[API] OAuth1.0 request token request failing / Consumer key has expired

[nyov]

While trying to go the long route and get an OAuth1.0 request token via POST /oauth/token/request (as explained in the devdocs) I'm having these issues.

I tested these with both (and getting the same results)

• a freshly created "Integration" without activating it (only Consumer Key & Secret exist)
• an activated "Integration" (through the backend) with (unused) Accress Token & Secret

Variant 1, using POST body:

The server returns a HTTP/1.1 500 Internal Server Error.

tcpdump:

POST /oauth/token/request HTTP/1.1
Host: magento2.local
Content-Length: 250
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.4.3 CPython/2.7.8
Connection: keep-alive
content-type: application/x-www-form-urlencoded

oauth_version=1.0&oauth_nonce=6b3dcfe588fcc4c6fceefdc10024a41d680f3779&oauth_timestamp=1418902037&oauth_signature=CdC6L9j8NWK6TZwCaI%2Fmevusqcg%3D&oauth_consumer_key=vdowjpsll6bmob27416mw0yx26a00obd&oauth_signature_method=HMAC-SHA1&oauth_callback=oob

HTTP/1.1 500 Internal Server Error
Date: Thu, 18 Dec 2014 11:27:17 GMT
Server: Apache/2.4.10
Set-Cookie: private_content_version=bd03c1e60f365f81666c2093da991bc0; expires=Sun, 15-Dec-2024 11:27:17 GMT; Max-Age=315360000; path=/
Set-Cookie: PHPSESSID=vc9fsu4id7t8fuvia8jjrpa264; expires=Thu, 18-Dec-2014 12:27:17 GMT; Max-Age=3600; path=/; domain=magento2.local; HttpOnly
Set-Cookie: X-Magento-Vary=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Expires: Wed, 18 Dec 2013 11:27:17 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

d0
oauth_problem=internal_error%26message%3DNotice%3A+Undefined+index%3A+oauth_version+in+%2Fthis%2Fis%2Fsome%2Fprivate%2Fpath%2Fmagento2.git%2Flib%2Finternal%2FMagento%2FFramework%2FOauth%2FOauth.php+on+line+63
0

Unquoted:
oauth_problem=internal_error&message=Notice:+Undefined+index:+oauth_version+in+/this/is/some/private/path/magento2.git/lib/internal/Magento/Framework/Oauth/Oauth.php+on+line+63

https://github.com/magento/magento2/blob/master/lib/internal/Magento/Framework/Oauth/Oauth.php#L63
That line checks for $params['oauth_version'], but as the dump should show the param is included.

I concluded that Magento2 is now exclusively checking Authorization headers instead.

Variant 2, using Authorization Headers:

The server returns a HTTP/1.1 401 Unauthorized message.

tcpdump:

POST /oauth/token/request HTTP/1.1
Host: magento2.local
Content-Length: 0
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.4.3 CPython/2.7.8
Connection: keep-alive
content-type: application/x-www-form-urlencoded
Authorization: OAuth realm="",oauth_nonce="74b6b19dfc80aaa84bf4faf4c548b509cf92a71c",oauth_timestamp="1418903145",oauth_consumer_key="vxklyge1xp45q2o3afwyyjtg8ga15i58",oauth_signature_method="HMAC-SHA1",oauth_version="1.0",oauth_signature="cA84%2Bt0O2ym3cVHE%2FdXz1Pwwn8E%3D"

HTTP/1.1 401 Unauthorized
Date: Thu, 18 Dec 2014 11:45:45 GMT
Server: Apache/2.4.10
Set-Cookie: private_content_version=8a7cda19058a4697834d07a7c0f4c1d4; expires=Sun, 15-Dec-2024 11:45:45 GMT; Max-Age=315360000; path=/
Set-Cookie: PHPSESSID=c9i34gpd023q8h37ogc9b6k0p4; expires=Thu, 18-Dec-2014 12:45:45 GMT; Max-Age=3600; path=/; domain=magento2.local; HttpOnly
Set-Cookie: X-Magento-Vary=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Expires: Wed, 18 Dec 2013 11:45:45 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

26
oauth_problem=Consumer+key+has+expired
0

(Consumer key has expired)
This seems to be the real issue here, the expiration time check.

Of course I verified that I'm actually sending the consumer key&secret as displayed in the backend.

As an aside, the library used to build the OAuth requests is mature (and working with magento1).

[nyov]

Digging into this I found the following.
The expiration period seems to be relatively small (300 seconds).

So I went as fast as possible, creating a new integration, copy&pasting the credentials, and testing.

This is what I got from some debug prints in https://github.com/magento/magento2/blob/master/app/code/Magento/Integration/Model/Oauth/Token/Provider.php#L68:

timestamp: 1418958698 (2014-12-19T03:11:38)
consumerTS: 1418954902 (2014-12-19T02:08:22)
expiry: 300
timestamp - consumerTS > expiry ?: 3796
oauth_problem=Consumer+key+has+expired

This seems to be partially a timezone offset issue at some stage here,
system time is UTC in both client and magento (same hardware clock);
magento's installation timezone is UTC+1.

If I'm seeing this correctly, this means the OAuth API user always needs to know and use the server's timezone. it looks like $consumerTS = strtotime($consumer->getCreatedAt()); and $this->_date->timestamp() functions disagree on which timezone to use.

[nyov]

Setting the expiration time in the backend sufficiently high to account for the timezone offset,
the check succeeds.
The next message, when the Integration was not activated via the backend, is:

oauth_problem=A+token+with+consumer+ID+3+does+not+exist

IF the Integration is activated, has an access token + secret already, the message is this:

oauth_problem=Cannot+create+request+token+because+consumer+token+is+not+a+verifier+token

I really do not know what this one is trying to tell me (consumer token??).

Thank you for reporting the issue. We are currently looking into it and will get back as soon as we have any updates.

[nyov]

Some additional notes:
The backend settings in Store Configuration > Oauth, for the Consumer Settings have this note about the Expiration Period:
"Disable consumer key/secret credentials if not used within X seconds."

This is not true at present, if it is the intended behavior. The consumer credentials will expire whether used or not.

Also, if the timeout value is increased by enough time, after a key has already expired, it will be active again. That's probably unexpected behavior.
But it also may not be a big issue (How often does one increase this value by another day).

Thanks for looking into it.

[anupdugar]

@nyov Please check out the latest code. We have pushed fixes to mitigate the Oauth consumer expiry issue. There are additional fixes for returning the correct HTTP response codes for Oauth related failures as well.
Let us know if this resolves the issue you reported.

We have noticed some discrepancy in devdocs and are working on fixing it.
Meanwhile here's a gist to demo the Oauth flow : https://gist.github.com/anupdugar/2870f28a5c108cc43df9

[muasir]

Closing based on @anupdugar comment.

[paul-sidd]

I tried the same thing,

1. created new integration in magento 2 through admin console.
2. Activated the new integration created in first step.
3. copied the consumer key and consumer secret.
4. using scribe framework, tried to access the request token key , but getting error

Exception in thread "main" org.scribe.exceptions.OAuthException: Response body is incorrect. Can't extract token and secret from this: 'oauth_problem=Cannot+create+request+token+because+consumer+token+is+not+a+verifier+token'

Can someone help to identify the root cause and the possible rectification?

[Lapinou42]

Hello,

After many hours of searching, I couldn't find a solution to get it working. I have the exactly same issue as @nyov . I'm using Magento 2.2.3. I created a freshly integration, copie/paste my consumer key/secret and tried to get an access token. I get all the time a 401 error with : oauth_problem=Consumer+key+has+expired.

Is it fixed in 2.2.3 ? I guess yes. I don't understand what's wrong.

Thank you for your feed-back.