I am trying to create a Webhook V2 associated to a folder with the Box CLI (Powershell) but I return this error:
Unexpected API Response [403 Forbidden | wncdt6fz7hr7j3tk] access_denied_insufficient_permissions - Access denied - insufficient permission
I follow these steps:
Create a Custom App with OAuth 2.0 with JWT Authentication
Set Enterprise as Application Access.
Enable/Check all Application Scopes options.
Activate Perform Actions As Users and Generate User Access Token at Advanced Features.
Generate a Public/Private Keypair and download the JSON to set in my Box CLI.
Authorize the custom application using the Client ID at Admin Console.
At Box CLI, create the environment with the JSON configuration downloaded at step 5. Set that environment as default.
Get the Token to use to create the Webhook with the following command:
box tokens:get --user-id $user_number
Create the Webhook:
box webhooks:create folder test_lab -T FILE.UPLOADED -a http://test-lab.us-e2.cloudhub.io/lab -t e66kxXI1MyGtXTs7888uy8hutPrreH9R
When I try to create it, returns the 403 Forbidden error. What can I need to solve the permissions problem?
In order to set Box Webhook endpoints you need to set the url as https and not http
Can you give that a try?
Related
I have been following this tutorial on how to create a SharePoint webhook subscription, and after authenticating and getting the access token, actually trying to send the request to add a webhook subscription to a SharePoint list through Postman gives me an "Access is denied HRESULT: 0x80070005" error:
Error message
Going into the Postman console to see a more verbose error message shows "917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically."
I have tried all of the following:
Gone into SharePoint to enable Sites.Manage.All permissions for my Azure AD App
Reauthorized with several accounts with various access levels
Verified that ngrok, my webhook receiver, and Azure AD App were all running and all connection strings/client ids/secrets were valid.
Could it be that I'm missing something else in regards to SharePoint permissions for my Azure AD App, or is it another issue?
I tried to reproduce in my environment its working fine getting the access token added webhook subscription to a SharePoint list through Postman
First, Check whether you are added content-type and accept in header
This error may cause because of some security issue postman is not authenticated and not authorized to get data from the SharePoint. For this try to register an app using your URL modify at end /_layouts/15/appregnew.aspx
For sample:
https://imu.sharepoint.com/sites/mirror/_layouts/15/appregnew.aspx
Hope you have access, try to register your app as below:
Here, you need to give permission to that particular app such as Full control permission as below snip link :
In App's permission request XML apply permission as below:
And, Click Create and pop up will display trust it. click trust it site setting tab will display if you click that site collection app permission your postman right side will display client id#tenant id
To get the access token click launchpad -> create request ->https://accounts.accesscontrol.windows.net/Tenant ID()/tokens/OAuth/2/
Try to add values in Body tab like
grant_type - client_credentials
Client_id - ClientID#TenantID
Client_secret - Clientsecret
resource - resource/siteDomain#TenantID
Make sure in your Url remove parenthesis in your TenanID and site domain is in your Url like ***.sharepoint.com
Finally, i have added Authorization in header and in value Bearer access token make sure to remember space between bearer and Your access token, I am getting result successfully without any Access Denied error.
For your Reference :
OfficeDev/TrainingContent
Revisit these things
App registered in AD is having AllSites.Manage permission (delegated) and admin consent granted.
While getting access token via postman, use scope as https://yourtenant.sharepoint.com/.default
headers : Content-Type = application/json, Accept = application/json;odata=verbose
I am trying to retrieve the web job history of an Azure web job via REST using a .NET backend and the OAuth2 credentials flow (as described here
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/get-triggered-web-job-history-slot)
How do I need to authenticate correctly?
I retrieve the token as follows:
POST https://login.microsoftonline.com/{MySubscription}/oauth2/v2.0/token
client_id={MyApp}
&grant_type=client_credentials
&scope=https://management.azure.com/.default
&client_secret={myclient_secret}
I get a token back, however I get a 403 error message when I try to retrieve the resource:
GET https://management.azure.com/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}/history?api-version=2021-02-01
Authorization: Bearer {MyToken}
Client '{MyApp}' with object ID '{MyApp}' is not
authorized to perform the action
'Microsoft.Web/sites/slots/triggeredwebjobs/history/read' using the
scope
'/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}'
or the scope is invalid. If access was granted recently, please update
your credentials.
What am I doing wrong?
I already added the API-Permission
The "403 Token invalid" error usually occurs if you missed giving permissions to particular scope (Azure Service Management).
By giving this scope it enables you to access https://management.azure.com
To resolve this error, please follow below steps:
Go to Azure Ad ->your application -> API permissions -> Add permission -> Azure Service Management -> delegated permissions ->User impersonation -> Add
After giving these permissions try to retrieve the resource again, there won't be any error.
Since I didn't find a solution that worked with OAuth2 and the Credentials flow, I got it working with Basic Authentication. The username (userName) and password (userPWD) can be taken from the publishing profile of the respective app service.
GET https://{appservicename}.scm.azurewebsites.net/api/triggeredwebjobs/{jobName}/history
Authorization Basic ....
I'm trying to get my ansible script to get logged into azure via azure cli. For some reasons, I'm not allowed to use the ansible azure package. I have to use the shell and call directly the commands from there.
I'm fairly new with azure in general, so all this tenants, service principals and such are still concepts that I don't fully grasp.
I've been checking official the documentation. I've created an app registration for it (Named ansible_test). I get all I need, including the secret. and then I call the the commands as this:
az login --service-principal -u $AZURE_SERVICE_PRINCIPAL_NAME -p $AZURE_SECRET --tenant $AZURE_TENANT
where:
$AZURE_SERVICE_PRINCIPAL_NAME = ansible_test
$AZURE_SECRET = ${The one that I've defined via Certificates & secrets section in the app registration}
$AZURE_TENANT = ${The azure tenant that I find in the app registration}
I'm getting the error:
Get Token request returned http error: 400 and server response: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'ansible_test' was not found in the directory '${AZURE_TENANT}(Blurred because I'm not sure this is something secret or not)'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
As I understand, I got the wrong tenant. But I'm getting the exact one that I'm getting from the app registration. I've been hitting my head against this wall for some time. I've tried many other things, but it doesn't seem to work.
In this image, I'm trying to show that I've indeed created the app registration (What I'm understanding that it's a service principal). I've blurred the ids just out of ignorance whether they are private or not.
What is that I'm doing wrong? I can't really understand the origin of the error...
The username for a service principal is its Application (client) ID, so you need to use that instead of the app name.
It uses client credentials flow under the covers to get tokens which requires the client id, tenant id + client secret/client certificate to authenticate.
Use the following command, before running this command, make sure to define variables.
az login --service-principal -u ${app_id} -p ${password} --tenant ${tenant_id}
I'm developing an API using VS 2017, which I'm testing using Postman. I've been following this blog post Getting started with Windows Azure AD Authentication using Postman. I finally got it to give me an access token and a refresh token. About 3 quarters of the way through the post I came across this:
resource : https://management.core.windows.net
which has to be put into Postman (I'm using the Windows app version of Postman). I wasn't sure what that was for, so I left it off. I eventually got an access token and a refresh token, but when I when to get more info for all subscriptions, I got errors saying that I had specified a valid resource. So, I thought what I'd have to do was start over again, but re-authenticating and getting a code from Azure. I did so, and put that into Postman, as the blog post instructs. However, issuing this POST results in this error:
"error": "unauthorized_client",
"error_description": "AADSTS70002: Error validating credentials. AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: d37abf69-42ce-4571-b146-f3422e73f041. Resource value from request: https://management.core.windows.net. Resource app ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013. List of valid resources from app registration: 00000002-0000-0000-c000-000000000000.\r\nTrace ID: 9f028899-6d03-409e-8db4-4e9905000300\r\nCorrelation ID: ec253a1b-9fdc-495f-9310-6b40a42e5d93\r\nTimestamp: 2018-11-19 22:20:02Z",
"error_codes": [
70002,
65005
]
I don't understand why nor what I could have done wrong. I've prespecified the resource as the tutorial instructed, so what have I done wrong?
Looking at the error message, it seems you could have missed adding relevant permissions for "Windows Azure Service Management API" to your app registration.
Steps:
Go to Azure Portal > Azure AD > App registrations > Your app (with app id: d37abf69-42ce-4571-b146-f3422e73f041)
Go to Settings > Required permissions > Add > Select "Windows Azure Service Management API"
Select the relevant permission under Delegated permissions section. Click on select and then "Done". You should get a notification in portal that successfully added permissions. You should see Windows Azure Service Management API listed under required permissions as well.
After these steps, continue as per the blog post you've mentioned with Postman steps to get the access token again.
I found myself in the same situation when i was trying to setup Postman. Its not as complicated as most blogs make seem. I created a tutorial to try to make the process easy.
http://hazelnest.com/blog/blog/2018/11/17/azure-postman-configuration/
https://youtu.be/2bfgeBKRxl4
Hope this helps.
I have been playing around with the Azure SFTP connector for API Apps and Logic Apps (under the new preview site (portal.azure.com)) but have not had much luck getting it to work.
The Connector requires the following package settings to be set: ServerAddress, ServerPort, SSH Server HostKey, Root Folder, Accept Any SSH Server HostKey (bool), and Encrypt Cipher. It does not ask for a user name, and after activating the API app and attempting to use it I get the expected response of HTTP 400 with:
[
"User Name Value cannot be null, empty, or cannot contain only white-space characters."
]
The Swagger api definition does not define any way to pass in the username and I cannot see anyway to define it in the connector settings, does anyone know how to set the username?
You can configure the user and pass at the security component in your App API panel, select it an then you can set the user and password.
Check this url for more info: http://azure.microsoft.com/en-gb/documentation/articles/app-service-logic-connector-sftp/