Comments on: Introduction to the Magento REST APIs with oAuth in Version 1.7

By: karen baker

karen baker — Mon, 13 May 2013 22:56:29 +0000

I found issues with using curl due to the requirement for Authorization: oAuth in the header and problems with the signature showing as invalid. I used the script here: http://stackoverflow.com/questions/15541952/create-product-using-oauth-curl and works fine after the authorisation has been done. Also repeated here:

$nonce = substr(md5(uniqid('nonce_', true)),0,16);
$temprealm="http://www.localhost.com/magento/api/rest/products";
$realm=urlencode($temprealm);
$oauth_version="1.0";
$oauth_signature_method="HMAC-SHA1";
$oauth_consumer_key="ngn4vt1vxw8asd5viximgr0hbc2rbvcd";
$oauth_access_token="9zsfaxfdwktcuxhqa3w5pk88fut61my2";
$oauth_method="GET";
$oauth_timestamp=time();
$algo="sha1";
$key="xyvhm65nwr12939y0g0t288seqhzm780&c5ajpmrxyuvxlron7o1dk07sbl8zgy5a"; //consumer secret & token secret //Both are used in generate signature
$data="oauth_consumer_key=".$oauth_consumer_key."&oauth_nonce=".$nonce."&oauth_signature_method=".$oauth_signature_method."&oauth_timestamp=".$oauth_timestamp."&oauth_token=".$oauth_access_token."&oauth_version=".$oauth_version;

$send_data=$oauth_method."&".$realm."&".urlencode($data);
$sign=hash_hmac($algo,$send_data,$key,1); // consumer key and token secrat used here
$fin_sign=base64_encode($sign);
$curl = curl_init();

curl_setopt($curl,CURLOPT_HTTPHEADER,array('Authorization : OAuth realm='.$realm.', oauth_version="1.0", oauth_signature_method="HMAC-SHA1", oauth_nonce="'.$nonce.'", oauth_timestamp="'.$oauth_timestamp.'", oauth_consumer_key='.$oauth_consumer_key.', oauth_token='.$oauth_access_token.', oauth_signature="'.$fin_sign.'"'));

curl_setopt ($curl, CURLOPT_URL,$temprealm);
$xml=curl_exec($curl);

By: Pleased

Pleased — Wed, 17 Apr 2013 14:10:45 +0000

Thank you. This is the most useful post I have come accross related to Magento REST API for 1.7.

By: Aaron

Aaron — Fri, 15 Feb 2013 22:19:57 +0000

Anybody know how to get the a configurable products associated simple products (and options for the configurable) via the api?

By: Roger North-Row

Roger North-Row — Thu, 17 Jan 2013 17:52:15 +0000

SOLVED: port is stripped from hostname by the underlying Zend signature creation utility and therefore the signatures no longer match.

I did exactly the same but without port 10001 (and instead port 80) and it now works.

Had to dig deep to find the answer 🙂

By: Roger North-Row

Roger North-Row — Thu, 17 Jan 2013 12:20:36 +0000

Magento 1.7.0.2 fresh install
OAuth for Ruby 0.4.7

Set up REST consumer key and secret as below through Admin plus permissions. Can’t get past initiate/auth!
I can see that the signatures do not match if I print out the one generated by Magento in app/code/core/Mage/Oauth/Model/Server.php line 545. Am I doing something silly?

$ oauth –verbose –query-string –consumer-key dbyf8fm41rc3m6r7ubfz02esx6hfei99 –consumer-secret ey4r833r35z08jpfek1rzga5gmk3oitz –access-token-url http://magento.north-row.com:10001/oauth/token –authorize-url http://magento.north-row.com:10001/admin/oauth_authorize –request-token-url http://magento.north-row.com:10001/oauth/initiate authorize
A problem occurred while attempting to authorize:
401 Authorization Required
oauth_problem=signature_invalid&debug_sbs=TVXjIJdJWQDCsRyir4PCaXeqYK4=

By: Shraddha

Shraddha — Fri, 04 Jan 2013 07:37:27 +0000

Is there a way to pass login credentials from code instead of entering credentials everytime in the popup for login authorization in Magento REST API?

By: Ashley

Ashley — Wed, 19 Dec 2012 03:27:55 +0000

Thanks for the continued follow ups on this Kalen, I think there’s not too many devs really pushing this functionality in the wild yet so it’s really good to have some real world feedback to go alongside the tutorial.

Can you share what you’re working on or your use case?

By: Kalen

Kalen — Wed, 19 Dec 2012 00:23:32 +0000

Want to throw up another weird thing I’m noticing. If I don’t specify the –method as a parameter to the oauth command, it defaults to “post”. Actually at one point it was defaulting to “get”. At any rate, the request method is case sensitive. Unless I specify –method GET (all caps), I get an invalid signature response.

Noticed that because I popped over to this oauth validation tool:
http://quonos.nl/oauthTester/

Which will tell you that the method is case sensitive if you paste in the Signature Base String.

By: Kalen

Kalen — Mon, 29 Oct 2012 19:17:14 +0000

Figured it out. It doesn’t seem to accept the OAuth parameters as query string parameters. I tried sending them as HTTP headers instead and it’s going through.

For example: (new keys, etc. b/c I set this up on a new install to be safe 🙂 )

Authorization:OAuth realm=”http://m.dev/”,oauth_consumer_key=”0npq6crnxe0vo3iuwrdeg2x31pxjy91n”,oauth_token=”03mbcsplycit0uy77f0fk8sl23amkmk3″,oauth_nonce=”LsSLJpBZ6Xp1zQ6CkAnG2MDYYkHMQhSVOwgU3T7Jw”,oauth_signature_method=”HMAC-SHA1″,oauth_timestamp=”1351537874″,oauth_version=”1.0″,oauth_signature=”VPIVV0wltKt7LHJC2UDVVMUj5i0%3D”

By: Kalen

Kalen — Mon, 29 Oct 2012 18:32:29 +0000

Hey Ashley!

Thanks for the sweet article – you’ve laid it all out beautifully. I’m hitting a weird access denied snag.

1. Using the ruby oauth client.

2. REST Role – Created a new REST Role (“Admin Consumer”). Initially gave it access to *all* resources, when that didn’t work, changed it to custom, selecting all checkboxes.

Initially, under Role Users, it didn’t show any. When I started hitting access denied issues, I went in here and searched for my admin user (username: ‘admin’) and assigned them to the role.

3. REST Attributes – not totally clear to me still how the attribute set is getting associated to the role or consumer, but I’ve set attributes to all for both Admin and Customer User Types. As with role, I tried “all” as well as Custom with all checkboxes checked.

4. Consumer – created.

5. Got the oauth tokens using the command-line call to the oauth ruby client. Only difference is that I used the /admin/oAuth_authorize endpoint. The oauth flow went through just fine, got the verification token, got the the copy-pastable request URI from the oauth debug call.

But I get access denied when I make the call to get products

Request:
curl http://m.dev/mc1700/api/rest/products?oauth_consumer_key=klr6t0h7egq7xwqbzqj1tjn0dt2dhb0g&oauth_nonce=oh7GQNO5exzZn1PkUJUjmr9zJyAEsvd7DUkhj0W4dgU&oauth_signature=niJ07g3c8MhA6BLqvYIyy6cM3c0%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1351533398&oauth_token=i35hybaai3wraexr3fzly7vxtjg83463&oauth_version=1.0

Response:
{“messages”:{“error”:[{“code”:403,”message”:”Access denied”}]}}

I’m gonna start debugging the Mage_Api2 module to see where it’s breaking, but thought I’d throw this comment up here in case you had any ideas!

Thanks again for the awesome article!