Access denied: no access to call this method - api

I'm trying to implement VK API, so thanks OAuth code I get a token and just add this scope offline,audio and now doing this request:
https://api.vk.com/method/account.getInfo?access_token=XXXXX&v=5.62
And go this in return:
{
"error": {
"error_code": 15,
"error_msg": "Access denied: no access to call this method",
"request_params": [
{
"key": "oauth",
"value": "1"
},
{
"key": "method",
"value": "account.getInfo"
},
{
"key": "v",
"value": "5.62"
}
]
}
}
Why, there's a scope for this too?

Your application isn't Standalone type or you received access token not via Implicit Flow scheme.
Note: you should set parameter redirect_uri=https://oauth.vk.com/blank.html to get access token without limitations. In other ways access token will be limited to call methods which available only for standalone applications.

you also need to place
scope=messages in authorization method
GetToken.Navigate("https://oauth.vk.com/authorize?client_id="+ VkAPI.__APPID + "&display=page&redirect_uri=https://oauth.vk.com/blank.html&scope=messages&response_type=token&v=5.87&revoke=1");

Related

Why I'm getting a 403 (Insufficient Permission) error on Google Workspace Admin SDK?

When I try to access Admin SDK API I get this error:
XHRGEThttps://admin.googleapis.com/admin/directory/v1/users?customer=some_custumer
[HTTP/3 403 Forbidden 220ms]
Even passing a API_KEY (&key=my_api_key), the same happens.
{
"error": {
"code": 403,
"message": "Request had insufficient authentication scopes.",
"errors": [
{
"message": "Insufficient Permission",
"domain": "global",
"reason": "insufficientPermissions"
}
],
"status": "PERMISSION_DENIED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
"domain": "googleapis.com",
"metadata": {
"method": "ccc.hosted.frontend.directory.v1.DirectoryUsers.List",
"service": "admin.googleapis.com"
}
}
]
}
}
Header:
www-authenticate
Bearer realm="https://accounts.google.com/", error="insufficient_scope", scope="https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/directory.user https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/apps.directory.user.readonly https://www.googleapis.com/auth/directory.user.readonly https://www.googleapis.com/auth/cloud-platform"
I've configured my app on Google Console. Configured the authentication and scopes like this scopes. I've also configured domain-wide-delegation in Admin Console. I'm expecting to list all Workspace users through this API, but I got this error.
The OAuth works fine.
I am not sure what you are using but here you have my assumptions:
If you are using OAuth, you will need to use a user with enough
privileges to list your users (a super admin account for example)
If you are using a service account, besides allowing wide domain
delegation you need to implement impersonation in your code, that
way you will specify which account the service account will
impersonate to make the API call. So, it is very important to
impersonate an account with enough permissions
If you have any questions please let me know

403 Error creating dataSource for com.google.blood_pressure in Google Fit REST API

Goal:
I have a simple web application where I submit my Blood Pressure and Heart Rate measurements.
Now I'd like to submit these measurements to my Google Fit Account.
I tried Googles tutorial: https://developers.google.com/fit/scenarios/write-bp-data
OAuth2 Setup
I created new credentials in one of my existing Cloud Console Projects. And then requested a new authorization code using the following scopes (The project is in Testing State and my account is registered as tester):
https://www.googleapis.com/auth/fitness.blood_pressure.write
https://www.googleapis.com/auth/fitness.heart_rate.write
Requesting the token returns the following response:
{
"access_token": "ya29.XXXXXXXXXXXXXXXX",
"expires_in": 3599,
"refresh_token": "1//XXXXXXXXXXXXXXXX",
"scope": "https://www.googleapis.com/auth/fitness.heart_rate.write https://www.googleapis.com/auth/fitness.blood_pressure.write",
"token_type": "Bearer"
}
As you can see, both write scopes are granted.
Additionally, if I check the permissions in my Google Account, both scopes are set.
Create dataSource
Now I create two dataSources (one for com.google.heart_rate.bpm and one for com.google.blood_pressure).
creating the Heart Rate dataSource works as expected, but creating a dataSource for Blood Pressure returns a 403 PERMISSION_DENIED Error:
Request (POST https://www.googleapis.com/fitness/v1/users/me/dataSources)
{
"dataStreamName": "BPA-BloodPressure",
"type": "raw",
"application": {
"detailsUrl": "https://aaa.bbb.ccc",
"name": "Blood Pressure App",
"version": "1"
},
"dataType": {
"name": "com.google.blood_pressure"
}
}
Response
{
"error": {
"code": 403,
"message": "Scope not included to modify data of type com.google.blood_pressure. Possible scopes: https://www.googleapis.com/auth/fitness.blood_pressure.write",
"errors": [
{
"message": "Scope not included to modify data of type com.google.blood_pressure. Possible scopes: https://www.googleapis.com/auth/fitness.blood_pressure.write",
"domain": "global",
"reason": "forbidden"
}
],
"status": "PERMISSION_DENIED"
}
}
The Google Fit REST API tells me that the Scope fitness.blood_pressure.write is missing, but as you can see the Scope is given for the used access token.
Notes
I am working with Postman to test all requests. Later a Java/Groovy or PHP backend will used.
I also tried with read and write scopes for both data types.
I can see my app with both write scopes in Google Fit under "Connected apps".
Change dataType name to "fitness.blood_pressure" instead of "com.google.blood_pressure"
The body will be like this.
{
"dataStreamName": "BPA-BloodPressure",
"type": "raw",
"application": {
"detailsUrl": "https://aaa.bbb.ccc",
"name": "Blood Pressure App",
"version": "1"
},
"dataType": {
"name": "fitness.blood_pressure"
}
}

Keycloak - using admin API to add client role to user

I'm triyng to use keycloak AdminAPI (https://www.keycloak.org/docs-api/3.0/rest-api/index.html#_users_resource) to create user and assign client roles. I'm receiving correct token, and user is created but assigning roles return 404
I'm using Postman to connect with API:
/auth/realms/{realmName}/protocol/openid-connect/token
Content-Type application/x-www-form-urlencoded <-with parameters ofc
/auth/admin/realms/{realmName}/users
Content-Type application/json
Authorization Bearer {TOKEN}
Body:
{
"username": "name",
"enabled": true,
"emailVerified": false,
"firstName": "first",
"lastName": "last",
"credentials": [
{
"type": "password",
"value": "newPas1*",
"temporary": false
}
]
}
Above works for me, but the next one don't
/auth/admin/realms/{realmName}/users/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/role-mappings/clients/realm-management
Content-Type application/json
Authorization Bearer {TOKEN}
Body:
{
"roles": [
{
"id": "0830ff39-43ea-48bb-af8f-696bc420c1ce",
"name": "create-client",
"description": "${role_create-client}",
"composite": false,
"clientRole": true,
"containerId": "344e7c81-e7a2-4a43-b013-57d7ed198eee"
}
]
}
where 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' is userID returned during creation and create-client role exists
I need a way to add client role via Http request. I saw there are some keycloack implementation for java but I'm using .NET CORE so there will be the target implementation but I need to have working request first as you may gues
You have to pass client UUID to the role-mappings REST method, not the ID that you specify when creating a client in admin UI. Use GET /admin/realms/{realm}/clients?clientId=realm-management REST method to find out the client UUID.
UPDATE
In Keycloak 6.0.1 to add a role it is required to pass role name and id.
Example:
POST /auth/admin/realms/{realm}/users/{user}/role-mappings/clients/{client}
[
{
"id": "0830ff39-43ea-48bb-af8f-696bc420c1ce",
"name": "create-client"
}
]

Mimecast API authentication issue

trying to connect to endpoint with all needed headers defined:
https://us-api.mimecast.com/api/login/login.
Error message receieved : 0018 Client update required
Did anyone encounter/solve this issue?
{
"meta": {
"status": 401
},
"data": [],
"fail": [
{
"key": {
"username": "datadash#itprosusa.com",
"tokenType": "key",
"verifyOnly": false
},
"errors": [
{
"code": "err_xdk_client_update_required",
"message": "0018 Client update required",
"retryable": false
}
]
}
]
}
I came across the same error message when trying to get Access key and Secret Key. You can actually get these in the Mimecast portal UI by going to: Administration | Services | APIĀ Applications, then Add API Application fill in the details and wait 30 minutes. After 30 minutes click on your newly created API application and select Create Keys, fill in the required information and it will provide you with your Access key and Secret key used for API calls.
If this doesn't answer your question or help you I would suggest getting in contact with Mimecast Support, they are usually pretty good!

Accessing a cloud hub API

https://anypoint.mulesoft.com/apiplatform/anypoint-platform/#/portals/organizations/68ef9520-24e9-4cf2-b2f5-620025690913/apis/8617/versions/40329/pages/35412
/applications/{domain}/logs Traits: environment_based
Retrieve log messages for the application, ordered newest to oldest.
I am trying to access this api but am unable to relate what client id does it ask. Also I am unable to relate to oauth authentication this needs.
I am new to mule.
i am sharing the steps by step instructions to access the details of apps from api.
Step 1 : Get the access token from the Api
https://anypoint.mulesoft.com/accounts/login?username=YOUR_USERNAME&password=YOUR_PASSWORD
NOTE : Use POST method and add Header Content-Type=application/json
You will get response in JSON format like below
{
"access_token": "44126898-7ed8-4453-8d28-skajnbf",
"token_type": "bearer",
"redirectUrl": "/home/"
}
Step 2: Get your organization id
https://anypoint.mulesoft.com/accounts/api/me
NOTE : Use GET method and add below Headers
Content-Type = application/json
Authorization = Bearer ACCESS_TOKE_YOU_GOT_ABOVE
Example : Authorization = Bearer 44126898-7ed8-4453-8d28-skajnbf
In the response you will have a section where you will get you organization related details like below
"organization": {
"name": "Sample",
"id": "c1e68d1e-797d-47a5-b",
"createdAt": "2016-11-29T09:45:27.903Z",
"updatedAt": "2016-11-29T09:45:27.932Z",
"ownerId": "68df9a5",
"clientId": "7200350999564690",
"domain": "******",
"idprovider_id": "mulesoft",
"isFederated": false,
"parentOrganizationIds": [],
"subOrganizationIds": [],
"tenantOrganizationIds": [],
"isMaster": true,
"subscription": {
"type": "Trial",
"expiration": "2016-12-29T09:45:27.906Z"
},
Step 3: Get the environment Details
https://anypoint.mulesoft.com/accounts/api/organizations/YOUR_ORGANIZATION_ID_FROM_ABOVE/environments
NOTE : Use GET method and add below Headers
Content-Type = application/json
Authorization = Bearer ACCESS_TOKE_YOU_GOT_ABOVE
Example : https://anypoint.mulesoft.com/accounts/api/organizations/c1e68d1e-797d-47a5-b/environments
You will get all available environments in the response in JSON format as below
{
"data": [
{
"id": "042c933d-82ec-453c-99b2-asmbd",
"name": "Production",
"organizationId": "c1e68d1e-797d-47a5-b726-77asd",
"isProduction": true
}
],
"total": 1
}
Step 4: Now specify the domain name and fetch the logs
https://anypoint.mulesoft.com/cloudhub/api/v2/applications/YOUR_CLOUDHUB_APP_NAME/logs
Example : https://anypoint.mulesoft.com/cloudhub/api/v2/applications/first-test-api-application/logs
NOTE : Use GET method and add below Headers
Content-Type = application/json
Authorization = Bearer ACCESS_TOKE_YOU_GOT_ABOVE
X-ANYPNT-ENV-ID = ENVIRONMENT_ID_YOU_GOT_ABOVE
Example : X-ANYPNT-ENV-ID = 042c933d-82ec-453c-99b2-asmbd
You will get the logs in JSON format as below
{
"data": [
{
"loggerName": "Platform",
"threadName": "system",
"timestamp": 1480503796819,
"message": "Deploying application to 1 workers.",
"priority": "SYSTEM",
"instanceId": "583eb1f1c4b27"
},
{
"loggerName": "Platform",
"threadName": "system",
"timestamp": 1480503797404,
"message": "Provisioning CloudHub worker...",
"priority": "SYSTEM",
"instanceId": "583eb1f1e4b27"
}
],
"total": 2
}
NOTE : FOR ENHANCED LOGGING YOU SHOULD SELECT APPROPRIATE DEPLOYMENT AND INSTANCE IDs TO GET LOGS IN SIMILAR MANNER
Hope this Helps for Beginners
To see the clientID. Log into your CloudHub account. Click on the "gear" icon in the upper right corner. Click on the name of your organisation. you should now see your "clientID" and the "ClientSecret" ID.
Before you use the CloudHub APIs or the Anypoint platform APIs you have to create an account on the Anypoint Platform - Check the architecture of the Anypoint API platform #
https://docs.mulesoft.com/anypoint-platform-for-apis/anypoint-platform-for-apis-system-architecture
Once your are done with the registration with the Anypoint API platform you need to set up users, roles & privileges as an admin -
https://docs.mulesoft.com/anypoint-platform-administration/managing-accounts-roles-and-permissions
As admin you need to control access to APIs by creating & supplying client Id and client Secret - https://docs.mulesoft.com/anypoint-platform-administration/manage-your-organization-and-business-groups
I guess that's the client you referring to. It needs to be present in the request for all the APIs.
As far as OAuth is concerned, it is not completely functional on Cloudhub API. You will have to raise a ticket for support. Check this out -
https://docs.mulesoft.com/mule-user-guide/v/3.7/mule-secure-token-service
If you are new to Mule, run through the Mule Intro videos and try out the Anypoint Studio to get feel of Mulesoft Applications.
Hope this helps.