amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0

Migrating a Token #1198

Closed sparkweb closed 2 years ago

sparkweb commented 3 years ago

I've been able to successfully get connected and now I wanted to test migrating an existing MWS auth token so that I can look at some real data. So here's the workflow I did:

  1. Create an MWS auth token for myself, authorizing my developer ID for my store.
  2. Call the token endpoint with a migration scope. Get back a grantless token.
  3. Make a call to /authorization/v1/authorizationCode using that grantless token.

Now I'm getting back this error: A published application with the provided app-id not found.

This begs the question: am I not allowed to migrate any tokens until my new app is published? The docs do not make any mention of this and it would make transitioning quite a bit more complex since I won't be able to test any real-world scenarios before going completely live.

AmericanY commented 3 years ago

@sparkweb you need to regenerate the refresh token and authorize your app again.

diegocvazquez commented 3 years ago

@sparkweb you need to regenerate the refresh token and authorize your app again.

I am having the same issue. I am testing a way to assume the role; there is a post here with some example:

https://github.com/amzn/selling-partner-api-models/issues/713

Thanks for your help, Regards

AmericanY commented 3 years ago

@diegocvazquez delete your application and build it again, following those steps carefully: https://github.com/amzn/selling-partner-api-docs/blob/main/guides/en-US/developer-guide/SellingPartnerApiDeveloperGuide.md#registering-your-selling-partner-api-application

sparkweb commented 3 years ago

@AmericanY I'm unsure how the refresh token plays into it. I am trying to use a previously-received MWS token with the migration endpoint to get a new refresh token for my client. It seems to be complaining that I'm doing this on an unpublished app.

So my questions are:

1) Is this really true that you can't migrate any mws_auth_tokens on an unpublished app?

2) If so, how in the world are we expected to build for all the real-world problems we'll find with only sandbox data?

AmericanY commented 3 years ago

@sparkweb

For developers with existing Amazon MWS credentials and roles, we have backfilled access to SP-API using fine grained roles; these developers can update their existing integrations to use both API suites. Developers may request additional access by updating their developer profile and providing any additional required information.

diegocvazquez commented 3 years ago

@diegocvazquez delete your application and build it again, following those steps carefully: https://github.com/amzn/selling-partner-api-docs/blob/main/guides/en-US/developer-guide/SellingPartnerApiDeveloperGuide.md#registering-your-selling-partner-api-application

The application is in production; there are a hundred sellers using it, so it can't just be deleted. If there is no option to change the ARN, I need to make the AssumeRole work; until now, no success!

AmericanY commented 3 years ago

@diegocvazquez your current ARN is unable to see it because your auth is actually acting on the previous configuration. What's your ARN configuration JSON?

AmericanY commented 3 years ago

@diegocvazquez also confirm whether you are able to communicate with https://api.amazon.com/auth/o2/token or not.

diegocvazquez commented 3 years ago

@AmericanY

@diegocvazquez also confirm whether you are able to communicate with https://api.amazon.com/auth/o2/token or not.

Yes, I am able to get a token, and I am also able to call AssumeRoleRequest, and I am obtaining a SessionToken.

This is the code I am using; I generated it with swagger-codegen.

```csharp
using System;
using Amazon.Runtime;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;
using Amazon.SellingPartnerAPIAA; // LWAAuthorizationSigner / AWSSigV4Signer helpers
using RestSharp;

class SpApiClient
{
    // Step 1: exchange the IAM user's long-lived keys for temporary role credentials.
    private static AssumeRoleResponse GetAssumeRoleTokenDetail()
    {
        var accessKey = "AKIARL........."; // get from users access key id from first step
        var secretKey = "fC9cmiRo7ZIBijF..."; // get from users secret key from first step
        var credentials = new Amazon.Runtime.BasicAWSCredentials(accessKey, secretKey);
        var client = new AmazonSecurityTokenServiceClient(credentials);
        var assumeRoleRequest = new AssumeRoleRequest()
        {
            DurationSeconds = 3600,
            RoleArn = "arn:aws:iam::........",
            RoleSessionName = DateTime.Now.Ticks.ToString()
        };

        return client.AssumeRole(assumeRoleRequest);
    }

    static void connect()
    {
        var role = GetAssumeRoleTokenDetail();

        string resource = "/sellers/v1/marketplaceParticipations";
        IRestRequest restRequest = new RestRequest(resource, Method.GET);

        // Step 2: add the LWA access token (obtained from the refresh token) to the request.
        LWAAuthorizationCredentials lwaAuthorizationCredentials = new LWAAuthorizationCredentials
        {
            ClientId = "amzn1.applicat....",
            ClientSecret = "7baa991aa49....",
            RefreshToken = "Atzr|IwEBIEt4....",
            Endpoint = new Uri("https://api.amazon.com/auth/o2/token")
        };

        restRequest = new LWAAuthorizationSigner(lwaAuthorizationCredentials).Sign(restRequest);

        // Step 3: SigV4-sign with the assumed-role credentials.
        // Note: only the temporary key pair is passed here; role.Credentials.SessionToken
        // is never handed to the signer, so the request carries no x-amz-security-token.
        AWSAuthenticationCredentials awsAuthenticationCredentials = new AWSAuthenticationCredentials
        {
            AccessKeyId = role.Credentials.AccessKeyId,
            Region = "eu-west-1",
            SecretKey = role.Credentials.SecretAccessKey
        };

        RestClient restClient = new RestClient("https://sellingpartnerapi-eu.amazon.com/");
        restRequest = new AWSSigV4Signer(awsAuthenticationCredentials).Sign(restRequest, restClient.BaseUrl.Host);
        IRestResponse response = restClient.Execute(restRequest);
    }
}
```

The results are { "errors": [ { "message": "The security token included in the request is invalid.", "code": "InvalidInput" } ] }
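An added example, not code from this thread or from Amazon's sample client, of the SigV4 step the C# above performs, written in Python so it runs offline: it signs the same GET and, unlike the snippet above, forwards the AssumeRole SessionToken as the x-amz-security-token header inside SignedHeaders. All credentials, token values and the fixed clock are constructed placeholders, and the function names are assumptions.

```python
import datetime
import hashlib
import hmac

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_headers(method, host, path, access_key, secret_key, region,
                  session_token=None, lwa_access_token=None,
                  service="execute-api", body=b"", now=None):
    """Build SigV4 headers for an SP-API call (empty query string assumed).

    session_token is the STS AssumeRole SessionToken; it must be sent as
    x-amz-security-token and be part of SignedHeaders, otherwise temporary
    credentials are rejected as "The security token ... is invalid".
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    headers = {"host": host, "x-amz-date": amz_date}
    if lwa_access_token:           # LWA token from /auth/o2/token, also signed
        headers["x-amz-access-token"] = lwa_access_token
    if session_token:
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical_request = "\n".join([
        method, path, "",                                   # no query string
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed, hashlib.sha256(body).hexdigest()])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    k = ("AWS4" + secret_key).encode()                      # key derivation chain
    for part in (date_stamp, region, service, "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers

def example_request(with_session_token=True):
    """Constructed placeholder credentials and a fixed clock, for a repeatable demo."""
    fixed = datetime.datetime(2021, 3, 4, 5, 6, 7, tzinfo=datetime.timezone.utc)
    return sigv4_headers(
        "GET", "sellingpartnerapi-eu.amazon.com", "/sellers/v1/marketplaceParticipations",
        "AKIAEXAMPLEKEY", "EXAMPLESECRET", "eu-west-1",
        session_token="EXAMPLESESSIONTOKEN" if with_session_token else None,
        lwa_access_token="Atza|EXAMPLE", now=fixed)
```

Calling example_request(False) reproduces the shape of the request in the C# snippet (no security token header), which is the case the error above corresponds to.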

diegocvazquez commented 3 years ago

@AmericanY

@diegocvazquez your current ARN is unable to see it because your auth is actually acting on the previous configuration. What's your ARN configuration JSON?

My current role ARN is: arn:aws:iam::094018382763:role/Waadby_sp-api

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::094........"
    }
  ]
}
```

AmericanY commented 3 years ago

https://github.com/amzn/selling-partner-api-docs/blob/main/guides/en-US/developer-guide/SellingPartnerApiDeveloperGuide.md#step-1-request-a-login-with-amazon-access-token

You mentioned that you were able to communicate with https://api.amazon.com/auth/o2/token but that's not correct.

As you are getting "The security token included in the request is invalid."

You've to send a POST request with the following data:

```python
import requests as req

def get_access_token(Refresh_Token, Client_Id, Client_Secret):
    # Exchange the LWA refresh token for a short-lived access token.
    data = {
        'grant_type': 'refresh_token',  # <-- it's a string DON'T TOUCH.
        'refresh_token': Refresh_Token,
        'client_id': Client_Id,
        'client_secret': Client_Secret
    }
    return req.post('https://api.amazon.com/auth/o2/token', data=data).json()['access_token']
```

Let me know if it succeeds @diegocvazquez

diegocvazquez commented 3 years ago

@AmericanY I am using Postman and I am able to get a token, as I mentioned before: [image]

Is that what you mean?

AmericanY commented 3 years ago

You are able to get it via Postman but not from your client. You've to check your current code and match it according to Postman headers.

diegocvazquez commented 3 years ago

@AmericanY

You are able to get it via Postman but not from your client. You've to check your current code and match it according to Postman headers.

I am using swagger-codegen. The problem that I have is that I registered my application with a role ARN, and a new application to test with the user ARN. In the new application it works okay; in the old application with the role ARN I am able to log in but not able to call any other service. I understand that I need to AssumeRole and then make the calls, is that right?

diegocvazquez commented 3 years ago

@AmericanY I am now using the code from https://github.com/amzn/selling-partner-api-models/issues/31 and seems to work!

diegocvazquez commented 3 years ago

@AmericanY, now that I have the code working I am getting this error when calling /authorization/v1/authorizationCode. Do I need to do something? { "errors": [ { "code": "InvalidInput", "message": "Developer ID xxxxxxx is not associated with the application id.", "details": "" } ] }

I have created an issue and case https://github.com/amzn/selling-partner-api-models/issues/1202

github-actions[bot] commented 2 years ago

This is a very old issue that is probably not getting as much attention as it deserves. We encourage you to check if this is still an issue after the latest release and if you find that this is still a problem, please feel free to open a new issue and make a reference to this one.