-
Re: REST API - You are not allowed to perform this request
nilsheuer Nov 28, 2014 3:02 AM (in response to jmarleau)
If you look at the details of the 403 message you will likely see:
{
"code": 4026,
"message": "The request could not be validated as originating from within the SBS application"
}
This is a common error when the authentication token is not set correctly. The content in an HTML widget is actually encapsulated in an iframe, so this might be a side effect of Jive's cross-site request forgery protection.
If you want something like this to work reliably, maybe a custom widget or app might be a better solution.
-
Re: REST API - You are not allowed to perform this request
jmarleau Dec 1, 2014 10:10 AM (in response to nilsheuer)
Hi Nils,
Thanks for the response. Here are some extra thoughts and questions, if you have any ideas...
1- All I get through REST is the message "You are not allowed to perform this request". Where could I check and find the details of the error?
2- The application is actually under federated login, so it leverages the user logged in. It would not surprise me if it's a security issue but, I am trying to see what would be wrong. I created 2 docs, one with my user, one with my test user, and both can POST to their own doc using the script, but they both cannot update the doc from the other user. I actually tested successfully with an admin user; they can update both docs.
-I'm not sure why it works for your own docs and not for the docs that you didn't create but have edit access to. I can edit if I use Jive directly.
-I'm not sure how the authentication token would be valid for your own docs, invalid for someone else's docs and valid if you are admin.
3- Widget or app, I have no idea how to overcome the federated login as our app is under a different subdomain (as recommended by Jive), and it represents a cross-site request, and ALL requests become anonymous.
Thanks
-
Re: REST API - You are not allowed to perform this request
nilsheuer Dec 1, 2014 10:44 AM (in response to jmarleau)
On my mobile, so I can only answer 3 right now: The addon/apps framework provides alternatives to overcome the cross-domain issues. Mainly the osapi.jive.corev3.contents JS API for manipulating Jive content, and the osapi.http.get/post/etc methods for cross-domain API calls. Much more stable and safe than embedded JS in an HTML widget.
Sent from my mobile
-
Re: REST API - You are not allowed to perform this request
jmarleau Dec 2, 2014 1:12 PM (in response to nilsheuer)
Hi Nils,
If you have a chance to review 1 & 2 ...
With regards to option 3, I would like to expand. The goal of my app was to browse recent content for the current user and display a summary based on specific criteria. Before I started to build the solution in an HTML Widget, I tried to create the app using the app framework. I'm having a hard time finding documentation and samples for version 6.0; most of the documentation is on version 7.0 and up and, to be honest, I would recommend highlighting which version of Jive a solution is for, because I tried many things that were simply not available in 6.0.
Developing the hello world worked like a charm using the sample but, it's not really useful :0).
I see a lot of documentation on how to use the new node.js framework, but that's only available using version 7.0 and up.
Developing an app is done through the web dev console.
Developing Jive Apps for your own community - using the Dev Console app
I created a template and created an app, I created a webserver using the recommended https://www.nitrous.io/app but all my API queries, api/core/v3/contents?count=100&sort=latestActivityDesc&fields=subject,type, are failing with a 401 error, due to the fact that the app is located under apps.servername.com and not www.servername.com. I haven't found how to overcome this issue, as what I found suggests using a username/password, and that's not possible using SSO. Not sure that's what I would like to do either.
I might have misunderstood the osapi.jive API; I thought it was a wrapper to the REST API, and didn't think it was necessary to use it if I know the REST API call and how to process the answer.
In short, I tried many options and I thought the HTML widget was the safer solution, using the user credentials by default.
Do we have a sample of the osapi.jive API that works under SSO?
-
Re: Re: REST API - You are not allowed to perform this request
nilsheuer Dec 2, 2014 1:19 PM (in response to jmarleau)
Hi Jean-Francois!
OK, good that you got the app sample working. As you correctly figured out, the JS API is more than a wrapper for the REST API, and will take care of things like authentication, etc. It works perfectly with federated users.
So instead of using the REST API to query api/core/v3/contents?count=100&sort=latestActivityDesc&fields=subject,type, you would write something like this:
// Fetch contents through the JS API; the comma between the two options was missing in the original snippet
var request = osapi.jive.corev3.contents.get({ "count": 100, "fields": "subject,type" });
request.execute(function(data) { console.log("Fetched the contents", data); });
This will work in Jive 6.
-
Re: Re: REST API - You are not allowed to perform this request
nilsheuer Dec 2, 2014 1:20 PM (in response to jmarleau)
Point 1: You should see this as the page payload
2: Sorry, I can't help you here. This is a scenario I never looked into.
-
Re: REST API - You are not allowed to perform this request
jmarleau Dec 4, 2014 1:59 PM (in response to jmarleau)
Humm! Apparently all REST API commands require "Full Access". This is actually administrator of our Jive instance and, I doubt we will grant that level of access to some user for editing using the tool I created.
-
Re: REST API - You are not allowed to perform this request
nilsheuer Dec 4, 2014 2:12 PM (in response to jmarleau)
That is most certainly not correct. The REST API is available to all registered users and respects permissions.
-
Re: REST API - You are not allowed to perform this request
jmarleau Dec 4, 2014 2:20 PM (in response to jmarleau)
Thanks to Jive Core API: The Definitive Guide WEDNESDAY, OCT 22ND 2:15 PM – 3:15 PM
I think I figured out the issue wasn't security but, rather, that I wasn't posting all the fields back (only the minimum) and apparently it requires all of them. It actually acts differently when you post profile variables ...
-
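The two failure modes the thread ends on, the opaque 403 whose real body carries code 4026, and the update that fails because only a subset of fields was sent back, can be handled in a few lines of client code. The following is an added example, not code from the thread or from Jive: it parses the error body the way nilsheuer suggests, and builds the PUT payload by fetching the complete object first and overlaying only the changed fields, which is the fix jmarleau arrived at. The base URL, the document fields other than id, type, subject and content, and the injected fetch implementation are assumptions.

```javascript
// Added example (not from the thread or from Jive): helpers for the two
// failure modes discussed above, runnable in Node.js without network access.

// Constructed sample of the 403 body described in the first reply (code 4026).
const SAMPLE_403_BODY = JSON.stringify({
  code: 4026,
  message: "The request could not be validated as originating from within the SBS application",
});

// Constructed document as GET /api/core/v3/contents/{id} might return it.
// Field names beyond "id", "type", "subject" and "content" are assumptions.
const SAMPLE_DOCUMENT = {
  id: "1001",
  type: "document",
  subject: "Weekly status",
  content: { type: "text/html", text: "<p>old text</p>" },
  tags: ["status"],
};

// Turn a failed response into something a caller can act on instead of the
// bare "You are not allowed to perform this request". Only code 4026 is
// documented in the thread; anything else is passed through with its status
// and message so the real body is never hidden from the developer.
function classifyJiveError(status, bodyText) {
  let body = null;
  try { body = JSON.parse(bodyText); } catch (e) { /* non-JSON body, e.g. an HTML error page */ }
  const message = body && body.message ? body.message : bodyText;
  if (status === 403 && body && body.code === 4026) {
    return { kind: "not-from-sbs-app", code: 4026, message };
  }
  if (status === 401) {
    return { kind: "unauthenticated", status, code: body ? body.code : undefined, message };
  }
  return { kind: "other", status, code: body ? body.code : undefined, message };
}

// Build the PUT payload from the complete object returned by GET plus only
// the fields that change. Deep-copying keeps every server-supplied field in
// place and leaves the fetched object untouched; sending just the changed
// fields is the mistake identified in the last post.
function buildUpdatePayload(fetched, changes) {
  const payload = JSON.parse(JSON.stringify(fetched));
  for (const [key, value] of Object.entries(changes)) {
    payload[key] = value;
  }
  return payload;
}

// Describe the PUT request without sending it, so the plan can be inspected
// and unit-tested independently of the transport.
function planUpdate(baseUrl, fetched, changes) {
  return {
    url: `${baseUrl}/api/core/v3/contents/${encodeURIComponent(fetched.id)}`,
    method: "PUT",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(buildUpdatePayload(fetched, changes)),
  };
}

// GET, merge, PUT. fetchImpl is injected (assumption) so the same flow runs
// with the browser's fetch inside a widget, where credentials: "include"
// sends the federated session cookie, or with a stub in tests.
async function updateContent(baseUrl, contentId, changes, fetchImpl) {
  const url = `${baseUrl}/api/core/v3/contents/${encodeURIComponent(contentId)}`;
  const getRes = await fetchImpl(url, { credentials: "include" });
  const getText = await getRes.text();
  if (!getRes.ok) return { ok: false, step: "get", error: classifyJiveError(getRes.status, getText) };
  const { url: putUrl, ...init } = planUpdate(baseUrl, JSON.parse(getText), changes);
  const putRes = await fetchImpl(putUrl, { ...init, credentials: "include" });
  const putText = await putRes.text();
  if (!putRes.ok) return { ok: false, step: "put", error: classifyJiveError(putRes.status, putText) };
  return { ok: true, updated: JSON.parse(putText) };
}

// Stand-alone run: classify the documented 403 and show the merged payload.
console.log(classifyJiveError(403, SAMPLE_403_BODY));
console.log(planUpdate("https://community.example.com", SAMPLE_DOCUMENT, { subject: "Weekly status (updated)" }).body);
```

The classifier deliberately reports anything other than the documented 4026 case as "other" with the server's own message attached, so a permissions denial and a token problem stay distinguishable in logs instead of both collapsing into the generic "not allowed" text.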