I agree @PAFB -- it could not possibly be correct on the server side.
I have an identical situation, but using C#.
I have no issue getting a bearer token:
Code:
    using (var client = new HttpClient())
    {
        string baseAddress = @"https://ops.epo.org/3.2/auth/accesstoken";
        client.DefaultRequestHeaders.Add("Authorization", $"Basic {bearerToken}");
        client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/x-www-form-urlencoded"));
        // These headers should not be needed but I added them in trying to see where I could be going wrong.
        // They won't break anything
        client.DefaultRequestHeaders.Add("User-Agent", "PostmanRuntime/7.30.0");
        client.DefaultRequestHeaders.Add("Accept", "*/*");
        client.DefaultRequestHeaders.Add("Accept-Encoding", "gzip, deflate, br");
        client.DefaultRequestHeaders.Add("Connection", "keep-alive");
        var form = new Dictionary<string, string>
        {
            { "grant_type", "client_credentials" }
        };
        HttpResponseMessage tokenResponse = await client.PostAsync(baseAddress, new FormUrlEncodedContent(form));
        var headers = tokenResponse.Headers;
        foreach (var header in headers)
        {
            Console.WriteLine($"{header.Key} = {header.Value.FirstOrDefault()}");
        }
        var jsonContent = await tokenResponse.Content.ReadAsStringAsync();
        var tok = JsonConvert.DeserializeObject<Token>(jsonContent);
        return tok; // SUCCESS -- THE Response has the token object at this point
    }
Then I try to apply that access token in the header...
If it was a raw header it would be like "Authorization: Bearer ABDEFGHhijklmnoPqRsTUvWxYz123"
Code:
    using (var client = new HttpClient())
    {
        string baseAddress = $"https://ops.epo.org/rest-services/published-data/publication/epodoc/EP1000000";
        client.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        // These won't make any difference... but trying to diagnose the issue
        client.DefaultRequestHeaders.Add("Accept-Encoding", "gzip, deflate, br");
        client.DefaultRequestHeaders.Add("Connection", "keep-alive");
        client.DefaultRequestHeaders.Add("Accept", "*/*");
        // Adding this to see if it makes any difference
        client.DefaultRequestHeaders.Add("User-Agent", "PostmanRuntime/7.30.0");
        using HttpResponseMessage response = client.GetAsync(baseAddress).Result;
        // Trying to see why I keep getting 403 here. The X-Rejection-Reason is always set to "AnonymousQuotaPerDay",
        // which is incorrect, as the Authorization Header is set to Bearer + accessToken.
        var headers = response.Headers;
        foreach (var header in headers)
        {
            Console.WriteLine($"{header.Key} = {header.Value.FirstOrDefault()}");
        }
        response.EnsureSuccessStatusCode();
        var jsonContent = response.Content.ReadAsStringAsync().Result;
        return jsonContent;
    }
There is a header in the 403 response...
    X-Rejection-Reason = AnonymousQuotaPerDay
I can reproduce the exact same response if I remove the Authorization header...
So, removing this line:
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
... makes no difference. Response and headers are the exact same.
Bizarrely, if I grab the accessToken from my first code block to get the token, and apply it in Postman, I have no issue getting a reply.
So there has to be something over-zealous going on in the code. I imagine the developers are trying to stop abuse of the API, so some super-validation is going on, so good that it is in fact stopping perfectly OK API calls.
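One client-side difference worth ruling out for the symptom above, as an added example that is not part of the original post: .NET's HttpClient clears the Authorization header when it automatically follows a redirect, so a token set on the client may never reach the final URL. The local stand-in server, port 18089, the /old and /new paths and the placeholder token are assumptions constructed for the demo; whether the real service redirects this request is not established by the thread.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

// Local stand-in server, constructed for this demo (not the real service):
// /old answers 302 -> /new; /new returns 200 only if an Authorization header arrived.
const string Base = "http://localhost:18089/";   // assumed free local port
using var listener = new HttpListener();
listener.Prefixes.Add(Base);
listener.Start();
_ = Task.Run(async () =>
{
    while (true)
    {
        HttpListenerContext ctx;
        try { ctx = await listener.GetContextAsync(); }
        catch { break; }                          // listener stopped
        if (ctx.Request.Url?.AbsolutePath == "/old")
        {
            ctx.Response.StatusCode = 302;
            ctx.Response.RedirectLocation = Base + "new";
        }
        else
        {
            bool hasAuth = ctx.Request.Headers["Authorization"] != null;
            ctx.Response.StatusCode = hasAuth ? 200 : 403;
        }
        ctx.Response.Close();
    }
});

// Sends one GET with a bearer header and reports what the client ended up talking to.
static async Task Probe(string label, bool autoRedirect, string url)
{
    using var handler = new HttpClientHandler { AllowAutoRedirect = autoRedirect };
    using var client = new HttpClient(handler);
    client.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue("Bearer", "PLACEHOLDER_TOKEN"); // constructed value
    using var response = await client.GetAsync(url);
    Console.WriteLine($"{label}: status={(int)response.StatusCode}, " +
        $"final URI={response.RequestMessage?.RequestUri}, Location={response.Headers.Location}");
}

// With auto-redirect on, the handler follows the 302 and clears Authorization on the new request.
await Probe("auto-redirect on ", true, Base + "old");
// With it off, the 3xx and its Location stay visible, so the caller can re-send with the token.
await Probe("auto-redirect off", false, Base + "old");
listener.Stop();
```

Pointing `Probe` at the real request URL with auto-redirect off shows directly whether a 3xx sits between the client and the endpoint that returns the 403.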