amazon Mws Secret_Key without qualifications for use - amazon-mws

I have registered to be the developer associated with seller account and filled developer registration and assessment but I got the message 'amazon Mws Secret_Key without qualifications for use.
What did I miss? and how I could get the access Secret_Key?

As of late Amazon has changed the request process. In the past I was able to request access and have access on the same day. Now there is a new and much longer process. After the registration and assessment Amazon MWS will review your request for up to 60 days (this was the case for me). You can check the status by logging into your Amazon seller account and click on case log. If there is no response to your request then it's still in the review process. Something to keep in mind, when submiting your request it is important that your application followed the acceptable use policy and data protection policy to the T.
Information about Amazon MWS access requirements can be found in the Acceptable Use Policy and Data Protection Policy:
http://docs.developer.amazonservices.com/en_US/dev_guide/DG_AcceptableUsePolicy.html
http://docs.developer.amazonservices.com/en_US/dev_guide/DG_DataProtectionPolicy.html 
For more information about the Developer Registration and Assessment form, please see the FAQ: http://docs.developer.amazonservices.com/en_US/faq.html
Hope that helps.

Related

Salesforce Server-to-Server integration without any user involved

I am working on a integration with Salesforce using REST APIs and, as part of the project, I need to send updates to Salesforce and these updates are not user triggered, they are system triggered.
Because of that, what I expect to see on Salesforce Field History is not a user name but the name of our Connected App (the app that made the update).
What I see today is the user name because the way the integration was made initially using OAuth Authorization Code flow.
To change that part of the project, I followed the link (OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration): https://help.salesforce.com/articleView?id=sf.remoteaccess_oauth_flows.htm&type=5
Making that, I was expeting to generate a token for a System, not for a User, but that's not what happened: when I used the token generate from the JWT Bearer Flow and ran the update, the Field History still shows the user name.
What could I do then?
Which are the options in Salesforce to achieve the behavior I'm expecting?
The most important, in my opinion, is to have a Token for our system, not for a user.
Thanks!
Everybody is an user in Salesforce. Even if you access unauthenticated pages (some contact us form? case or lead capture) - it gets tracked under special Guest User.
It sounds stupid but gives you unified interface to control permissions (Profiles/Permission sets). You want guests to access only FAQ articles and make cases? Sure thing, do it in profile, don't get paranoid about people trying to guess right URLs. You think an app was hacked? You can terminate the session just like any other "user". Want to allow login only in certain hours and from certain IP? Sure.
An app connecting with JWT will still need username (main difference being it's "just" certificate for signing the request instead of password).
Your best bet is to create dedicated "Mr System", "SystemX integration" account. It sounds like waste of license but in the long run saves you questions "why did you edit my account at 1 am" and you could even use it as backup account if you use SSO and it ever fails...

Amazon MWS Download orders Client

We have a java client for downloading orders from Amazon MWS.
We use:
MaWSJavaClientLibrary-1.1.jar
MWSClientJavaRuntime-1.0.jar
MWSOrders_2013-09-01_v2020-10-20.jar
We download an xml with users data, with also shipping details (address, city, zipcode and so on...)
Begining from half 2020, we didn't receive customer name and address anymore. I mean that those 2 tags in xml were not passed anymore. We realized that something was changed in Amazon MWS for GDPR and security reasons.
We compiled a form online where we sent to amazon lots of informations about how we use those data.
However, we have not understand what we have to do in order to get those data again in xml.
Our client continues to work as usual, beu we continue to get xml without customer name and address.
Last email from amazon says:
Good morning,
thank you for your reply. As this issue is unrelated to your Developer Profile role assignments, we recommend that you review the information available in the links below for information on this topic.
Since the new API for Sales Partners (SP-API) is officially available, we are no longer issuing new credentials for MWS and are not updating existing MWS access roles. From now on, it is possible to develop applications in multiple regions with a single set of SP-API credentials.
More information on SP-API can be found here:
https://developer.amazonservices.it
SP-API documentation on GitHub: https://github.com/amzn/selling-partner-api-docs
If you still need assistance on this topic, you can submit a MWS or SP-API technical support request here: https://developer.amazonservices.it/gp/mws/contactus.html
Thank you for selling with Amazon.
is there anyone that had same problem and can help us to retrieve those information again please?
Thanks

Google MBA Service Account get all locations

My company owns several (verified) facilities and using my company's email i can see those locations (business.google.com).
Now, my company would like to fetch the reviews in each location and present it in our company website. Before we're using the Google Place API but since it only returns the latest 5 reviews we opt to using Google My Business API to retrieve a location's complete reviews. We'd like our backend (PHP) to retrieve the reviews so using the same email I created a service account (console.developers.google.com/apis/credentials) because we don't need the end user to allow/interact anything when browsing our website.
Using postman (with my signed JWT) I have managed to get a valid access token
...that I use to retrieve the lists of accounts (mybusinessaccountmanagement.googleapis.com/v1/accounts) I could see the service account itself alone in the response.
Now, I tried calling the account locations api (mybusiness.googleapis.com/v4/accounts/{MY_ACCOUNT_ID_HERE}/locations) but it only returns and empty object response.
Can someone help me resolve this issue. Why my service account can't see the verified locations under my company's email. Is this even possible? Thank you.
Even that this is an older question - I run into the same issue calling the new Google My Business Information v1 API (getting empty results) using a service account.
It seems, that it is not recommended to use Service Accounts, I found this support article on Google: https://support.google.com/business/thread/8281160/cannot-get-access-to-gmb-locations-with-service-account-with-nodejs?hl=en
The "official" recommendation is to use OAuth.
But we finally made it using Service Account. The following steps are necessary to resolve it (at least for us it is working now):
Add a project in Google Cloud Platform
Add and enable the Account Management and Business Information API's.
Add the service account and generate a key (https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount)
Make the Business Profile API request (you need the approval made by Google to be able to make requests against the two API's; otherwise you may run into quota exceeds as "Request per minute" is set to 0 by default). Important: It may take up to 2 weeks until, but we received the approval within about 5 days
Enable domain-wide delegation for the service account using the scope "https://www.googleapis.com/auth/business.manage". More about domain-wide-delegation: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority)
Add a user identity in GCP. This user also needs to be added in Google My Business for editing locations. When creating your ServiceAccountCredential object, impersonate this user.
Security concerns:
Domain-wide-delegation enables that everyone knowing/having the credentials of the service account could impersonate any person (identity) from withing GCP. At least in this case only for Business Profile API, but anyway, keep this in mind.
Also using private keys for authenticating the service account is not recommended, you should be aware to regularly change / create a new private key or there would be a solution with Identity Workload.
Hope this helps everyone facing the challenge with GMB / GCP / service accounts :-)

What is the Mirror API endpoint for account information so I can get a user's account timezone?

When a user authorizes with my Glassware they provide these permissions to my software:
Although it isn't lining up in the image, the more info is from the top "basic information about your account" permission. It mentions timezone which I would like to access to customize global event time stamps for display to people who don't grok GMT.
I am surprised I can't find the endpoint for this anywhere in the docs.
Anyone know where this might be, or is this a UI bug in the permissions dialog and really we can't see that information? Or perhaps is this only available to trusted partners like NYT and CNN, etc, and not to mere explorers.
I already tried variations on the timeline GET endpoint:
https://www.googleapis.com/mirror/v1/timeline
But substituting in various version of user/users and account/accounts and adding in the user id for a registered user, which I can get through this bit of Java code:
String userId = AuthUtil.getUserId(req);
Any help appreciated!
(Note: I won't give credit to anyone suggesting I get the user's location and use a Google API to reverse look up their location's timezone--see the issue tracker for problems with that approach not to mention I want the timezone the user set in their account not where they are)
The more information screen is coming from the https://www.googleapis.com/auth/userinfo.profile scope: with a token approved for this scope, you can send authorized requests to the userinfo endpoint:
GET https://www.googleapis.com/oauth2/v2/userinfo
Authorization: Bearer <OAUTH_2_TOKEN>
However, you will only be able to retrieve the timezone information if the user set it in their profile and allowed sharing.
In Java, retrieving this information is done with the OAuth2 API.

Paypal Integration in Web application

The scenario is that users of web application can purchase digital items. The web application will use Paypal Instant Payment Notification.
The IPN protocol consists of three steps:
PayPal sends your IPN listener a message that notifies you of the event
Your listener sends the complete unaltered message back to PayPal; the message must contain the same fields in the same order and be encoded in the same way as the original message
PayPal sends a single word back, which is either VERIFIED if the message originated with PayPal or INVALID if there is any discrepancy with what was originally sent.
Let's say it's VERIFIED, how could I know who have completed the transaction or purchased the item (user of the web application) if the user used other email address in his/her paypal? I have stored the email address of the user in session but what if he/she have different paypal email? Paypal email is included in IPN message.
For other details, maybe not useful, the application is written in Struts2 in Google-App-Engine.
You'll need a way to correlate the IPN data coming back with the user. Either by asking them to provide their paypal email or using the username/password generation facility in the IPN service. Here is a somewhat inelegant but functional approach:
When the IPN comes in off the wire, persist the paypal generated username/password and payer_id (in perhaps the datastore).
If you can't correlate by email, then when the user comes back to your site request that they enter the username/password generated from paypal's site once (just to correlate).
Lookup the username/password and then correlate their userid from the UserService back to the payerid.
The reason to use IPN is for subscription services as you can get IPN messages when the subscription is terminated, cancelled, or when payments come in (for an account that stopped paying).
The most important thing to think about is how to correlate a user of your site back to the payer_id (or even payer_ids in some cases) that are used to pay for the services they are using.
On another note, I wouldn't use the session to store information for IPN callbacks, those actually can take a LONG time sometimes (say when the x.com conference is on and everyone is hammering paypal).
If you have a running application or a better description of the look & feel, I might be able to come up with a more elegant suggestion. Let me know if this helps at all.
Why don't you use PayPal's express checkout? This way you negotiate server2server a token and then you can check with PayPal the result of that token on user's return.
If users are buying directly from your application it's easier to implement.
And I think it'is more robust than the method you're using (I never heard of it before :D )

Resources