I have a nodejs project that is using adal-node (https://www.npmjs.com/package/adal-node) to authenticate via OAuth2 to Dynamics CRM. I have successfully gotten the authorizationUrl, then posted the code to get the accessToken. However, this last response does not return an instanceUrl. So I've been scowering the MSDN pages online for documentation on how to use the accessToken to obtain the correct organization instance Uri. I've tried this (https://msdn.microsoft.com/en-us/library/mt607485.aspx) and just get a 401 "Authorization has been denied for this request" response. Maybe I'm formatting this request improperly? Can someone kindly direct me to some documentation on how to use the valid accessToken I've obtained to retrieve the organization instance Uri for this user? Thanks.
Recently went through this myself, the issue I think you might be experiencing is the resource that is being requested access to when you request your authentication token is incorrect. While you would think it would be https://globaldisco.crm.dynamics.com/, I actually been successfully with https://disco.crm.dynamics.com/ (ensure to include the trialing slash) as the resource.
If your token is rejected then look at the WWW-Authenticate attribute in the response header and it will indicate the resource you should be requesting. Similar to this:
Bearer authorization_uri=https://login.windows.net/common/oauth2/authorize, resource_id=https://disco.crm3.dynamics.com/
After getting the right resource I was able to query the global disco service without issues and even though giving the NA disco resource returned instances from various regions. This worked on Azure AD tenants started in NA as well as the UK.
I have blogged a full sample here - http://colinvermander.com/2017/01/19/calling-the-dynamics-global-discovery-service/
According the description at https://msdn.microsoft.com/en-us/library/mt607485.aspx, to request against to https://globaldisco.crm.dynamics.com/api/discovery/v1.0/Instances(UniqueName='myorg'), you need to replace myorg to your own unique name of your dynamic crm server.
You can refer to https://www.dynamics-pros.com/support/kb/kb102033 for how to get the unique name.
Related
Unable to use Microsoft Graph API to create or update SharePoint list items with client credentials access token (getting access token with out a user), I get the following error,
I'm able to successfully call GET and DELETE methods with the same access tokens for the same site/list, additionally I'm able to call all methods GET/POST/PATCH/DELETE for the same site/list using the user generated access token.
For my use case I need to able to create/update list items with out user access so, followed this article - https://learn.microsoft.com/en-us/graph/auth-v2-service, API has required permissions granted in the application
can't seem to find any documentation on what exactly I'm missing, looks like POST/PATCH endpoints are looking for some user info in the token, but client crendentials do not have any user info so not sure what to do next, Here's the documentation I'm following https://learn.microsoft.com/en-us/graph/api/listitem-create?view=graph-rest-1.0&tabs=http & I've tried using the .net graph client SDK as well and I get the same error message for both POST/PATCH requests.
Any help on how to successfully create/update sharepoint list items via graph api using client credential token would be highly appreciated.
Followed this article in setting up the application in azure ad - https://learn.microsoft.com/en-us/graph/auth-v2-service, Added app roles are as highlited in this article https://learn.microsoft.com/en-us/answers/questions/756563/app-roles-in-client-credentials-scope-in-azure-b2c.html but no luck.
Hope you are not using delegated permission in your personal account ,
Looks like there is something wrong with your API call ,make sure you are using the correct API call - https://graph.microsoft.com/v1.0/sites/{site-id}/lists/{list-id}/items
You can also Try to create and Update in graph explorer- https://learn.microsoft.com/en-us/graph/api/listitem-create?view=graph-rest-1.0&tabs=http#example .
Hope this helps
Thanks
I've built an API-based integration with DocuSign (using their PHP SDK), and am now at the point of deploying to the production server. I have reconfigured everything with the production integration key, public/private key pair, user and account IDs, endpoint URL, etc. replacing the demo ones. The OAuth portion of the conversation is working fine, and I get a valid token back. When I then try to send an envelope, I hit a USER_LACKS_MEMBERSHIP error, and cannot figure out why. As far as I can see, everything about the API user is the same between the demo and production systems.
I've authorized the application and made sure that it's in the list of "Applications with Access to DocuSign".
I have enabled logging, but the only things that are showing up in there appear to be from my own navigation in the site, nothing related to the API calls at all.
Most of the documentation that I can find on this simply repeats the generic error text: "The UserID does not have a valid membership in this Account." If I go to the account admin and look at the list of users, the one I'm expecting is right there, with DS Admin permission; not sure what else might be done to give them "membership". One mentioned not using SendOnBehalfOf, but I'm not, so I can't really remove that.
All the code is identical, just configuration that's changed. Not sure where else to look. Anybody have any suggestions for what to try?
FURTHER INFORMATION
I've tried the getUserInfo call in the SDK, passing the same access token I use for the other call. It returns successfully, showing that it is for the user I'm expecting, in the one group we have, on the production server. And yet, when I enable logging again, as this same user, there is still zero record in the resulting logs of any of this API activity.
Attempts to do things like list templates with the SDK fail with the same USER_LACKS_MEMBERSHIP error.
Using the Diagnostics API (again, through the SDK) to check logging status shows that it is NOT enabled (despite my enabling it in the UI), but can be enabled with a separate call. Subsequently attempting to use listRequestLogs in the SDK generates a 404 error, though the URL matches what's listed in the API documentation (/v2/diagnostics/request_logs). Not sure whether these findings confirm that I'm somehow logging onto the API and the UI with different users (even though the user name and internal ID match), or that there's some problem with the logging facility in DocuSign.
The problem turns out to be the URL I was using for API calls. I switched from demo.docusign.net in testing to www.docusign.net in live, but being in Canada we need to use ca.docusign.net. For those who find this later, you can get the correct base path to use from the oauth/userinfo endpoint, or the getUserInfo() call through the SDK (PHP SDK, at least; don't know what the analogous call would be in others).
There are 3 things to consider:
API calls are made to an endpoint (URL) that contains the account # (either GUID or short form) in the url. Take a note of that number in the url.
Auth Token is a token for a specific user in a specific account.
UserId for the specific call. That is a specific user in the account.
If the user is not in the account, or there's a mismatch between #1 and #2 - you'll get this error. You must work with a single account and have it in all places as well as the user must be a member of this account.
Re:
I have enabled logging, but the only things that are showing up in there appear to be from my own navigation in the site, nothing related to the API calls at all.
Since the request logging is not showing your API activity, the problem is that the person you've logged in as on the web tool is not the same as the person (user id) that you've logged in as on your application.
Solution for OAuth Authorization Code authentication: double check that when your app is logging into DocuSign, you're using the account.docusign.com authentication server, not the account-d.docusign.com auth server. (Look at the URL in your browser during the login sequence.)
Solution for OAuth JWT authentication: re-check that the impersonated user id is from the production system and you're using the right authentication server
I am new to software development & IT. I am working on a proof of concept with Azure. I am trying to work with Postman to send a PUT or POST request to a blob I have on Azure. I was able to successfully use a GET.
When I do a PUT or POST, Postman returns a 404 status that the specified resource does not exist. I think I set up the access policy correctly. I understand I may need a shared access signature. Where would I put that or how to I configure it in Postman?
Please let me know what you think. Thank you.
Jonathan
Ensure you have set the required headers like x-ms-date and x-ms-blob-type and that you use the PUT verb. You pass your credentials using the Authorization header. See:
Authorization for the Azure Storage Services
I am trying to get data from Netsuite using RESTlet. For that, i am using the following details in PHP:
Consumer Key
Consumer Secret
Script Id
Deploy Id
Access Token Id
Access Token Secret
At first time of using these details, i got that error is Invalid login attempt.
I found why it is coming , because of the following any one or all of the wrong details.
Consumer Key
Consumer Secret
Access Token Id
Access Token Secret
After giving correct details it works fine and i stored all these details in DB. I didn't change anything. But after few days i am getting the same error.
I want to know whether the access token will expire after some days or why the error is coming.
I recently had similar issue, everything worked on my machine, but fail with same exception on the test server. Carefully debugged and saw that timestamps for generating request access token are with 12 min difference.
After synching times everything went fine. So even token definitions in NetSuite doesn't expires, timestamps for generating request tokens must be in 'some' time-window with time in the NetSuite environment.
Too bad that SuiteAnswers (https://netsuite.custhelp.com/app/answers/detail/a_id/44241/kw/44241) doesn't mention anything about time.
If you are trying to access a RESTlet through Token Based Authentication (TBA) and are receiving the INVALID_LOGIN_ATTEMPT error and the login audit detail is permission_denied, then the following may work.
Ensure that the role:
Isn't an administrator type role
Doesn't have the Web Services Only Role checked
Also double check that your related integration has the TOKEN-BASED AUTHENTICATION checked.
Note: to check your audit trail detail, go to Setup > Users/Roles > View Login Audit Trail, check USE ADVANCED SEARCH, and be sure to add Detail as a result column.
In my case I was getting the account id from the URL which is lowercase, while it should be upper case.
I was testing on a sandbox and sb1 should be xxxxxx-SB1 on the URL and Realm should be xxxx_SB1
Finally I found the answer for 403 error in my case, I changed the time offset with my standard CST time zone, and repost, it worked.
If you found this 403 error and have been trying every ways, check the time on your machine
If you are using user credentials for RESTlet Authentication ensure that the role in use doesn't have the web services only Role checked.
It has to ensure the token (Token ID) matches the proper Application on the Netsuite side.
Setup -> Integration -> Manage Integrations
I'm looking for a REST call to get all MS-Online users.
I am able to get these users through the following Powershell command
Get-MSOLUser -All
I am currently using http://{siteurl}/_api/web/siteusers call to fetch users, but this doesn't return all users that I get using Powershell.
Is there a way I could get all those users?
NOTE: One thing that I have noted is that /siteusers call doesn't return those users who haven't created a personal site(Onedrive) or in other words, returns only those users who have a /personal/user_name_domain_com site.
Could this be the reason why /siteusers call is not returning this data while Powershell is?
I figured it out myself! The trick is to use Graph API. Refer to Azure Graph API for users.
Get an access token for "https://graph.windows.net" resource. This access token can then be used to access https://graph.windows.net
Url to hit
https://graph.windows.net/yourdomain/users?api-version=2013-04-05
Domain should be something like abc.onmicrosoft.com
Headers
Content-Type : application/json;odata=verbose Note::(application/json will do)
Authorization : Bearer eYrvwvZ_PN9Ty5a2pQrb23y******