jtran7 | 2024-03-12 19:47:33 UTC | #1
I been trying to execute the /api/v2/outbound/dnclists/{dncListId}/phonenumbers API via Python using the client credential OAUTH but I keep getting these unauthorized exception. I have all the admin and developer roles assigned to my client. Is there something I'm missing?
Exception when calling OutboundApi->postoutbounddnclist_phonenumbers: (401)
HTTP response body: {"message":"No authentication bearer token specified in authorization header.","code":"authentication.required","status":401,"}
tim.smith | 2024-03-11 15:23:43 UTC | #2
jtran7, post:1, topic:25121
I have all the admin and developer roles assigned to my client. Is there something I'm missing?
The error is indicating that you're not sending an auth token, not that it's valid and lacking permissions. Be sure to look through your code and make sure you're initializing things properly and are setting the access token correctly before making requests.
jtran7 | 2024-03-12 19:47:09 UTC | #3
tim.smith, post:2, topic:25121
an auth token, not that it's valid and lacking permissions. Be sure to look through your code and make sure you're initializing things properly and are setting the access token correctly before making requests.
I been assigning the client
id and clientsecret (variables I used) with the one I get from my Oauth. Odd I doubled checked and even used a new one and still getting me the same error. Could it be the code I'm using to pass them in. Said "invalid client" and "client not found"
PureCloudPlatformClientV2.apiclient.ApiClient().getclientcredentialstoken(clientid, clientsecret)
tim.smith | 2024-03-11 15:46:10 UTC | #4
jtran7, post:3, topic:25121
Said "invalid client" and "client not found"
If authorization fails, all subsequent API requests will also fail because they lack valid authorization. There are two common causes for this: typos and not setting the region to the same region where the credentials are from. https://developer.genesys.cloud/devapps/sdk/docexplorer/purecloudpython/#setting-the-environment
jtran7 | 2024-03-11 16:26:34 UTC | #5
I think I figured out why its happening I basically gave the OutboundApi() instance the token I got from my API; Thou now I'm getting permission errors. Is this still related to the roles assigned? I checked and I have all the permission for adding outbound dnc selected including all the admin accounts.
Is there a section we need to enable on the code side to assign that missing permission? Or is it because it doesn't like using client credential Oauth
"message":"Unable to perform the requested action. You must have at least one of the following permissions assigned: [outbound:dnc:add]
tim.smith | 2024-03-11 16:35:35 UTC | #6
jtran7, post:5, topic:25121
I checked and I have all the permission for adding outbound dnc selected including all the admin accounts.
jtran7, post:5, topic:25121
You must have at least one of the following permissions assigned: [outbound:dnc:add]
Keep in mind that you, as a user, are not client credentials. The "you" in this error message is referring to the OAuth client. Your user account may have permission to do things and it will work when you're signed in to API Explorer as your user, but the client credentials you've created have their own permissions that are granted to it based on the roles configured for the client. https://help.mypurecloud.com/articles/about-people-permissions/
jtran7 | 2024-03-11 16:42:59 UTC | #7
Yea that's the thing I added almost all the admin and dnc permission to my oauth role. Maybe it takes time for it get the information.
jtran7 | 2024-03-11 16:45:58 UTC | #8
I'll see if one of my roles I assigned to that client needs more permission. I guess just giving them all the DNC permission isn't enough.
tim.smith | 2024-03-11 16:48:45 UTC | #9
It requires the permission stated in the error message. Once you've granted that permission to a role assigned to the oauth client, wait 10 mins just to rule out any caching issue. Then run the app again to get a new token and see if it works. If you continue to get the 403 and are sure your configuration is correct, please open a case with Genesys Cloud Care to investigate further.
jtran7 | 2024-03-11 18:04:51 UTC | #10
Yep I think it definitely needed a refresh of a new token. It worked now after I got a new one. Thanks.
AshaIT | 2024-03-12 19:27:08 UTC | #11
@tim.smith I am also getting exactly same error and I have all roles and permissions assigned
{ "message": "No authentication bearer token specified in authorization header.", "code": "authentication.required", "status": 401, "messageParams": {}, "contextId": "b856992b-3d3b-487f-aeff-73ae8c1a80dd", "details": [ { "errorCode": "ACTION.REMOTE_ENDPOINT" }
I am trying to understand the following:
I already have client Id and secret configured for earlier version of SAP CRM 7, Now I want to use same for SAP Hana, Can i ?
tim.smith | 2024-03-12 19:29:12 UTC | #12
AshaIT, post:11, topic:25121
I am also getting exactly same error and I have all roles and permissions assigned
AshaIT, post:11, topic:25121
"status": 401,
Same as above, a 401 means you're not sending an auth token.
AshaIT | 2024-03-12 19:33:38 UTC | #13
I added a auth token manually in headers of request with x-api-key
do i need to share client id and secret with SAP hana team ?
tim.smith | 2024-03-12 19:35:52 UTC | #14
I don't know anything about SAP, but you would need to configure it to make requests per the documentation: https://developer.genesys.cloud/authorization/platform-auth/use-client-credentials
AshaIT | 2024-03-12 19:42:05 UTC | #15
So for now we are not using OAuth and we have temporary solution with AWS secrets manager /AWS Lambda , In our request from genesys we need to enter URL and headers (Key and Token).
Moving forward once AWS design is implemented we will use Ouath.
tim.smith | 2024-03-12 19:45:27 UTC | #16
AshaIT, post:15, topic:25121
So for now we are not using OAuth
That's not an option. Genesys Cloud API authorization is exclusively OAuth. If you don't implement one of the supported OAuth flows, you can't get an auth token, and you can't make API requests.
AshaIT | 2024-03-12 20:08:08 UTC | #17
ok thx ! Can we test using postman with this temporary solution ?
tim.smith | 2024-03-12 20:13:13 UTC | #18
You can make requests to the Platform API directly from your browser using API Explorer: https://developer.genesys.cloud/devapps/api-explorer. There is a page about postman if you need to use that instead though.
AshaIT | 2024-03-13 18:27:24 UTC | #19
Hi @tim.smith
I am working on a solution Genesys --> AWS API Gateway ---> CRM(SAP), I need to understand flow using Oauth Authentication with Grant type Client Credentials. Pls share any details on this design and how a token is generated in Genesys or Postman.
Thanks
AshaIT | 2024-03-13 18:38:30 UTC | #20
APP is our CRM in this image ?
tim.smith | 2024-03-13 18:56:04 UTC | #21
AshaIT, post:19, topic:25121
I need to understand flow using Oauth Authentication with Grant type Client Credentials.
This is the documentation for how to implement the client credentials OAuth flow:
quote="tim.smith, post:14, topic:25121"] you would need to configure it to make requests per the documentation: [https://developer.genesys.cloud/authorization/platform-auth/use-client-credentials [/quote]
AshaIT, post:19, topic:25121
Genesys --> AWS API Gateway ---> CRM(SAP)
This is backwards. Your app makes requests to the Genesys Cloud API. API Gateway isn't involved here unless your SAP application makes requests to your API Gateway application that invokes something you didn't list (like a lambda function) to invoke the Genesys Cloud API.
AshaIT | 2024-03-13 19:26:27 UTC | #22
Yeah SAP makes requests to API gateway application and invoke Lambda function to invoke Genesys Cloud API
I went through Ouath doc
OAuth2.0 Roles
The idea of roles is part of the core specification of the OAuth2.0 authorization framework. These define the essential components of an OAuth 2.0 system, and are as follows:
- Resource Owner: The user or system that owns the protected resources and can grant access to them.
- Client: The client is the system that requires access to the protected resources. To access resources, the Client must hold the appropriate Access Token.
So I assume Resource Owner is Genesys Cloud and Client is SAP, Correct ?
an done thing more, Are you saying we do not need API gateway if we use Ouath ?
AshaIT | 2024-03-13 19:50:05 UTC | #23
The Authentication flow using Ouath as far as I understand between Genesys Cloud API and SAP:
1 . Create a Ouath Client
2.Authorize SAP Hana as a client in Genesys, Client ID and Secret is created for SAP in Genesys
- Client i.e SAP make a authorization request to Genesys Platform API an drequests for a Token
- Genesys sends a Token to be used by SAP i.e Client and token will expire in xyz seconds
tim.smith | 2024-03-13 20:08:46 UTC | #24
I've pointed to the documentation for getting an auth token using client credentials already. It's a single HTTP request. None of your other integrations, architecture, 3rd party software, etc. are relevant to making this HTTP request; the application that will use the auth token should make this request.
If you need to discuss this further, please start a new topic including the error you're getting when making this request.
tim.smith | 2024-03-13 20:08:51 UTC | #25
This post was migrated from the old Developer Forum.
ref: 25121