0

I'm in the middle of finishing a Magento 2 store for a client. The last I had on my to-do list, was connect Magento to their accounting software through the REST API.

However, apparently there's some serious issue when it comes to the REST API in the Magento installation. No matter what I do I'm always given a "Consumer is not authorized to access %resources" error, such as:

{
 "message": "Consumer is not authorized to access %resources",
 "parameters": {
 "resources": "Magento_Sales::sales"
 }
}

POSTMAN Settings:enter image description here

I'm using an Access Token created through Admin > System > Integrations. The created Integration has resource access set to ALL.

System:

  • CentOS 7
  • WHM/cPanel
  • PHP 7.3.27
  • PHP Handler SuPHP
  • Magento 2.4.1
  • Webserver: Apache (port 8080)
  • Cache: Varnish (port 80)
  • SSL: Nginx as reverse proxy for SSL (port 443)

Things I've tried based on similar questions:

  • Change PHP handler from CGI to SuPHP (source)
  • Enable individual API resource access instead of setting to 'ALL' (source)
  • Tested without Varnish between client and server
  • Tested without Nginx proxy between client and server

I really can't seem to figure out what I'm doing wrong here. Does anybody have an idea what might be causing this? An option would be to do a fresh installation, but that'd be my very last option as I've been working on this Magento environment (theme, thouuuusands of products, ...) for many months.

Edit 1: Been digging into this a bit more. Seems like the error is being caused in: /vendor/magento/module-webapi/Model/Authorization/TokenUserContext.php

(Don't worry, I won't edit vendor files directly ;-))

Lines:

 $authorizationHeaderValue = $this->request->getHeader('Authorization');
 if (!$authorizationHeaderValue) {
 $this->isRequestProcessed = true;
 return;
 }

Looks like the Authorization header is missing. They are being set, so I guess something is causing them to be unset or not really being passed to the actual webserver?

asked Mar 2, 2021 at 17:36
0

2 Answers 2

4

Took me two days, but I've finally figured out (two hours after posting this question -_-). The issue isn't in Magento, Varnish nor Nginx, but is in Apache.

Apparently Apache does not pass the Authorization header by default (for security reasons?). I never knew that was the default behaviour.

Issue solved by adding these lines to my .htaccess

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

Source: https://stackoverflow.com/a/26791450/1849527

answered Mar 2, 2021 at 20:11
2
  • 1
    It took me two days to find this answer. All the dozens of other things you can tweak in Magento itself are pointless without this. Bravo Jason. Commented Jul 20, 2022 at 12:17
  • Glad to hear it helped you @Daz! Commented Jul 21, 2022 at 13:07
2

In Magento 2.4.4 I had to enable oauth/consumer/enable_integration_as_bearer (Allow OAuth Access Tokens to be used as standalone Bearer tokens)

answered Jun 30, 2022 at 14:43
1
  • 1
    Thank you! Worked for me! Commented Jan 9, 2023 at 14:13

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.