Aidal

Reputation: 849

Business Central Admin Center API

I'm trying to call the Admin Center API of Business Central, but I keep getting a 403 Forbidden error. I'm not sure what the problem is - it could be an incorrect endpoint or another way to get the required token.

I'm authorizing the same way as I would if I were to communicate with a BC API through OAuth2.

I have been trying with the following endpoints in Postman after successfully receiving an access token:

    https://api.businesscentral.dynamics.com/admin/v2.11/applications/environments
    https://api.businesscentral.dynamics.com/admin/v2.11/applications/businesscentral/environments

But in both cases I get the 403 Forbidden error.

Calls to regular BC APIs seem to be working as expected.

Does anyone have an idea as to what I'm doing wrong or missing here?

UPDATE 1

I have now changed the registered app to use delegated permissions and have permissions to any API within BC.

Retrieving a token goes fine, just like before, but the next call results in a "Forbidden" error, just like before as well.

REQUEST (from Fiddler)

    GET https://api.businesscentral.dynamics.com/admin/v2.11/applications/environments HTTP/1.1
    Host: api.businesscentral.dynamics.com
    Authorization: Bearer <my token>
    Accept: application/json

RESPONSE (from Fiddler)

    HTTP/1.1 403 Forbidden
    Content-Length: 0
    ms-correlation-x: 8d8d7e1c-cc1e-4866-9c1f-9708533dabd0
    Access-Control-Allow-Headers: Origin, X-Requested-With, Authorization
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: true
    Access-Control-Expose-Headers: ms-correlation-x
    x-content-type-options: nosniff
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Date: Thu, 07 Apr 2022 10:31:35 GMT

If I examine the token with jwt.io, I can't seem to find the part that describes which API the token gives access to, which could be the problem, or part of it?

UPDATE 2

I don't get it. Regardless of what I try, the access_token I get doesn't include any info about what it grants access to.

I register an app and create delegated API permission for Business Central (user_impersonation and Financials.ReadWrite.All). Then I create a secret.

I use the following C# code to get a token:

    using System.Net.Http;
    using System.Web; // HttpUtility

    var client_id = "<client_guid>";
    var client_secret = "<client_secret>";
    var tenant_id = "<tenant_guid>";

    // Microsoft identity platform v2.0 token endpoint for the tenant
    var token_url = "https://login.microsoftonline.com/" + tenant_id + "/oauth2/v2.0/token";

    var client = new HttpClient();

    // Form body for the client credentials grant, requesting the Business Central .default scope
    var content = new StringContent(
        "grant_type=client_credentials"+
        "&scope=https://api.businesscentral.dynamics.com/.default"+
        "&client_id="+ HttpUtility.UrlEncode(client_id) +
        "&client_secret="+ HttpUtility.UrlEncode(client_secret));

    content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/x-www-form-urlencoded");

    // POST the token request; the JSON response carries the "access_token" value
    var response = await client.PostAsync(token_url, content);

The value in the "access_token" attribute I get from the response doesn't describe any of the permissions I created when explored with jwt.io. What am I doing wrong here?

My app permissions look like this: [screenshot]

Upvotes: 0

Views: 1537

Answers (1)

kaspermoerch

Reputation: 16570

It could indicate that the permissions assigned in your access token are incorrect.

If you have a copy of a token, you can check it on jwt.io.

I use the PowerShell module MSAL.PS to retrieve my access tokens with this scope:

https://api.businesscentral.dynamics.com/.default

Here is a link describing the required setup for Business Central Admin Center API

Upvotes: 0
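
An added example, not part of the original question or answer: a local C# check of the claims the answer suggests looking for on jwt.io. In Microsoft identity platform access tokens, `aud` names the target API, `scp` carries delegated scopes and `roles` carries application permissions; the `TokenClaims` class, its helpers and the sample token are constructed for illustration, and the signature is deliberately not verified because this is only a diagnostic.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class TokenClaims
{
    // Decode one base64url JWT segment (no signature check: diagnostic use only).
    static string FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    // Helper used only to build the constructed sample token below.
    static string ToBase64Url(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Summarise the claims that say which API and which permissions a token carries.
    public static string Describe(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Not a compact JWT (expected 3 segments).");

        using var doc = JsonDocument.Parse(FromBase64Url(parts[1]));
        var p = doc.RootElement;

        string Get(string name) => p.TryGetProperty(name, out var v) ? v.ToString() : "(absent)";
        string roles = p.TryGetProperty("roles", out var r) && r.ValueKind == JsonValueKind.Array
            ? string.Join(", ", r.EnumerateArray().Select(x => x.GetString()))
            : "(absent)";

        return $"aud={Get("aud")}\nscp={Get("scp")}\nroles={roles}";
    }

    static void Main()
    {
        // Constructed sample: an app-only token shape with neither scp nor roles.
        string header = ToBase64Url("{\"alg\":\"none\",\"typ\":\"JWT\"}");
        string payload = ToBase64Url(
            "{\"aud\":\"https://api.businesscentral.dynamics.com\",\"appid\":\"00000000-0000-0000-0000-000000000000\"}");
        Console.WriteLine(Describe($"{header}.{payload}.sig"));
    }
}
```

A token obtained with the client credentials grant has no `scp` claim, and `roles` is present only when application permissions have been granted to the app registration.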
