REST API OAuth access token 401
I'm building a small app with Angular2 (hosted locally via lite-server), to summarise time captured in YouTrack, and show an overview thereof, so my team can see what they've captured time for in the last few days and on which projects. I've set up a Service on our Hub, marked it as trusted, set up my redirect_uri, and followed the OAuth 2.0 Login procedure for Implicit login. Here's my request:
GET: https://<my company>.myjetbrains.com/hub/api/rest/oauth2/auth?response_type=token&request_credentials=default&client_id=<my app's service id from the hub>&redirect_uri=http://localhost:3000/dashboard/&scope=<my YouTrack service id>
Obviously substituting as necessary.
I am then taken to the YouTrack login page, I log in, and I get redirected back to my redirect_uri with an access token. The URL looks something like this:
http://localhost:3000/dashboard/#access_token=<my access token>&scope=<my YouTrack service id>&token_type=Bearer&expires_in=3600
Just as expected, right?
Now I strip off the access token in my JS client app, and make a new request to YouTrack, as follows:
Accept: 'application/json'
Authorization: 'Bearer <my access token>'
GET: https://<my company>.myjetbrains.com/youtrack/rest/project/all
And I get back a 401: Unauthorized.
But why? What am I doing wrong here?
I've also tried following this flow in my browser, and also from the popular Chrome App, Postman, to no avail.
Hello Jacques,
Could you tell us the name of your instance? We would like to check the logs to find the reason for this error.
You can submit a request into our support system if you like it better.
Thank you!
Hi Liubov,
Our instance is https://sapient.myjetbrains.com/
Our license is under "sapient". That is what you're referring to, correct?
Do you need the GUID IDs for the services?
Hi Jacques,
Sure, license name is enough.
From what I can see in the log files, requests are rejected due to the token being malformed.
Would you mind recording a HAR file with the entire login sequence?
Hi guys,
Thanks, that pointed me in the right direction. As I was inspecting the traffic, I noticed the access_token was url-encoded, so I have to decode it first before sending it along - my mistake. Just having some trouble with JavaScript not wanting to decode it now. I've tried using decodeURIComponent(access_token), but it only works when debugging and running that code manually in my browser's JS-console, but it won't work otherwise. Do you have any advice?
Otherwise, thanks!
Hi Jacques.
It sounds really weird, because we use the same decodeURIComponent in our Web products and it works absolutely OK. Could you try verbose logging of your variables during this decoding?
Also, you could try any library which performs query string parsing easily and reliably. For example, we've tested https://www.npmjs.com/package/qs and it parses the redirect URL pretty well.
Hi guys,
Thanks for the help. I managed to solve the problem by just nesting three calls to decodeURIComponent. I'll take a look at that qs package for future reference.
Thanks
Glad to hear this!
You could also take a look at YouTrack Mobile implementation for examples of API usage:
https://github.com/JetBrains/youtrack-mobile/blob/master/src/components/auth/auth.js
https://github.com/JetBrains/youtrack-mobile/blob/master/src/components/api/api.js
Thanks Andrey, I'll be sure to take a look.
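An added example (not code from the thread or from JetBrains) of the client-side step discussed above: pull access_token out of the redirect fragment, undo however many layers of percent-encoding it arrived with, and build the Bearer header. The function names, MAX_DECODE_PASSES and the sample values are assumptions, and it assumes the real token contains no literal percent-escape sequences.

```javascript
// Added example; all names and sample values below are constructed.
const MAX_DECODE_PASSES = 5; // assumption: more layers than this is an error

// Undo repeated percent-encoding, stopping once the value is stable.
function decodeFully(value) {
  let current = value;
  for (let pass = 0; pass <= MAX_DECODE_PASSES; pass++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      return current; // stray '%' that is not an escape: keep as-is
    }
    if (next === current) return current;
    current = next;
  }
  throw new Error('access_token has too many encoding layers');
}

// Parse the fragment of an implicit-flow redirect URL into its parameters.
function parseImplicitRedirect(redirectUrl) {
  const fragment = new URL(redirectUrl).hash.replace(/^#/, '');
  const params = Object.create(null); // no prototype keys to collide with
  // Split by hand: URLSearchParams would turn a literal '+' into a space.
  for (const pair of fragment.split('&')) {
    const eq = pair.indexOf('=');
    if (eq > 0) params[pair.slice(0, eq)] = decodeFully(pair.slice(eq + 1));
  }
  if (!params.access_token) throw new Error('no access_token in fragment');
  if (String(params.token_type).toLowerCase() !== 'bearer') {
    throw new Error('unexpected token_type');
  }
  return params;
}

// Build the request headers, refusing a token that cannot be sent verbatim.
function bearerHeaders(token) {
  if (!/^[\x21-\x7E]+$/.test(token)) throw new Error('token has whitespace or non-ASCII');
  return { Accept: 'application/json', Authorization: 'Bearer ' + token };
}

// Constructed sample: a token that needs three decode passes, like the fix in the thread.
const SAMPLE_TOKEN = 'constructed.token+value/with==';
const SAMPLE_REDIRECT = 'http://localhost:3000/dashboard/#access_token=' +
  encodeURIComponent(encodeURIComponent(encodeURIComponent(SAMPLE_TOKEN))) +
  '&scope=constructed-service-id&token_type=Bearer&expires_in=3600';

console.log(bearerHeaders(parseImplicitRedirect(SAMPLE_REDIRECT).access_token));
```

Decoding until the value is stable avoids hard-coding the number of nested decodeURIComponent calls, so the client keeps working if the number of encoding layers changes.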