6 Replies Latest reply on Jul 9, 2013 2:52 AM by Nils Drews

    HTTP 403 / "An authenticated API accessor is required in order to access this endpoint"?

    it2000

      I try to get the notifications using https://community.jivesoftware.com/api/core/v2/inbox/notifications. But I usually get this error (HTTP 403):

      throw 'allowIllegalResourceCall is false.';
      {
        "message" : "An authenticated API accessor is required in order to access this endpoint",
        "code" : 4089
      }
      

      Sometimes I get:

      throw 'allowIllegalResourceCall is false.';
      {
        "data" : [ ]
      }
      

      Neither reply is what I expect.

      Does the API call not work here, or does one need more than the session cookies (provided by /api/core/v2/authentication/formlogin)?

        • Re: HTTP 403 / "An authenticated API accessor is required in order to access this endpoint"?
          jiviliu

          Hello,

           

          we are trying to access the actions and notifications from our Jive installation via REST API.

          We are using Jive 5.0.4 and have no problems accessing other services e.g. the activity stream (GET /api/core/v2/activity).

           

          When we try to access either the actions (GET /api/core/v2/inbox/actions) or notifications (GET /api/core/v2/inbox/notifications) we also get the following error message:

           

          HTTP 403 Forbidden
          throw 'allowIllegalResourceCall is false.';
          {
            "message" : "An authenticated API accessor is required in order to access this endpoint",
            "code" : 4089
          }
          

           

          Every request was made as an authenticated Jive user (either via authentication service (/api/core/v2/authentication/formlogin), session cookie or HTTP basic auth). The error occurs every time.

           

          Is this a bug in the API? Is there another way required to authenticate the user calling the service to access the inbox?

           

          Thanks & kind regards

          Jun Ying and Notmy Surname

          • Re: HTTP 403 / "An authenticated API accessor is required in order to access this endpoint"?
            Nils Drews

            Hello all,

             

            I'm just investigating this for another customer but want to share my findings with you all. The error you are getting is due to the fact that you need to have an APIAccessor here. The recommended way of getting such an accessor is to use OAuth2 and is described here:

            To use OAuth2 tokens to authenticate requests to the core API, there are four steps:

            1. Use a Jive mechanism (such as the mobile client manager) to create a Jive OAuth2 activation code
            2. Activate the code to receive your client id and secret, as well as your refresh token
            3. Request an access token using the client id, secret and refresh token
            4. Access protected resources using the access token

            The easiest way would be to write an OpenSocial widget that pulls in all the data and use that for communicating with Jive. Essentially a Jive App, but not within Jive. We then use the whole OpenSocial/Jive Apps infrastructure to authenticate here.

             

            Alternatively there is the possibility to just overlay the "com/jivesoftware/api/core/v2/services/communications/InboxService.java" and remove the "accessor = true" parameter from the RequiresAuthentication annotation. As far as I can see this is the only service that requires this yet. In the future there may be more but even in the latest cloud code of today I couldn't find another one yet.

             

            This infrastructure is used to protect certain areas of the code against unlimited API access. The InboxService can put heavy strain on the server, so you should not pull this for all users too often.

             

            Within Jive 6 the recommended way would be to use the V3 API which is not protected in this way.

             

            Bye, Nils

             

            FYI: Janko Zehe (Christian does not seem to be in the Community!?), Guido Becker

              • Re: HTTP 403 / "An authenticated API accessor is required in order to access this endpoint"?
                Nils Drews

                The way I described above does not work and is wrong. The issue we have here at hand is that this Framework with the API Accessors was put in place to:

                To properly service such external facing APIs, an ApiAccessor is used to identify which external system is accessing these Jive features. The ApiAccessor provides a security mechanism through entitlements and may be extended to provide additional metadata suitable to be presented to Jive users. This extended capability allows a Jive user to see which external system produced activity entries in a standardized way.

                 

                So to get a proper ApiAccessor you must make your "external system" known to Jive. And that could be done for example by a plugin. The far easier way would be to use your own web service to get all this data from the instance in a way that you prefer.

                Overlaying the InboxService does not work as straightforwardly as I said, you also need to patch the com.jivesoftware.api.core.v2.providers.communications.InboxProvider#getActionsPredicate as this checks the same code as well, and that can then easily affect for example mobile and other different existing external systems. You have been warned.

                 

                Within Jive 6 the recommended way would still be to use the V3 API which is not protected in this way.

                 

                Bye, Nils

                 

                FYI: Janko Zehe, Christian Zehe, Guido Becker
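
Added example (not code from any poster in this thread or from Jive): the bodies quoted above start with a `throw 'allowIllegalResourceCall is false.';` line before the JSON, so a client has to strip that line and parse the rest with `JSON.parse` (never `eval`), and can then tell the accessor refusal (code 4089) apart from a genuinely empty inbox. The function names, the result labels, and the HTTP 200 status paired with the empty `data` body are assumptions.

```javascript
// Literal first line of the v2 response bodies quoted in the thread.
const GUARD_PREFIX = "throw 'allowIllegalResourceCall is false.';";
const ACCESSOR_REQUIRED = 4089; // error code quoted in the thread

// Strip the leading throw statement (if present) and parse the remaining JSON.
function parseJiveBody(body) {
  let text = String(body).replace(/^\uFEFF/, "").trimStart();
  if (text.startsWith(GUARD_PREFIX)) {
    text = text.slice(GUARD_PREFIX.length);
  }
  return JSON.parse(text); // data only; the body is never executed
}

// Classify a response so "caller is not an ApiAccessor" is not mistaken
// for "inbox is empty" or for a generic failure.
function classifyInboxResponse(status, body) {
  let payload;
  try {
    payload = parseJiveBody(body);
  } catch (err) {
    return { kind: "unparseable", status, detail: err.message };
  }
  if (payload === null || typeof payload !== "object") {
    return { kind: "unexpected", status, detail: null };
  }
  if (status === 403 && payload.code === ACCESSOR_REQUIRED) {
    return { kind: "accessor-required", status, detail: payload.message };
  }
  if (status >= 400) {
    return { kind: "error", status, detail: payload.message || null };
  }
  if (Array.isArray(payload.data)) {
    const kind = payload.data.length > 0 ? "items" : "empty";
    return { kind, status, items: payload.data };
  }
  return { kind: "unexpected", status, detail: null };
}

// Constructed samples, shaped like the two bodies quoted in the thread.
const SAMPLE_403 = GUARD_PREFIX + `
{
  "message" : "An authenticated API accessor is required in order to access this endpoint",
  "code" : 4089
}`;
const SAMPLE_EMPTY = GUARD_PREFIX + '\n{\n  "data" : [ ]\n}';

console.log(classifyInboxResponse(403, SAMPLE_403).kind);
console.log(classifyInboxResponse(200, SAMPLE_EMPTY).kind);
```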