API read scopes - 403 forbidden error

Hey,
I created an API client with all the read scopes.
Still, I’m having an issue getting a few endpoints. Can you help me understand why I get a 403 error?
The endpoints are:
List Personal Access Tokens
List OAuth Clients
Configuration of a MFA method
List Identities
List Campaigns

{"messages":[{"text":"The server understood the request but refuses to authorize it.","locale":"en-US"},{"localeOrigin":"REQUEST","text":"The server understood the request but refuses to authorize it"}],"detailCode":"403 Forbidden"}

Hi Yuval!

After you generate your Personal Access Token (PAT), which includes your Client ID and Secret, you need to generate an access token using those credentials. That access token is then used on API calls. Here is some additional documentation on this. This link points you to the Choose Authorization Grant Flow section, but it sounds like you would want to use Option #2, Authorization Code.

Please let me know if this helps!

Thank you,

Zach

Hey Zach,
I do use Client Credentials and get an access token.
When I send the access token to the following endpoints I get the error.
I do get some other endpoints with no error - so I can say the access token is approved.

Can this be the issue?

INFO
You can also get a 403 Forbidden response error when you call an API that expects a user, but your authorization grant type lacks a user context. Calling most admin APIs with a CLIENT_CREDENTIAL grant often produces this result.

Just to confirm, it sounds like you’re using client creds generated for an application (Security Settings → API Management) instead of generating a personal access token (PAT) for a user (Preferences → Personal Access Tokens).

Assuming that’s the case, it’s good to know that not all API endpoints support these application client credentials because they have not yet defined scopes to access them.

The easiest way to find out is to click on the Authorization box and see if it has scopes defined. In the case of get-active-campaigns, there are none.
[image]

However, if you look at the list-accounts endpoint, it specifically lists the scopes required.
[image]

Can this be the issue?

Yes, that’s exactly the issue.

If an endpoint does not have scopes defined, it doesn’t support application API creds and requires a user PAT.

I do use CLIENT_CREDENTIALS.
I provided the OAuth client ALL read scopes.

But I still get 403 in endpoints with scopes detailed in the API references.
All of the below have scopes in the authorization box.

I do get 200 in the following endpoints:
https://sailpoint.api.identitynow.com/v3/sources
and also
https://sailpoint.api.identitynow.com/v3/roles/:id/assigned-identities

BUT
e.g: campaigns
Request:
https://{tenant_name}.api.identitynow.com/beta/campaigns?offset=0

The error response:

{"detailCode":"403 Forbidden","trackingId":"4a59625030f14ad88064a3737510e262","messages":[{"locale":"en-US","localeOrigin":"DEFAULT","text":"The server understood the request but refuses to authorize it."},{"locale":"und","localeOrigin":"REQUEST","text":"The server understood the request but refuses to authorize it."}],"causes":[]}
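The thread separates two reasons for a 403 from the IdentityNow API: the endpoint's Authorization box lists no scopes at all (so a client_credentials token, which carries no user, is refused and a user PAT is needed), or the token simply lacks a listed scope. The following Python is an added diagnostic example written for this post; it is not code from the thread or from SailPoint. It decodes a token's payload without verifying it, compares the scopes it carries with what the Authorization box lists, and extracts the trackingId from an error body such as the one above. The claim names `scope`, `user_name` and `identity_id`, the scope values `example:read` and `example:write`, and the two unsigned tokens are constructed assumptions for the example; check the claims your own tenant issues before relying on them.

```python
import base64
import json

# Claim names consulted below are assumptions about the token layout, not
# documented SailPoint claim names; adjust them to what your tenant issues.
SCOPE_CLAIM = "scope"
USER_CLAIMS = ("user_name", "identity_id")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the unverified claims of a JWT. Diagnostic use only: nothing here
    checks the signature, so never use this to make a trust decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_scopes(claims: dict) -> set:
    """Normalise the scope claim whether it is a space-separated string or a list."""
    raw = claims.get(SCOPE_CLAIM, [])
    if isinstance(raw, str):
        raw = raw.split()
    return set(raw)


def has_user_context(claims: dict) -> bool:
    """A client_credentials token carries no user; a PAT or auth-code token does."""
    return any(claims.get(name) for name in USER_CLAIMS)


def parse_error(body: str) -> dict:
    """Pull the fields worth quoting to support out of an IdentityNow error body."""
    data = json.loads(body)
    return {
        "detailCode": data.get("detailCode"),
        "trackingId": data.get("trackingId"),
        "messages": [m.get("text") for m in data.get("messages", [])],
    }


def diagnose_403(token: str, required_scopes: set) -> str:
    """Explain a 403 using the two causes described in the thread.
    required_scopes is what the endpoint's Authorization box lists; pass an
    empty set when the box lists none."""
    claims = decode_jwt_payload(token)
    if not required_scopes:
        if not has_user_context(claims):
            return "endpoint lists no scopes: it needs a user PAT, not client_credentials"
        return "endpoint lists no scopes and token has a user; check the user's own rights"
    missing = required_scopes - token_scopes(claims)
    if missing:
        return "token lacks required scope(s): " + ", ".join(sorted(missing))
    return "scopes and grant look right; quote the trackingId to support"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the example runs offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'


# Constructed sample tokens: one from a client_credentials grant (no user),
# one from a user PAT. Scope values are placeholders, not real IdentityNow scopes.
CLIENT_CREDS_TOKEN = make_unsigned_token({"client_id": "example-client", "scope": ["example:read"]})
PAT_TOKEN = make_unsigned_token({"user_name": "example.user", "scope": "example:read example:write"})

# The error body quoted in the post above.
ERROR_BODY = (
    '{"detailCode":"403 Forbidden","trackingId":"4a59625030f14ad88064a3737510e262",'
    '"messages":[{"locale":"en-US","localeOrigin":"DEFAULT","text":"The server understood '
    'the request but refuses to authorize it."},{"locale":"und","localeOrigin":"REQUEST",'
    '"text":"The server understood the request but refuses to authorize it."}],"causes":[]}'
)

if __name__ == "__main__":
    print(parse_error(ERROR_BODY))
    print(diagnose_403(CLIENT_CREDS_TOKEN, set()))          # no scopes listed, no user
    print(diagnose_403(CLIENT_CREDS_TOKEN, {"example:write"}))  # scope listed but not granted
    print(diagnose_403(PAT_TOKEN, {"example:read"}))         # should not be a scope problem
```

Run it against a real token by replacing the constructed ones with the access token you actually send, and fill `required_scopes` from the endpoint's Authorization box. When the last branch is reached (grant type and scopes both look right, as in the campaigns call above), the `trackingId` from `parse_error` is the value to quote to support, since it identifies the refused request on the server side.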

Just pinging this chat for the follow because I am seeing this issue too with API tokens that DO have the scope and are still throwing 403…
