GraphQL requests 401 Unauthorized with OAuth2 Bearer token
Hello,
I am using Liferay 7.3 GA6. Using the OAuth 2 administration panel, I have configured an application as shown in the following image.
Then I have tried to perform the following GraphQL calls.
1. Obtain the OAuth2 token (success)
curl --location --request POST 'https://<host>/o/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=id1234' \
--data-urlencode 'client_secret=secret1234' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=<emailaddress>' \
--data-urlencode 'password=<password>'
I have replaced real data with <fake data>.
This operation is successful and I obtain the access token and the refresh token.
2. Invoke the GraphQL operation (failed)
curl --location --request POST 'https://<host>/o/graphql' \
--header 'Authorization: Bearer 9c7222375513be53a5ef5be5471961d9a3627c1e27ab8aceb92edc43218ea' \
--header 'Content-Type: application/json' \
--data-raw '{"query":"{\n site(siteKey: \"38413\"){\n id\n name\n }\n}","variables":{}}'
Reading the documentation, I see that the access token should be passed through the Authorization header. However, I obtain the following error:
{
  "errors": [
    {
      "message": "Exception while fetching data (/site) : java.lang.SecurityException: Access denied to com.liferay.portal.kernel.service.GroupService#getGroup",
      "locations": [],
      "errorType": "DataFetchingException",
      "path": null,
      "extensions": {
        "exception": {
          "errno": 401
        },
        "code": "Unauthorized"
      }
    }
  ],
  "data": {
    "site": null
  }
}
Can anyone help me on this please?
Thanks,
Graziano
RE: GraphQL requests 401 Unauthorized with OAuth2 Bearer token (Answer)
Your configuration seems completely correct, and the proof is that you were able to obtain the token.
Taking this into account and reading the error message, it could be a problem with scopes. Have you selected the right scope to allow access to this information?
In this case I think you should select: User Administration -> read data on behalf
In case you need something more custom, you should add a Service Access Policy starting with OAUTH2_ and you will be able to select it as a Scope for your OAuth configuration.
RE: GraphQL requests 401 Unauthorized with OAuth2 Bearer token
Hello Javier,
I have already enabled all the scopes.
Thanks to your suggestion I have solved the problem.
The problem was that I had not added the Service Access Policy starting with OAUTH2_ granting access to the services.
Thanks a lot for your support! It has been very helpful!
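As an added example (not code from the thread or from Liferay), the two-step flow above scripted in Python, with a check that recognises the "Unauthorized" error body and names the service that still needs an OAUTH2_ Service Access Policy, which is the fix the thread arrived at. The host, client id, client secret and the sample response body are constructed placeholders.

```python
import json
import re
import urllib.parse
import urllib.request

# Constructed placeholders; real values come from the OAuth 2 admin panel.
HOST = "liferay.example"
CLIENT_ID = "id1234"
CLIENT_SECRET = "secret1234"

def token_request(username, password):
    """Step 1 of the thread: password grant against /o/oauth2/token."""
    body = urllib.parse.urlencode({
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
        "grant_type": "password", "username": username, "password": password,
    }).encode()
    return urllib.request.Request(
        f"https://{HOST}/o/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def graphql_request(access_token, query, variables=None):
    """Step 2: POST to /o/graphql with the bearer token in the Authorization header."""
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    return urllib.request.Request(
        f"https://{HOST}/o/graphql", data=body, method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})

_DENIED = re.compile(r"SecurityException: Access denied to (\S+)")

def denied_services(body):
    """List the services an Unauthorized GraphQL error body says were denied.

    errors[].extensions.code == "Unauthorized" means the token itself was
    accepted but the scope / OAUTH2_ Service Access Policy does not cover the
    service named in the message (GroupService#getGroup in the thread).
    """
    denied = []
    for err in body.get("errors", []):
        if err.get("extensions", {}).get("code") != "Unauthorized":
            continue
        m = _DENIED.search(err.get("message", ""))
        denied.append(m.group(1) if m else "<unknown service>")
    return denied

def call_graphql(access_token, query):
    """Send the query; fail loudly naming the services missing from the policy."""
    with urllib.request.urlopen(graphql_request(access_token, query)) as resp:
        body = json.load(resp)
    missing = denied_services(body)
    if missing:
        raise PermissionError("add to an OAUTH2_ Service Access Policy: " + ", ".join(missing))
    return body["data"]
```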