0 Replies Latest reply on Oct 12, 2018 8:53 AM by melvinj

    VMware Identity Manager API: Any user gets a token, but operations using that token get 403

    melvinj Lurker

      I'm using the VMware Identity Manager API.  To get a token, I make a POST to /SAAS/auth/oauthtoken and get back a response:

      {
          "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.….wpNm_fYRwm8CUUgPunhxXOGmqq2cwKyP5KsfGUmIYkbWVmUcliOYfT8xH1eID-stI_EcEPZFc-cX585IX9_PwxS8r5sLAK2UJEPaTSQWrsxag2JTuPIG_JtG6ud6YQgavkZolBJUFNFDW_B8OoguIDgJ267gUTDJzTFyHpsMHaA",
          "token_type": "Bearer",
          "expires_in": 10799,
          "refresh_token": "2sCURRhqbrPfEthn9KorfJikk2lf5APL",
          "scope": "admin"
      }


      When I try to use this token on an endpoint like /SAAS/jersey/manager/api/scim/Users or /SAAS/jersey/manager/api/entitlements/search I get a 403:

      {
          "Errors": [
              {
                  "code": "403",
                  "description": "User is not authorized to perform the task."
              }
          ]
      }


      The problem is that it doesn't matter what username value I use to get the token.  A token is always issued.  It's just never valid.  

       

      Has anyone ever seen anything like this before?
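Before assuming the token is "never valid", the first thing to check is what the token actually says. The access_token in the post is a compact JWS (its header segment decodes to {"typ":"JWT","alg":"RS256"}), so its payload can be read without the signing key to see which principal and scope it was issued for, and whether it has already expired. The script below is an added example written for this page, not code from the original post or from VMware: it decodes a JWT's header and payload without verifying the signature (inspection only, never for authorization), summarizes the claims worth comparing against the 403, and builds the Authorization header the SCIM endpoints expect. Because the post's payload segment is elided, the script constructs a sample token from the page's real header segment plus a made-up payload; the claim names prn, sub, scope, exp, the issuer URL and the 256-byte placeholder signature are all assumptions.

```python
"""Inspect a VMware Identity Manager OAuth access token before using it.

Added example, not from the post: decodes the JWT's header and payload (no
signature check) so you can see which principal and scope the token carries,
then builds the Authorization header for /SAAS/jersey/manager/api/scim/Users.
"""
import base64
import json
import time
from typing import Any, Dict, Optional

# Header segment copied verbatim from the access_token in the post above.
PAGE_HEADER_SEGMENT = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9"


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Dict[str, Any]:
    """Split a compact JWS and decode header + payload WITHOUT verifying the signature.

    Use this only to look at claims while debugging; anything that authorizes a
    request must verify the RS256 signature against the issuer's published key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected header.payload.signature, got {len(parts)} segment(s)")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return {"header": header, "payload": payload, "signature_bytes": len(b64url_decode(parts[2]))}


def summarize_token(token: str, now: Optional[float] = None) -> Dict[str, Any]:
    """Return the facts worth checking when a token yields 403: alg, principal, scope, expiry.

    Claim names 'prn', 'sub', 'scope' and 'exp' are assumptions for this example;
    print the full payload to see what your tenant actually issues.
    """
    now = time.time() if now is None else now
    decoded = decode_jwt_unverified(token)
    payload = decoded["payload"]
    exp = payload.get("exp")
    return {
        "alg": decoded["header"].get("alg"),
        "principal": payload.get("prn") or payload.get("sub"),
        "scope": payload.get("scope"),
        "expired": exp is not None and now >= exp,
        "seconds_left": None if exp is None else int(exp - now),
    }


def bearer_header(token: str) -> Dict[str, str]:
    """The Authorization header to send with a request to the SCIM endpoints."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def make_sample_token(payload: Dict[str, Any]) -> str:
    """Constructed token for offline runs: the page's real header segment, a made-up
    payload, and 256 zero bytes in the signature slot (the size of a real RS256
    signature). It is NOT signed, so any real server must reject it."""
    payload_seg = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signature_seg = b64url_encode(b"\x00" * 256)
    return f"{PAGE_HEADER_SEGMENT}.{payload_seg}.{signature_seg}"


if __name__ == "__main__":
    issued_at = 1_539_330_000  # constructed issue time
    sample = make_sample_token({
        "iss": "https://tenant.example.com/SAAS/auth",  # assumed issuer URL
        "prn": "someuser@tenant",                        # assumed principal claim
        "scope": "admin",
        "iat": issued_at,
        "exp": issued_at + 10799,                        # matches expires_in from the post
    })
    print(json.dumps(decode_jwt_unverified(sample)["payload"], indent=2))
    print(summarize_token(sample, now=issued_at + 60))
    print(bearer_header(sample)["Authorization"][:40] + "...")
```

Run it against a real token by replacing the sample with the access_token string from the /SAAS/auth/oauthtoken response: if the principal claim is not the user you expected, or the scope claim differs from the "admin" reported in the response body, that is the mismatch to take to the identity provider's logs; if the claims look right, the 403 is an authorization decision on the server side rather than a token-format problem.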