Solved: Re: Scope in native app authentication

adrianm · ‎22-01-2024

How does scope work with native app authentication.

This one works

&scope=openid%20email%20offline_access

but this one

&scope=openid%20email%20offline_access%20vismanet_erp_service_api%3Aread

gives "Error page: invalid_scope Invalid scope"

Will the scope automatically inherit the user's access rights?

When I try to use the token I get error "Invalid audience"

{"ExceptionType":"IPPException","ExceptionMessage":"Invalid audience","ExceptionFaultCode":"12010","ExceptionMessageID":"12010_7eda3119-34de-4029-bc6a-8994d406dd19","ExceptionDetails":""}

In the JWT Token I see my ClientId as "aud"

Suzdar Ibrahim · ‎22-01-2024

Hi Adrian!

vismanet_erp_service_api is an API used for machine-to-machine integrations (client_credentials). Its scopes cannot be used with user authorization. I'm assuming your native application is interactive which means you have to use the Visma.net ERP interactive scopes (For instance: vismanet_erp_interactive_api:read). The scopes from the interactive API will ask the user for approval during the authentication process. So if you have read scopes it will prompt the user to approve (given that the user has API user role in Visma admin as explained here).

I hope that explains your question.

/ Suzdar

adrianm · ‎22-01-2024

Ah, that makes sense. Thank you.

I tried "vismanet_erp_interactive_api:read" which worked but fetching the token failed with "invalid_tenant"

POST: https://connect.visma.com/connect/token
Headers: {
    Accept: application/json
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 236
}
code=<code>&redirect_uri=http%3A%2F%2Flocalhost%3A49817%2F&client_id=<clientId>&code_verifier=CBoX5tXzqbeLItJ8KS92m9GcxiFzwBXmEkQY9u_Q8fw&grant_type=authorization_code
Response: 400 Bad Request
Headers: {
    Transfer-Encoding: chunked
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-store, no-cache, max-age=0
    Date: Mon, 22 Jan 2024 10:46:42 GMT
    Server: nginx
    Content-Type: application/json; charset=UTF-8
}
{"error":"invalid_tenant"}

Suzdar Ibrahim · ‎22-01-2024

Do you have a way of retrieving the tenant_id? When authenticating you should come to a page like this:

adrianm · ‎22-01-2024

I get a dialog like this

Tried several different organisations with same result. One of them was "d0510770-7d18-11ed-9891-0693d8a7c3dd" which I can access in the appstore. One thing to note is that I don't always get the approve prompt after I select company.

Suzdar Ibrahim · ‎22-01-2024

Do you receive an error code (guid)? If you receive one you can check in Developer Portal for a more detailed error message. I've tried this in Postman now and should be working fine, does your user have "API User" role in Visma admin in each respective company?

adrianm · ‎22-01-2024

Found the problem. I was not API user. Once added it works fine.

You should probably redirect with &error=<message> instead of success with an unusable code 🙂

Suzdar Ibrahim · ‎22-01-2024

Great!

Thanks for the feedback. Will let the team know 😀.

adrianm · ‎22-01-2024

There is no error message. The browser is redirected with a code

http://localhost:49817/?code=<code>&scope=email openid&state=xd4Eqv9V8vF6oEe-Un5p3yeaY4UDhRIYM0nizrrJyls&session_state=85Pp6M-t1M_5NShtMj8YCq8xheMP0cbkU-p3tFhPpHs.3B69200BADC85FE3E6C48367D8838FB7&iss=https%3A%2F%2Fconnect.visma.com

It is when I use the code to retrieve the token I get the error message I showed earlier.

Scope in native app authentication

Useful pages

About Visma

Contact us

Follow us