I can RingOut successfully requesting:
https://platform.ringcentral.com/restapi/v1.0/account/~/extension/~/ring-out
But when I want to add the extension id I get a CMN-102 error (Resource for parameter [extensionId] is not found) see request example below:
https://platform.ringcentral.com/restapi/v1.0/account/~/extension/279580017/ring-out
I'm pretty certain I have the correct id as I'm grabbing the extensionId from the request below successfully:
https://platform.ringcentral.com/restapi/v1.0/account/~/extension
If anyone has run into this or can point out any potential pitfalls I would very much appreciate some pointers.
From your post and the error you are receiving, I'm assuming you are attempting to perform a RingOut with an extensionId that did not authorize your app. Attempting to do this will result in the error you received. Here's more information on this.
RingOut ExtensionId Scope
The RingOut API only supports using extensionId path parameter for the authorizing user extension. Because of this, all you ever need to call is the following endpoint for RingOut:
POST /restapi/v1.0/account/~/extension/~/ring-out
If you want to use the explicit extensionId, it needs to be the extensionId returned in the following endpoint:
GET /restapi/v1.0/account/~/extension/~
If you call the endpoint with a path extensionId parameter that did not authorize the access token being used, then you will receive the:
Non-Matching ExtensionId Error
If you attempt to perform a RingOut with a path extensionId value that is not the authorizing user, you will receive a HTTP status 404 error with the following body:
HTTP/1.1 404 Not Found
{
"errorCode": "CMN-102",
"message": "Resource for parameter [extensionId] is not found",
"errors": [
{
"errorCode": "CMN-102",
"message": "Resource for parameter [extensionId] is not found",
"parameterName": "extensionId"
}
],
"parameterName": "extensionId"
}
How to Perform RingOut for Many Users
To perform RingOut for many users at this time, you will need to do either of the following:
each user will have to perform an authorization with your app, either through a login pop-up via OAuth 2.0 authorization code or implicit grant.
alternately, you can ask them for their passwords to perform OAuth 2.0 password grant authorization.
A number of OAuth 2.0 demo apps are available on our GitHub accounts:
https://ringcentral.github.io/tutorials/
https://github.com/ringcentral/ringcentral-demos-oauth
Enhancement Request
If you would like the ability to RingOut to any user without an active session, let us know and we can consider it as a feature enhancement. The best way is to login to our Community with your RingCentral account and post a request here:
https://devcommunity.ringcentral.com/ringcentraldev
Related
Here are the seemingly clear instructions from Amazon.
Simply send the following: sellingPartnerId, developerId, and mwsAuthToken
I do this with httparty like so:
query = {
sellingPartnerId: "A3Kxxxxx",
developerId: "753xxxx",
mwsAuthToken: "amzn.mws.8abxxxxx-xxxx-xxxx-xxxx-xxxxxx",
}
and then
send = HTTParty.get("https://sellingpartnerapi-na.amazon.com/authorization/v1/authorizationCode",
query: query
)
This returns the following error:
{"errors"=>
[{"message"=>"Access to requested resource is denied.",
"code"=>"MissingAuthenticationToken"}]}
I've adjusted the call everyway I've seen. I've read the following articles:
This
This
Paged through the 695 issues on github for this API and still no luck.. I've adjusted my query to this with no luck either:
query = {
grant_type: "client_credentials",
sellingPartnerId: "A3K98Oxxxxxx",
developerId: "753xxxxxxxx",
mwsAuthToken: "amzn.mws.8abxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx",
client_id: "amzn1.application-oa2-client.xxxxxxxxxxxxxxxxxxxxxxxx",
client_secret: "a473e76XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
scope: "sellingpartnerapi::migration"
}
Nothing I've tried has worked.. Any suggestions? Has anyone actually migrated their MWS to SP-API credential successfully?
Unfortunately the specific Amazon docs that you link to don't tell the whole story. There are a few other requirements you'll need in order to get the authorizationCode response that you're looking for:
Amazon OAuth Token
You'll need an access token from Amazon's OAuth API (an entirely different API). You can use the grantless workflow for this, since in your case the user hasn't actually authorized the SP-API yet:
POST https://api.amazon.com/auth/o2/token
body: {
grant_type: 'client_credentials',
scope: 'sellingpartnerapi::migration',
client_id: 'amzn1.application-oa2-client.xxxxxxxxxxxxxxxxxxxxxxxx',
client_secret: 'a473e76XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
}
This will return an access_token that you'll need for your actual migration request to https://sellingpartnerapi-na.amazon.com/authorization/v1/authorizationCode. The response will look something like:
{
"access_token": "Atc|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"scope": "sellingpartnerapi::migration",
"token_type": "bearer",
"expires_in": 3600
}
Important: Take the access_token value from that response and add it as an x-amz-access-token header to your /authorization/v1/authorizationCode request.
Sign Your Request
This is the actual reason behind the error you're receiving. An unsigned request will not include the "authorization token" that you're being prompted for.
You'll need to sign your request using Amazon's SigV4 signing mechanism. It looks like you're using Ruby (HTTParty), so you can use the aws-sdk's Aws::Sigv4::Signer for this. You'll need to have setup IAM credentials as documented in the generic developer guide, and those credentials being provided to your Aws::Sigv4::Signer somehow (hardcoding, env vars, Aws::SharedCredentials, etc.)
Request signing will result in a few proprietary headers being added to your request. Once this is done, you should have all that you need to make the request successfully.
I'm providing an external-facing REST GET API service in a kubernetes pod on AWS EKS. I had configured an ALB Ingress for this service which enforces Cognito user pool authentication. Cognito is configured with Authorization code grant with the openid OAuth scope enabled.
If I invoke my REST API from the browser, I get redirected to the Cognito login page. After a sucessful authentication on the form here, I can access my REST GET API just fine. This works, but this is not what I'd like to achieve.
Instead of this, I would need to use a Bearer token, after getting successfully authenticated. So first I invoke https://cognito-idp.ap-southeast-1.amazonaws.com using Postman with the request:
"AuthParameters" : {
"USERNAME" : "<email>",
"PASSWORD" : "<mypass>",
"SECRET_HASH" : "<correctly calculated hash>"
},
"AuthFlow" : "USER_PASSWORD_AUTH",
"ClientId" : "<cognito user pool id>"
}
and I get a successful response like:
"AuthenticationResult": {
"AccessToken": "...",
"ExpiresIn": 3600,
"IdToken": "...",
"RefreshToken": "...",
"TokenType": "Bearer"
},
"ChallengeParameters": {}
}
In the last step I'm trying to invoke my REST API service passing the Authorization HTTP header with the value Bearer <AccessToken> but I still get a HTML response with the login page.
How can I configure Cognito to accept my Bearer token for this call as an authenticated identity?
Quoting AWS support on this topic: "the Bearer token can not be used instead of the session cookie because in a flow involving bearer token would lead to generating the session cookie".
So unfortunately this usecase is not possible to implemented as of today.
STANDARD BEHAVIOUR
I would aim for a standard solution, which works like this:
API returns data when it receives a valid access token, or a 401 if the token is missing, invalid or expired - the API never redirects the caller
UIs do their own redirects to the Authorization Server when there is no token yet or when a 401 is received from the API
If it helps, my OAuth Message Workflow blog post demonstrates the 3 legged behaviour between UI, API and Authorization Server.
API GATEWAY PATTERN
It is perfectly fine to use an API Gateway Design Pattern, where token validation is done via middleware before hitting your API.
However that middleware must return a 401 when tokens are rejected rather than redirecting the API client.
IMPACT OF APIs REDIRECTING THE CLIENT
This may just about work for web UIs, though user experience will be limited since the UI will have no opportunity to save the user's data or location before redirecting.
For mobile / desktop apps it is more problematic, since the UI must redirect using the system browser rather than a normal UI view - see the screenshots on my Quick Start Page.
CHOICES
Any of these solutions would be fine:
Possibly the middleware you are using can be configured differently to behave like a proper API Gateway?
Or perhaps you could look for alternative middleware that does token validation, such as an AWS Lambda custom authorizer?
Or do the OAuth work in the API's code, as in this Sample API of mine
MY PREFERENCE
Sometimes I prefer to write code to do the OAuth work, since it can provide better extensibility when dealing with custom claims. My API Authorization blog post has some further info on this.
There is documentation for test users in the Facebook Developer online documentation but how do you delete actual users where the application doesn't show in their app list anymore? This is with the knowledge of the access_token and facebook_user_id.
Used to delete Test Users:
https://graph.facebook.com/893450345999?method=delete&access_token=A2ADI1YMySweBABBGrWPNwKMlubZA5ZCrQbxwhtlEd9FIQUrOVjsGD3mnIWEbUhzDz7dkuBekMFdHvjvJ9CZAU7EMSSaZBsgN60FkMCi3AAZDZD
Running the test user link produces the following error:
"error": {
"message": "(#100) Can only call this method on valid test users for your app",
"type": "OAuthException",
"code": 100
}
You seek for application de-authorization:
You can de-authorize an application or revoke a specific extended permissions on behalf of a user by issuing an HTTP DELETE request to PROFILE_ID/permissions with a user access_token for that app.
permission - The permission you wish to revoke. If you don't specify a permission then this will de-authorize the application completely.
To achieve this issue request to:
https://graph.facebook.com/me/permissions?method=delete&access_token=...
Once application de-authorized it will not appear in the list of user's applications.
Update December 2021
Follow the reference for Requesting & Revoking Permissions:
To remove single permission issue a DELETE request to /{user-id}/permissions/{permission-name} passing user access token or an app access token
To de-authorize an app completely issue similar request to the /{user-id}/permissions endpoint
Real users 'delete' themselves from your app when they remove your app from their account, you don't have to do anything.
If you would like to know when users de-authorize your app like this, you can specify a Deauthorize Callback URL in your app's settings. As described in the docs at https://developers.facebook.com/docs/authentication/:
Upon app removal we will send an HTTP POST request containing a single parameter, signed_request, which, once decoded, will yield a JSON object containing the user_id of the user who just deauthorized your app. You will not receive an user access token in this request and all existing user access tokens that were previously issued on behalf of that user will become invalid.
UPDATE: To remove your own app from the user's authorized applications, issue an HTTP DELETE to https://graph.facebook.com/[userid]/permissions?access_token=... as per https://developers.facebook.com/docs/reference/api/user/.
Typically Graph API calls also support doing an HTTP POST with an extra parameter, method=DELETE, in case DELETE calls are not possible/supported.
To do it:
You must have the user access token.
Visit https://developers.facebook.com/tools/debug/accesstoken/ and debug the user access token.
Copy App-Scoped User ID
Via API call HTTP DELETE to https://graph.facebook.com/[App-Scoped User ID]/permissions?method=delete&access_token=[YOUR-APP-ACCESS-TOKEN]
Following the Ads API docs for reachestimate (http://developers.facebook.com/docs/reference/ads-api/reachestimate/), I received a "false" response when calling
https://graph.facebook.com/act_0000000000000000/reachestimate?currency=EUR&targeting_spec={'countries':['US']}&access_token=___
(Note: act_0000000000000000 is my user Id and _ is my access token - these tokens work correctly for other Ads API calls).
Using the Graph API Explorer tool, I receive the following response on this API call
{
"error": {
"message": "(#10) Application does not have permission for this action",
"type": "OAuthException",
"code": 10
}
}
However, when I call
https://graph.facebook.com/1111111111111111/reachestimate?currency=EUR&targeting_spec={'countries':['US']}&access_token=___
where 1111111111111111 is an adgroup, I get a valid data structure.
Has anyone come across this elsewhere? Is there a "magic" setting somewhere that enables this capability on the user account (enabled for ads_management, offline_access)?
Any thoughts very welcome.
Thank you.
Thanks #Igy - just confirmed that my issue was indeed the misuse of my UserID in account field - have since migrated these queries to use the designated account ID and works as expected.
I'm trying to post a score from my server.
I have my app set up as a game.
I've got my app access token.
I'm POSTing to https://graph.facebook.com/USER_ID/scores
I have authorized and given publish_stream and publish_actions permissions to my app for the USER_ID (which is me).
However, an error is telling me that I need a user access token for that action, which I don't as Facebook states here: https://developers.facebook.com/docs/score/
Create or update a score for a user
You can post a score or a user by issuing an HTTP POST request to
/USER_ID/scores with the app access_token as long as you have the
publish_actions permission.
I've seen a similar question but it was unanswered: Facebook Graph API Explorer won't POST scores (they've ended up creating a new app, which is not a real solution)
To verify that it's not me who is incorrectly using the API, I went to Graph API explorer and tried it also there with the same access token, no luck:
Funny, that if I follow what it says and try the same with my user access token, it then says: This method must be called with an app access_token.
Is there something that I'm missing or is there a bug with the Graph API?
Thanks,
Can.
It looks like you have everything correct, but there's one relatively little-known case which will produce that error message.
Check the 'App Type' field in the Advanced Settings:
If this is set to 'Native/Desktop' instead of 'Web' in the Advanced settings, it's assumed that your app's binary/native distribution contains the app secret.
In this configuration, API calls made with the app access token are untrusted, effectively the token is completely ignored.
Change the app settings back to 'Web' and you should be able to post or delete Scores and/or Achievements with the App Access Token
If this is the issue, you can quickly verify if with a call to
https://graph.facebook.com/app?fields=migrations&access_token=[APP ACCESS TOKEN HERE]
In 'Web' mode, the response contains the migration settings for the app, something like:
{
"migrations": {
"secure_stream_urls": false,
"expiring_offline_access_tokens": false,
"requires_login_secret": false,
//etc
}
In 'Native/Desktop' mode, the app access token is untrusted, so you can't access the app's private data, and the response is:
{
"error": {
"message": "An unknown error has occurred.",
"type": "OAuthException",
"code": 1
}
}