OroCommerce Forums

Covering OroCommerce topics, including community updates and company announcements.

OroCommerce OAuth2: What API endpoints to use?

This topic contains 12 replies, has 3 voices, and was last updated by  Frank 4 years, 5 months ago.

Starting from March 1, 2020 the forum has been switched to the read-only mode. Please head to StackOverflow for support.

    #40940

    Frank
    Participant

    Hi there,

    I am learning to make use of OAuth2 authentication to get access to the OroCommerce REST API endpoints.

    OroOAuth2ServerBundle: https://github.com/oroinc/oauth2-server
    has been installed and works fine.

    I am able to create OAuth applications
    – for backend users: https://doc.oroinc.com/user/back-office/getting-started/user-menu/oauth/#user-guide-my-profile-oauth, and
    – for frontend customer users: https://doc.oroinc.com/user/back-office/customers/customer-users/#user-guide-customers-customer-users-oauth

    and to receive a response from the authorization server with a JSON object containing the following properties:
    * token_type with the value Bearer
    * expires_in = 3600 seconds
    * access_token, a JSON web token signed with the authorization server's private key

    If I use this access token to make a request to Oro's web service endpoints:
    – backend: http://<hostname_of_my_custom_oro_application>/admin/api/doc
    – frontend: http://<hostname_of_my_custom_oro_application>/api/doc

    it works only for the frontend customerUser OAuth application with the frontend customerusers/* endpoint:

    REQUEST (ok):

    GET /api/customerusers HTTP/1.1
    Content-Type: application/vnd.api+json
    Authorization: Bearer my-access-token

    But not (at all) for the backend user OAuth application, with frontend or backend endpoints. For

    REQUEST (should work?! – see the OroOAuth2ServerBundle GitHub doc):

    GET /api/users HTTP/1.1
    Content-Type: application/vnd.api+json
    Authorization: Bearer my-access-token

    I got

    RESPONSE:

    HTTP/1.1 401 Unauthorized
    Server: nginx/1.12.2
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.1.33
    Cache-Control: must-revalidate, no-cache, no-store, private
    Date: Wed, 20 Nov 2019 12:41:01 GMT
    WWW-Authenticate: WSSE realm="Secured Frontend API", profile="UsernameToken"
    Expires: 0
    Pragma: no-cache
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block

    Obviously the API is expecting WSSE authentication …?

    Could you tell me please,

    why I am on the wrong track, and what to do instead?

    Thanks a lot
    Frank

    #40941

    Yurii Muratov
    Participant

    Hello, Frank.

    To get access to storefront API you should get an auth token with client id and client secret from the storefront OAuth application. This auth token will not grant access to the back-office API.

    The same, to get access to back-office API you should get an auth token with client id and client secret from the back-office OAuth application. This auth token will not grant access to the storefront API.

    #40942

    Frank
    Participant

    Hi Yurii,

    yes, this is (obviously) what I have done!
    :-)

    No access for the backend OAuth application, requesting endpoint /api/users … as described above.

    Thanks for any recommendations.

    Kind regards
    Frank

    #40943

    Yurii Muratov
    Participant

    In this case, please try to make the request in dev mode (to index_dev.php/api/users) and see the dev.log file for the reason why your auth token is invalid.

    #40944

    Frank
    Participant

    I am working in dev-mode.

    oroapp/var/logs/dev.log is empty.

    Frank

    #40947

    Yurii Muratov
    Participant

    Ahh, sorry, for the back-office, you should use your_domain/admin/api/your_resource endpoints.
    So, the valid endpoint for users will be:

    http://<hostname_of_my_custom_oro_application>/admin/api/users
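
    A constructed helper, added here and not taken from the thread or from OroCommerce itself, that encodes what this exchange establishes: a token issued for a back-office OAuth application is only accepted under /admin/api, a storefront token only under /api, a 401 with a WSSE challenge means the bearer token was not accepted at that surface, and a 500 is best repeated through index_dev.php so the exception lands in dev.log. The JWT helpers decode claims without verifying the signature and are for debugging only; the sample token and its claims are constructed.

    ```python
    import base64
    import json
    from typing import Dict

    # Back-office tokens are accepted only under /admin/api, storefront tokens only under /api.
    API_PREFIX = {"back-office": "/admin/api", "storefront": "/api"}


    def build_request(app_type: str, resource: str, token: str, dev_mode: bool = False) -> dict:
        """Request line and headers for a JSON:API call. dev_mode routes the call via
        index_dev.php so that a 500 response carries the exception details."""
        path = ("/index_dev.php" if dev_mode else "") + API_PREFIX[app_type] + "/" + resource.strip("/")
        return {"method": "GET", "path": path,
                "headers": {"Content-Type": "application/vnd.api+json",
                            "Authorization": "Bearer " + token}}


    def jwt_payload(token: str) -> dict:
        """Read the JWT claims WITHOUT verifying the signature: a debugging aid only,
        never a basis for trusting the token."""
        part = token.split(".")[1]
        return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


    def is_expired(token: str, now: float) -> bool:
        """True when the 'exp' claim (seconds since the epoch) is not in the future."""
        return jwt_payload(token).get("exp", 0) <= now


    def diagnose(status: int, headers: Dict[str, str]) -> str:
        """Map a response to its most likely cause, following the thread above."""
        challenge = {k.lower(): v for k, v in headers.items()}.get("www-authenticate", "")
        if status == 401 and challenge.startswith("WSSE"):
            # The server fell back to its default WSSE challenge: the bearer token was
            # not accepted here, e.g. a back-office token sent to /api/... (or vice versa).
            return "wrong-api-surface"
        if status == 401:
            return "unauthorized"
        if status == 500:
            return "server-error-check-dev-log"
        return "ok" if 200 <= status < 300 else f"unexpected-{status}"


    def _sample_token(payload: dict) -> str:
        """Constructed, unsigned token for offline use; the signature part is a dummy."""
        def enc(d: dict) -> str:
            return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
        return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".dummysig"


    # Constructed sample: "issued" at the timestamp of the quoted 401 response, expires_in = 3600.
    SAMPLE_TOKEN = _sample_token({"exp": 1574253661 + 3600, "sub": "frank"})
    ```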

    #40949

    Frank
    Participant

    Aha!

    http://<hostname_of_my_custom_oro_application>/admin/api/users

    This works!!! Thanks.


    Another topic in this regards:

    Am I right that the OAuth application (regardless of whether back- or frontend) has the same access limitations as the user or customerUser respectively?

    Example to illustrate my question:

    * CustomerUser JohnDoe has frontend access to his order no. 73 (as a result of a successful checkout …).
    * I created an OAuth application for customerUser JohnDoe,
    * Used the client ID/secret of this OAuth application to request an OAuth access token.

    Then I should have access to:
    http://<hostname_of_my_custom_oro_application>/api/orders/73

    ?

    I tried that, but it did not work.

    The response gives me:
    {"errors":[{"status":"500","title":"error exception"}]}string(466) "HTTP/1.1 500 Internal Server Error

    Thanks
    Frank

    #40950

    Yurii Muratov
    Participant

    Yes. The limitations are the same. You should have access to the same order.
    Please check the log files for exception description. Another option is to send the request in dev mode (to http://<hostname_of_my_custom_oro_application>/index_dev.php/api/orders/73). In this case, the response will have much more information about exception.

    #40953

    Frank
    Participant

    I looked into dev.log, but I think it will be rather in prod.log due to the prod-endpoint.
    Thanks for the urgent help!


    LAST QUESTION(s) in this concern:

    I want to build up a shopping-cart-microservice consuming/based on the web api.

    1) Do I have to use the frontend api for that?
    2) There are only a few endpoints (none for products, cart, checkout …). Do I have to build my own resources for that? Or can I make use of the existing checkout workflow in some manner instead?
    Do you have some instructions for me, how to realize this with my low skills? :-)

    Thanks again & regards
    Frank

    #40956

    Frank
    Participant

    I mean instructions concerning the web API (building new resources, etc.), not the shopping-cart client microservice. The latter is another topic, I know.
    :-)


    I found the error
    http://<hostname_of_my_custom_oro_application>/index_dev.php/api/orders/73
    in dev.log
    Useful remark. Thanks a lot.

    Frank

    #40960

    Frank
    Participant

    To renew my question as the last post in this thread …


    FINAL QUESTION(s) in this concern:

    I want to build up a shopping-cart-microservice consuming/based on the web api.

    1) Do I have to use the frontend api for that?
    2) There are only a few endpoints (none for products, cart, checkout …). Do I have to build my own resources for that? Or can I make use of the existing checkout workflow in some manner instead?

    Do you have some instructions on 'how to extend the Oro web services API' for my custom use case?

    Thanks again & regards
    Frank

    #40962

    Dima Soroka
    Keymaster

    Hi Frank

    For customer shopping related services storefront API will work best. You can check our latest master, many more storefront endpoints are coming with 4.1 release including catalog and products information, shopping lists and order creation. Storefront API documentation is coming with the release as well.

    #40987

    Frank
    Participant

    Hi Dima,

    thanks a lot.

    This (however obvious it is) really helped me a lot!

    Kind regards from Germany
    Frank
