Why don't API calls of service users (via Developer Console) work? (Permissions missing or empty response)

I’ve set up an application in Developer Console, which created a service user. This service user has some permissions over some object, but when I try to perform an API call with it, it returns an empty response or an “unauthorized” response.

Why? What configuration do I need to make this API call work?


The permissions of the service users depend on the configuration of the developer console application.

There are 3 levels of permission control:

  • The application scope: This is defined in the Developer Console configuration itself. It defines if the service user has any “scope” defined, or if once authenticated, it has access to the whole platform (like a standard user).

If the service user is “unscoped” then there is no additional control.


If the service user is scoped, then there are further controls. (see OAuth scope just below)

  • The OAuth Scope: This is defined in the Developer Console app, and defines the resources that it can access: projects, ontology resources, type of Platform APIs (Ontology, datasets, etc.)



  • The Authorization time scope: when you resolve the client_id/client_secret for a token, you can request a particular scope (list of operations), like scope = ['someservice:someperms', ... ]

Note: what you can find in Control panel doesn’t apply to service users, but applies to the user OAuth-ing via this application.

Now, what are the restrictions that apply on a given token, depending on the configuration …

  • The application scope is “scoped”
    • OAuth scope is defined
      • Authorization time scope is defined
        • ==> you get a token with the intersection of the OAuth and Authorization scopes
      • Authorization time scope is not defined
        • ==> you get a token with the OAuth scope
    • OAuth scope is not defined
      • Authorization time scope is defined
        • ==> you get a token with the Authorization scope only
      • Authorization time scope is not defined
        • ==> you get a token with NO scope. This token can’t be used to perform valid API calls.
  • The application scope is “unscoped”
    • ==> No limit on the token. Like if I were to generate my own token.

See https://www.palantir.com/docs/foundry/developer-console/application-scopes#application-scopes for more details
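
The decision tree in the answer above, written out as an added example (not part of the original answer and not Palantir code) that also reports why a needed operation is missing from a token. The function names and the scope strings such as 'someservice:read' are constructed placeholders; an undefined scope is passed as None.

```python
from typing import Optional, Set

UNRESTRICTED = None  # sentinel: the token is not limited by any scope


def effective_scope(app_scoped: bool,
                    oauth_scope: Optional[Set[str]],
                    requested_scope: Optional[Set[str]]) -> Optional[Set[str]]:
    """Operations carried by a service-user token, per the rules in the answer."""
    if not app_scoped:
        return UNRESTRICTED                      # "unscoped": no limit on the token
    if oauth_scope is not None and requested_scope is not None:
        return oauth_scope & requested_scope     # intersection of both scopes
    if oauth_scope is not None:
        return set(oauth_scope)                  # OAuth scope only
    if requested_scope is not None:
        return set(requested_scope)              # authorization-time scope only
    return set()                                 # NO scope: no valid API calls


def diagnose(app_scoped: bool,
             oauth_scope: Optional[Set[str]],
             requested_scope: Optional[Set[str]],
             needed: str) -> str:
    """Explain whether the token's scope covers the operation `needed`."""
    scope = effective_scope(app_scoped, oauth_scope, requested_scope)
    if scope is UNRESTRICTED:
        return "not limited by scope"
    if needed in scope:
        return "in scope"
    if not scope:
        return "empty scope"
    if oauth_scope is not None and needed not in oauth_scope:
        return "missing from OAuth scope"
    return "not requested at authorization time"


if __name__ == "__main__":
    # Constructed sample configuration: the app allows read and write,
    # but the token request asked only for read.
    oauth = {"someservice:read", "someservice:write"}
    asked = {"someservice:read"}
    for op in ("someservice:read", "someservice:write"):
        print(op, "->", diagnose(True, oauth, asked, op))
    print("no scopes at all ->", diagnose(True, None, None, "someservice:read"))
```
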