on ‎2018 Jul 20 5:16 PM
Hello,
My referenced products API works fine when I'm not logged in as a client, based on the explanation from an old question:
```
POST /authorizationserver/oauth/token?client_id=***&client_secret=***&grant_type=client_credentials
```
I got 200:
```json
{
  "access_token": "d139215c-e2ca-45ca-910d-13dcc5e9b407",
  "token_type": "bearer",
  "expires_in": 38072,
  "scope": "basic openid"
}
```
... and next, when I retrieve my referenced products with the access_token:
```
GET /rest/v2/{{baseSiteId}}/products/300611184/references?referenceType=ACCESSORIES&access_token=d139215c-e2ca-45ca-910d-13dcc5e9b407
```
... I got 200 with referenced products:
```json
{
  "references": [
    {
      "referenceType": "ACCESSORIES",
      "target": {
        "availableForPickup": true,
        "baseOptions": [
          {
            "options": [
              {
                "code": "300611196",
                "priceData": {
                  ...
```
But when my user is logged in, I get an AccessDeniedError. The scenario is as follows:
```
POST /authorizationserver/oauth/token?client_id=***&client_secret=***&grant_type=password&username=***&password=***
```
I got 200 with another access_token:
```json
{
  "access_token": "ef6d3337-b1ea-4b24-b8ef-28526afe526e",
  "token_type": "bearer",
  "refresh_token": "281abf8d-550b-4256-a44b-e7427bf61d03",
  "expires_in": 37886,
  "scope": "basic openid"
}
```
When I try to retrieve referenced products using the new access_token:
```
GET /rest/v2/{{baseSiteId}}/products/300611184/references?referenceType=ACCESSORIES&access_token=ef6d3337-b1ea-4b24-b8ef-28526afe526e
```
I got 401 AccessDeniedError:
```json
{
  "errors": [
    {
      "message": "Access is denied",
      "type": "AccessDeniedError"
    }
  ]
}
```
Environment is Hybris 6.6 (OOTB), B2C accelerator, apparel-uk site; the registered client is assigned to the standard "customergroup" role. My OAuth client has the ROLE_TRUSTED_CLIENT role.
The questions are:
- Why does a user with wider permissions (registered client) have no access to a resource which is available to a user with narrower permissions (anonymous)?
- Should I assign the registered client to any additional particular group to see referenced products?
- Is it possible that the registered client's "references" request requires a recommendation rule engine which is not configured?
- Any other suggestions?
Hi
It looks like the endpoint for references is only available for ROLE_TRUSTED_CLIENT.
When you get a token for the OAuth client (grant_type=client_credentials) which has ROLE_TRUSTED_CLIENT, you have access to this endpoint.
When you get a token for a user (grant_type=password), your roles are taken from the group to which this user belongs, e.g. ROLE_CUSTOMERGROUP (so in this case you don't have ROLE_TRUSTED_CLIENT).
To fix it you can change the endpoint permissions in: ycommercewebservices/web/src/de/hybris/platform/ycommercewebservices/v2/controller/ProductsController.java
```java
@Secured("ROLE_TRUSTED_CLIENT")
@RequestMapping(value = "/{productCode}/references", method = RequestMethod.GET)
@ResponseBody
public ProductReferenceListWsDTO exportProductReferences
```
You can remove the Secured annotation (then this endpoint will be available to everybody) or add the needed roles there.
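As an added example (not the OOTB ycommercewebservices source and not the answerer's code), the controller below shows the least-privilege form of the fix: instead of dropping @Secured, which would let callers without any token reach the endpoint, the role list is widened so that both the trusted OAuth client token and a password-grant customer token pass the check. The role names ROLE_TRUSTED_CLIENT and ROLE_CUSTOMERGROUP come from the answer above; the class name, the injected productFacade and dataMapper, the facade method signature and the DTO mapping call are assumptions about the accelerator's conventions, not verified against the 6.6 code base.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;

import de.hybris.platform.catalog.enums.ProductReferenceTypeEnum;
import de.hybris.platform.commercefacades.product.ProductFacade;
import de.hybris.platform.commercefacades.product.ProductOption;
import de.hybris.platform.commercefacades.product.data.ProductReferenceData;
import de.hybris.platform.commercewebservicescommons.dto.product.ProductReferenceListWsDTO;
import de.hybris.platform.commercewebservicescommons.dto.product.ProductReferenceWsDTO;
import de.hybris.platform.webservicescommons.mapping.DataMapper;

// Added example controller (hypothetical class name); it is not the OOTB ProductsController.
@RestController
@RequestMapping(value = "/{baseSiteId}/products")
public class ProductReferencesExampleController
{
    @Autowired
    private ProductFacade productFacade; // assumed: commercefacades product facade

    @Autowired
    private DataMapper dataMapper;       // assumed: webservicescommons DTO mapper

    // Before (as quoted in the answer): @Secured("ROLE_TRUSTED_CLIENT")
    //   -> only the client_credentials token passes; a password-grant token
    //      carries ROLE_CUSTOMERGROUP and is rejected with AccessDeniedError.
    //
    // After: keep the role check, but list every role that should pass it.
    // ROLE_TRUSTED_CLIENT keeps the client_credentials flow working; ROLE_CUSTOMERGROUP
    // admits a logged-in member of "customergroup". Removing @Secured altogether would
    // also admit requests that present no token at all, which is wider than needed.
    @Secured({ "ROLE_TRUSTED_CLIENT", "ROLE_CUSTOMERGROUP" })
    @RequestMapping(value = "/{productCode}/references", method = RequestMethod.GET)
    @ResponseBody
    public ProductReferenceListWsDTO exportProductReferences(
            @PathVariable final String productCode,
            @RequestParam(required = false) final String referenceType,
            @RequestParam(required = false) final Integer pageSize)
    {
        // Restrict the lookup to the requested reference type (e.g. ACCESSORIES);
        // with no type given, return all types. Enum lookup is an assumption.
        final List<ProductReferenceTypeEnum> types = referenceType == null
                ? Arrays.asList(ProductReferenceTypeEnum.values())
                : Arrays.asList(ProductReferenceTypeEnum.valueOf(referenceType));

        // Assumed facade signature: (code, referenceTypes, options, limit)
        final List<ProductReferenceData> references = productFacade.getProductReferencesForCode(
                productCode, types, Arrays.asList(ProductOption.BASIC, ProductOption.PRICE), pageSize);

        // Map facade data to the web-service DTO; "DEFAULT" is the assumed field level.
        final ProductReferenceListWsDTO result = new ProductReferenceListWsDTO();
        result.setReferences(dataMapper.mapAsList(references, ProductReferenceWsDTO.class, "DEFAULT"));
        return result;
    }
}
```

Two practical notes for whoever applies this: after changing the annotation, re-run both flows from the question (client_credentials token, then password-grant token) against the same product to confirm that the first still returns 200 and the second no longer returns 401. And although the OAuth resource server in this stack accepts `access_token` as a query parameter, sending it in an `Authorization: Bearer <token>` header instead keeps the token out of web-server access logs and browser history.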