Issues calling script using REST api

Hey everyone,
I am trying to run a PowerShell script which calls a customer One Identity Script leveraging the REST api. One Identity V7.1.2 is used. At the variable $newUri the PowerShell script throws out an Authorization Issue:

Code:
# Setting authentication
$authdata = @{AuthString="Module=DialogUser;User=<user>;Password=<password>."}
$authJSON = ConvertTo-JSON $authdata -Depth 2

# Login against the Application server
Invoke-RestMethod -Uri "https://<servername>/d1imappserver/auth/apphost" -Body $authJSON.ToString() -Method Post -UseDefaultCredentials -Headers @{Accept="application/json"} -SessionVariable $wsession

# --> Issue starts here
$newURI = (Invoke-RestMethod -Uri "https://<servername>/D1IMAppServer/api/script/CCC_xxxx_REST_FinalizeServiceRequest" -WebSession $wsession -Method Post -ContentType application/json).uri

# Logout
Invoke-RestMethod -Uri "https://<servername>/d1imappserver/auth/logout" -WebSession $wsession -Method Post

ErrorMessage:
Invoke-RestMethod : Snapshot of ExecuteScriptRequest generated by ServiceStack on 05.12.2017 10:44:46
view json datasource from original url: https://<servername>/D1IMAppServer/api/script/CCC_xxxx_REST_FinalizeServiceRequest? in other
formats: json xml csv jsv
This reports json data source
Close Window Response StatusError CodeUnauthorizedMessageNot authorized
At line:2 char:12
+ $newURI = (Invoke-RestMethod -Uri "https://<servername> ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand


Can anyone support in this case?

 

Thanks in advance,

Niko

  • The error message "Not authorized" indicates that the script is encountering an authorization issue when trying to access the URI https://<servername>/D1IMAppServer/api/script/CCC_xxxx_REST_FinalizeServiceRequest. Here are some troubleshooting steps you can try to fix the authorization problem:

    1. Verify Credentials and Permissions:

      • Ensure the username and password stored in the $authdata variable are correct for a user with appropriate permissions to access the specified script. Double-check for any typos.

      • In One Identity, verify if the user has the necessary roles assigned to run the CCC_xxxx_REST_FinalizeServiceRequest script through the REST API.

    2. Check Web Session Validity:

      • The error might occur if the web session established with Invoke-RestMethod for login becomes invalid before reaching the $newURI line. Consider these options:
          • Refresh Session: Add a line before the second Invoke-RestMethod call to refresh the session:
            PowerShell
            Invoke-RestMethod -Uri "https://<servername>/d1imappserver/auth/refresh" -WebSession $wsession -Method Post -UseDefaultCredentials -Headers @{Accept="application/json"}
            
          • Re-establish Session: Alternatively, re-establish the session for the specific call:
            PowerShell
            Invoke-RestMethod -Uri "https://<servername>/d1imappserver/auth/apphost" -Body $authJSON.ToString() -Method Post -UseDefaultCredentials -Headers @{Accept="application/json"} -SessionVariable newSession
            $newUri = (Invoke-RestMethod -Uri "https://<servername>/D1IMAppServer/api/script/CCC_xxxx_REST_FinalizeServiceRequest" -WebSession $newSession -Method Post -ContentType application/json).uri
            

    3. Review One Identity Configuration:

      • Check One Identity documentation or consult their support for any specific configuration requirements for accessing scripts through the REST API.

      • Verify if additional steps are needed to authorize users for REST API access.

    4. Inspect Server Response:

      • The error message suggests accessing the provided URL directly in a browser (replacing placeholders with actual values) might reveal additional information in the response body. This could offer clues about the specific authorization failure reason.

    By following these steps and reviewing your script configuration, you should be able to identify the cause of the authorization issue and successfully run the script.

    Additional Tips:

      • Consider using secure string variables for storing credentials to avoid storing them in plain text.

      • For troubleshooting purposes, temporarily increase logging levels in One Identity to capture more details about the authorization failure.
  • Does it work if you add the parameter

    -ContentType application/json

    to your Invoke-RestMethod PowerShell command?

  • Execution sequence for calling script via REST API

    $cred=Get-Credential
    $authdata=@{AuthString="Module=DialogUser;User=abc;Password=abc"}
    $authJson=ConvertTo-Json $authdata -Depth 2
    Invoke-RestMethod -Uri "https://<baseurl>/AppServer/auth/apphost" -Body $authJson.ToString() -Method Post -Credential $cred -Headers @{Accept="application/json"} -SessionVariable wsession

    Output: 

    claims : @{schemas.oneidentity.com/.../identifier=abc; http://schemas.oneiden
    tity.com/ws/2017/04/identity/claims/useruid=CCC-A025329ED8C4F043B78B4B0C45004D97;
    schemas.oneidentity.com/.../module=DialogUser;
    schemas.oneidentity.com/.../product=;
    schemas.oneidentity.com/.../isdialogadmin=true}
    passwordBased : True
    moduleDisplay : System user
    sessionId : ILb26jRNIrTXnBUlhrZ2
    userName : abc

    Next Command:

    $body=@{parameters=@("IE0","23455")} | ConvertTo-Json

    {
    "parameters": [
    "IE0",
    "23455"
    ]
    }

    Invoke-RestMethod -Uri "https://<baseurl>/AppServer/api/script/CCC_LookupSiteCode_SNOW" -WebSession $wsession -Method PUT -Body $body -Headers @{Accept="application/json"}

     

    Output:

    Invoke-RestMethod : {"responseStatus":{"errorCode":"ArgumentException","message":"Method expected 2 parameters but got
    0.","errors":[]}}
    At line:1 char:1
    + Invoke-RestMethod -Uri "ashsd95030.vbechtel.com/.../api ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebExc
    eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

  • Hi Markus, I'm passing correct JSON as BODY to backend script but it always says that expected parameters 2 but got 0.

    $body=@{"parameters"=@("IE0","23455")} | ConvertTo-Json

    {
    "parameters": [
    "IE0",
    "23455"
    ]
    }

  • Hello Markus,

    thank you so much! This was the last issue. Now it works.


    Cheers,
    Niko
  • I had to trace your code by testing it line by line in PowerShell.

    The reason for the access denied lies in the fact that you wrongly specified the SessionVariable in the initial connect. You specified the session variable with a starting $, which is wrong.

    Your login call:

    Invoke-RestMethod -Uri "https://<servername>/d1imappserver/auth/apphost" -Body $authJSON.ToString() -Method Post -UseDefaultCredentials -Headers @{Accept="application/json"} -SessionVariable $wsession

    Correct login call:

    Invoke-RestMethod -Uri "https://<servername>/d1imappserver/auth/apphost" -Body $authJSON.ToString() -Method Post -UseDefaultCredentials -Headers @{Accept="application/json"} -SessionVariable wsession

  • Yes, I have also assigned it to the script.

    When I test the REST call in the web interface of the application server with the value mentioned in the $body, I receive the result "true":

  • Have you also assigned the same program function to the script?
  • Hello Markus,

    thanks again for the fast reply. I have corrected the body.

    I have also assigned the program function "Common_StartScripts" for the customer script, but unfortunately no success. I have double checked, if our custom system user has the program function assigned.

    Still no success.


    Thanks,
    Niko
  • If you test your body in PowerShell (always the easiest way to confirm that your body is well-formed according to the specification) you will find the resulting JSON is wrong.

    Your incorrect body 

    $body = @{parameters = "[3c93f2b9-5524-4b24-9477-5ce0d5510e32]"} | ConvertTo-Json

    is delivering the following JSON.

    {
        "parameters":  "[3c93f2b9-5524-4b24-9477-5ce0d5510e32]"
    }

    The correct body would be

    $body = @{parameters = @("3c93f2b9-5524-4b24-9477-5ce0d5510e32")} | ConvertTo-Json

    and delivers the following JSON.

    {
        "parameters":  [
                           "3c93f2b9-5524-4b24-9477-5ce0d5510e32"
                       ]
    }

    Furthermore, I think you are seeing an access error when trying to call the script.  Please take a look at the following post.

    https://www.quest.com/community/products/one-identity/f/identity-manager/21567/calling-scripts-via-application-server-restful-api-using-common_startscripts-permission-not-working
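
The fixes discussed in this thread (the session variable passed by name without a leading `$`, `parameters` sent as a JSON array, and a JSON content type on the script call) combined into one login / call / logout sequence. This is an added example, not code from any poster or from One Identity: the function name `Invoke-OneIMScript` and its parameters are hypothetical, the URLs follow the placeholders used in the posts, and the credential is prompted for rather than hard-coded.

```powershell
# Added example. Invoke-OneIMScript is a hypothetical helper, not a One Identity cmdlet.
function Invoke-OneIMScript {
    param(
        [Parameter(Mandatory)] [string]       $BaseUrl,     # e.g. https://<servername>/D1IMAppServer
        [Parameter(Mandatory)] [string]       $ScriptName,  # e.g. CCC_xxxx_REST_FinalizeServiceRequest
        [Parameter(Mandatory)] [pscredential] $Credential,  # system user, from Get-Credential
        [string[]] $Parameters = @()
    )

    # Build the AuthString at call time so the password never sits in the script file.
    $net      = $Credential.GetNetworkCredential()
    $authJson = @{ AuthString = "Module=DialogUser;User=$($net.UserName);Password=$($net.Password)" } |
                ConvertTo-Json -Depth 2

    # -SessionVariable takes the variable NAME. Writing "$wsession" here would pass the
    # (empty) value of that variable instead, and no session object would be stored.
    $null = Invoke-RestMethod -Uri "$BaseUrl/auth/apphost" -Method Post -Body $authJson `
        -UseDefaultCredentials -Headers @{ Accept = 'application/json' } -SessionVariable wsession

    # Fail early if the login did not leave a session object behind.
    if ($wsession -isnot [Microsoft.PowerShell.Commands.WebRequestSession]) {
        throw 'Login did not produce a web session; check the -SessionVariable name.'
    }

    try {
        # @() keeps a single value as a JSON array: {"parameters":["..."]}
        $body = @{ parameters = @($Parameters) } | ConvertTo-Json
        if (($body | ConvertFrom-Json).parameters -isnot [array]) {
            throw "parameters did not serialize as a JSON array: $body"
        }

        # Reuse the authenticated session and declare the body as JSON.
        Invoke-RestMethod -Uri "$BaseUrl/api/script/$ScriptName" -WebSession $wsession `
            -Method Post -Body $body -ContentType 'application/json' `
            -Headers @{ Accept = 'application/json' }
    }
    finally {
        # Always close the application server session, even if the script call failed.
        $null = Invoke-RestMethod -Uri "$BaseUrl/auth/logout" -WebSession $wsession -Method Post
    }
}

# Usage (the GUID is the sample value from the thread):
# $cred = Get-Credential
# Invoke-OneIMScript -BaseUrl 'https://<servername>/D1IMAppServer' -Credential $cred `
#     -ScriptName 'CCC_xxxx_REST_FinalizeServiceRequest' `
#     -Parameters '3c93f2b9-5524-4b24-9477-5ce0d5510e32'
```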