Per the developer documentation, when making a request for an access token, you need to include a verifier token:
oauth_verifier: The verification code that is tied to the consumer and request token.
However, there’s nothing in the documentation that mentions where this verifier token comes from. I would presume it comes from the request for an access token, but the documentation doesn’t reflect this.
Hoping someone here knows the answer and saves me the headache of tracing out the OAuth process.
Think I’ve got this one figured out. When you authorize an integration, Magento makes a POST to the integration’s callback URL. This information includes the verifier token.
Called Array ( [oauth_consumer_key] => 2unvs7ccym............77kvlxx1rp [oauth_consumer_secret] => 1skp6............yy842a49xrjkaqb [store_base_url] => http://magento-2-0-4.dev/ [oauth_verifier] => ku8wjnqxuxj98x0ruwf............4 )
Tangentially — as the client/app owner, you use the consumer key and consumer secret to POST to /oauth/token/request and get a request token and a request token secret. You use the request token along with the oauth verifier when you request an access token from /oauth/token/access. The request token secret is not used directly, but it is used indirectly. The secret is used to sign the request made to
Magento 2 uses OAuth 1.0 based authentication for web APIs. At first, looking at the documentation, you will feel messed up. But if you have some background in OAuth, you will easily guess what is next and why!
Let us understand it step by step (You can skip the steps you have already done or understand to proceed):
Step 1: Log in to the Admin Panel and go to Admin Panel -> System -> Integrations -> Add New Integration
Here provide the Integration Details and Check the APIs which you want to be accessible using this integration. Here it is in more detail.
Store the CONSUMER_KEY and CONSUMER_KEY_SECRET. We will use them in the next step.
Step 2. Open REST Client (For Example: Postman Rest Client). Send the request
Add the headers Content-Type and Accept with value application/json
And hit [Send].
You will receive a response oauth_token=
This is a temporary token you can use to communicate further.
where this verifier token comes from. I would presume it comes from the request for an access token, but the documentation doesn’t reflect this.
Step 3 [A]. Getting the access token. Here is the twist. The Magento framework relies on three types of requests;
Guest is the least privileged user, and can access only public/anonymous APIs. Let us suppose I am a customer, and I want to get authenticated. Suddenly there comes a point: "Show me you are my customer / provide credentials." Now the customer needs to log in.
Move to Body tab and select Raw radio button and JSON(application/json). Fill the login credential payload
Now click on [Send].
Voila!!! Here it is. The response you just received was the verifier_key that you were scratching your head over. Now you may be feeling comfortable, and will guess the next step.
Step 3 [B]. The current version of the Postman client is unable to set the VERIFIER_KEY in the Authorization header, so you will need to use a cURL client tool. These steps are somewhat cumbersome, but currently I felt it is the only way to demonstrate here.
In the Postman REST client, fill in the form the same as in Step 3 [A]. Now click on [code] as shown in the snapshot. From the pop-up, select cURL and click Copy To Clipboard.
Open an online cURL client tool. I have used http://onlinecurl.com/. Update the Authorization header by appending the oauth_verifier as below:
Authorization: OAuth oauth_signature_method="HMAC-SHA1", oauth_consumer_key="your_consumer_key", oauth_version="1.0", oauth_timestamp="1482575080", oauth_nonce="2142790194", oauth_verifier="THE_OAUTH_VERIFIER_YOU_RECEIVED", oauth_token="your_oauth_request_token", oauth_signature="HMAC-SHA1_SIGNATURE_GENERATED_BY_POSTMAN_CLIENT"
The response will look like this:
Now you can use this token for further communication.
Note: Similarly, Admin also gets authenticated, except he uses the integration/admin/token URL to log in.
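Added example, not part of either answer above and not Magento's code: a sketch of generic OAuth 1.0a (RFC 5849) HMAC-SHA1 signing for the /oauth/token/access request, showing that oauth_verifier is one of the signed parameters and that the request token secret enters only through the signing key. The host, credential values and function names are constructed for illustration, and the URL is assumed to carry no query string.

```python
import base64, hashlib, hmac
from urllib.parse import quote, unquote

URL = "https://magento.example/oauth/token/access"  # constructed host, path from the page

def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay unescaped
    return quote(value, safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    # Normalized parameters: encoded, sorted, joined with "&"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), pct(url), pct(normalized)])
    # Signing key: consumer secret and token secret joined by "&"
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def access_token_header(url, consumer_key, consumer_secret, request_token,
                        request_token_secret, verifier, timestamp, nonce):
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": request_token,
        "oauth_verifier": verifier,  # value delivered to the callback URL
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("POST", url, params,
                                     consumer_secret, request_token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(params.items()))

def verify(method, url, header, consumer_secret, token_secret):
    # Receiving side: recompute the signature and compare in constant time
    items = header[len("OAuth "):].split(",")
    fields = dict(item.strip().split("=", 1) for item in items)
    params = {k: unquote(v.strip('"')) for k, v in fields.items()}
    supplied = params.pop("oauth_signature")
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(supplied, expected)

if __name__ == "__main__":
    # All credential values below are constructed placeholders
    print(access_token_header(URL, "ck-constructed", "cs-constructed",
                              "rt-constructed", "rts-constructed",
                              "verifier-constructed", "1482575080", "2142790194"))
```

Because the verifier is inside the signature base string, a header whose oauth_verifier was altered after signing no longer verifies, and neither does one signed without the request token secret.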
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.