Get 403 Error when calling SCIM User API

mikechiu1012
Level 1

Hi, I got a 403 when calling the SCIM Users API. Below is my setting:

The granted user has a full_admin role.

The application (integration) was granted all possible scopes.

The response is 

> curl -v -H "Authorization: Bearer $token" "https://webexapis.com/identity/scim/2c995b9c-774e-4105-830c-1d3ef790cd/v2/Users" | jq .

{
  "message": "The server understood the request, but refused to fulfill it because the access token is missing required scopes or the user is missing required roles or licenses.",
  "errors": [
    {
      "description": "The server understood the request, but refused to fulfill it because the access token is missing required scopes or the user is missing required roles or licenses."
    }
  ],
  "trackingId": "ROUTERGW_78b53e80-b4db-44dc-b0a9-4f45f4b3c5fc"
}

Is there any configuration or license I need to assign to enable SCIM? Thanks.

1 Accepted Solution

Janos Benyovszki
Cisco Employee

@mikechiu1012 the scopes needed for listing users with the SCIM API are mentioned here https://developer.webex.com/docs/api/v1/scim2-user/search-users . If you think your access token has all the right scopes and the user has all access rights, please open a support ticket here https://developer.webex.com/support and we will look into it. 


9 Replies

Janos Benyovszki
Cisco Employee

@rachelro the SCIM API https://developer.webex.com/docs/scim-2-overview uses the same tokens as the rest of the REST APIs. Not sure why that 403 appeared to be honest, difficult to tell without logs. If you have the requests and tracking IDs you can open a support case https://developer.webex.com/support and our team can look into it, or check with engineering.

OK, @Janos Benyovszki  Thank you very much!

Janos Benyovszki
Cisco Employee

@rachelro deactivating your account might invalidate the access token. I can imagine that you had an old access token that was not working, but then with the reactivation and the generation of the new token, your access rights got applied to the token properly, so it started working.

@Janos Benyovszki My token was not old. Yesterday I created a new one several times, and every time I tried it still didn't work and I got a 403 error. Only today did it work for me, after I did the deactivating.
So I wanted to understand if there is a connection?
Or is there some special process for creating a token that will be used for the SCIM API?

Janos Benyovszki
Cisco Employee

@rachelro if your token works from Postman, but not from your app, then it would mean that you are not using the same token in both places. Check for any hardcoded tokens in your code, it might be the cause of the issue. If the same token works from Postman, it should work from your app as well.
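
Two checks suggested in this thread, confirming that Postman and the app really send the same token and collecting the trackingId for a support case, can be done without writing the bearer token itself to logs. The Python sketch below is an added example, not part of the original thread and not Webex code; the function names, tokens and response body are constructed for illustration.

```python
import hashlib
import json


def token_fingerprint(token: str) -> str:
    """Short SHA-256 prefix: identifies a token in logs without revealing it."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def same_token(a: str, b: str) -> bool:
    """True only if both clients send byte-for-byte the same token."""
    return token_fingerprint(a) == token_fingerprint(b)


def support_record(client: str, status: int, body: str, token: str) -> dict:
    """Summarise one API response for a support case, with no secret in it."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        payload = None  # e.g. an HTML error page from a proxy
    if not isinstance(payload, dict):
        payload = {}
    return {
        "client": client,
        "status": status,
        "trackingId": payload.get("trackingId"),
        "token_fp": token_fingerprint(token),
        # Stray whitespace (a trailing newline from a file) changes the header.
        "token_has_whitespace": token != token.strip(),
    }


# Constructed sample data: not real tokens, not a real tracking ID.
POSTMAN_TOKEN = "constructed-token-AAAA"
APP_TOKEN = "constructed-token-BBBB\n"  # stale value loaded from a config file
BODY_403 = json.dumps({
    "message": "The server understood the request, but refused to fulfill it.",
    "trackingId": "ROUTERGW_00000000-0000-0000-0000-000000000000",
})

if __name__ == "__main__":
    print("same token in both clients:", same_token(POSTMAN_TOKEN, APP_TOKEN))
    print(support_record("postman", 200, '{"Resources": []}', POSTMAN_TOKEN))
    print(support_record("app", 403, BODY_403, APP_TOKEN))
```

Differing `token_fp` values between the two records mean the app is not sending the token that works in Postman; the `trackingId` from the failing record is the value to quote in the support case.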

Hi @Janos Benyovszki,
I noticed that I used the same token in Postman and my app, and after I changed my user status from active to inactive and back to active, I created a new token and then the API did succeed.
Could it be related? I made it Inactive and then returned it to Active?
Thanks!

Hi @Janos Benyovszki,
Is there a solution to the problem that @mikechiu1012 presented?
I am also encountering the same problem, and my token has all the necessary roles, permissions and licenses.
More than that, in the test in Postman the API works, but it does not work in the service I created with the same details one by one.
Thanks in advance!


Hi @Janos Benyovszki, thanks for your response. OK, I will open a support ticket. Thanks!