403 'Missing General Scope' returned while trying to access Jazz application via direct client using a Bearer token


Saqib Niaz (711223) | asked Nov 08 '18, 4:16 a.m.
edited Nov 08 '18, 5:25 a.m.

Using CLM 6.0.6 with a Jazz authorization server (JAS).

We have developed a third-party RM provider and registered it with JAS. All the Jazz applications and our application work as expected: users need to sign on once, and the browser never asks for the login again.
After a successful login, every application gets an access token. Later, for direct data access (REST API call) from server A to server B (both registered with the same JAS), this access token can be used in the Authorization header, like Authorization: Bearer sdf78ui.
When we try to access a Jazz application's data directly using our access token in the Authorization header, we get a 403 Forbidden error. The detailed error message is as follows:
{
  "error_code": "_missing_general_scope",
  "error_message": "Your request is attempting to gain access to an application with a Bearer token, but the token has insufficient access rights.",
  "error_message_explanation": "If an application is using a Bearer token to gain access to an application, the token needs to have at least the \"general\" scope."
}
Can somebody help, what we are missing here?


Comments
Saqib Niaz commented Nov 08 '18, 4:19 a.m.

If I query my application's registration from JAS, I get the following data along with some other information.

    "scope": "openid profile email general",
    "grant_types": [
        "authorization_code",
        "client_credentials",
        "implicit",
        "refresh_token",
        "urn:ietf:params:oauth:grant-type:jwt-bearer"
    ],
    "preauthorized_scope": "openid profile email general",

One answer
Saqib Niaz (711223) | answered Nov 08 '18, 5:28 a.m.

This problem is resolved. On an unauthenticated request to our resource, we were sending a redirect to the JAS. During that redirect, we were supposed to define the proper scope; 'openid profile email general' made things work in our case.
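The fix described in the answer is to request the full scope set on the authorization-code redirect to JAS. The following is an added example, not code from the thread or from IBM: it builds that redirect with an explicit `scope` parameter, checks an existing redirect URL for scopes that are missing, and recognises the 403 body quoted in the question so a caller can distinguish a scope problem from other authorization failures. The JAS authorize URL, client id and redirect URI are placeholders; the function names are hypothetical and not a Jazz API.

```python
"""Added example: OAuth 2.0 authorization-code redirect to a Jazz Authorization
Server (JAS) with the scopes the Jazz applications expect on a Bearer token.
Not from the jazz.net thread; endpoint and client values are placeholders."""
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumption: the JAS authorization endpoint. Replace with the value from
# your JAS configuration; this URL is a placeholder, not a real Jazz path.
JAS_AUTHORIZE_URL = "https://jas.example.com/PLACEHOLDER/authorize"

# Scope set that resolved the problem in the thread. "general" is the one
# the 403 body says a Bearer token must carry to reach a Jazz application.
REQUIRED_SCOPES = ("openid", "profile", "email", "general")


def build_authorize_redirect(client_id, redirect_uri, scopes=REQUIRED_SCOPES, state=None):
    """Return (redirect_url, state) for the JAS authorization-code flow.

    The scope parameter is space separated, as in the registration shown in
    the question ("openid profile email general"). A random state is created
    when none is given so the callback can be tied back to this request.
    """
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{JAS_AUTHORIZE_URL}?{urlencode(params)}", state


def missing_scopes(redirect_url, required=REQUIRED_SCOPES):
    """List the required scopes that a redirect URL does not request.

    Useful as a pre-flight check on an existing redirect: an empty list means
    the resulting token should satisfy the "general" scope requirement.
    """
    query = parse_qs(urlparse(redirect_url).query)
    requested = set(query.get("scope", [""])[0].split())
    return [s for s in required if s not in requested]


def is_missing_general_scope(status, body):
    """True when a response is the 403 body quoted in the question.

    Other 403s (wrong token, expired token, real permission denial) return
    False so they are not misreported as a scope configuration problem.
    """
    if status != 403:
        return False
    try:
        err = json.loads(body)
    except ValueError:
        return False
    return isinstance(err, dict) and err.get("error_code") == "_missing_general_scope"


if __name__ == "__main__":
    # Constructed demo values, not a real registration.
    url, state = build_authorize_redirect("rm-provider", "https://rm.example.com/oauth/callback")
    print(url)
    print("missing:", missing_scopes(url))
    # Constructed copy of the error body from the question.
    body = json.dumps({"error_code": "_missing_general_scope",
                       "error_message": "insufficient access rights"})
    print("scope problem:", is_missing_general_scope(403, body))
```

If the redirect is generated by a framework rather than by hand, `missing_scopes` can be run against the URL it emits; a result containing `"general"` is exactly the situation that produced the 403 in the question.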
