected amount of errors to multiple users, mentioning "ErrorQuotaExceeded" as the error code.
That's an extremely ambiguous message since none of the involved users has space quota issues. Also, this error only appears when calling some specific REST endpoints.
For instance, the following request always works, returning a payload with HTTP 200 response status, as expected:
GET https://graph.microsoft.com/v1.0/me/mailFolders/Inbox/messages
However, if we try to synchronize the user emails adding /delta to the aforementioned GET request (as mentioned by the official docs), we get the following error, with HTTP 403 status code:
GET https://graph.microsoft.com/v1.0/me/mailFolders/Inbox/messages/delta
{
"error": {
"code": "ErrorQuotaExceeded",
"message": "Mailbox has exceeded maximum mailbox size.",
"innerError": {
"request-id": "13c686c6-5d4d-4a9b-8594-3b34482d6805",
"date": "2018-11-13T08:09:12"
}
}
}
It should be noted that I have 3.27GB occupied out of 50GB, so it wouldn't make any sense to me that the ErrorQuotaExceeded error gets triggered.
The official Microsoft Graph Support page explicitly recommends asking this kind of questions to StackOverflow, since they don't seem to offer an official support to their API. Thanks in advance for your help.
I used this guide to built a showcase - sign in with LinkedIn into a specific site.
Everything worked perfectly until I demonstarted it in front of a wide audience and it broke down :-( It was a great FAIL and I want to know why. Here is what I do:
1.On the sign in page the user may click a Sign in with LinkedIn button and is redirected to similar link:
https://www.linkedin.com/oauth/v2/authorization?redirect_uri=[my_callback]&client_id=[my_client_id]&response_type=code&state=[securely_random]&scope=r_basicprofile%20r_emailaddress
2.The user allows the application and is sent back to my_callback
3.In my_callback I make a POST to https://www.linkedin.com/oauth/v2/accessToken in order to obtain an access token. I use the code sent by LinkedIn, correct client ID and secret. Everything is OK, e.g the response might be:
{
"access_token": [access_token],
"expires_in": 5184000
}
4.I make authenticated requests to fetch the profile data from endpoint https://www.linkedin.com/v1/people/~:(firstName,lastName,email_address)
Headers:
x-li-format: json
Authorization: Bearer [access_token]
I started to get an error 401 occasionally, e.g.:
{
"errorCode": 0,
"message": "Unable to verify access token",
"requestId": "YX21AN6NZG",
"status": 401,
"timestamp": 1483732371224
}
It seems that some of the requests randomly passed nevertheless...
Additional details:
The user is logged in LinkedIn
The user is administrator for the LinkedIn application
I have checked the limitations (throttle limits) at in the application. Available at https://www.linkedin.com/developer/apps. Everything which can be seen is green.
I have tried all advices and hacks from this question
My app is not live
I'm puzzled!
Question: Any obvious mistake?
Question: Is there any hidden throttle limits (or security instruments) for the limitation of the number of access tokens for specific user/app combination? (I'm always using the same user and I tested pretty aggressively before the big FAIL)
UPDATE: In the next two days the Sign in started working smoothly again as described above. No 401-s anymore... :-X I've made no changes to the code base. So is this some kind of throttle limit or just LI was in a bad mood on Friday?
In case someone is curious I got an answer to my problem from LI support:
Unfortunately, we really can't assist with API issues and 3rd party apps. My guess is that there was a hiccup on Friday and you were the victim of bad timing.
I accept the explanation that I was a victim so this answers my question...
I have an access-token that worked to get data through the API, however now it has stopped working. I've carefully read LinkedIn's documentation: https://developer.linkedin.com/docs/oauth2 and have come up with why this can happen.
The docs state, that the user's session is linked with the access-token. Therefore, logging out of the session means the access-token is invalidated. This makes sense because it's exactly what I see happening.
The oauth2 expired-at is just a timestamp of the ultimate time this access-token will be valid. But it can be invalidated at any moment apparently.
Other oauth2 implementations show features for refreshing the access-token, Linkedin does not provide such feature. Therefore a user has to refresh it manually every time. Not sure if this is by design or they haven't got around to it yet. Overall their API feels pretty out-dated.
Friends,I got a question,and I have googled it,but I didn't find the answer.
I create an iOS twitter app,and apply for a twitter API.
I used my API key in my app,Xcode returns error.
Just like this: http://tinypic.com/r/262ksnk/8
("Failed to validate oauth signature and token")
and this picture is my twitter api status
(sorry,I do not have enough coin to upload a pic,so post my pic here. )
what is wrong with my twitter api,can anyone help me?
Thanks very much.
What is wrong?
Best regards.
This error message relates to a HTTP 401 response.
Please make sure you are properly signing your OAuth requests. This guide will help you with the common pitfalls: Troubleshooting OAuth 1.0A.
In particular, if you are using valid keys and properly signing your OAuth requests but still receiving 401 errors, please check your system time. Since the OAuth signature relies on the current time, it must be in sync with the one from Twitter servers (exposed in all Date response headers from the Twitter API).
The "performance issues" described on the Twitter API status page apply to Twitter as a whole, and have nothing to do with your application. If you are having issues interacting with the Twitter API, we cannot diagnose those from the information provided ("error 3").
** UPDATE **
It truly seems that Google has just screwed every single person on the planet by absolutely requiring user interaction to upload a video. Of course I know, they are free. Exactly what I warned the client years ago about, so I don't need to be reminded. Thank You.
So I would like to try to take this in a different direction and just find a loophole and a workaround to still keep doing what we are doing in spite of Google's complete lack of support or caring in any way about the developers and what they have to deal with.
It would be different if you can actually call a phone number and talk to a human being about YouTube Partner access, but you can more quickly get access to the Illuminati.
OAuth 2.0 is now the only supported authentication method period. It does require user interaction.
But what about that token? Does anybody know how long the token lasts?
If I can obtain a token just once using user interaction and place it in the database, I can automate possibly hundreds or thousands of interactions afterwards.
In other words, I'm trying to turn the user interaction into a speed bump instead of a concrete wall.
If anybody has any examples of obtaining that token, caching it, and using it afterwards, that would be a godsend to me right now.
Thanks for the comments and the help. I'm not surprised that the YouTube Developers Forum just folded and said to come here instead :)
It seems that Google has completely pulled the plug on the existing dashboard.
https://code.google.com/apis/youtube/dashboard/gwt/index.html
That link is now 404'd. Tried from several different browsers on different systems.
Registered under the new Google APIs Console already, but still get the problem.
// Set the authentication URL for this connection object
$authenticationURL= 'https://www.google.com/youtube/accounts/ClientLogin';
// Try to connect to YouTube with the channel credentials passed
try {
$httpClient =
Zend_Gdata_ClientLogin::getHttpClient(
$username = $channelfields['EMAIL_ADDRESS'],
$password = $channelfields['PASSCODE'],
$service = 'youtube',
$client = null,
$source = 'Redacted Data',
$loginToken = $channelfields['CACHED_TOKEN'],
$loginCaptcha = '',
$authenticationURL);
} catch (Zend_Gdata_App_HttpException $httpException) {
$update_error['response_body'] = $httpException->getRawResponseBody();
$update_error['error'] = 1;
} catch (Zend_Gdata_App_Exception $e) {
$update_error['message'] = $e->getMessage();
$update_error['error'] = 1;
}
This code has worked perfectly fine before, but does not work with the older API key, or the newer one generated inside the Google APIs console.
I'm attempting a simple upload and this concerns me greatly:
"The service account flow supports server-to-server interactions that do not access user information. However, the YouTube Data API does not support this flow. Since there is no way to link a Service Account to a YouTube account, attempts to authorize requests with this flow will generate a NoLinkedYouTubeAccount error."
From all reports it seems that Google has forced YouTube uploads to become interactive in all cases precluding all possibility of platforms that automatically upload generated content from working at all.
Any help or insights into the process is appreciated.
P.S - Ohhh, it's been awhile since I looked at that system and Google shut down the YouTube Developer Forums and said "YOU" were responsible for their support now :)
OAuth2 does support the ability to avoid user interaction through the offline access type parameter (ie, using access_type=offline). Check out Google documentation for details.
The solution is really rather simple. Your app needs to use oauth to request offline access. It will be given an access cide which you convert to a refresh token, which is the thing you store in your database. This doesn't expire. Well actually it sometimes does, but that's another story. Whenever you need to access the api, use the stored refresh token to request an access token which you include in each api call.
See https://developers.google.com/accounts/docs/OAuth2WebServer for details.
I don't know what you did but https://code.google.com/apis/youtube/dashboard/gwt/index.html works perfectly fine for me. Maybe it was a temporary issue. If you want no user interaction you HAVE to use YouTube API v2 OR you have to use v3 with methods that don't require authentification OR you have to provide your own youtube account credentials which is not recommended and probably not appropriate for you situation.
Several issues to respond here, I think.
1) The older API console has not been removed, but I've noticed intermittent outages to it and to the newer API console while Google is rolling out their new "cloud console."
2) ClientLogin was officially deprecated in April of 2012, not just 48 hours ago. Jeff Posnick has detailed all the changes over the months (and related ones, such as AuthSub, Youtube Direct, etc.) at his blog (apiblog.youtube.com).
3) You're right that, with v3 of the APIs, you cannot do automatic uploads across the board, as the oAuth2 flow requires user interaction. However, given the limited description of your use case, using refresh tokens is probably your best bet. If the content is user generated, somewhere they must be logging into your app, correct? (so that your app knows which credentials to leverage to do the uploads). At the point they're logging into your app, and you're starting the oAuth2 flow, you just have to hit the first oAuth endpoint and pass it the parameter access_type=offline (along with any other parameters). This will ensure that, when they grant that initial permission, you're returned a refresh token instead of an access token. With that refresh token, you can exchange it for multiple access tokens as needed (an access token lives for about an hour. I don't know how long a refresh token lives, but I've never had one expire before my own login cookies did, and then I just get a new one when my users re-login to my app).
Here's some more info on how to use the refresh token; note, too, that the various google api client libraries make it pretty smooth.
https://developers.google.com/accounts/docs/OAuth2WebServer#refresh
Also, this video tutorial from a Google Developers Live broadcast a couple of months ago might help illustrate the point: http://www.youtube.com/watch?v=hfWe1gPCnzc -- it's using the oAuth playground rather than a client library, but the concept is the same.
The answer is to use google-api-php-client, create an interactive auth page, and set up YouTube API v3 correctly with the new API console.
You can create a very simple page that will authenticate for the supplied channel and then store the correct token in your database. Is already working and uploading hundreds of videos on one channel. You do need to remember to fully activate yourself under the new API console and add the services required. Just keep authenticating and adding the services it says it needs. After that, the regular v3 upload process works just fine. On failure send a group an email and they can get a new token in 10 seconds.
Not the most elegant solution, but the documentation from Google is far from elegant anyways that Stack Overflow is now their front line support.
Just hang in there, a solution is always found. Don't give up!
I didn't get here by myself either, the other answers on this page helped me get all the way to this point. Thanks guys.
P.S - Don't forget the scopes
$client->setScopes("https://www.googleapis.com/auth/youtube https://www.googleapis.com/auth/youtube.upload");