Remove Account API can't be called with API Token (PAT/UserContextAuth)

What problem are you observing?

I have created an API Token and I have given it the permission sp:scopes:all (as instructed in Remove Account API + API Token Scope).

The call to delete-account-async | SailPoint Developer Community fails with HTTP 403 Forbidden.

{"detailCode":"403 Forbidden","trackingId":"da91d8e6791b4ce78128b625a07b67d7","messages":[{"locale":"en-US","localeOrigin":"DEFAULT","text":"The server understood the request but refuses to authorize it."},{"locale":"und","localeOrigin":"REQUEST","text":"The server understood the request but refuses to authorize it."}],"causes":[]}

The call succeeds if I use a Personal Access Token (PAT), as an admin with sp:scopes:all.

What is the correct behavior?

I may have missed it, but I don’t find in the documentation where it is mentioned that we need to create a PAT and cannot use an API Key:

So I think either the documentation is wrong/incomplete, or the API doesn’t accept a valid API token.

What product feature is this related to?

ISC

What are the steps to reproduce the issue?

Do you have any other information about your environment that may help?

No.

It’s not very intuitive, but if an API endpoint says it needs “UserContextAuth” in the Authorization box, then it requires a PAT or authorization code grant type.

This particular endpoint requires a user context, so a PAT will work.

Let’s take this API endpoint as a counterexample: get-account | SailPoint Developer Community

I have the following API Key (client credentials):

I am allowed to use this API key to call the get-account API, and I do NOT have to use a PAT.
Why is this possible?


I’ve now noticed that for the beta API we have these required scopes:

scopes: idn:accounts:read,idn:accounts:manage

but for the v3 we have:

scopes: idn:accounts:read

Using just the scope idn:accounts:manage I am able to call both the beta and the v3 endpoints. Why is that?
Should I not need idn:accounts:read for both of them? Is the documentation incorrect or the security check incorrect?
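The two questions raised in this thread (which credential type an endpoint marked “UserContextAuth” accepts, and whether the credential's scopes cover the scopes the API reference lists) can be checked before a request is sent, so a 403 is not the first hint that the wrong token type was used. The following preflight script is an added example and is not SailPoint's code or part of the thread; the endpoint catalogue is a hypothetical one built from the endpoints discussed above, the rule that sp:scopes:all covers every scope is an assumption taken from how the thread uses that scope, and the 403 body is the one quoted in the original post, embedded here as a constructed sample. The scope check compares against the documented scopes, so the mismatch the last post observes (idn:accounts:manage alone being accepted) shows up as a documentation/enforcement discrepancy rather than being silently reproduced.

```python
import json
from dataclasses import dataclass

# Constructed sample: the 403 body quoted in the original post, verbatim.
SAMPLE_403_BODY = (
    '{"detailCode":"403 Forbidden","trackingId":"da91d8e6791b4ce78128b625a07b67d7",'
    '"messages":[{"locale":"en-US","localeOrigin":"DEFAULT","text":"The server understood '
    'the request but refuses to authorize it."},{"locale":"und","localeOrigin":"REQUEST",'
    '"text":"The server understood the request but refuses to authorize it."}],"causes":[]}'
)

# Hypothetical catalogue (assumption): "auth" is the label shown in the Authorization
# box of the API reference, "scopes" are the scopes the reference lists for the endpoint.
ENDPOINTS = {
    "delete-account-async": {"auth": "UserContextAuth", "scopes": {"sp:scopes:all"}},
    "get-account (v3)": {"auth": "ClientCredentials", "scopes": {"idn:accounts:read"}},
    "get-account (beta)": {"auth": "ClientCredentials",
                           "scopes": {"idn:accounts:read", "idn:accounts:manage"}},
}

# Credential kinds that carry a user context (per the reply in the thread:
# a PAT or an authorization-code grant). A plain API client does not.
USER_CONTEXT_KINDS = {"pat", "authorization_code"}

# Assumption: sp:scopes:all is treated as a wildcard covering every scope.
ALL_SCOPES = "sp:scopes:all"


@dataclass
class Credential:
    kind: str        # "api_client", "pat" or "authorization_code"
    scopes: set      # scopes granted to the credential


def scopes_satisfied(granted, required):
    """True when the granted scopes cover every documented required scope."""
    granted = set(granted)
    if ALL_SCOPES in granted:
        return True
    return set(required) <= granted


def preflight(endpoint, cred):
    """Return a list of reasons the call is expected to be refused (empty = looks fine)."""
    spec = ENDPOINTS[endpoint]
    problems = []
    if spec["auth"] == "UserContextAuth" and cred.kind not in USER_CONTEXT_KINDS:
        problems.append(
            f"{endpoint} requires UserContextAuth; a '{cred.kind}' credential has no user "
            "context, use a PAT or an authorization-code token")
    missing = set(spec["scopes"]) - set(cred.scopes)
    if not scopes_satisfied(cred.scopes, spec["scopes"]):
        problems.append(
            f"{endpoint} documents scopes {sorted(spec['scopes'])}; missing {sorted(missing)}")
    return problems


def summarize_error(body):
    """Pull the fields worth logging out of an ISC error body (status, trackingId, text)."""
    data = json.loads(body)
    text = next((m.get("text") for m in data.get("messages", [])
                 if m.get("locale") == "en-US"), None)
    return {
        "status": data.get("detailCode"),
        "tracking_id": data.get("trackingId"),   # quote this when opening a support case
        "message": text,
        "causes": data.get("causes", []),
    }


if __name__ == "__main__":
    api_client = Credential("api_client", {ALL_SCOPES})
    pat = Credential("pat", {ALL_SCOPES})
    manage_only = Credential("api_client", {"idn:accounts:manage"})
    for name, cred in [("API client", api_client), ("PAT", pat), ("manage-only client", manage_only)]:
        for endpoint in ENDPOINTS:
            print(f"{name:20s} -> {endpoint:22s}: {preflight(endpoint, cred) or 'ok'}")
    print(summarize_error(SAMPLE_403_BODY))
```

Running the script reproduces the situation in the thread: the API client with sp:scopes:all is flagged only on delete-account-async, the PAT passes everywhere, and the manage-only client is flagged against both get-account variants because idn:accounts:read is documented as required even though the server accepted the call.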