I'm trying to hit the /guilds/{guildId} endpoint, and I've created a bot and installed it on the server I'm trying to access and even granted it admin access, but I'm still getting a "missing access" error:
In this case, Error 403 either means that the Bot is not in a guild with that id or that there is no guild with the id you provided in the URL.
Make sure, you copied the id of the correct server.
Double check if you are using the correct token and if you're posting to the right guild.
If the bot has administrator, it simply has access to all channels. This error means that the bot user either does not have permission or is not in that guild.
Related
I am trying to make a call to /guilds/guild.id/channels endpoint after retrieving a user's guild data that is provided after they successfully authenticate with my app using the Discord's OAuth flow.
My OAuth permissions include email and guilds.
After receiving an access_token I am able to make a call to /users/#me/guilds. However, when I try to iterate over this to access each guild's list of channels using the /guilds/guild.id/channels endpoint I receive a {"message": "401: Unauthorized", "code": 0}. I pass the same access_token in the header of this request.
My question is about the limitations of the Discord API when authenticating with OAuth. The documentation says
Unlike the normal OAuth2 flow, bot accounts have full access to all API routes without using bearer tokens
So can I make an API call to /guilds/guild.id/channels using my access_token?
Or do I have to do this through a bot? And if a bot is required then that means in order to make a call to /guilds/guild.id/channels the bot must first be added to the guild, right?
I believe you falsely assumed that the guilds OAuth2 scope will give you full access to the guilds of the user. This is not the case, the guilds scope only grants the access token permission to view a list of all the user's guilds and basic information of these guilds (guild ID, avatar, name, flags, the user's permission, and whether the user's the owner).
This does not include giving you access to see the guild's channels. The only endpoint guilds scope gives you is /users/#me/guilds which you already know. I believe this is due to user privacy concerns since it unnecessarily lets you to view the channels list from non-related guilds. Most cases when the guilds scope is used, it is to verify if the user's in a certain guild; useful for bot dashboards.
The only way to retrieve a list of channels requires you to have a bot in the guild and use the /guilds/<guild.id>/channels while identifying as your bot.
To see what the OAuth2 scopes actually grants you, it's documented here: https://discord.com/developers/docs/topics/oauth2#shared-resources-oauth2-scopes.
I use Graph Explorer to test it.
API: GET /users/{userPrincipalName}/insights/shared, return 403.
API: GET /users/{userPrincipalName}/insights/used, return 200 and used documents.
Both API required same permission:
Sites.Read.All, Sites.ReadWrite.All
Anyone can help on it?
If you call GET /users/{id | userPrincipalName}/insights/shared, please make sure you have the Sites.Read.All or Sites.ReadWrite.All application permissions (don't forget to grant admin consent for this permission), because no users are logged in at the /users endpoint. Then you need to use the client credential flow to get the access token.
Update:
When you use Graph Explorer to test, because you need to log in as a user, you actually use the token obtained by the userName/Password flow. according to the document: Only the user can make requests using the user's id or principal name.
When you log in to a user, you can only use the id or principal name of the logged in user. You cannot use the id of other users, otherwise, a 403 error will be reported. But when you use other tools such as postman for testing, because you do not log in as a user, but use the application as the service principal to make a request, so, you can get a list of shared documents from other users.
Summarized in one sentence: As long as you are logged in as a user, you can only get the list of shared documents of the logged-in user. If you want to get the list of shared documents from other users, , don't log in users.
I use
https://graph.microsoft.com/v1.0/teams/team_id/channels/channel_id/messages
to get messages in channel and post message to channel, but I get an error when I want to get these messages
UnknownError
When I post messages to channel , it shows Unauthorized.
My code
$headers = array(
"Content-Type: application/json",
"Authorization: Bearer {$_SESSION["access_token"]}",
);
$post_params = json_encode(array(
"body"=>array("content"=>"Hello World")
));
Azure Permission
This api only supports delegated permissions, you need to grant ChannelMessage.Read.All delegated permissions, and then grant admin consent for the permissions.
Several APIs including "List Channel Messages" are Protected APIs. It doesn't matter whether your admin gave you permission or not. Microsoft itself must give you permission too.
More info
https://learn.microsoft.com/en-us/graph/teams-protected-apis#:~:text=Microsoft%20Teams%20APIs%20in%20Microsoft,before%20you%20can%20use%20them.
Permission request form (Yes I know the form below looks ridiculous unfortunately that's the only way you request permission, the link is also given in the page above)
https://aka.ms/teamsgraph/requestaccess
You can access the list of channel messages via GRAPH with right permission (ChannelMessages.Read.All) and if you use the BETA endpoint of it. This is not a good idea for production btw but will solve the issue so you dont need to request this from MS.
For this you have to request the endpoint with a loggedIn user. (Delegated)
I am trying to fetch the MS Teams roaster / user profile.
Below are the sequence of Postman calls I am making:
Generated Access Token:
https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token
Generated User Access Token:
https://login.microsoftonline.com/{{TenantId}}/oauth2/v2.0/token Get
My Joined Team: https://graph.microsoft.com/v1.0/me/joinedTeams
Get Internal Team
Id:https://graph.microsoft.com/v1.0/teams/{{TeamId}}/channels
Fetch Roster/user
profile:https://{{ServiceUrl}}/v3/conversations/{{tId}}/members/
Everything was working fine, but today I am getting 403 forbidden error
{
"error": {
"code": "BotNotInConversationRoster",
"message": "The bot is not part of the conversation roster."
}
}
Please note that I am able to communicate with the bot.
Below are the permissions that I have provided for delegate and application
Directory.Read.All
Group.Read.All
Group.ReadWrite.All
User.Read
User.Read.All
User.ReadBasic.All
Any suggestions to fix the same?
Notice that your last call, the one to "serviceurl", is NOT part of the Graph, obviously. As a result, it's authentication is different. In this case, Teams is authenticating it as a bot, and it needs certain rights. For instance, the bot MUST be installed to the Team in question in order to get the roster for that Team. You say it was working before - is that in the same Team? If not, the bot needs to be added to that Team. If "yes", then perhaps the bot was removed from the Team by someone?
You must install your bot as an app in a team before you can call this API. Sending it messages via a webhook does not count. It must be an app installed in the team. Because the bot is retrieving personal information, it needs to be added to that context before the API will work.
See:
Bot Overview - https://learn.microsoft.com/en-us/microsoftteams/platform/bots/what-are-bots
Bot Context - https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/get-teams-context?tabs=dotnet
I get JSON response {"errorCode": "USER_DOES_NOT_BELONG_TO_SPECIFIED_ACCOUNT", "message": "The specified User is not a member of the specified Account."} when we deployed application on a new SF sandbox with a different DocuSign account. Obviously I have changed the user/password and integration key for the new account. And after I make token request I get access token back, but I can not make post request due to above.
Can you guys help me understand why is this?
Users who want to send documents need a DocuSign account. It sounds like you've changed the username and password credentials however it is still pointing to the previous account hence the error. To resolve you need to update the integration to point to the new account.