Jump to content

Accessing user data with Client Credentials as requirement


Go to solution Solved by bfarber,

Recommended Posts

Hello,

I'm working on a oauth application, where I'm trying to retrieve information about the user that has logged in:
https://invisioncommunity.com/developers/rest-api?endpoint=core/me/GETindex

Currently, I get the information without they key icon in front of it.

When I hover over the key icon, it says: "Only available when the request was made using an API key, or an oAuth Access Token obtained with the Client Credentials grant type"
So I assumed I had to enable the option "Client Credentials" under "Available Grant Types", which I did.

So what I do now is the following:

1. I send the user to: https://www.host.com/oauth/authorize/?response_type=code&client_id=CLIENT_ID&scope=profile

2. Get the code, and send a POST request to https://www.host.com/oauth/token/, with the following data:
client_id : CLIENT_ID
client_secret : CLIENT_SECRET
code : CODE 
grant_type: client_credentials
scope: profile

Which returns:
{
    "access_token": "ACCESS_TOKEN",
    "token_type": "bearer",
    "scope": "profile"
}

3. Then I do a GET request to https://www.host.com/api/core/me
with the bearer authorization, where I enter the retrieved access_token.

Now I get a error: NO_PERMISSION

Why do I get this? 
How will I able to access for example: secondaryGroups once the user authorized?

 

Link to comment
Share on other sites

3 hours ago, bfarber said:

What is the error code returned with the NO_PERMISSION message?

You're accessing your API endpoint securely (i.e. over https) correct?


The full error code is as following:

{
    "errorCode": "2S291/3",
    "errorMessage": "NO_PERMISSION"
}

Which means according to the rest api: "The API key does not have permission to access the requested endpoint."
I don't think this really makes sense, as I don't use a API key to access this.

Also, if I check over here: https://invisioncommunity.com/developers/rest-api?endpoint=core/me/GETindex
It says: "This endpoint is only available for requests made using an OAuth Access Token for a particular member, not using an API Key or the Client Credentials Grant Type."

and the response name "secondaryGroups" for example says the following: "Only available when the request was made using an API key, or an oAuth Access Token obtained with the Client Credentials grant type"

I did use the access token obtained with the client_credentials as grant type, so to me it looks like this is a bug.

Link to comment
Share on other sites

10 minutes ago, bfarber said:

Wait - the endpoint you are requesting states in the documentation that it is not available if you are using the client_credentials grant type. You said that's the grant type you are using, so that endpoint is not going to be available in that case.

Okay, but why does it has all those response objects with this note: “Only available when the request was made using an API key, or an oAuth Access Token obtained with the Client Credentials grant type” in this endpoint: https://invisioncommunity.com/developers/rest-api?endpoint=core/me/GETindex ? If those aren’t accesable?

Link to comment
Share on other sites

  • Solution

That would be a confusion point technicality. If you realllllllly want to know...

The documentation is auto-generated based on docblock headers in the code. The core/me/GETindex endpoint has this

	/**
	 * GET /core/me
	 * Get basic information about the authorized user
	 *
	 * @apimemberonly
	 * @return	\IPS\Member
	 */

That @apimemberonly tag says that the function can only be accessed as an authenticated user.

However, the return values are not being defined here explicitly and instead are being returned automatically from the \IPS\Member::apiOutput() method. That method does not know where it is being called from (for example if you fetch a topic, the topic's author information will be returned from this same method), so the return values defined for that method denote if they're available when the request comes from an API key or not.

	/**
	 * Get output for API
	 *
	 * @param	\IPS\Member|NULL	$authorizedMember	The member making the API request or NULL for API Key / client_credentials
	 * @param	array|NULL			$otherFields		Array of additional fields to return (raw values)
	 * @return	array
	 * @apiresponse			int											id						ID number
	 * @apiresponse			string										name					Username
	 * @apiresponse			string										title					Member title
	 * @clientapiresponse	string										timezone				Member timezone
	 * @apiresponse			string										formattedName			Username with group formatting
	 * @apiresponse			string										ipAddress				IP address used during registration
	 * @apiresponse			\IPS\Member\Group							primaryGroup			Primary group
	 * @clientapiresponse	[\IPS\Member\Group]							secondaryGroups			Secondary groups
	 * @clientapiresponse	string										email					Email address
	 * @apiresponse			datetime									joined					Registration date
	 * @clientapiresponse	string										registrationIpAddress	IP address when registered
	 * @clientapiresponse	int											warningPoints			Number of active warning points
	 * @apiresponse			int											reputationPoints		Number of reputation points
	 * @apiresponse			string										photoUrl				URL to photo (which will be the site's default if they haven't set one)
	 * @apiresponse			bool										photoUrlIsDefault		Indicates if the value of photoUrl is the site's default
	 * @apiresponse			string										coverPhotoUrl			URL to profile cover photo (will be blank if there isn't one)
	 * @apiresponse			string|null									profileUrl				URL to profile
	 * @clientapiresponse	bool										validating				Whether or not the validating flag is set on the member account
	 * @apiresponse			int											posts					Number of content item submissions member has made
	 * @apiresponse			datetime|null								lastActivity			Last activity date on the site.
	 * @clientapiresponse	datetime|null								lastVisit				Last distinct visit date on the site.
	 * @clientapiresponse	datetime|null								lastPost				Latest content submission date.
	 * @apiresponse			int											profileViews			Number of times member's profile has been viewed
	 * @apiresponse			string										birthday				Member birthday in MM/DD/YYYY format (or MM/DD format if no year has been supplied).
	 * @apiresponse			[\IPS\core\ProfileFields\Api\FieldGroup]	customFields			Custom profile fields. For requests using an OAuth Access Token for a particular member, only fields the authorized user can view will be included
	 */

The @clientapiresponse tag indicates the request must be made using client credentials or an API key, while the @apiresponse tag indicates the value is returned for any request. This is mainly because some data is more privileged than others and can't be returned for any old user calling the API.

 

In other words, the endpoint cannot be accessed via client credentials/API key, only as an authenticated user, and the values returned will only be those that an authenticated user are permitted to see. If a member object is returned elsewhere, however, the notes you are referring to would apply.

Link to comment
Share on other sites

6 hours ago, bfarber said:

That would be a confusion point technicality. If you realllllllly want to know...

The documentation is auto-generated based on docblock headers in the code. The core/me/GETindex endpoint has this


	/**
	 * GET /core/me
	 * Get basic information about the authorized user
	 *
	 * @apimemberonly
	 * @return	\IPS\Member
	 */

That @apimemberonly tag says that the function can only be accessed as an authenticated user.

However, the return values are not being defined here explicitly and instead are being returned automatically from the \IPS\Member::apiOutput() method. That method does not know where it is being called from (for example if you fetch a topic, the topic's author information will be returned from this same method), so the return values defined for that method denote if they're available when the request comes from an API key or not.


	/**
	 * Get output for API
	 *
	 * @param	\IPS\Member|NULL	$authorizedMember	The member making the API request or NULL for API Key / client_credentials
	 * @param	array|NULL			$otherFields		Array of additional fields to return (raw values)
	 * @return	array
	 * @apiresponse			int											id						ID number
	 * @apiresponse			string										name					Username
	 * @apiresponse			string										title					Member title
	 * @clientapiresponse	string										timezone				Member timezone
	 * @apiresponse			string										formattedName			Username with group formatting
	 * @apiresponse			string										ipAddress				IP address used during registration
	 * @apiresponse			\IPS\Member\Group							primaryGroup			Primary group
	 * @clientapiresponse	[\IPS\Member\Group]							secondaryGroups			Secondary groups
	 * @clientapiresponse	string										email					Email address
	 * @apiresponse			datetime									joined					Registration date
	 * @clientapiresponse	string										registrationIpAddress	IP address when registered
	 * @clientapiresponse	int											warningPoints			Number of active warning points
	 * @apiresponse			int											reputationPoints		Number of reputation points
	 * @apiresponse			string										photoUrl				URL to photo (which will be the site's default if they haven't set one)
	 * @apiresponse			bool										photoUrlIsDefault		Indicates if the value of photoUrl is the site's default
	 * @apiresponse			string										coverPhotoUrl			URL to profile cover photo (will be blank if there isn't one)
	 * @apiresponse			string|null									profileUrl				URL to profile
	 * @clientapiresponse	bool										validating				Whether or not the validating flag is set on the member account
	 * @apiresponse			int											posts					Number of content item submissions member has made
	 * @apiresponse			datetime|null								lastActivity			Last activity date on the site.
	 * @clientapiresponse	datetime|null								lastVisit				Last distinct visit date on the site.
	 * @clientapiresponse	datetime|null								lastPost				Latest content submission date.
	 * @apiresponse			int											profileViews			Number of times member's profile has been viewed
	 * @apiresponse			string										birthday				Member birthday in MM/DD/YYYY format (or MM/DD format if no year has been supplied).
	 * @apiresponse			[\IPS\core\ProfileFields\Api\FieldGroup]	customFields			Custom profile fields. For requests using an OAuth Access Token for a particular member, only fields the authorized user can view will be included
	 */

The @clientapiresponse tag indicates the request must be made using client credentials or an API key, while the @apiresponse tag indicates the value is returned for any request. This is mainly because some data is more privileged than others and can't be returned for any old user calling the API.

 

In other words, the endpoint cannot be accessed via client credentials/API key, only as an authenticated user, and the values returned will only be those that an authenticated user are permitted to see. If a member object is returned elsewhere, however, the notes you are referring to would apply.

Alright, that clears things up, thankyou.

I got two more questions if you don't mind; 

I'm curious, why's secondary groups a clientapiresponse? 
I mean in the site groups are a big deal of permissions & now you can't retrieve all groups a member is in, which is basically what I need.

And last question, how would I go about using the $otherFields? I see it should be a parameter, but I've tried some random fields & I don't see anything happening.

Thanks for clearing things up and helping me out, appreciate it allot.

Link to comment
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...