topic Re: Error 403 when using a Client Credentials OAuth2 Token in ArcGIS REST APIs and Services Questions

Error 403 when using a Client Credentials OAuth2 Token

BillMitchell — Mon, 07 Dec 2020 18:32:54 GMT

I have a feature service on my organization's AGOL site which I want to have updated via an automated application. The feature service is secured, and shared with my organization but not publicly.

I followed the REST API instructions to create an application API key (generating the client_id and client_secret) and use those to get a token in Postman. The request succeeds and I get a token back with an expiration of 7200 [seconds]. I use the tests feature of Postman to read the token into a variable, which I then use for the subsequent request.

Moving on to the REST API Query a Feature Service instructions, I am able to put the search parameters in, I add the token as a parameter for the URL, but get an error (403) response:

{ "error": { "code": 403, "message": "You do not have permissions to access this resource or perform this operation.", "messageCode": "GWM_0003", "details": [ "You do not have permissions to access this resource or perform this operation." ] } }

The request (service id and token have been altered/redacted):

curl --location --request POST 'https://services.arcgis.com/9XXXXXXXXXZ/ArcGIS/rest/services/testingMap/FeatureServer/0/query?token=wQXsOdT_BIGLONGSTRING0FA1PHANUM3RICS80GjRU3YBsFAc4yFrPvJI2KqvCcfP6XV-fzfN9EnbV4w-RNYc_4MwC-R3dAc7ed-9ut1IywjU7Cy_PZbo-9Tz6MIlQLpcTYyWwNg..' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'f=json' \ --data-urlencode 'outFields=*' \ --data-urlencode 'returnGeometry=True' \ --data-urlencode 'outSr=4326' \ --data-urlencode 'where=1=1'

I can interact with the endpoint via a browser, and it works. I can copy the token created in my browser into Postman and the request succeeds.

How do I authorize the app to access the feature service REST endpoint so that it can run in a fully automated way?

Re: Error 403 when using a Client Credentials OAuth2 Token

JoshuaBixby — Mon, 07 Dec 2020 20:04:14 GMT

I can interact with the endpoint via a browser, and it works. I can copy the token created in my browser into Postman and the request succeeds.

The way I read the above statement, you can use a user-token in the ArcGIS API for Python and it works, but an app-token isn't. App tokens can only access AGOL services from the same owner that created and registered the app. Is the app registered under the same owner of the data you are trying to access?

Re: Error 403 when using a Client Credentials OAuth2 Token

BillMitchell — Mon, 07 Dec 2020 20:35:50 GMT

Changing the app ownership to my colleague (the feature service owner) has fixed the error.

It would be great if that caveat to client credentials, where the app owner and service owner must be the same, was mentioned in the API Developer documentation linked above.

Re: Error 403 when using a Client Credentials OAuth2 Token

JoshuaBixby — Tue, 08 Dec 2020 14:26:11 GMT

I feel your pain, I was in your exact same situation a while back, and it took me days and lots of searching to find someone on a different site with the answer. I have yet to find actual Esri documentation that states it.

Re: Error 403 when using a Client Credentials OAuth2 Token

DrewDowling — Wed, 18 Jan 2023 19:45:37 GMT

Thank you. I was stuck on this for hours.

Re: Error 403 when using a Client Credentials OAuth2 Token

BillMitchell — Wed, 18 Jan 2023 21:02:51 GMT

You're welcome! There's an ArcGIS Enterprise Ideas suggestion to introduce standard client credentials/API key behavior to allow properly scoped service users that could use your support.