Permission to execute Mulesoft Anypoint Access Management APIs

I am using internal Mulesoft APIs from the Anypoint Access Management API Reference. I have successfully set up my Postman to get the security token after login, and even successfully executed /api/users/me and several other APIs such as API creation, Portal creation, etc. However, regardless of the access provided to the connection/login user, I can't get the full list of users (/api/users) or the full list of organizations (/api/organizations), receiving a 401-Not authorized error. What special permission does the connection user require to execute these 2 APIs?
Thanks in advance!

Had the same issue but figured it out.
Instead of calling: /api/users, you should be calling https://anypoint.mulesoft.com/accounts/api/organizations/{orgId}/members to get a list of users.


Answering reviews on google play with service account

I wanna answer my application's reviews with a service account. But according to the API documentation of the Google Play console, for answering reviews, I need to have my auth key:
GET https://www.googleapis.com/androidpublisher/v3/applications/your_package_name/reviews?access_token=your_auth_token
But in my JSON file that I got from "create key" on my service account page, I have nothing like: "auth token". What should I do?
Note: I also have 1 more small question: I wanna list all of my applications for Google Play. I found some non-official APIs that can retrieve all apps for a specific developer. But for that I need to have people's developer name, which I cannot retrieve from any API.
But in my JSON file that I got from "create key" on my service account page, I have nothing like: "auth token". What should I do?
Your auth token is not in the key file you downloaded; it contains what you need to request an access token.
Assuming that you have created service account credentials on Google Cloud console, what you have in that file is the credentials you need to create an access token.
Your application calls Google APIs on behalf of the service account, so users aren't directly involved. This scenario is sometimes called "two-legged OAuth," or "2LO." (The related term "three-legged OAuth" refers to scenarios in which your application calls Google APIs on behalf of end users, and in which user consent is sometimes required.)
Requesting an access token using a service account requires a number of steps (see Preparing to make an authorized API call). I recommend you look for a client library in your chosen language; coding it yourself is not for the faint of heart.
I wanna list all of my applications for Google Play.
In order to do that you will need to grant the service account access to your account's data, probably by sharing the data with it. Or you will need to use OAuth2 to authorize your application; then you will have access to it.

Access mailbox via Graph (MSAL.NET/Azure AD 2.0) from daemon service: administrator access should be limited to single mailboxes

When you access a mailbox of a specific user via a background service using MS Graph, the token will expire after 90 days since MSGraph (MSAL.NET/Azure AD 2.0) does not return a refresh token (see here).
Using administrator consent should resolve this issue, but the only choice is to get access to ALL mailboxes of the organization. This is way too great a security risk for this task.
Does anybody know a middle ground for this?
Is there a way to get the refresh token when using user consent, or limit admin consent to 1 mailbox?
Is this an issue that Microsoft should resolve?
Microsoft Graph documentation has provided a method to accomplish this requirement.
Just use the New-ApplicationAccessPolicy PowerShell cmdlet to configure access control.
New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId EvenUsers@contoso.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."
See details from Scoping application permissions to specific Exchange Online mailboxes.
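A policy like the one above is only useful if it is checked from both sides, so the following added example (not part of the original answer) scopes the app to a single mailbox and then verifies that an in-scope mailbox is granted and an out-of-scope mailbox is denied. The group address and both mailbox addresses are hypothetical placeholders, and the script assumes the ExchangeOnlineManagement module and an Exchange administrator session.

```powershell
# Added example. Assumptions: ExchangeOnlineManagement module installed,
# operator holds an Exchange admin role, all addresses below are placeholders.
$AppId      = 'e7e4dbfc-046f-4074-9b3b-2ae8f144f59b'   # AppId used in the answer above
$ScopeGroup = 'graph-daemon-scope@contoso.com'          # hypothetical mail-enabled security group
$Allowed    = 'service-mailbox@contoso.com'             # hypothetical: the one mailbox the daemon needs
$OutOfScope = 'other-user@contoso.com'                  # hypothetical: a mailbox that must stay unreachable

Connect-ExchangeOnline

# 1. Create a mail-enabled security group whose only member is the permitted mailbox.
New-DistributionGroup -Name 'Graph daemon scope' -Type Security `
    -PrimarySmtpAddress $ScopeGroup -Members $Allowed

# 2. Restrict the application to members of that group.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Restrict this app to the single service mailbox.'

# 3. Check the effective result for a mailbox inside and outside the scope.
$results = foreach ($mailbox in $Allowed, $OutOfScope) {
    $check = Test-ApplicationAccessPolicy -AppId $AppId -Identity $mailbox
    [pscustomobject]@{
        Mailbox = $mailbox
        Result  = $check.AccessCheckResult   # Granted or Denied
    }
}
$results | Format-Table -AutoSize

# 4. Fail loudly if the scope is wider or narrower than intended.
if (($results | Where-Object Mailbox -eq $Allowed).Result -ne 'Granted') {
    throw "Policy does not grant access to $Allowed"
}
if (($results | Where-Object Mailbox -eq $OutOfScope).Result -ne 'Denied') {
    throw "Policy still allows access to $OutOfScope"
}
```

Run the check again after any change to the group's membership, since the group is now the access boundary for the app.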

Create User via API in Azure AD

GOAL: Create users in Azure Active Directory using our Global Admin account from an API.
PROBLEM: Every single way I try, I get "unauthorized".
WHAT I'VE TRIED:
I've been focusing mostly on this: https://graph.microsoft.com/v1.0/invitations
I've tried as outlined here
the "Authorization Bearer {token}" is problematic -- I can't seem to properly retrieve tokens, using any of the built URLs recommended (ie, combining ClientID & TenantID in the URL.)
I've tried the relevant portions of this, including creating the app, setting permissions on the app, trying both Web API and Native. I'm able to get a code back, but using it always comes back with Unauthorized.
As an aside, I am using Nintex to run this web service, as it is part of my workflow. Typically, web services don't give me issues. So, this sucks.
I'm missing something, here. Any thoughts or direction?
UPDATE: Removed the word "method" - bad choice of phrasing.
If you want to use Microsoft Graph explorer to create user as the global admin, you could use POST https://graph.microsoft.com/v1.0/users, and the required permission is:
Permissions
For the details, you could read Create user.
Global admin runs as a user by default. To grant access to Active Directory, you need to elevate permissions in the portal.
I'm not convinced you have the permissions to create the user, and that's why I think you're getting the error.
Also, try and avoid using Global Admin. Create a Service Principal and provide more granular permissions.

Using Anypoint Access Management - Mulesoft APIs

Good morning. I am using the internal Mulesoft Access Management APIs (API Reference). I have successfully set up my Postman to get the security token after login, and even successfully executed /api/users/me. However, regardless of the access provided to the connection/login user, I can't get the full list of users (/api/users), receiving a Not authorized error.
Let me explain the context. We are running on a federated platform, so we can't manage user registration from the console, but need to wait until users log in through SSO for the first time to grant access to the corresponding business group and role. There is a complaint, as the users need to send the admin a note letting them know of their successful first login, and afterwards wait to receive access to the business group. After they log in for the first time, their profiles are created in the root org. You can see them only when you are in the master organization. However, you can't get their new user id when you request a list of users of this master organization (/api/organizations/{orgId}/users).
We are looking to execute this /api/users in a batch app that runs periodically and does a cross verification to get the users not associated with any orgid or role. This way we can avoid the requirement of the user sending a note to the admin. When I execute /accounts/api/users (API Call), we receive a 401 Unauthorized response, even though the token is correct, as it is working fine with the other APIs. There is no mention of any other parameter or requirement in the API reference.
Please advise what can be done to solve this authorization error and complete our app. Thank you in advance.
Had the same issue but figured it out.
Instead of calling /api/users, you should be calling
https://anypoint.mulesoft.com/accounts/api/organizations/{orgId}/members
to get a list of users

Passing credential in HttpWebRequest in UrbanCode Deploy

I am using HttpWebRequest to pull a list of all Components from Urban-code Deploy to my application. I have used my own credential in the code (C#) to access it. It is working fine. Now, I have to use the service account that my company has, in order to pass the credential. I tried using DefaultCredential and defaultNetworkcredential but am getting the same error: Unauthorized access. Any help!!! Thank you!!!
You got an answer on the UrbanCode forum here: https://developer.ibm.com/answers/questions/372586/authentication-using-service-account-without-admin/?smartspace=urbancode
You just need a user account in the system with permissions to access the data. Accessing data via REST API requires the same permissions as through the UI. There's no way to bypass that.