Can't Access Firebase Storage Default Bucket From iOS App - ios

A few hours ago I was able to access my default storage bucket without any problems. However, now I can't. I receive the following message:
Error Domain=FIRStorageErrorDomain Code=-13021 "User does not have permission to access gs://MY_BUCKET_NAME/data.json." UserInfo={object=data.json, ResponseBody={
  "error": {
    "code": 403,
    "message": "Permission denied. Could not perform this operation"
  }
Here's my bucket rules:
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}
I don't know what to do. Can someone help?
Note: I'm on the Blaze plan. firebase-storage@system.gserviceaccount.com is added to my default Firebase Storage bucket.

Your rules require that a user be signed into your app in order to read or write any file in the bucket. I would expect that the only reason why you would get that message is if there was no user signed in, or somehow you are trying to access a bucket that is not in the same project as the signed in user.

Related

Unable to read team channel messages using microsoft grap API

I am able to read channel messages as long as I am a member of a particular channel, but I am unable to read channel messages in channels of which I am not a member, even though I am a global administrator with the following delegated permissions. Can anybody help?
ChannelMessage.Read.All, Group.Read.All, Group.ReadWrite.All
When I am trying to execute I am getting the following response
{
  "error": {
    "code": "Forbidden",
    "message": "Forbidden",
    "innerError": {
      "date": "2020-09-10T04:37:36",
      "request-id": "727d898d-ee3e-484d-b2b6-46582834ca9c",
      "client-request-id": "727d898d-ee3e-484d-b2b6-46582834ca9c"
    }
  }
}
You'll need to use Application rather than Delegated permissions for this. When you're using Delegated permissions, you can only access Channels you are a member of (i.e. the same Channels you see in the Teams app).
Note that these are Protected APIs, so you'll need to request access before you can use them (above and beyond the normal Admin Consent flow).

Status Code: Forbidden; Reason: The request is not authorized for this user or application

I am trying to subscribe to Microsoft Teams Presence API for a particular user.
Request Url:
https://graph.microsoft.com/beta/subscriptions
Request Body
{
  'changeType': 'created,updated',
  'notificationUrl': 'https://<domain-name>/presence-notify/',
  'resource': '/communications/presences/{id}',
  'expirationDateTime': '2020-09-10T07:37:13Z',
  'clientState': 'secretClientState'
}
Response
{
  "error": {
    "code": "ExtensionError",
    "message": "Operation: Create; Exception: [Status Code: Forbidden; Reason: The request is not authorized for this user or application.]",
    "innerError": {
      "date": "2020-09-09T11:27:27",
      "request-id": "c563f94d-3c10-4c09-be35-0d1993d9a112"
    }
  }
}
The following delegated permissions were requested and granted by admin:
Presence.Read
Presence.Read.All
[image: client certificate]
Finally I am able to solve the issue. As the error mentioned, "The request is not authorized for this user or application", I thought there might be an issue with the access token. Actually I was calling the API on behalf of the app, i.e. a token with grant_type client_credentials. Rather, I should have called the API on behalf of the user, i.e. a token with grant_type password, as it is clearly mentioned in the documentation that
permissions are delegated. I didn't use any encryptionCertificate; still, the subscription was successful.
You need to specify the encryptionCertificate. From the documentation:
presence subscriptions require encryption. Subscription creation will fail if encryptionCertificate is not specified.

unable to get given_name and family_name from azure v2 token endpoint

In the manifest of my application registration I've configured to retrieve the given_name and family_name claims (through the UI, the resulting manifest looks like this):
"idToken": [
  {
    "name": "family_name",
    "source": "user",
    "essential": false,
    "additionalProperties": []
  },
  {
    "name": "given_name",
    "source": "user",
    "essential": false,
    "additionalProperties": []
  }
],
During the redirect I add the profile scope along with the given_name and family_name scopes, which results in the following error.
Message contains error: 'invalid_client', error_description: 'AADSTS650053: The application 'REDACTED' asked for scope 'given_name' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.
Any ideas? As I understand that is what is required to configure these optional claims on the v2.0 endpoint as described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#v20-specific-optional-claims-set
You should only use the profile 'scope', which should result in you receiving the given_name and family_name 'claims'. That's standard behaviour for an Authorization Server, which will then either:
Return the name details directly in the id token
Or allow you to send an access token to the user info endpoint to get the name details
However, Azure v2 is very Microsoft specific, and user info lookup can be painful and involve sending a separate type of token to the Graph user info endpoint. Hopefully you won't have to deal with that and you will get the name details directly in the id token.
I had a scenario where my API (which only received an access token) needed to get user info, and I solved it via steps 14 - 18 of this write up, but it's a convoluted solution.
Once you configure optional claims for your application through the UI or application manifest, you need to provide the profile delegated permission for the application.

Access is denied. Check credentials and try again., The process failed to get the correct properties

I'm having an issue with one of my Microsoft Graph tokens.
When I debug it, I can see in the JSON Web Token Payload that the token is indeed for the Microsoft Graph API aud = https://graph.microsoft.com and it seems I have the appropriate scopes scp = Mail.ReadWrite Mail.Send User.Read.
Though when retrieving an email using GET https://graph.microsoft.com/1.0/me/messages/<ID_HERE> or trying to create a new one POST https://graph.microsoft.com/1.0/me/messages I get the following error:
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again., The process failed to get the correct properties.",
    "innerError": {
      "request-id": "---",
      "date": "---"
    }
  }
}
I'm not sure how I could fix this. Any help appreciated. Thanks!
I recommend you use get-rolegroupmember "organization management" cmdlet to check if your administrator has the organization management permission.
If your administrator doesn't have the permission, I recommend you use add-rolegroupmember cmdlet to add your administrator to this group to check the result. Also, you can check with a user that has the same permission as this person to see if you get a result and if the problem is on your end or the user's end.
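Several of the threads above come down to the same two token checks: is the access token actually issued for the Microsoft Graph audience, and does it carry delegated permissions (an `scp` claim, obtained on behalf of a user) or application permissions (a `roles` claim, obtained with `client_credentials`)? The Teams channel-message answer needs application permissions, the presence-subscription answer needs delegated ones, and the mail question checks `aud` and `scp` by hand. The following is an added example, not code from any of the posts: it decodes a token's claims for debugging and reports which of those checks fail. The sample tokens are constructed locally and unsigned; the decoder deliberately does not verify signatures, which is acceptable for inspecting a token you already hold but never for making an authorization decision.

```python
"""Inspect an Azure AD access token before debugging a Microsoft Graph 403.

Added example. The decoder reads claims WITHOUT verifying the signature:
use it to look at a token you already hold, never to trust one you receive.
"""
import base64
import json

GRAPH_AUDIENCE = "https://graph.microsoft.com"
# Graph also appears as this well-known application id (seen in the error
# message about the 'given_name' scope above).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode a JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(claims: dict) -> str:
    """'delegated' for an scp claim (user context), 'application' for roles."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "unknown"


def permissions(claims: dict) -> set:
    """Permissions granted by the token, whichever claim carries them."""
    kind = token_kind(claims)
    if kind == "delegated":
        return set(claims["scp"].split())   # scp is a space-separated string
    if kind == "application":
        return set(claims["roles"])         # roles is a JSON array
    return set()


def check_graph_token(token: str, required: set, need_kind: str) -> list:
    """Return human-readable problems; an empty list means the token looks right
    for calling a Graph API that needs `required` permissions of `need_kind`."""
    claims = decode_jwt_payload(token)
    problems = []
    aud = claims.get("aud")
    if aud not in (GRAPH_AUDIENCE, GRAPH_APP_ID):
        problems.append(f"audience is {aud!r}, not Microsoft Graph")
    kind = token_kind(claims)
    if kind != need_kind:
        problems.append(f"token carries {kind} permissions but the API needs {need_kind} permissions")
    missing = required - permissions(claims)
    if missing:
        problems.append("missing permissions: " + ", ".join(sorted(missing)))
    return problems


def _make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned test token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed samples mirroring the situations in the threads above.
DELEGATED_MAIL_TOKEN = _make_unsigned_token(
    {"aud": GRAPH_AUDIENCE, "scp": "Mail.ReadWrite Mail.Send User.Read", "oid": "<user-oid>"})
APP_ONLY_TEAMS_TOKEN = _make_unsigned_token(
    {"aud": GRAPH_AUDIENCE, "roles": ["ChannelMessage.Read.All", "Group.Read.All"]})
WRONG_AUDIENCE_TOKEN = _make_unsigned_token(
    {"aud": "api://example-backend", "scp": "Presence.Read"})

if __name__ == "__main__":
    for name, token, required, kind in [
        ("mail (delegated)", DELEGATED_MAIL_TOKEN, {"Mail.Send"}, "delegated"),
        ("teams channels (application)", APP_ONLY_TEAMS_TOKEN, {"ChannelMessage.Read.All"}, "application"),
        ("presence with wrong audience", WRONG_AUDIENCE_TOKEN, {"Presence.Read"}, "delegated"),
    ]:
        print(name, "->", check_graph_token(token, required, kind) or "OK")
```

The `need_kind` argument encodes what the Graph documentation says for the endpoint: pass `"application"` for APIs that only accept app-only tokens (the channel-message case) and `"delegated"` for ones that require a user context (the presence subscription), and the report tells you whether the token you minted matches.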

Error when createUploadSession on OneDrive graph api for the special AppFolder

I am attempting to create an upload session in the special app folder for my OneDrive app using the Graph API. My app has the following permissions:
Files.ReadWrite
Files.ReadWrite.AppFolder
offline_access
The request looks like this
https://graph.microsoft.com/v1.0/users/xxxxxx96-2e02-4300-8ab0-a05d73xxxxxx/drive/special/approot:/documentname.docx:/createUploadSession
gives the following error:
{
  "error": {
    "code": "itemNotFound",
    "message": "The resource could not be found.",
    "innerError": {
      "request-id": "7447aa01-6685-4af0-998a-64abc9b14825",
      "date": "2017-04-06T10:07:46"
    }
  }
}
I can create an upload session on the normal root folder without any errors:
graph.microsoft.com/v1.0/users/xxxxxx96-2e02-4300-8ab0-a05d73xxxxxx/drive/root:/documentname.docx:/createUploadSession
result:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.uploadSession",
  "expirationDateTime": "2017-04-06T10:32:48.5252565Z",
  "nextExpectedRanges": [
    "0-"
  ],
  "uploadUrl": "......."
}
The createuploadsession method does not support special/approot. As mentioned in the documentation, these are the only paths to use:
POST /drive/root:/{path_to_item}:/createUploadSession
POST /drive/items/{parent_item_id}:/(unknown):/createUploadSession
Just wanted to clarify, since people are sometimes referring to this thread still: This syntax actually is supported. Due to the flexibility of OData syntax/support, the docs are not always 100% comprehensive about every request path that works.
I believe the actual issue is that Files.ReadWrite.AppFolder is not supported on ODB/SPO/business accounts yet (as of 2022) - it is only for personal/MSA accounts. However, there is work in progress to bring this support to SPO in the future.
The two scopes that are mentioned above are:
Files.ReadWrite - grants access to content on the caller's mysite only
Files.ReadWrite.AppFolder - has no effect on SPO/business
Files.ReadWrite.All should work in the short term, until Files.ReadWrite.AppFolder is implemented on SPO/ODB.