3

I'm testing out RoR by building a Rails app with the Pocket API, and I have to authorize the user. For HTTP requests, I'm using the https://github.com/rest-client/rest-client library.

The first step, obtaining a request token, works fine:

```ruby
require 'rest_client'

# Step 1: ask Pocket for a request token (the response body is "code=<request token>")
response = RestClient.post 'https://getpocket.com/v3/oauth/request', :consumer_key => @consumer_key, :redirect_uri => @redirect_uri
@code = response.split("=")[1]
```

But I get a Bad Request error on the second step, which is to get an access token using the request token received in the step above:

```ruby
# Step 2 as attempted: exchange the request token for an access token
access_token = RestClient.post 'https://getpocket.com/v3/oauth/authorize', :consumer_key => @consumer_key, :code => @code
```

400 Bad Request is what I get on the Ruby application error screen. I have also tried the same request with cURL and the POSTMan Chrome extension, and the status code I get then is 403 Forbidden. The X-Error-Code I get is 158, which translates to the X-Error message "User rejects code." in the Pocket API docs: http://getpocket.com/developer/docs/authentication.

Since I have tried several different channels to test this request and failed each time, I'm guessing that the problem is not with parsing, but rather I might be missing an important detail or a step (maybe HTTP request headers?). Thanks for your help in advance!

Emir

2 Answers

11

Turns out that I (or we) have been missing an important detail:

Whenever testing out your request for Pocket API in POSTMan or anywhere else, we naturally skip the process of visiting the authorization URL which is in the form of:

https://getpocket.com/auth/authorize?request_token=YOUR_REQUEST_TOKEN&redirect_uri=YOUR_REDIRECT_URI

Now, even though you might have allowed your app to access your account before, on each call, the Pocket API doesn't activate a request token before this URL is visited. Only then does your request token become activated, and it can be used for the 2nd authentication step. It works fine after doing that.

As a side note to anyone who is using Pocket API in Ruby on Rails, there is a nice wrapper gem for it: https://github.com/turadg/pocket-ruby

Emir
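The three-step flow this answer describes, as an added example that is not part of the original post or Pocket's own code. The class names, the `http` callable (which a real app would back with `RestClient.post`) and the stubbed response bodies are assumptions; the 403 with X-Error-Code 158 is the error reported in the question.

```ruby
require 'uri'

# PocketAuthFlow, FakePocket and the `http` callable are hypothetical names.
class PocketAuthFlow
  BASE = 'https://getpocket.com'

  def initialize(consumer_key, redirect_uri, http)
    @consumer_key, @redirect_uri, @http = consumer_key, redirect_uri, http
  end
  # Step 1: request token. Parse the form-encoded body by key, not by position.
  def request_token
    status, _headers, body = @http.call("#{BASE}/v3/oauth/request",
      { consumer_key: @consumer_key, redirect_uri: @redirect_uri })
    raise "request token failed: #{status}" unless status == 200
    URI.decode_www_form(body).to_h.fetch('code')
  end
  # Step 2: URL the user must open in a browser to activate the request token.
  def authorize_url(code)
    query = URI.encode_www_form({ request_token: code, redirect_uri: @redirect_uri })
    "#{BASE}/auth/authorize?#{query}"
  end
  # Step 3: exchange the activated request token for an access token.
  def access_token(code)
    status, headers, body = @http.call("#{BASE}/v3/oauth/authorize",
      { consumer_key: @consumer_key, code: code })
    raise "Pocket returned #{status}, X-Error-Code #{headers['X-Error-Code']}" unless status == 200
    URI.decode_www_form(body).to_h
  end
end

# Constructed stand-in for Pocket so the flow runs offline; response bodies are assumed.
class FakePocket
  def initialize; @approved = {}; end
  def approve(code); @approved[code] = true; end # models the user visiting the URL
  def call(url, params)
    return [200, {}, 'code=constructed-request-token'] if url.end_with?('/v3/oauth/request')
    return [403, { 'X-Error-Code' => '158' }, ''] unless @approved[params[:code]]
    [200, {}, 'access_token=constructed-access-token&username=constructed-user']
  end
end

def demo
  pocket = FakePocket.new
  flow = PocketAuthFlow.new('constructed-key', 'https://app.example/callback', pocket)
  code = flow.request_token
  early = begin flow.access_token(code); rescue RuntimeError => e; e.message; end
  pocket.approve(code)
  [flow.authorize_url(code), early, flow.access_token(code)]
end
```

`demo` returns the authorization URL, the error raised when step 3 runs before the user has visited it, and the parsed token response once the request token is activated.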
2

I can confirm that you are indeed missing HTTP headers, which will cause the Pocket server to reject the post request you're trying to send.

There are a few ways in which headers can be communicated: sometimes they are communicated through the codes/tokens associated with the server request (which here appears not to be the case). You need to use an "Authorization" header as per your doing this with OAuth with your initial request.

This should help you: notice the "Authorization:" header after the "Content-Type:" header contains the information that's returned.

For some in-depth reading, go here.

I might also suggest trying the OAuth2 gem which does most of the requesting for you - it will probably simplify what you're doing quite a bit!!

Here's what it looks like on Postman.

ilkahnate
  • I have tried adding headers, but no luck. If that header was really the key, I guess Pocket would include it in their example request, don't you think? (http://getpocket.com/developer/docs/authentication) By the way, I'm putting Rails out of the equation to abstract my problems and using POSTMan plugin for Chrome. Regardless though - I even tried via cURL - it doesn't seem to work. If you could get a Pocket API account and check real quick, maybe you would be able to see something I've missed? Thanks. – Emir Dec 27 '14 at 01:45
  • Just tried it and had some success: make sure you're using the "form-data" field for the post request, since the API documentation says that these aren't raw URL Parameter Key - just added an image to the answer detailing what it looks like on Postman. I actually didn't do anything with headers - I'll revise my answer if you're still having problems, because headers weren't necessary after all for their API. – ilkahnate Dec 27 '14 at 17:20
  • If you read my post carefully, it says the first step for authentication works fine, which is what you have shown in your screenshot. What is problematic is the second step: Using that code generated in the first step to generate an access token. Specifically, the POST /v3/oauth/request. Can you please try that one and show me a screenshot? By the way, you should have chosen the "application/x-www-form-urlencoded" tab for your request as this is what Pocket API accepts, but it works fine with form-data as well. – Emir Dec 28 '14 at 03:58