I'm using the VMWare Identity Manager API. To get a token, I make a POST to /SAAS/auth/oauthtoken and get back a response:
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.wpNm_fYRwm8CUUgPunhxXOGmqq2cwKyP5KsfGUmIYkbWVmUcliOYfT8xH1eID-stI_EcEPZFc-cX585IX9_PwxS8r5sLAK2UJEPaTSQWrsxag2JTuPIG_JtG6ud6YQgavkZolBJUFNFDW_B8OoguIDgJ267gUTDJzTFyHpsMHaA",
"token_type": "Bearer",
"expires_in": 10799,
"refresh_token": "2sCURRhqbrPfEthn9KorfJikk2lf5APL",
"scope": "admin"
}
When I try to use this token on an endpoint like /SAAS/jersey/manager/api/scim/Users or /SAAS/jersey/manager/api/entitlements/search I get a 403:
{
"Errors": [
{
"code": "403",
"description": "User is not authorized to perform the task."
}
]
}
The problem is that it doesn't matter what username value I use to get the token. A token is always issued. It's just never valid.
Has anyone ever seen anything like this before?
I ran into the same issue and found the solution:
When you send the request with your access_token as a Bearer token you are authorized to perform the operation.
Postman example:
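The same flow as the answer describes, written as an added Python example (this is not code from the original post or from VMware): the token response is turned into an Authorization: Bearer header, the request is sent, and the error envelope from the question is parsed on a 403. The JWT header segment is the real one from the post; the payload, the signature, the host idm.example.com, the claim names in the constructed payload and the FakeIdmOpener stand-in server are all assumptions made so the example runs offline. The unverified JWT decode is for inspecting scope and expiry while debugging only, never for an authorization decision.

```python
import base64
import io
import json
import urllib.error
import urllib.request

# --- constructed sample data (not from the original post) -------------------
# The header segment is the one shown in the question ({"typ":"JWT","alg":"RS256"});
# the payload and signature below are made up because the page elides them.
_SAMPLE_PAYLOAD = base64.urlsafe_b64encode(
    json.dumps({"sub": "admin@example.com", "scope": "admin", "exp": 4102444800}).encode()
).rstrip(b"=").decode()
SAMPLE_ACCESS_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9." + _SAMPLE_PAYLOAD + ".c2lnbmF0dXJl"
SAMPLE_TOKEN_RESPONSE = {
    "access_token": SAMPLE_ACCESS_TOKEN,
    "token_type": "Bearer",
    "expires_in": 10799,
    "refresh_token": "2sCURRhqbrPfEthn9KorfJikk2lf5APL",
    "scope": "admin",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, payload) of a JWT WITHOUT verifying the signature.

    Use it only to look at scope/expiry while debugging a 403; never base an
    authorization decision on these values.
    """
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def bearer_headers(token_response: dict) -> dict:
    """Build the headers the answer describes: access_token goes into an
    Authorization header, prefixed with the token_type the server returned."""
    return {
        "Authorization": f"{token_response['token_type']} {token_response['access_token']}",
        "Accept": "application/json",
    }


def parse_idm_errors(body: bytes) -> list[tuple[str, str]]:
    """Extract (code, description) pairs from the error envelope shown in the
    question: {"Errors":[{"code":"403","description":"..."}]}. Non-JSON -> []."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    return [(e.get("code", ""), e.get("description", "")) for e in doc.get("Errors", [])]


def call_idm(base_url: str, path: str, token_response: dict, opener=urllib.request.urlopen):
    """GET an Identity Manager endpoint with the bearer token.

    Returns (status, parsed JSON) on success or (status, error list) on an HTTP
    error. `opener` is injectable so the flow can be exercised without a server.
    """
    req = urllib.request.Request(base_url.rstrip("/") + path, headers=bearer_headers(token_response))
    try:
        with opener(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, parse_idm_errors(err.read())


class _FakeResponse:
    def __init__(self, status: int, body: bytes):
        self.status, self._body = status, body

    def read(self) -> bytes:
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeIdmOpener:
    """Constructed stand-in for the server (assumption, not VMware's behaviour):
    answers 403 with the envelope from the question unless the request carries
    exactly the expected Bearer header, otherwise a minimal SCIM list response."""

    def __init__(self, expected_token: str):
        self.expected = f"Bearer {expected_token}"

    def __call__(self, req: urllib.request.Request):
        if req.get_header("Authorization") != self.expected:
            body = json.dumps({"Errors": [{"code": "403",
                               "description": "User is not authorized to perform the task."}]}).encode()
            raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", {}, io.BytesIO(body))
        return _FakeResponse(200, json.dumps({"totalResults": 0, "Resources": []}).encode())


if __name__ == "__main__":
    hdr, claims = decode_jwt_unverified(SAMPLE_ACCESS_TOKEN)
    print("alg:", hdr["alg"], "| scope claim:", claims.get("scope"), "| exp:", claims.get("exp"))
    server = FakeIdmOpener(SAMPLE_ACCESS_TOKEN)
    users_path = "/SAAS/jersey/manager/api/scim/Users"
    print("with bearer header:", call_idm("https://idm.example.com", users_path, SAMPLE_TOKEN_RESPONSE, opener=server))
    wrong = dict(SAMPLE_TOKEN_RESPONSE, access_token="not-the-issued-token")
    print("with wrong token:  ", call_idm("https://idm.example.com", users_path, wrong, opener=server))
```

Against a real tenant, drop the `opener=` argument so urllib sends the request; if the 403 persists even with the header set correctly, decoding the token's payload is the quickest way to see whether the scope or subject the server put in it is what you expected before raising it with the server side.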