amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0

OAuth Redirect URI issues. #691

Closed charliecode closed 3 years ago

charliecode commented 4 years ago

When registering an application I am unable to add an OAuth Redirect URI; after clicking save it never actually saves. Therefore after a user approves the developer, there is no redirect to our website. It's allowing my URI such as https://example.com/sp-api-auth but not actually saving it.

Also, you are not able to add a redirect URI for local development. It will not allow http://localhost:4200/sp-api-auth or the like. This is an inconvenience and not friendly to quick development.

ShivikaK commented 4 years ago

Hello,

Thank you for reaching out and conveying this concern.

It appears you have also logged a case with the Developer Support team regarding this issue.

The error has been reported to the engineering team and it is being looked into.

In the meantime, please provide us with the requested information via the support case opened for further investigation.

ShivikaK commented 4 years ago

Hello,

The login and redirect URL are both mandatory fields to be filled in the form. If only one field is completed and the form is saved, it does not give an error, but it does not save the changes made to the form.

Can you please confirm that you are able to save the form with changes after filling out both the fields?

Please note only https links are valid for login and redirect URIs.

charliecode commented 4 years ago

@ShivikaK I can confirm I was able to save once adding both parameters, this did not work the other day but it is now. As you said, if only trying to add one it does not give an error and appears to save rather than letting the user know what to do and not allowing it to save, which I believe should be the default functionality.

However, there is nowhere in the documentation nor on the seller central SP-API authorization developer page itself which refers to what is supposed to go in the "OAuth Login URI". In the SP-API docs it simply says "Follow the instructions to register your application." However, when registering your application there are actually no instructions to follow. Please correct me if I'm wrong.

The redirect is def more obvious for a seasoned developer but will not be for others, so at least an info tooltip which says what should go in both of these would be great. As for the "OAuth Login URI" I'm guessing that you want this provided so you can check to see if the request is coming from the proper host, so I added my top level domain there and everything seems to work. However, it is called an "OAuth LOGIN URI" which makes it even more confusing, since there is not any actual logging in that happens if you are indeed just using this to check that the request is coming from the proper host.

Maybe there is some overlap here between the "Marketplace Appstore Workflow" and the "Website workflow" that I'm not aware of but from what I'm reading there is no clear indication on what should go in the "OAuth Login URI". So should I put the login to my app here (which would make no sense)? Or maybe you mean the URI from which the login redirect to Seller Central happens. Again, just confusing. Maybe it's just me, in which event I will gladly accept.

Lastly, you mentioned it's possible to add a redirect to localhost as long as it is https. It is not possible. Please see the attached screenshot. If you plan to make it possible and the "OAuth Login URI" is actually used to confirm which host it's coming from it would be nice to be able to add multiple "OAuth Login URI" for all available staging environments. I had to take an hour to redirect my localhost to a fake uri locally and then set up new certs, an nginx server to handle the redirects and everything for https which I haven't had to do in a long time since most major websites offer the functionality I'm referring to. Thanks much for your hard work guys. Appreciate it a ton, I know you've got tons on your plate right now.

[Attached screenshot: Screen Shot 2020-10-06 at 9 12 23 AM]

ShivikaK commented 4 years ago

Thank you for confirming the same.

The engineering team will be adding validation messages on saving the form if only one of the fields is filled and the other is left empty. The form will also be updated soon with info tooltips to help understand what is expected for the login and redirect URI fields when filling out the form.

To give a more elaborate description for the two, the login URI is the URI for the login page of your website. This is displayed after a seller consents to your application as described in "Marketplace Appstore workflow" section - Step 2. The seller consents to authorize your application.

The redirect URI is to redirect the seller to your application which is loaded into the browser as per Step 3. The seller signs into your website. Hope this makes it more clear regarding the usage of providing login and redirect URIs for now.

charliecode commented 4 years ago

@ShivikaK Yup, makes perfect sense. So there is some overlap between Marketplace and Website workflows for authorizing your SP-API app. I am using the website route which is why I didn't see that in the docs. Great to hear you guys are making updates to make it all more clear.

Would really love to be able to add https://localhost to both URIs. As well as multiple OAuth Login URIs so a nice multi stage dev - prod environment could be set up much easier. Thanks again for the fast responses.

p-prins commented 4 years ago

> Would really love to be able to add https://localhost to both URIs. As well as multiple OAuth Login URIs so a nice multi stage dev - prod environment could be set up much easier. Thanks again for the fast responses.

We'd love this as well!

P.S. Just as @charliecode I'd also like to say thank you to everyone at Amazon. So thank you for your hard work on realizing this API and working with developers to further improve it and its documentation. Much appreciated!

scrussell24 commented 4 years ago

Why can multiple redirect URIs be entered? How would Amazon know which to redirect to? I ask because it might be nice to set up different redirect URIs per region. I'm thinking the only way to know which region the seller was trying to approve would be to associate the region with the generated state parameter (uuid).
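
The idea in the comment above, binding the region to the generated state value and checking it when the seller is redirected back, as an added example that is not part of the thread or of Amazon's code. The region labels, the ten-minute lifetime and the names `StateStore` and `handle_callback` are assumptions made for illustration.

```python
import secrets
import time

STATE_TTL_SECONDS = 600              # assumption: ten minutes to finish consent
ALLOWED_REGIONS = {"na", "eu", "fe"}  # constructed region labels


class StateStore:
    """Pending authorization states, kept in memory for the example.

    A deployment with several web workers would need a shared store instead.
    """

    def __init__(self, now=time.time):
        self._pending = {}   # state value -> (region, expiry timestamp)
        self._now = now      # injectable clock so expiry can be exercised

    def issue(self, region):
        """Create an unguessable state value bound to the requested region."""
        if region not in ALLOWED_REGIONS:
            raise ValueError(f"unknown region: {region!r}")
        state = secrets.token_urlsafe(32)
        self._pending[state] = (region, self._now() + STATE_TTL_SECONDS)
        return state

    def consume(self, state):
        """Return the bound region, or None if unknown, reused or expired."""
        entry = self._pending.pop(state, None)  # pop makes a state single-use
        if entry is None:
            return None
        region, expires_at = entry
        if self._now() > expires_at:
            return None
        return region


def handle_callback(store, query):
    """Decide what to do with the query parameters seen on the redirect URI."""
    region = store.consume(query.get("state", ""))
    if region is None:
        # No pending request of ours matches: forged, replayed or stale.
        return ("reject", None)
    return ("accept", region)
```

With this shape a single redirect URI can serve every region: the region comes from the server-side record for the state value, not from anything the browser supplies.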

charliecode commented 4 years ago

@scrussell24 There are multiple ways Amazon could know which redirect URI to use. It's quite normal for large APIs to offer multiple redirects for a majority of use cases. A few of us would like to see them added for CI/CD - staging reasons. The reason this is all confusing is because for the time being, there is some overlap between the "Marketplace Appstore workflow" and the "Website workflow".

The Appstore workflow has you add the redirect URI directly into the URL. Pay attention to step 3. @ShivikaK also said the reason there is an "OAuth Login URI" is related to the "Appstore workflow" and not the "Website workflow". So, things are a little unclear at the moment but as is stated in the comments above, the dev team is taking care of making it more understandable. It would definitely be nice if there could be more separation between the two workflows when setting things up.

They also have the issue of a missing "Cancel" button (#29) and how that redirect will work once it is in fact available as it's stated to be in the docs.

ShivikaK commented 4 years ago

Hello,

As of now the localhost URLs cannot be used in Oauth URL fields as Amazon won't be able to respond/connect to localhost based Oauth RedirectUrl.

seanevan commented 4 years ago

Hi all,

Thanks for the healthy discussion. Our engineering team has heard this feedback loud and clear, and has added an item to our backlog to address it.

Best regards,
Sean Evans
Manager, Support Engineering

p-prins commented 3 years ago

@pprbhm please don't close issues without providing a reason why an issue is closed (e.g. a reason why a request is rejected, an issue is invalid, or a reference to a merged PR). This will help everyone involved in the discussion as well as future readers.

In this case, is localhost now supported as a valid callback URL?

pprbhm commented 3 years ago

Hello, thanks for the feedback. As mentioned by Sean in the earlier thread, the issue has been added to the backlog item to address it.

charliecode commented 3 years ago

I agree 100% with @p-prins on this one. Hoping this was an oversight? Last time we heard an official response on this was almost 3 months ago, we were told it was put on a backlog. Why has the issue been closed when the issue has not been fixed? Is it still on the backlog or will it no longer be implemented? And why was the conversation locked when @p-prins's request was done respectfully and he has a valid point?

pprbhm commented 3 years ago

Hello, if a seller/developer has any technical issue we would be glad to help you through the support case, which helps organize information and get it resolved in a timely manner. There are several issues which might overlap and have the same source of information which we want to remove and additional overheads. Thanks for understanding.

sidrafarooq commented 3 years ago

Hi,

After adding the Redirect and Login URL, the application condition is Eraser. What does it mean?

charliecode commented 3 years ago

Closing this issue as the original issue was fixed and the rest of the requested functionality is being and can be addressed in amzn/selling-partner-api-models#923. In particular the documentation being updated to show the redirect_uri can be added to the OAuth uri so multiple stages for CI/CD and local development can be handled. Only thing left would be adding the ability to save localhost as an OAuth uri for local development as it's super easy. However this is not 100% necessary as a more professional route which could be used across development applications would be for the dev to add an additional mapping to their localhost (127.0.0.1) via their hosts file and have it map to a fake local url the dev makes up such as https://dev.app.com. Said url would be listened to on 443 via a locally running https nginx server which would forward all requests to the dev's local development client, or alternatively use a service like ngrok as a means to redirect to your local development client. This negates the use of adding localhost as an OAuth redirect uri as Amazon will accept a non-registered locally running url so long as it supports https. Lastly, the locally running browser's client code will automatically take care of the rest.

younes127 commented 1 year ago

The fields for entering the login and redirect URLs do not appear. When I created the first app, the fields appeared and I was able to enter both URLs, however I had to delete this app. Now I try to create another app, but there is no way to assign the redirect urls.

I believe this is the reason why I am getting the following error during the authorization process that we are developing.

Something went wrong
This developer is currently not eligible to receive new authorizations.
App ID: amzn1.sp.solution.....
Error Code: MD9000

kevdevfr commented 1 year ago

> The fields for entering the login and redirect URLs do not appear. When I created the first app, the fields appeared and I was able to enter both URLs, however I had to delete this app. Now I try to create another app, but there is no way to assign the redirect urls.
>
> I believe this is the reason why I am getting the following error during the authorization process that we are developing.
>
> Something went wrong
> This developer is currently not eligible to receive new authorizations.
> App ID: amzn1.sp.solution.....
> Error Code: MD9000

Same problem here. We are awaiting news from Seller Central's support.

skrzyh commented 1 year ago

Has anyone found a solution?