Tags: jquery, oauth-2.0, socrata, soda

Authenticating request to access restricted SODA dataset


I'm following the SODA documentation about authorization using OAuth to query a restricted dataset (that my account has access to). I have successfully received and stored an access token using my client secret. Now I'm trying to make an AJAX request with it. Here is my code:

var api_access_token = "OAuth " + stored_access_token;

jQuery.ajax({
    url: "https://url/to/dataset.json",
    type: "GET",
    headers: { 
        'Authorization': api_access_token,
        'X-App-Token': my_app_token 
    }
})
.done(function( data ) {
    console.log(data);
});

But this doesn't seem to be working. I've also tried with jQuery's "beforeSend" property with the same result. Here is what I receive:

{
  "error" : true,
  "message" : "You must be logged in to access this resource"
}

If I try this request using cURL:

$headers = array(
    'Content-Type: application/json',
    sprintf('Authorization: OAuth %s', $access_token)
);

$curl = curl_init("https://url/to/dataset.json");
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($curl);
$response_data = json_decode($response, TRUE);
var_dump($response_data);

Then I get the following (different) error:

"Bad OAuth token"

Any thoughts?

EDIT

Application callback prefix: https://example.org

  1. Getting authorization code

https://example.org/dashboard Here I have an anchor tag that looks like this:

<a href="https://soda.demo.socrata.com/oauth/authorize?client_id=' . $app_id . '&response_type=code&redirect_uri=https://example.org/dashboard">Authorize DOIT here.</a>

This gets me to the SODA page that asks to allow access

  2. Getting access token

I'm redirected here:

https://example.org/dashboard/?code=CODE_HERE

And then a server side script uses curl to post a request for the access code (shown above), which I successfully receive and store as a cookie.

  3. Using access token

From the same page (https://example.org/dashboard/?code=CODE_HERE) I try to request the private dataset, which fails as detailed above.

Is that the issue, that I request the authorization code from https://example.org/dashboard and then query the data from https://example.org/dashboard?code=CODE_HERE?


Solution

To answer your first question, assuming you're trying to do authentication on the client side in the user's browser with JavaScript, even if you get that OAuth token you won't be able to use it via CORS or JSONP. For security, we drop all authentication headers on cross-domain requests, as that's a vector for XSS attacks. More here: https://dev.socrata.com/docs/cors-and-jsonp.html

As for what's happening with your PHP libcurl requests, I'm not sure what's going on there. It looks like your authentication token is getting into the system, based on the error you're getting, but my guess is that there's something corrupted about your OAuth token, or that it was expired by the time you tried it. The tokens have about a one hour expiration window.

Edit with answer for your OAuth token error question: Change your /oauth/authorize URL to reflect the domain you're trying to authenticate with, not soda.demo.socrata.com. Tokens are tied to the domain on which they are issued. I'll update the docs to make that more clear.
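The two failure modes in the answer (a token issued by a different domain than the one being queried, and a browser making a cross-origin call on which the Authorization header is dropped) can both be caught before a request is sent. The following is an added example, not code from the question or the answer; the dataset host, client id, app token and resource id in it are constructed placeholders, and `authorizeUrl` simply derives the /oauth/authorize endpoint from the dataset's own host.

```javascript
// Added example: pre-flight checks for the Socrata OAuth setup described above.
// All hosts and ids below are constructed placeholders, not real identifiers.

// Build the /oauth/authorize URL on the SAME host that serves the dataset,
// because tokens are tied to the domain that issued them.
function authorizeUrl(datasetUrl, clientId, redirectUri) {
  const host = new URL(datasetUrl).host;
  const u = new URL(`https://${host}/oauth/authorize`);
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('redirect_uri', redirectUri);
  return u.toString();
}

// True when the token was obtained from a different host than the one being
// queried: the "Bad OAuth token" case in the answer.
function tokenDomainMismatch(datasetUrl, issuingAuthorizeUrl) {
  return new URL(datasetUrl).host !== new URL(issuingAuthorizeUrl).host;
}

// True when a page at pageOrigin would make a cross-origin (CORS/JSONP) call;
// Socrata drops authentication headers there, so the call must be made from
// the site's own server instead of from jQuery.ajax in the browser.
function needsServerSideRequest(pageOrigin, datasetUrl) {
  return new URL(pageOrigin).origin !== new URL(datasetUrl).origin;
}

// Headers for the server-side request. Keeping this on the server means the
// access token is never handed to the browser (nor stored in a cookie there).
function socrataHeaders(accessToken, appToken) {
  return { Authorization: `OAuth ${accessToken}`, 'X-App-Token': appToken };
}

// Walk through the asker's setup: authorize on soda.demo.socrata.com, query a
// dataset elsewhere, from a page on example.org.
function diagnose() {
  const dataset = 'https://data.example-city.gov/resource/abcd-1234.json';
  const wrongAuthorize =
    'https://soda.demo.socrata.com/oauth/authorize?client_id=APP_ID';
  return {
    mismatch: tokenDomainMismatch(dataset, wrongAuthorize),
    crossOrigin: needsServerSideRequest('https://example.org/dashboard', dataset),
    fixedAuthorize: authorizeUrl(dataset, 'APP_ID', 'https://example.org/dashboard'),
  };
}
```

With the asker's values `diagnose()` reports both a domain mismatch and a cross-origin call, and `fixedAuthorize` is the authorize URL that would issue a token usable against that dataset from a server-side request.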