Magento 2 – Where Does the OAuth Verifier Token Come From?

integrationmagento2oauth

Per the developer documentation, when making a request for an access token, you need to include a verifier token

oauth_verifier. The verification code that is tied to the consumer and request token.

However, there's nothing in the documentation that mentions where this verifier token comes from. I would presume it comes from the request for an access token, but the documentation doesn't reflect this.

Hoping somewhere here knows the answer ans saves me the headache of tracing out the oAuth process

Best Answer

Think I've got this one figured out. When you authorize an integration, Magento makes a POST to the integration's callback URL. This information includes the verifier token.

Called Array
(
    [oauth_consumer_key] => 2unvs7ccym............77kvlxx1rp
    [oauth_consumer_secret] => 1skp6............yy842a49xrjkaqb
    [store_base_url] => http://magento-2-0-4.dev/
    [oauth_verifier] => ku8wjnqxuxj98x0ruwf............4
)

Tangentially -- as the client/app owner, you use the consumer key and consumer secret to POST to /oauth/token/request and get a request token and a request token secret. You use the request token along with the oauth verifier when you request a access token from /oauth/token/access. The request token secret is not used directly, but it is used indirectly. The secret is used to sign the request made to /oauth/token/access.

Related Solutions

Magento 2 – Changing Expiration Time for oAuth Token Request in Backend

I think what you're looking for can be found under Admin > Stores > Configuration > Services > OAuth tab:

The interesting thing is that default value is not 3 minutes but actually 5 minutes (300 seconds).

The default values are set under \app\code\Magento\Integration\etc\config.xml:

<default>
    <oauth>
        <cleanup>
            <cleanup_probability>100</cleanup_probability>
            <expiration_period>120</expiration_period>
        </cleanup>
        <consumer>
            <expiration_period>300</expiration_period>
            <post_maxredirects>0</post_maxredirects>
            <post_timeout>5</post_timeout>
        </consumer>
        <authentication_lock>
            <max_failures_count>6</max_failures_count>
            <timeout>1800</timeout>
        </authentication_lock>
    </oauth>
</default>

Another interesting thing is that, on top of this default value, an extra default value is defined under \app\code\Magento\Integration\Helper\Oauth\Data.php:

const CONSUMER_EXPIRATION_PERIOD_DEFAULT = 300;

This value is used in case the expiry is set to a negative number:

public function getConsumerExpirationPeriod()
{
    $seconds = (int)$this->_scopeConfig->getValue(
        self::XML_PATH_CONSUMER_EXPIRATION_PERIOD,
        \Magento\Store\Model\ScopeInterface::SCOPE_STORE
    );
    return $seconds > 0 ? $seconds : self::CONSUMER_EXPIRATION_PERIOD_DEFAULT;
}

NB: the screenshot is from a 2.0.0 install, I reckon an Authentication lock section has been added since.

Magento – Rest api oauth token empty

This seems a problem of mod_rewrite OR SymLinks.

Please enable mod_rewrite :

sudo a2enmod rewrite

Now edit apache config file :

sudo gedit /etc/apache2/apache2.conf

and replace this code :

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride none
Require all granted
</Directory>

with

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>

Note: changed AllowOverride none to AllowOverride All

Now restart apache sudo service apache2 restart and check. This may fix your issue.

Best Answer

Related Solutions

Magento 2 – Changing Expiration Time for oAuth Token Request in Backend

Magento – Rest api oauth token empty

Related Topic