OroCommerce Forums

Covering OroCommerce topics, including community updates and company announcements.

Forums Forums OroCommerce Orocommerce Oauth2: What Api-endpoints to use?

This topic contains 12 replies, has 3 voices, and was last updated by  Frank 7 months, 1 week ago.

Starting from March 1, 2020 the forum has been switched to the read-only mode. Please head to StackOverflow for support.

  • Creator
    Topic
  • #40940

    Frank
    Participant

    Hi there,

    I am learning to make use of OAuth2-authentication to get access to orocommerce rest api endpoints.

    OroOAuth2ServerBundle: https://github.com/oroinc/oauth2-server.
    has been installed and works fine.

    I am able to create Oauth-applications
    – for backend-users: https://doc.oroinc.com/user/back-office/getting-started/user-menu/oauth/#user-guide-my-profile-oauth, and
    – frontend-customerUsers: https://doc.oroinc.com/user/back-office/customers/customer-users/#user-guide-customers-customer-users-oauth

    and to receive response from the authorization server with a JSON object containing the following properties:
    * token_type with the value Bearer
    * expires_in = 3600 seconds
    * access_token a JSON web token signed with the authorization server’s private key

    If I use this access-token to make a request to oro’s web services endpoints:
    – backend: http://<hostname_of_my_custom_oro_application>/admin/api/doc
    – frontend: http://<hostname_of_my_custom_oro_application>/api/doc

    it works for frontend customerUser-Oauth-application with frontend customerusers/*-endpoint, only:

    REQUEST (ok):

    GET /api/customerusers HTTP/1.1
    Content-Type: application/vnd.api+json
    Authorization: Bearer my-access-token

    But not (at all) for backend user-Oauth-application, with frontend-/backend-endpoints. For

    REQUEST (should work?! – see OroOAuth2ServerBundle-GitHub-doc):

    GET /api/users HTTP/1.1
    Content-Type: application/vnd.api+json
    Authorization: Bearer my-access-token

    I got

    RESPONSE:

    “HTTP/1.1 401 Unauthorized
    Server: nginx/1.12.2
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.1.33
    Cache-Control: must-revalidate, no-cache, no-store, private
    Date: Wed, 20 Nov 2019 12:41:01 GMT
    WWW-Authenticate: WSSE realm=”Secured Frontend API”, profile=”UsernameToken”
    Expires: 0
    Pragma: no-cache
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block

    Obviously the api is expecting WSSE-authentication …?

    Could you tell me please,

    Why I am on the wrong way, and what to do instead?

    Thanks a lot
    Frank

Viewing 12 replies - 1 through 12 (of 12 total)
  • Author
    Replies
  • #40941

    Yurii Muratov
    Participant

    Hello, Frank.

    To get access to storefront API you should get an auth token with client id and client secret from the storefront OAuth application. This auth token will not grant access to the back-office API.

    The same, to get access to back-office API you should get an auth token with client id and client secret from the back-office OAuth application. This auth token will not grant access to the storefront API.

    #40942

    Frank
    Participant

    Hi Yurii,

    yes, this is (obviously, and), what I have done!
    :-)

    No access for backend-outh-application, requesting endpoint /api/users … as above described.

    Thanks for any recommandations.

    Kind regards
    Frank

    #40943

    Yurii Muratov
    Participant

    In this case, please try to make request in dev mode (to index_dev.php/api/users) and see the dev.log file for the reason why your auth token is invalid.

    #40944

    Frank
    Participant

    I am working in dev-mode.

    oroapp/var/logs/dev.log is empty.

    FRank

    #40947

    Yurii Muratov
    Participant

    Ahh, sorry, for the back-office, you should use your_domain/admin/api/your_resource endpoints.
    So, valid endpoint for users will be:

    http://<hostname_of_my_custom_oro_application>/admin/api/users

    #40949

    Frank
    Participant

    Aha!

    http://<hostname_of_my_custom_oro_application>/admin/api/users

    This works!!! Thanks.


    Another topic in this regards:

    Am I right, that the Oauth-application (regardless wether back- or frontend) has the same access-limitations as the user or customerUser respectively?

    Example to illustrate my question:

    * CustomerUser JohnDoe has frontend-access to his order no. 73 (in result of a successfull checkout …).
    * I created an Aouth-application for customerUser JohnDoe,
    * Used the clientID/Secretof this Aouth-application to request an Aouth-access-token.

    Thean I should have access to:
    http://<hostname_of_my_custom_oro_application>/api/orders/73

    ?

    I tried that, but it did not work.

    Response give me:
    {“errors”:[{“status”:”500″,”title”:”error exception”}]}string(466) “HTTP/1.1 500 Internal Server Error

    Thanks
    Frank

    #40950

    Yurii Muratov
    Participant

    Yes. The limitations are the same.You should have an access to the same order.
    Please check the log files for exception description. Another option is to send the request in dev mode (to http://<hostname_of_my_custom_oro_application>/index_dev.php/api/orders/73). In this case, the response will have much more information about exception.

    • This reply was modified 7 months, 2 weeks ago by  Yurii Muratov.
    • This reply was modified 7 months, 2 weeks ago by  Yurii Muratov.
    #40953

    Frank
    Participant

    I looked into dev.log, but I think it will be rather in prod.log due to the prod-endpoint.
    Thanks for the urgent help!


    LAST QUESTION(s) in this concern:

    I want to build up a shopping-cart-microservice consuming/based on the web api.

    1) Do I have to use the frontend api for that?
    2) There a few endpoints only (none for products, cart, checkout …). Do I have to build my own ressources for that? Or can a make use of the existing checkout-workflow in some manner instead?
    Do you have some instructions for me, how to realize this with my low skills? :-)

    Thanks again & regards
    Frank

    #40956

    Frank
    Participant

    I meen instructions concerning the web api (build new ressources …etc.) not the shopping-cart-client-microservice. The last one is another topic. I know.
    :-)


    I found the error
    http://<hostname_of_my_custom_oro_application>/index_dev.php/api/orders/73
    in dev.log
    Useful remark. Thanks a lot.

    Frank

    #40960

    Frank
    Participant

    To renew my question as the last post in this thread …


    FINAL QUESTION(s) in this concern:

    I want to build up a shopping-cart-microservice consuming/based on the web api.

    1) Do I have to use the frontend api for that?
    2) There a few endpoints only (none for products, cart, checkout …). Do I have to build my own ressources for that? Or can a make use of the existing checkout-workflow in some manner instead?

    Do you have some instructions ‘how to extend the oro web services api’ for my custom usecase?

    Thanks again & regards
    Frank

    #40962
    Dima Soroka
    Dima Soroka
    Keymaster

    Hi Frank

    For customer shopping related services storefront API will work best. You can check our latest master, many more storefront endpoints are coming with 4.1 release including catalog and products information, shopping lists and order creation. Storefront API documentation is coming with the release as well.

    #40987

    Frank
    Participant

    Hi Dima,

    thanks a lot.

    This (however its obious) helped me really a lot!

    Kind regards from Germany
    Frank

Viewing 12 replies - 1 through 12 (of 12 total)

The forum ‘OroCommerce’ is closed to new topics and replies.

You will be redirected to [title]. Would you like to continue?

Yes No