Hello,
I created a third-party app and I’m issuing tokens using the client credentials grant to call the platform API.
I have provided my third-party app’s service user with all necessary permissions for enrollment and space management.
The issue is: when I use a service user that was created as a guest user in the organization to call the preregister API, it does not work.
APIs that require enrollment or space RID do not work. If I issue a token for a regular user with the same permissions, the API works as expected.
My goal is to use Functions to call the platform API and manage permissions for users, groups, and projects. When I create a TPA client in Functions and call the API via the SDK, it works in preview but not in workshop actions, so I switched to using a webhook. I registered the webhook and imported it in TS v1. Using the webhook, some APIs work, but those that require enrollment or space RID still do not. Even though I provide the correct RID, I get a 404 error stating that the enrollment or space cannot be found.
Hi,
There is a way to achieve this; however, on our stack it has been done by Palantir, so I don’t know what backend setting they did to enable it.
On our stack we have a special group “preregister-admin” where our TPA is a member and we are able to pre-register users with it, even though it’s not part of the same realm.
@Ben Can you explain which permission this group grants to the user?
Thanks for the reply — that’s encouraging. I’m an intern and don’t have much time to resolve this. If there are any other engineers besides Ben who might be able to help, could you please @mention them in this thread so I can follow up directly? Thank you.
This is actually a bug which is now resolved. The fix might take some time to propagate to your Foundry environment (today up to the next few days).
Thanks for the response. I want to confirm a few things:
- Is it a bug that creating a platform SDK client in Functions using a TPA client credentials token (instead of the Functions runtime client) works in preview but fails in workshop actions, or is this intentionally blocked for security reasons?
- If it is a bug, has it been fixed? If it is not a bug, what is the reason it’s blocked (security policy, scope/claim differences, membership restrictions, etc.)?
- What is the recommended way to call the platform API from Functions using a TPA access token? I prefer using the SDK if possible. Is that supported/recommended, or should I use direct HTTP requests with the token?