amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0
612 stars 736 forks source link

The security token included in the request is invalid when using the C# SP-API on GetOrders #730

Closed jbyte2009 closed 3 years ago

jbyte2009 commented 4 years ago

I am trying to get orders from the SP-API. I have followed the documentation and I have downloaded the GitHub projects (AWSSDK.Core, AWSSDK.IdentityManagement, AWSSDK.SecurityToken). I am using the C# project, SellingPartnerAPIAuthAndAuthCSharp - Amazon.SellingPartnerAPIAA that is included in the SP-API GitHub location. I tried adding a security token via the AWSSDK.SecurityToken nuget package to get the x-amz-security-token. But I get the following error message: The security token included in the request is invalid. Any help would be appreciated.

jbyte2009 commented 4 years ago

One more item. I am trying to create a console application in C# using Visual Studio .NET 2017 Professional. If you are going to replace MWS, you will have to consider that programmers will not be doing website applications that are hosted on a web server.

rogersv commented 4 years ago

I would assume that you have an incorrect token :). What steps did you do in the documentation and which information did you send into the functions (not asking for secrets). I might be able to help you. I got the calls to work but I did not use an sdk.

You would at least need to:

jbyte2009 commented 4 years ago

No secrets here. I used the following C# project, https://github.com/amzn/selling-partner-api-models/tree/main/clients/sellingpartner-api-aa-csharp. This gave me the LWA AccessToken. This worked fine. Success! I was reading that you will need a header of "x-amz-security-token" in one of the posts here and that you would need to AssumeRole, This involved "STS". Amazon Web Services gives a Nuget Package called "AWSSDK.SecurityToken" This has a client called, "AmazonSecurityTokenServiceClient", "AssumeRoleRequest" to fill out the properties. I had to pass the "RoleARN" and "RoleSessionName". This resulted in Credentials coming back. Success! Back to the GetOrders request. I added the "version=beta" header to the request due to a new post. Since the AssumeRole returns credentials, I instatntiated an AWSAuthenticationCredentials with those credentials (like you stated above). I sign it with the above selling partner api model C# library. Now, I get the following issue, "Access to requested resource is denied.". LIke the Dude states, "New sh@t has come to light."

rogersv commented 4 years ago

The sounds correct. Not sure that I can help. Did you add both the x-amz-access-token and the x-amz-security-token in the call that gets the order? security-token is the session-token you get from the role and the other one is the access token you get from the refresh token. I think that is how it works. Edit: @charliecode is right the version=beta is not used in the call to get orders.

charliecode commented 4 years ago

@jbyte2009 Are you authenticating with the SP-API or just making a request to it? Maybe I'm missing something but I thought the version=beta is mentioned to be added to the url when authorizing a user with the API, not for making requests. For testing there is the sandbox, who's flow does not mention adding the version=beta param.

jbyte2009 commented 4 years ago

@charliecode `I am authenticating using the code provided in the following location, https://github.com/amzn/selling-partner-api-models/tree/main/clients/sellingpartner-api-aa-csharp. They have a class "LWAClient" that has a method GetAccessToken. This does not have a version property to set. Then, I am using the AWS Nuget Package (AWSSDK.SecurityToken) to get the STS Credentials.

jbyte2009 commented 4 years ago

@rogersv Did you add both the x-amz-access-token and the x-amz-security-token in the call that gets the order? Answer Yes.

charliecode commented 4 years ago

@jbyte2009 Yes, they both get added. I can't speak to the C# library as I haven't used it but it looks like they def have some of the heavy lifting done for you already. If you haven't yet, you may want to go over Connecting to the Selling Partner API really well as it explains the whole process. That may help you find what you're missing at the moment.

jbyte2009 commented 4 years ago

Thanks @rogersv and @charliecode for helping yesterday. I am going through the Connecting to the Seller Partner API to see if there is something I missed.

dsokolowski commented 4 years ago

It may be due to your http client changes your header keys like you set "x-amz-access-token" but "X-Amz-Access-Token" is sent. It looks like header key names are case sensitive.

seanevan commented 4 years ago

Hi @jbyte2009, did you manage to get past this error? Please feel free to open a support case with us if you'd like to deeper assistance.

Thanks, Sean Evans Manager, Support Engineering

voronytskyi commented 4 years ago

Having same error on my end. Did same as described here. Pls advice.

BeeBee234 commented 3 years ago

Greetings,

The C# SDK does not seem to be a working solution at this time (for many users).

However, the sample C# example code in https://github.com/amzn/selling-partner-api-models/issues/31 works for the following sandbox calls on my end:

    var resource = $"/orders/v0/orders";
    IRestRequest restRequest = new RestRequest(resource, Method.GET);
    restRequest.AddParameter("MarketplaceIds", "ATVPDKIKX0DER", ParameterType.QueryString);
    restRequest.AddParameter("CreatedAfter", "TEST_CASE_200", ParameterType.QueryString);

FYI, I encountered many 'Access denied/Unauthorized/Forbidden' responses before finally making a successful sandbox call to the following (which also works):

var resource = $"/vendor/orders/v1/purchaseOrders";
IRestRequest restRequest = new RestRequest(resource, Method.GET);
restRequest.AddParameter("createdAfter", "2019-08-20", ParameterType.QueryString);
restRequest.AddParameter("createdBefore", "2019-09-21", ParameterType.QueryString);

This confirmed to me that my credentials were set up properly and that 'Access denied' is bogus. So even if you get 'Access denied' you might be very close to the correct syntax.

Good luck and have a grand day,

Brian

ShivikaK commented 3 years ago

Hi @jbyte2009, did you manage to get past this error? Please feel free to open a support case with us if you'd like to deeper assistance. If you have reported a case with us please share the case ID and we will help assist you further with this issue.

Thanks, Shivika Khare Selling Partner API Developer Support