Citrix: Forbidden while downloading the attachment from ShareFile API - citrix

We has been using ShareFile API for downloading the Citrix Attachment. We are using Oauth 2.0. The general flow is - our clients will authorize the our Citrix ShareFile App to grant permission for accessing their files. Oour ShareFile app should already have the required permission\scopes because with the same app we are successfully downloading attachment files of our customers. However, we are having some problems with one client.
When we tried to download that attachment with the access token, we are getting the following error:
Request:
https://myclientdomain.sf-api.com/sf/v3/Shares(sfe78bf8c64fc465caf1c368cc61fdd0e)/Download(fie36670-d35a-a180-e24e-e13643a70d9e)
Response:
{
"code": "Forbidden",
"message": {
"lang": "en-US",
"value": "Share download requires defining Name, Email and Company"
},
"reason": "NotAuthorized"
}
I refreshed the new token from Postman and after that, the token can download the same attachment. But the surprising point is - the same access token will not work after a few hours and started to see the same error.
I would also like to know what the error message "Share download requires defining Name, Email and Company" refers to.
Please also note that the customer had reauthorized the app but even with that new access token, we are getting the error.
Any help would be highly appreciated!!

Related

403 :Permission denied while hitting google developer reporting API

i am trying to hit https://playdeveloperreporting.googleapis.com/v1alpha1/apps/com.example/anrRateMetricSet.
It returns 403: permission denied
Here i am trying to capture the health metrics for my android app from Google console.
Reference:https://developers.google.com/play/developer/reporting/reference/rest/v1alpha1/vitals.anrrate/get?hl=en_GB
So i have Service account created on google console under "I AM and Admin"
I am trying to hit "https://playdeveloperreporting.googleapis.com/v1alpha1/apps/com.example/anrRateMetricSet"
By using access token created from key.JSON downloaded from linked Service account to the project.
But i am getting
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
Could n't understand what might be the issue. Since the Service account is linked to project.
Your help is highly appreciated . Thank you

Azure media service v3 - Create job with sas url is failing due to Access issue

I'm trying to create a asset from code, but i'm getting below error:
{
"error": {
"code": "Conflict",
"message": "The server received a 403 Forbidden error when accessing Azure Storage. Please check your permissions to the storage accounts linked to the media account.",
"details": [
{
"code": "AuthorizationFailure",
"message": "The server received a 403 Forbidden error when accessing Azure Storage. Please check your permissions to the storage accounts linked to the media account."
}
]
}
}
Also, I tried directly in portal with generated sas url, though I'm facing access issue, I can confirm AAD service principle has assigned "contributor" role, but still I get error.
Error:
The client 'xx' with object id 'xx' does not have authorization to perform action 'Microsoft.Media/mediaservices/assets/write' over scope '/subscriptions/xx/resourceGroups/xx/providers/Microsoft.Media/mediaservices/itskssearchmediadev/assets/ignite-mp4-20220207-192422' or the scope is invalid. If access was recently granted, please refresh your credentials.
What else permission do I need to provide?
Note: I also tried with my personal a/c which has full access, it works there.
The Storage Account Contributor role permits management of storage accounts (e.g., creating and deleting storage accounts), but it does not permit access to data in the storage account.
To allow Media Services to write to the storage account, the Managed Identity must be granted a role that has access to the storage account data, for example, Storage Blob Data Contributor.

Microsoft Azure API List All Tenants

We are a CSP partner with MS. My goal is to call the Azure API and list all the different tenants we have in our account.
I found this Azure API resource that appears to allow the listing of all tenants: https://learn.microsoft.com/en-us/rest/api/resources/Tenants/List
I’ve been able to implement the authorization code flow, and I can call MS Graph API’s successfully. However when I try to call this API I receive this response:
{
"error": {
"code": "AuthenticationFailed",
"message": "Authentication failed."
}
}
I feel like it may an issue with the permissions I've granted in my app registration, but I can't seem to figure what is needed to make it happen.
I wish there was a way to use the MS Graph API to get all of our tenants, but from my research that doesn't exist.
I think you missed the bear token. I test this api by postman.
You can read this article.
Get an Azure Active Directory token using Azure Active Directory Authentication Library

Hyperledger, Using Google OAUTH2.0 with a REST server

I deployed the network to query from the REST client and launched the REST instance. I wanted to use Google Oauth for the authentication needs but there happens to be an authentication error.
The network is on the localhost:3000 and looks fine; however, when I import a business card and "try it out" the /system/historian I get this response body:
"error": {
"statusCode": 500,
"name": "Error",
"message": "Error trying login and get user Context. Error: Error trying to enroll user or load channel configuration. Error: Enrollment failed with errors [[{"code":20,"message":"Authorization failure"}]]",
"stack": "Error: Error trying login and get user Context. Error: Error trying to enroll user or load channel configuration. Error: Enrollment failed with errors [[{"code":20,"message":"Authorization failure"}]]\n at client.getUserContext.then.then.catch (/home/composer/.npm-global/lib/node_modules/composer-rest-server/node_modules/composer-connector-hlfv1/lib/hlfconnection.js:395:34)\n at \n at process._tickDomainCallback (internal/process/next_tick.js:228:7)"
The expected behaviour was to get a set of transactions showed up
I checked the wallet, thinking I might have a problem with the card but there seems to be no problem. The code is 200 which is expected, and here is the response body:
[
{
"name": "liner1",
"default": false
},
{
"name": "liner1#iot-perishable-network-advanced",
"default": true
}
]
If you have got as far as importing a card to a Wallet, then your Google Oauth config is fine.
This looks like a problem with the card you have imported. When the Identity is Issued (and the Card is created) a one-time secret is created. When the card is used for the first time the secret is exchanged for Certificates/Keys and the the one-time secret is invalidated.
I'm guessing that you have imported a .card file for a user which has already been used, so now the secret is invalid. If I'm right, you need to export the card from the place where it is working to a new .card file that contains the certificates/keys, and import that new .card file into the REST server wallet. Maybe the command composer card export is what you are looking for.
There is more information on cards in the Composer Knowledge Wiki.

Access to cloud storage from client URL

From a Google cloud application, I need to open a file located in my project’s cloud storage. I tried to use a URL of the following form to access the file but I get the error below:
http://storage.googleapis.com/my-bucket/my-file
Error: Access denied. Anonymous caller does not have storage objects
www.googleapis.com/upload/storage/v1/b/http://my_appl//my-bucket/my-file
Error 404
www.googleapis.com/storage/v1/b/my-bucket/my-file
Error 404
https://www.googleapis.com/storage/v1/b/my-bucket/o/my-file
"code": 401,
"message": "Anonymous caller does not have storage.objects.get access to my-bucket/my-file
https://www.googleapis.com/storage/v1/b/my-bucket/o/my-file/place?key=my-key
Not found
Am I composing the URL incorrectly?
http://storage.googleapis.com/my-bucket/my-file
This one is fine. However, unless an object is publicly readable, you'll need to authorize the request, which means either including an "Authorization" header in the request with appropriate credentials or signing the URL with the private key of a service account.
https://www.googleapis.com/download/storage/v1/b/my-bucket/o/my-file?key=my-key&alt=media
This is also okay, but an API key does not provide authentication. You'll still need an Authorization header unless the object is publicly viewable.