I have created a new collection and have added few entities to this collection in the APIGEE BaaS. I am able to run GET query using the admin portal.
I am trying to invoke the same using my REST client.
I am using the following URL: https://api.usergrid.com/myOrg/myapp/mycollection
However, I get below error:
{
"error": "unauthorized",
"timestamp": 1401855388323,
"duration": 1,
"exception": "org.apache.shiro.authz.UnauthorizedException",
"error_description": "Subject does not have permission [applications:get:xxxxxxxxxxx]"
}
I believe I need to add authorization information in the HTTP header for the request. But am unable to find information on what is expected.
How can I invoke the BaaS API?
This is happening because you don't have permission to access the collection without authentication (or in some cases, your authentication token may not have appropriate permission to access that particular collection.
You can read about managing permissions & roles in the Apigee docs.
There are a couple quick ways to solve your problem though:
(The most prevalent) is to authenticate your user account and use an appropriate access token (e.g. https://api.usergrid.com/myOrg/myapp/mycollection?access_token=<token>)
While it's not something you should be doing on the client side, for server-side requests or testing purposes, you can use your app or org-level client_id/client_secret in a similar manner (e.g. https://api.usergrid.com/myOrg/myapp/mycollection?client_id=<id>&client_id=<secret>)
Give the Guest role access to your collection (here's a link to the docs)
Related
I'm using directus to grant users access to ressources required by an SPA written in Angular. To authenticate users I created an auth service and interceptor to handle sessions and attach the "Authorization" header. Those services work fine and login as intended. But here comes the problem:
Directus session times are configured with default values (15 min validity for access_token, 7d for refresh_token) but as soon as the access_token expires I cannot retrieve a new one using the refresh token. This bugs me, because the goal is to keep users logged in for the next 7d (refresh_token lifespan) or until logout if they check this option.
My attempts at achieving this:
Since i'm using graphQL, i tried the "auth_refresh" mutation from the authentication documentation. While the access token is still valid, refreshing works fine. After the access token expired there is no way to retrieve a new one via a valid refresh token.
Alternatively I tried to achieve a refresh via the POST request specified by the docs (to double check if it was some sort of config error with graphql) but I encounter exactly the same problems as with graphQL. Directus returns either "401 unauthorized : Token expired."
if i extend the lifespan of the access token for longer than the server defined lifetime,
Response: Sending a token with prolonged life
or "401 unauthorized : Invalid user credentials." if I request a new token without an
"Authorization" header.
Response: Sending no access token
The refresh token is correctly loaded and sent to the server as specified in the docs in both
cases.
Now my questions are:
Am I missing something? I haven't found any further specification in the docs and the Auth0 protocol specifies that a new access token should be retrievable with a valid refresh token.
If this feature is not intended: How could I achieve a "keep me signed in" option with directus? I would like to keep user rights management in one place and do not really want to handle user auth redundantly for my current use case.
2b. Why is the lifespan of the refresh token so much longer than the lifespan of the access token if this isn't intended?
One of my thoughts is, that it has to do with access rights of the "public" role on the "directus_sessions" table. But I can't think of a way to grant only read rights for owned/received tokens, since there are no payload variables available inside the filters. Could this be the cause? Would there be a way to achieve this?
Thx&Greetz
I currently have a web application that uses Azure AD to authenticate a user. This generates a JWT token which is then sent to my .NET Core Web API, which authenticates and authorizes successfully. The relevant parts of the JWT token that is sent across looks like this when put into jwt.ms (if you need more on this let me know and I can update this):
"aud": "api://<api-clientid>",
"appid": "<webapp-clientid>",
"hasgroups": "true",
"oid": "<userid">,
"tid": "<tenantid>"
I need to get to the groups that the user is a part of, and as the user is part of more than 6 groups, I need to make a call to the Graph API in order to return all groups for the user. This is documented in the description of the access tokens here, which states I should make a call to https://graph.microsoft.com/v1.0/users/{userID}/getMemberObjects.
I have tried using Postman to create a token to authenticate with the Graph API through the on-behalf-of flow, but I get the below error (removed irrelevant parts):
{
"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID '<api-clientId>' named '<api-displayName>'. Send an interactive authorization request for this user and resource...",
"error_codes": [
65001
],
"suberror": "consent_required",
...
}
I've tried following the web API that calls web APIs guide which seems to do exactly what I want to, using the Microsoft.Identity.Web. When I have tried this, I run into a similar issue with a MicrosoftIdentityWebChallengeUserException saying that I require more consent from the user. I tried changing the audience of the token to be for https://graph.microsoft.com/ but this then fails the authorisation to my web API, and I cannot have multiple endpoints in the audience of the JWT. I also tried using ITokenAcquisition as described here, but this did not work either, with a similar error to Postman.
Finally, I tried following this sample which also appears to do what I require, where I made sure my web API and my web client were set up in the same way that they do. The only change I had to make was a small change to the manifest of the API to include the client application Id in the "knownClientApplications", but this doesn't seem to have made any difference.
I feel like I'm missing something simple here, where either my web application needs to know that my web API might need permission to the Graph API, or I'm missing more configuration on my Azure AD. Any help would be greatly appreciated, and if more information is needed I'll provide as much as I can!
The error message says that admin has didn't consent the application.
Login to Azure AD as Global Administrator and Grant admin consent API permission via App registrations -> API Permissions -> Add a permission -> My APIs -> A -> Application permissions to fix this issue.To fix this issue.
How to get access to LinkedIn API Client using Client Credential Flow (2-legged OAuth) when my usecase does not fit in one of the LinkedIn partners scope? How/where should I apply to get access? Or does it mean only the 4 usecases in this link can use server-side-only access to LinkedIn (without explicit user authentication)?
Currently, when I try to authenticate and get an access token, I have the following error:
{
"error": "access_denied",
"error_description": "This application is not allowed to create application tokens"
}
My usecase is to save time in our internal process following an interview we had with entrepreneurs. We generate a report and, instead of manually picking their profile information from LinkedIn, we would like to pre-fill the report using the LinkedIn API.
The LinkedIn support redirects to either Stack Overflow for API support or the link above to request access (which is for specific usecases only)
Resources:
- Use of OAUth 2.0 Client Credentials Flow
Asking the question here as the linkedin help forum directed to post things related to API on stackoverflow.
I am developing a feature on our org website to show the top 5 company page feeds setup in linkedin. Ive already setup the required access in developer.linkedin and the whole flow works in the developer.linkedin REST console to fetch the feed.
I am currently recieving this error when i try from my machine to fetch the auth token with a valid client id and secret created.
https://www.linkedin.com/oauth/v2/accessToken?grant_type=client_credentials&client_id=OMITTED&client_secret=OMITTED
{
"error": "access_denied",
"error_description": "This application is not allowed to create application tokens" }
The documentation also mentions that this flow isn't available by default and the users will need to contact linkedin.
https://developer.linkedin.com/docs/v2/oauth2-client-credentials-flow
"By default, your application will not have the ability to use LinkedIn's client credentials flow. Contact us to have your application granted permission to use this flow."
What would be the next steps in requesting access to this flow for my org?.
As outlined here:
By default, your application will not have the ability to use LinkedIn's client credentials flow. Contact us to have your application granted permission to use this flow.
The next step would be to contact them directly or Apply to become a Partner
and if accepted you'll be granted access to additional data outside of the scope of the user authentication flow (which basically means you'll be able to make calls directly from your application to access certain information)
I think the answer is well explained by API-University, since the creation of an application in order to get the access_token, will solve the communication issue.
Link to the explanation: https://api-university.com/blog/api-usage/how-to-use-the-linkedin-api-and-oauth/
I'm trying to get a list of groups for a domain in Google Api (https://developers.google.com/admin-sdk/directory/v1/reference/groups/list).
I'm using "domain wide delegation", and have a service account from which the web app makes all its requests to Google.
The admin-sdk requires the requesting user to be an administrator, so i'm impersonating a admin user on the given domain.
This works fine with (https://developers.google.com/admin-sdk/directory/v1/reference/users/get), but when I'm trying to use the group api, it fails like this:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Not Authorized to access this resource/api"
}
],
"code": 403,
"message": "Not Authorized to access this resource/api"
}
}
I have checked the the permissions from the domain administrator have been delegated to the service account. And I have also checked that i can access the list of groups, while being logged in as the domain administrator.
Any help or hints is highly appreciated.
Thanks in advance
You will need to add the scope for reading groups.
First, make sure that you properly followed the steps here in this documentation including this steps on how to Instantiate an Admin SDK Directory service object.
It is important because this one shows you how to make API requests using OAuth 2.0 and your service account's credentials to perform Google Apps Domain-wide delegation.
For more information, check these related SO questions:
Google_Service_Directory - (403) Not Authorized to access this resource/api
Received error “Not Authorized to access this resource/api” when trying to use Google Directory API and Service Account Authentication