Hi I am new to service now.I have an demo instance "demonowprod.service-now.com" when I try to retrieve data from rest API URL it throws authentication fail message like below.
https://demochannel.service-now.com/api/now/table/incident?sysparm_limit=1
{
"error": {
"detail": "Required to provide Auth information",
"message": "User Not Authenticated"
},
"status": "failure"
}
Any help will be appreciated.
So you have two or one instances?
At first you say your instance name is demonowprod.service-now.com in your query you call demochannel.service-now.com.
The credentials used for API calls are your user credentials. Of course you need to have read access on the incident table when querying it.
I think what you need to do is create a service account of sorts and assign the "rest_service" role to that account. Use this credential when connecting from the other instance of SN. User accounts are created by either admins or user_admins under User Administration > Users.
See http://wiki.servicenow.com/index.php?title=REST_API#gsc.tab=0
Related
My user account can use the Google Classroom web UI to see all the announcements for a given course. Trying to pull them programmatically using the Google Classroom API.
I've set up an app with Oauth consent screen covering (for test purposes) ALL the scopes listed under the Google Classroom API, and can run the consent flow with my user account to get an access token.
I can successfully GET course details by curl'ing https://classroom.googleapis.com/v1/courses/<my course ID> using the access token obtained from the oauth flow. However, when I GET https://classroom.googleapis.com/v1/courses/<my course ID>/announcements with the same token, I get the following:
{
"error": {
"code": 403,
"message": "Request had insufficient authentication scopes.",
"status": "PERMISSION_DENIED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
"domain": "googleapis.com",
"metadata": {
"method": "google.classroom.v1.Work.ListAnnouncements",
"service": "classroom.googleapis.com"
}
}
]
}
}
Behaviour is same in using both client libraries as well as raw REST calls.
Am I missing an auth scope (I switched them all on), am I just not allowed to do this since I'm not the course owner, or am I doing something else wrong? Advice please!
You apear to be using the courses.get method
In order to access this method your application needs to be authorized with one of the following scopes.
You also appear to be using the courses.announcements.list method
This method requires that your application be authorized with one of the following scopes.
The error message "Request had insufficient authentication scopes." means exactly what it says. The access token you are using was not authorized with one of the scopes needed for the courses.announcements.list endpoint there for you can not use it.
You need to delete the access token you have now and request authorization of the user using the proper scope for this method. Always make sure to delete your old token. When changing scopes in code your app does not always request authorization again if you just change the scopes in the code. You need to force it to request authorization again.
All the scopes
you should not be requesting all of the scopes of the user only the scopes that you need. If you only need readonly access make sure not to request write.
I had forgotten that my code explicitly defines the scopes when configuring the client that then builds the oauth request URL:
config, err = google.ConfigFromJSON(b, classroom.ClassroomCoursesReadonlyScope)
Changed to
config, err = google.ConfigFromJSON(b, classroom.ClassroomCoursesReadonlyScope, **classroom.ClassroomAnnouncementsReadonlyScope**)
and it works fine.
We are trying to create an integration with the Google Admin SDK in order to be able to retrieve, update and create accounts within our domain. However, we keep receiving a 403 error indicating that we are not authorized to access the resource/api.
We are using the credentials obtained from a service account which has Domain-wide Delegation of Authority enabled and the following two scopes:
https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.user. We are generating the JWT (which also includes these two scopes) and then sending a request to https://www.googleapis.com/oauth2/v4/token to retrieve the access token.
We are then using the access token to send a request to https://www.googleapis.com/admin/directory/v1/users?domain=XXXX.com. We are including the access token as a Bearer token, part of the headers.
In the response we are getting the following message:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Not Authorized to access this resource/api"
}
],
"code": 403,
"message": "Not Authorized to access this resource/api"
}
}
Is it possible to clarify what are we doing incorrectly?
The problem was that the JWT must include the sub field: The email address of the user for which the application is requesting delegated access.
In order for this to work you must set up domain wide delegation by doing this your service account will then have access to the data in question.
Locate the newly-created service account in the table. Under Actions, click more_vert then Edit.
In the service account details, click expand_more Show domain-wide delegation, then ensure the Enable G Suite Domain-wide Delegation checkbox is checked.
If you haven't yet configured your app's OAuth consent screen, you must do so before you can enable domain-wide delegation. Follow the on-screen instructions to configure the OAuth consent screen, then repeat the above steps and re-check the checkbox.
Click Save to update the service account, and return to the table of service accounts. A new column, Domain-wide delegation, can be seen. Click View Client ID, to obtain and make a note of the client ID.
I want to create a user who has admin rights (search, read, write) access on testIndex index. For this, I created a role testIndex_admin (ref. kibana screenshot given below) and assigned the new user this role.
However after the user logs in he only see an empty screen with a "Help us improve the Elastic Stack by providing basic feature usage statistics?" popup. On the browser console I found the following request being made which failed with 403 error.
Request URL: http://localhost:5601/api/saved_objects/_find?type=index-pattern&per_page=10000
{
"message": "action [indices:data/read/search] is unauthorized for user [user01]: [security_exception] action [indices:data/read/search] is unauthorized for user [user01]",
"statusCode": 403,
"error": "Forbidden"
}
Also, I get the following "Advanced Setting Error" popup that appears (give below)
ElasticSearch v6.3.2
Kibana v6.3.2
What can be done so that the user can access only his testIndex with all priviliges to it?
The kibana_user role grants access to the resources that are required when using Kibana.
You need to grant that role, and whatever additional roles you require to get access to the data itself.
So, if you want the user to be able to use Kibana, then you need to give them the kibana_user role.
So for example my list of roles would appear something like this:
testIndex_admin kibana_user
https://xxxx.service-now.com/api/now/v1/table/incident while we're consuming this API in postman we're getting
{
"error": {
"message": "User Not Authenticated",
"detail": "Required to provide Auth information"
},
"status": "failure"
}
Here we are given basic authentication and the JSON input like
{
"short_description":"Creating incident through Request",
"assignment_group":"287ebd7da9fe198100f92cc8d1d2154e",
"urgency":"3",
"impact":"3"
}
It basically says you are not authenticated, it either means you didnt provide correct credentials or you forgot to provide basic-auth header while querying through postman
I think the error message is pretty clear about what the problem is... you're not authenticated. You'll need to authenticate in order to utilize the API. Unless you have a complex authentication scheme going, you can probably use Basic Authentication in PostMan and use the credentials for an account which you know has access to the resource you're trying to access.
I am trying to use the Google Cloud Resource Manager API to test whether the authenticated user has permissions to a given project. I have read the [Google Cloud Resource Manager API documentation][1] and have tried sending requests, all which fail with the following error:
{ "error": { "code": 400, "message": "Request contains an invalid argument.", "status": "INVALID_ARGUMENT" } }
The POST request is:
https://cloudresourcemanager.googleapis.com/v1/projects/{projectId}:testIamPermissions
where {projectId} is a defined projectId from the Google Cloud Developer Console. I am aware that I can use the project.list method and determine if the given projectId is present in the list of projects for the user. I want to understand how to use the project.testIamPermissions request and determine which permission the user has on the project. [1]: https://cloud.google.com/resource-manager/reference/rest/v1/projects/testIamPermissions
In order to use the Cloud Resource Manager API methods organizations.testIamPermissions or projects.testIamPermissions, you need to provide the resource you'd like to check in the URL and then the permissions you'd like to check in the body.
So, for example, if I want to test if I, the authenticated user, have access to a particular permission (ex. compute.instances.create) on a particular project (ex. my-project) then, I would POST this:
{
"permissions": [
"compute.instances.create"
]
}
to the URL:
https://cloudresourcemanager.googleapis.com/v1/projects/my-project:testIamPermissions
which would give me the following response:
{
"permissions": [
"compute.instances.create"
]
}
because I do in fact have permissions to create new instances in my-project.
However, if I did not have permission to create new instances, the response would look like:
{
}
Try it here via the API Explorer.
If your goal is to find the test of all permissions that the user has on the project, then you have to provide the full list of all project level permissions in your request body and the response will include the subset of those permissions that the user has.
Hope this helps!