API Error: GET method is not allowed

For the past 2 hours I have been getting an error when I try to enter the “WoW Account Profile API”:

Array
(
    [error] => invalid_request
    [error_description] => GET method is not allowed.
)

When I try to enter the account API over the Blizzard Battle.net Developer Portal test site I get the same error.

I had no problems before. Could you help?

I’ve got a very similar problem with StarCraft 2 APIs tonight.

/oauth/token endpoint returns error 500 when it receives client credentials encoded as base64 string in Authorization header. It used to work fine until tonight. Node.js example mentioned here doesn’t work for me either.

Funny enough, when I try an equivalent request using curl -u CLIENT_ID_HERE:CLIENT_SECRET_HERE ... to /oauth/token it works fine.

I’m not sure if I should update my API library to use different auth method or it’s just a bug on Blizzard’s end.

I use the PHP “curl_setopt” to build the /oauth/token URL. This doesn’t work anymore. Also, if you try to open the URL manually in the browser, this error comes up.

Just chiming in that I also started receiving this error today when before the method I used worked fine. The error also occurs on Blizzard’s own API pages using the ‘try it’ button.

After reading the documentation again I found a few interesting things I’d like to share.

The official documentation for the client credentials flow says:

To request access tokens, an application must make a POST request with the following multipart form data to the token URI: grant_type=client_credentials
The application must pass basic HTTP auth credentials using the client_id as the user and client_secret as the password.

See the OAuth RFC for detailed information about the client credentials flow.

The official documentation for the authorization code flow says:

To request access tokens, an application needs to provide the following POST parameters to the token URI, using the developer’s client ID and secret with HTTP basic authorization:

| Term | Description |
| --- | --- |
| redirect_uri | The same redirect_uri used when obtaining the authorization. |
| scope | The scopes needed for the access token. Note that this can be fewer scopes than the authorization. |
| grant_type | The previously-retrieved authorization_code. |
| code | The code for the specific grant_type used. |

For more detailed information about the Authorization Code Flow, see the OAuth 2.0 Authorization Framework RFC.

If you go to section 3.2 of RFC 6749 it clearly states the OAuth2 server must use the HTTP POST method for the token endpoint.

The client MUST use the HTTP “POST” method when making access token
requests.

If this is a bug or an intentional change to comply with the RFC only a blue can answer, however the solution for now is to implement the request to the token endpoint using POST.


I just tested and this code still works as it was already based on a POST request. If you need help getting this to work, please reply to the original post and I’ll try to help you with that.

2 Likes

I’m using this curl function. Isn’t this some kind of a POST request? In the thread you’ve linked is a PHP (with curl) solution, too. Is this one working?

function getSslPage2($url2, $userAgent)
{
    $ch2 = curl_init($url2);

    curl_setopt($ch2, CURLOPT_USERAGENT, $userAgent);
    curl_setopt($ch2, CURLOPT_SSL_VERIFYPEER, true); // verify the server's TLS certificate
    curl_setopt($ch2, CURLOPT_HEADER, false);
    curl_setopt($ch2, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch2, CURLOPT_URL, $url2);
    curl_setopt($ch2, CURLOPT_REFERER, $url2);
    curl_setopt($ch2, CURLOPT_RETURNTRANSFER, TRUE);

    $result2 = curl_exec($ch2);
    curl_close($ch2);

    return json_decode($result2, true);
}

$url2 = "https://eu.api.blizzard.com/profile/user/wow?namespace=profile-eu&locale=de_DE&access_token=$token";

$data2 = getSslPage2($url2, $userAgent);

The error is not actually when accessing https://eu.api.blizzard.com/profile/user/wow, but when you are generating the access_token on the endpoint https://<region>.battle.net/oauth/token.

All the other endpoints are still working with GET normally.

Yes, it is, but that only works for the client_credentials flow.

For PHP and authorization_code you can use this one instead: blizzard_api/request_handler.php · master · David Matthew / Blizzard API PHP · GitLab

Ah, I understand. But for the access token I’m using a curl function, too. Why isn’t this one working anymore?

// Get Token

function getSslPage($url, $userAgent)
{
    $ch = curl_init($url);

    curl_setopt($ch, CURLOPT_USERAGENT, $userAgent);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // verify the server's TLS certificate
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_REFERER, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);

    $result = curl_exec($ch);
    curl_close($ch);

    return json_decode($result, true);
}


$userAgent = 'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0';

$url = "https://eu.battle.net/oauth/token?client_id=XY&client_secret=XY&redirect_uri=XY&scope=wow.profile&grant_type=authorization_code&code=$authcode";

$data = getSslPage($url, $userAgent);

You need to set this:

curl_setopt($ch, CURLOPT_POSTFIELDS, $postRequest);

I guess even an empty array will do:

curl_setopt($ch, CURLOPT_POSTFIELDS, []);

Thank you, that worked perfectly.
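Added example, not part of any post in this thread: one way to send the token request the way the quoted documentation and RFC 6749 section 3.2 describe it, for both the client credentials and the authorization code flow. It puts the parameters in the POST body, sends the client ID and secret as HTTP basic auth so that neither the secret nor the code appears in the URL, and leaves certificate verification on. The helper names, the `BNET_CLIENT_ID` / `BNET_CLIENT_SECRET` environment variables and the placeholder code and redirect URI are assumptions, as is the endpoint accepting a form-urlencoded body as the RFC specifies.

```php
<?php
// Added example: cURL options for an OAuth 2.0 token request (RFC 6749, section 3.2).
// Helper names and the BNET_* environment variables are assumptions.
function tokenRequestOptions(string $url, string $id, string $secret, array $form): array
{
    return [
        CURLOPT_URL            => $url,                     // no secrets in the query string
        CURLOPT_POST           => true,                     // the token endpoint rejects GET
        CURLOPT_POSTFIELDS     => http_build_query($form),  // form-urlencoded request body
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $id . ':' . $secret,      // client_id as user, client_secret as password
        CURLOPT_SSL_VERIFYPEER => true,                     // keep certificate verification on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_FOLLOWLOCATION => false,                    // treat a redirect here as an error
        CURLOPT_RETURNTRANSFER => true,
    ];
}

// Send the request; throw on transport errors, a non-200 status or a body without a token.
function requestToken(array $options): array
{
    $ch = curl_init();
    curl_setopt_array($ch, $options);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($body === false) {
        throw new RuntimeException('Transport error: ' . curl_error($ch));
    }
    $json = json_decode($body, true);
    if ($status !== 200 || !is_array($json) || !isset($json['access_token'])) {
        throw new RuntimeException("Token request failed (HTTP $status): " . ($json['error'] ?? 'no error field'));
    }
    return $json;
}

$tokenUrl = 'https://eu.battle.net/oauth/token';
$id       = getenv('BNET_CLIENT_ID');
$secret   = getenv('BNET_CLIENT_SECRET');
// Form fields per flow; the code and redirect URI below are placeholders.
$clientCredentials = ['grant_type' => 'client_credentials'];
$authorizationCode = ['grant_type' => 'authorization_code', 'code' => 'AUTH_CODE_FROM_REDIRECT',
                      'redirect_uri' => 'https://example.com/callback', 'scope' => 'wow.profile'];

if ($id && $secret) {
    // Pass $authorizationCode instead for the authorization code flow.
    $token = requestToken(tokenRequestOptions($tokenUrl, $id, $secret, $clientCredentials));
    echo 'Got a ', $token['token_type'], ' token, expires_in: ', $token['expires_in'] ?? 'unknown', "\n";
} else {
    echo "Set BNET_CLIENT_ID and BNET_CLIENT_SECRET to send the request\n";
}
```

Passing a string to `CURLOPT_POSTFIELDS` sends `application/x-www-form-urlencoded`; passing an array, as in the posts above, makes cURL send `multipart/form-data` instead.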

Yup, thanks for the explanations.
Don’t know why they changed it now to disallow what they have been letting pass, but I have mine set up the correct way with a POST request now. Thanks.

I am also getting this error, this applies to calls directly on develop.battle.net. When I enter my client ID and client secret it doesn’t “log me in” instead I get “GET not allowed”. I tried making a new client with new credentials but the error persists.
Even using my access token (that I have been using in my code without issues) returns a 401 error…

1 Like

The workaround here is to click on the link “provide your own token” instead of using your credentials to sign in.

To generate a simple access_token using the client_credentials flow one alternative is using the Rested extension for Google Chrome or Mozilla Firefox:

Well, it seems I can’t GET anything anymore as well. :woozy_face:

I’m a complete noob in APIs for my part.
So when accessing one of the legacy APIs on this page:
https://develop.battle.net/documentation/starcraft-2/community-apis

Am I supposed to click on provide my own access token, and then paste this?


    function getSslPage($url, $userAgent)
    {
        $ch = curl_init($url);

        curl_setopt($ch, CURLOPT_USERAGENT, $userAgent);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // verify the server's TLS certificate
        curl_setopt($ch, CURLOPT_HEADER, false);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_REFERER, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
        curl_setopt($ch, CURLOPT_POSTFIELDS, []);

        $result = curl_exec($ch);
        curl_close($ch);

        return json_decode($result, true);
    }

    $userAgent = 'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0';

    $url = "https://eu.battle.net/oauth/token?client_id=XY&client_secret=XY&redirect_uri=XY&scope=wow.profile&grant_type=authorization_code&code=$authcode";

    $data = getSslPage($url, $userAgent);

While filling the first XY with my client ID, the second one with my client secret, and the third one with:
https://develop.battle.net/documentation/starcraft-2/community-apis

Unfortunately for profile related APIs it is a little more complicated because it requires a valid token generated with the authorization code flow.

This means you need to make all the requests on this documentation

1 Like

Ok.

Then I hope they will fix this quickly 'cause I’m afraid I don’t have the time for blind trial and error through the documentation. :laughing:

Thanks for your answer regardless.

I guess you can use Postman to get a valid token:

1 Like

Thanks, I’ll consider it if the wait for the fix becomes too long. At least I’ve got an alternative in that case. :slightly_smiling_face:

I just want to thank the API devs for implementing another unannounced change. I was getting bored with everything working all the time.

4 Likes

I was able to fix my code thanks to the information in this thread. For the record: I only saw “400 Bad Request”, I never saw anything about GET being bad all of a sudden. The fix was as simple as changing GET to POST in my C# code, but digging to the right location took a while …

I agree, the communication of this kind of thing sure could use some improvement.