
Which settings and options to use for oAuth to use GraphQL and REST API?



When creating an oAuth there is a bewildering array of options which change depending on which previous options you have checked. Once I have tried a few times to connect and tweak the settings on the client side, IPS blocks me but there is no reset option in the AdminCP.

Please can you confirm which settings and options I need to generate an oAuth to be able to connect externally to access the GraphQL and REST API features?

 


It's really up to you and the way your client works.

E.g. a CLI application/script will probably not be able to use the first 2 options, so you'll want one of the latter two.

 

What exactly is being blocked?
Do you see any errors in the API log?
Is the Token expiring? Are you trying to refresh it?


Thanks I’ll have another go. (Sorry the code button isn’t showing in this forum on tablet, only quote).

re errors, I get:

Quote

RESPONSE

{ "errorCode": "3S290\/9", "errorMessage": "INVALID_ACCESS_TOKEN" }

and

{
  "error": "invalid_client"
}

I’m just trying to connect with the API Tester app on my iPad, which seems really good with lots of examples to get you going. It also supports both REST and GraphQL, so I figured I would try to create an oAuth for it rather than a simple API URL key as I’ve done in the past for connecting via WordPress. I tried to use the oAuth page options that don't prompt a login screen because I want to eventually run the code as a script both within IPS and externally.

If I go to the IPS API key page, I see the message:

Quote

Your server does not support authentication headers. As you will need to pass the API key in the URL, we recommend you set up IP address restriction.

However I know my server does as far as Wordpress’ health check tool is concerned.

I’ve tried everything to get authentication headers to work for IPS. I’ve tried the various suggestions found online about adding CGIAuthPass to htaccess, and allowing AuthConfig to be used via AllowOverride in htaccess by adding this to post_virtualhost_global.conf

Quote

 

<Directory "\/public_html\/">
AllowOverride AuthConfig
</Directory>

<IfModule mod_headers.c>
Header merge Access-Control-Allow-Headers *,Authorization
Header merge Access-Control-Expose-Headers *,Authorization
Header set Access-Control-Allow-Credentials true
Header set Access-Control-Allow-Methods "GET,POST,PUT,HEAD,OPTIONS"
</IfModule>

<IfModule mod_headers.c>
  <IfModule mod_setenvif>
   SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$0   
  </IfModule>
</IfModule>

 

but so far IPS always reports that message so I thought oAuth would be better. 

I realise that self-hosted server config is beyond support’s realm, but I just want to make sure I’m at least trying with the correct oAuth settings, given there are so many and the help docs don’t say which options to configure for use with the API and GraphQL.



AFAIK Directory expects a full path... Like 

<Directory "/usr/local/httpd/htdocs">
  Options Indexes FollowSymLinks
</Directory>

If your code applies to all users' internal public_html folders, you may want to use DirectoryMatch: https://httpd.apache.org/docs/2.4/mod/core.html#directorymatch

If your full path is /public_html/ from / , please ignore the above.

 

 


Thanks for the suggestion. I’ve modified it to:

Quote

<DirectoryMatch "^/home/(.*)/public_html$">
AllowOverride AuthConfig
</DirectoryMatch>

to match all users' public_html directories but the warning message about authentication headers in IPS AdminCP API Key settings hasn’t gone away.

Also modified:


   SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$0

to 

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

Using an API key via URL query works okay on the core hello endpoint, but no luck using a header instead, I still get:

REQUEST DATA

[]

RESPONSE

{ "errorCode": "3S290\/9", "errorMessage": "INVALID_ACCESS_TOKEN" }

Edited by The Old Man

After double-checking this regex, I found I needed to change this:

<DirectoryMatch "^/home/(.*)/public_html$">
AllowOverride AuthConfig
</DirectoryMatch> 

to:

<DirectoryMatch "^\/home\/(.*)\/public_html$">
AllowOverride AuthConfig
</DirectoryMatch>

in order to get a valid regex match on my host's public_htmls, but after restarting Apache the AdminCP warning still shows the server doesn't support Authentication headers.

Edited by The Old Man

I finally got the POST request to get the oAuth token to work using API-Tester and it shows as successful in the AdminCP log, however I can’t seem to make an actual GET request using the generated access token.

If I try using the workaround X-Authorization header with Bearer Access Token, it returns the source code of a 500 error page.

If I try using the standard Authorization header I get:

Quote

{
  "errors": [
    {
      "message": "INVALID_API_KEY",
      "id": "3S290_graphql/7"
    }
  ]
}

 

I have a lot of errors in the system log, but that may be a result of my failures while trying to get it to work.
 

I also noticed some small errors in the documentation help guide. It says that the Access Tokens are 97 characters long, mine is actually 98.

The oAuth (Advanced) demo code for making a request with the supplied token is actually using an API key which led to some confusion on my part because the generated access token is much longer and includes the key.

<?php
      $communityUrl = 'https://www.example.com/ips4/';
      $accessToken = 'c7a349a1629f02cd2855a58d77646f6d';
      $endpoint = '/core/hello';

      $curl = curl_init( $communityUrl . 'api' . $endpoint );
      curl_setopt_array( $curl, array(
          CURLOPT_RETURNTRANSFER	=> TRUE,
          CURLOPT_USERAGENT		=> "MyUserAgent/1.0",
          CURLOPT_HTTPHEADER	=> array( "Authorization: Bearer {$accessToken}" ),
      ) );
      $response = curl_exec( $curl );
Edited by The Old Man
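
A diagnostic for the symptom discussed in this thread, added here as an example (it is not code from any poster or from IPS): it reports which server variable, if any, still carries the Authorization header by the time PHP runs. The function name `locateAuthorization` is hypothetical, and only the scheme and credential length are reported, so the length can be compared with the issued token without exposing it.

```php
<?php
declare(strict_types=1);

// Added example: report where (if anywhere) the Authorization header is
// visible to PHP. Function name is hypothetical, not part of IPS.

/**
 * @param array      $server  normally $_SERVER
 * @param array|null $headers normally apache_request_headers(), or null if unavailable
 * @return array{source: ?string, scheme: ?string, length: int}
 */
function locateAuthorization(array $server, ?array $headers): array
{
    // Places the header can end up, depending on the PHP handler and on
    // whether an internal rewrite prefixed the variable with REDIRECT_.
    $candidates = [];
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            $candidates['$_SERVER[' . $key . ']'] = (string) $server[$key];
        }
    }
    foreach ($headers ?? [] as $name => $value) {
        if (strcasecmp((string) $name, 'Authorization') === 0 && $value !== '') {
            $candidates['apache_request_headers()'] = (string) $value;
        }
    }
    if ($candidates === []) {
        return ['source' => null, 'scheme' => null, 'length' => 0];
    }
    $source = array_key_first($candidates);
    $value  = $candidates[$source];
    // Report only the scheme ("Bearer", "Basic") and the credential length,
    // never the credential itself.
    $parts = explode(' ', trim($value), 2);
    return [
        'source' => $source,
        'scheme' => $parts[0],
        'length' => strlen($parts[1] ?? ''),
    ];
}

// When requested over HTTP, answer with the redacted finding as JSON.
if (PHP_SAPI !== 'cli') {
    $headers = function_exists('apache_request_headers') ? apache_request_headers() : null;
    header('Content-Type: application/json');
    echo json_encode(locateAuthorization($_SERVER, $headers ?: null));
}
```

Request the script with an `Authorization: Bearer` header set; a `null` source means the header is being dropped before PHP sees it. Delete the file once the check is done.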