8 Replies Latest reply on Feb 19, 2015 3:29 AM by ztenerowicz

    URI Scope does not allow access to jive attachments API

    kamilwylegala

      Hello guys,

       

      I work on external storage provider for Jive and I try to use attachments service from Jive REST Rest API v3.9 → Attachment service

       

      When I delete attachment sending:

      DELETE {jive-domain}/api/core/v3/attachments/{attachment-id}


      I get error 401 message with following content:

      entity: { message: 'URI Scope does not allow access' }

       

      For each request I always pass auth token obtained after Jive's request to esp when new place is being created. The place creation request has the oauth code that is used to get the token. I use requestAccessToken method from jive-sdk for nodeJs to do that.


      Please tell me whether there is any way to change scope of this auth code (if it's the cause). And what the scope should be.


      My goal to achieve is to be able to remove attachments in Jive when attachment is being deleted in ESP. Unfortunately this part is missing in ExternalStorage-API-Docs so that's why I try to use attachments service.


      Best Regards,

      Kamil Wylegała.


      ps. your editor defaults to Comic Sans. Is that a new policy?

        • Re: URI Scope does not allow access to jive attachments API
          ztenerowicz

          On top of that - my observation (I'm working on the same project) is that whenever we call .doRequest() from Jive SDK and it refreshes the token, we get a token that has incorrect scope.

          • Re: URI Scope does not allow access to jive attachments API

            looks like there's only one instance in the code base that actually prints that error out:

             

            class URIScopeValidator {

             

             

                    public void validate(HttpServletRequest request, OAuth2Code token, OAuth2DataService oAuth2DataService)

                            throws OAuth2Exception {

                        List<String> scopes = token.getScope();

                        if(scopes == null || scopes.isEmpty()) {

                            throwAccessDenied("Scope cannot be null or empty", HttpServletResponse.SC_FORBIDDEN);

                        }

                        String requestURI = request.getRequestURI().toLowerCase();

                        String baseURL = JiveGlobals.getDefaultBaseURL();

                        String pathContext = "";

                        try {

                            pathContext = new URL(baseURL).getPath();

                        }

                        catch (MalformedURLException e) {

                            // unlikely to reach here

                            e.printStackTrace();

                        }

                        for(String scope : scopes) {

                            // assume scope always starts with OAuth2Utils.URI_SCOPE_PREFIX

                            if(requestURI.substring(pathContext.length()).startsWith(scope.substring(OAuth2Utils.URI_SCOPE_PREFIX.length()))) return;

                        }

                        throwAccessDenied("URI Scope does not allow access", HttpServletResponse.SC_FORBIDDEN);

                    }

                }

            What I'd like to see is what the scope is associated with the OAuth2Code token in the above code, which I think would require us to deliver a logging patch that you can use (unless you have source access and can do it yourself?).  I'll ask someone from our backline team to see if they can get you a patch for this.

             

            What version of Jive are you doing this against?

             

            AJ

              • Re: URI Scope does not allow access to jive attachments API
                ztenerowicz

                Hi,

                 

                We are using the nodejs sdk and we test against https://jivedemo-egnyte.jiveon.com/ which is constantly updated with newer versions of 8.* _but_ the project is supposed to run on 7.0.1 too (Ryan knows why)

                 

                The code we are using is the one that comes with a place creation request and I haven't seen any scope settings to date. As far as I know OAuth, if we get the code, the scope is already determined.

                If we use the refresh token mechanism we should get a new token with the same scope. But we get a token that is not usable.

                 

                This is still an issue in two distinct places.

                If you can debug jivedemo-egnyte instance, we can set up a date and reproduce.

                • Re: URI Scope does not allow access to jive attachments API

                  The tokens you get on external container registration are only scoped for that particular container and only for ESF endpoints.

                  If you need to use the Core V3 endpoints, then you must also register for that separately (per tenant).

                   

                    • Re: URI Scope does not allow access to jive attachments API

                      Thanks Moshe!

                       

                      Kamil: does that answer your question?

                        • Re: URI Scope does not allow access to jive attachments API
                          ztenerowicz

                          Let me fill in for Kamil, as he's busy with something else.

                          [action items in bold]

                           

                          We are using just the ESF endpoints (as per the zip fie External Storage Framework - Documentation + some guessing where it's broken) for everything that got documented there.

                          Deleting or manipulating attachments is not documented there, so we tried a workaround. Please share documentation for a delete attachment endpoint in ESF or describe the process of getting access to core/v3 API by an ESP integration.

                           

                          Second action item here is figuring out why we keep getting 401 scope errors _every time_ after jive SDK goes to refresh token procedure.

                          I see two options here:

                          A. We're missing some undocumented configuration item that is required for the token to get refreshed with the right scope (seems unlikely, as the token itself has the scope associated to it as per oauth spec)

                          B. doRequest() from Jive SDK for Node.js is not working with ESF and for some reason, the initial token can be used through the method, but then it uses a refresh flow for other API. And then, most peculiarly, the refresh token flow successfully gets a new token but it's no longer working as it has a scope for the wrong API.

                          So the question here is: was doRequest() method in the SDK a trap? Do we have to implement our own that won't be hardcoded to a different API?

                           

                          Please provide a complete guide or a working example of refreshing an ESF token using jive-sdk for Node.js

                          ESF example from the SDK only uses jive.util.buildRequest() and doesn't feature any token refreshing (so it only works for a day with every group or place you create with it)

                            • Re: URI Scope does not allow access to jive attachments API

                              Hey zbigniew tenerowicz,

                               

                              To delete an attachment you need to return a resource "self" when you upload the attachment, then you should implement an endpoint that consumes an HTTP DELETE operation the call for this deletion.

                              You shouldn't use jive API V3 to delete an attachment.

                               

                              Hope that clears things up a bit.

                               

                              Moshe.

                                • Re: URI Scope does not allow access to jive attachments API
                                  ztenerowicz

                                  Ok, I'm going to start using some notation to highlight what direction we're talking about

                                  Also, the other thread is not at all related.

                                   

                                  Storage ==> Jive

                                  1. Attachment file was deleted in storage

                                  2. I need to update Jive with information about that fact, so that the attachment disappears in Jive

                                   

                                  Just like with regular files, I need to know an endpoint in ESF (currently undocumented) to send a DELETE to.

                                   

                                  Hope now it's clear enough.

                                   

                                  Seeing your answer stating that deleting attachments is not supported, I assume we will have to use core/v3 api to do that then.

                                  If so, one question remains valid:

                                  How does ESP get authorized to access core/v3 api?

                                   

                                  Should I put that in a new question thread?

                                   

                                  [edit]

                                  There is a second issue mentioned here that didn't get addressed. I created a separate thread for that issue here External Storage Framework refresh token flow in SDK returns a bad token. All the above still valid.

                                   

                                  btw. Thanks for clearing things out with attachments, we already adapted to that.