Unauthorized Access on Getting Cashbook List

Jerwin Ollica Plaquia Member Posts: 40
edited February 2017 in Reckon API
Hi Guys,

As my title says, I seem to have difficulty getting a list of my cashbooks. But when I tried it in the https://reckonproduction.portal.azure-api.net it is working fine. But when I tried it in the application I am working on, I am getting an Unauthorized error.

I also encounter this issue in Postman.

The thing is, when I tried the Heartbeat https://api.reckon.com/R1/heartbeat, I am getting an OK response, which I think means that I am connected. But when I proceed to get the list of my cashbooks, the Unauthorized error occurs.

Hope you can enlighten me on this one.
Thanks for reading.
Good day.

Comments

  • Simon Hutchinson_8164484 Alumni Posts: 135
    edited February 2017
    Hi Jerwin,

    This sounds like a token problem based on the fact that the heartbeat is working for you. It is the only one that does not require the identity token to be sent.

    Can you confirm that you are getting a token back from the identity server and then sending that within an Authorization: Bearer header?

    Thanks

    Simon

  • Jerwin Ollica Plaquia Member Posts: 40
    edited February 2017
    Hi Simon,

    Yes, I am getting a token back. And I am sending that to https://api.reckon.com/R1/cashbooks together with that token in the "Authorization: Bearer" header.

    Here are my screenshots from Postman:
    1) Response from Postman.
    [image]
    2) Here is the request I sent from Postman.
    [image]

    Thanks

  • Simon Hutchinson_8164484 Alumni Posts: 135
    edited February 2017
    Hi Jerwin

    We have had a look at the logs and it appears you are set up for authorization code as your OAuth 2.0 process.

    Please read the Authorization code documents on this page:

    https://reckon.helpdocsonline.com/reckon-api-authorisation-services

    Can you please confirm that you are first obtaining an authorization code from the service and then using that code to retrieve an access_token from the service?

    Thanks

    Simon



  • Jerwin Ollica Plaquia Member Posts: 40
    edited February 2017
    Hi Simon, 

    Yes, I have followed the steps on how to get the tokens as per your documentation under the Authorization Code.

    Yes, I am getting an access_token together with the id_token from https://identity.reckon.com/connect/token.


    EDIT:
    Oh! I just tried using the access_token in Postman, and I got the cashbook list as expected.
    So that's how it is: I will be using the access_token instead of the id_token. Is this correct?

    If yes, then what would really be the use of the id_token?
    Is this for the refreshing of the access_token?

    Will the id_token be the <<REFRESH TOKEN>> in this https://identity.reckon.com/connect/token when I am going to refresh my access_token to continue using the Reckon One API?
  • Simon Hutchinson_8164484 Alumni Posts: 135
    edited February 2017
    Hi Jerwin

    The id_token is used when you are using the implicit flow for OAuth 2.0; as you are not using it, you do not need to use that.

    To get the refresh token you can use a silent process to request the refresh_token. The process is detailed on this page:

    https://reckon.helpdocsonline.com/reckon-api-authorisation-services

    Typical refresh token request call

    To use the refresh token to obtain a new access token, you need to send another call to the service. The typical call is as follows:

     

    URL: https://identity.reckon.com/connect/token

    Type: POST

    Body: grant_type=refresh_token&refresh_token=<<REFRESH TOKEN>>&redirect_uri=<<REDIRECT URI>>

    After this call is successfully sent, the response will again include an access token (which is used to access the API) and a refresh token which can be used in the future to obtain another access token. The refresh token should always be recorded to ensure that you can get an updated token without the user's interaction.

     

    If you do not have a refresh_token, it means you have not requested offline_access as part of the scopes in your initial OAuth 2.0 connection.

    Thanks

    Simon
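
The token handling discussed in this thread, as an added example that is not part of any post and not Reckon's own code: it sends the access_token (not the id_token) as the Bearer credential, builds the refresh POST with the three body fields quoted above, and treats a missing refresh_token as a missing offline_access scope. The function names, the sample token values and the redirect URI are assumptions made for illustration.

```python
import urllib.parse
import urllib.request

TOKEN_URL = "https://identity.reckon.com/connect/token"  # from the thread
CASHBOOKS_URL = "https://api.reckon.com/R1/cashbooks"    # from the thread
FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def api_request(tokens: dict, url: str = CASHBOOKS_URL) -> urllib.request.Request:
    """Build an API call that carries the access_token, never the id_token."""
    access_token = tokens.get("access_token")
    if not access_token:
        raise ValueError("token response contains no access_token")
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {access_token}"})


def refresh_request(tokens: dict, redirect_uri: str) -> urllib.request.Request:
    """Build the POST described in the thread for renewing the access token."""
    refresh_token = tokens.get("refresh_token")
    if not refresh_token:
        # Per the thread: no refresh_token means offline_access was not requested.
        raise LookupError("no refresh_token; request the offline_access scope")
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "redirect_uri": redirect_uri,
    }).encode("ascii")
    # Any client authentication the service requires is not shown in the
    # thread and is deliberately left out here.
    return urllib.request.Request(TOKEN_URL, data=body, headers=FORM, method="POST")


def rotate(stored: dict, refreshed: dict) -> dict:
    """Record the tokens from a refresh response, keeping the old refresh
    token only if the response did not return a new one."""
    merged = dict(stored)
    merged.update({k: v for k, v in refreshed.items() if v})
    return merged


if __name__ == "__main__":
    # Constructed sample token response; the values are placeholders.
    sample = {"id_token": "ID-constructed", "access_token": "AT-constructed",
              "refresh_token": "RT/constructed+1", "token_type": "Bearer"}
    print(api_request(sample).get_header("Authorization"))
    req = refresh_request(sample, "https://app.example/callback")
    print(req.get_method(), req.full_url, req.data.decode())
```

Nothing is sent over the network; pass the returned request objects to `urllib.request.urlopen` to perform the calls.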
  • Jerwin Ollica Plaquia Member Posts: 40
    edited February 2017
    Hi Simon,

    I see.
    Okay, okay, it makes a lot more sense now.

    Thanks for your help and assistance.
    Good day.