Client credentials flow for technical user

Hello,

We want to use a technical user for our external application to get access to the data events and the data of a project.

For this we have created a technical user with the owner role and we have used the OAuth client credentials flow with the scope “pantaris:api-v2” to get an access token in the form of a Bearer token.

The problem now is that I can use this Bearer token to access for example “api.pantaris-latest.de/v2/files/XX” (200), but I have no rights on “download.pantaris-latest.de/” (401) and I also cannot get a dataEventToken (403).
Is there anything I am doing wrong, maybe I use the wrong scope, or is this not working with the technical user?

NOTE: We test it on pantaris LATEST.

Thanks in advance for all help.


Hi @christian.eppler and welcome to the forum,

Right now the service accounts are only implemented on api-v2 and third-party IAM.

So access/permission errors on other services like the file service and data events are fine.

Going to add these points to our todo list before releasing this feature, if they are not already there :+1:

@thomas.schuerle Ok thanks for the fast answer. Is there a source of information where I can see if this change is implemented?

Another question connected to this: it seems to me that the AMQP data event connection has not worked anymore since today?

Thanks in advance.

We provide information about changes here: Documentation | PANTARIS and for app-developers also deprecation notes here: Deprecations - PANTARIS.
However, we do not provide change information on test and staging system (like pantaris-latest).

Today we changed our infrastructure provider on latest. Looks like the interface broke during that change. Will post an update once it is working again. (Funny enough, it’s still working on https.)


Is there any news, if AMQP is working again on pantaris-latest.de?

Yes, it’s working again since yesterday evening @marcel.mager

Hello @thomas.schuerle, with the normal user token I was able to set up an AMQP connection on latest (until I can use the technical user). But I cannot connect to pantaris.io, although if I look here Documentation | PANTARIS it should exist there. Or do I understand it incorrectly and this feature is not deployed on prod?

No, it’s not available on production yet.

Only to be sure, what is then the meaning of:
cite: * API: Add AMQP interface for data-event (Documentation | PANTARIS)
In this case only an interface without the functionality?

My last post was a bit short, sorry for the confusion. It was meant for the whole scope of this topic, including the OAuth things.

  • Service accounts / OAuth are still limited to latest
  • The AMQP interface was available on production, but is facing issues right now, which are expected to be fixed in the next release on 17th of June

AMQP is working again


How do you guys create a token with the auth flow? I am trying this in Thunder Client/Postman with the following configuration, but I still get NOT_AUTHORIZED when I try to fetch devices or projects. What am I doing wrong?

NOT_AUTHORIZED indicates the token was either not given, invalid, or given in the wrong way.

From your screen, I assume you need to change the Token Prefix from Token to Bearer. The Token prefix is used for Calponia tokens, while OAuth tokens are given with Bearer.

Ok thanks for the advice. Now I get another error.

Trying to fetch project information:

https://api.pantaris-latest.de/v2/projects/{ID}

{
  "error": {
    "id": "4147ef01cac10bb4532512776d83114d",
    "status": 500,
    "code": "INTERNAL_SERVER_ERROR",
    "title": "An unexpected error occurred",
    "detail": "An unexpected error occurred while processing this request (4147ef01cac10bb4532512776d83114d)"
  }
}

The technical user is owner of the project.
Anything that I missed?

I could reproduce the error. We’re analyzing it. I’ll keep you posted.

This error should be resolved by now. :fireworks:


Hello,
There is an error when requesting the API https://api.pantaris-latest.de/v2/data-event-tokens with a tech user OAuth token:

{
  "error": {
    "status": 403,
    "code": "PERMISSION_DENIED",
    "title": "Permission to execute this request was denied",
    "detail": "The authorized user does not have the permission to execute this request."
  }
}

The other APIs work fine. Does this endpoint support OAuth authentication?

No, this endpoint does not support OAuth authentication, but you can simply connect to data events using a valid OAuth token.

Hello Thomas,

I tried to subscribe to the AMQP endpoint with an OAuth token obtained for the technical user.
But received the following exception:

RabbitMQ.Client.Exceptions.AuthenticationFailureException: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.

Do you have any documentation about how to access data events with a tech user? Should any specific scope be requested for the token?

Pretty much the same as with other tokens.

  1. Obtain a token with
{
  client_id: technicalUser.clientId,
  client_secret: technicalUser.clientSecret!,
  scope: `pantaris:api-v2`,
  grant_type: 'client_credentials',
}

and pass it as username to the exchange. See the docs for information like URLs.
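The steps collected in this thread (client credentials request with the `pantaris:api-v2` scope, `Bearer` rather than `Token` as the Authorization prefix for api-v2, the token reused as the AMQP username, and the three error envelopes the posters hit), as an added Python example that is not PANTARIS code. The token endpoint URL, the AMQP password value and the error-code handling are assumptions marked in the comments; the thread only gives the api-v2 host, the scope, the grant type and the JSON error bodies. The request-building and error-classification functions run offline; only `fetch_token` talks to the network.

```python
"""Added example, not from the PANTARIS project or its documentation."""
import json
import urllib.parse
import urllib.request

# ASSUMPTION: the thread never states the token endpoint; this is a placeholder.
TOKEN_URL = "https://TOKEN-ENDPOINT-PLACEHOLDER/oauth2/token"
API_BASE = "https://api.pantaris-latest.de/v2"  # host used throughout the thread
SCOPE = "pantaris:api-v2"                        # scope named in the thread

# Constructed sample of the 403 envelope posted in the thread.
SAMPLE_403 = json.dumps({"error": {
    "status": 403, "code": "PERMISSION_DENIED",
    "title": "Permission to execute this request was denied",
    "detail": "The authorized user does not have the permission to execute this request."}})


def build_token_request(client_id: str, client_secret: str, scope: str = SCOPE) -> dict:
    """Form-encoded RFC 6749 client_credentials request (the object literal in
    the last post, as an HTTP body). The secret travels in the POST body over
    TLS, never in a query string, so it does not land in access logs."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return {
        "url": TOKEN_URL,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": body,
    }


def api_headers(access_token: str) -> dict:
    """api-v2 wants the Bearer prefix for OAuth tokens; the 'Token' prefix
    (meant for Calponia tokens) is what produced NOT_AUTHORIZED above."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


def amqp_credentials(access_token: str) -> tuple:
    """The thread says to pass the OAuth token as the AMQP username.
    ASSUMPTION: the password is left empty; the thread does not state it."""
    return (access_token, "")


def classify_error(response_body: str) -> str:
    """Map the error envelope seen in the thread to the next debugging step.
    ASSUMPTION: the code-to-action mapping is the editor's reading of the thread."""
    try:
        err = json.loads(response_body).get("error", {})
    except (json.JSONDecodeError, AttributeError):
        return "unparseable"
    code = err.get("code")
    if code == "NOT_AUTHORIZED":
        return "token missing, invalid or sent with the wrong prefix: use Authorization: Bearer"
    if code == "PERMISSION_DENIED":
        return "token accepted but this endpoint is not enabled for the principal"
    if code == "INTERNAL_SERVER_ERROR":
        return f"server fault, quote error id {err.get('id')} when reporting"
    return f"unhandled code {code}"


def fetch_token(client_id: str, client_secret: str) -> str:
    """Perform the real request (network). Not exercised by the offline checks."""
    req = build_token_request(client_id, client_secret)
    http_req = urllib.request.Request(req["url"], data=req["body"].encode(),
                                      headers=req["headers"], method="POST")
    with urllib.request.urlopen(http_req, timeout=10) as resp:
        return json.loads(resp.read())["access_token"]


def project_url(project_id: str) -> str:
    """URL of the project endpoint queried in the thread."""
    return f"{API_BASE}/projects/{urllib.parse.quote(project_id, safe='')}"


if __name__ == "__main__":
    req = build_token_request("CLIENT-ID-PLACEHOLDER", "CLIENT-SECRET-PLACEHOLDER")
    print("token request body:", req["body"])
    print("api headers:", api_headers("<access_token>"))
    print("amqp login:", amqp_credentials("<access_token>"))
    print("403 means:", classify_error(SAMPLE_403))
```

Keep the client secret out of source control and shell history (read it from an environment variable or a secrets store); the placeholders above exist only so the script runs as-is.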