Kappa0xc0035fd6
Posted August 5, 2020

Hello, I'm working on an OAuth application, where I'm trying to retrieve information about the user that has logged in: https://invisioncommunity.com/developers/rest-api?endpoint=core/me/GETindex

Currently, I get the information without the key icon in front of it. When I hover over the key icon, it says: "Only available when the request was made using an API key, or an oAuth Access Token obtained with the Client Credentials grant type"

So I assumed I had to enable the option "Client Credentials" under "Available Grant Types", which I did. So what I do now is the following:

1. I send the user to: https://www.host.com/oauth/authorize/?response_type=code&client_id=CLIENT_ID&scope=profile
2. Get the code, and send a POST request to https://www.host.com/oauth/token/, with the following data:
   client_id : CLIENT_ID
   client_secret : CLIENT_SECRET
   code : CODE
   grant_type: client_credentials
   scope: profile
   Which returns:
   { "access_token": "ACCESS_TOKEN", "token_type": "bearer", "scope": "profile" }
3. Then I do a GET request to https://www.host.com/api/core/me with the bearer authorization, where I enter the retrieved access_token.

Now I get an error: NO_PERMISSION

Why do I get this? How will I be able to access, for example, secondaryGroups once the user has authorized?
bfarber
Posted August 6, 2020

What is the error code returned with the NO_PERMISSION message? You're accessing your API endpoint securely (i.e. over https), correct?
Kappa0xc0035fd6 (Author)
Posted August 6, 2020

3 hours ago, bfarber said:
    What is the error code returned with the NO_PERMISSION message? You're accessing your API endpoint securely (i.e. over https) correct?

The full error code is as follows:
{ "errorCode": "2S291/3", "errorMessage": "NO_PERMISSION" }
Which, according to the REST API docs, means: "The API key does not have permission to access the requested endpoint."

I don't think this really makes sense, as I don't use an API key to access this. Also, if I check over here: https://invisioncommunity.com/developers/rest-api?endpoint=core/me/GETindex

It says: "This endpoint is only available for requests made using an OAuth Access Token for a particular member, not using an API Key or the Client Credentials Grant Type." And the response name "secondaryGroups", for example, says the following: "Only available when the request was made using an API key, or an oAuth Access Token obtained with the Client Credentials grant type"

I did use the access token obtained with client_credentials as the grant type, so to me it looks like this is a bug.
bfarber
Posted August 6, 2020

Wait - the endpoint you are requesting states in the documentation that it is not available if you are using the client_credentials grant type. You said that's the grant type you are using, so that endpoint is not going to be available in that case.
Kappa0xc0035fd6 (Author)
Posted August 6, 2020

10 minutes ago, bfarber said:
    Wait - the endpoint you are requesting states in the documentation that it is not available if you are using the client_credentials grant type. You said that's the grant type you are using, so that endpoint is not going to be available in that case.

Okay, but why does it have all those response objects with this note: "Only available when the request was made using an API key, or an oAuth Access Token obtained with the Client Credentials grant type" in this endpoint: https://invisioncommunity.com/developers/rest-api?endpoint=core/me/GETindex, if those aren't accessible?
bfarber (Solution)
Posted August 7, 2020

That would be a confusion point technicality. If you realllllllly want to know...

The documentation is auto-generated based on docblock headers in the code. The core/me/GETindex endpoint has this:

/**
 * GET /core/me
 * Get basic information about the authorized user
 *
 * @apimemberonly
 * @return \IPS\Member
 */

That @apimemberonly tag says that the function can only be accessed as an authenticated user. However, the return values are not being defined here explicitly and instead are being returned automatically from the \IPS\Member::apiOutput() method. That method does not know where it is being called from (for example, if you fetch a topic, the topic's author information will be returned from this same method), so the return values defined for that method denote whether they're available when the request comes from an API key or not.

/**
 * Get output for API
 *
 * @param \IPS\Member|NULL $authorizedMember The member making the API request or NULL for API Key / client_credentials
 * @param array|NULL $otherFields Array of additional fields to return (raw values)
 * @return array
 * @apiresponse int id ID number
 * @apiresponse string name Username
 * @apiresponse string title Member title
 * @clientapiresponse string timezone Member timezone
 * @apiresponse string formattedName Username with group formatting
 * @apiresponse string ipAddress IP address used during registration
 * @apiresponse \IPS\Member\Group primaryGroup Primary group
 * @clientapiresponse [\IPS\Member\Group] secondaryGroups Secondary groups
 * @clientapiresponse string email Email address
 * @apiresponse datetime joined Registration date
 * @clientapiresponse string registrationIpAddress IP address when registered
 * @clientapiresponse int warningPoints Number of active warning points
 * @apiresponse int reputationPoints Number of reputation points
 * @apiresponse string photoUrl URL to photo (which will be the site's default if they haven't set one)
 * @apiresponse bool photoUrlIsDefault Indicates if the value of photoUrl is the site's default
 * @apiresponse string coverPhotoUrl URL to profile cover photo (will be blank if there isn't one)
 * @apiresponse string|null profileUrl URL to profile
 * @clientapiresponse bool validating Whether or not the validating flag is set on the member account
 * @apiresponse int posts Number of content item submissions member has made
 * @apiresponse datetime|null lastActivity Last activity date on the site.
 * @clientapiresponse datetime|null lastVisit Last distinct visit date on the site.
 * @clientapiresponse datetime|null lastPost Latest content submission date.
 * @apiresponse int profileViews Number of times member's profile has been viewed
 * @apiresponse string birthday Member birthday in MM/DD/YYYY format (or MM/DD format if no year has been supplied).
 * @apiresponse [\IPS\core\ProfileFields\Api\FieldGroup] customFields Custom profile fields. For requests using an OAuth Access Token for a particular member, only fields the authorized user can view will be included
 */

The @clientapiresponse tag indicates the request must be made using client credentials or an API key, while the @apiresponse tag indicates the value is returned for any request. This is mainly because some data is more privileged than others and can't be returned for any old user calling the API.

In other words, the endpoint cannot be accessed via client credentials/API key, only as an authenticated user, and the values returned will only be those that an authenticated user is permitted to see. If a member object is returned elsewhere, however, the notes you are referring to would apply.
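To make the tag rule concrete, here is an added Python example (not Invision's code) that applies the rule described above to constructed, abbreviated copies of the two docblocks: an @apimemberonly endpoint rejects callers with no authorized member, and @clientapiresponse fields only appear when there is no authorized member. The simulate_core_me function and the "None means API key / client_credentials" convention are assumptions made here for illustration.

```python
import re

# Constructed, abbreviated copies of the two docblocks quoted in the thread.
ENDPOINT_DOC = """/**
 * GET /core/me
 * @apimemberonly
 * @return \\IPS\\Member
 */"""

OUTPUT_DOC = """/**
 * @apiresponse int id ID number
 * @apiresponse string name Username
 * @clientapiresponse string timezone Member timezone
 * @clientapiresponse [\\IPS\\Member\\Group] secondaryGroups Secondary groups
 * @clientapiresponse string email Email address
 * @apiresponse datetime joined Registration date
 */"""

# tag, type, field name (the description after the name is ignored)
TAG_RE = re.compile(r"@(apiresponse|clientapiresponse)\s+(\S+)\s+(\w+)")

def parse_response_fields(docblock):
    """Return (field, type, tag) tuples in docblock order."""
    return [(m.group(3), m.group(2), m.group(1)) for m in TAG_RE.finditer(docblock)]

def endpoint_allows(docblock, authorized_member):
    """An @apimemberonly endpoint rejects callers with no authorized member,
    i.e. API-key and client_credentials tokens (None is the convention assumed
    here, following the $authorizedMember parameter in the docblock)."""
    return not ("@apimemberonly" in docblock and authorized_member is None)

def visible_fields(docblock, authorized_member):
    """Fields apiOutput() would emit: @apiresponse for any request,
    @clientapiresponse only for API-key / client_credentials requests."""
    return [name for name, _type, tag in parse_response_fields(docblock)
            if tag == "apiresponse" or authorized_member is None]

def simulate_core_me(authorized_member):
    """Outcome of GET /core/me for a caller (assumed simulation, not IPS code):
    NO_PERMISSION without a member, otherwise the member-visible fields."""
    if not endpoint_allows(ENDPOINT_DOC, authorized_member):
        return {"errorCode": "2S291/3", "errorMessage": "NO_PERMISSION"}
    return {name: f"<{name}>" for name in visible_fields(OUTPUT_DOC, authorized_member)}

if __name__ == "__main__":
    print(simulate_core_me(None))          # the thread's client_credentials call
    print(simulate_core_me("member 42"))   # a token issued for a particular member
```

Note that secondaryGroups is never returned by this endpoint: a member token can reach it but is not shown @clientapiresponse fields, and a client_credentials token is shown them but cannot reach the endpoint at all.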
Kappa0xc0035fd6 (Author)
Posted August 7, 2020

6 hours ago, bfarber said:
    That would be a confusion point technicality. If you realllllllly want to know...

    The documentation is auto-generated based on docblock headers in the code. The core/me/GETindex endpoint has this:

    /**
     * GET /core/me
     * Get basic information about the authorized user
     *
     * @apimemberonly
     * @return \IPS\Member
     */

    That @apimemberonly tag says that the function can only be accessed as an authenticated user. However, the return values are not being defined here explicitly and instead are being returned automatically from the \IPS\Member::apiOutput() method. That method does not know where it is being called from (for example, if you fetch a topic, the topic's author information will be returned from this same method), so the return values defined for that method denote whether they're available when the request comes from an API key or not.

    /**
     * Get output for API
     *
     * @param \IPS\Member|NULL $authorizedMember The member making the API request or NULL for API Key / client_credentials
     * @param array|NULL $otherFields Array of additional fields to return (raw values)
     * @return array
     * @apiresponse int id ID number
     * @apiresponse string name Username
     * @apiresponse string title Member title
     * @clientapiresponse string timezone Member timezone
     * @apiresponse string formattedName Username with group formatting
     * @apiresponse string ipAddress IP address used during registration
     * @apiresponse \IPS\Member\Group primaryGroup Primary group
     * @clientapiresponse [\IPS\Member\Group] secondaryGroups Secondary groups
     * @clientapiresponse string email Email address
     * @apiresponse datetime joined Registration date
     * @clientapiresponse string registrationIpAddress IP address when registered
     * @clientapiresponse int warningPoints Number of active warning points
     * @apiresponse int reputationPoints Number of reputation points
     * @apiresponse string photoUrl URL to photo (which will be the site's default if they haven't set one)
     * @apiresponse bool photoUrlIsDefault Indicates if the value of photoUrl is the site's default
     * @apiresponse string coverPhotoUrl URL to profile cover photo (will be blank if there isn't one)
     * @apiresponse string|null profileUrl URL to profile
     * @clientapiresponse bool validating Whether or not the validating flag is set on the member account
     * @apiresponse int posts Number of content item submissions member has made
     * @apiresponse datetime|null lastActivity Last activity date on the site.
     * @clientapiresponse datetime|null lastVisit Last distinct visit date on the site.
     * @clientapiresponse datetime|null lastPost Latest content submission date.
     * @apiresponse int profileViews Number of times member's profile has been viewed
     * @apiresponse string birthday Member birthday in MM/DD/YYYY format (or MM/DD format if no year has been supplied).
     * @apiresponse [\IPS\core\ProfileFields\Api\FieldGroup] customFields Custom profile fields. For requests using an OAuth Access Token for a particular member, only fields the authorized user can view will be included
     */

    The @clientapiresponse tag indicates the request must be made using client credentials or an API key, while the @apiresponse tag indicates the value is returned for any request. This is mainly because some data is more privileged than others and can't be returned for any old user calling the API.

    In other words, the endpoint cannot be accessed via client credentials/API key, only as an authenticated user, and the values returned will only be those that an authenticated user is permitted to see. If a member object is returned elsewhere, however, the notes you are referring to would apply.

Alright, that clears things up, thank you. I have two more questions if you don't mind.

I'm curious, why is secondaryGroups a clientapiresponse? I mean, on the site groups are a big deal for permissions, and now you can't retrieve all the groups a member is in, which is basically what I need.

And last question, how would I go about using $otherFields? I see it should be a parameter, but I've tried some random fields and I don't see anything happening.

Thanks for clearing things up and helping me out, I appreciate it a lot.