I am not able to authorize in accessing users from intercom using get request. This is what I have done:
import requests
headers = {
'Authorization': 'Bearer {my accsess token}',
'Accept': 'application/json',
'Content-Type': 'application/json',
}
res = requests.get("https://api.intercom.io/users",headers=headers)
Error I am getting:
{"code":"token_unauthorized","message":"Not authorized to access
resource"}
Please tell me what I am doing wrong.
Thanks in advance.
I ran into this problem and it was due to a typo with my 'https://app.intercom.io/oauth' URL. This was hard to debug because the redirect URL was entered in an earlier command when you apply for a code, to get the bearer token. In my case, since I had a default Redirect URL when I applied for the OAuth, I just dropped the redirect URL from my call to 'https://app.intercom.io/oauth'.
Micheál here from the support team at Intercom 👋
Access tokens for the Intercom REST API have the concept of scopes i.e permissions levels. Some operations require a token with elevated scopes. Listing all users is one such operation.
You can read more about access tokens including how to apply for elevated scopes here: https://developers.intercom.com/docs/personal-access-tokens
If you're still having issues please drop us a line at team#intercom.io and we can investigate further 🙂
Related
A brief investigation shows that there once existed an authorization mode known as SOBO (for example, see docusign send on behalf functionality), which I find useful in a scenario when an application associates signing requests not with a logged-on user but with some other user. However I am unable to find any mention of it in current documentation; on the contrary, documentation clearly says only 3 grant types are supported, and all three involve impersonated user's actively expressing his consent. No way to just send user credentials, or, alternatively, have user express his consent just once on the docusign admin page, then reuse that consent for, say, one year or forever. Or some other way to avoid end user interaction.
Also, a requirement of using redirect URI to send back continuation data implies one has to either use on-premise solution or make one's application visible on the internet. No way to use public docusign service with on-premise application, right?
DocuSign is discouraging Legacy Header authentication because it requires your integration to hold on to the user's plain-text password. It also cannot support accounts that leverage Single-Sign On or Two-Factor Authentication. The long-term plan is likely to eventually retire it entirely, but there's no timeline for that. Documentation has been retired, but integrations that have used it in the past can still do so.
JWT auth is the equivalent replacement. With individual consent, a user grants the integration access once. Unless the user revokes that consent, the integration will be able to generate access tokens to act as the user indefinitely - JWT consent does not expire.
If you have an Organization with a Claimed Domain, an org admin can grant blanket consent to allow an integration to act as any user under that domain. If you'd like to grant consent to an integrator key owned by your organization, it's as simple as navigating to Org Admin > Applications > Authorize Application. Granting consent to a 3rd party app is similar to the Individual Consent workflow, but has extra scopes as documented here: https://developers.docusign.com/esign-rest-api/guides/authentication/obtaining-consent
Note that while JWT auth does require a redirect URI to be registered, an integration doesn't necessarily need to 'catch' the user after they've granted consent. While it would be recommended that the landing page trigger the user to move forward in the workflow, it's acceptable to point your redirect URI to https://www.example.com, grant consent, and then generate an access token.
I know this question has already been answered, but I'll post this answer here just in case someone still needs to do this. This method does not require user's consent. The below is Node.js / JS but can be easily translated into whatever language with the basics below.
// set default authentication for DocuSign; pulls data from this account
var auth = {
'Username': '(user email)',
'Password': '(user password)',
'IntegratorKey': '(api key found in admin)',
};
var options = {
'uri': 'https://www.docusign.net/restapi/v2/login_information',
'method': 'GET',
'body': '',
'headers': {
'Content-Type': 'application/json',
// turns the auth object into JSON
'X-DocuSign-Authentication': JSON.stringify(auth)
}
};
// send off your request using the options above
The above returns a response:
{
"loginAccounts": [
{
"name":"Your Company Name",
"accountId":"0000000",
"baseUrl":"https://{your_subdomain}.docusign.net/restapi/v2/accounts/0000000",
"isDefault":"true",
"userName":"User's Name",
"userId":"(36 character UUID)",
"email":"user#example.com",
"siteDescription":""
}
]
}
At this point, you can have to save the baseUrl and accountId that is returned. For the baseUrl, you only need to save the the sub-domain and domain url (https://{your_subdomain}.docusign.net), not the url paramters after that.
Now you can have enough information to make requests. The below example request pulls all the templates under this account.
var options = {
'uri': baseUri+'/accounts/'+accountId+'/templates',
'method': 'GET',
'body': '',
'headers': {
'Content-Type': 'application/json',
// turns the auth object into JSON
'X-DocuSign-Authentication': JSON.stringify(auth)
}
};
// send off your request using the options above
I am using aws custom authorizer using the token and want to send the domain info to it, so we can use it for the authorization process. But I am not sure exactly how to do that.
at the moment, I am trying to do it this way.
please tell me what am I doing wrong here -
sending the data via a post request.
here's the relevant code:
fetch(PRIVATE_ENDPOINT, {
method: 'POST',
headers: {
Authorization: `${token}`,
'domain':'faraz.com'
'Content-Type': 'application/json',
},
})
in the custom authorizer I am getting the token
using const token = event.authorizationToken
but how do I get the domain there?
well, my main question is - how to access data from request headers in custom authorizer
would love some help with this.
I have a React app using axios library for handling request. So following the next post:
How to login with username/password using OAuth2 and microsoft login and HTTP request
I could perform the action on Postman.
Then I set up the axios library to perform the POST
const dataForBody = `${'grant_type=password&' +
'username='}${encodeURI(userName)}&` +
`password=${encodeURI(userPassword)}&` +
`client_id=${encodeURI(clientID)}&` +
`resource=${encodeURI('https://graph.microsoft.com')}&` +
`client_secret=${encodeURI(clientSecret)}`;
const messageHeaders = {
'Content-Type': 'application/x-www-form-urlencoded'
};
axios({
method: 'post',
url: 'https://login.microsoftonline.com/{tenant}/oauth2/token',
headers: messageHeaders,
data: dataForBody,
})
.then((response) => {
});
but I get the following error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading
the remote resource at
https://login.microsoftonline.com/{tenant}/oauth2/token.
(Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
I tried adding:
'Access-Control-Allow-Origin': 'https://login.microsoftonline.com',
to the headers, but it did not work.
So adding Allow-Control-Allow-Origin: * chrome extension fixed my problem.
The thing is, my app is to be published on azure, so I tested the request on other web browsers and it did not work. So I don't want my users to install the extension.
Is there something wrong with my request? Why postman can do it without setting up headers?
Is there any other approach to achieve it?
PS: I read about using adal.js but I dont want to use the login screen from microsoft, because I know user and pass for the app, and I want to avoid manual login.
The problem you face is due to you trying to call the token endpoint via AJAX, which it won't accept due to the CORS header missing. You can't add it, it's missing from the response from Azure AD.
What you need to do is instead of getting the access token from the token endpoint, you must use the OAuth Implicit Grant Flow. This flow allows you to get the tokens directly in the authorization stage, and is especially designed for JavaScript-based apps. More info here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-dev-understanding-oauth2-implicit-grant.
What this means is that you can't use the Password Grant Flow as you are doing now, unless you make the calls from your backend instead of the frontend.
I'm trying to use the Microsoft Graph API to query an Outlook/O365 mailbox for messages. I registered my app in the Azure portal and received the necessary information to query the API. The app has the Mail.Read permission. (I don't have access to the Azure portal, I was told it was set up this way.) When I get my token from the OAuth endpoint, however, it doesn't work in any subsequent calls. I'm using Python's requests module for testing right now.
Why is this call failing? It seems like I'm passing all of the correct information but I'm clearly missing something.
I'm getting the token by performing a POST on:
https://login.microsoftonline.com/my.domain/oauth2/token
I pass the necessary parameters:
data = {'grant_type': 'client_credentials', 'client_id': CLIENTID, 'client_secret': SECRET, 'resource': APPURI}
and I get a response like this:
{
'resource': 'APPURI',
'expires_in': '3599',
'ext_expires_in': '3600',
'access_token': 'TOKENHERE',
'expires_on': '1466179206',
'not_before': '1466175306',
'token_type': 'Bearer'
}
I try to use that token, however, and it doesn't work for anything I call. I'm passing it as a header:
h = {'Authorization': 'Bearer ' + TOKEN}
I'm calling this URL:
url = 'https://graph.microsoft.com/v1.0/users/my.email.address#example.com/messages'
Specifically, I use this:
r = requests.get(url, headers=h)
The response is a 401:
{
'error': {
'innerError': {
'date': '2016-06-17T15:06:30',
'request-id': '[I assume this should be removed for privacy]'
},
'code': 'InvalidAuthenticationToken',
'message': 'Access token validation failure.'
}
}
in your login request, the resource parameter should be https://graph.microsoft.com
It seems to be the case, that tokens issued from the v1 endpoint aren't valid for atleast some requests with MS Graph API.
Instead try to get the token form the v2 endpoint by calling https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.
In case you are working with oidc discovery documents, you'll find the one for v2 at https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
I think you will need to register app from here "https://apps.dev.microsoft.com" instead of from Azure Portal.
Unless you are an using Client Credentials, you cannot access the messages another account's mailbox. Make sure that my.email.address#example.com is the same account you are authenticated with and that this address is also the userPrincipalName for the account.
You can also use a simplified URI for requesting your messages and bypassing determining the account's userPrincipalName by using /me. In this case the GET request would be https://graph.microsoft.com/v1.0/me/messages
It's worth noting that even if MS's Azure documentation does not specify the need for listing the resource, I could never get to work without listing the resource.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds.
There is a supplementary document specifiy to two-legged Auth for MS Graph that actually uses the 'resource' in the example.
https://developer.microsoft.com/en-us/graph/docs/authorization/app_only
Happy hunting!
I've been trying to use the Azure Service Management API in order to list the Hosted Services with no success.
In the first place, I was able to set up the authentication using PowerShell as the Microsoft documentation states here: https://msdn.microsoft.com/en-us/library/azure/dn790557.aspx
My first step was to request an access token using OAuth2 making a POST request to this URL:
https://login.windows.net/<MY_TENANT_ID>/oauth2/token
and passing these parameters:
grant_type: client_credentials
client_id: <THE_CLIENT_ID_OF_THE_APP_REGISTERED_THROUGH_POWERSHELL>
client_secret: <THE_PASSWORD_OF_APP_REGISTERED_THROUGH_POWERSHELL>
resource: https://management.core.windows.net
so, I receive a valid response and an access_token included in the response. So far so good.
Then, I want to make a simple call to the Management API; I would like to list my Hosted Services (Cloud Services), so I make a GET request to this URL:
https://management.core.windows.net/<MY_SUBSCRIPTION_ID>/services/hostedservices
Including the following headers:
Authorization: Bearer <THE_ACCESS_TOKEN_RECEIVED_IN_THE_PREVIOUS_STEP>
x-ms-version: 2014-10-01 (I've also tested with different versions)
but, what I get is a 401 Unauthorized error, with the following message:
The JWT token does not contain expected audience uri 'https://management.core.windows.net/'
I also tried with a Native Application registered directly in the Azure Portal (with Permissions set to use the Service Management API) and requesting a token using the grant_type = authorization_code. I get the access_token correctly and a refresh_token, but when I try to make a request to the above URL, I get the same error message.
On a side note, I am able to use the Azure Insights API successfully; the issue above is with the Azure Service Management API.
Anyone knows what I am missing?
I faced the same problem today. Complete the resource url with '/' https://management.core.windows.net
See the mismatch between the url in your resource and the one in the error message 'https://management.core.windows.net/'