Unable to get the current-user detail from the API token

We have integrated our app with SuperOffice. We get a token from a SuperOffice admin user of a company using OAuth and use his token for administrative tasks. However, at the point of authentication, we have to make sure the user is an admin and want to use the API /api/v1/User/current to get the user role. But it throws the following error.

"Message": "Client '' has not been granted access rights to 'Cust31895' web service 'User.GetUser': Application Token is required",

Do we have any other option here to check if the token belongs to an admin or not? Any help on this would be appreciated.

RE: Unable to get the current-user detail from the API token

Hello,

One of the claims returned by the OAuth process is "is_administrator", which you could use to determine if the user is an administrator.

See this article on all the other claims that are returned.

Getting the user role is somewhat tricky, since that is stored on the user entity/object, which can't be accessed by external apps, so you would have to do a custom search using the associate id to get the user's role.

For example:

https://sod.superoffice.com/CustXXXX/api/v1/Archive/InternalUsers?$filter=associateDbId eq <associateId>
By: David Hollegien 30. aug 2021

RE: Unable to get the current-user detail from the API token

Dear OneFlow,

The exception you observe ("Application Token is required") does not appear when accessing SuperOffice web services using an OAuth access token. It's observed when using the ticket credential without an application token as headers.

Authorization SOTicket {{7T:X1y2Z3...}}
SO-AppToken {{App-Secret}}

If you were using an access token, the error would appear as:

{
  "Error": true,
  "ErrorType": "UnauthorizedAccessException",
  "Message": "Client 'YOUR CLIENT NAME' has not been granted access rights to 'Cust12345' web service 'User.GetUser': Application is not authorized - Denied",
  "FriendlyMessage": null,
  "ErrorSource": "SuperOffice.Online.ConfigOverride"
}
The OAuth access token comes in the same body as the JWT payload (which contains the ticket and IsAdministrator claim), and is used like:

Authorization Bearer {{8A:Cust12345...}}

Notice the different prefixes.

With proper headers you can access the user/currentPrincipal endpoint to obtain details about the current user.

When accessing /api/v1/User/currentPrincipal, role information is observed in the following properties:

"RoleId": 1,
"RoleName": "User level 0",

These names can change, but generally level 0 is an admin. There is more information about Roles in the SuperOffice Admin help file.

Hope this helps!

By: Tony Yates 30. aug 2021
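Putting the two replies together, here is an added Python example (not from the thread and not SuperOffice's own code) that decodes the JWT payload, reads the is_administrator claim David mentions, and builds the two header forms Tony contrasts. The namespaced claim keys, the ticket and access-token values and the app-secret placeholder are constructed assumptions; the JWT signature is deliberately not verified here and must be checked against the issuer's keys before any claim is trusted.

```python
import base64
import json

# Constructed sample payload shaped like the claims the replies describe. The
# namespaced key names are assumptions, so lookups match the last path segment.
SAMPLE_PAYLOAD = {
    "http://schemes.superoffice.net/identity/ctx": "Cust12345",
    "http://schemes.superoffice.net/identity/associateid": "42",
    "http://schemes.superoffice.net/identity/is_administrator": "True",
    "http://schemes.superoffice.net/identity/ticket": "7T:placeholder-ticket",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_sample_jwt(payload: dict) -> str:
    """Assemble a compact JWT for offline testing; the signature is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.placeholder-signature"

def jwt_claims(token: str) -> dict:
    """Decode only the payload segment. In production, verify the signature against
    the issuer's published keys before trusting any claim (not shown here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    body = parts[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def claim(claims: dict, name: str):
    """Return a claim by bare name or by a namespaced key ending in '/<name>'."""
    for key, value in claims.items():
        if key == name or key.rsplit("/", 1)[-1] == name:
            return value
    return None

def is_administrator(claims: dict) -> bool:
    """The claim may arrive as a bool or as the string 'True'; anything else is False."""
    value = claim(claims, "is_administrator")
    return value is True or str(value).strip().lower() == "true"

def auth_headers(claims: dict, access_token: str = "") -> dict:
    """Access token -> 'Bearer'; ticket -> 'SOTicket' plus SO-AppToken (the app secret)."""
    if access_token:
        return {"Authorization": f"Bearer {access_token}"}
    return {"Authorization": f"SOTicket {claim(claims, 'ticket')}",
            "SO-AppToken": "<app-secret placeholder>"}
```

Calling the User.GetUser endpoint with the SOTicket form and no SO-AppToken header reproduces the "Application Token is required" error from the question, while the Bearer form is the one to use with an OAuth access token.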