Not able to call ISC apis from a Web Service source

gourab · June 1, 2024, 5:27pm

Hi Team,
We are building an Webservice connector type application . To do provisioning in target system we need some details from ISC , so we have planned to use ISC api inside that source.
We are trying to generate ISC access_token 1st to call rest of the apis but whenever we are trying /oauth/token api call using curl from web service operation it is throwing 401 unauthorised error. But same curl is generating access_token from postman and directly from VA itself .
Anyone faced this kind of situation ?

Thanks
Gourab

kjakubiak · June 1, 2024, 5:32pm

Could you please elaborate your usecase? Most of the data you have in ISC should be accessible directly in the connector so I cant really imagine why you may need to call ISC API.

Regarding 401 response - are you sure you use same credentials as the ones in postman?

gourab · June 1, 2024, 5:37pm

To add entitlements to target system we need some entitlement metadata like owner , etc (what we have configured as entitlement schema), we need to construct a json body and call target system api to set that to the user.
To get the details OOTB we have thought we have an get entitlement api , so we can call it 1st to fetch those details.

Yes im using same client id and secret what I’m using in postman

kjakubiak · June 1, 2024, 5:44pm

Wouldn’t it be easier to make a before operation rule or before provisioning rule to add this information directly from ISC?

MVKR7T · June 1, 2024, 7:47pm

I guess you are avoiding Before Provisioning Rule as it is cloud based Rule. You need to fetch some identity data for your request, so you are calling APIs.

Never tried, but it should work.

Are you sure that 401 is from token generation, as it doesn’t require any authentication. Maybe from other API call ?

Other possibility is, your VA might be blocking those API calls.

Thanks
Krish

gourab · June 2, 2024, 5:35pm

Hi @MVKR7T ,
Thank you for your response. Yes, you’re right. I’m trying to avoid using cloud rules.

I have been checking the VA logs, and what I have observed is that when I try to get the ISC token using the curl command, it actually adds an extra header taken from the source target system configuration(looks like {authorization: Basic ***}). Perhaps that is the issue causing the 401 error.

MVKR7T · June 2, 2024, 5:55pm

Cool, maybe can you share the code by masking sensitive data, so that we can have a look and suggest you some fix.

Thanks
Krish

jrossicare · June 3, 2024, 2:56am

you can use a before operation rule. That is connector based and not cloud based.

In there you can make ISC API calls.

To authenticate, all you need is your PAT Client ID and secret.

    String authenticate(String url, String clientId, String clientSecret) throws Exception {
        //log.error(logPrefix + "WSlookup - start authenticate");
        WebServicesClient client = new WebServicesClient();
        Map args = new HashMap();
        Map header = new HashMap();
        Map payload = new HashMap();
        List allowedStatuses = new ArrayList();
        String request = String.format("%s/oauth/token?grant_type=client_credentials&client_id=%s&client_secret=%s", url, clientId, clientSecret);
        args.put(WebServicesClient.ARG_URL, request);
        header.put("Accept", "application/json");
        allowedStatuses.add("200");
        client.configure(args);
        try {
            String response = client.executePost(request, payload, header, allowedStatuses);
            //log.error(logPrefix + "WSlookup - Authenticate - response: " + response);
            Map responseMap = JsonUtil.toMap(response);
            String accessToken = (String) responseMap.get("access_token");
            log.error(logPrefix + "IDN Authentication successful- got accessToken");
            return accessToken;
        } catch (Exception e) {
            throw new Exception(String.format("IDN Authentication failed: %s", e.getMessage()));
        }
    }

MVKR7T · June 3, 2024, 6:43am

Thanks for sharing the sample code, Before Provisioning Rule is a Cloud Rule.

Check Rules doc for more info, Cloud Executed Rules | SailPoint Developer Community

jrossicare · June 3, 2024, 6:50am

Thanks for pointing out the typo.

I have edited my above post to say Before Operation rule. As that is the connector based one.

gourab · June 3, 2024, 8:00am

Thanks @jrossicare
I will give it a try

system · August 2, 2024, 8:00am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Web Service Connector Calling ISC API ISC Discussion and Questions webservice-connector , identity-security-cloud	8	92	September 8, 2024
Message: 401 : Unauthorized, HTTP Error Code: 401 ISC Discussion and Questions webservice-connector , apis , identity-security-cloud	3	147	October 27, 2024
Unable to generate Access Token ISC Discussion and Questions webservice-connector , identity-security-cloud	7	292	August 16, 2024
User authentication for API calls ISC Discussion and Questions apis , identity-security-cloud	3	33	October 16, 2024
Unable to make API call from postman ISC Discussion and Questions apis , identity-security-cloud , postman	5	38	October 12, 2024

Not able to call ISC apis from a Web Service source

Related topics