when calling warehousingwebservice in hybris 1905 it is giving access denied while in 1811 it is not. please assist with what should be changed to solve this problem
[RestHandlerExceptionResolver] Translating exception [org.springframework.security.access.AccessDeniedException]: Access is denied
tried doing
https://answers.sap.com/questions/12758632/there-is-no-resource-for-path-oauthtoken-hybris-60.html
and
https://answers.sap.com/questions/12767378/how-can-we-access-oauth2-using-postman.html
but problem still exists
What I can see is that you are requesting oauth token for grant_type=client_credentials which will give you a token to access non users services. Instead you would need to use grant_type=password.
For consignment services, you would need to request a token for authorized users group users for service you need to access. you would need t provide username and password while making a new token request.
Related
I am trying to fetch the list of resources present in my Azure Resource Group.
To do that, I got an access token by registering one app in Azure AD using the client_credentials flow.
But when I am using that token to query like below, I'm getting 401 Unauthorized - Authentication failed error.
Query that I used:
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/resources?api-version=2021-04-01
I have owner access to all my resources but why am I getting 401 Unauthorized error. Is there any step that I missed?
Can anyone point me in a right path?
I came to know I have to give API permissions for Azure Service Management.
After giving user_impersonation, I changed the scope to https://management.azure.com/.default and got access token.
Using this token, I successfully got the list of resources without any errors.
I added a service provider to WSO2IS and use its secret to get an access token, I then use this access token to execute endpoint https://localhost:9443/t/carbon.super/api/server/v1/tenants, but I am getting 403 error. An access token is for the admin user, that as far as I see has all privileges. Why am I getting a forbidden error and how can I fix it?
Follow the steps in https://stackoverflow.com/a/65371473/10055162. If you generated the token without passing the required scopes (In your case internal_list_tenants), you will get 403 Forbidden response from the REST API call. More info (3)
I am using Identity server 5.2.0 and api manager 2.0.0. I have implemented a method to use refresh token to get the new access token for a user if the token has expired. But after implementing this some of the users will be unauthorized. When the user tries to login, token and scopes will be returned correctly but when calling the an api with the token, the user is unauthorized. Deleting and adding the user with same username also does not solve the issue. Is there any setting that blocks a user that may cause this issue?
Are you sure, the application in APIM is subscribed to the API you're trying to invoke? If not, you need to do that.
We are having issues with obtaining access tokens for Sharepoint/Exchange resources for a non-multi-tenan Office365 deployment.
This tenant has an O365-D-vnext (dedicated, not multi-tenants) environment which seems to use a different resource end points for sharepoint and exchange, and possibly the management APIs as well.
We use the 'client credential flow' (app-only) to authenticate the global admin for this tenant. The authentication went through, and we got back an auth token (which we discard as it’s not applicable in app-only authentication flow) and tenant-id (we verified the tenant id with the customer). We then tried to get tokens for 3 different APIs using
login.microsoftonline.com//oauth2/token
Here is where we are at with this:
1) We were able to get token for
https://graph.windows.net
and access the active directory groups (we should be able to fetch the users as well)
2) We were able to obtain an access token for exchange resource endpoint
https://outlook.office365.com/
but when we tried to use it, we got 404 for users that we know have mailboxes. We are not sure if outlook.office365.com works for O365-D-vnext (dedicated, not multi-tenants) environment.
3) We were able to get token for
https://{tenant}-my.sharepoint.com"
but when we tried to use the token to access user’s Onedrive, it returned this error: {“error":"invalid_client","error_description":"Invalid audience Uri 'https://{tenant}-my.sharepoint.com/'} . We were told by our customer that this endpoint would not work for their non-multi-tenants environment.
We subsequently tried a couple of other vanity URIs that the users of this customer use to access their sharepoint onedrive documents. But we were NOT able to get token for the URIs provided by our customers. We received the following error when using these URIs provided:
{"error":"invalid_resource","error_description":"AADSTS50001: The application named https://<tenant-my-site>.com was not found in the tenant named https://<tenant>-my.sharepoint.com/. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: … ”error_codes":[50001] …}
Any ideas on how to get access tokens for this type of deployments?
My app got white-listed for using the Ads API.
I was wondering in regarding to the authentication flow.
Say, that I need to retrieve and execute actions via the API on daily tasks ( with no user interaction) , I find the authentication process quite cumbersome.
Is there a way to work with my app access token instead of a user access token?
I want to be able to approve my app only once for each user and then to be able to work with no user interaction.
Can I achieve this?
App access token is not relevant for this case.
I had to work with the user access token.
I followed this doc: https://developers.facebook.com/docs/reference/ads-api/
Eventually , one should use some client side code in order to get a user permissions and then make another request for getting the user token.
So you'll have to call
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=ads_management,offline_access&response_type=code
Get the authentication code and make another call:
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=AUTHORIZATION_CODE
Then you'll get an access token which is valid only for two months, in opposed to what Facebook docs says in here:
https://developers.facebook.com/roadmap/offline-access-removal/
"Ads APIs are special cased to allow collection of statistics offline. PMD partners should use server-side OAuth flow in order to receive a non-expiring token rather than a token that has longer expiration time."
Too bad that the access token is not really valid forever...
According to "Exception 4" in this document , if you have Ads API access you should be able to get a non-expiring token if you use the correct workflow. Following the guidelines outlined here, if you use the server side OAuth flow, to make the following request you should get a non-expiring token:
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
thx for the feedback regarding the Access token process being cumbersome. Because this is a one to many solution - a single App ID can manage multiple ad accounts, on behalf of multiple people - we need to make calls on behalf of people.
You should be able to get a persistent access token for Ads API. If you are not getting it, please provide exact steps you are following so we can see if there is a bug or you might be missing a step.
Thx.