Hi,

The role needed to log in to an interactive integration is the "API User" role, the "Integration Administrator" is only needed for the users that should have access to log on to the App store and accept tenant based applications.

Could you please check if this has been applied to one of the users logging in:

The same problem is shown there: "0 of 0 licenses in use". There is no way to select any of the roles there:

We worked with our partner manager to get some things checked since this is getting critical for us now. It seemed that there was a new license made for us, but it seems it was separated from our profile. This leaded to all kind of weird problems. This has been resolved now by support by moving all users to the new license.

Currently we get one step further in the log on process: we can choose what company to connect, but selecting either of the two companies leads to another error:

Can you check the actual problem?

For the error IDs you receive, you can use OAuth Debugger available in the developer portal.

Test and debug your OAuth requests by pasting in the Error-ID you may get during your implementation towards the /connect/authorize endpoint. From the My Applications page, you have access to the Debugger.

I see. Thanks! That button deserves a little more emphasis and possibly a mention in the error dialog for development users.

After making some changes and retrieving an access token I get the next error:

Message - Unhandled exception: Failed to update tenant consent for user b0be87dc-xxxx, client xxxx and tenant 0feb108a-xxxx, errorId: a2c7cd20-xxxx
Response - HttpResponseInfo { StatusCode: InternalServerError, ErrorCode: null }
SourceContext - VismaConnect.Web.IdentityProvider.Middlewares.ExceptionHandlerMiddleware
RequestId - 0HMVR44A0F0S5:00000002
RequestPath - /connect/authorize/callback
ConnectionId - 0HMVR44A0F0S5
Request_Ipv4Address - xxxx
Request_UserAgent - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Request_Method - GET
Request_Path - /connect/authorize/callback
Request_Host - connect.visma.com
Request_ClientId - xxxx
CorrelationId - 3e98b89f-xxxx
UserId - b0be87dc-xxxx
SessionId - af9151a4-xxxx
IdentityProvider - Visma Connect
TenantId - null
Timestamp - 12/13/2023 14:12:05 +00:00
Level - Error
ExceptionSource - VismaConnect.Dal.ConnectDb
ExceptionType - VismaConnect.Dal.ConnectDb.Connector.ConnectDbException
ExceptionMessage - Failed to update tenant consent for user b0be87dc-xxxx, client xxxx and tenant 0feb108a-xxxx
StackTrace - at VismaConnect.Dal.ConnectDb.Services.UserTenantConsentDbService.UpdateAsync(Guid userId, String clientIdentity, Guid tenantId, IEnumerable`1 scopes) in /tc-agent/work/d20c03d2a8e0d24e/src/VismaConnect.Dal.ConnectDb/Services/UserTenantConsentDbService.cs:line 81

Any clue?

Hi,

There is an issue with the link that you posted yesterday, could you please compare your calls to these examples:

Authorize:

GET https://connect.visma.com/connect/authorize
?client_id=ClientID
&response_type=code
&scope=openid
&redirect_uri=http://localhost
&code_challenge=iMnq5o6zALKXGivsnlom_0F5_WYda32GHkxlV7mq7hQ
&code_challenge_method=S256

Token:

curl --request POST --url https://connect.visma.com/connect/token
--header 'content-type: application/x-www-form-urlencoded'  
--data 'grant_type=authorization_code
&redirect_uri=http://localhost
&code=94c99b73c13c1e39f7b0a7d259628338
&client_id=ClientID
&code_verifier=verifier'

Why is there a `code_challenge`? That only applies to PKCE which we don't intend to use.

What type of application/authentication are you intending to set up? 

Grant type = Authorization code

The currently used call to `authorize` is (replacing the client ID):

https://connect.visma.com/connect/authorize?response_type=code&client_id=xxxx&redirect_uri=https%3A%2F%2Fdcloud%3A44362%2Fapp%2Fsetup%2Fdatabases%2Fnew%2Fvismanet%2Ftoken&state=INVANTIVE-fb5bc40483ad402e97d4821eeae71ce9&scope=openid+email+profile+vismanet_erp_interactive_api%3Aread+vismanet_erp_interactive_api%3Acreate+vismanet_erp_interactive_api%3Aupdate+vismanet_erp_interactive_api%3Adelete

The URL provided is correct. The bug reported seems to be user-specific. I have tried the link with another Visma .net user and now it does work. So the tenant consent update error is specific for this user, who has consented with other OAuth settings before.

The above error also happens when we open the OAuth URL (similar to https://connect.visma.com/connect/authorize?response_type=code&client_id=xxxxxx&redirect_uri=https%3...) from an Incognito session.