I am trying to use Blueprism to download pdf files from Sharepoint.
I am using the below code. Url and Path are both variables which get passed through. This is producing a 403 forbidden error. I believe that Blueprism is required to pass credentials to Sharepoint before it will be allowed to download the file. Is this possible?
Using wc As New System.Net.WebClient()
wc.DownloadFile(Url, Path)
End Using
I don't think you have a password related issue, likely the SharePoint is recognising your account access via AD group or SSO of some kind. 403 means the server has understood your request but is denying to fulfil it because of an access reason on the profile you have. Make sure you can manually download the file on the profile you are emulating for a start then also check the profile the bot is operating under (not necessarily yours in some cases ) has access to said file.
Literally 403 is a request that relates to an access issue so somewhere something doesn't have the correct access lined up
First of all, is this a Sharepoint Online or OnPremises version? As you understand, you are connecting to web resource via an API and as such you have to get authenticated and authorized to access those resources.
If it's SPO, you can use the API component for SharePoint integration from DX and configure.
In case of SP On prem, you have to customize a lot to achieve your results.
Related
We are trying to connect an internal application to Sharepoint 365. The goal is to read data from Sharepoint 365 lists and Excel documents. We want to take advantage of the fact we already use OAuthentication and basically our users login with their own Windows credentials. Now, to accomplish that we first need to register an application with Sharepoint which we did using this link:
https://mycompany.sharepoint.com/sites/MySite/_layouts/15/appregnew.aspx
After that we also need to get an authorization code for clients to login with their Windows account. We do that with this URL:
https://mycompany.sharepoint.com/sites/MySite/_layouts/15/OAuthAuthorize.aspx?client_id=14f0e39c-1234-42ea-bed5-ee5c7c834655&scope=List.Read&response_type=code&redirect_uri=https%3A%2F%2Fmysite.mycompany.com%3A9090%2Foauth%2F2.0%2FredirectURL.jsp
When we run that last link we get the error below:
Sorry, something went wrong
There is no claims identity. Please make sure the web application is configured to use Claims Authentication.
TECHNICAL DETAILS
Troubleshoot issues with Microsoft SharePoint Foundation.
Correlation ID: 367ee69f-5066-0000-e1ef-cee55f7b7000
As you can see, the error is not very helpful. I have done already lots of research and answers vary from lack of higher level of access, to invalid URL request. I have elevated access and the URL is well constructed. Yet the error persist.
So, my question, what is the meaning of the error? Why is not executing?
We logged a Microsoft Premier Support ticket and behold! the problem has been fixed.
I've built an API-based integration with DocuSign (using their PHP SDK), and am now at the point of deploying to the production server. I have reconfigured everything with the production integration key, public/private key pair, user and account IDs, endpoint URL, etc. replacing the demo ones. The OAuth portion of the conversation is working fine, and I get a valid token back. When I then try to send an envelope, I hit a USER_LACKS_MEMBERSHIP error, and cannot figure out why. As far as I can see, everything about the API user is the same between the demo and production systems.
I've authorized the application and made sure that it's in the list of "Applications with Access to DocuSign".
I have enabled logging, but the only things that are showing up in there appear to be from my own navigation in the site, nothing related to the API calls at all.
Most of the documentation that I can find on this simply repeats the generic error text: "The UserID does not have a valid membership in this Account." If I go to the account admin and look at the list of users, the one I'm expecting is right there, with DS Admin permission; not sure what else might be done to give them "membership". One mentioned not using SendOnBehalfOf, but I'm not, so I can't really remove that.
All the code is identical, just configuration that's changed. Not sure where else to look. Anybody have any suggestions for what to try?
FURTHER INFORMATION
I've tried the getUserInfo call in the SDK, passing the same access token I use for the other call. It returns successfully, showing that it is for the user I'm expecting, in the one group we have, on the production server. And yet, when I enable logging again, as this same user, there is still zero record in the resulting logs of any of this API activity.
Attempts to do things like list templates with the SDK fail with the same USER_LACKS_MEMBERSHIP error.
Using the Diagnostics API (again, through the SDK) to check logging status shows that it is NOT enabled (despite my enabling it in the UI), but can be enabled with a separate call. Subsequently attempting to use listRequestLogs in the SDK generates a 404 error, though the URL matches what's listed in the API documentation (/v2/diagnostics/request_logs). Not sure whether these findings confirm that I'm somehow logging onto the API and the UI with different users (even though the user name and internal ID match), or that there's some problem with the logging facility in DocuSign.
The problem turns out to be the URL I was using for API calls. I switched from demo.docusign.net in testing to www.docusign.net in live, but being in Canada we need to use ca.docusign.net. For those who find this later, you can get the correct base path to use from the oauth/userinfo endpoint, or the getUserInfo() call through the SDK (PHP SDK, at least; don't know what the analogous call would be in others).
There are 3 things to consider:
API calls are made to an endpoint (URL) that contains the account # (either GUID or short form) in the url. Take a note of that number in the url.
Auth Token is a token for a specific user in a specific account.
UserId for the specific call. That is a specific user in the account.
If the user is not in the account, or there's a mismatch between #1 and #2 - you'll get this error. You must work with a single account and have it in all places as well as the user must be a member of this account.
Re:
I have enabled logging, but the only things that are showing up in there appear to be from my own navigation in the site, nothing related to the API calls at all.
Since the request logging is not showing your API activity, the problem is that the person you've logged in as on the web tool is not the same as the person (user id) that you've logged in as on your application.
Solution for OAuth Authorization Code authentication: double check that when your app is logging into DocuSign, you're using the account.docusign.com authentication server, not the account-d.docusign.com auth server. (Look at the URL in your browser during the login sequence.)
Solution for OAuth JWT authentication: re-check that the impersonated user id is from the production system and you're using the right authentication server
I'm trying to use the Sharepoint -> Get File Content action in Power Automate, but I'm getting a 403 error - Access Denied. I am using the same login for SPO and Power Automate. I have (for now) hard-coded a file to fetch - I can definitely browse to it, but for some reason I get the error in Power Automate. Is there another permission that I need to be granted to access the same file via Power Automate that I might be missing?
I have tried Get File Content with several different files, and they all give the same result. In each case, I can manually browse to the site/library/folder where the file is and download it, using the same login.
Have you made some changes on the sharepoint permissions?
Have you recreate a new connection to sharepoint in flow connections?
In many cases, an error code of 403 appears in a flow fail because of an authentication error. If you have this type of error, you can usually fix an authentication error by updating the connection,please make sure you have update the connection.
You could refer to link below
https://learn.microsoft.com/en-us/flow/fix-flow-failures
If you have updated the connection and the issue still exists,I afraid that there is some permissions setted in the sharepoint forbid you to access the sharepoint.
Please take a try to contact with the sharepoint administrator to see if you have been access denied in sharepoint.
I have created three B2C applications:
TestWebApp
TestApiOne
TestApiTwo
Both API applications were created the exact same way. Web API access is enabled, reply URLs have been specified, an App ID URL has been assigned, and keys have been generated. Both APIs have an additional read and write scope.
In TestWebApp API access, I am able to add TestApiOne with all three scopes without an issue.
When trying to add TestApiTwo to the TestWebApp API access list, the operation fails with the following error.
Failed to add the API access. Reason: The B2C service has an internal
error. If you created this B2C directory just now, please try again
after couple of minutes. If the problem persists, please contact
Support
(https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-support/).
If you do not have a B2C directory you can refer
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-get-started/
I thought maybe there is a limit of one API per application. To test, I created a temporary application "TempApp". I received the same error displayed above while trying to add API access for both TestApiOne and TestApiTwo.
Has anyone else experienced this issue?
There's not a limit of one API per application. I have done research and it works fine by my side.
Please have a look at the guide and check your steps.
I have tried to replicate the issues that you are facing by putting diff redirect reply url domains and also by making one application to be native and one normal web app but it doesn't help.
Could you try to delete all the webapps and try making 1 and then adding another to it.
Then create the 3rd one.
Please check this or if you can share some screen shots. That would be helpful.
You can definitely add multiple web apps to api access of one web app.
not sure if this is the right place to post dev question so please point me to the right place if its not...
I have a customer that gave a user permission to one specific list.
for example:
https://[tenant].sharepoint.com/sites/qa/permissions/lists/tasks
The user cannot browse to the site:
https://[tenant].sharepoint.com/sites/qa/permissions
But he can get to the list with no problems.
When we try to get the list items using REST api, that user gets "UnauthorizedAccessException" error.
Rest API url we tried:
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')/items
Users with at least read permissions on the site /sites/qa/permissions have no problems getting to both these API endpoints.
Is there a different way to make the REST API work for users with permissions to just one list?
Is there a limitation of the REST API and it does not support that?
Thanks!
(I posted this on technet as well, and will update here if I get an answer there)
You can deactivate the site collection feature Limited-access user permission lockdown mode.
When this feature is activated, users with "Limited access" as permissions have reduced permissions which prevent them from accessing the list item/documents properties. This will cause the Unauthorized Exception error while accessing SharePoint artefacts.
So, go to your Site Settings > Site collection features
And Deactivate the Limited-access user permission lockdown mode feature.
After that, refresh and check.
More details - Enable or disable site collection features