i am trying to use moneyhub authorize api in python, but show me this error
error=invalid_scope&error_description=missing%20permission%20for%20connection%20type%3A%20api
API document: https://docs.moneyhubenterprise.com/docs/troubleshooting task document:
Related
Environment for resource/permission token creation:
nodejs v14
#azure/cosmos
Environment to fetch docs:
rest api postman client windows machine
I am getting error when trying to fetch GET docs using created permission with below PermissionDefinition as:
{
id: "key-name", permissionMode: "All",
resource: "dbs/<db-name>/colls/<col-name>/docs/*",
resourcePartitionKey: ["partition-key"]
}
Also tried resource id as "dbs//colls//docs"
But getting same error, I am able to success fetch collection info with url as
https://{{DocumentDBHost}}/dbs/<db-name>/colls/<coll-name>
Below is error when trying to get docs from collection through rest api using permission resource token as:
{
"code": "Forbidden",
"message": "Insufficient permissions provided in the authorization header for the corresponding request. Please retry with another authorization header.\r\nActivityId: d6fe0b9e-c0a2-42a4-9378-50ccf1613aa7, Microsoft.Azure.Documents.Common/2.14.0"
}
using url as:
// to read specific doc
https://{{DocumentDBHost}}/dbs/<db-name>/colls/<coll-name>/docs/<doc-id>
// to read all docs in collection
https://{{DocumentDBHost}}/dbs/<db-name>/colls/<coll-name>/docs
Perparing auth token as
var permToken = "type=resource&ver=1&sig=UVlXYH0zKJyubcH9LAsBiw==;w7eUSmBFoA4dpcGNgV3Lm3kbFUE42IixXPEI2LVEr******************BPeWGl2pnkfN6V7FLX0leF/9WeDzUz06rq3po48jUSws5hNY8aR9LqMdSgwE1U4ygNbINMNe****************************v+u/ge9lKy10eZObL1u4FQMiE=;"
auth = encodeURIComponent(permToken);
So, doing encoding uri also on token got through permission
Other headers added to rest api are as follows:
[{"key":"Accept","value":"application/json","enabled":true},{"key":"x-ms-version","value":"2015-12-16","enabled":true},{"key":"Authorization","value":"{{authToken}}","enabled":true},{"key":"x-ms-date","value":"{{RFC1123time}}","enabled":true},{"key":"x-ms-documentdb-partitionkey","value":"[\"dl\"]","type":"text","enabled":true}]
Kindly pass detailed rest api doc when using resource/permission token, if there is any any change in specs. I already shared secondary key are success working for authorization part for same api request to CosmosDB
I am trying to connect to Microsoft Defender API using Elastic Filebeat. I followed the instructions here register a new application with granted permission.
Create app for Microsoft Defender
However, when trying to call the api, i encountered this message:
Error while processing http request: failed to execute http client.Do:
server responded with status code 403:
{"error":{"code":"Forbidden","message":"The application does not have
any of the required application permissions (Alert.ReadWrite.All,
Alert.Read.All, Incident.ReadWrite.All, Incident.Read.All) to access
the resource.","target":}} {"input_source":
"https://api.security.microsoft.com/api/incidents", "input_url":
"https://api.security.microsoft.com/api/incidents"}
Can anyone assist me on this ?
EDIT: Added JWT token screenshot for reference if needed
JWT decoded screenshot
Your token lacks permissions, you need to use the client credential flow to obtain the token:
Parse the token:
I am trying to retrieve the properties of an ItemAttachment, which is of message type. I have given all the required permissions and able to receive the ItemAttachment properties.
But when I use $expand to get further properties of the ItemAttachment message. I am getting Access Denied Error.
For what I have read it says that you need Mail.read permission which I have already given to my Azure AD application for Graph API and I am able to fetch all the messages but only when I try to use $expand to get the properties for the ItemAttachment which is of message type I am getting Access Denied.
I couldn't find any thing related to specific permissions that might be required for this to work on the microsoft doc (https://learn.microsoft.com/en-us/graph/api/attachment-get?view=graph-rest-1.0&tabs=java).
I also referred to a similar post (How to retrieve contents of an itemAttachment via the Microsoft Graph API) and do not find anything either.
Below are the details:
Java Code:
graphClient.me().messages(messageId).attachments(attachmentId)
.buildRequest()
.expand("microsoft.graph.itemattachment/item")
.get();
This generates a REST call something like below :
GET https://graph.microsoft.com/v1.0/me/messages/A2zjArAAA=/attachments/5AlfysT-Cz27w=?$expand=microsoft.graph.itemattachment/item
But I am getting below "Access Denied" error.
403 : Forbidden
Cache-Control : private
Content-Length : 101
Content-Type : application/json; odata.metadata=minimal; odata.streaming=true; IEEE754Compatible=false; charset=utf-8
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again."
}
}
I have the following permissions for my application Azure Active Directory Application :
The microsoft graph API SdkVersion that I am using is : graph-java/v2.3.1.
I am not sure if I am missing anything here.
Appreciate if anybody can please guide me towards a solution for this .
As Shiva mentioned in comments, you use graphClient.me() in your code, but you assign Mail.Read permission of "Application" type. If assign "Application" type permission, it just requires client_id, scope, client_secret, grant_type to get access token. So the access token doesn't contain user info, ad do not know who is me, so the code graphClient.me() can't be recognized.
If you want to run the code(graphClient.me()...) success, you need to add permission Mail.Read in "Delegated" type but not "Application" type (follow the steps in below screenshot and also do not forget do grant admin consent).
As you are using application permissions it seams like you have a daemon application and the flow that you use for daemon applications will produce App token. This doesn't recognise /me because there is no user here. So try using /users/{userid}/messages.
According to the docs, to create a list, a Sites.ReadWrite.All application permission is needed.
I have an Azure app with exactly that permission:
Yet, when trying to create a list I still get access denied.
403 : Forbidden
[...]
[Some information was truncated for brevity, enable debug logging for more details]
Exception in thread "main" com.microsoft.graph.http.GraphServiceException: Error code: accessDenied
Error message: Access denied
The full output can be found here. The complete code which reproduces the behavior can be found here. The application requires access without a user. The access token is generated through a client assertion flow.
The question is: What's wrong here? Is it the documentation which is outdated? Or am I doing something wrong?
I am trying to login with username and password using Azure AD B2C with MSAL. After logging in, we are authenticating access token using web API which returns the resource token and after getting it we connect the DocumentClient using resource token as mentioned below, but when we try to perform the action like savedocument in Cosmos DB, facing following error
var Client = new DocumentClient(new System.Uri(App.accURL), resourceToken);
Message:
{"Errors": ["Authorization Token doesn't present sufficient permissions to serve the request."]}
ActivityId: 3360415e-b937-4061-b74d-485d44550df2,
Request URI: /apps/7dc938ac-8c47-4af3-9760-5e80284624b0/services/4344f786-4b9a-4293-ab0a-d27a5ccae76a/partitions/26b66fff-1ad2-47dc-90c8-cc9ee7b0d23b/replicas/131448621059935679p: Error: ...
when we try to perform the action like savedocument in cosmosDB, facing following error. Authorization Token doesn't present sufficient permissions to serve the request.
AFAIK, we can associate only one permission to a specific resource for a user. And there are only two permission modes: All (Read, write, delete permissions) or Read. I would recommend you checking the permissionMode, ResourceLink, ResourceTokenExpirySeconds if you specified for your user have correctly configured.
You could List Permissions for a user and use DocumentClient.ReadPermissionFeedAsync for retrieving the permissions for a user. Additionally, you could refer to the related tutorials Permissions in Azure DocumentDB and Cosmos DB > Permissions.
If you still could not locate this issue, please updated your question with the related code for granting permission for your user and leverage fiddler to collect the network traces when using the resourceToken token for accessing resources.