amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0

Restricted Data Token help #1255

Closed grath90 closed 1 year ago

grath90 commented 3 years ago

I'm having trouble understanding how to request an RDT after reading through the documentation. I'm assuming I need to go through the process of requesting a LWA token and then using that in a signed call like I'm doing for non-restricted calls?

Once I do this I get a 403 error saying my signature doesn't match.

The documentation is vague on this. Any help would be appreciated.

ShivikaK commented 3 years ago

Hello @grath90

Thank you for raising this issue.

The request to get RDT token is similar to a normal SP API request where you add LWA access token to the request.

Below is the summarized workflow to use RDT token for Restricted APIs -

  1. Generate LWA Access token
  2. Make a request to Tokens API signed with the LWA token (the way a normal SP API request is constructed). Add the restricted API path and method as part of the request body parameters.
  3. The response should give you the RDT token. You then use this RDT token instead of LWA Access Token in your Restricted API operation.

Please feel free to open a support case with us if you'd like deeper assistance with this issue.

Thanks, Shivika Khare Selling Partner API Developer Support

alpodz commented 3 years ago

The invalid signature is the token for the AWS signing that is occurring after this. AWS signature apparently doesn't match something being expected. One possibility is I'm thinking AWS is perceiving the OrderAddress perhaps as a different API (since technically on the Amazon side it might be)? Also, you do not need to use the restricted data token right now, the address will still return successfully using the traditional method.

alpodz commented 3 years ago

What are you calling with it btw, are you using their SDK? you calling OrderAddress by any chance? Or any of the parameterized rest calls?

glukoid commented 3 years ago

Hi, could you please help me to understand what I am doing wrong here? On trying to receive an RDT the same way as ShivikaK (I passed the PII application) I received: response: { "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] }

Could it be something wrong with my AWS user permissions?

alpodz commented 3 years ago

Is it getting the token or using the token? I got it using the token.. however... The sandbox version does return that error message... Also.. Amazon does not allow you to use the newer versions of their apis yet... I forget if token has multiple versions or not


glukoid commented 3 years ago

The failure happens when trying to get the token.

ShivikaK commented 3 years ago

Hello @glukoid

Are you able to make a request to other APIs successfully? If you can provide the request details for RDT request, I can further investigate the issue.

Thanks, Shivika Khare Selling Partner API Developer Support

glukoid commented 3 years ago

"Are you able to make a request to other APIs successfully?"


alpodz commented 3 years ago

If someone is actively looking at this.. a) how do you know your application for pii access was successful.

B) If you're self-authorized, does it change this at all?

C) there is a behavior difference between the sandbox API and the nonsandbox API.. the sandbox fails to allow access to rdt but the nonsandbox rdt works but the call to the nonsandbox orderaddress API returns less pii data.

On Fri, Jun 4, 2021, 9:16 PM glukoid @.***> wrote:

"Are you able to make a request to other APIs successfully?"

  • yes.


glukoid commented 3 years ago

"how do you know your application for pii access was successful"

"if your self authorized does it change this at all?" I am self authorized and the process of getting RDT token did not work for me.

"sandbox API/nonsandbox API" I am using product DB and trying to get RDT using the following link I got from Amazon support team: https://github.com/amzn/selling-partner-api-docs/blob/548d815eb32c899aa4b7520c49baee008f3687e3/guides/en-US/use-case-guides/tokens-api-use-case-guide/tokens-API-use-case-guide-2021-03-01.md#tutorial-get-an-rdt-and-call-restricted-operations.

alpodz commented 3 years ago

Product/Catalog Item doesn't require the rdt btw.. hence you would get an error anyway using the rdt there.

This was actually a question to the support person on this thread. I was questioning them about their APIs.

On Mon, Jun 7, 2021, 3:10 PM glukoid @.***> wrote:

"how do you know your application for pii access was successful"

  • I got confirmation from Amazon support


glukoid commented 3 years ago

I got an update: I was able to receive an RDT token, but when I used it to retrieve buyer address or buyerInfo the response did not include PII information.

Do you have any idea how to solve it?

ccarnivore commented 3 years ago

Hi,

I'm facing a similar issue. I can create a (seems to be) valid restrictedAccessToken. When I use this in further requests, I always get a 403 not authorized exception. I'm not using the Sandbox.

$restrictedToken = $tokenClient->createRestrictedDataToken([
    'restrictedResources' => [
        'method' => 'GET',
        'path' => '/orders/v0/orders/303-XXXXXXX/buyerInfo'
    ]
]);

//response is like
// ['expiresIn' => 3600, 'restrictedDataToken' => 'Atz.sprdt|XXXXXX']

Now I change my access token (refresh_token from self authorization) to this restrictedDataToken. This results in this 403 error.

Has anyone an idea? Thanks.

PureIllusionCo commented 3 years ago

I have been going through the same problem with the RDT concept in the Amazon SP-API. Amazon please improve your documentation on RDT usage. The documentation is pretty bad actually when it comes to RDT.

Here is my contribution to this thread. I need assistance on the exact same issue; however, I am able to get an RDT and construct a custom call via OKHTTP. The issue is using it with the generated swagger sp-api client side code. There is no documentation beyond, "Apply the RDT." Not useful. Any help would be great. Below is my summary of the same issue being experienced....


I'm trying to follow the SP-API Dev Guide so I can make RESTful calls to OrdersV0 api -> getOrders. I'm running into issues applying RDT rather than LWA to the generated swagger client code. Following Tokens API Use Case Guide I can make calls to retrieve a specific order, but this documentation has us manually building the Call by specifying the URL and DataElements. Ultimately, following the RestrictedDataTokenWorkflow.java executes an OKHTTP call in a different way than I see in the generated swagger client code. This ends up making the documentation from the Tokens API Use Case Guide very hard to follow because the instructions end with "Step 2: Include the RDT with a call to the getOrders." The reader is left saying to themselves, "Sure, but how?!"

Is the generated swagger client code an incomplete implementation for the RESTful calls requiring Restricted Data Tokens rather than LWA tokens? If not, is there any way you could help point me to some more documentation or examples of how to properly override the LWA token with the RDT? Currently, I've gone through the generated client code and I don't see a good way of using the SP-API java generated swagger client if it requires RDTs.

I don't want to have to write custom (un)marshalling code for the returned json. Any help or pointers in the right direction would be great. Not even sure you guys get these notifications, but there is really nothing online I've seen anywhere that addresses Java SP-API usage.

PureIllusionCo commented 3 years ago

As far as I can tell there is no way to apply the RDT to the header of any OrdersV0Api operation. Even when applying the RDT to apiclient header it is overwritten within the generated OrdersV0Api.

I've added a header to the APIClient from OrdersV0Api using ApiClient apic = api.getApiClient().addDefaultHeader("x-amz-access-token", rdt) and discovered that it is just overwritten when a Request is built in the generated client codebase. The client just applies the lwaAuthorizationSigner signature as the last step before signing the request. This overwrites the x-amz-access-token. So it looks like every operation requiring a restricted data token is unusable with the generated java sdk client code.

See OrdersV0Api.getOrdersCall()->getOrdersCall(...)->apiClient.buildCall(...)->apiClient.buildRequest(...)->Line 1064 "request = lwaAuthorizationSigner.sign(request);"

Has Amazon tested the generated client code to validate operations requiring RDT actually work?

dnErf commented 2 years ago

Hi, I am having the same issue as well. I can get our RDT, but when I used it on the orders endpoint, replacing the LWA token with the RDT, I'm getting denied.

Is there any update on this issue? Or is there a workaround to get the shipping address? Thanks for any help.

rohitdobariya commented 2 years ago

@ShivikaK Any help here? We are struggling with RDT to call getOrders. Is there a way to use swagger-generated code (getOrders) with RDT? Can you please provide an example?

PureIllusionCo commented 2 years ago

We have RDTs working now but it took a large development effort to make it work correctly.  Correctly means the usage of RDT based services in a way that the engineer doesn’t have to distinguish between a service call based on refresh tokens or restricted tokens.    

We have considered selling a licensed version of our software actually.  That’s the development effort that went into making this concept work well.  

Some tips are to really rely on the json service definitions. They will define what type of Restricted data tokens need to be generated based on what data you’re trying to access. Also, the api is rate limited so once you have things working you’ll need to make sure you handle the rate limiting (but that’s not an RDT specific issue).

Amazon never replied to any of our messages; git or email.  It’s too bad because Java is a better language than python for core enterprise software.  No runtime surprises at the wrong moment for a company. 

If you’re not looking for an implementation nightmare I’d say just use the Python API.  You can find it documented here: https://sp-api-docs.saleweaver.com/

If you do decide to go with Java the easiest route will be to make your RDT for the service and data you want and then make your own call with your own headers. This isn’t something I’d recommend doing for a lot of the api but let’s say you just wanted to do one thing. You could probably make that work quickly with this approach.

Finally, it looks like the service definitions are in development because they're just beginning to introduce mutator functionality (updating orders).  That is a work in progress without a completed service definition; let alone documentation.

Personally I'm looking forward to a way more comprehensive implementation that includes a lot of the stuff we implemented on our side. I'm sure Amazon will need it if they want to sunset their MWS api in favor of requiring SP-API with RDT.

Hey @amzn you looking to hire a principal engineer to make this stuff happen? Message us. :-)

rohitdobariya commented 2 years ago

@PureIllusionCo I reviewed the client code and it seems like we have to develop our own component that can sign with RDT. The second thing is, if we get the nextToken, do we have to generate the RDT again in this case? Because the API URL changes and we have to sign.

PureIllusionCo commented 2 years ago

@rohitdobariya Use RestrictedDataTokenWorkflow.java as your example to create an RDT for a given service call. This was my first time looking at this example for a few months and it has been substantially updated. Way more information in this example than when we wrote our code. That is good news for you.

For instance one of the Restricted Resources they want data from has a path of "/orders/v0/orders/123-7654321-1234567". So they want PII for Order 123-1234567-1234567 and require an RDT that grants temporary authorization to read "buyerInfo" and "shippingAddress".

If you look at the service definition for OrdersV0 you can trace through the object definitions to figure out which calls require which RDT categories. Generate the RDT based on the path given in OrdersV0 and the RDT categories you find necessary. It will return a status code other than 200 to let you know you did or did not do something correctly. So there is some trial and error for each operation you want to perform.

This all then brings you to the actual call to the service. This is where the generated Swagger has a problem. You'll need to modify the swagger code (many many ways you could go about this). Potentially, there is some way that I have not found to use this as-is but I actually looked through many repos of people all running into this problem and making their own hacks to solve the issue. Some very brutal and some not so bad.

Now when you are performing an operation against the OrdersV0 api you're just calling a service. In the exact same way that was done to get the restricted data token. So you could just make a call in the same way but replace: (A) the refresh token string with the RDT string in the header, and (B) Replace the service endpoint (path) with the corresponding web service you want to invoke. This is where I was when I first posted in October and it is why I was saying you could just write something quickly if you want to only perform one or two calls.

For the nextToken issue it depends on how elegant of a solution you want to engineer. If I remember correctly, the generation of an RDT will give you the lifetime of the token (or maybe it was documented somewhere). Short answer is that you do not need to regenerate the RDT for every call. If you are making a call to the same endpoint for the same restricted data just replace the orderid and make the next call. Eventually your token will expire and you will need to generate a new one based on the service return code feedback.

Hope that helps.
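Added example, not part of the thread and not Amazon's SDK code: a Python token provider that picks the RDT for restricted operations and the LWA token otherwise, reuses an RDT across order ids until `expiresIn` runs out, and sets `x-amz-access-token` at the point where the request is about to be signed. The class and function names, the operation table, the `{orderId}` generic path form, the injected `get_lwa_token`/`create_rdt` callables and all token values are assumptions constructed for the example.

```python
import re
import time

TOKENS_PATH = "/tokens/2021-03-01/restrictedDataToken"  # Tokens API operation (POST)

# Constructed, partial table of restricted Orders operations. Each row is
# (method, regex for the concrete path, path sent in the RDT request, dataElements).
# The "{orderId}" generic path form is an assumption here; the full list of
# restricted operations has to come from the service definitions.
RESTRICTED_OPERATIONS = [
    ("GET", re.compile(r"^/orders/v0/orders$"),
     "/orders/v0/orders", ("buyerInfo", "shippingAddress")),
    ("GET", re.compile(r"^/orders/v0/orders/[^/]+/buyerInfo$"),
     "/orders/v0/orders/{orderId}/buyerInfo", ()),
    ("GET", re.compile(r"^/orders/v0/orders/[^/]+/address$"),
     "/orders/v0/orders/{orderId}/address", ()),
]


def match_restricted(method, path):
    """Return (rdt_path, data_elements) when the call needs an RDT, else None."""
    for op_method, pattern, rdt_path, elements in RESTRICTED_OPERATIONS:
        if op_method == method.upper() and pattern.match(path):
            return rdt_path, elements
    return None


def build_rdt_request(method, rdt_path, data_elements=(), target_application=None):
    """Body for POST TOKENS_PATH. restrictedResources is a list of objects."""
    resource = {"method": method.upper(), "path": rdt_path}
    if data_elements:
        resource["dataElements"] = list(data_elements)
    body = {"restrictedResources": [resource]}
    if target_application:
        body["targetApplication"] = target_application
    return body


class AccessTokenProvider:
    """Hands out the RDT for restricted operations and the LWA token otherwise."""

    def __init__(self, get_lwa_token, create_rdt, clock=time.time, skew=60):
        self._get_lwa_token = get_lwa_token  # () -> LWA access token string
        self._create_rdt = create_rdt        # (body dict) -> Tokens API response dict
        self._clock = clock
        self._skew = skew                    # refresh this many seconds early
        self._cache = {}                     # key -> (token, expires_at)

    def token_for(self, method, path):
        restricted = match_restricted(method, path)
        if restricted is None:
            return self._get_lwa_token()
        key = (method.upper(),) + restricted
        cached = self._cache.get(key)
        if cached and cached[1] - self._skew > self._clock():
            return cached[0]  # same operation, other order id: reuse the RDT
        reply = self._create_rdt(build_rdt_request(method, *restricted))
        expires_at = self._clock() + int(reply["expiresIn"])
        self._cache[key] = (reply["restrictedDataToken"], expires_at)
        return reply["restrictedDataToken"]

    def invalidate(self, method, path):
        """Drop the cached RDT, e.g. after the service answers 403 with it."""
        restricted = match_restricted(method, path)
        if restricted is not None:
            self._cache.pop((method.upper(),) + restricted, None)

    def apply(self, request):
        """Set x-amz-access-token. Run this where the generated client would
        apply its LWA signer, so nothing overwrites the header afterwards."""
        token = self.token_for(request["method"], request["path"])
        request.setdefault("headers", {})["x-amz-access-token"] = token
        return request


def demo():
    """Run three calls against constructed tokens and a fake clock."""
    now = [1000.0]
    issued = []  # RDT request bodies the fake Tokens API received

    def fake_create_rdt(body):
        issued.append(body)
        return {"restrictedDataToken": "Atz.sprdt|constructed-%d" % len(issued),
                "expiresIn": 3600}

    provider = AccessTokenProvider(lambda: "Atza|constructed-lwa",
                                   fake_create_rdt, clock=lambda: now[0])
    calls = [("GET", "/orders/v0/orders/111-0000001-0000001/address"),
             ("GET", "/orders/v0/orders/111-0000002-0000002/address"),
             ("GET", "/catalog/v0/items/B000000000")]  # not restricted
    tokens = [provider.apply({"method": m, "path": p})["headers"]["x-amz-access-token"]
              for m, p in calls]
    now[0] += 3600  # lifetime elapsed: the next restricted call fetches a new RDT
    tokens.append(provider.token_for(*calls[0]))
    return tokens, issued


if __name__ == "__main__":
    for token in demo()[0]:
        print(token)
```

In a real client `create_rdt` would be the signed POST to the Tokens API made with the LWA token, and `invalidate` would be called when a restricted call is rejected with a cached RDT.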

rohitdobariya commented 2 years ago

Hey @PureIllusionCo I customized the SDK and I was successfully able to call the API with RDT and without RDT as well. Let me know if you need any help with that.

PureIllusionCo commented 2 years ago

Awesome! Glad we could help. If you are able to make an RDT call with a modified client then it’s just a matter of time and thought on how to make it work for RDT and refresh token calls. But it’s possible. Just depends on how seamless you want the solution to be.


alpodz commented 2 years ago

Ironically I made a slight mod to the Amazon provided base class to pass an external token string before signing..so when the generated client is a rdt.. need to make the rdt call and populate the property


alpodz commented 2 years ago

I could have gone farther and modified the base to check for the inherited API on top and call rdt API for me. I gave the work to another haha. Another thing was they didn't understand how restclient for .net worked.. they signed the token before adding some parameters. It would bomb because the signature didn't match.. the token.


PureIllusionCo commented 2 years ago

Precisely. This is what we were telling Amazon in our October comment. It will always sign with a refresh token just before the call in the swagger generated code. The approach you’ve taken is what I’ve seen others do in the past as well. We took a different approach but this works for just getting things done. Hopefully this thread will be seen in the future and help someone else too.


Mike-the-one commented 2 years ago

@rohitdobariya @PureIllusionCo I am having issues getting RDT using generated java client code, I am able to call other non PII apis, but I always get InvalidSignature when I call tokensApi.createRestrictedDataToken, I have details here

https://github.com/amzn/selling-partner-api-models/issues/2236

Any ideas?

rohitdobariya commented 2 years ago

Yes I had to create wrapper for rdt.


rohitdobariya commented 2 years ago

@Mike-the-one you can join me here. I created the wrapper for that and it's working fine with the SDK as well. https://zoom.us/j/5424961335?pwd=WTJFTy8wUVIyWEhuVHJlZi9LOXVXUT09

rohitdobariya commented 2 years ago

Hi, @Mike-the-one are you joining the zoom?

Mike-the-one commented 2 years ago

@rohitdobariya Just sent you an email. Thanks!

Dwarfer06 commented 2 years ago

Hello there,

I've been looking into using the RDT with the Swaggergen code generated here: https://github.com/amzn/selling-partner-api-docs/blob/main/guides/en-US/developer-guide/SellingPartnerApiDeveloperGuide.md#generating-a-java-sdk-with-lwa-token-exchange-and-authentication

However I can't see a way to pass this in using the generated code, I've been able to modify the code to pass it in but is there a provided way to do this?

rohitdobariya commented 2 years ago

There is no option for RDT in the generated code, you have to modify the generated code in order to support RDT call.

PureIllusionCo commented 2 years ago

The code must be modified.


alpodz commented 2 years ago

Actually.. I managed to change the base class that Amazon had and injected the rdt when needed..allowed me to regenerate the clients without worry


mohit11115 commented 2 years ago

Hi,

We have a private application running under hybrid mode. It is self-authorized, and it is a private app, it can not be published. We access order details through it currently.

One of the github pages says that private applications do not need to migrate to SP-API yet, that private apps will continue to function.

We are so confused with the RDT token. We were able to generate the LWA token and LWA refresh token, but RDT returns an error. Is it because we have a non-published private app?

What are we supposed to do?

Please help.

Thanks.

tlappe commented 2 years ago

@mohit11115 perhaps you should open a new issue. This one is too old and too general.

danielecr commented 2 years ago

Hi, I ran into the same problem here, with an application in testing mode.

I solved by specifying targetApplication: "....&version=beta", yes, I added '&version=beta' at the end of the string and it works

let appid = "amzn1.sp.solution......."
...
body: {
            targetApplication: `${appid}&version=beta`,
            restrictedResources: [
                {
                    "method": "GET",
                    "path": "/orders/v0/orders",
                    "dataElements": ["buyerInfo", "shippingAddress"]
                }
            ]
        },

response:

{
  expiresIn: 3600,
  restrictedDataToken:  ....
}

Ok, now the problem is that that returned restrictedDataToken does not work for the call I need.

@mohit11115 can you use it this way?

mohit11115 commented 2 years ago

Hi,

Thanks for the reply.

Yes, adding "&version=beta" works, but I just wonder if it will continue to work after Amazon closes access to MWS... I mean, I recreated the app in SP-API, but it is unpublished.

mohit11115 commented 2 years ago

I have a weird issue now: I am able to retrieve order details and everything works fine, but only on a few systems. I tried running the same code, with everything the same, on another computer and it gave a forbidden error.

As soon as orderV0Api.getOrderwithHttpInfo (OrdersV0Api.java) is executed, it gives a forbidden error.

What could be wrong? Please help.

alpodz commented 2 years ago

You might have exceeded the threshold, or you might not have gotten a token before using it. Since it's async, it could complicate things like that.

mohit11115 commented 2 years ago

What does exceeding the threshold mean? How do I check it or resolve it?

On one of my non-working systems, when I upgraded the JDK to 1.8, it started working, but I followed the same steps on another system and it doesn't work.

The refresh token was already generated before, and it works on one similar-spec computer but not on the other.

alpodz commented 2 years ago

Check this to make sure you're signing with a recent stamp. https://stackoverflow.com/questions/44017410/signature-expired-is-now-earlier-than-error-invalidsignatureexception

mohit11115 commented 2 years ago

Timestamp shouldn't be an issue, because it is working on another system at the same time. I tried on 10 of my local systems now, 4 work, 6 don't!

All have same configs, same Windows.

mohit11115 commented 2 years ago

Hi,

Not sure if you meant the Windows system time or not, but your timestamp thing got me to check that... and yes, the Windows system time was off by a few minutes on the systems on which the code was not working!

Thank you so much for the help! You are a legend.

alpodz commented 2 years ago

Yes, that was what I meant.

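The clock check that resolved the 403s above, as an added example that is not part of the original thread: it compares the local clock with the HTTP Date header of a response and reports the timestamp the signer would have used. The 120-second threshold, the host names and the sample observations are assumptions constructed for illustration.

```javascript
// Added example; threshold and sample data are assumptions, not values from the thread.
const MAX_SKEW_SECONDS = 120; // assumed alert threshold; the thread only says "a few minutes"

// Timestamp in the ISO 8601 basic format that SigV4 uses for X-Amz-Date.
function amzDate(epochMs) {
  return new Date(epochMs).toISOString().replace(/[-:]/g, "").replace(/\.\d{3}Z$/, "Z");
}

// Skew in whole seconds between the local clock and the server's Date header.
// Positive means the local clock is ahead; null means the header was unusable.
function clockSkewSeconds(dateHeader, localEpochMs) {
  const serverMs = Date.parse(dateHeader);
  if (Number.isNaN(serverMs)) return null;
  return Math.round((localEpochMs - serverMs) / 1000);
}

// Classify one 403 observation: is the clock the likely cause, or look elsewhere?
function triage403(obs, maxSkew = MAX_SKEW_SECONDS) {
  const skew = clockSkewSeconds(obs.dateHeader, obs.localEpochMs);
  if (skew === null) {
    return { host: obs.host, verdict: "no-usable-date-header", skew };
  }
  const verdict = Math.abs(skew) > maxSkew
    ? "fix-clock-then-retry"
    : "clock-ok-check-credentials-and-token";
  return { host: obs.host, verdict, skew, wouldSignAs: amzDate(obs.localEpochMs) };
}

// Constructed observations: same server time, three machines with different clocks.
const SERVER_MS = Date.parse("Tue, 21 Jun 2022 21:30:00 GMT");
const SAMPLE = [
  { host: "pc-01", dateHeader: "Tue, 21 Jun 2022 21:30:00 GMT", localEpochMs: SERVER_MS + 2000 },
  { host: "pc-02", dateHeader: "Tue, 21 Jun 2022 21:30:00 GMT", localEpochMs: SERVER_MS - 7 * 60 * 1000 },
  { host: "pc-03", dateHeader: "", localEpochMs: SERVER_MS },
];

function triageAll(observations) {
  return observations.map((o) => triage403(o));
}
```

Running `triageAll(SAMPLE)` on each machine's own 403 response separates hosts that need time synchronisation from hosts where the credentials or token should be examined instead.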

smargoli2 commented 2 years ago

@alpodz , can you share the code that you modified to inject an RDT when the request is signed? Can anybody post links to working examples that they've found? I'm using C# generated code.

alpodz commented 2 years ago

Okay, it's been a long, long time. I've actually switched jobs since then and I didn't save my solve for this.

If you look at: https://github.com/amzn/selling-partner-api-models/blob/553de9fa0e4d05a82abbb674a830de082f383702/clients/sample-code/DelegatedRestrictedDataTokenWorkflowForDelegatee.java

You need to follow this example, but we need to modify the C# client a little bit to make it work. (This is Java below. Notice that this code is NOT calling LWA for a token.)

private static Response buildAndExecuteDelegatedRestrictedRequest(String method, String path, String restrictedDataToken, RequestBody requestBody) throws IOException {

    Request signedRequest = new Request.Builder()
            .url(sellingPartnerAPIEndpoint + path)  // Define the URL for the request, based on the endpoint and restricted resource path.
            .method(method, requestBody)  // Define the restricted resource method value, and requestBody, if required by the restricted operation.
            .addHeader("x-amz-access-token", restrictedDataToken)  // Sign the request with the RDT by adding it to the "x-amz-access-token" header.
            .build();  // Build the request.

    // Initiate an AWSSigV4Signer instance using your AWS credentials. This example is for an application registered using an IAM Role.
    AWSSigV4Signer awsSigV4Signer = new AWSSigV4Signer(awsAuthenticationCredentials, awsAuthenticationCredentialsProvider);

    /*
    // Or, if the application was registered using an IAM User, use the following example:
    AWSSigV4Signer awsSigV4Signer = new AWSSigV4Signer(awsAuthenticationCredentials);
    */

    // Sign the request with the AWSSigV4Signer.
    signedRequest = awsSigV4Signer.sign(signedRequest);

    // Execute the signed request.
    OkHttpClient okHttpClient = new OkHttpClient();
    Response response = okHttpClient.newCall(signedRequest).execute();

    return response;
}

C# version:

    var resource = $"/vendor/directFulfillment/orders/v1/purchaseOrders";
    IRestRequest restRequest = new RestRequest(resource, Method.GET);

    var client = new RestClient("https://sellingpartnerapi-na.amazon.com");
    var credentials = new SellerAPICredentials();

    // We don't actually have to request a new LWA token. We are going to use the restricted access token in its place.
    string AccessTokenHeaderName = "x-amz-access-token";
    restRequest.AddHeader(AccessTokenHeaderName, unrestrictedaccesstoken);

    // restRequest = SignWithAccessToken(restRequest, credentials.ClientId, credentials.ClientSecret, credentials.RefreshToken);

    restRequest = SignWithSTSKeysAndSecurityTokenn(restRequest, client.BaseUrl.Host, credentials.RoleARN, credentials.AWSKey, credentials.AWSSecret);

    var response = client.Execute(restRequest);

    Console.WriteLine("");

I've not tested this, but if you look at the Java example you can see it should work.

smargoli2 commented 1 year ago

Thanks @alpodz! I submitted a PR to update the mustache template for the ApiClient, so that the LWA signer only signs the request if there isn't already an x-amz-access-token header on the request. I add the header when making restricted calls. I do this before making the call:

ordersApi.Configuration.DefaultHeader.Add("x-amz-access-token", createTokenResponse.RestrictedDataToken);

And here's the modified lines in the ApiClient:

if (request.Parameters.Where(p => p.Name.Equals("x-amz-access-token")).ToList().Count() == 0) { lwaAuthorizationSigner.Sign(request); }
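The token handling discussed in this thread (the Tokens API request body posted earlier and the "do not overwrite an existing x-amz-access-token" guard above), as an added example that is not code from the thread or from Amazon's SDK. All function and class names are illustrative; it assumes an RDT should only be used for the exact method and path it was requested for, and the 60-second expiry margin is an assumed value.

```javascript
// Added example; function and class names are illustrative, not from an Amazon SDK.

// Body for the Tokens API call, shaped like the request posted in this thread.
function buildRdtRequest(method, path, dataElements = []) {
  const resource = { method: method.toUpperCase(), path };
  if (dataElements.length > 0) resource.dataElements = dataElements;
  return { restrictedResources: [resource] };
}

// Keeps each RDT bound to the one method + path it was requested for.
class RdtCache {
  constructor(now = () => Date.now(), marginSeconds = 60) {
    this.now = now;                       // injectable clock, for tests
    this.marginMs = marginSeconds * 1000; // assumed safety margin before expiry
    this.tokens = new Map();
  }
  static key(method, path) {
    return `${method.toUpperCase()} ${path}`;
  }
  store(method, path, response) {
    const expiresAt = this.now() + response.expiresIn * 1000 - this.marginMs;
    this.tokens.set(RdtCache.key(method, path), {
      token: response.restrictedDataToken,
      expiresAt,
    });
  }
  lookup(method, path) {
    const k = RdtCache.key(method, path);
    const hit = this.tokens.get(k);
    if (!hit) return null;
    if (hit.expiresAt <= this.now()) {
      this.tokens.delete(k); // never hand out a stale token
      return null;
    }
    return hit.token;
  }
}

// Decide what goes in x-amz-access-token. A token already on the request is
// left alone (the guard from the ApiClient change above); otherwise a cached
// RDT for this exact operation is used, and the LWA token only as a fallback.
function applyAccessToken(request, cache, lwaToken) {
  const headers = { ...request.headers };
  const preset = Object.keys(headers).some((h) => h.toLowerCase() === "x-amz-access-token");
  if (preset) return { ...request, headers, tokenKind: "preset" };
  const rdt = cache.lookup(request.method, request.path);
  headers["x-amz-access-token"] = rdt ?? lwaToken;
  return { ...request, headers, tokenKind: rdt ? "rdt" : "lwa" };
}
```

Because the cache is keyed by operation, an RDT obtained for one restricted path is never attached to a different call, and an expired RDT falls back to a fresh request rather than producing a 403.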

alpodz commented 1 year ago

I did something similar. I figured I'd borrow the one they did with Java; it's how I figured it out originally. It's painfully obvious Amazon are Java focused. There was also a bug in adding the parameters after signing the request. I need to look at the code again to see if they fixed that.

github-actions[bot] commented 1 year ago

This is a very old issue that is probably not getting as much attention as it deserves. We encourage you to check if this is still an issue after the latest release and if you find that this is still a problem, please feel free to open a new issue and make a reference to this one.