VMware Workspace ONE Community
melvinj

VMware Identity Manager API: Any user gets a token, but operations using that token get 403

I'm using the VMware Identity Manager API. To get a token, I make a POST to /SAAS/auth/oauthtoken and get back a response:

{
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.wpNm_fYRwm8CUUgPunhxXOGmqq2cwKyP5KsfGUmIYkbWVmUcliOYfT8xH1eID-stI_EcEPZFc-cX585IX9_PwxS8r5sLAK2UJEPaTSQWrsxag2JTuPIG_JtG6ud6YQgavkZolBJUFNFDW_B8OoguIDgJ267gUTDJzTFyHpsMHaA",
    "token_type": "Bearer",
    "expires_in": 10799,
    "refresh_token": "2sCURRhqbrPfEthn9KorfJikk2lf5APL",
    "scope": "admin"
}

When I try to use this token on an endpoint like /SAAS/jersey/manager/api/scim/Users or /SAAS/jersey/manager/api/entitlements/search I get a 403:

{
    "Errors": [
        {
            "code": "403",
            "description": "User is not authorized to perform the task."
        }
    ]
}

The problem is that it doesn't matter what username value I use to get the token.  A token is always issued.  It's just never valid.  

Has anyone ever seen anything like this before? 


Accepted Solutions
JitseH

I ran into the same issue and found the solution:

When you send the request with your access_token as a Bearer token, you are authorized to perform the operation.

Postman example:

[Image: pastedImage_0.png]
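
The fix from the accepted answer, as an added example that is not part of the original thread: the access_token goes in an `Authorization: Bearer <token>` request header. `StubTenant`, `TOKEN`, `call_api` and `demo` are constructed for illustration; the stub's behaviour is an assumption modelled on the 403 body in the question, not the real service.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SCIM_USERS = "/SAAS/jersey/manager/api/scim/Users"  # endpoint named in the question
TOKEN = "constructed-sample-token"  # placeholder, not a real access_token
FORBIDDEN = {"Errors": [{"code": "403", "description": "User is not authorized to perform the task."}]}
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

class StubTenant(BaseHTTPRequestHandler):
    """Constructed local stand-in for the tenant: accepts only 'Bearer <TOKEN>'."""
    def do_GET(self):
        ok = self.headers.get("Authorization") == f"Bearer {TOKEN}"
        data = json.dumps({"Resources": []} if ok else FORBIDDEN).encode()
        self.send_response(200 if ok else 403)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass

def call_api(base_url, path, access_token, scheme="Bearer"):
    """GET base_url+path with the token in the Authorization header; returns (status, json)."""
    req = urllib.request.Request(base_url + path, headers={"Accept": "application/json"})
    if access_token is not None:
        req.add_header("Authorization", f"{scheme} {access_token}".strip())
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a JSON error body
        return err.code, json.load(err)

def demo():  # runs the three header variants against the local stub
    server = HTTPServer(("127.0.0.1", 0), StubTenant)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return {
            "bearer": call_api(base, SCIM_USERS, TOKEN)[0],
            "no_header": call_api(base, SCIM_USERS, None)[0],
            "wrong_scheme": call_api(base, SCIM_USERS, TOKEN, scheme="")[0],
        }
    finally:
        server.shutdown()
        server.server_close()
```

Against a real tenant, `base_url` would be the tenant's HTTPS address and `access_token` the value returned by /SAAS/auth/oauthtoken.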
