jlevers / selling-partner-api

A PHP client library for Amazon's Selling Partner API
BSD 3-Clause "New" or "Revised" License

getAuthorizationCode error when trying to migrate from MWS token #110

Closed chrismeats closed 3 years ago

chrismeats commented 3 years ago

I referenced this in issue amzn/selling-partner-api-models#718 but was not sure you would see it since that issue is closed

@jlevers I am still getting these same error messages on the newest release 4.0.2. If I leave lwaRefreshToken blank I get

{"error_description":"The request is missing a required parameter : refresh_token","error":"invalid_request"}

If I remove lwaRefreshToken from my Configuration then I get

lwaRefreshToken must be specified when calling non-grantless API operations

Here is my config I am using:

$config = new Configuration([
    "lwaClientId"        => env('LWA_CLIENT_ID'),
    "lwaClientSecret"    => env('LWA_CLIENT_SECRET'),
    // "lwaRefreshToken" => '',
    "awsAccessKeyId"     => env('AMAZON_ACCESS_KEY_ID'),
    "awsSecretAccessKey" => env('AMAZON_SECRET_ACCESS_KEY'),
    "endpoint"           => Endpoint::NA,  // or another endpoint from lib/Endpoints.php
    "roleArn"            => env('SPAPI_ROLE_ARN'),
    "accessToken"        => null,
]);

What am I missing here? Any help is GREATLY appreciated!

gokigoks commented 3 years ago

I am also having trouble with the getAuthorizationCode endpoint.. As instructed in the link @chrismeats posted of the older issue, I put a random value on the refresh token parameter; however, I am getting this instead:


Client error: `POST https://api.amazon.com/auth/o2/token` resulted in a `400 Bad Request` response:
{"error_description":"The request has an invalid grant parameter : refresh_token","error":"invalid_grant"}

chrismeats commented 3 years ago

Yes, I get errors seemingly no matter what I set for lwaRefreshToken. I have tried removing it, leaving it blank, setting it to "notneeded", null, space, etc., and all throw errors.

chrismeats commented 3 years ago

@jlevers Not sure if this helps any, but debugging a bit more I can see it makes the first request with the "sellingpartnerapi::migration" scope, and gets back an "ATC" access token. It is the next request for the refresh token that fails from this line: https://github.com/jlevers/selling-partner-api/blob/main/lib/Authentication.php#L180 Hope that helps save some time.

jlevers commented 3 years ago

Sorry for the delay in responding to this -- I'm looking into it now.

jlevers commented 3 years ago

Give v4.0.3 a try -- this problem should be fixed. Let me know if you run into any more issues!

chrismeats commented 3 years ago

@jlevers Thank you so MUCH!... you ROCK!

However, now I am getting a new error:

Error executing "AssumeRole" on "https://sts.us-east-1.amazonaws.com"; AWS HTTP error: Client error: `POST https://sts.us-east-1.amazonaws.com` resulted in a `403 Forbidden` response:
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>AccessDeni (truncated...)
 AccessDenied (client): Roles may not be assumed by root accounts. - <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>AccessDenied</Code>
    <Message>Roles may not be assumed by root accounts.</Message>
  </Error>
  <RequestId>41c44973-d329-41b3-8e5e-5f31c1c67668</RequestId>
</ErrorResponse>

I followed your write-up here: https://jesseevers.com/selling-partner-api-access/ and I double-checked my Policy JSON and it matches what you laid out. From searching briefly online it sounds like maybe I am missing some role definition? Do you know if your original write-up on setting this up is still accurate?

Thanks again for all you're doing with this library! It is fantastic!!!

jlevers commented 3 years ago

If you set up the config the same way I explain it in my blog post, you shouldn't need to pass a roleArn to the Configuration object. Is the ARN you attached to your SP API the ARN of an IAM user or an IAM role?

chrismeats commented 3 years ago

@jlevers Ah! that makes sense. I was using an ARN of a user. Removing that clears that error.

Thanks again for all the help and work on this!

gokigoks commented 3 years ago

@chrismeats Hi,

How did you remove the ARN of a user if it is already set in the app in the partner network?

EDIT:

My case might be a bit different as I attached an IAM role to my SP-API app. However, it doesn't allow me to change this from the edit app section in the partner network -> develop apps.

chrismeats commented 3 years ago

@gokigoks My issue was that I was using a "roleArn" in my Configuration array. On top of that, it was a user ARN and obviously not what that feature was intended for, and it was causing the "Roles may not be assumed by root accounts" error.
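
The two misconfigurations discussed up to this point (a user ARN passed as "roleArn", and a missing lwaRefreshToken on non-grantless calls) can be caught before any request is sent. The following is an added example, not part of the thread and not code from jlevers/selling-partner-api; iamArnKind() and preflightConfig() are hypothetical helpers and the sample values are constructed.

```php
<?php
declare(strict_types=1);

/** Classify an IAM ARN as 'role', 'user', 'root' or 'other'; null if it is not an IAM ARN. */
function iamArnKind(string $arn): ?string
{
    // Shape: arn:<partition>:iam::<12-digit account id>:<resource>
    if (!preg_match('#^arn:[a-z-]+:iam::\d{12}:(.+)$#', $arn, $m)) {
        return null;
    }
    if ($m[1] === 'root') {
        return 'root';
    }
    $type = strstr($m[1], '/', true); // text before the first "/", false if none
    return in_array($type, ['role', 'user'], true) ? $type : 'other';
}

/**
 * Hypothetical pre-flight check for the array passed to Configuration.
 * $grantless is true for operations such as getAuthorizationCode.
 * Returns a list of problems; an empty list means none were found.
 */
function preflightConfig(array $options, bool $grantless): array
{
    $problems = [];
    foreach (['lwaClientId', 'lwaClientSecret', 'awsAccessKeyId', 'awsSecretAccessKey'] as $key) {
        if (empty($options[$key])) {
            $problems[] = "$key is empty (unset environment variable?)";
        }
    }
    if (isset($options['roleArn'])) {
        $kind = iamArnKind((string) $options['roleArn']);
        $what = $kind === null ? 'not an IAM ARN' : "an IAM $kind ARN";
        if ($kind !== 'role') {
            $problems[] = "roleArn is $what; pass roleArn only for an IAM role";
        }
    }
    if (!$grantless && empty($options['lwaRefreshToken'])) {
        $problems[] = 'lwaRefreshToken is required for non-grantless operations';
    }
    return $problems;
}

// Constructed sample mirroring the misconfiguration in this thread (all values are fake).
$options = [
    'lwaClientId' => 'amzn1.application-oa2-client.EXAMPLE', 'lwaClientSecret' => 'example',
    'awsAccessKeyId' => 'AKIAEXAMPLEEXAMPLE00', 'awsSecretAccessKey' => 'example',
    'roleArn' => 'arn:aws:iam::123456789012:user/spapi-user',
];
echo implode(PHP_EOL, preflightConfig($options, true)), PHP_EOL;
```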

gokigoks commented 3 years ago

@chrismeats Thank you for the response.. Can you please share a snippet of the getAuthorization process that you used successfully, if possible? Sorry for the bother.

EDIT: I think I have all the configs correct. However, I'm getting a forbidden error (403)..

chrismeats commented 3 years ago

@gokigoks It is not a working example because for some reason Amazon decided to make my app private over the weekend, so I am still working through that with them. You have to be approved and published before get authorization calls will work. Here is my snippet that I believe will work once I am approved!

Pretty much straight from jlevers example here: https://github.com/jlevers/selling-partner-api/blob/main/docs/Api/AuthorizationApi.md#getAuthorizationCode

$config = new Configuration([
    "lwaClientId"        => env('LWA_CLIENT_ID'),
    "lwaClientSecret"    => env('LWA_CLIENT_SECRET'),
    "awsAccessKeyId"     => env('AMAZON_ACCESS_KEY_ID'),
    "awsSecretAccessKey" => env('AMAZON_SECRET_ACCESS_KEY'),
    "endpoint"           => Endpoint::NA,  // or another endpoint from lib/Endpoints.php
    "accessToken"        => null,
]);

$apiInstance = new AuthorizationApi($config);
$result = $apiInstance->getAuthorizationCode($selling_partner_id, $developer_id, $mws_auth_token);

misterakko commented 3 years ago

@jlevers I also started getting the error "The request has an invalid grant parameter : refresh_token" as soon as I upgraded from v3.1.5 to the current version (4.0.3).

My config wasn't changed from the one I used in v3

$config = new Configuration([
    "lwaClientId"        => $params['amzn-spapi-lwaClientId'], // from https://sellercentral-europe.amazon.com/sellingpartner/developerconsole/ref=xx_DevCon_dnav_xx#
    "lwaClientSecret"    => $params['amzn-spapi-lwaClientSecret'], // from the same place
    "lwaRefreshToken"    => $params['amzn-spapi-lwaRefreshToken'], // from "token" in seller central at https://sellercentral-europe.amazon.com/sellingpartner/developerconsole/ref=xx_DevCon_dnav_xx under authorization
    "awsAccessKeyId"     => $params['amzn-spapi-awsAccessKeyId'], // from aws.amazon.com
    "awsSecretAccessKey" => $params['amzn-spapi-awsSecretAccessKey'], // same place
    "endpoint"           => Endpoint::EU
]);

jlevers commented 3 years ago

@misterakko are you getting that error for the getAuthorizationCode call only?

misterakko commented 3 years ago

@jlevers Nope, I was trying a call to getMarketplaceParticipations()

jlevers commented 3 years ago

If you downgrade back to v3.1.5, does the error go away? I'm not sure what would be causing you to have that error, but I'm able to call getMarketplaceParticipations() fine with the latest version of the library.

chrismeats commented 3 years ago

hey @jlevers I hate to bother you again, but I think there is still an issue with getAuthorizationCode. I am getting the following error now

{
  "errors": [
    {
      "message": "Access to requested resource is denied.",
      "code": "Unauthorized",
      "details": ""
    }
  ]
}

I was getting this before and assumed it was because my app had not been approved by Amazon yet. They approved my app yesterday and the status now shows

Published
Current edit is approved and pending publishing

I can make calls to other spapi authorized endpoints such as getOrders.

Is it possible that the get authorization request has an issue with how it is signed? Or is my issue that it is showing "Current edit is approved and pending publishing" even though the status shows "published"?

Thanks again for an amazing package, let me know if you would rather me start a new issue to track this?

Thanks,

Chris

jlevers commented 3 years ago

I think that once your edits have been approved, the getAuthorizationCode call should start working again.

(And no worries, this issue is fine -- I'm pretty sure this is an Amazon issue and not one related to my library, so having it in a closed issue actually works well.)

gokigoks commented 3 years ago

@jlevers

Our app has been in

"Published Current edit is in draft"

state for a long time. What should the status show to indicate we are good to go with SP-API? Our App is a hybrid app by the way. Any help is appreciated..

misterakko commented 3 years ago

@gokigoks I've seen "Current edit is in draft" for as much as two months at a time. Once it got stuck indefinitely, and we had to open a case to unblock it. I may be wrong, but I suspect there's some poor soul somewhere in India who has been tasked to read and approve every change made, to ensure that nobody added curses, insults at Mr. Bezos or black magic to their entries.

jlevers commented 3 years ago

@gokigoks as @misterakko said, it's basically going to stay that way until they finally get around to dealing with it or you make a stink (creating a support case, making an issue in their GitHub repo, etc).

ramsesIII commented 2 years ago

@gokigoks as @misterakko said, it will basically stay that way until they finally get around to dealing with it or you make a stink (creating a support case, creating an issue in their GitHub repo, etc.).

I am going crazy.

I Have App In The State:

I have the library in version 4.3.11, PHP 7.3.33

The library works for the calls I tested: getMarketplaceParticipations and getCatalogItem

But, when I use: AuthorizationApi (To convert my client's MWS Token) I get the following error:

Exception when calling AuthorizationApi-> getAuthorizationCode: [500] {"errors": [{"code": "InternalFailure", "message": "We encountered an internal error. Please try again.", "Details": ""} ]}

Can anyone tell me why?

gokigoks commented 2 years ago

@ramsesIII

So far, Amazon error responses have been very unhelpful most of the time. Try dumping the parameters you are sending in your request for that endpoint and check if it looks good. Good luck.

ramsesIII commented 2 years ago

But the absurd thing is that if I put EU_SANDBOX it returns me a token. (not valid but correct payload) If I return to the EU, it gives me an error 500

jlevers commented 2 years ago

I recommend opening a case with Amazon seller support -- a 500 error is unfortunately not something I can do much about. That's an error on their end.

ruskenberry commented 2 years ago

Any way to allow the getAuthorization() call to point to the version=beta url? I see that as a possible workaround for private sellers to manage multiple seller accounts from one MWS developer profile here: https://github.com/amzn/selling-partner-api-models/issues/1267

jlevers commented 1 year ago

Not that I know of. If you want to manage 10 or fewer seller accounts, and you have the logins for all of them, you can self-authorize them all. If you have 25 or fewer, you can authorize them using the OAuth flow with the version=beta parameter, but you can't convert MWS tokens to SP API tokens.