REST API 2.0 and OAuth Tokens


I have been trying to get my REST API apps working again after the upgrade a few months ago, and the Happy Holidays release.

There was a question in another topic, but I have started a new topic with a better title, as we are talking to posterity.

What I have found is that the old system is still working, with the call. Specifically my VBA Excel implementation is working (links at the bottom) for a token grant but not the token refresh call, and the Java Android implementation does not work for grant or refresh, but the rest of the calls for accessing things and data work when I hardcode a good access token. And sending curl calls with that link above also works fine for the grant, but not the refresh.

The particularly strange thing is that my old Java Android code for synchronous http request for a grant does work, but the same code (with a different http library) for asynchronous calls does NOT work. And you cannot send synchronous http requests in an Android App on the main thread, so I have a little kludge to start a new thread to get the access token. When I use my old code for asynchronous request, it always returns with http 500 Internal Server Error, but the identical calls with synchronous JAVA, with VBA, and with curl all work fine - same link, same username password, same x-www-form-urlencoded. I even rewrote it to send the username/password in a JSON, but I got the 500 Internal Server Error. My theory is that the server is redirecting the call somehow to the new link which is causing problems with the asynchronous call, but the synchronous, curl, and VBA are all more accommodating to the redirection, or whatever is happening.

So then I made an attempt to rewrite things according to the new system using /auth/realms/… system, but have had no success. That new system requires a client_id and sometimes a client_secret_id. There is a client_id with each device which is used in the mqtt world, but this client_id / secret_id from the OAuth2 world is different. There is no secret_id on the dashboard or in the mqtt world.

As I understand OAuth2, the client_id and secret are used in the system where I don’t have a cayenne account, and I am using my facebook or google account to log in to cayenne. So my “client” is not one of my mqtt devices, but rather the client is an application that connects the facebook/google with cayenne, so cayenne will let my application access the cayenne data based on my facebook/google credentials.

So the simple test from the new REST API doc …

curl -X POST --header 'Content-Type: application/x-www-form-urlencoded' --header 'Accept: application/json' -d 'grant_type=password&' '

which asks for client_id, but not client_secret, doesn’t work for me. My mqtt client numbers 8x-4x-4x-4x-10x do not work, nor the random number 123456. I think this client_id is an OAuth2 client that is used for this facebook-cayenne connection.

So I’m looking for insight on that matter - what is the client_id? and also on the other matter of why I can get an access grant using curl and old code on the old link, but it all fails with an http 500 when I use my old code with the asynchronous connection? And can I still use the old token refresh system without resolving this new client_id issue with the realms system?

Or correct me wherever I have gone wrong! :grinning:

Problem logging in using Android App

You need to get the APP KEY and APP SECRET from the Cayenne dashboard by clicking on Create app and Generate API Keys,

where APP key == client_id and APP secret == client secret

To get an access token:

curl --request POST \
  --url \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=password&client_id=<APP key>&client_secret=<APP Secret>&username=<email_id>&password=<password>'

For refresh token:

curl --request POST \
  --url \
  --header 'content-type: application/x-www-form-urlencoded' \
  --cookie AWSALB=wI1Z6ev6AZiVtSkkhFBGv52I7ucgwMKzTo5KFdnXxYRrtQU1z68gqu81nxIkmsxILPkLuibLDf7ugr4hc5Qo5vyJcgk54T5%2Bjek6ssm5rmmrHDDFMTFYslts7dEu \
  --data 'grant_type=refresh_token&client_id=<APP Key>&client_secret=<APP Secret>&refresh_token=<refresh_token>'
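
The two requests above, rebuilt as an added Python example (not part of the original post and not Cayenne's own code): it percent-encodes each form value so a password containing `&`, `+` or `%` cannot corrupt the body, and tracks expiry to choose between reusing the token, refreshing it, or repeating the password grant. `TOKEN_URL` is a placeholder because the endpoint URL is not shown on this page, and the response fields `access_token`, `refresh_token` and `expires_in` are assumed to follow RFC 6749.

```python
import time
import urllib.request
from urllib.parse import urlencode

# Placeholder (assumption): the real token endpoint URL does not appear on this page.
TOKEN_URL = "https://auth.example.invalid/token"

def token_body(grant_type, app_key, app_secret, **fields):
    """Form body for either grant; urlencode escapes &, +, = and % in every value."""
    return urlencode({"grant_type": grant_type, "client_id": app_key,
                      "client_secret": app_secret, **fields})

def token_request(body):
    """Unsent POST request carrying the same header as the curl calls."""
    return urllib.request.Request(
        TOKEN_URL, data=body.encode("ascii"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

class TokenStore:
    """Keeps the latest token response and reports which call is needed next."""

    def __init__(self, skew=30):
        self.skew = skew              # refresh this many seconds before expiry
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    def update(self, response, now=None):
        now = time.time() if now is None else now
        self.access_token = response["access_token"]
        # Keep the previous refresh token if the server did not return a new one.
        self.refresh_token = response.get("refresh_token", self.refresh_token)
        self.expires_at = now + int(response["expires_in"])

    def next_action(self, now=None):
        now = time.time() if now is None else now
        if self.access_token and now < self.expires_at - self.skew:
            return "use"              # access token is still valid
        return "refresh" if self.refresh_token else "password"

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    body = token_body("password", "APP_KEY", "APP_SECRET",
                      username="user@example.com", password="p&ss+w=rd%")
    print(token_request(body).get_method(), TOKEN_URL)
    print(body)
```

Pass the request to `urllib.request.urlopen` once `TOKEN_URL` is set, and feed the decoded JSON response to `TokenStore.update`.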


Success with the curl! Thanks.

Another question: Is there a website link to get (or delete) old App Keys I have generated in the past, or add new whitelisted URIs? I am afraid to click off that page before I decide on URIs for experimenting. :grinning:


Nope. I don't think so.