REST API documentation

#Troubleshooting guide

This guide describes the most common errors you can experience when using the API and the solutions to fix them.

#Missing client id

Two problems can be the cause of the following response when authenticating to the API:

{
  "code": 422,
  "message": "Parameter \"client_id\" is missing or does not match any client, or secret is invalid"
}

#Base 64 not correctly encoded

You are not correctly encoding the client id and secret in base 64. We encourage you to use the Postman collection or the PHP client, which handle it automatically for you.

If you use the command line to generate the base 64, please ensure that you do it this way:

echo -n "client_id:secret" | base64

Note the -n option: it stops echo from printing a trailing newline character, which would otherwise be encoded along with the credentials.

If you still experience the same error, please follow the second solution.

#Apache strips the authorization header

If you are sure that you are providing the correct base 64 encoding of the client id and secret, Apache is probably not set up correctly.
Various Apache modules can strip the authorization header “Authorization: Basic base64client_id:secret”.

Add the following line in your virtual host file:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

#Redirection on connection page

When requesting the API, you are redirected to the connection page, whichever endpoint you call.

This problem occurs when the project has been updated from version 1.6.
It comes from the security file app/config/security.yml in the PIM project.

The declaration order of the keys is important in this file.
If the key security.firewalls.main is declared before the keys security.firewalls.token, security.firewalls.api_index and security.firewalls.api, you will be redirected whenever you call the API.

Please check that the keys under security.firewalls are in the following order:

security:
    firewalls:
        token:
            pattern:                        ^/api/oauth/v1/token
            security:                       false

        api_index:
            pattern:                        ^/api/rest/v1$
            security:                       false

        api:
            pattern:                        ^/api
            fos_oauth:                      true
            stateless:                      true

        main:
            pattern:                        ^/
            provider:                       chain_provider
            form_login:
                csrf_token_generator:       security.csrf.token_manager
                check_path:                 oro_user_security_check
                login_path:                 oro_user_security_login
            logout:
                path:                       oro_user_security_logout
            remember_me:
                secret:                     "%secret%"
                name:                       BAPRM
                lifetime:                   1209600   # stay logged in for two weeks
            anonymous:                      false
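
Why the order matters, as an added example that is not part of the original documentation or of the PIM code base: Symfony hands a request to the first firewall whose pattern matches its path, so a catch-all `^/` declared first captures every API call. The sample file (trimmed to its pattern keys), the probe paths and the function names are constructed for illustration, and the parser assumes four-space indentation.

```python
import re

# Constructed sample: a security.yml where "main" was left first after an
# upgrade. Patterns are the ones listed in this guide; other keys are omitted.
MISORDERED_YML = """\
security:
    firewalls:
        main:
            pattern:    ^/
        token:
            pattern:    ^/api/oauth/v1/token
        api_index:
            pattern:    ^/api/rest/v1$
        api:
            pattern:    ^/api
"""

# Constructed probe paths and the firewall each one should reach.
PROBES = {"/api/oauth/v1/token": "token", "/api/rest/v1": "api_index",
          "/api/rest/v1/products": "api", "/user/login": "main"}

def firewalls(yml):
    """Return [(name, pattern)] in declaration order (indentation-based, no YAML library)."""
    found, name = [], None
    for line in yml.splitlines():
        key = re.match(r"^ {8}(\w+):\s*$", line)          # firewall name
        pat = re.match(r"^ {12}pattern:\s*(\S+)", line)   # its pattern key
        if key:
            name = key.group(1)
        elif pat and name:
            found.append((name, pat.group(1)))
    return found

def route(fws, path):
    """Return the first firewall whose pattern matches the path (first match wins)."""
    return next((n for n, p in fws if re.search(p, path)), None)

def misrouted(fws):
    """Map each probe path that reaches the wrong firewall to the firewall it hit."""
    return {p: route(fws, p) for p, want in PROBES.items() if route(fws, p) != want}

def fixed_order(fws):
    """Move the catch-all "main" firewall to the end, as this guide prescribes."""
    return [f for f in fws if f[0] != "main"] + [f for f in fws if f[0] == "main"]

if __name__ == "__main__":
    fws = firewalls(MISORDERED_YML)
    print("misordered:", misrouted(fws))
    print("fixed:     ", misrouted(fixed_order(fws)))
```

With `main` first, all three API probes land on the form-login firewall; once it is moved last, every probe reaches its intended firewall.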
