Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

403 'Missing General Scope' returned while trying to access Jazz application via direct client using a Bearer token

Using CLM 6.0.6 with a Jazz authorization server (JAS).

We have developed a third-party RM provider and registered our RM provider with JAS. All the Jazz applications and our application work as expected. The user needs to sign on once and the browser never asks for the login again.
After successful login, every application gets an access token. Later on, for direct data access (REST API call) from server A to server B (both registered with the same JAS), this access token can be used in the Authorization header, like Authorization: Bearer sdf78ui.
When we try to access a Jazz application's data directly using our access token in the Authorization header, we get a 403 Forbidden error. The detailed error message is as follows:
{
  "error_code": "_missing_general_scope",
  "error_message": "Your request is attempting to gain access to an application with a Bearer token, but the token has insufficient access rights.",
  "error_message_explanation": "If an application is using a Bearer token to gain access to an application, the token needs to have at least the \"general\" scope."
}
    
Can somebody help? What are we missing here?

0 votes

Comments

If I query my application's registration from JAS, I get the following data along with some other information.

    "scope": "openid profile email general",
    "grant_types": [
        "authorization_code",
        "client_credentials",
        "implicit",
        "refresh_token",
        "urn:ietf:params:oauth:grant-type:jwt-bearer"
    ],
    "preauthorized_scope": "openid profile email general",



One answer


This problem is resolved. On an unauthenticated request to our resource, we were sending the redirect to the JAS. During that redirect, we were supposed to define the proper scope. 'openid profile email general' made things work in our case.

0 votes
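
The fix described in the answer, sketched as an added example (not code from the original posts or from IBM): the redirect to the authorization server carries the full scope list, and the client checks the granted scope before using the token as a Bearer credential. The endpoint URL, client ID and redirect URI are placeholders, and the sketch assumes a standard OAuth 2.0 authorization code request and a token response that includes a space-delimited `scope` field.

```python
import secrets
from urllib.parse import urlencode

# Scopes from the answer above; "general" is the one the Jazz error asks for.
REQUIRED_SCOPES = ("openid", "profile", "email", "general")

# Placeholder values (assumptions): substitute the authorization endpoint and
# client registration of your own JAS deployment.
AUTHORIZE_ENDPOINT = "https://jas.example.com/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://rm.example.com/oidc/callback"


def build_authorization_redirect(state=None, scopes=REQUIRED_SCOPES):
    """Return (url, state) for the redirect sent on an unauthenticated request."""
    state = state or secrets.token_urlsafe(16)  # bind the callback to this request
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),  # omitting "general" here leads to the 403
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}", state


def missing_scopes(token_response, required=REQUIRED_SCOPES):
    """List required scopes absent from the token response's 'scope' field."""
    granted = set(token_response.get("scope", "").split())
    return [s for s in required if s not in granted]


def bearer_header(token_response):
    """Build the Authorization header, refusing a token that lacks a scope."""
    missing = missing_scopes(token_response)
    if missing:
        raise PermissionError(f"token lacks scope(s): {' '.join(missing)}")
    return {"Authorization": f"Bearer {token_response['access_token']}"}
```

Checking the granted scope on the client side turns a remote 403 into a local, clearly named failure at the point where the token was obtained.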

Question details

Question asked: Nov 08 '18, 4:16 a.m.

Question was seen: 2,399 times

Last updated: Nov 08 '18, 5:28 a.m.
