API setup and example

Progress! Looks like you need to split out the three fields in there, separated by a dot (’.’), THEN you can base64 decode to get the field:

Explode access_token
Array
(
    [0] => eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6IjA2YjBmMjUyYjM0ZWI2ZmYyZTc5MGM0MTUwYTk0MjY0MDM5MGQzYjE3YjU1YzY0NGE2MGFiODNjOWQzMjI3N2U4M2E4ODU4YzI5M2Y2ZjhkIn0
    [1] => eyJhdWQiOiJkNDM1MWI4Mi1kOTJjLTVlZTMtMzAwOC01ZGUyZThhN2YwZjYiLCJqdGkiOiIwNmIwZjI1MmIzNGViNmZmMmU3OTBjNDE1MGE5NDI2NDAzOTBkM2IxN2I1NWM2NDRhNjBhYjgzYzlkMzIyNzdlODNhODg1OGMyOTNmNmY4ZCIsImlhdCI6MTU5NzU5MjI1OCwibmJmIjoxNTk3NTkyMjU4LCJleHAiOjE1OTc1OTU4NTgsInN1YiI6IiIsInNjb3BlcyI6W119
    [2] => BxzLJEqdPVJgYpwIi8HmainFZ3xtmJLEfmiFDvqa_XIVXHoSRFd2xJLGqWGqrdBmqlwLSWkAW1Y5ewe9PVNdVwPp_UiYU0msnKTHMX2Egchd0XFgF0KU7-OUtp-L7itEs4lHI_ya5B2ZKIzn4xfE3d-EfKEo1HpTp8__PMMT88l_s0aaGDmdUFqpK1DQxRiTOdKXw7NjYTegF2eH6sxecj0tbRj3XUr921JmhjxqPu9piN5bg02ylsOLzO3C5ERZfUl1HjweDY8wgycvperpx6igBX2cKB_32WEk2DsWbrRZcuqK5ERdQjYOffRKHHI8v23hs-E6B1o1SkFQFMaPxw
)
base64_decode
{"typ":"JWT","alg":"RS256","jti":"06b0f252b34eb6ff2e790c4150a942640390d3b17b55c644a60ab83c9d32277e83a8858c293f6f8d"}
Decoding bearer
stdClass Object
(
    [typ] => JWT
    [alg] => RS256
    [jti] => 06b0f252b34eb6ff2e790c4150a942640390d3b17b55c644a60ab83c9d32277e83a8858c293f6f8d
)
JTI = 06b0f252b34eb6ff2e790c4150a942640390d3b17b55c644a60ab83c9d32277e83a8858c293f6f8d

NOTE: still unable to decrypt the refresh token – not sure what I should be passing in – tried both the base64 version and the jti

Thoughts?

-dvd

PS: found this site that can decode the entire response https://jwt.io/ and it verifies the signature using the public key, so I know the server is sending a valid token
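A worked decoder for the token above, added here as an example and not code from the post or from SuiteCRM. Two points it makes that the post's `explode` + `base64_decode` output does not: JWT segments are base64url (RFC 7515), not plain base64, so a `-` or `_` in a segment (the signature segment above has both) makes `base64_decode` return garbage or fail, and the signature is checked over the ASCII text `header.payload` with the server's RS256 public key, which is what jwt.io did with the pasted token. The script generates its own key pair and mints a token so it runs offline; the claim values, client id and key handling are assumptions, and a real client would load the SuiteCRM OAuth2 server's public key instead.

```php
<?php
// Added example (not from the thread): split a compact JWS on '.', base64url-decode
// header and payload, verify the RS256 signature, then check nbf/exp.
// The key pair and token are generated here so the script runs offline.
declare(strict_types=1);

/** base64url (RFC 7515 section 2): '-'/'_' alphabet and no '=' padding. */
function base64url_decode(string $data): string
{
    $b64 = strtr($data, '-_', '+/');
    $pad = strlen($b64) % 4;
    if ($pad !== 0) {
        $b64 .= str_repeat('=', 4 - $pad);
    }
    $out = base64_decode($b64, true);
    if ($out === false) {
        throw new InvalidArgumentException('invalid base64url input');
    }
    return $out;
}

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

/**
 * Decode and verify a JWT signed with RS256. Returns the claims, throws otherwise.
 * $now is passed in so the caller controls the clock; $leeway tolerates small skew.
 */
function verify_rs256_jwt(string $jwt, string $publicKeyPem, int $now, int $leeway = 60): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('expected three dot-separated segments');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64url_decode($h), true, 512, JSON_THROW_ON_ERROR);
    // Pin the algorithm; never let the token's own "alg" choose the verifier.
    if (($header['alg'] ?? null) !== 'RS256') {
        throw new RuntimeException('unexpected alg: ' . ($header['alg'] ?? 'none'));
    }
    $pub = openssl_pkey_get_public($publicKeyPem);
    if ($pub === false) {
        throw new RuntimeException('cannot load public key');
    }
    // The signature covers the encoded "header.payload" text, not the decoded JSON.
    if (openssl_verify("$h.$p", base64url_decode($s), $pub, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('signature verification failed');
    }
    $claims = json_decode(base64url_decode($p), true, 512, JSON_THROW_ON_ERROR);
    if (isset($claims['nbf']) && $claims['nbf'] > $now + $leeway) {
        throw new RuntimeException('token not yet valid');
    }
    if (isset($claims['exp']) && $claims['exp'] <= $now - $leeway) {
        throw new RuntimeException('token expired');
    }
    return $claims;
}

// --- self-contained demo: mint a token the way an OAuth2 server would (assumed values) ---
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicPem = openssl_pkey_get_details($key)['key'];
$now = time();
$header  = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'RS256', 'jti' => bin2hex(random_bytes(16))]));
$payload = base64url_encode(json_encode([
    'aud' => 'example-client-id', 'iat' => $now, 'nbf' => $now, 'exp' => $now + 3600,
    'sub' => '', 'scopes' => [],
]));
openssl_sign("$header.$payload", $sig, $key, OPENSSL_ALGO_SHA256);
$jwt = "$header.$payload." . base64url_encode($sig);

$claims = verify_rs256_jwt($jwt, $publicPem, $now);
printf("verified: aud=%s exp=%d\n", $claims['aud'], $claims['exp']);

// A payload edited after signing (here: an added scope) must be rejected.
$forged = $header . '.' . base64url_encode(json_encode(['aud' => 'x', 'scopes' => ['admin']])) . '.' . base64url_encode($sig);
try {
    verify_rs256_jwt($forged, $publicPem, $now);
    echo "BUG: forged token accepted\n";
} catch (RuntimeException $e) {
    echo "forged token rejected: {$e->getMessage()}\n";
}
```

The `exp`/`nbf` check is what distinguishes a still-usable access token from one that has to be renewed; the `jti` in the header is only an identifier, which is why passing it anywhere does not decode anything.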

If you want to refresh the token you get, then you should use grant_type password.
When getting the token with grant_type client_credentials, you get only an API token, without a refresh token.

I am using this code in a CodeIgniter library to get a refreshable token:

		$url = $this->CI->config->item('crmapi_url')."Api/access_token";
		$ch = curl_init($url);
		$headers = [
			'Accept: application/vnd.api+json',
			'Content-Type: multipart/form-data',
			'cache-control: no-cache'
		];
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
		curl_setopt($ch, CURLOPT_POST, 1);
		curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
		// Keep TLS verification on: with it off, anyone on the network path can read
		// the client secret and the user's password sent below. For a private CA,
		// point CURLOPT_CAINFO at its certificate instead of disabling checks.
		curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
		curl_setopt($ch, CURLOPT_VERBOSE, true);  // debug trace to STDERR; remove in production
		curl_setopt($ch, CURLOPT_HEADER, true);   // response headers are prepended to the body
		$post = array(
			"grant_type" => 'password',
			"client_id" => $this->CI->config->item('crmapi_client_id'),
			"client_secret" => $this->CI->config->item('crmapi_oauth_secret'),
			"username" => $this->CI->config->item('crmapi_username'),
			"password" => $this->CI->config->item('crmapi_password')
		);

		// An array here makes curl send a multipart/form-data body with its own boundary.
		curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
		$response = curl_exec($ch);
		if ($response === false) {
			$err = curl_error($ch);
			curl_close($ch);
			throw new RuntimeException('token request failed: '.$err);
		}

		// Split the raw response into headers and JSON body (needed because of CURLOPT_HEADER).
		$header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
		$header = substr($response, 0, $header_size);
		$body = substr($response, $header_size);

		curl_close($ch);

		$res_arr = json_decode($body);
		if (!isset($res_arr->access_token)) {
			throw new RuntimeException('no access_token in response: '.$body);
		}
		$this->save_token($res_arr);  // persists access_token, refresh_token and expires_in

		return $res_arr->access_token;
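The password grant and the later refresh_token grant described in this reply, as an added example that is not code from the reply or from SuiteCRM. It keeps the user's password out of storage: it is sent once in `login()`, after which `accessToken()` reuses the cached token until shortly before `expires_in` runs out and then renews it with the refresh token and the client id/secret only. The HTTP transport is injected, and the demo at the bottom uses a constructed fake token server so the script runs offline; the endpoint path, form field names and JSON response fields follow the thread, while the class, method names, host and token values are assumptions.

```php
<?php
// Added example (not from the thread): obtain a token with the password grant once,
// then renew it with the refresh_token grant. Transport is injected so it runs offline.
declare(strict_types=1);

final class TokenStore
{
    private ?string $accessToken = null;
    private ?string $refreshToken = null;
    private int $expiresAt = 0;

    /** @param callable $transport function(string $url, array $fields): string (raw JSON body) */
    public function __construct(
        private string $tokenUrl,
        private string $clientId,
        private string $clientSecret,
        private $transport,
    ) {}

    /** First login: password grant. The response carries both access and refresh tokens. */
    public function login(string $username, string $password, int $now): string
    {
        return $this->request([
            'grant_type'    => 'password',
            'client_id'     => $this->clientId,
            'client_secret' => $this->clientSecret,
            'username'      => $username,
            'password'      => $password,
        ], $now);
    }

    /** Later calls: reuse the access token until just before expiry, then refresh it. */
    public function accessToken(int $now, int $skew = 30): string
    {
        if ($this->accessToken !== null && $now < $this->expiresAt - $skew) {
            return $this->accessToken;
        }
        if ($this->refreshToken === null) {
            throw new RuntimeException('no refresh token; call login() first');
        }
        return $this->request([
            'grant_type'    => 'refresh_token',
            'client_id'     => $this->clientId,
            'client_secret' => $this->clientSecret,
            'refresh_token' => $this->refreshToken,
        ], $now);
    }

    private function request(array $fields, int $now): string
    {
        $body = json_decode(($this->transport)($this->tokenUrl, $fields), true, 512, JSON_THROW_ON_ERROR);
        if (!isset($body['access_token'], $body['expires_in'])) {
            throw new RuntimeException('token endpoint error: ' . ($body['error'] ?? 'unknown'));
        }
        $this->accessToken  = $body['access_token'];
        $this->expiresAt    = $now + (int) $body['expires_in'];
        // A client_credentials response has no refresh_token; keep whatever we already hold.
        $this->refreshToken = $body['refresh_token'] ?? $this->refreshToken;
        return $this->accessToken;
    }
}

/** Real transport for production use: form POST with TLS verification left on. */
function curl_transport(string $url, array $fields): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_HTTPHEADER     => ['Accept: application/vnd.api+json'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $out = curl_exec($ch);
    if ($out === false) {
        throw new RuntimeException('curl: ' . curl_error($ch));
    }
    return $out;
}

// --- offline demo against a constructed fake token server (assumed responses) ---
$fake = function (string $url, array $f): string {
    if ($f['grant_type'] === 'password' && $f['password'] === 'secret') {
        return json_encode(['token_type' => 'Bearer', 'expires_in' => 3600,
            'access_token' => 'AT1', 'refresh_token' => 'RT1']);
    }
    if ($f['grant_type'] === 'refresh_token' && $f['refresh_token'] === 'RT1') {
        return json_encode(['token_type' => 'Bearer', 'expires_in' => 3600,
            'access_token' => 'AT2', 'refresh_token' => 'RT2']);
    }
    return json_encode(['error' => 'invalid_grant']);
};
$store = new TokenStore('https://crm.example.test/Api/access_token', 'my-client-id', 'my-client-secret', $fake);
$t0 = 1_600_000_000;
echo $store->login('apiuser', 'secret', $t0), "\n";   // password grant
echo $store->accessToken($t0 + 60), "\n";               // within lifetime: cached token
echo $store->accessToken($t0 + 3600), "\n";             // past expiry: refresh_token grant
```

Swap `$fake` for `curl_transport` to talk to a real instance; nothing else changes, and the password never needs to be kept after `login()`.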

Thanks for the hint! I don’t really understand why username/password is required in the first place – literally every other API I use can work with simple API key + secret.

I personally like this approach, because it allows people to use third party apps (mobile applications/browser extensions and such) without having specific/new passwords.

What are you getting as a response?
Did you try to set up a local domain and use this domain in the URL of your request instead of “localhost/newCRM”?
Did you set up a domain in your SuiteCRM during installation?

I’m getting both keys with the username/password pull and then can use refresh on its own after that with just the client_id version, so it’s all good.

(I just cloned the virtual machine of our production instance and spun up a new VM to test against)

I like the approach of giving tools only api keys without having first class user account access to my systems. Like I said, this is probably the first API I’ve encountered that required getting a refreshable key from a set of user credentials versus just being able to use an api-key/secret to manage the access.

In a perfect world your api-keys might have “read-only” access for some cases where you don’t want to allow writes to happen…

Just thinking out loud really – appreciate you guys jumping in!

-dvd

Hi Everyone Here,

I have worked on the issue. If anybody is facing a similar kind of issue, please check this link for the solution.

Thank You

Why is the API configuration so difficult for SuiteCRM? I have worked with so many APIs, but this does not look like an easy task.
Does anyone have a step-by-step configuration with screenshots on a Linux environment? I want to use Postman to get the API information.

In the documentation you’ll find a link to a Postman configuration file. It has everything you need and works right out of the box after you import it into Postman. The V8 API was like the first API I ever did and it was pretty straightforward with the config file already done.