
Scope in native app authentication

by adrianm

How does scope work with native app authentication?

This one works

&scope=openid%20email%20offline_access

but this one

&scope=openid%20email%20offline_access%20vismanet_erp_service_api%3Aread

gives "Error page: invalid_scope Invalid scope".

Will the scope automatically inherit the user's access rights?

When I try to use the token I get error "Invalid audience"

{"ExceptionType":"IPPException","ExceptionMessage":"Invalid audience","ExceptionFaultCode":"12010","ExceptionMessageID":"12010_7eda3119-34de-4029-bc6a-8994d406dd19","ExceptionDetails":""}

In the JWT token I see my ClientId as "aud".
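Added example (not from the thread, and not Visma's code): a small Python check that first verifies a token's signature and only then reports why an API that enforces the `aud` and `scope` claims would reject it, including the situation described above where `aud` carries the client_id (which is what an OIDC ID token contains, whereas an API expects its own audience in the access token). The demo tokens, the HS256 secret, the client_id placeholder and the audience name `vismanet_erp_interactive_api` are all constructed or assumed; a real Visma Connect token is verified against the issuer's published signing keys, not a local secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not from the thread). HS256 with a local secret is used
# only so the example is self-contained; real tokens are checked against the
# issuer's public keys.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
DEMO_CLIENT_ID = "example-client-id"                 # placeholder for the app's client_id
DEMO_API_AUDIENCE = "vismanet_erp_interactive_api"   # assumed audience name for the API


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a signed demo token so the verifier below has something to check."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims only if the signature is valid; never act on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated segments")
    header, payload, signature = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg; refuse anything but the algorithm we expect")
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload))


def audience_matches(claims: dict, expected: str) -> bool:
    # RFC 7519 allows "aud" to be a single string or an array of strings.
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, list):
        return expected in aud
    return False


def granted_scopes(claims: dict) -> set:
    # "scope" is usually a space-separated string; some issuers emit a list.
    scope = claims.get("scope", "")
    return set(scope.split()) if isinstance(scope, str) else set(scope)


def diagnose(token: str, secret: bytes, client_id: str, api_audience: str, required_scopes: set) -> list:
    """Explain why an API that checks aud and scope would reject this token."""
    claims = verify_hs256(token, secret)
    findings = []
    if not audience_matches(claims, api_audience):
        findings.append(f"aud={claims.get('aud')!r} does not name the API {api_audience!r}: "
                        "the API will answer 'Invalid audience'")
        if audience_matches(claims, client_id):
            findings.append("aud equals the client_id, which is what an OIDC ID token carries; "
                            "call the API with the access token instead")
    missing = required_scopes - granted_scopes(claims)
    if missing:
        findings.append(f"scope claim lacks {sorted(missing)}; the user never consented to them")
    return findings


# Constructed sample tokens mimicking the two tokens an authorization-code login returns.
ID_TOKEN = make_hs256_token(
    {"iss": "https://connect.visma.com", "aud": DEMO_CLIENT_ID, "sub": "user-1"}, DEMO_SECRET)
ACCESS_TOKEN = make_hs256_token(
    {"iss": "https://connect.visma.com", "aud": [DEMO_API_AUDIENCE], "sub": "user-1",
     "scope": "openid email vismanet_erp_interactive_api:read"}, DEMO_SECRET)

if __name__ == "__main__":
    required = {"vismanet_erp_interactive_api:read"}
    for name, tok in (("id_token", ID_TOKEN), ("access_token", ACCESS_TOKEN)):
        print(name, diagnose(tok, DEMO_SECRET, DEMO_CLIENT_ID, DEMO_API_AUDIENCE, required) or ["ok"])
```

Run against the constructed ID token, `diagnose` reports the audience mismatch and the ID-token hint; against the constructed access token it reports nothing. The audience check is what stops a token minted for one client or API from being replayed against another, which is why the API refuses rather than silently accepting a token whose `aud` is only the client_id.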


by Suzdar Ibrahim

Hi Adrian!

vismanet_erp_service_api is an API used for machine-to-machine integrations (client_credentials). Its scopes cannot be used with user authorization. I'm assuming your native application is interactive which means you have to use the Visma.net ERP interactive scopes (For instance: vismanet_erp_interactive_api:read). The scopes from the interactive API will ask the user for approval during the authentication process. So if you have read scopes it will prompt the user to approve (given that the user has API user role in Visma admin as explained here).



I hope that explains your question.

/ Suzdar

by adrianm

Ah, that makes sense. Thank you.

I tried "vismanet_erp_interactive_api:read", which worked, but fetching the token failed with "invalid_tenant":

POST: https://connect.visma.com/connect/token
Headers: {
    Accept: application/json
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 236
}
code=<code>&redirect_uri=http%3A%2F%2Flocalhost%3A49817%2F&client_id=<clientId>&code_verifier=CBoX5tXzqbeLItJ8KS92m9GcxiFzwBXmEkQY9u_Q8fw&grant_type=authorization_code
Response: 400 Bad Request
Headers: {
    Transfer-Encoding: chunked
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-store, no-cache, max-age=0
    Date: Mon, 22 Jan 2024 10:46:42 GMT
    Server: nginx
    Content-Type: application/json; charset=UTF-8
}
{"error":"invalid_tenant"}

by Suzdar Ibrahim

Do you have a way of retrieving the tenant_id? When authenticating you should come to a page like this:

[Screenshot attached: Screenshot_62.png]


by adrianm

I get a dialog like this:

[Screenshot attached: adrianm_0-1705924604920.png]

Tried several different organisations with the same result. One of them was "d0510770-7d18-11ed-9891-0693d8a7c3dd", which I can access in the appstore. One thing to note is that I don't always get the approve prompt after I select a company.

by Suzdar Ibrahim

Do you receive an error code (GUID)? If you receive one you can check in the Developer Portal for a more detailed error message. I've tried this in Postman now and it should be working fine; does your user have the "API User" role in Visma admin in each respective company?

[Screenshot attached: Screenshot_65.png]

Accepted solution

by adrianm

Found the problem. I was not an API user. Once added, it works fine.

You should probably redirect with &error=<message> instead of success with an unusable code 🙂

by Suzdar Ibrahim

Great!

Thanks for the feedback. Will let the team know 😀.


by adrianm

There is no error message. The browser is redirected with a code:

http://localhost:49817/?code=<code>&scope=email openid&state=xd4Eqv9V8vF6oEe-Un5p3yeaY4UDhRIYM0nizrrJyls&session_state=85Pp6M-t1M_5NShtMj8YCq8xheMP0cbkU-p3tFhPpHs.3B69200BADC85FE3E6C48367D8838FB7&iss=https%3A%2F%2Fconnect.visma.com

It is when I use the code to retrieve the token that I get the error message I showed earlier.
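Added example (not from the thread, and not Visma's code) tying together three points raised above: Suzdar's explanation that `vismanet_erp_service_api:*` scopes belong to client_credentials and are refused in a user login, the authorization-code + PKCE token POST shown earlier, and the loopback redirect carrying `code` and `state`. The Python below builds the authorization request for a native app and refuses service-API scopes before the round trip, derives the S256 PKCE challenge, checks `state` on the callback so a code from someone else's session is never exchanged, and assembles the same form body as the thread's POST. The token endpoint and `http://localhost:49817/` come from the thread; the authorize endpoint path, the client_id and the callback URL are assumptions or constructed values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Token endpoint as used in the thread; the authorize path is an assumption.
TOKEN_ENDPOINT = "https://connect.visma.com/connect/token"
AUTHORIZE_ENDPOINT = "https://connect.visma.com/connect/authorize"  # assumed, not from the thread

# Scope families from the reply: service-API scopes belong to client_credentials
# (machine-to-machine) and are refused in a user login; interactive-API scopes
# are the ones a native app asks the user to approve.
SERVICE_API_PREFIX = "vismanet_erp_service_api:"
INTERACTIVE_API_PREFIX = "vismanet_erp_interactive_api:"


def service_scopes_in(scopes):
    """Scopes that make the authorization server answer invalid_scope in a user flow."""
    return [s for s in scopes if s.startswith(SERVICE_API_PREFIX)]


def pkce_challenge(verifier: str) -> str:
    """S256 challenge per RFC 7636: BASE64URL(SHA256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    # 32 random bytes -> 43-character verifier, inside RFC 7636's 43..128 bounds.
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(client_id, redirect_uri, scopes, state, code_challenge):
    """Authorization request for a native app; refuses service-API scopes up front."""
    bad = service_scopes_in(scopes)
    if bad:
        raise ValueError(f"service-API scopes cannot be used with user authorization: {bad}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(url: str, expected_state: str) -> str:
    """Extract the code from the redirect; the state check binds it to our own request."""
    query = parse_qs(urlsplit(url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: response does not belong to this client session")
    if "code" not in query:
        raise RuntimeError("no code in redirect")
    return query["code"][0]


def build_token_request_body(code, redirect_uri, client_id, code_verifier) -> str:
    """Form body for the POST to TOKEN_ENDPOINT, same fields as the thread's request."""
    return urlencode({
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": code_verifier,
        "grant_type": "authorization_code",
    })


if __name__ == "__main__":
    client_id = "example-client-id"           # placeholder
    redirect_uri = "http://localhost:49817/"  # loopback redirect from the thread
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(32)
    scopes = ["openid", "email", "offline_access", "vismanet_erp_interactive_api:read"]
    print(build_authorize_url(client_id, redirect_uri, scopes, state, challenge))
    # Constructed callback, shaped like the one the browser delivers in the thread:
    callback = f"{redirect_uri}?code=SAMPLE_CODE&scope=email+openid&state={state}"
    code = parse_callback(callback, state)
    print(build_token_request_body(code, redirect_uri, client_id, verifier))
```

The verifier never leaves the app until the token request, so a code captured from the loopback redirect is useless without it; the `state` check covers the reverse case, a redirect that was not triggered by this app. `parse_callback` also honours an `error` parameter, which is the shape adrianm asks for in the accepted-solution post.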