After you've obtained an Authorisation Code, you must use it almost immediately. Authorisation Codes will expire after a few minutes, so you've probably run your Postman query too late. |
 ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
Fribbtastic said: I am pretty much taking the vanilla PKCE Challenge example on GitHub below to create everything I need and then request the authorization endpoint to get the authorization code that then my users can use to add to their plugins. https://github.com/aaronpk/pkce-vanilla-js The GitHub example you've linked uses a different OAuth schema where the Code Challenge is a hashed version (SHA-256) of the Code Verifier. Instead, MAL requires that both the Code Challenge and the Code Verifier must be the exact same string. Similarly, there're some other parameters that need to be altered (e.g. "code_challenge_method"). Fribbtastic said: Maybe you have some Idea where I can look? Before I suggest you something different, can you try testing your application using a fixed and pre-generated Code Verifier/Code Challenge? For instance, you can use the string given by repeating 'A' × 128 times, which you can copy-paste it from here. |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
Fribbtastic said: I will send you a message with the actual running code so that we are on the same page. We solved this issue via PMs, but I thought that sharing the cause of the problem might help someone else. @Fribbtastic's problem was that the Redirect URL he registered in the API panel matched the one he specified in the Authorisation URL except for the letter case. Technically speaking, domain names are not case sensitive. For instance, both myanimelist.net and MYanimeLIST.nEt correspond to the same domain and DNS entries. However, this equivalence is ignored by the API back-end. For this reason, using a Redirect URL with a different casing than the one defined in the API panel will result in an error (or, rather, in a weird response from MAL servers). Please, double-check your Redirect URLs if you've encountered a similar problem. Pending slashes will also result in the same error (e.g. myanimelist.net ≠ myanimelist.net/). |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
quake_01 said: Hi, I'm having a hard time getting a request to get an anime list from the API server in python. Is there any chance I could see an example of it? Sure thing! I wrote a minimal Python programme covering both the OAuth authorisation procedure (which is a one-time step) and the use of the API (using the "Get my user information" endpoint). You can find it here: gitlab.com/-/snippets/2039434. |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
quake_01 said: So, to use a get request to get an anime list would be similar to when you tested the API to request your profile information? Yes, the code is very similar. Take a look at the official documentation to find all the info you might need: Get user anime list. For example, here's a function which prints some data about the first 10 entries of the user's anime list: |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
bakugo411 said: I am getting the unsupported grant type error and it seems that I am not generating a token at all. I was able to get it in my http simulator, but I keep getting invalid in my code. You misspelt "header" inside the "option" object, the right version is "headers". Also, I don't know the content of the "process_stream" function, so there might be a bug in there as well. Either way, I slightly altered your code to make it work. Here's the snippet: |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
HelpfulSchwarz said: Hello! Thank you very much for this wonderful guide. I am trying to implement the login functionality in my android app and everything went smoothly till the token exchange step. I get a weird error which says: AuthorizationException: {"type":2,"code":2002,"error":"invalid_grant","errorUri":""} I have checked that my code challenge in auth and token phases are the same, tried with both AppAuth and Retrofit, nothing helps. I am at the end of my wit here. I skimmed through the repository but it's hard to pinpoint the issue as the codebase is quite large and you're using a third-party OAuth client (OpenID's AppAuth) which is poorly documented. So far I've found one critical error: in this file at line 23 you called the setCodeVerifier(codeChallenge) method to set the Code Verifier. However, this function uses the S256 challenge method (i.e. Code Challenge = SHA-256(Code Verifier)), while MAL only supports the "plain" method (docs). You should be able to fix this by using the second overload of the same method: setCodeVerifier(String codeVerifier, String codeVerifierChallenge, String codeVerifierChallengeMethod). The three parameters you have to pass should be codeChallenge, codeChallenge, and AuthorizationRequest.CODE_CHALLENGE_METHOD_PLAIN. Try fixing this and retry. There might be other bugs in the code, maybe it would be easier to build the OAuth client from scratch. |
ZeroCrystalDec 2, 2020 10:14 AM
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
HelpfulSchwarz said: Thank you very much for taking time to look through my code! I have tried it and it finally worked :) That's great to hear! Good luck with your app. |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
ahmetbugraozcan said: https://mal.auth0.com/.well-known/openid-configuration is it myanimelist's or not? It's not MyAnimeList, just a different company with the same acronym. I'm not sure about which OAuth libraries are available for Flutter, but it's probably easier to implement the authorisation workflow by hand. It's simpler than it might sound. |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
Terlaws33 said: Blocked By Cross-Origin Policy Hello, I'm trying to get the user's access token. I'm actually using vueJS (a JavaScript framework) to make my application but I can't make post request to another domain it's blocked by CORS Policy so I always have this error on consol: … Do you have any solution to get the user's access token in VueJS? Unfortunately, the API is poorly suited for front-end scenarios like browser-powered applications or userscripts. I explained the problem (and a possible solution) in #36: ZeroCrystal said: As we've briefly discussed in the previous posts, at the moment it's not possible to interact with the API straight from the browser. Normally, you would write something like: Unfortunately, the API servers don't include the CORS headers required to execute the above code snippet. If you don't know what CORS is, you can read this short MDN article. This is an issue that should be solved by MAL's dev team. In the meantime, the easiest solution is probably to use a public reverse proxy to access the API. CORS Anywhere is an example. You can replace the original URL with: This snippet should work as expected, but you are relying on a third-party service. It should be ok for testing, but you shouldn't be using it for public applications. Hosting your own reverse proxy is a better solution (the code for CORS Anywhere is open-source). Still, a proper solution has to be deployed by MAL. |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
Lege111 said: And of course after working on this for 2 days I figure it out 10 minutes after postin this. A classic. |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
selective53 said: I'm having trouble receiving the access token in JS. I'm sending the following POST request with XMLHttpRequest encoded with encodeURI(): `https://myanimelist.net/v1/oauth2/token?client_id=${oAuth.client_id}&client_secret=${oAuth.client_secret}&grant_type=${oAuth.grant_type}&code=${oAuth.code}&code_verifier=${oAuth.code_challenge}` That's because you shouldn't pass those parameters as part of the query string. They must be form-URL encoded and placed inside the body of the POST request. Either way, if you're building a browser-side application, you will have some issues with the (missing) CORS headers. I explained the problem (and a possible solution) in #36: ZeroCrystal said: As we've briefly discussed in the previous posts, at the moment it's not possible to interact with the API straight from the browser. Normally, you would write something like: Unfortunately, the API servers don't include the CORS headers required to execute the above code snippet. If you don't know what CORS is, you can read this short MDN article. This is an issue that should be solved by MAL's dev team. In the meantime, the easiest solution is probably to use a public reverse proxy to access the API. CORS Anywhere is an example. You can replace the original URL with: This snippet should work as expected, but you are relying on a third-party service. It should be ok for testing, but you shouldn't be using it for public applications. Hosting your own reverse proxy is a better solution (the code for CORS Anywhere is open-source). Still, a proper solution has to be deployed by MAL. EDIT: @selective53, you deleted your post just a few seconds before I wrote this message. Do you still need some help? |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
selective53 said: I use Tampermonkey and modify the site so hopefully I won't run into CORS issues. In that case, you might need to use the GM_xmlhttpRequest(…) function to bypass any eventual cross-site origin error. |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
R1dje said: Hello. I don't get it, should I use oAuth 2 to get token even if I want to access public data like top of anime or manga? Yes. Currently, there're no “anonymous” API endpoints that you can use without being authenticated (via OAuth). They will be added in the future. R1dje said: If so, how official android mal client works if I cancel authorization? If not, where to get Bearer YOUR_TOKEN without user ID? It seems like on step 4 I need Parameter code: the user's Authorization Code received during the previous step. (REQUIRED) (Step 3 - User redirection) MAL's official mobile app doesn't use the public API (or, at least, not completely). They run their own private endpoints to compensate for some of the issues and missing features of the public API. I don't know if they mix private and public API calls, but some of the things the app is capable of are impossible to reproduce on a third-party application without performing some minor “hacking”. |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
Wheelz said: I'm trying to build a Discord bot that interfaces with MALs API, is it possible to search for anime by string rather than an integer value? I don't think it's reasonable to expect the average user to know the integer id of the anime they want information on. The https://api.myanimelist.net/v2/anime method ("get anime list") includes an optional "q" search string and can thus be used for exactly this purpose. Documentation : https://myanimelist.net/apiconfig/references/api/v2#operation/anime_get |
| anyone tried authenticating with next-auth.js? had any luck? for me it seems that it can't retrieve the correct url (after "Allow" screen), and it crashes on the callback |
 Set by Secret Santa Stardew <3 |
Chop_in said: anyone tried authenticating with next-auth.js? had any luck? for me it seems that it can't retrieve the correct url (after "Allow" screen), and it crashes on the callback I've never used that library, but, according to the docs (here), you cannot set the "code_challenge_method" to "plain" and thus it's incompatible with MAL. |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
ZeroCrystal said: I've never used that library, but, according to the docs (here), you cannot set the "code_challenge_method" to "plain" and thus it's incompatible with MAL. Thanks, the error code wad different and I didn't even think about it. Anyway i spent probably around 8 hours total trying to debug this thing, and then wrote simple authirization myself in an hour. I hate js libraries even more now :) |
Set by Secret Santa Stardew <3 |
Chop_in said: I hate js libraries even more now :) Welcome to the club! ^^ The authorisation flow is not complicated, it's probably easier to write some code from zero than spending hours looking for the right library. |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
| Hey @allanrivers, are you certain that you're passing the parameters form-url encoded instead of appearing them to the query string? Can you post your Postman configuration or your Laravel code? |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
allanrivers said: I actually just used your python script instead. Worked like an absolute charm, thank you! Good. Glad it helped! |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
fbaierl said: Nevermind, I figured it out. Javascript needs to be enabled for the Android WebView. :) Yep, reCAPTCHA won't let you complete the procedure without enabling JS. |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
I think the issue might be with the %7E |
 |
I didn't have time to test any of this, but "%7E" translates to "~", which is a valid character according to the standard. Also, an invalid Code Challenge would give you an error during the previous phase of the authentication process and not during the token negotiation. Still, it may be worth trying a simpler string as Code Challenge (e.g. AAAAA...). @fbaierl, can you try negotiating the token using a different language or a tool like Insomnia or Postman? It should help to pinpoint the cause of the error. It's weird that MAL returns a 400 status code without any kind of error in the body. |
ZeroCrystalOct 23, 2021 3:13 PM
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
| I’m aware that %7E is ~, the sample from the stack overflow shows %7E instead of ~. My thinking is that passing that encoded verifier to the MAL Authenticator would cause an issue because that constructor also encodes the data. In other words, passing an encoded verifier to that constructor would encode it again causing the resulting verifier to be malformed. |
|
KatsuteDev said: I’m aware that %7E is ~, the sample from the stack overflow shows %7E instead of ~. My thinking is that passing that encoded verifier to the MAL Authenticator would cause an issue because that constructor also encodes the data. In other words, passing an encoded verifier to that constructor would encode it again causing the resulting verifier to be malformed. I don't know the internals of Mal4J so I'll trust you. Thanks for the note. Once again, @fbaierl, can you try using a simpler, static string for the Code Challenge? |
| ★ HTCPCP/1.0 ★ MetaMAL ★ Picture credits: Kieed & 1041uuu |
More topics from this board
» Requesting additional authorizationsSomeNewGuy - Aug 18 |
1 |
by ZeroCrystal
»»
Aug 22, 8:31 AM |
|
» Scraping from HTML suggested rateDavenzo - Jan 8, 2023 |
4 |
by 7k72
»»
Jun 23, 6:35 AM |
|
» Accessing Many Users' Listloukylor - Jun 11 |
0 |
by loukylor
»»
Jun 11, 3:07 PM |
|
» Caching strategy to avoid making additional API callsJakuten - Jun 3 |
4 |
by Jakuten
»»
Jun 8, 11:30 AM |
|
» Manga Update API Endpoint Disabledarturitojedi - May 15 |
0 |
by arturitojedi
»»
May 15, 6:45 PM |