Apr 16, 2022 05:28:26 AM Edited Apr 16, 2022 05:30:57 AM by Jan Z
Hi,
I am implementing OAuth2 API access to Upwork. I am using your PHP library to generate initial authorization link and to send me to Upwork to confirm. But for some reason, instead of the confirmation prompt, Upwork always greets me with an error "Missing or invalid redirect_uri parameter value".
I tried all formats of the URL parameter I could think of in the browser, like the exact copy from api docs:
&redirect_uri=https://a.callback.url
I tried url-encoded:
&redirect_uri=https%3A%2F%2Fcallback.com
and regular existing:
&redirect_uri=https://google.com,
or something stupid like
&redirect_uri=abc
No matter what I put there, I still get the error, it just won't go away. Only time when it works and I got the prompt is when I omit the redirect_uri parameter completely. But whenever I put the parameter there, I get the error, whatever I put as the parameter value.
What am I missing here? Please note that I have several environments (local, staging, production), so I absolutely NEED this parameter, I cannot rely on the single domain Callback URL which I have filled in my API key. Can you give me a working example of how to format the URL in the browser so your validation accepts that?
Apr 16, 2022 06:07:46 PM by Alper D
Hi Jan, you have figured out that, due to security needs, one should specify their possible redirect URLs first in the OAuth client configuration page before being able to actually use it. This is due to security needs and it works the same way for all OAuth providers like Google, Microsoft, etc.
Unfortunately it seems that the Upwork OAuth client settings page allows you to have a single callback URL, while it is very common for other providers to allow multiple entries. I believe this is something they would need to improve. Otherwise you can just create a new OAuth client for each environment you're looking to utilize.
Apr 16, 2022 06:13:09 AM by Jan Z
Oh, that's interesting, you have the same format I had.. So that got me thinking, and it just looks like the URL has to start with whatever I have configured as Callback URL in my API key.
I set the Callback URL to https://mysite.com/upwork-callback , so indeed the redirect_uri parameter works for mysite.com/upwork-callback and mysite.com/upwork-callback/test ... BUT it doesn't work for mysite.com/upwork, and what's much worse, it doesn't work for staging.mysite.com/upwork-callback or mysite.test/upwork-callback.
So the question is - is there a way to avoid this limitation and allow passing a different domain? As currently I don't think so, and the "Callback URL" parameter in my domain key cannot be empty either.
So how shall I deal with multiple environments? Please just don't tell me I have to register another two applications and wait another month for their approval *screeching teeth*
Apr 16, 2022 06:59:45 AM by Esad R
I hope you know that the next step is where you will get access_token and refresh_token which I think are valid for 24 hours.
Maybe it's best for you to cache token data on your Callback URL, which later can be called from your different environments.
Apr 16, 2022 10:25:27 AM by Jan Z
Sure, I know I will get the tokens, but I am not sure I follow the other half.
Imagine I have one app running on my local on http://site.test , and one on server https://site.com. I send the user to Upwork to authorize, but I need to specify where did he come from so she gets redirected to the correct domain. If I am authenticating from site.test, what good is to redirect user to site.com with the tokens? That won't authenticate me on site.test...
So far I just see ugly options, like somehow manually copy the tokens, or log them somewhere and then manually copy to other environments, but that's ugly.. So how do I do it? Or do I really need to sign up for another app just to be able to insert another Callback domain?
Apr 16, 2022 10:36:42 AM by Jan Z
Wouldn't it be at least possible to allow local domains like .test for the callback outside of the main Callback URL parameter? As seriously I am running out of ideas how to efficiently develop/test this outside of production server
Apr 16, 2022 03:54:33 PM by Esad R
I haven't really tested the options you mention so I can't say for sure (I only have access for a couple of weeks). I think that as long as you have a valid token, then you can make API calls from wherever you want.
Why is it an ugly option to save a token to some database or log file and retrieve that data from another environment?
Apr 16, 2022 05:34:04 PM by Jennifer M
I don't know if I'm understanding you properly, but can you add a querystring value to the callback url and then redirect based on that value?
Apr 17, 2022 09:51:59 PM by Jan Z
Yes, you can, but apparently this URL has to be within the domain defined on your Upwork application key. So this parameter is somewhat useless - it serves the same purpose as the "Callback URL" field on your key, and cannot be changed to another domain like staging.yoursite.com.
Apr 19, 2022 07:01:55 AM by Jan Z
Actually you might be right, that could be an option. But that means there has to be one main environment that will be handling the redirects, some extra code to harvest the tokens and set up the redirect, again this feels pretty ugly to spoil the codebase unnecessarily. Also, considering how sensitive the tokens are, I don't really feel like going this way. I will probably just set up multiple applications, each one with callback tailored to one environment, hopefully Upwork will approve them.
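The redirect-by-value idea discussed in the posts above, as an added example that is not part of the original thread and not Upwork's or its PHP library's code: the single registered callback acts as a relay that forwards only the authorization code (not tokens) to an allowlisted environment named in a signed `state` value. The environment map, the key, the function names and the assumption that the provider echoes the standard OAuth2 `state` parameter back unchanged are all hypothetical.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode

# Hypothetical allowlist: the relay never forwards anywhere else, so a
# crafted `state` cannot turn the callback into an open redirect.
ENV_CALLBACKS = {
    "production": "https://mysite.com/upwork-callback",
    "staging": "https://staging.mysite.com/upwork-callback",
    "local": "https://mysite.test/upwork-callback",
}
STATE_KEY = b"constructed-demo-key"  # assumption: secret known to every environment


def _tag(body, key):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def make_state(env, key=STATE_KEY):
    """Originating environment: build a signed `state` naming itself."""
    if env not in ENV_CALLBACKS:
        raise ValueError("unknown environment")
    # The nonce should also be stored in the user's session and compared
    # when the code arrives, which is the usual CSRF role of `state`.
    payload = json.dumps({"env": env, "nonce": secrets.token_urlsafe(16)})
    body = base64.urlsafe_b64encode(payload.encode()).decode()
    return f"{body}.{_tag(body, key)}"


def relay_target(state, code, key=STATE_KEY):
    """Registered callback: verify `state`; return the forward URL or None."""
    body, sep, tag = state.rpartition(".")
    if not sep or not hmac.compare_digest(tag.encode(), _tag(body, key).encode()):
        return None  # missing or forged signature
    try:
        env = json.loads(base64.urlsafe_b64decode(body)).get("env")
    except (ValueError, AttributeError):
        return None
    target = ENV_CALLBACKS.get(env)
    if target is None:
        return None
    # Only the short-lived authorization code is forwarded; the receiving
    # environment exchanges it for tokens itself.
    return f"{target}?{urlencode({'code': code, 'state': state})}"
```

In the token request the receiving environment still has to send the registered callback as `redirect_uri`, because RFC 6749 requires it to match the value used in the authorization request.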
Apr 17, 2022 09:57:06 PM by Jan Z
Hi Alper,
thanks, that pretty much confirms my thoughts. So I will just apply for another application key for my staging environment, and until it is approved, I will just be switching the domain on my single key as I need to. Fortunately at least this change is instant and I don't have to wait for any more approvals.
I am not happy about this, I would feel better having the same Upwork application key, that could be used from all environments properly using the redirect_uri parameter (which is imo kind of useless in its current form where it has to match the URL set on the api key). But well, if this is the best we can get, I can probably live with that.
Jun 22, 2022 09:19:58 PM by Jason R
Hello,
I know I'm adding a question to a thread that's been closed for 2 months, but I'm also trying to use the API and have a question building off of this. I'm trying to create a script to regularly gather information from my own individual account (transaction history, etc). As this is ideally running as a background job and in no way web-based, I've created the project as project type "desktop" which shows the Callback URL as optional. Is the callback URL actually optional, or is the Upwork API Key request form inaccurate when it says optional and it's actually required to be provided and to match as specified in the above answer?
Jason
Jun 23, 2022 09:04:49 AM by Jan Z
Honestly I am not sure. As far as I've used OAuth2 (even in the case described above), the authentication flow always happened through the browser - sending user to upwork, let her confirm the connection if not already authenticated, send back and store keys in cache. Then whenever my app sees expired keys or connection not authenticating anymore, it just shows a message like "Upwork disconnected" and a button that sends the visitor back to upwork to confirm again.
This reconfirmation doesn't require any mouseclicks or interaction on upwork, because Upwork already sees the app has been approved, so just gives me the keys and sends me back. But how I would do it without the browser I am not sure. There are refresh tokens, which I am using on daily basis to update my keys, but still occasionally the app reports as disconnected, so I just use this as a fallback. Not sure if there is anything better, but certainly would be nice.
Jun 23, 2022 02:27:27 PM by Esad R
I think you will need to go through the browser to authenticate your application on the Upwork server.
I'm also not sure about the desktop project type, I'm using a web project. I use refresh tokens and it has never happened to me that I have to re-authenticate the application.
By the way, has anyone noticed that the buyer.op_tot_charge attribute is limited to 50,000 max? I’m not sure why there is a limit and how to get how much a client has spent on the Upwork platform if it's over $50K.
Jun 23, 2022 08:28:25 PM by Pradeep H
Hi Jason,
Thank you for your message. I will need to verify this information with our technical team. I'll have one of our customer support agents reach out to you directly to assist you further.
Thank you,
Pradeep