Magento – Getting 403 Forbidden response with REST API on CE 1.9.1.0


I'm using this link as my model for testing the REST API, and I get all the way through the authorize prompt to a "403 Forbidden" response (this is for both the customer and admin examples).

Invalid auth/bad request (got a 403, expected HTTP/1.1 20X or a redirect)
{"messages":{"error":[{"code":403,"message":"Access denied"}]}}

STEP 1 – I access this example URL: http://mywebsite.net/oauth_admin.php

STEP 2 – I see the login prompt and log in, along with seeing the token in the URL: http://mywebsite.net/admin/oauth_authorize?oauth_token=a35aa73f8bda2fce1d5d4db25628129d

STEP 3 – I get the desired authorize prompt:

STEP 4 – I click authorize and I get the above 403 response.

I have setup the REST user and role as according to the instructions at the above link, and believe I have followed all other steps – multiple times. I'm at a loss as to why this fails.

Has anyone else experienced this issue? I've also tried using the Firefox and Chrome API extensions with the same result.

UPDATE:
I found that someone else solved this issue when the request was passed over HTTPS. There is nothing in the tutorials mentioning a prereq SSL. Has anyone else successfully used REST without SSL? See their solution here: Why do I get unauthorized for REST API

Best Answer

I can give you a workable example:

System / Web Services / REST Roles

Role info:
    Role Name: admin
    Password: 123123
Role API resources:
    Resources access: All
Role Users:
    I have assigned admin user

System / Web Services / REST Attributes / Select {Admin}

Resources access: All

System / Web Services / REST OAuth Consumers

My magento url is http://mg1910.local.dev/

My http://mg1910.local.dev/oauth_admin.php is following:

<?php

/* live server */
$host = 'http://mg1910com.local.dev/';
$consumerKey    = '7e14cd85d05456c3e4de9e3c5c5f61e4';
$consumerSecret = 'f8aab713fa50504f0fac99d564ecaf7a';
/* << live server */


// OAuth 1.0a endpoints exposed by Magento 1.x; the callback is this script itself.
$callbackUrl = "http://mg1910com.local.dev/oauth_admin.php";
$temporaryCredentialsRequestUrl = $host . "oauth/initiate?oauth_callback=" . urlencode($callbackUrl);
$adminAuthorizationUrl = $host . "admin/oauth_authorize";
$accessTokenRequestUrl = $host . "oauth/token";
$apiUrl = $host . "api/rest";

session_start();
// 'state' tracks the leg of the flow: 0 = start, 1 = request token issued, 2 = access token held.
if (!isset($_SESSION['state'])) {
    $_SESSION['state'] = 0;
}
// Coming back without a token while a request token is pending: restart the flow.
if (!isset($_GET['oauth_token']) && isset($_SESSION['state']) && $_SESSION['state'] == 1) {
    $_SESSION['state'] = 0;
}
try {
    // Once an access token exists, send OAuth parameters in the Authorization header; before that, in the URI.
    $authType = ($_SESSION['state'] == 2) ? OAUTH_AUTH_TYPE_AUTHORIZATION : OAUTH_AUTH_TYPE_URI;
    $oauthClient = new OAuth($consumerKey, $consumerSecret, OAUTH_SIG_METHOD_HMACSHA1, $authType);
    $oauthClient->enableDebug();

    if (!isset($_GET['oauth_token']) && !$_SESSION['state']) {
        // Leg 1: obtain a request token, then send the admin to the authorize page.
        $requestToken = $oauthClient->getRequestToken($temporaryCredentialsRequestUrl);
        $_SESSION['secret'] = $requestToken['oauth_token_secret'];
        $_SESSION['state'] = 1;
        header('Location: ' . $adminAuthorizationUrl . '?oauth_token=' . $requestToken['oauth_token']);
        exit;
    } else if ($_SESSION['state'] == 1) {
        // Leg 2: the admin authorized the request token; exchange it for an access token.
        $oauthClient->setToken($_GET['oauth_token'], $_SESSION['secret']);
        $accessToken = $oauthClient->getAccessToken($accessTokenRequestUrl);
        $_SESSION['state'] = 2;
        $_SESSION['token'] = $accessToken['oauth_token'];
        $_SESSION['secret'] = $accessToken['oauth_token_secret'];
        header('Location: ' . $callbackUrl);
        exit;
    } else {
        // Leg 3: call the REST API with the access token.
        $oauthClient->setToken($_SESSION['token'], $_SESSION['secret']);
        $resourceUrl = "$apiUrl/products?limit=3";
        //$oauthClient->fetch($resourceUrl, array(), 'GET', array('Content-Type' => 'application/json'));
        $oauthClient->fetch($resourceUrl, array(), 'GET', array('Content-Type' => 'application/xml', 'Accept' => '*/*'));
        $productsList = json_decode($oauthClient->getLastResponse());
        echo "<pre>";
        print_r($productsList);
    }
} catch (OAuthException $e) {
    // The raw response body usually carries Magento's error JSON (e.g. the 403 "Access denied").
    print_r($e->getMessage());
    echo "<br/>";
    print_r($e->lastResponse);
}

As you can see, my script receives 3 products.

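The PHP OAuth extension in the answer hides the HMAC-SHA1 signing that Magento's REST endpoints check on every leg. The following is an added example, not code from the question, the answer or Magento: a minimal RFC 5849 signer and verifier in Python for the first leg (oauth/initiate). The host is the answer's; the consumer key, secret, nonce and timestamp are constructed placeholders. It also shows that the URL scheme is part of the signed base string, so a client signing over http:// and a server reconstructing the base string over https:// will never agree.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote
def pct(value):
    """RFC 5849 section 3.6 encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, base_url, params):
    """METHOD & encoded base URL & encoded sorted 'k=v' pairs (RFC 5849 3.4.1).
    base_url has no query; query parameters (Magento's oauth_callback=...) go in params."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is consumer_secret '&' token_secret; the token secret is empty on initiate."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_request(method, base_url, oauth_params, consumer_secret, token_secret=""):
    """Client side: return the parameters with oauth_signature attached."""
    base_string = signature_base_string(method, base_url, oauth_params)
    signature = hmac_sha1_signature(base_string, consumer_secret, token_secret)
    return {**oauth_params, "oauth_signature": signature}

def verify_request(method, base_url, params, consumer_secret, token_secret=""):
    """Server side: recompute over every parameter except the signature itself."""
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    base_string = signature_base_string(method, base_url, unsigned)
    expected = hmac_sha1_signature(base_string, consumer_secret, token_secret)
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)

# Constructed sample for the first leg (oauth/initiate) against the answer's host;
# consumer key/secret, nonce and timestamp are placeholders, not real credentials.
INITIATE_URL = "http://mg1910.local.dev/oauth/initiate"
CONSUMER_SECRET = "examplesecret"
INITIATE_PARAMS = {
    "oauth_callback": "http://mg1910.local.dev/oauth_admin.php",
    "oauth_consumer_key": "examplekey",
    "oauth_nonce": "abc123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1420070400",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    print(sign_request("GET", INITIATE_URL, INITIATE_PARAMS, CONSUMER_SECRET)["oauth_signature"])
```

For the second and third legs the same functions apply with the request-token or access-token secret passed as token_secret.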