Accessing user data with oAuth

[La Jobe]

Hi everyone,

I am trying to connect my website to my forum, therefore I want to use the logins of my forum on my website.

When my user logs in, he enters his forum credentials, and I go through an oAuth system to check if those credentials are good.

I manage to retrieve a custom access token, but when I request GET with the bearer authorization, where I enter the retrieved access_token, the system returns :
 
{
    "errorCode": "2S291/3",
    "errorMessage": "NO_PERMISSION"
}

Does anyone know why the system is denying me access?

Thanks in advance.

 

Sorry, I made a mistake, the error code is 2S291\/7 and not 2S291/3

Thanks.

[Daniel F]

Make sure that the key has access for this endpoint.

[La Jobe]

I have configured, in my oAuth client, my endpoint. However, when I make a GET request, I give it my access token. But to configure my endpoint, I had to create a key with my desired endpoint. Do I have to give this key too? Or the access token is enough.

[La Jobe]

Does anyone know how to resolve this ?

Thanks in advance.

[Stuart Silvester]

Quote

Just like with API Keys, the client will need to be configured to which endpoints it can access, however with OAuth, the different endpoints are tied to scopes. For example, you might set up one scope which allows access to the GET /profile endpoint to get basic information about the authenticated user, and a separate scope which allows access to the POST /forums/topics which allows topics to be posted. The scopes you set up and which endpoints they can access will depend on how you intend the API.

https://invisioncommunity.com/developers/rest-api

Go to AdminCP → System → REST & OAuth → OAuth Clients, click edit next to your OAuth client and then click on the 'Scope' tab.

You will need to either create a new scope depending on your needs, or add endpoint permissions to an existing scope. If you add a new scope, you will also need to add it to your OAuth authentication code.

[La Jobe]

I have already created a key with well defined endpoints. Do I have to give the name of this key in my GET request?

[Stuart Silvester]

If you are using OAuth authentication, the endpoints must be configured via the OAuth client scopes, sending the users access token as a bearer as detailed in our documentation.

API Key authentication and OAuth authentication are not interchangeable, you would use one or the other for your requests.

[La Jobe]

But this field to be filled in is only a title? Don't I have to give it as a key?

[Stuart Silvester]

You would need to check those boxes on the right for the endpoints you want that scope to have access to.

The scopes, as part of the OAuth standard, you pass when you authenticate the user - https://aaronparecki.com/oauth-2-simplified

[La Jobe]

Ok I found how to make this, thanks for your patience.

[Stuart Silvester]

2 hours ago, La Jobe said:

Ok I found how to make this, thanks for your patience.

No problem! I'm glad to see that you've got it working.

[Schaken]

After spending 2 whole days on this same topic, I am at a loss. No matter what I do i keep getting "Invalid Token"

I am trying to get the basic /core/hello

I am using C# as I am building an application using Unity. There is many tutorials out there but they are all old and unity updates their code so much, all of it is redundant already.

in your documents, there is a /ips4 in there, when i use that, I always get an invalid address. 


So I am using (reqbin.com) to test this. I enter my address (https://XXXXXXX.com/api/core/hello

 

then, for the token, Im going to enter... well my token.

(Im just screenshotting Zapier because we are all familiar with it)

but this is where i always get invalid token.

and lastly, the endpoint is enabled.

 

So I cross checked all this info using C# using many different premade API tools made for Unity, which is what I am using. And i also get invalid token there as well.

I am sure it is something super small that I am overlooking, but if you could point me in the right direction, I would appreciate it. Thank you.

[Martin A.]

Not easy to say without seeing your C# code.

Remember that when using a REST API key the auth is done using basic "user:password" authentication on the HTTP request. You can also add the key to the URL using "?key=<key>".

(Based on the docs, I have never used the API system myself)

[Schaken]

4 hours ago, Martin A. said:

Not easy to say without seeing your C# code.

Remember that when using a REST API key the auth is done using basic "user:password" authentication on the HTTP request. You can also add the key to the URL using "?key=<key>".

(Based on the docs, I have never used the API system myself)

Hey! Thank you very much for responding @Martin A.!

Based off of what you said, Im going to show you my now edited version of the code. All the failed attempts made system ban me and then it messed up something in the database... I dont know much about server stuff, I have a good friend I pay to manage it all for me. anyway, here is the code, as I can not test it at the moment due to him updating the database.

 

	StartCoroutine(getRequest("https://XXXXXXX.com/api/core/hello?key=12AB34CD56EF78GH"));
	//// My API + ?key= + API Key

	IEnumerator getRequest(string uri)
	{
		Debugger("GET Function Started");
		UnityWebRequest uwr = UnityWebRequest.Get(uri);
		yield return uwr.SendWebRequest();
			if (uwr.result == UnityWebRequest.Result.ConnectionError)
		{
			Debugger("Error While Sending: " + uwr.error);
		}
		else
		{
			Debugger("Received: " + uwr.downloadHandler.text); // Jest to post the information, from here i can do whatever with it
		}
	}

With this being said, I plan on working with the Oauth next. do you have any experience with that? I would love to bounce some ideas and thoughts off you if you have the time and dont mind.

[Schaken]

Cool news, that was the trick. I appreciate it. I will be playing with this for a few days and then I will be making the app have a Login, then the hard part will begin...

[Schaken]

So now im working on making a user:Password for Oauth. I really thought this would work. lol.

 

	IEnumerator GetForumArray()
	{
		Dictionary<string, string> content = new Dictionary<string, string>();
		//Fill key and value
		content.Add("grant_type", "UserEMail:Password");
		content.Add("client_id", "ab1c0a4383a8ca2XXXXXXXXbe111111116");
		content.Add("client_secret", "7b5040ce3eecdaXXXXXXX7f161e4f43011111113b2ba3a");

		UnityWebRequest www = UnityWebRequest.Get("https://XXXXXXXXXX.com/oauth/token/", content);
		//Send request
		yield return www.Send();

		if (!www.isNetworkError)
		{
			string resultContent = www.downloadHandler.text;
			TokenClassName json = JsonUtility.FromJson<TokenClassName>(resultContent);

			//Return result
	
			Debugger(json.access_token);
		}
		else
		{
			//Return null
			Debugger("failed");
		}
	}

I got part of the information from looking at someone elses. 

Im trying to get the token, and then I assume I pass the token in an API to get information, or post.

As of right now I get a error on compile telling me " No overload for method 'Get' takes 2 arguments" which it should be post. So I change Get to Post and I get nothing returned

PS "Debugger" is basically Debug.Log, I just have a on/off switch for it for when I am debugging.

[Schaken]

I just thought i would update this in case anyone else needs it. I finally got it.

This is to get OAuth2:

// This part, you are just sending the user to the Login page.
public void LoginTest1() {

	string MyClientID = "1234";
	string MyRandomNumber = "4321";// <-- This is your own made up code, you will use this 
									//again, make it anything you want. it gets sent back to you again to let you know it was a secure connection
	string MyRedirectURI = "https://MySite.com/URIPage/";// <-- This i made a custom page with an input field and make it 
														//capture the code from the URL.
	string MyScope = "Files?";

	string uri = "https://MySite.com/oauth/authorize?client_id="+MyClientID+"&response_type=code&state="+MyRandomNumber+"&redirect_uri="+MyRediectURI+"&scope="+MyScope+""; // <-- I has to put quotes at the end. Dont know why..
	Application.OpenURL (uri);
}

// once they login, the "Code" will be displayed in the URL of "https://MySite.com/URIPage/" you will see a code, and the random number you made. 
// you will need to make a way for them to enter this into your app.
private IEnumerator GetAccessToken()
{
	Dictionary<string, string> content = new Dictionary<string, string>();

	content.Add("grant_type", "authorization_code");
	content.Add("code", RequestToken); // <-- I used a variable for this, but your "Code" in the URL goes here.
	content.Add("redirect_uri", "https://MySite.com/URIPage/";
	content.Add("client_id", "123456789");
	content.Add("code_verifier", "432151");// <-- This is the random code you made up at the very start

		UnityWebRequest www = UnityWebRequest.Post("https://MySite.com/oauth/token/", content);
		yield return www.Send();
		if (!www.isNetworkError) {
			string resultContent = www.downloadHandler.text;
			Debug.Log("Response: "+resultContent); <-- This will show you your Token you are looking for. :)
		} else {
			// This needs to show an error, saying something went wrong. Found i had a disabled scope.
		}
	} else {
		Debug.Log("Failed: "+www.error);// <-- displayes the error, if you have any. :)
	}
}

 

This is to get information:

public void CallForSomething(uri) {
	string Bearer = "1234567890";// <- Your Bearer ID

	var httpRequest = (HttpWebRequest)WebRequest.Create(uri);
	httpRequest.Headers["Authorization"] = "Bearer "+Bearer;

	HttpWebResponse httpResponse;
	try {
		httpResponse = (HttpWebResponse)httpRequest.GetResponse();
	}
	catch (WebException ex) {
		httpResponse = (HttpWebResponse)ex.Response;
	}
	using (var streamReader = new StreamReader(httpResponse.GetResponseStream())) {
		var result = streamReader.ReadToEnd();
		string FullTXT = result.Replace(@"\", string.Empty);
		Debug.Log(FullTXT); // <-- This is what comes back :)
		
	}
}