I am facing the same issue as this question
Slack API Opening a New DM (Scopes and Permissions)
I have these permissions assigned
ok error needed provided
-- ----- ------ --------
False missing_scope im:write identify,channels:read,users:read
The self-answer in the other question implies that I need to use the bot token, instead. I don't think I have a bot token (and am not the application administrator so I can't get in), but it seems like I should be able to submit this with the user token as well.
When scopes are added a Slack app has to be re-installed into the workspace (using the OAuth 2.0 process) to activate those changes.
Related
I tried to receive all events for an Microsoft 365 User. It's a business license and a add an App with all User/Mail/Calendar Permissions (also consent granted) to Api permissions.
When running this command or some similar like in the documentation I got 403
Client error: `GET https://graph.microsoft.com/v1.0/users/xxxxxxxxxxxxxxxxxxxx/events` resulted in a `403 Forbidden` re
sponse:
{"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}}
What did I do wrong? I also tried the Graph Explorer (with logged in user).
Are the permissions you are assigning delegated or application permissions?
If you are using application permissions for your App Registration then you need to give access on the user's calendar to the app (probably by using a new service principal on exchange online).
If you are using delegated permissions then you should check the access token you are getting for validation in jwt.ms
Bear in mind that Graph explorer with logged in user needs different permissions than your App Registration. ( it's a different app registration altogether )
Seems like I had the same issue https://learn.microsoft.com/en-us/answers/questions/1165285/microsoft-graph-get-outlook-calendar-events-403?page=1&orderby=Helpful&comment=answer-1168253#newest-answer-comment
The fix was to remove all the other permissions and just give it
I'm currently trying implement an app to read calendars only for a group that's permitted to the app. The idea behind this is that when I want to add a another calendar all I'd have to do is add the object to a specific o365 group. I'm taking the application approach over delegation that way I don't have anything actually logging in to utilize the app. Ultimately I'd like to stay away from any of the *.All permissions for security reasons.
Steps taken :
- created o365 group
- added resource objects and one user service account (just for testing) to the group
- registered app
- generated secret
- assigned group to the app
- granted admin consent to groups.selected via the azure portal
When I run a GET for group/{id}/members :
{'error': {'code': 'Authorization_RequestDenied', 'message': 'Insufficient privileges to complete the operation.', 'innerError': {'request-id': '473410a8-4db4-49d6-8d2c-92b9fbd4edb1', 'date': '2020-03-05T14:59:28'}}}
As per the docs
https://learn.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0&tabs=http
If you are using Application permissions to Get Members for a group. you will need User.Read.All, Group.Read.All, Directory.Read.All.
The usual issue is not granting that permissions to the application in Portal.azure.com and admin consenting it.
If you're confident with that. Then I'd eliminate your code as being the issue by using something like postman with your app id and client secret. We have a sample Postman collection here https://learn.microsoft.com/en-us/graph/use-postman . for delegated permissions you can use our Graph Explorer playground.
MS docs says:
Note: This permission is exposed in the Azure portal for a feature that is not available for general use. Do not use this permission as it is subject to change.
https://learn.microsoft.com/en-us/graph/permissions-reference
When I was trying to connect my IBM Watson chatbot to slack, I noticed that slack has optimized their App options for connection and integration, where they generate only 'Bot User OAuth Access Token'.
But IBM Watson slack integration process still asking in the second step: both: OAuth access token and User OAuth Access Token.
I tried to use the same token but doesn't work, I get my chatbot app on my slack workspace but no interaction.
My question is: how can I integrate my IBM Watson to slack with this new changes?
Have you thought about using a different system to Watson? I had a Bot powered by it but jumped shipped when it became difficult to use OAuth.
Finally, it works ;)
I tried to redo it again by understanding the new process, guess what? I find that slack has added again the 'OAuth access token'=> but if you keep following the IBM Watson slack integration steps you will keep facing problems (since it's not updated yet).
Here the steps I had followed:
1) Go to slack and create your app(https://api.slack.com/start)=> click [start Here] => at the bottom of page click [create a slack app]
2) You will be redirected to Building Apps for Slack page.=> click [Bot] widget.
3) Click [review scope to add]=> in the second section_ Scopes_ fill out:
*Bot Token Scopes with :(app_mentions: read, chat:write, im:read ,im: write).
*User Token Scopes with:(im:read, im:write)
4)In same page go to the top f page and click [install App to workspace]=> click [Allow]
5)Then you'll be redirected to OAuth Tokens & Redirect URLs page, copy the 'OAuth Access Token' and 'Bot User OAuth Access Token'=> go to IBM WATSON SLACK INTEGRATION STEP2 and fill it=> you will need also to fill verification token by copy it from slack >basic information> App Credentials section > Verification Token.
6)Follow steps 3 and 4 as mentioned in IBM WATSON SLACK INTEGRATION.
And OPPPAAA you have your bot app in your slack space work in app menu ^__^.
P.S In 6) you may receive in the top of slack page notification ( reinstall .....), just do by clicking in the notification or you will face PB in your app test.
I am trying to set channel topics with a bot user token, but I'm getting the missing_scope error:
{
ok: false,
error: 'missing_scope',
needed: 'channels:write',
provided: 'identify,bot:basic'
}
It works if I provide the "OAuth Access Token" (instead of "Bot User OAuth Access Token") from https://api.slack.com/apps/:appId/oauth, but this is a poor solution because the message that gets printed in the channel says that the app installer set the channel topic, not the bot user.
But, the docs say that bots can call channels.setTopic with a bot token, and they don't need channels:write:
What gives? Are there different kinds of bot tokens? Am I doing something wrong? As far as I can tell, I cannot set additional permissions for my bot user.
It also says on the the same documentation page:
Only user tokens may use this method. Bot user tokens will not work.
And since it does indeed not work as you say I am guessing the mention of the bot token in the above table is a documentation mistake.
If you want to be 100% sure I would advise to ask the Slack team directly.
I'm wondering if we just found a bug in the MS Graph API. I'm trying to access a different user's inbox mail rules via MS Graph. Here's what I did:
1.) Registered an application on the V1 Azure AD Endpoint, with ALL delegated permissions (including MailBoxSettings.Read and MailBoxSettings.ReadWrite)
2.) Granted access to the application using a global admin account
3.) Got a Graph Bearer Token for the tenant & proper permissions:
4.) Delegated mailbox access (full access) to my Global Admin account in Exchange Online settings:
5.) Verified that I have access to the users inbox via Graph:
6.) Attempting to list messagerules for this user fails:
Note that retrieving the current (global admin) user's mail rules works without an issue:
GET /https://graph.microsoft.com/v1.0/me/mailfolders/inbox/messageRules
This tells me that there is probably a bug in MS Graph - or am I maybe missing something?
Thanks in advance
Ben
I have tried this, and I have get the same error. As my understand, we can not get the other's email rules. If you want to use this case, we can submit this issue on the github Issue
To read other users emaill inbox you need Application Type permission set rather than Delegated access.
Follow this link
https://learn.microsoft.com/en-us/graph/auth-v2-service