I have a protected service, but I need to create links for sharing purpose. So I came over this feature:
new ApiKeyAuthProvider(AppSettings) {
AllowInHttpParams=true
},
I'm calling the service, getting the API directly from the ApiKey table, and in the debug console I can even see the SQL, which is correct (select where id, and id is my api key) and matches an active user, but still I'm getting a 403 from ServiceStack.
The apikey query param is used. Https is used (with valid CA signed cert).
403 Forbidden indicates Authentication was successful (otherwise would return 401 unauthorized) but the authenticated user does not have access to the resource, e.g. they don't have the required roles or permissions.
Related
Using the PHP API. App was working great on the developer side, now that I've gone "LIVE" and try to create/send the envelope I'm getting a 404 error.
I have:
verified the API integration key
changed the config settings for user id and client secret for the newly created Admin account
had the admin account take ownership of the app and granted consent
created new private and public keys, and verified that I'm pointing to the right files
verified that the claim is correct, particularly the aud parameter.
I ran get_userinfo to verify the API account id, sub user id, and production uri
I've got my JWT token
My create/send url:
https://na4.docusign.net/v2.1/accounts/a...z/envelopes
What have I missed?
As reported by the OP in a comment:
omitted "restapi" from my url
Trying to get response for https://graph.microsoft.com/v1.0/users/{user_id}/drives but get:
{'error': {'code': 'ResourceNotFound',
'message': "User's mysite not found.",}
Permissions is ok, user_id is correct
I tried to reproduce the error on my side, and found that, if I used ropc flow to generate an access token and used a different user id in request, it then returned 'User's mysite not found'. And if I used credential flow with a user id which doesn't has one drive license, it then returned that error. If I used correct user id which has one drive license, 200 code returned. And the api doc also mentioned that 'idOrUserPrincipalName string Required. The identifier for the user object who owns the OneDrive'
So my idea is check the user id if you used password flow to generate the access token and if not, you should make sure the user to tested via the api has the correct license.
I have an Azure Function that I have secured using Azure Active Directory (using express settings)
I generated an secret key and was able to get the other bits required (client id, tenant etc).I followed this guide to test the Client Credentials
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds .
I was able to get an access token but when I try to access the function using the Bearer Token I get error code 403 with 'You do not have permission to view this directory or page.'
How can I fix this? I want to secure my Azure function using a secret key.
Edit ----------
I want to access my Azure function http endpoint.
The requests I have used:
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token/
With body:
client_id:{Application Id in Azure AD}
scope:https://{functionname}.azurewebsites.net/.default // This might be the source of the problem
client_secret:{Key Generated}
grant_type:client_credentials
This returns an access token eyJ0eXAiOiJKV1QiLCJhbGciOiJS.....
Then
Get http endpoint of my AzureFunction
https://{functionName}.azurewebsites.net/api/endpoint?Params
The Header contains Authorization Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJS.....
When I try to list all lists in a sharepoint site using this Microsoft Graph query, it returns me an 401 error. But reading a list works fine.
{
"error": {
"code": "unauthenticated",
"message": "Access denied. You do not have permission to perform this action or access this resource.",
"innerError": {
"request-id": "6929864e-9d14-4911-9d7e-d0a29259e05f",
"date": "2017-06-21T21:00:15"
}
}
}
Does not work: https://graph.microsoft.com/beta/sites/{site-id}/lists
Work: https://graph.microsoft.com/beta/sites/{site-id}/lists/{list-id}
Thanks
Typically, a 401 response indicates that the information the server needs to authenticate your API request is either missing from the request or present but somehow invalid. I'd suggest that you:
1) Verify that the Authorization header is present in the request that fails.
2) If present, then verify that the contents of the Authorization header in the request that fails is identical to the contents of the Authorization header in the request that succeeds.
If you're sending the exact same Authorization header in both requests, then I wouldn't expect the server to return a 401 response for one operation but not the other. (If it were a permissions issue -- i.e., the user has rights to perform operation-A but not operation-B, then I'd expect the server to return a 403 Forbidden response for operation-B -- not a 401 Unauthorized response.)
Update (some additional thoughts)
It looks like both operations require one of these two access scopes:
Sites.Read.All
Sites.ReadWrite.All
You should verify that the token you're specifying in the Authorization header of the failing request has at least one of these scopes (although as I said earlier, I'd expect the server to return 403 if you didn't have the proper access scope).
Also, if you obtained the access token via OAuth without a user providing authorization, then perhaps the information in this answer might be helpful: How to use OAuth when there is no user delegation? -- Microsoft Graph API. In the scenario that post describes, the server was returning a 401 response because the developer hadn't explicitly obtained administrator consent for the operation they were attempting to perform.
Can you please try again? This (https://graph.microsoft.com/beta/sites/{site-id}/lists) seems to be working now.
Need help in authenticating the token request from any client application to WEB API. We have registered our web API has multi-tenant application in Azure AAD. My client application which has been registered in different tenant was able to get Access token from AAD.while making Http request to our endpoint with passing the access token part of request header, we are receiving 401 unauthorized exception. I found reason while browsing for multi tenant scenario is to disable ValidateIssuer and have custom handler.
• Is there any custom handler on implementing for WindowsAzureActiveDirectoryBearerAuthentication. I see people are using OpenIDConnect. But for WEB API, we are using WindowsAzureActiveDirectoryBearerAuthentication i.e Is there any equivalent Event for validation of access token in UseWindowsAzureActiveDirectoryBearerAuthentication and tell user is authenticated ?.
• Is there any better standard of validation of access token and tell user is valid user ?.
• Can we get the claims of user by passing bearer token to WEBAPI Authorize filter ?. or will httprequest object claims gets user information like given name, tenant name, object ID (esp. localhost debugging scenario also.), If we can get those information, we can have our own logic of validation.
Please let us know whether this approach is best practice for authenticating a user.
You could implement a custom issuer validator and assign it to the IssuerValidator property. This is useful when you can't specify a predefined list of issuers in configuration and need some runtime logic to determine if you trust the issuer presented in the token:
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
IssuerValidator = (issuer, token, tvp) =>
{
if (db.Issuers.FirstOrDefault(b => (b.Issuer == issuer)) == null)
return issuer;
else
throw new SecurityTokenInvalidIssuerException("Invalid issuer");
}
}
You could decode the access token to get basic user information like family_name/given_name , but you can only get that by using user identity to acquire the access token .