Go to All Forums

Migrating to OAuth 2.0 for Authenticating the Site24x7 REST APIs

Site24x7 offers a comprehensive set of documented REST APIs for your monitoring and reporting needs. To provide a more secured access to your resources, we are migrating to OAuth 2.0 protocol from authtokens for authorizing the APIs.

Why move to OAuth 2.0?

  • Access restrictions can be placed. You can decide the kind of access third party apps/scripts require for its functioning.
  • APIs can be segregated based on scopes. You can select the scopes based on your usage/requirement, and not all the APIs need to be exposed.
  • Provides a delegated access token that has an expiry time (one hour), unlike authtokens that have permanent validity.

Getting Started with OAuth 2.0:

The OAuth token can be created in 3 steps:

  • Registering your Client Application
  • Generating the Grant Token
  • Generating the Access and Refresh Tokens using the Grant Token

When making an API call, the OAuth token is passed in the Authorization header as Zoho-oauthtoken {access_token}, similar to the authtoken (Zoho-authtoken {auth_token}).

Refer our API documentation to get started!

Deprecation of Authtokens:

Creation of new authtokens will be deprecated by 31st August, 2019 and the existing ones will be deprecated by 30th November, 2019. Please update your existing code/script and migrate to OAuth 2.0 within the mentioned period.

 

Happy Monitoring!

Like (25) Reply
Replies (40)

A gentle reminder to migrate to OAuth 2.0. You cannot create new authtokens (deprecated on 31st August, 2019) and the existing ones will be deprecated by 30th November, 2019.

Like (0) Reply

[UPDATE]

Hi,

Please find attached the updated sample implementations (Python & PowerShell scripts) using OAuth 2.0 tokens. Read this article to know more on configuring Postman authorization for Site24x7 APIs.

For any questions, please comment in the below thread.

 

Regards

Mathangi

Attachments
Like (0) Reply

Just as an FYI, there is a bug with the Python script. While refreshing the access token using the refresh token, the refresh token will not be re-saved to the json.

In its current state the script can only generate the access token and the refresh it just one time.

Just adding one line to the refreshAccessToken() method fixed it for me.

Like (0) Reply

[UPDATE]

Hi,

Thanks for pointing it out. Please find attached the updated Python script. Have re-uploaded the Python file in my previous comment as well.

Hope this helps. Let us know for further queries, if any. 

 

Regards

Mathangi 

Attachments
Like (0) Reply

Hello, you wouldn't have an example written in java would you?  Thanks.

Like (0) Reply

Hi,

Thanks for raising this. We are working on this. Will post an update here once the file is ready.

 

Regards

Mathangi

Like (0) Reply

thanks, and sorry i should have said javascript not java... appreciate it.

Like (0) Reply

Hello, 

We have released another sample implementation in Golang. Please find the script attached in this post.

Note: go1.12 is the minimum version required to run this program. 

For any questions, please comment in the below thread.

 

Regards

Mathangi

Attachments
Like (0) Reply

We have been testing with the Powershell script you provided.  We were successful in calling the Get-AccessToken and Sample-GetRequest functions many times. 

But the issue we are running into is we intermittently receive an error that states:
Invoke-WebRequest : The underlying connection was closed: An unexpected error occurred on a send.
.......
WARNING: access_token is missing

We are calling the Sample-GetRequest once every 10 minutes and it will eventually execute successful after a few retries.

Any guidance is welcome

 

Like (0) Reply

We are also getting similar issue, message we get is "Unable to connect to the remote server". I even tried putting sleep command but still the same, seems to be intermittent.

Like (0) Reply

[UPDATE]

Hi,

Please find attached the updated sample implementation in Javascript.

Note: Make sure Node.js and the request library is installed to run this file.

 

Hope this helps. For any questions, please comment in the below thread.

 

Regards

Mathangi

Attachments
Like (0) Reply

Mathangi,

Can you update the Powershell file as well?  We can't use node.js in our environment.

Thanks

Like (0) Reply

Hi Walter,

Sure, our development team is working on it. Will post an update at the earliest.

 

Thanks for understanding.

 

Regards

Mathangi

Like (0) Reply

Any update on this? Its been 4 days and I'm still getting constant failures when calling the api to generate access token from refresh token potion thats in the powershell stanza.

Like (0) Reply

We added loop when using the invoke-request to get API data, we still see timeouts in the logs but the loop will keep trying until successful. Seems to be problem on Site 24x7 API servers

$GetAPM = $null
Do
{$GetAPM = Invoke-RestMethod -Uri $APMuri -UseBasicParsing -Method Get -Headers $headers | ConvertTo-Json}
While ($GetAPM.Length -eq 0)

Like (0) Reply

Hi Walter,

We have shared a powershell script to you via our support mail id. Please let us know whether that resolves the problem.

 

Thillai.

Like (0) Reply

Hi Mathangi

Thank you for your post.

I have now created an OAuth 2.0 Access Token and built a script in Postman to setup an ad-hoc maintenance window. My intention is to automate this process as part of our build and release pipelines in Azure DevOps so that we can carry out a release to a 24x7 monitored application at anytime without triggering alerts, buy calling the Postman or curl script.

The issue I have is that the Access Token only seems to be valid for a very short time (hours) which would mean I couldn't built this in as a step in our automated release framework without generating a new token every day.

Am I missing something here? Is there a way to grant an Access Token (I'm using the Web Based Client) which would last for a year, for example?

Many thanks in advance.

Like (0) Reply

Hi,

Refresh token is a permanent token. You have to use the refresh token to generate new access token after it got expired (in one hour).

Please check "PART 5: GENERATE ACCESS TOKEN FROM REFRESH TOKEN" in API Doc

https://www.site24x7.com/help/api/#authentication

Thillai.

Like (0) Reply

We migrate our scripts to the new method, well this fails all the time, we have cases opened but with no solution, please roll back this until is stable

Like (0) Reply

Is the Token data URL (accounts.zoho.com/oauth/v2/token) same for all data centers?

Please confirm if its the same for Europe.

 

Like (0) Reply

No, the URL changes for each data center. For Europe you have to use https://accounts.zoho.eu/oauth/v2/token

For other data centers, please check API Doc https://www.site24x7.com/help/api/#authentication

Like (0) Reply

How this OAuth 2.0 affect the RESP API Integration with ServiceNow?

as I understand you need to generate an OAuth Token everytime

 

Like (0) Reply

If you are using our out of the box Service Now integration, there is no change in that because of OAuth 2.0. Because only how you call our api has been modified, not how and what we post to Service Now is. Same applies to all third party integrations.

Like (0) Reply

Hi JuanManuel/Sam,

Hope you can make it work now. Let us know, if you need any further help.

Thillai.

Like (0) Reply

Hi,

Greetings from Site24x7!

While generating OAuth refresh token and grant token, the response will not have "expires_in_sec" from now on. Instead, "expires_in" will have the time period depicted in seconds. In the existing responses "expires_in" represented the time period in milliseconds. All those refresh tokens created before Jan 31, 2020 will continue to be in the old format. 

Example for Refresh token response:

Previous response:
{
"access_token":"1000.2deaf8****c85daa2a013a843b10.703ad****8a36cfc5d7b83cf24",
"refresh_token":"1000.18e983526f0ca85****d5bb58.1bd8*****a7e439cc1",
"expires_in_sec":3600,"
api_domain":"https://www.zohoapis.com",
"token_type": "Bearer",
"expires_in": 360000 //in milliseconds
}

New response:
{
"access_token":"1000.be42****33ea3a59dc9864079d2.ccd30****5ed02f1a2e8ee8",
"refresh_token":"1000.feec****4550f75d2398b27d99d.9689eb9****d92ec7cdffc71",
"api-domain":"https://www.zohoapis.com",
"token_type":"Bearer",
"expires_in":3600 //in seconds
}

Example for Access token response:

Previous response:
{
"access_token": "1000.3a1b3*****546d0072f9e46f.b552ef01*****3d6732f2",
"expires_in_sec": 3600
"api_domain": "https://www.zohoapis.com",
"token_type": "Bearer",
"expires_in": 360000 //in milliseconds
}

New response:
{
"access_token": "1000.3a1b3*****546d0072f9e46f.b552ef01*****3d6732f2",
"api_domain": "https://www.zohoapis.com",
token_type": "Bearer",
"expires_in": 3600 //in seconds
}

 

Happy monitoring!

 

Like (0) Reply

Just ran into this issue and took me a while to figure it out (hadn't read the full post), can the example python files ('sample-implementation-scripts') be updated and reposted with the changes so that others don't trip on this as well,

Cheers

Like (0) Reply

Hi Julian,

Thanks for raising this. We have updated the Python, JavaScript, and PowerShell samples. Have attached them in this comment as well as updated the attached zip in my previous comments.

Hope this helps. Please let us know for questions, if any.

 

Regards

Mathangi   

Attachments
Like (0) Reply

Hi Site24x7 team,

We are having some annoying issues obtaining access tokens using refresh token. There seems to be a mismatch between the behaviour and limits described in the API documentation and the actual behaviour.

The documentation section in question is the following:

Each refresh token can have a maximum of 30 active access tokens (non expired). When the user creates the 31st access token, the first created access token is automatically deleted to accommodate the latest one.

The short version of our issue is that the API rejects token requests with "access denied" even before requesting the 31th token. Also, from the documentation I'd assume that requesting the 31th token immediately creates one and deletes the oldest token in flight, but this is not what we are observing. Instead, we are unable to obtain new tokens for several minutes, which -- even with exponential backoff-retry -- makes our automations fail rather often.

For a complete explaination of the issue I prepared the description of the problem and two reproducer scripts as a Github gist which can be found here:

gist.github.com/martinohmann/2a73af2e2f1babab02fee37479937d00

Looking forward to feedback from you.

Thanks and best regards!

Martin

Like (0) Reply

Please note that you can generate only a maximum of five access tokens in a minute similar to refresh tokens as a security measure. In some cases, you will be able to generate 15 access tokens in a minute.

"Each refresh token can have a maximum of 30 active access tokens (non expired). When the user creates the 31st access token, the first created access token is automatically deleted to accommodate the latest one."  The above statement denotes that only 30 active access tokens can be alive at a time, but you can not generate 30 or more access tokens in a minute.

You can have a centralized place to fetch access token, which will generate new access token when an old one expires.

Like (0) Reply

Thank you for your reply! That at least explains the behaviour.

Can you point me to the place in the documentation where the per-minute limits are noted? I do not seem to find it.

Is it possible to fix the API to return a proper 429 Too Many Requests response with a Retry-After header? This would be super helpful for automated systems to properly handle this rate limit. Right now it returns status 200 with message access denied, which is a little confusing.

We are in fact reusing access tokens until they expire if possible, but we have some automated systems that fetch an access token from the same refresh token when they start up which causes problems when multiple of these start up in parallel or quickly one after the other. Proper rate limiting responses would certainly help here.

Best regards

Martin

Like (0) Reply

Thank you for your suggestion, We will check and update the status code. 

"Can you point me to the place in the documentation where the per-minute limits are noted? I do not seem to find it." - We have not explicitly mentioned these for our APIs. It also varies based on the API. The count should be sufficient for typical usage. You can also refer to our community post regarding effective usage.

Regards,

Karthick

Like (0) Reply

Martin, 

   Please share your Client ID to our support via Email:support@site24x7.com. We can change the error code for that Client ID alone, So that it does not break others who are already relying on 200.

 

Regards, 

Karthick

Like (0) Reply

Question,

Is there a way to keep track of clients IDs or something that customers can audit API usage on their account? As it is today, we have no way to track who is using API and as such cannot ensure that as we make changes to our account we are not breaking things.

We had an issue recently where we dropped an account from Admin to Operator and there was an API (OAuth) tied to the account and it broke an important piece of our production release process that creates and maintains monitors in Site24x7. We could not do production releases until the issue was resolved.

Plus there is no way to tell how many things are out there connecting via API.

In other tools we have a central API page where people go to to create new integrations and they have to leave a description of what they are using it for. This page tracks important things like Description, Created Date, Last Used Date and Created By.

Like (0) Reply

Hello,

We've moved to OAuth from authtoken model on 31st August, 2019. The initial plan was to drop support for existing authtokens by 30th November, 2019, but based on a few customer requests we extended the support. It's been a year since we have extended the support, hence from 28th February 2021 we'll not be supporting existing authtokens.

To get started with OAuth 2.0, you can refer our API documentation.

We also have sample scripts for languages:

If you want to check whether you're using an authtoken in your account for any integration or automation, you can navigate to -> Admin -> developer -> API.

If you are receiving a warning message to migrate to OAuth, then it might be that one of the users of your account is making API calls/any automation is based on authtokens from your account.

You can contact support@site24x7.com to get more details of those API calls and move them to OAuth accordingly.

Regards

Bela

Like (0) Reply

At support.site24x7.com/portal/en/kb/articles/create-a-postman-configuration-for-authorizing-requests-with-oauth-2-0 it states: "Provide a name for the client and select the Type as Web-based."

I don't have that type. I have:

Client-based Applications

Server-based Applications

Mobile-based Applications

Non-browser Applications

Self Client

 

Like (0) Reply

Dear Tom,

     Please use Server-based applications as the client type. This will authenticate web-based applications that are built to run in a HTTP server.

Apologies for not updating the KBase. We will update asap.

-Jasper

PM, Site24x7

Like (0) Reply

The result is this:

 

Invalid Redirect Uri
Redirect URI passed does not match with the one configured
Like (0) Reply

Dear Tom, 

   Can you contact us in support@site24x7.com so that we can debug and guide you better. 

Just before you reach us, it would be good to know if you enabled "Authorize using browser" option in Postman?

It should be disabled and you should login via postman's internal browser and authorize.

If this doesn't help please contact us. We will update here with the steps we took to resolve it. 

-Jasper

PM, Site24x7

Like (0) Reply

Hi Jasper,

My reply crossed yours. The error I had was before using the Server-based application. Now all is well!

 

Thanks,
Tom

Like (0) Reply

Hello,

We’ll be stopping all support for existing authtokens from April 26th, 2021. As already communicated, we moved to OAuth from authtoken model on 31st August, 2019.  Although the initial plan was to end support for existing authtokens by 30th November, 2019, we extended the deadline based on a few customer requests . 

To get started with OAuth 2.0, you can refer our API documentation.

If you want to check if you're using an authtoken in your account for any integration or automation, you can navigate to Admin > Developer > API.

Find out whether you're making api calls using authtoken

Please contact support@site24x7.com to get more details of those API calls and move them to OAuth accordingly.

Regards,
Bela

Like (0) Reply

Was this post helpful?