I'm testing out RoR by building a Rails app with the Pocket API, and I have to authorize the user. For HTTP requests, I'm using the https://github.com/rest-client/rest-client library.
The first step, obtaining a request token, works fine:
require 'rest_client'
response = RestClient.post 'https://getpocket.com/v3/oauth/request', :consumer_key => @consumer_key, :redirect_uri => @redirect_uri
@code = response.split("=")[1]
But I get a Bad Request error on the second step, which is to get an access token using the request token received in the step above:
access_token = RestClient.post 'https://getpocket.com/v3/oauth/authorize', :consumer_key => @consumer_key, :code => @code
400 Bad Request is what I get on the Ruby application error screen. I have also tried the same request with cURL and the Postman Chrome extension, and the status code I get then is 403 Forbidden. The X-Error-Code I get is 158, which translates to the X-Error message "User rejects code." in the Pocket API docs: http://getpocket.com/developer/docs/authentication.
Since I have tried several different channels to test this request and failed each time, I'm guessing that the problem is not with parsing, but rather I might be missing an important detail or a step (maybe HTTP request headers?). Thanks for your help in advance!
Turns out that I (or we) have been missing an important detail:
Whenever we test out a request for the Pocket API in Postman or anywhere else, we naturally skip the process of visiting the authorization URL, which is in the form of:
https://getpocket.com/auth/authorize?request_token=YOUR_REQUEST_TOKEN&redirect_uri=YOUR_REDIRECT_URI
Now, even though you might have allowed your app to access your account before, on each call, the Pocket API doesn't activate a request token before this URL is visited. Only then does your request token become activated, and it can be used for the second authentication step. It works fine after doing that.
As a side note to anyone who is using Pocket API in Ruby on Rails, there is a nice wrapper gem for it: https://github.com/turadg/pocket-ruby
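The ordering described in this answer, as an added example that is not part of the original post: step 3 is refused with X-Error-Code 158 until the user has opened the step 2 URL. The `PocketAuth` class, the injected `http` object and the `FakePocket` stand-in (with its sample tokens and response bodies) are constructed for illustration so the flow runs offline.

```ruby
require 'uri'

POCKET = 'https://getpocket.com'
class NotApproved < StandardError; end

# Pocket's default responses are form-encoded ("code=..."); decode them properly.
def parse_form(body)
  URI.decode_www_form(body.to_s.strip).to_h
end

# Step 2: the URL the user has to open in a browser to approve the request token.
def authorization_url(code, redirect_uri)
  "#{POCKET}/auth/authorize?" + URI.encode_www_form(request_token: code, redirect_uri: redirect_uri)
end

# http is any object with post(url, params) returning [status, headers, body],
# e.g. a thin wrapper around RestClient (the wrapper is an assumption).
class PocketAuth
  def initialize(http, consumer_key, redirect_uri)
    @http, @key, @redirect_uri = http, consumer_key, redirect_uri
  end

  # Step 1: obtain a request token.
  def request_token
    params = { consumer_key: @key, redirect_uri: @redirect_uri }
    status, _headers, body = @http.post("#{POCKET}/v3/oauth/request", params)
    raise "request token failed: HTTP #{status}" unless status == 200
    parse_form(body).fetch('code')
  end

  # Step 3: only succeeds after the user has visited authorization_url(code, ...).
  def access_token(code)
    status, headers, body = @http.post("#{POCKET}/v3/oauth/authorize", { consumer_key: @key, code: code })
    return parse_form(body) if status == 200
    raise NotApproved, 'request token not approved yet' if headers['X-Error-Code'] == '158'
    raise "authorize failed: HTTP #{status}"
  end
end

# Constructed stand-in for Pocket, modelling only the behaviour described above.
class FakePocket
  def initialize; @approved = {}; end
  def approve(code); @approved[code] = true; end # stands in for the user visiting the URL
  def post(url, params)
    return [200, {}, "code=sample-request-token\n"] if url.end_with?('/v3/oauth/request')
    return [403, { 'X-Error-Code' => '158' }, ''] unless @approved[params[:code]]
    [200, {}, 'access_token=sample-access-token&username=sample-user']
  end
end
```

In a Rails app the controller would redirect the browser to `authorization_url(...)` and call `access_token` only from the action behind the redirect URI.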
I can confirm that you are indeed missing HTTP headers, which will cause the Pocket server to reject the post request you're trying to send.
There are a few ways in which headers can be communicated: sometimes they are communicated through the codes/tokens associated with the server request (which here appears not to be the case). You need to use an "Authorization" header, as you are doing this with OAuth with your initial request.
This should help you: notice the "Authorization:" header after the "Content-Type:" header contains the information that's returned.
For some in-depth reading, go here.
I might also suggest trying the OAuth2 gem, which does most of the requesting for you - it will probably simplify what you're doing quite a bit!!
Here's what it looks like on Postman.