I am using Postman to make an HTTP rest call to DataStax Astra Cassandra DB to select on a table but it's telling me I don't have select table permission even though the user for the token I'm providing does have that permission.
Here are my inputs
Authorization Type
API Key
Key
X-Cassandra-Token
Value
$ASTRA_DB_APPLICATION_TOKEN
^ of course replaced with my actual token AstraCS::...
And here is the json response I get back
{
"description": "Role unauthorized for operation: Not authorized to access keyspace.table for SELECT (from source api: rest)",
"code": 401
}
I double checked that the role associated with the token does have the select table permission.
Related
Environment for resource/permission token creation:
nodejs v14
#azure/cosmos
Environment to fetch docs:
rest api postman client windows machine
I am getting error when trying to fetch GET docs using created permission with below PermissionDefinition as:
{
id: "key-name", permissionMode: "All",
resource: "dbs/<db-name>/colls/<col-name>/docs/*",
resourcePartitionKey: ["partition-key"]
}
Also tried resource id as "dbs//colls//docs"
But getting same error, I am able to success fetch collection info with url as
https://{{DocumentDBHost}}/dbs/<db-name>/colls/<coll-name>
Below is error when trying to get docs from collection through rest api using permission resource token as:
{
"code": "Forbidden",
"message": "Insufficient permissions provided in the authorization header for the corresponding request. Please retry with another authorization header.\r\nActivityId: d6fe0b9e-c0a2-42a4-9378-50ccf1613aa7, Microsoft.Azure.Documents.Common/2.14.0"
}
using url as:
// to read specific doc
https://{{DocumentDBHost}}/dbs/<db-name>/colls/<coll-name>/docs/<doc-id>
// to read all docs in collection
https://{{DocumentDBHost}}/dbs/<db-name>/colls/<coll-name>/docs
Perparing auth token as
var permToken = "type=resource&ver=1&sig=UVlXYH0zKJyubcH9LAsBiw==;w7eUSmBFoA4dpcGNgV3Lm3kbFUE42IixXPEI2LVEr******************BPeWGl2pnkfN6V7FLX0leF/9WeDzUz06rq3po48jUSws5hNY8aR9LqMdSgwE1U4ygNbINMNe****************************v+u/ge9lKy10eZObL1u4FQMiE=;"
auth = encodeURIComponent(permToken);
So, doing encoding uri also on token got through permission
Other headers added to rest api are as follows:
[{"key":"Accept","value":"application/json","enabled":true},{"key":"x-ms-version","value":"2015-12-16","enabled":true},{"key":"Authorization","value":"{{authToken}}","enabled":true},{"key":"x-ms-date","value":"{{RFC1123time}}","enabled":true},{"key":"x-ms-documentdb-partitionkey","value":"[\"dl\"]","type":"text","enabled":true}]
Kindly pass detailed rest api doc when using resource/permission token, if there is any any change in specs. I already shared secondary key are success working for authorization part for same api request to CosmosDB
Trying to get response for https://graph.microsoft.com/v1.0/users/{user_id}/drives but get:
{'error': {'code': 'ResourceNotFound',
'message': "User's mysite not found.",}
Permissions is ok, user_id is correct
I tried to reproduce the error on my side, and found that, if I used ropc flow to generate an access token and used a different user id in request, it then returned 'User's mysite not found'. And if I used credential flow with a user id which doesn't has one drive license, it then returned that error. If I used correct user id which has one drive license, 200 code returned. And the api doc also mentioned that 'idOrUserPrincipalName string Required. The identifier for the user object who owns the OneDrive'
So my idea is check the user id if you used password flow to generate the access token and if not, you should make sure the user to tested via the api has the correct license.
I have a protected service, but I need to create links for sharing purpose. So I came over this feature:
new ApiKeyAuthProvider(AppSettings) {
AllowInHttpParams=true
},
I'm calling the service, getting the API directly from the ApiKey table, and in the debug console I can even see the SQL, which is correct (select where id, and id is my api key) and matches an active user, but still I'm getting a 403 from ServiceStack.
The apikey query param is used. Https is used (with valid CA signed cert).
403 Forbidden indicates Authentication was successful (otherwise would return 401 unauthorized) but the authenticated user does not have access to the resource, e.g. they don't have the required roles or permissions.
I am trying to call graph api to get user information. I am using postman to get the token first and then using that token trying to make a request to graph api
I get the token with below post request and with 4 key values for grant_type, client_id, client_secret and resource.
https://login.microsoftonline.com/{{tenantid}}/oauth2/token
The response is
{
"token_type": "Bearer",
"expires_in": "3600",
"ext_expires_in": "3600",
"expires_on": "1555583717",
"not_before": "1555579817",
"resource": "https://management.azure.com/",
"access_token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNiIsIng1dCI6IkhCeGw5bUFlNmd4YXZDa2NvT1UyVEhzRE5hMCIsImtpZCI6IkhCeGw5bUFlNmd4YXZDa2NvT1UyVEhzRE5hMCJ9.yyyyyyyLTBjYjZmZDNiM2UwNCIsInRpZCI6IjM3NGY4MDI2LTdiNTQtNGEzYS1iODdkLTMyOGZhMjZlYzEwZCIsInV0aSI6ImVWTWdDbkU4QWtPVXY3bFQ2QlRSQUEiLCJ2ZXIiOiIxLjAifQ.kxHCm2oGsuUvlXbncXQe7Wb0l-ZENqqG9_P_co0SPdYA3GkhFKDi6sQ7OaaHeDs4S6kN0-Diw5qBOzmFipSA5EUorA7UDbJfiSVVlaEzLY3IX_4WSV4Exc-kLOaX0j7KgvsEQbc5TEk8e4dPfokG98gGPmhy19xLyV84lX1v6DzgXINzP8gPkGmqR_J7iVFQ3m-Y18dHlxDpqQMTKxvQGnrsa7rflyxGUwEwwFZJH8t5NRv_mjQOIQBuosfhMAH88l-J8zEmXWLFqEzFBBWrz9UxT6X-XxRQZW4WBSoHTKd3vuBcEo6kUclfe4G7COOvI4zG0-j10mmGziKlzjNVMw"
}
Then I use the token to make GET request
https://graph.windows.net/{{company}}/users/{{email}}?api-version=1.6
and header
Key Value
Authorization Bearer {{token}}
but it fails with this error
{
"odata.error": {
"code": "Authentication_MissingOrMalformed",
"message": {
"lang": "en",
"value": "Access Token missing or malformed."
}
}
}
What is the correct way to make a request to graph api ?
Updated answer according to your case
Okay I am showing the step from the beginning. Make sure you have complete following step exactly.
Step:1 : Application Registration
Go to your azure portal and click on azure active directory. Now click on App registrations and Enter a name for your app. Make sure you have select Web app / API as application type. Put any Sign on URL it does not have any impact though.
See the screen shot below:
Step:2 Application Configuration
Configure your application setting by clicking on settings option. Copy the Application Id which is your client ID. Generate your client_secret on Key menu. Now click on Required permission option and click on Add at new window. Choose Select an API choose Microsoft Graph Then Select it.
See the below screen shot
So your azure portal configuration is all set.
Step:3 Token Access Flow
For getting token I am using OAuth 2.0 Client Credentials Grant Flow. Let fire up POSTMAN Enter your token endpoint your like below:
https://login.microsoftonline.com/`YourTenantNameOrID`.onmicrosoft.com/oauth2/token
Enter following data in right format:
grant_type:client_credentials
client_id:Your Portal Application ID
client_secret:Your application Key
resource:https://graph.microsoft.com/
Note: I am using Microsoft Graph API so resource has chosen
//graph.microsoft.com/
See the screen shot for more details
Step: 4 Check Claims Of your Token
You can make sure your token contains required information by validating it claims on JWT. You can use https://jwt.io/ to validate your token.
See the picture of claims below:
Step:5 Access Your Microsoft Graph API Resource
Define your Microsoft Graph API resource URL
For example : https://graph.microsoft.com/v1.0/users
Select your API http verb
Select Your Token Type to Bearer Token
Enter your token on left token text box
You are done click send and check your response as expected. See the screen shot for details.
Request Format:
Response From API:
Note: Make sure you have resource access permission unless you would get access denied error.
For more information you could take a look here
If you have any more confusion feel free to ask in comment line. Thank you and Happy coding!
I am trying to login with username and password using Azure AD B2C with MSAL. After logging in, we are authenticating access token using web API which returns the resource token and after getting it we connect the DocumentClient using resource token as mentioned below, but when we try to perform the action like savedocument in Cosmos DB, facing following error
var Client = new DocumentClient(new System.Uri(App.accURL), resourceToken);
Message:
{"Errors": ["Authorization Token doesn't present sufficient permissions to serve the request."]}
ActivityId: 3360415e-b937-4061-b74d-485d44550df2,
Request URI: /apps/7dc938ac-8c47-4af3-9760-5e80284624b0/services/4344f786-4b9a-4293-ab0a-d27a5ccae76a/partitions/26b66fff-1ad2-47dc-90c8-cc9ee7b0d23b/replicas/131448621059935679p: Error: ...
when we try to perform the action like savedocument in cosmosDB, facing following error. Authorization Token doesn't present sufficient permissions to serve the request.
AFAIK, we can associate only one permission to a specific resource for a user. And there are only two permission modes: All (Read, write, delete permissions) or Read. I would recommend you checking the permissionMode, ResourceLink, ResourceTokenExpirySeconds if you specified for your user have correctly configured.
You could List Permissions for a user and use DocumentClient.ReadPermissionFeedAsync for retrieving the permissions for a user. Additionally, you could refer to the related tutorials Permissions in Azure DocumentDB and Cosmos DB > Permissions.
If you still could not locate this issue, please updated your question with the related code for granting permission for your user and leverage fiddler to collect the network traces when using the resourceToken token for accessing resources.