OAuth with specific scopes does not work



Posted Mar 23, 2022

Hi, I followed the document here to get an access token with scopes "tickets:read users:read auditlogs:read".

After the OAuth flow completed, I got the following response:

endpoint: /api/v2/ticket.json and /api/v2/ticket_audit.json
response:
{"error":"Forbidden","description":"You are missing the following required scopes: read"}

But if I change the requested scopes to only "read", it works fine.

I am wondering if there's anything I overlooked and need to revise?

Thanks!


0

10

10 comments

Eric Nelson

Zendesk Developer Advocacy

Hey Mike,

Are you wrapping the scopes in an array? If not I'd try that "scopes": ["tickets:read", "users:read", "auditlogs:read"].

Let me know if this doesn't fix your issue!

0


Hi Eric, thanks for your reply.

The setting with an array does not work either.

But after re-testing with scope: "tickets:read users:read auditlogs:read" in both the authorization and token retrieval APIs, it works now.

BTW, when I use `scopes: ["tickets:read", "users:read", "auditlogs:read"]` as parameters for authorization and token retrieval, the consent page is displayed without any scopes shown. Then I can get an access_token successfully, but fail to get the user profile, with a 403 Forbidden error.

Thanks for your help. I think I will use the space-delimited string as the scope when requesting authorization.

0


Hi Eric, 

The scopes for access token retrieval work now.

But there's an issue with `ticket_audits` retrieval.

When I use "tickets:read auditlogs:read users:read" as my requested scopes and get an access token successfully, I can use this token to get tickets and list tickets via the GET endpoint.

But for the ticket_audits endpoint, the response is 403 with this body:

{
  "error": "Forbidden",
  "description": "You are missing the following required scopes: read"
}

And of all the documentation that mentions scopes, none of it brings up a scope for ticket_audits.

Can you help check if there's an issue with this scope? Thanks.

0


Greg Katechis

Zendesk Developer Advocacy

Hi again Mike! A colleague and I just did some testing and it turns out the ticket audits endpoint requires global read scoping in your token. My guess is that it's because ticket_audits can contain additional data that isn't being explicitly scoped in the token. I'll send a request along to one of the two teams that would be required to make a decision on adding additional scopes to try and get that added. I'll let you know when I hear back from them if that's something that will be possible down the line.
 
Let me know if you have any additional questions!

0


Hi Greg Katechis,

Thanks for your reply. In my testing, there is no specific scope for the incremental export API either.

It would be appreciated if you could send the Incremental Export API scope for discussion as well.

Thanks!

0


Hi Greg Katechis

I have a similar issue when trying to 

  • GET /api/v2/ticket_fields

The error is

{
  "error": "Forbidden",
  "description": "You are missing the following required scopes: read"
}

To get the OAuth access token I use the code approach with scope tickets:read.

I can get the tickets list, but other requests fail. What scope should I use for getting ticket_fields?

0


Greg Katechis

Zendesk Developer Advocacy

Hi Viktor! After doing some investigation on my end, it looks like access to the ticket_fields API requires global read access. I can look into this as a possible feature request for the future. For the time being, it appears that you will need global read access.

0


Hi, can anyone confirm whether or not the `tickets:read` scope will work for making GET requests to the incremental exports API? (/api/v2/incremental/tickets) I've searched for this in documentation but haven't found anything. Thanks!

0


Christopher Kennedy

Zendesk Developer Advocacy

Hi Kirsten,
 
Incremental export API requests also require global read access.

0


If you are encountering a 403 Forbidden error in 2024 - when sending a GET request for OAuth authentication, you should use this URL structure, which requires passing the scope as a URL parameter:

https://{subdomain}.zendesk.com/oauth/authorizations/new?response_type=code&redirect_uri={your_redirect_url}&client_id={your_unique_identifier}&scope=read%20write


Documentation link here 

1
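
A pre-flight check based on what this thread reports, as an added example that is not from any poster or from Zendesk: it builds the authorization URL with a space-delimited scope and lists which endpoints a requested scope set would not cover. The endpoint-to-scope mapping, the function names and the sample values are assumptions drawn only from the replies above.

```python
from urllib.parse import urlencode, quote

# As reported in this thread: GETs to these paths return 403 unless the token
# carries the global "read" scope; resource scopes such as tickets:read do not help.
GLOBAL_READ_PREFIXES = ("/api/v2/ticket_audits", "/api/v2/ticket_fields",
                        "/api/v2/incremental/")


def normalize_scope(scope):
    """Return scopes as one space-delimited string (the form that worked in the thread)."""
    parts = scope.split() if isinstance(scope, str) else [s.strip() for s in scope]
    parts = [p for p in parts if p]
    if not parts:
        raise ValueError("at least one scope is required")
    return " ".join(dict.fromkeys(parts))  # de-duplicate, keep order


def authorize_url(subdomain, client_id, redirect_uri, scope):
    """Build the authorization URL with scope as a single %20-separated parameter."""
    params = {"response_type": "code", "redirect_uri": redirect_uri,
              "client_id": client_id, "scope": normalize_scope(scope)}
    # quote_via=quote encodes spaces as %20, matching the URL quoted in the thread
    query = urlencode(params, quote_via=quote)
    return f"https://{subdomain}.zendesk.com/oauth/authorizations/new?{query}"


def required_scope(path):
    """Scope the thread reports for a GET to `path`; None where the thread is silent."""
    if path.startswith(GLOBAL_READ_PREFIXES):
        return "read"
    if path.startswith("/api/v2/tickets"):
        return "tickets:read"
    return None


def uncovered(paths, scope):
    """Paths a token with `scope` is expected to be refused, or that are unmapped."""
    granted = set(normalize_scope(scope).split())
    return [p for p in paths
            if required_scope(p) is None
            or not ({"read", required_scope(p)} & granted)]
```

Running `uncovered()` over the endpoints an integration calls shows, before requesting consent, whether resource scopes are enough or the token has to carry global `read`.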

