question

jeff-davies avatar image
jeff-davies asked jeff-davies commented

401 Unauthorized error requesting token

I have a simple web app defined. I am not using the sandbox. When I start the app via my clover dashboard it directs to my php page that I defined in my app settings. I have also specified my domain in the CORS field of the app settings.

When my php page loads, I can see that it is receiving the merchantid, employeeid, client_id and code query parameters correctly. The error occurs in my $(document).ready() function. Here is a copy of the function:

$( document ).ready(function() {
      merchant_id =  getParameterByName('merchant_id');
      employee_id =  getParameterByName('employee_id');
      client_id =  getParameterByName('client_id'); // aka the application ID
      code =  getParameterByName('code');

      $data = "<p>merchant_id = " + merchant_id + "<br/>" + 
        "employee_id = " + employee_id + "<br/>" +
        "client_id = " + "<br/>" + 
        "code = " +  code + "</p>";
    $("#clover").html($data);

    // Get the autorization code from clover:
    var cloverAuthcodeURL = "https://www.clover.com/oauth/token?client_id=" + client_id + "&client_secret=" + appSecret + "&code=" + code;
    alert("Clover Authcode URL = " + cloverAuthcodeURL);
    $("#xact").text(cloverAuthcodeURL);

    $.ajax({
          method: "GET",
          url: cloverAuthcodeURL,
          dataType: "json",
          beforeSend: function( xhr ) {
              xhr.setRequestHeader('Access-Control-Allow-Origin', '*');
          }
        }).done(function( data ) {
            alert(JSON.stringify(data));
            access_token = data.access_token;
            // Now get the latest order
            getLatestOrder(access_token);
          }).fail(function( jqxhr, textStatus, error ) {
              var err = textStatus + ", " + error;
              alert("request failed: " + err);
              console.log( "Request Failed: " + err );
          });
  });

Looking at the Developer console in Chrome (latest version on a Mac) I see 2 errors:

Error 1:

Failed to load resource: https://www.clover.com/oauth/token?client_id=REDACTED&client_secret=REDACTED&code=7efcf4cd-ea12-349a-ae5b-a8140f2b4684  
the server responded with a status of 401 (Unauthorized)

Error 2:

XMLHttpRequest cannot load https://www.clover.com/oauth/token?client_id=REDACTED&client_secret=REDACTED&code=7efcf4cd-ea12-349a-ae5b-a8140f2b4684. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://www.bleucafecarson.com' is therefore not allowed access. The response had HTTP status code 401.

Usually, I would address this cross domain problem by defining jsonp in the ajax call, but according to the CORS page, jsonp is not supported. https://docs.clover.com/build/cors/

As I said, I do have my domain defined in the CORS field of the application. Any idea what I am doing wrong? Thanks in advance!

  • Jeff
OAuth
5 comments
10 |2000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Bryanne Vega avatar image Bryanne Vega commented ·

Hide your client secret

0 Likes 0 ·
jeff-davies avatar image jeff-davies commented ·

Redacted - Thanks Bryanne!

0 Likes 0 ·
Bryanne Vega avatar image Bryanne Vega commented ·

Sure, I haven't worked with CORS so I'm not able to help, hopefully one of the devs will see the post : ]

0 Likes 0 ·
jeff-davies avatar image jeff-davies commented ·

I have tried this with my CORS site set to both http://www.bleucafecarson.com/ and http://www.bleucafecarson.com (trailing backslashes changed) as some of my research showed this might be the source of the trouble. However, the problem still remains. Someone at clover must know the answer to this. I'm doing a pretty rudimentary function just trying to get an OAuth token.

0 Likes 0 ·
Bryanne Vega avatar image Bryanne Vega commented ·

Is it cause it's not HTTPs?

Are you getting an oauth code or token?

0 Likes 0 ·

1 Answer

brokenoval avatar image
brokenoval answered jeff-davies commented

Jeff - I did this a long time ago so not too sure there isn't a better way, however I suspect its more of a design issue - the client needs to be physically redirected to the OAuth url in their browser e.g. using a

header('Location: '.$cloversOAuthURL?yourparameters) //PHP version or window.location for JS

rather than just hitting it with a GET request - when they get there they are required to enter their email and password (same as when we log in to the Clover dashboard) - when authorised it will be returned to your specified URL (you can specify your return URL in the parameters of the OAuth url) and you can read the access_token when they return to your site.

1 comment
10 |2000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

jeff-davies avatar image jeff-davies commented ·

Thanks BrokenOval, but your info is not quite correct. You are correct about the redirect, and I have that in place. If I try to access the page without having logged into Clover first, I am appropriately redirected to the login page. Then my page is opened after the login stage and it does contain the ?code=xxx query parameter. If I copy the resulting URL and paste it into my browser (performing a GET by default), I do see the access_token returned to the browser. The docs do explicitly say to perform a GET operation (see https://docs.clover.com/build/oauth-2...).

0 Likes 0 ·

Welcome to the
Clover Developer Community