The REST API basics

#Troubleshooting guide

This guide describes the most common errors you can experience when using the REST API and the solutions to fix them.

#Missing client id

Two problems can be the cause of the following response when authenticating to the REST API:

      "code": 422,
      "message": "Parameter "client_id" is missing or does not match any client, or secret is invalid"

#Base 64 not correctly encoded

You are not correctly encoding client and secret in base 64. We encourage you to use the Postman collection that you will find in this tutorial or the PHP client, that handle it automatically for you.

If you use the command line to generate the base 64, please ensure that you do it this way:

echo -n "client_id:secret" | base64

Do note the option -n to avoid to print the trailing newline character and encode it.

If you still experience the same error, please follow the second solution.

#Apache strip the authentication header

If you are sure to provide the correct base 64 of the client and secret, it probably means that Apache is not correctly set up.
Various Apache modules can strip the authorization header “Authorization: Basic base64client_id:secret”.

Add the following line in your virtual host file:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

#Redirection on connection page

When requesting the REST API, you are redirected to the REST API, with any endpoints.

This problem occurs when the project has been updated from version 1.6.
It is coming from the security file app/config/security.yml in the PIM project.

The declaration order of the keys is important in this file.
If the key security.firewalls.main is before the keys security.firewalls.token, security.firewalls.api_index and security.firewalls.api, you will be redirected on requesting page when using the REST API.

Please check that the keys under security.firewalls are in this following order:

      pattern:                        ^/api/oauth/v1/token
      security:                       false
      pattern:                        ^/api/rest/v1$
      security:                       false
      pattern:                        ^/api
      fos_oauth:                      true
      stateless:                      true
        pattern:                        ^/
        provider:                       chain_provider
            csrf_token_generator:       security.csrf.token_manager
            check_path:                 oro_user_security_check
            login_path:                 oro_user_security_login
            path:                       oro_user_security_logout
            secret:                     "%secret%"
            name:                       BAPRM
            lifetime:                   1209600   # stay logged for two weeks
        anonymous:                      false