Forum Discussion

6magics
Contributing User
3 years ago

MYOB API Authentication Not Working

Hi, I've been struggling on and off for several weeks trying to get API access working outside of a Postman environment using Python scripts. I managed to get the initial token refresh request (to https://secure.myob.com/oauth2/v1/authorize/) working fine and my scripts receive valid access tokens with every request.

My issue is when performing any request other than refreshing the token, I am met with an unauthorized error and no additional information.

For a standard GET request from the API, my request headers are as follows:

"Authorization": "Bearer " + cache["MYOB_ACCESS_TOKEN"],
"Cache-Control": "no-cache",
"Accept": "*/*",
"Accept-Endoding": "gzip, deflate",
"Connection": "keep-alive",
"x-myobapi-cftoken": cache["BASE64_CREDENTIALS"],
"x-myobapi-version": "v2",
"x-myob-api-key": cache["MYOB_API_KEY"]

These headers are exactly the same as those used in the Postman environment (except for the cftoken) so I'm absolutely baffled as to what the issue with the authentication process is.

An example of the requests I am attempting is as follows:

URL: {{company_file_uri}}/{{company_file_id}}/Sale/Invoice/Service

r = requests.get(url, headers=get_headers())

Interestingly, I've noticed that the refresh token response for my Python requests is missing several attributes that are described in the API docs. My response only includes 'access_token' and 'scope', while the docs specify 'access_token', 'token_type', 'expires_in', 'refresh_token', 'user':{ 'uid', 'username'}; it is worth noting that these attributes do exist in the Postman response for the refresh token request.

I have also noticed that this request does not work in Postman or Python.

https://secure.myob.com/oauth2/v1/Validate?scope="CompanyFile"

 

  • kjm
    Trusted Cover User

    Unauthorised seems to suggest it is well formed but has something to do with the key or token... have you encoded it correctly? I recall I had a similar issue and needed to escape the data string to get it going... sorry, I don't recall exactly what I did.

    What is the URL you are querying? Put in the full route.

    Here is my GET request from the .NET SDK, from a trace in Fiddler. This works.
    I would:

    1. Get rid of Cache control header

    2. Get rid of Accept header

    3. Modify Accept-Encoding to only include gzip 

    4. Get rid of Connection header

    I can't promise that will make any difference but I have had issues where otherwise harmless headers have prevented me from getting it working. As you can see this is from the .NET SDK. I have a RestSharp client that constructs it as well but I don't have the trace for it here. If you are still stuck after this then reply and I'll get it to you and you can compare then.

    GET https://arl2.api.myob.com/accountright/f173[TRUNCATED]aa/Payroll/PayrollCategory/Wage/ HTTP/1.1
    Authorization: Bearer AAEAAEX[TRUNCATED]CclRjZRxLZM
    Accept-Encoding: gzip
    User-Agent: MYOB-ARL-SDK/2022.6.425 (+http://developer.myob.com/api/accountright/v2/)
    x-myobapi-key: xdf[TRUNCATED]dye
    x-myobapi-version: v2
    x-myobapi-cftoken: QWRt[TRUNCATED]N0Wjgj
    Host: arl2.api.myob.com

     

    • 6magics
      Contributing User

      I just tried removing those headers but had no luck.

      I have not personally encoded any of the keys or tokens except for the x-myobapi-cftoken containing the credentials, which is b64 encoded. I'm not sure if the Python requests module automatically applies an encoding scheme but I haven't run into any issues with that when requesting other APIs.

       

      An example request that I've been using is:

      GET: https://ar1.api.myob.com/accountright/{{company_file_id}}/Sale/Invoice/Service

       

      • kjm
        Trusted Cover User

        Asking the obvious: have you actually got permission to log in to the file online using the user credentials you are sending?

        Install Fiddler and capture your request and see what is getting sent exactly. Your example is your call from your code. Capture the actual request and examine that. From there you can start to see what is going wrong. My example is a capture from Fiddler and shows a successful call.

        Here is a call from the RestSharp .NET library, which is just a lib around an httpclient to simplify calls to the API:

        GET https://api.myob.com/accountright//f173ad4{TRUNCATED}aaa/Sale/Invoice HTTP/1.1
        authorization: Bearer AA{TRUNCATED}3TWg-WJ
        x-myobapi-cftoken: QWRt{TRUNCATED}Wjgj
        x-myobapi-key: xd{TRUNCATED}ye
        x-myobapi-version: v2
        Accept: application/json, text/json, text/x-json, text/javascript, application/xml, text/xml
        User-Agent: RestSharp/108.0.2.0
        Host: api.myob.com
        Accept-Encoding: gzip

        I am Base64Encoding the cftToken
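
Added example, not part of any post in this thread: one way to do the comparison kjm suggests is to diff the header names a script sends against those in the working Fiddler trace, while truncating credential values so the dump can be shared. The helpers `compare_headers` and `redact` are hypothetical names, and all header values below are constructed placeholders.

```python
import difflib

# Header names from the working Fiddler trace quoted in the thread.
# Host and User-Agent are left out: the HTTP client sets them itself.
WORKING_TRACE_HEADERS = ["Authorization", "Accept-Encoding", "x-myobapi-key",
                         "x-myobapi-version", "x-myobapi-cftoken"]

# Header names as listed in the question; all values are constructed placeholders.
QUESTION_HEADERS = {
    "Authorization": "Bearer EXAMPLE-ACCESS-TOKEN",
    "Cache-Control": "no-cache",
    "Accept": "*/*",
    "Accept-Endoding": "gzip, deflate",
    "Connection": "keep-alive",
    "x-myobapi-cftoken": "RVhBTVBMRTpFWEFNUExF",
    "x-myobapi-version": "v2",
    "x-myob-api-key": "EXAMPLE-API-KEY",
}


def redact(name, value, keep=4):
    """Truncate credential-bearing values so a dump is safe to share."""
    lname = name.lower()
    if not any(word in lname for word in ("authorization", "key", "token")):
        return value
    scheme, sep, secret = value.rpartition(" ")  # keeps an auth scheme such as "Bearer"
    return f"{scheme}{sep}{secret[:keep]}[TRUNCATED]"


def compare_headers(candidate, reference=WORKING_TRACE_HEADERS):
    """Diff header names case-insensitively and flag probable misspellings."""
    ref = {name.lower() for name in reference}
    cand = {name.lower() for name in candidate}
    extra = sorted(cand - ref)
    near_miss = {}
    for name in extra:
        match = difflib.get_close_matches(name, sorted(ref), n=1, cutoff=0.8)
        if match:
            near_miss[name] = match[0]
    return {"missing": sorted(ref - cand), "extra": extra, "near_miss": near_miss}


if __name__ == "__main__":
    for name, value in QUESTION_HEADERS.items():
        print(f"{name}: {redact(name, value)}")
    for kind, names in compare_headers(QUESTION_HEADERS).items():
        print(kind, names)
```

The `near_miss` entries are the names worth checking first, since a header that is one character off from an expected name is silently ignored by the server rather than rejected.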