GraphQL requests 401 Unauthorized with OAuth2 Bearer token

Graziano Liberati, modified 3 Years ago.

GraphQL requests 401 Unauthorized with OAuth2 Bearer token

New Member, Posts: 2, Join Date: 2/23/21

Hello,

I am using Liferay 7.3 GA6. Using the OAuth 2 administration panel I have configured an application as shown in the following image.

Then I have tried to perform the following GraphQL calls.

1. Obtain the OAuth2 token (success)

curl --location --request POST 'https://<host>/o/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=id1234' \
--data-urlencode 'client_secret=secret1234' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=<emailaddress>' \
--data-urlencode 'password=<password>'

I have replaced real data with <fake data>.

This operation is successful and I obtain the access token and the refresh token.

2. Invoke the GraphQL operation (failed)

curl --location --request POST 'https://<host>/o/graphql' \
--header 'Authorization: Bearer 9c7222375513be53a5ef5be5471961d9a3627c1e27ab8aceb92edc43218ea' \
--header 'Content-Type: application/json' \
--data-raw '{"query":"{\n site(siteKey: \"38413\"){\n id\n name\n }\n}","variables":{}}'

Reading the documentation I see that the access token should be passed through the Authorization header. Anyway, I obtain the following error:

{
    "errors": [
        {
            "message": "Exception while fetching data (/site) : java.lang.SecurityException: Access denied to com.liferay.portal.kernel.service.GroupService#getGroup",
            "locations": [],
            "errorType": "DataFetchingException",
            "path": null,
            "extensions": {
                "exception": {
                    "errno": 401
                },
                "code": "Unauthorized"
            }
        }
    ],
    "data": {
        "site": null
    }
}

Can anyone help me on this please?

Thanks,
Graziano

Javier De Arcos, modified 3 Years ago.

RE: GraphQL requests 401 Unauthorized with OAuth2 Bearer token (Answer)

New Member, Posts: 9, Join Date: 7/16/20

Your configuration seems completely correct, and proof of that is that you were able to obtain the token.

Taking this into account and reading the error message, it could be a problem with scopes. Have you selected the right scope to allow access to this information?

In this case I think you should select: User Administration -> read data on behalf.

In case you need something more custom, you should add a Service Access Policy starting with OAUTH2_ and you will be able to select it as a Scope for your OAUTH configuration.
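The error body in the first post is the practical clue to which Service Access Policy entry is missing: the token itself is accepted, and the denial only shows up inside the GraphQL JSON as "errno": 401 plus the blocked remote service in "Access denied to <class>#<method>". The following added example (not from Liferay or from anyone in this thread) parses such a response and pulls out the class#method pairs that the OAUTH2_ policy needs to allow; the sample response is constructed from the error quoted above.

```python
import json
import re

# Constructed sample: the GraphQL error body quoted in the thread above, where the
# bearer token was accepted but the Liferay remote service call was denied.
SAMPLE_RESPONSE = """{
  "errors": [{
    "message": "Exception while fetching data (/site) : java.lang.SecurityException: Access denied to com.liferay.portal.kernel.service.GroupService#getGroup",
    "locations": [], "errorType": "DataFetchingException", "path": null,
    "extensions": {"exception": {"errno": 401}, "code": "Unauthorized"}
  }],
  "data": {"site": null}
}"""

# Liferay names the blocked remote service as <fully qualified class>#<method>;
# the GraphQL field that triggered the call appears in parentheses before the colon.
ACCESS_DENIED = re.compile(
    r"\((?P<field>/[^)]*)\).*?Access denied to (?P<service>[\w.$]+)#(?P<method>\w+)"
)

def find_denied_services(body: str) -> list[dict]:
    """Return one record per GraphQL error that is a service-access denial.

    A valid token that lacks the right scope / Service Access Policy does not
    fail at the HTTP layer: the 401 is carried inside each error's extensions.
    """
    payload = json.loads(body)
    denied = []
    for err in payload.get("errors", []):
        match = ACCESS_DENIED.search(err.get("message", ""))
        if not match:
            continue  # some other GraphQL error, not an authorization denial
        ext = err.get("extensions") or {}
        denied.append({
            "field": match["field"],
            "service": match["service"],
            "method": match["method"],
            "code": ext.get("code"),
            "errno": (ext.get("exception") or {}).get("errno"),
        })
    return denied

def denied_signatures(body: str) -> set[str]:
    """The class#method pairs the OAUTH2_ Service Access Policy must allow."""
    return {f"{d['service']}#{d['method']}" for d in find_denied_services(body)}

if __name__ == "__main__":
    for d in find_denied_services(SAMPLE_RESPONSE):
        print(f"{d['field']}: {d['service']}#{d['method']} -> {d['code']} ({d['errno']})")
```

Run it against the real response body of the failing GraphQL call; every signature it prints is a service the token is not yet allowed to invoke, independent of whether the HTTP status was 200 or 401.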

Graziano Liberati, modified 3 Years ago.

RE: GraphQL requests 401 Unauthorized with OAuth2 Bearer token

New Member, Posts: 2, Join Date: 2/23/21

Hello Javier,

I have already enabled all the scopes.

Thanks to your suggestion I have solved the problem.

The problem was that I had not added the Service Access Policy starting with OAUTH2_ granting access to the services.

Thanks a lot for your support! It has been very helpful!