401 in REST API Even With New Account

Hello,

We are setting up a device in a test environment.
We have successfully set up the device with multiple computers that make REST API calls to particle io.
On April 1st we were running the same API call that worked many times in the past:

$ curl https://api.particle.io/oauth/token \
    -u particle:particle \
    -d grant_type=password \
    -d "username=joe@example.com" \
    -d "password=SuperSecret"

With our credentials, but we are now getting an error response:
{"error":"invalid_grant","error_description":"User credentials are invalid"}

Which indicates that we are not Authenticated.

We created a new garadget account and tried the request again, but got back the same response.

If there is any support that we could get on this issue, it would be appreciated!

Thanks,

-Alex Kohanim

I have a similar issue.
I then created an account on particle.io with the same mail address as on garadget login, but there the device list is empty.

But I can still access the particle API with a token I generated a long time ago.
There I can request the door status and still get a response.

https://api.particle.io/v1/devices/{{garadgetDeviceId}}/doorStatus?access_token={{garadgetToken}}

Then I created a new account at garadget and tried to get an auth token at particle.io

curl https://api.particle.io/oauth/token \
    -u particle:particle \
    -d grant_type=password \
    -d "username=new.mail@notforyou.com" \
    -d "password=xxxxxxx"

{"error":"invalid_grant","error_description":"User credentials are invalid"}

If I use this API with the "old" token
https://api.particle.io/v1/devices?access_token={{garadgetToken}}
I get a valid response:

[
  {
    "id": "{{garadgetDeviceId}}",
    "name": "Garage",
    "last_app": null,
    "last_ip_address": "My Public IP",
    "last_heard": "2020-04-02T18:08:52.278Z",
    "last_handshake_at": "2020-04-02T17:45:04.147Z",
    "product_id": 355,
    "connected": true,
    "platform_id": 8,
    "cellular": false,
    "notes": "return from tdboltz@gmail.com",
    "status": "normal",
    "current_build_target": "0.6.4",
    "system_firmware_version": "0.6.4",
    "default_build_target": "1.5.0"
  }
]

But with a strange mail address !!

I have also created a token for the newly created account on particle.io.

Now I can request both users with the two different tokens:
https://api.particle.io/v1/user?access_token=tokenFromUserCreatedOnParticleIO

{"username":"myemail@aaaa.com","tos":{"accepted":true,"date":"2020-04-02T16:02:29.922Z","version":2},"subscription_ids":[],"account_info":{"business_account":false},"mfa":{"enabled":false},"memberships":[],"team_invites":[],"wifi_device_count":0,"cellular_device_count":0}

https://api.particle.io/v1/user?access_token=tokenFromGaradgetUser

{"username":"myemail@aaaa.com"}

It looks like these are two different accounts, but with the same mail address (username).

Particle must have discontinued accepting tokens from their generic accounts for matching product specific accounts. Here’s the alternative process known as OAuth 2.0 Authorization Code Grant:

  1. Send the user to the following URL:

https://www.garadget.com/api/oauth/authorize.php?client_id=public-2879&state=your_secret_string&redirect_uri=https://yourwebsite.com/page

  2. Upon successful submission the page will redirect to:

https://yourwebsite.com/page?state=your_secret_string&code=our_secret_string

  3. Now that you know our_secret_string, request:

https://www.garadget.com/api/oauth/token.php?client_id=public-2879&code=our_secret_string

The response will look like:

{
  "access_token":"auth token",
  "expires_in":7776000,
  "refresh_token":"refresh token"
}

Use a long random string for your_secret_string, and verify that it matches when receiving the redirect at https://yourwebsite.com/page
The first URL also accepts a numeric expires_in parameter in seconds. Set it to 0 for a non-expiring token.

Thanks for your reply! I have been attempting to follow the OAuth flow and was able to retrieve the “our_secret_string” and match “your_secret_string” to match what I gave. But after sending a GET request to

https://www.garadget.com/api/oauth/token.php?client_id=public-2879&code=our_secret_string 

I would get a 403 using Python requests. But the exact same request to the URL works through a browser.

I even tried using the same headers that the browser used, but I also got a 403.

After several attempts with my script, my IP was blocked for about an hour.

Any assistance would be appreciated,

-Alex Kohanim

[EDIT] Tested with Curl and it works! We need to rethink our Python Request Logic. I guess that’s what we get for working through the night.

[EDIT2] Looks like Header for user agent is required. We tried it with curl’s user agent and it works now. We might test other user agents and get back to this forum.

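The authorization code flow described in the replies above, with the state check and the explicit User-Agent header reported in EDIT2, as an added example that is not part of any post in this thread. The function names and the `example-client/1.0` User-Agent value are hypothetical; the thread only confirms that curl's user agent was accepted.

```python
import hmac
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints, client_id and redirect_uri are the values quoted in the thread.
AUTHORIZE_URL = "https://www.garadget.com/api/oauth/authorize.php"
TOKEN_URL = "https://www.garadget.com/api/oauth/token.php"
CLIENT_ID = "public-2879"
REDIRECT_URI = "https://yourwebsite.com/page"  # placeholder used in the thread


def new_state() -> str:
    """your_secret_string: long, random, stored in the user's session."""
    return secrets.token_urlsafe(32)


def authorize_url(state: str, expires_in=None) -> str:
    """Step 1: URL the user is sent to (expires_in is optional, in seconds)."""
    params = {"client_id": CLIENT_ID, "state": state, "redirect_uri": REDIRECT_URI}
    if expires_in is not None:
        params["expires_in"] = int(expires_in)
    return AUTHORIZE_URL + "?" + urlencode(params)


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: return the code only if the redirect targets our redirect_uri,
    carries exactly one state and one code, and the state matches ours."""
    cb, want = urlsplit(callback_url), urlsplit(REDIRECT_URI)
    if (cb.scheme, cb.netloc, cb.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the redirect_uri we sent")
    query = parse_qs(cb.query)
    states, codes = query.get("state", []), query.get("code", [])
    if len(states) != 1 or len(codes) != 1:
        raise ValueError("state and code must each appear exactly once")
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch, discard this response")
    return codes[0]


def token_request(code: str, user_agent: str = "example-client/1.0"):
    """Step 3: build the GET request for the token exchange."""
    # Assumption from EDIT2: the endpoint wants a User-Agent header.
    url = TOKEN_URL + "?" + urlencode({"client_id": CLIENT_ID, "code": code})
    return urllib.request.Request(url, headers={"User-Agent": user_agent})
```

Pass the returned request to `urllib.request.urlopen` to perform the exchange, and drop the stored state once a callback has been processed so a replayed redirect cannot reuse it.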

I get error 404 as it will not go further once I input my credentials.

What is the redirect_uri parameter that you provided in the first URL?