I am able to successfully execute below APIs
/v2/checkout/orders
/v2/checkout/orders/{order_id}/authorize
/v2/checkout/orders/{order_id}/capture
Why am I getting the "NOT_AUTHORIZED" response while executing PayPal refund as described here? - https://developer.paypal.com/docs/api/payments/v2/#captures_refund
POST request
https://api.sandbox.paypal.com/v2/payments/captures/<Capture ID I got from capture request>/refund
Response
{
"name": "NOT_AUTHORIZED",
"message": "Authorization failed due to insufficient permissions.",
"debug_id": "6c6xxxxx6c",
"details": [
{
"issue": "PERMISSION_DENIED",
"field": "capture_id",
"value": "XXXXXXXXX",
"description": "You do not have permission to access or perform operations on this resource.",
"location": "path"
}
],
"links": [
{
"href": "https://developer.paypal.com/docs/api/v2/payments/#NOT_AUTHORIZED",
"rel": "information_link"
}
]
}
You have to contact the PayPal support to add permission for your existing ClientId and Client secret (which works fine for PayPal V1 APIs) for V2 Refunds and Cancel request and there is no other way you can set the permission for same.
If you need to avoid this then Just create new ClientId and Client secret from PayPal accounts and it will work fine with PayPal V2 APIs.
Creating a new application with a new set of client ID and secret worked for me.
Related
Normally, a Microsoft Graph Subscription can be updated by a signed-in user using a Patch request -
PATCH https://graph.microsoft.com/v1.0/subscriptions/{id}
Content-type: application/json
{
"expirationDateTime":"2016-11-22T18:23:45.9356913Z"
}
This works fine, however, I've registered an application on Azure Portal, and using it's access token and the same Patch request I get an error -
{
"error": {
"code": "ExtensionError",
"message": "Operation: Update; Exception: [Status Code: Unauthorized; Reason: ]",
"innerError": {
"date": "2023-01-11T07:16:51",
"request-id": "a5854647-....-....-....-e4844c8c4a12",
"client-request-id": "a5854647-....-....-....-e4844c8c4a12"
}
}
}
Currently the application has been assigned an API permission User.ReadWrite.All. I couldn't find any another permission that will help me update subscriptions on Microsoft and I don't think creating a service account is the ideal way.
Any suggestion will be highly appreciated. Thanks!
Just learned something new about subscriptions. Each AAD resource has its own subscriptions isolated. Meaning I can't update a subscription which was created by a different AAD user.
I am following the documentation posted here (https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops).
I have a react-based webapp and a powershell-based function app, both in Azure. My function app is presently using a personal access token created with my work account (AAD) credentials, which is not desirable. My goal is to use OAuth2 to authorize my function app to make code changes to a GIT repository on behalf of a webapp user. When I follow the instructions above, I am able to acquire what appears to be a valid authorization code, access token, and refresh token, I receive the following error message from Azure DevOps:
TF400813: The user 'ffffffff-ffff-ffff-ffff-ffffffffffff' is not authorized to access this resource.
…
401 - Uh-oh, you do not have access.
The request requires authentication.
4/21/2021 12:04:16 AM (UTC)
ffffffff-ffff-ffff-ffff-ffffffffffff
Sign out and login with different account
I have obscured the guids in the example above, but the user GUID appears to match the GUID I find for my work account when I call the legacy identity APIs (https://learn.microsoft.com/en-us/rest/api/azure/devops/ims/identities/read%20identities?view=azure-devops-rest-6.0).
I created my application (https://app.vsaex.visualstudio.com/app/register) with the same scopes that I used to create my personal access token. I verified in my dev.azure.com profile that my application is listed as an authorized OAuth app, as expected after creating the authorization request and receiving the authorization code.
The error message above is confusing to me. It says that the user (me) is not authorized to access the resource but also says that the authentication failed. Which is it?
Is this a problem with how I am acquiring my authorization/access tokens? Am I somehow using the wrong account? Are my scopes wrong?
Reproduction of Problem
Here is the state from my registered application:
My application state:
{
"scopes": "vso.code_full vso.code_status vso.graph_manage vso.identity_manage vso.threads_full vso.tokens",
"tokenUrl": "https://app.vssps.visualstudio.com/oauth2/token",
"state": "foo",
"authCallback": "https://myapp.azurewebsites.net/oauth-callback",
"clientSecret": "S.S.S-S-S",
"authUrl": "https://app.vssps.visualstudio.com/oauth2/authorize",
"appWebsite": "https://myapp.azurewebsites.net/",
"appSecret": "S",
"appId": "FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF"
}
Step 1. Authorize the application.
I invoke the following auth URI from an in-private browser.
I authenticate my work account, and authorize the application for the requested scopes.
I can verify the app is an authorized oauth app in my dev.azure.com profile.
https://app.vssps.visualstudio.com/oauth2/authorize?client_id=FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF&response_type=Assertion&state=foo&scope=vso.code_full%20vso.code_status%20vso.graph_manage%20vso.identity_manage%20vso.threads_full%20vso.tokens&redirect_uri=https://myapp.azurewebsites.net/oauth-callback
I receive an authcode, "A.A.A-A-A-A" (shown decoded/obfuscated below):
{
"typ": "JWT",
"alg": "RS256",
"x5t": "....."
}
{
"cid": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"csi": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"nameid": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"iss": "app.vstoken.visualstudio.com",
"aud": "app.vstoken.visualstudio.com",
"nbf": 1618438026,
"exp": 1776204426
}
Step 2. Request the access token and refresh token from my powershell function app:
I make a rest api call to the token endpoint:
"Uri": "https://app.vssps.visualstudio.com/oauth2/token"
"Method": "POST"
"ContentType": "application/x-www-form-urlencoded"
"Body": "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=S.S.S-S-S&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=A.A.A-A-A-A&redirect_uri=https://myapp.azurewebsites.net/oauth-callback"
…and I get the following JSON response:
Token Response:
{
"access_token": "X.X.X-X-X-X-X-X-X",
"token_type": "jwt-bearer"
"expires_in": 3599,
"refresh_token": "R.R.R-R-R-R",
"scope": "vso.code_full vso.code_status vso.graph_manage vso.identity_manage vso.threads_full vso.tokens vso.authorization_grant"
}
Yielding the following JWT for the access token:
{
"typ": "JWT",
"alg": "RS256",
"x5t": "....."
}
{
"nameid": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"scp": "vso.code_full vso.code_status vso.graph_manage vso.identity_manage vso.threads_full vso.tokens",
"aui": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"appid": "ffffffff-ffff-ffff-ffff-ffffffffffff",
"iss": "app.vstoken.visualstudio.com",
"aud": "app.vstoken.visualstudio.com",
"nbf": 1618963456,
"exp": 1618967056
}
Step 3. Make a DevOps REST API call.
In this case, I am requesting a list of respositories in my org/project:
"Uri": "https://dev.azure.com/myorg/myproj/_apis/git/repositories?api-version=6.0"
"Method": "GET"
"Headers": {"Authorization": "Bearer X.X.X-X-X-X-X-X-X"}
This is where things go wrong. DevOps returns a 401 error indicating that my account is not authorized.
TF400813: The user 'ffffffff-ffff-ffff-ffff-ffffffffffff' is not authorized to access this resource.
If I make the exact same http GET from Step 3, but I substitute my PAT with identical scopes as the registered application, the call succeeds. The PAT seems to be created with the exact same profile/account that is authorized in Step 1.
This behavior can be observed when the organization admins have disabled OAuth in the settings. The relevant option can be viewed by any member of the org at e.g. https://dev.azure.com/contoso/_settings/organizationPolicy
Sadly there is no better indication of this for the app or the user, as far as I can see.
Your app can still ask the user for authorization, all OAuth operations succeed, a seemingly valid access token gets returned, but then it simply does not work and returns 401 from all APIs, even if a PAT with the same scope(s) works fine.
I am trying to create GitHub service connection using azure Devops rest api -
In postman I put following Json Body-
{
"name": "release-1",
"type": "github",
"url": "https://github.com",
"authorization": {
"scheme": "PersonalAccessToken",
"parameters": {
"accessToken": "<Github_Personal_Access_Token>"
}
}
}
This Creates service connection but It gives error when I open service connection in UI and try to verify but if I edit and replace with same Github token In UI then it works. seems like its not taking token I am providing in Json body -
I also see information here on this ongoing issue - https://ljvmiranda921.github.io/notebook/2019/12/28/workaround-azure-github-pat/
I want to automate GitHub service connection creation.
How to create GitHub service connection using Azure Devops rest api ?
How to create GitHub service connection using Azure Devops rest api ?
Are you creating this GitHub service connection?
If so, you should use EndPoints-Create API and your Json Body can follow this format:
{
"authorization": {
"scheme": "Token",
"parameters": {"AccessToken": "YourGitHubPAT"}
},
"data": {},
"description": "",
"name": "YourServiceConnectionName",
"serviceEndpointProjectReferences": [{
"description": "",
"name": "YourServiceConnectionName",
"projectReference": {
"id": "YourProjectID",
"name": "YourProjectName"
}
}],
"type": "github",
"url": "https://github.com",
"isShared": false
}
We should enter the value of YourGitHubPAT, YourServiceConnectionName(twice in two points), YourProjectID and YourProjectName with your own values to make the body work. We can get YourProjectID via Projects-List API.
After running that in PostMan, I can verify it successfully without issues. I guess your issue may have something to do with your parameters. Use
"authorization": {
"scheme": "Token",
"parameters": {"AccessToken": "<Github_Personal_Access_Token>"}
},
Instead of
"authorization": {
"scheme": "PersonalAccessToken",
"parameters": {"accessToken": "<Github_Personal_Access_Token>"}
Update about how to enable grant access to all pipelines:
Dislike other elements like Token, Name and Description, Grant Access Permissions to all pipelines option is managed by another API.
API to enable this option:
https://dev.azure.com/{YourOrganizationName}/{YourProjectName}/_apis/pipelines/pipelinePermissions/endpoint/{YourEndPointID}?api-version=5.1-preview.1
Body:
{
"resource": {
"id": "YourEndPointID",
"type": "endpoint",
"name": ""
},
"pipelines": [],
"allPipelines": {
"authorized": true,
"authorizedBy": null,
"authorizedOn": null
}
}
Note: We need to enter EnterPointID in URL and Body. (Twice!)
In PostMan, you should use PATCH method and application/json type. The YourEndPointID is ServiceConnectionID, you can get this value from EndPoints-Create API's response.
So normally to create a service connection with "Grant Access to All..." enabled, we should run Endpoints-Create first and then run the second API to enable this option.
(And this is the same behavior in Web Portal. When we click Verify and Save button in web browser, it actually also calls these two APIs to complete the process.)
I developed a side-by-side app using Java + SAP Cloud SDK (Neo). The app adds records to a custom business object.
The app was working fine when I concluded development in February. Now, I need to do some additional improvements, but I can add records anymore.
I am getting the error SCBO_AUTHORIZATION/000 - You are not authorized to create XXXXXXX instance.
I assigned CBO to a business role, the custom communication scenario along with communication arrangement is in place. I tested already the service (metadata) and the user is not locked.
Here´s the error sent back from the backend:
2020 05 27 19:36:55#+00#ERROR#com.sap.cloud.extensibility.services.CockpitServiceImp##PHENRIQUE#https-jsse-nio-8041-exec-8#na#fzrl99axqb#csccapplication2#web#fzrl99axqb#na#na#na#na#Error building up cockpit. com.sap.cloud.sdk.s4hana.datamodel.odata.helper.ODataVdmErrorResultHandler$ErpODataException: The endpoint responded with HTTP error code 400.
You're not authorized to create CSCCOCKPIT instance.
Full error message:
{
"error": {
"code": "SCBO_AUTHORIZATION/000",
"message": {
"lang": "en",
"value": "You\\u0027re not authorized to create CSCCOCKPIT instance."
},
"innererror": {
"application": {
"component_id": "BC-ESI-ESF-GW",
"service_namespace": "/SAP/",
"service_id": "YY1_CSCCOCKPIT_CDS",
"service_version": "0001"
},
"transactionid": "338BDCAE69170270E005EC3E361F2498",
"timestamp": "20200527193655.5607910",
"Error_Resolution": {
"SAP_Transaction": "For backend administrators: use ADT feed reader \\"SAP Gateway Error Log\\" or run transaction /IWFND/ERROR_LOG on SAP Gateway hub system and search for entries with the timestamp above for more details",
"SAP_Note": "See SAP Note 1797736 for error analysis (https://service.sap.com/sap/support/notes/1797736)"
},
"errordetails": [
{
"code": "SCBO_AUTHORIZATION/000",
"message": "You\\u0027re not authorized to create CSCCOCKPIT instance.",
"propertyref": "",
"severity": "error",
"transition": true,
"target": ""
}
]
}
}
}
Could someone give a clue on where could the issue be?
BR,
Pietro
The error happened because all the fields in the custom business object in S/4Hana Cloud were set as "read-only".
I'm looking for help of somebody who knows something about Jira add-ons.
I'm trying to implement Jira add-on with an ability to create issues on behalf of a user.
So, I completed all steps (as I think) leading me to my goal, but I faced a problem with impersonating. When I try to create an issue using Jira REST API, I receive the following error:
{
"error": "Add-on 'com.example.myapp' disallowed to impersonate the user because 'no valid active user exists'"
}
What was done:
Folowing the getting started tutorial I created the add-on descriptor:
{
"name": "Hello World",
"description": "Atlassian Connect app",
"key": "com.example.myapp",
"baseUrl": "https://url.ngrok.io",
"vendor": {
"name": "Example, Inc.",
"url": "http://example.com"
},
"authentication": {
"type": "jwt"
},
"scopes": [
"act_as_user",
"read",
"write",
],
"lifecycle": {
"installed": "/api/created",
},
"apiVersion": 1
}
I also implemented webhook to handle 'installed' callback from add-on like described here. So, when a user installs the add-on the webhook will receive the following object:
{
'key': 'com.example.myapp',
'clientKey': '<client key>',
'oauthClientId': '<OAuth client ID>',
'publicKey': '<public key>',
'sharedSecret': '<shared secret>',
'serverVersion': '100095',
'pluginsVersion': '1.250.0',
'baseUrl': 'https://<user's domain>.atlassian.net',
'productType': 'jira',
'description': 'Description',
'eventType': 'installed'
}
Using this data I generated JWT signed with the shared secret like described in the tutorial. So, my JWT payload includes the following claims:
{
'iss': 'urn:atlassian:connect:clientid:<OAuth client ID>',
'sub': 'urn:atlassian:connect:useraccountid:<client key>',
'tnt': 'https://<user's domain>.atlassian.net',
'iss': '<created at>',
'exp': '<created at + 1 minute>'
}
The next step I performed is access token generation using auth.atlassian.io/oauth2/token endpoint and the following parameters:
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<my JWT>&scope=ACT_AS_USER READ WRITE
The result of all these actions is an access token witch I can use to perform REST API requests. But the error described above returned every time I try to create Jira issue performing POST [user's domain].atlassian.net/rest/api/2/issue/ with Authorization: Bearer [access_token] header.
What I've noticed is that account ID in installed callback object (clientKey) has 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' (uuid) format. But when I open my account in Jira (account in witch the add-on is installed) I see that the account ID in URL has 'YYYYYY:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' format. I prepended the subject in my JWT payload with YYYYYY part:
'sub': 'urn:atlassian:connect:useraccountid:'YYYYYY:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
and generated a new access token using this JWT. I've used new access token to create an issue and it was successfully created, the reporter of the issue is a user installed my add-on, just like I wished.
Finally, the question is: where can I find that YYYYYY part for my add-on? How to get it automatically? What I've missed following the tutorials? Any help will be appreciated.
Thank you!