Withings API subscription always returns 293 - withings

I'm trying to set up a subscription on the Withings API (all other calls to the API are authenticated and produce valid returns). The subscription always returns "293 - the callback URL is either absent or incorrect." I've searched existing questions and everything seems to check out; I tried http and https, my URL exists, and testing in Postman shows it returns 200 - OK and responds in 263 ms.
What am I missing here?

Related

ETrade api - invalid Consumer key and/or session token

When I attempt to make a request to Etrade's Account List endpoint in sandbox (https://apisb.etrade.com/v1/accounts/list), I am getting an HTTP 401 - "Unauthorized request - invalid Consumer key and/or session token".
I don't understand why this request is not working, since I am successfully calling the Get Access Token API, retrieving the oauth_token and oauth_token_secret and using them to sign and make the request to Account List.
To add to my confusion, I downloaded the official Etrade Python Client, put a breakpoint right before the account list is called, and confirmed that my code is generating the exact same oauth_signature given the same request parameters.
Furthermore, I actually copied all of the request parameters generated by the official Python client and pasted them into my web browser, and am still getting the same "Unauthorized request - invalid Consumer key and/or session token" response.
To illustrate, here is a breakpoint I put in the official Python client (I've replaced the first four letters of sensitive keys with "123a"):
Breakpoint 1 at /Users/me/Downloads/EtradePythonClient/venv/lib/python3.9/site-packages/rauth/session.py:210
(Pdb) c
> /Users/me/Downloads/EtradePythonClient/venv/lib/python3.9/site-packages/rauth/session.py(210)request()
-> return super(OAuth1Session, self).request(method, url, **req_kwargs)
(Pdb) pprint.pprint(oauth_params)
{'oauth_consumer_key': '123a01814e407344bc2b385f3954679b',
'oauth_nonce': '8230791e8c0253518a6b2dec8120b643fde93745',
'oauth_signature': '123apxtEaUJmlvKFWv7zz+lfNk4=',
'oauth_signature_method': 'HMAC-SHA1',
'oauth_timestamp': 1614559929,
'oauth_token': '123aMSpwaaWItBDgXQ/Te4M9363WSULWFdeHkh18B8s=',
'oauth_version': '1.0'}
(Pdb) url
'https://apisb.etrade.com/v1/accounts/list.json'
(Pdb) method
'GET'
Using the above, I constructed the following URL and pasted it into my web browser:
https://apisb.etrade.com/v1/accounts/list.json?oauth_consumer_key=123a01814e407344bc2b385f3954679b&oauth_nonce=8230791e8c0253518a6b2dec8120b643fde93745&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1614559929&oauth_token=123aMSpwaaWItBDgXQ/Te4M9363WSULWFdeHkh18B8s=&oauth_version=1.0&oauth_signature=123apxtEaUJmlvKFWv7zz+lfNk4=
but I get an HTTP 401 response - "Unauthorized request - invalid Consumer key and/or session token".
And yet, the request works in the official Python client (as long as I don't try it in my browser first, otherwise I will get an 'Error: oauth_problem=nonce_used' error in the Python client).
One thing I noticed is that the official Python client adds the oauth_version=1.0 parameter, but my requests are still failing whether or not I include that parameter and sign with it.
I also noticed the official Python client adds a .json to the url, but again I am still getting the unauthorized error whether or not I include .json.
I've also tried sending the OAuth parameters as an HTTP Header instead of as URL parameters, but I still get the same error.
I'm also rfc3986-encoding (percent-encoding) the URL parameters in my request, which is working for the Get Access Token request but not the Account List request.
Note that I am using the following URLs for request token, access token, and API for sandbox:
https://apisb.etrade.com/oauth/request_token
https://us.etrade.com/e/t/etws/authorize?key=${oauth_consumer_key}&token=${state.oauth_token}
https://apisb.etrade.com/oauth/access_token
https://apisb.etrade.com/v1/accounts/list
What else can I try to debug this?
Figured it out:
The problem was that, since I'm sending my requests from a web browser (a Chrome extension), my request was including a Cookie, which was causing the API to produce a session error.
I am using the Fetch API.
Setting {"credentials": "omit"} in the init parameter omits the Cookie header and solves the issue.

401 Not Authorized when using Twilio Enqueue verb with HTTP Basic Auth

When a user calls my number, Twilio makes a request of the format https://username:password#www.myserver.com/my_secure_document to my servers, which are protected by HTTP Basic Auth. This works great - Twilio logs in, sees an Enqueue verb, and remains logged in as it follows the waitURL.
However, after the user is dequeued by the other person hanging up (in this case, a Twilio Client), the Enqueue action URL is getting 401 Not Authorized responses. Is this a bug in Twilio? The docs say that "Twilio will authenticate to your web server using the provided username and password and will remain logged in for the duration of the call". Shouldn't following the action of an Enqueue count as part of the call?
Well, here's the workaround that worked for me: convert the action URL from a relative path to an absolute path, and provide the HTTP basic auth credentials again.

MapMyFitness API OAuth questions

I am having some issues with the MapMyFitness API. MapMyFitness uses OAuth 1.0.
I am able to successfully get a temporary Authorization token/temporary secret token combination from calling 3.1/oauth/request_token.
After that, I am able to successfully direct the user to the Authorization page and get a redirect callback with an authorization verifier.
After that, I am, unfortunately, getting errors when trying to call 3.1/oauth/access_token. (HTTP error 401)
First of all, MMF documentation (http://api.mapmyfitness.com/3.1/oauth/access_token?doc) states: Exchange a request token and an authorization verifier for an access token. However, the list of input arguments in the documentation contains no mention of oauth_verifier. Should oauth_verifier that I have received with the redirect callback be passed to access_token call as an argument?
Secondly, it appears to me that perhaps I am not creating the signature correctly. For the 3.1/oauth/request_token call the key to generate the signature is 'XXX&' where XXX is the Consumer Secret Key assigned to my app by MapMyFitness. This works fine. For the 3.1/oauth/access_token call, I am using 'XXX&YYY' as a signature key where XXX is the Consumer Secret Key assigned to my app by MapMyFitness and YYY is the temporary Secret Token returned to me by the server during the 3.1/oauth/request_token call. Is that correct?
I would greatly appreciate any suggestions.
OK, I got it working. First of all, oauth_verifier DOES need to be included as part of the parameters. For some reason, Map My Fitness does not include it in its list of required parameters, but it has to be there. Secondly - very important - according to the OAuth 1.0 documentation, all parameters need to be in alphabetical order when creating the signature - otherwise there will be a signature mismatch and you'll get an HTTP 401 error. Once I sorted my parameters in alphabetical order, I was able to exchange the temporary MapMyFitness credentials for permanent ones.

Twitter API 1.1: Getting friends list from twitter

How can I get all followers (friends) of a user who is authenticated by my Twitter app? I tried the one below, as per the Twitter docs:
https://api.twitter.com/1.1/friends/ids.json?cursor=-1&screen_name=<user_screen_name>
But the result was:
{"errors":[{"message":"Bad Authentication data","code":215}]}
Your call needs to be made with oAuth, a plain URL call won't work, even if the screen name has authorised your Twitter app.
You need to construct an HTTP GET to the URL you have shown, but with a properly formed authorisation header (oAuth).
It is effectively a web request header with a key of "Authorization" and a generated value which looks like this:
OAuth realm="<name of realm, e.g. Twitter API>",
oauth_consumer_key="<your app key, you'll know this already from your twitter app>",
oauth_nonce="<this is basically a random alphanumeric string which your app should generate>",
oauth_timestamp="<number of seconds since 1/1/1970 00:00:00>",
oauth_signature_method="HMAC-SHA1",
oauth_version="1.0",
oauth_signature="<this is the trickiest part, you basically have to hash the request + two secret params through a signing algorithm using the signature method above>"
See here for more info:
https://dev.twitter.com/docs/auth/authorizing-request
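The signing rules the two answers above depend on (MapMyFitness: oauth_verifier included, parameters sorted, key "XXX&YYY"; Twitter: the Authorization header layout) as an added Python example. This is not code from any of the posts or from the providers' SDKs; the function names are mine, and a server-side verify() is included to show why an unsorted base string or the wrong signing key comes back as a 401.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only -._~ stay unencoded)."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Build the signature base string: METHOD & base URL & normalized parameters."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"
    # The query string is stripped from the URL and its pairs join the parameter set.
    base_url = urlunsplit((scheme, host, parts.path, "", ""))
    pairs = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    # Encode first, then sort by name and value: an unsorted list signs a different
    # string than the server computes, and the mismatch surfaces as HTTP 401.
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def signing_key(consumer_secret, token_secret=""):
    """'XXX&' for the request_token step, 'XXX&YYY' once a token secret exists."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, base64-encoded (the oauth_signature value)."""
    mac = hmac.new(signing_key(consumer_secret, token_secret).encode(),
                   base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def auth_header(method, url, oauth_params, consumer_secret, token_secret="", realm=None):
    """Render the Authorization header; oauth_verifier simply rides along in oauth_params."""
    signed = dict(oauth_params)
    signed["oauth_signature"] = sign(method, url, oauth_params, consumer_secret, token_secret)
    fields = [f'{pct(k)}="{pct(v)}"' for k, v in sorted(signed.items())]
    if realm is not None:
        fields.insert(0, f'realm="{realm}"')
    return "OAuth " + ", ".join(fields)

def verify(method, url, params, consumer_secret, token_secret=""):
    """Server side: recompute without oauth_signature and compare in constant time."""
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```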

Intuit Partner Platform - what return statuses should we be looking for to check if an OAuth token is still valid?

When going through the Intuit technical review, Intuit has indicated that we need to check within our app to make sure the OAuth token is still valid.
So far I've found at least two different return codes that can happen when an OAuth token is invalid - are there more than just two? What other return codes should we be looking for?
Found so far:
HTTP 401 Unauthorized
HTTP 200 OK + an ErrorCode 3200
The only HTTP status that should be used is 401 Unauthorized. Any other response status is either a bug or a faulty implementation of the specification on Intuit's side.
It may be that the token is valid, just not for the resource that you are trying to access. In these cases it is good to be pragmatic and really specify for the API consumer WHY they get a 401. It is perhaps this scenario that Intuit covers with a 200 + error code. But this is just a guess.
Keith,
keep in mind you should not have to check to see if a token is invalid, you should always know. If the customer disconnects then they are sent to an OpenId endpoint with the realm where you can find them on your side and disconnect them.
Alternatively, if you disconnect, then you know it's invalid.
But yes, this is a bug; it should only be Unauthorized. I just wanted to point out that you should know the state before calling under normal use cases.
Jarred