ssossossosso

Forums

Covering OroCRM topics, including community updates and company announcements.  Subscribe

Open-Source CRM software Forums OroPlatform OroPlatform – How do I? Questions How to access REST API using API Key

This topic contains 6 replies, has 2 voices, and was last updated by  seddonm1 3 years, 3 months ago.

  • Creator
    Topic
  • #1233

    seddonm1
    Participant

    Hi,
    I have installed the OroCRM suite and am able to generate an API key (in the User configruation).

    I can see that there are multiple pre-defined REST interface routes for example:

    Route Name: oro_api_get_contactgroups
    Route: /api/rest/{version}/contactgroups.{_format}

    I can call the route (and can see in the debugger that the route is being matched) using the Chrome Advanced Rest Client Application which results in a 401 Unauthorized with this command:
    http://localhost/api/rest/current/contactgroups?api_key=df85fd9ebbb94c4a89319f4736322ee4d8c2a121

    Can you give advice on how to call the Oro REST interfaces with the API key for authentication?

    Cheers

Viewing 6 replies - 1 through 6 (of 6 total)
  • Author
    Replies
  • #1234

    Alexandr Smaga
    Participant

    Hello,

    We decided to use WSSE authorization for REST and SOAP APIs, so you have to generate WSSE header.

    You can user app/console oro:wsse:generate-header command for this.
    If you want to dive deeper, this article will be useful.

    #1242

    seddonm1
    Participant

    Thanks asmaga.

    I have used an online javascript wsse generator and used Chrome Advanced Rest Client to call them.

    I have done some testing and found if I call this one (for example):
    http://localhost/api/rest/current/contacts.json

    If I pass a malformed X-WSSE I get a 401 Unauthorised response: ‘Response does not contain any data.’ This is the correct behaviour.

    If I call the same interface with a correctly formatted X-WSSE header e.g.:
    UsernameToken Username=”admin”, PasswordDigest=”ku+0N+DYrfnY6RntxilDPQ8kzwA=”, Nonce=”NTBiYTNhZDk5ZjRiNGM2MQ==”, Created=”2013-10-29T17:05:11Z”

    I receive this warning back:
    <b>Warning</b>: Missing argument 5 for Escape\WSSEAuthenticationBundle\Security\Core\Authentication\Provider\Provider::validateDigest() on line 45

    Argument 5 is:
    $this->getSecret($user)

    Which calls:
    protected function getSecret($user)
    {
    return $user->getPassword();
    }

    When I look at the code I can see that my IDE (PhpStorm) thinks that the getPassword() method is not defined.

    Have you managed to actually call one of these interfaces?

    Cheers

    #1244

    Alexandr Smaga
    Participant

    Please update you CRM/Platform version to latest (current is BETA 2), and make sure that your composer up to date. If not please run

    This issue already fixed.

    Cheers

    #1257

    seddonm1
    Participant

    Thanks asmaga.

    I have just completely rebuilt my environment from the latest git (BETA 2).

    I am still struggling to use the REST API.

    Today, whilst playing with a semi-upgraded OroCRM, I managed to get one response by sending a null nonce.

    With the upgraded installation and using this site to generate the WSSE header it is still not working.
    http://www.teria.com/~koseki/tools/wssegen/

    Maybe that site is generating incompatible headers (changed algorithm). Are you able to generate a WSSE header and successfully retrieve /api/rest/current/contacts.json with it?

    I have also tried setting: nonce_dir: “%kernel.root_dir%/cache/nonce” and can see the nonce files in that path so it is receiving the data correctly just failing authentication.

    Cheers,
    Mike

    #1261

    Alexandr Smaga
    Participant

    Hey, I’ve just tried to generate header using console command

    and tried to retrieve data from bash using

    It works as expected!

    After that I tried to generate using http://www.teria.com/~koseki/tools/wssegen/
    and it works for me as well.

    Whence you get “password” in ORO database ? It should comes from oro_user_api table…

    #1262

    seddonm1
    Participant

    Thanks asmaga.

    I have got it working. I was sending the user password which, in hindsight, makes no sense because it could (relatively) easily be brute force attacked if a hacker captured the messages. The API Key is much more complex and offers very good security. I had also forgotten to regenerate the API Key after the reinstall.

    Thanks for your help and great work.

    Cheers,
    Mike

Viewing 6 replies - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.