soundcloud / api

A public repo for our Developer Community to engage about bugs and feature requests on our Public API

Unable to interact with API after receiving access token. #86

Closed marekw closed 3 years ago

marekw commented 3 years ago

Title: Unable to interact with API after receiving access token.

Issue found of: July 29th, 2021

Endpoint(s):

Scope(s):

Steps to reproduce:

curl --request GET \
--url 'https://api.soundcloud.com/me/tracks?limit=1' \
--header 'Authorization: OAuth 1-2345-auth_token_received_from /oauth2/token'

Expected behaviour:

A list of tracks as described at https://developers.soundcloud.com/docs/api/explorer/open-api#/me/get_me_tracks.

Actual behaviour:

{"code":401,"message":"","link":"https://developers.soundcloud.com/docs/api/explorer/open-api","status":"401 - Unauthorized","errors":[],"error":null} (consistently)

Summary: Using server-side integration (https://developers.soundcloud.com/blog/security-updates-api) and receiving auth_token from /oauth2/token, but any attempt to interact with resources results in 401 Unauthorized.

dasha-kobzeva commented 3 years ago

Hi @marekw,

to access user resources you should use Authorization Code flow and get a token associated with a current user. Client credentials work only for public resources (like search for instance).

You can find more information in our guide: https://developers.soundcloud.com/docs/api/guide#server-side

Let me know if you have more questions.

marekw commented 3 years ago

Hello @dasha-kobzeva,

My integration is purely backend/server side without any client side/webpage involvement. For example:

based on docs in order for me to interact with POST /tracks endpoint I need to first obtain access_token from /oauth2/token then add access_token to request header along with track data.

Apologies if my examples were confusing or misleading.

Also, my previous (working) integration used (username pass and client secret/client id) but stopped working a few weeks ago, which coincides with API changes.

Am I missing something?

Please advise. Thanks

dasha-kobzeva commented 3 years ago

Yes, the password grant was deprecated, so this is not a possible option anymore.

Unfortunately, the only means to get a token associated with a user session is through Soundcloud Connect, which goes through a browser, as a user has to allow your app to act on their behalf.

So for /tracks endpoint client_credentials are enough, for /tracks/:id, /me, /like and so on it has to be Authorization Code flow.

You can see spec here: https://developers.soundcloud.com/docs/api/explorer/open-api#/oauth/post_oauth2_token

marekw commented 3 years ago

Hello @dasha-kobzeva,

Thank you for the clarification; my focus is now on the POST /tracks endpoint.

I attempted the following:

Step 1 obtain auth token:

curl --request POST \
--url https://api.soundcloud.com/oauth2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_id=CLIENT_ID \
--data client_secret=SECRET \
--data grant_type=client_credentials

Step 2 use auth token from previous step:

curl -X POST "https://api.soundcloud.com/tracks" -H "Authorization: OAuth 2-1234--auth token obtained from Step 1" -H "accept: application/json; charset=utf-8" -H "Content-Type: multipart/form-data" -F "track[tag_list]=tag tag2" -F "track[downloadable]=false" -F "track[description]=Test" -F "track[sharing]=private" -F "track[asset_data]=" -F "track[title]=TEST Song"

Still getting 401: {"code":401,"message":"","link":"https://developers.soundcloud.com/docs/api/explorer/open-api","status":"401 - Unauthorized","errors":[],"error":null}

In the /tracks endpoint, according to the API, there are no required fields, so I am just picking a few and leaving the other fields empty.

dasha-kobzeva commented 3 years ago

Once again, client_credentials flow is only for public resources. Uploading a track requires a user session.

Please use the following authentication method for getting a token:

curl --request POST \
--url https://api.soundcloud.com/oauth2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_id=CLIENT_ID \
--data client_secret=SECRET \
--data grant_type=authorization_code \
--data 'code=<code you received from calling /connect endpoint>' \
--data redirect_uri=APP_REDIRECT_URI

API Guide states:

401 Unauthorized This means that we were not able to authenticate you based on the information provided in the request. Make sure you're sending an Authorization header.

Our public endpoints will work with an access token acquired through the Client Credentials flow. Acting on behalf of another user is different. The Authentication section gives a detailed explanation of how this works.

If you're connecting using OAuth, don't forget that tokens can expire. These will need to be refreshed. Not doing so can also result in getting a 401 error.

marekw commented 3 years ago

Hi @dasha-kobzeva,

Using /connect but getting (redirect_uri_mismatch). I do not remember and I was unable to find by browsing account settings.

Please advise. Thanks

dasha-kobzeva commented 3 years ago

Hi @marekw, you should be able to see information about your registered apps under https://soundcloud.com/you/apps When you provide redirect_uri in the connect request it has to match the redirect_uri you have created your app with.
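The authorization code exchange discussed in this thread, as an added example that is not part of the original comments and not SoundCloud's code. Assumptions: the `/connect` host, support for the standard OAuth 2.0 `state` parameter, the `app.example` callback used in testing, and all function names, which are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: the thread names /connect and /oauth2/token; the /connect host is assumed.
AUTHORIZE_URL = "https://api.soundcloud.com/connect"
TOKEN_URL = "https://api.soundcloud.com/oauth2/token"


def build_authorize_url(client_id, redirect_uri, registered_redirect_uri):
    """Return (url, state) for the browser step of the authorization code flow."""
    # The provider compares redirect_uri with the value registered for the app,
    # so a blank or different value fails before any code is issued.
    if not registered_redirect_uri or redirect_uri != registered_redirect_uri:
        raise ValueError("redirect_uri must equal the registered value exactly")
    state = secrets.token_urlsafe(32)  # unguessable; binds the callback to this session
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect, rejecting forged callbacks."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    returned_state = params.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]


def token_request_form(client_id, client_secret, code, redirect_uri):
    """Form body for POST TOKEN_URL; redirect_uri repeats the value sent to /connect."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,  # stays on the server, never sent to the browser
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    })
```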

marekw commented 3 years ago

Hi @dasha-kobzeva,

curl --request POST \
--url https://api.soundcloud.com/oauth2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_id=CLIENT \
--data client_secret=SECRET \
--data grant_type=authorization_code \
--data 'code=3-1123-12344565666-OTHER-CHARACTERS<code from calling /connect endpoint>' \
--data redirect_uri=

{"code":400,"message":"invalid_grant","link":"https://developers.soundcloud.com/docs/api/explorer/open-api","status":"400 - Bad Request","errors":[{"error_message":"invalid_grant"}],"error":null,"error_code":"invalid_grant"}%

I am using blank redirect_uri because that is what I see when visiting https://soundcloud.com/you/apps

Please advise. Thanks

dasha-kobzeva commented 3 years ago

@marekw you are getting invalid_grant because you have no redirect_uri provided for your app, so we cannot redirect you anywhere. Redirect_uri is mandatory and your application should have one provided in the app credentials.

marekw commented 3 years ago

Hi @dasha-kobzeva,

First, thank you very much and your help is much appreciated.

As for redirect_uri, I have a blank redirect_uri being displayed when I visit https://soundcloud.com/you/apps (also no edit option).

Since redirect_uri is blank I tried to use arbitrary url but every time I do so I get 401 Unauthorized.

Please advise. Thanks

dasha-kobzeva commented 3 years ago

Hi @marekw, yes, the redirect_uri cannot be empty. We can update it for you. Could you please provide the user id the app is registered to, the email address of that SC user and redirect_uri?

marekw commented 3 years ago

Hi @dasha-kobzeva,

Before we make the update, I have the following concern: so far I have been using a browser to obtain the code, but my planned implementation is to run 100% on a server without user/browser interaction.

My use case is to programmatically interact with only 1 endpoint POST /tracks.

My question is: Is Soundcloud Connect flow (/connect and then oauth2/token) the only option?

Again, apologies if my question is unclear or redundant, but I am not confident I will be able to upload a track the same way I was doing it before the new security updates beginning July 2021.

Please advise. Thanks

dasha-kobzeva commented 3 years ago

Hey @marekw, you are correct, with the new security changes Soundcloud Connect flow (/connect and then oauth2/token) is the only option. The previous mechanism you were using was not safe as you were exposing the user id/password in the request.

Also note, you cannot upload a track to SC with a specific user, so unfortunately you cannot do it as you used to before.

marekw commented 3 years ago

Hi, @dasha-kobzeva,

Thanks again for your help.

Are there any plans in the future to support API functionality (programmatically interacting with endpoints)? Or how are other SC customers who used this functionality approaching this matter?

Thanks

dasha-kobzeva commented 3 years ago

Hi @marekw, if you are talking about password grant support, we are not planning on supporting it as it's unsafe.

I believe other customers are migrating to using different authorization flows.

marekw commented 3 years ago

Hi @dasha-kobzeva,

Could you please point me to a place where "different authorization flows" are being implemented/documented?

Thanks

dasha-kobzeva commented 3 years ago

You could refer to our guide: https://developers.soundcloud.com/docs/api/guide#authentication There are different sections for different flows.

You can also check our spec: https://developers.soundcloud.com/docs/api/explorer/open-api#/oauth/post_oauth2_token

simshaun commented 1 year ago

> yes, the redirect_uri cannot be empty. We can update it for you. Could you please provide the user id the app is registered to, the email address of that SC user and redirect_uri?

So sorry for reviving this old issue but I'm unsure what other avenue to take for support.

I'm having the exact same problem as above where my Redirect URI is blank in https://soundcloud.com/you/apps, so when I try to start the authorization code process, I get the "The redirection URI provided does not match a pre-registered value" error.

Since I can't edit the Redirect URI from the "Your Apps" page, I'm here. Is there anybody I could send a DM to with our information to get this fixed?