Magento 2 - OAuth Problem = Consumer Key Has Expired #13961

Closed
itsabe opened this issue Mar 5, 2018 · 59 comments
Labels
  • Component: Api (Use with concrete module component label, e.g. "Component: Api" + "Catalog")
  • Component: Oauth
  • Issue: Cannot Reproduce (Cannot reproduce the issue on the latest `2.4-develop` branch)
  • Issue: Clear Description (Gate 2 Passed. Manual verification of the issue description passed)
  • Issue: Confirmed (Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed)
  • Issue: Format is valid (Gate 1 Passed. Automatic verification of issue format passed)
  • Issue: Ready for Work (Gate 4. Acknowledged. Issue is added to backlog and ready for development)
  • Reproduced on 2.4.x (The issue has been reproduced on latest 2.4-develop branch)
  • Severity: S1 (Affects critical data or functionality and forces users to employ a workaround.)

Comments

@itsabe

itsabe commented Mar 5, 2018

Preconditions

  1. Magento Version 2.4
  2. Set up and activated API Integration with full access

Steps to reproduce

  1. Create integrations
  2. Make POST call to /oauth/token/request

Expected result

  1. Get request token

Actual result

  1. oauth_problem=Consumer+key+has+expired

image

I tried it with two different integrations, both are activated, and both return the same response of "consumer key has expired"

@magento-engcom-team magento-engcom-team added the Issue: Format is valid Gate 1 Passed. Automatic verification of issue format passed label Mar 5, 2018
@magento-engcom-team
Contributor

Hello @itsabe. Thanks for reporting. Please confirm to us that You have everything OK with those settings in Your Magento Backend: Stores->Configuration->Services->OAuth->Consumer Settings section.

@itsabe
Author

itsabe commented Mar 6, 2018

image

Yes, everything looks okay.

@magento-engcom-team
Contributor

@itsabe, then please confirm that Expiration period of 300 sec. for Consumer Settings was enough for You, so that Consumer key/secret You got while creating (activating) the integration was not yet expired when You sent /oauth/token/request. Thank You.

@itsabe
Author

itsabe commented Mar 6, 2018

@magento-engcom-team yes, it is enough. I even just created another integration, sent a POST to /oauth/token/request, and got the same response of consumer key has expired. This was all done within 2 minutes.

@itsabe
Author

itsabe commented Mar 6, 2018

Also, I stumbled upon #12032 from back in Nov 2017, but have not seen any updates on it.

@magento-engcom-team
Contributor

@itsabe , thank you for your report.
We've acknowledged the issue and added to our backlog.

@magento-engcom-team magento-engcom-team added Issue: Ready for Work Gate 4. Acknowledged. Issue is added to backlog and ready for development Issue: Clear Description Gate 2 Passed. Manual verification of the issue description passed Issue: Confirmed Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed Reproduced on 2.1.x The issue has been reproduced on latest 2.1 release Reproduced on 2.2.x The issue has been reproduced on latest 2.2 release Reproduced on 2.3.x The issue has been reproduced on latest 2.3 release and removed Progress: needs update labels Mar 7, 2018
@itsabe
Author

itsabe commented Mar 7, 2018

Is there any workaround? Or am I unable to connect to the API?

@itsabe
Author

itsabe commented Mar 7, 2018

I found the source of my issue. Upon creating the integration and activating it, I get a consumer key, consumer secret, access token, and access token secret. So, technically, I can just skip the "Get Access Token" step of the authentication. I was able to successfully make API calls with the provided access token.

If I created the integration with an Identity link URL, then the access token and access token secret are not supplied. And when I made a request to /oauth/token/request, I got the access token and secret as a response.

If this was the intended process, then my apologies for misinterpreting the documentation.

@Lapinou42

Hello guys,

I have exactly the same issue on Magento 2.2.3. Many hours trying to understand what's wrong.

@itsabe
Author

itsabe commented Mar 27, 2018

@Lapinou42 Are you still experiencing the issue? When you create the integration and activate it through Magento backend, you can use the access token they provide you to make the API calls.

@Lapinou42

Lapinou42 commented Mar 27, 2018

Yes, I do.

Actually, I want to create an integration to use with my Android / iOS application using OAuth1.0a.
I tried in Postman and I have the same issue.

I want to generate an access token by user, so simply use Consumer Key, Consumer Secret, RequestTokenUrl and AccessTokenUrl should be enough to generate an access token.

Maybe I'm wrong. I don't know.

@itsabe
Author

itsabe commented Mar 27, 2018

@Lapinou42 When you create the integration on Magento backend (System > Integrations), do you enter an Identity link URL? If you have that field filled in, then you should be able to get the access token by making a request to /oauth/token/request.

@Lapinou42

@itsabe No. I didn't! I'll try that and let you know if something is wrong ;)

Thank you :)

@maniramav

maniramav commented May 9, 2018

@itsabe I tried with Identity link URL, still having same issue.

Then I changed Store > Settings > Configuration > Services > OAuth > Consumer Settings > Expiration Period to 1000000000000
capture1

Now I am getting the result as
oauth_problem=Invalid+signature
capture2

@itsabe
Author

itsabe commented May 9, 2018

@maniram1804 what if you unchecked the "Add empty parameters to signature" option?

@maniramav

@itsabe still same result.

@DanielRuf
Contributor

Did someone already do some bisecting here?

Is this an actual regression (did it work before?) or is it just with the new feature and it is not properly integrated in the code?

@mohammedsalem
Contributor

Are there any updates here?
Facing the same problem.

@Lapinou42

Nope. Stopped using Magento.

@DanielRuf
Contributor

> @PiotrKorzeniec95, it was addressed recently. We limited write access to the Magento 2 repository, so it should prevent unintentional issues closing.

I can confirm, we contributors can not close any issues or PRs anymore so we have to ping someone from the maintainer teams.

@lenaorobei
Contributor

lenaorobei commented May 6, 2020

I'm unable to reproduce this issue.

There are two possible scenarios for using OAuth for Magento integrations.

Access allowed resources by using generated keys

New integration can be created using the described steps.
Screen Shot 2020-05-06 at 12 21 31 PM
Screen Shot 2020-05-06 at 12 21 51 PM
Screen Shot 2020-05-06 at 12 22 11 PM
Test instance from #13961 (comment) can be used to check that.

OAuth-based authentication - DevDocs

This approach requires following the instructions from DevDocs. Callback URL and Identity link URL should be specified in order to ask for a request token.

Example demo script with OAuth client can be found here https://gist.github.com/paliarush/4c2bfa81ebef57305ba4

⚠️ If the issue is not clear message, please feel free to update the issue description and expected result.

@sdzhepa sdzhepa added Progress: needs update Issue: Cannot Reproduce Cannot reproduce the issue on the latest `2.4-develop` branch labels May 6, 2020
@PiotrSiejczuk

@lenaorobei I guess your comment was for me? :)

The issue was actually encountered by a colleague of mine from a different SI (I am just a Messenger here :)). @qsolutions-pl maybe you can give some more inputs for Lena?

@qsolutions-pl
Contributor

I'm currently debugging this on my end, 2.3.5 version, will send an update once I finish

@qsolutions-pl
Contributor

qsolutions-pl commented May 7, 2020

@lenaorobei @ihor-sviziev
so basically this feature is a little bit buggy, currently testing on 2.3.2 (current live site) and 2.3.5
Here is my step by step:

  1. created integration
  2. authorized the application (using the prepared scripts from this URL https://gist.github.com/paliarush/4c2bfa81ebef57305ba4 with some fixes ;))
  3. using consumer and access key pairs I am able to:
     • get product details
     • get customer details

So... basically I cannot replicate the issue today, even though yesterday it was clear :( In my humble opinion the documentation needs to be updated how oauth_signature is calculated in order to be able to use applications like PostMan (or any other soapUI) so you can prepare oauth_signature required for authentication.

From the looks of it, yesterday's problem (and the reported problem on GitHub) comes from unclear instructions in the dev docs. Here is what I did a day ago:

  • created an integration, sent "Activate" request to dummy URL which only recorded sent params.
  • Magento did "Authorize" this application even though it didn't get any callback from remote app, information in the database was not updated
    image

So here is (I believe so) the REAL issue with this:

  1. create new integration
  2. leave CallBack URL and Identity link URL empty
  3. save the integration (magento will generate access token and access token secret)
  4. Authorize the application

after you "Authorize" it in backend, field updated_at in database remains empty
image
and that is causing issues with key validation consumer key has expired

I think Magento should not authorize an application without endpoints and without checks for callback, or a "self-authorization" needs to be fixed on code level to specify "updated_at" with right value.

There is a second issue with this, but it is also related to wrong date calculations. I will get to it with more details once I double check.

@PiotrSiejczuk

@lenaorobei seems the issue is still there and valid. More details were provided. Is there a chance you can check internally the situation? Thank you in advance!

@lenaorobei
Contributor

@qsolutions-pl @PiotrSiejczuk
Thank you for reporting. We will triage this issue with product organization and prioritize.
Hopefully you are able to use OAuth-based authentication following DevDocs with non-empty Callback URL and Identity link values.

@xmav
Contributor

xmav commented Jul 14, 2020

DevDocs updated with examples on when to use different authorization methods: https://devdocs.magento.com/guides/v2.3/get-started/authentication/gs-authentication.html#web-api-clients-and-authentication-methods

@xmav xmav closed this as completed Jul 14, 2020
@phpandrew

phpandrew commented Oct 28, 2020

This is still present in Magento 2.3.5 and Magento 2.3.6.

More than 2.5 years of a known bug and it isn't fixed.

If you enter a space into the "callback URL" field, this error will go away. The issue is having a NULL value in the oauth_consumer.callback_url column.

@ihor-sviziev
Contributor

ihor-sviziev commented Oct 28, 2020

Hi @lylesback2,
According to #13961 (comment) the issue was already solved by updating the docs:
https://devdocs.magento.com/guides/v2.3/get-started/authentication/gs-authentication.html#web-api-clients-and-authentication-methods

@ringwood-dsg

Seems this issue is present in 2.4 as well.

@ihor-sviziev
Contributor

Hi @ringwood-dsg,

According to #13961 (comment) the issue was already solved by updating the docs:
https://devdocs.magento.com/guides/v2.3/get-started/authentication/gs-authentication.html#web-api-clients-and-authentication-methods

@phpandrew

> Seems this issue is present in 2.4 as well.

You are likely generating the key/secret and using that to try and authorize.

The flow of Magento is different from other marketplaces.

Under the store admin > System > Integrations > Add New Authorization
You need to set up the identify and callback URLs to get the consumer key/secret.
Callback URL will be called first, authorize the user on your platform, store the posted credentials (key, secret, verifier, and store url.) you get from this and return HTTP 200 success.

The identify URI will be called next, use the credentials you captured to send a request to store_url.com/oauth/token/request
and in the same script, get your second access token and secret by posting to store_url.com/oauth/token/access

Hope this helps. Let me know if you want me to provide PHP example code.

@ringwood-dsg

> > Seems this issue is present in 2.4 as well.
>
> You are likely generating the key/secret and using that to try and authorize.
>
> The flow of Magento is different from other marketplaces.
>
> Under the store admin > System > Integrations > Add New Authorization
> You need to set up the identify and callback URLs to get the consumer key/secret.
> Callback URL will be called first, authorize the user on your platform, store the posted credentials (key, secret, verifier, and store url.) you get from this and return HTTP 200 success.
>
> The identify URI will be called next, use the credentials you captured to send a request to store_url.com/oauth/token/request
> and in the same script, get your second access token and secret by posting to store_url.com/oauth/token/access
>
> Hope this helps. Let me know if you want me to provide PHP example code.

Thank you for clearing this up for me. I find your explanation regarding the sequence of events a lot more helpful than the official manual, to be quite honest. We're integrating our .NET application with Magento, but what I am unsure of is the parameters being passed to the Callback URL? I see the manual references it like this:

  • store_base_url
  • oauth_verifier
  • oauth_consumer_key
  • oauth_consumer_secret

Am I correct in saying that when our callback URL is being called, that the parameters will be named exactly as they are referenced above?

@phpandrew

> > > Seems this issue is present in 2.4 as well.
>
> > You are likely generating the key/secret and using that to try and authorize.
> > The flow of Magento is different from other marketplaces.
> > Under the store admin > System > Integrations > Add New Authorization
> > You need to set up the identify and callback URLs to get the consumer key/secret.
> > Callback URL will be called first, authorize the user on your platform, store the posted credentials (key, secret, verifier, and store url.) you get from this and return HTTP 200 success.
> > The identify URI will be called next, use the credentials you captured to send a request to store_url.com/oauth/token/request
> > and in the same script, get your second access token and secret by posting to store_url.com/oauth/token/access
> > Hope this helps. Let me know if you want me to provide PHP example code.
>
> Thank you for clearing this up for me. I find your explanation regarding the sequence of events a lot more helpful than the official manual, to be quite honest. We're integrating our .NET application with Magento, but what I am unsure of is the parameters being passed to the Callback URL? I see the manual references it like this:
>
>   • store_base_url
>   • oauth_verifier
>   • oauth_consumer_key
>   • oauth_consumer_secret
>
> Am I correct in saying that when our callback URL is being called, that the parameters will be named exactly as they are referenced above?

Yes, those variables will be posted exactly as that to the callback link.
No data is posted to the identify URL, that you will need to pull the session data / from the DB and POST that back to the magento store to the oauth/token/request, then make another POST request to the oauth/token/access url

@ringwood-dsg

> > > > Seems this issue is present in 2.4 as well.
>
> > > You are likely generating the key/secret and using that to try and authorize.
> > > The flow of Magento is different from other marketplaces.
> > > Under the store admin > System > Integrations > Add New Authorization
> > > You need to set up the identify and callback URLs to get the consumer key/secret.
> > > Callback URL will be called first, authorize the user on your platform, store the posted credentials (key, secret, verifier, and store url.) you get from this and return HTTP 200 success.
> > > The identify URI will be called next, use the credentials you captured to send a request to store_url.com/oauth/token/request
> > > and in the same script, get your second access token and secret by posting to store_url.com/oauth/token/access
> > > Hope this helps. Let me know if you want me to provide PHP example code.
>
> > Thank you for clearing this up for me. I find your explanation regarding the sequence of events a lot more helpful than the official manual, to be quite honest. We're integrating our .NET application with Magento, but what I am unsure of is the parameters being passed to the Callback URL? I see the manual references it like this:
> >
> >   • store_base_url
> >   • oauth_verifier
> >   • oauth_consumer_key
> >   • oauth_consumer_secret
> >
> > Am I correct in saying that when our callback URL is being called, that the parameters will be named exactly as they are referenced above?
>
> Yes, those variables will be posted exactly as that to the callback link.
> No data is posted to the identify URL, that you will need to pull the session data / from the DB and POST that back to the magento store to the oauth/token/request, then make another POST request to the oauth/token/access url

Thank you so much for taking the time to assist me here. I'll continue on from here and get our integration completed using your instructions. You are definitely the Magento King and my hero!

@lbajsarowicz
Contributor

lbajsarowicz commented Jul 20, 2021

I'm encountering the issues described in this Bug Report, but the problem seems to be a little bit more complex:

When I'm calling simple endpoints, everything works more or less correctly:
image

However, the same keys used to fetch the Invoices ends up with "The signature is invalid"
image

But it works completely fine if you don't use SearchCriteria:
image

Looks like there's some mess around calculating request signature 👎🏻

The issue appears when the URL is urlencoded:
image
image
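The signature calculation that comments above ask to have documented, as an added example (not code from this thread, from Magento or from the linked gist): it builds the OAuth 1.0a base string per RFC 5849 and shows that the raw and the percent-encoded spelling of a `searchCriteria` URL sign identically only when the query is decoded before normalisation. The host, the `/rest/V1/invoices` path, every key and secret, and the choice of HMAC-SHA256 are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")


def base_string(method, url, oauth_params, decode_query=True):
    """Build the RFC 5849 section 3.4.1 signature base string."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port and (parts.scheme, parts.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{parts.port}"
    base_uri = f"{parts.scheme}://{host}{parts.path}"  # query string is excluded
    if decode_query:
        # Decode first, so "[" sent raw or as "%5B" normalises to the same text.
        pairs = parse_qsl(parts.query, keep_blank_values=True)
    else:
        # Flawed variant kept for comparison: already-encoded text is treated
        # as raw, so "%5B" is encoded a second time into "%255B".
        pairs = [p.partition("=")[::2] for p in parts.query.split("&") if p]
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(method, url, oauth_params, consumer_secret, token_secret="",
         digest=hashlib.sha256, decode_query=True):
    """Return the base64 oauth_signature; the key is both secrets joined by '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, oauth_params, decode_query).encode()
    return base64.b64encode(hmac.new(key, text, digest).digest()).decode()


# Constructed sample values; none of them come from the thread.
OAUTH = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_token": "example-access-token",
    "oauth_nonce": "7d8f3e4a",
    "oauth_timestamp": "1600000000",
    "oauth_signature_method": "HMAC-SHA256",  # assumed signature method
    "oauth_version": "1.0",
}
RAW = ("https://magento.example/rest/V1/invoices"
       "?searchCriteria[pageSize]=10&searchCriteria[currentPage]=1")
ENCODED = ("https://magento.example/rest/V1/invoices"
           "?searchCriteria%5BpageSize%5D=10&searchCriteria%5BcurrentPage%5D=1")
SECRETS = ("example-consumer-secret", "example-token-secret")


def compare():
    """Sign both spellings of the same request under each normalisation."""
    good = [sign("GET", u, OAUTH, *SECRETS) for u in (RAW, ENCODED)]
    flawed = [sign("GET", u, OAUTH, *SECRETS, decode_query=False)
              for u in (RAW, ENCODED)]
    return good[0] == good[1], flawed[0] == flawed[1]


if __name__ == "__main__":
    print(compare())
```

When client and server disagree on this normalisation step, requests without bracketed or encoded query parameters still verify, while requests with them are rejected as an invalid signature.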

@DEHAINI
Copy link

DEHAINI commented Mar 5, 2022

secret

Can you please give me a clear example? I have the same issue and I cannot resolve it.

@shenoyaditya11

> I found the source of my issue. Upon creating the integration and activating it, I get a consumer key, consumer secret, access token, and access token secret. So, technically, I can just skip the "Get Access Token" step of the authentication. I was able to successfully make API calls with the provided access token.
>
> If I created the integration with an Identity link URL, then the access token and access token secret are not supplied. And when I made a request to /oauth/token/request, I got the access token and secret as a response.
>
> If this was the intended process, then my apologies for misinterpreting the documentation.

I tried creating Integration with the Identity link, it still creates access token and token secret on activation. And before activation if I try to hit /oauth/token/request, it throws Consumer+key+expired, how to fix this issue, please help.

@qsolutions-pl
Contributor

Look at my comment here: #13961 (comment)

@jmwill86

It's been almost 6 years since this was created, it's been marked as closed even though the issue was never actually resolved. The lack of care Magento have for their codebase is second to none.

I'd normally be happy to try and help fix things like this, but if you can't be bothered after 6 years, why should I.
