Getting unauthorized response when trying to use impersonation API

railto · July 26, 2017, 5:45pm

Hi There,

I’m trying to get up and running with the impersonation API however having issues with it returning unauthorized for every single request when I try it.

I’ve tried with curl and also a simple node script (pasted below) using the documentation but still no dice.
Wondering if anyone else has come across this and how they resolved it. I’ve had impersonation enabled on the tenant so can’t be that.

Thanks in advance,

Mark

const request = require('request');

const options = {
    method: 'POST',
    url: 'https://MY_DOMAIN.eu.auth0.com/users/USER_ID/impersonate',
    headers: {
        'authorization': 'Bearer MANAGEMENT_TOKEN',
        'content-type': 'application/json',
    },
    body: {
        'protocol': 'oauth2',
        'impersonator_id': 'IMPERSONATOR_ID',
        'client_id': 'CLIENT_ID',
        'additionalParameters': {
            'response_type': 'code',
            'scope': 'openid',
        },
    },
    json: true,
};

request(options, function(error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});

railto · July 28, 2017, 9:39pm

Is anyone able to help with this?

benm · August 1, 2017, 11:59pm

Make sure you have the legacy settings enabled and you are using the Global Client ID/Secret, NOT the Client Id and Client secret for a Client you’ve created. You can find the Global Client ID and Global Client Secret here: https://manage.auth0.com/#/account/advanced

railto · August 2, 2017, 1:02am

Hi Benm,

I’ve updated the request for getting the management token to use the global client id and password but instead am getting the following response:{ error: 'access_denied', error_description: 'Client is not authorized to access "https://transpoco-auth.eu.auth0.com/api/v2/". You might probably want to create a "client-grant" associated to this API. See: https://auth0.com/docs/api/v2#!/Client_Grants/post_client_grants' }

railto · August 2, 2017, 2:51am

Sorted now, was a combination of this and having the audience set to the V2 which was throwing it off, removed the audience claim and used the global credentials and it worked.

Had a call with @abhishek.hingnikar where we discovered that was what was causing the issue.

railto · July 28, 2017, 9:39pm

Is anyone able to help with this?

Abhishek_Hingnikar1 · July 31, 2017, 9:51pm

Hi Mark,
Can you share the exact error you are receiving? I believe that you are redacting the values in the payload, would it be possible to share an example of the complete payload (except the Management Token) ? And the claims by decoding the management api token in http://jwt.io/

railto · July 31, 2017, 9:58pm

Hi There, the exact error that I get is:
“Unauthorized”

I am unable to provide any other details for the payload however I know that the details being used in the payload are correct as this is not the first time I’ve used the Auth0 API, all our calls to Auth0 are over the API and not with the SDK.

Abhishek_Hingnikar1 · July 31, 2017, 11:03pm

This is weird, I believe impersonation might be disabled on your account, I’ll go ahead and check that and get back to you assap.

Abhishek_Hingnikar1 · August 1, 2017, 6:07am

Impersonation is enabled, I believe the error is being caused either due to a wrong / obsolete token or either client_id or client_secret is wrong. Can we hop on a call to debug this? I’ll dm you the details on twitter.

railto · August 1, 2017, 4:25pm

Thank’s Abhishek. I’ve checked all credentials and everything seems correct, I’ve updated my test script to pull a fresh management token however still getting the same.
Would appreciate having a call, I look forward to getting the details from you so we can resolve this.

Mark

Abhishek_Hingnikar1 · August 1, 2017, 11:31pm

I tweeted you from _mathdotrandom, can we move the convo to dm for the meeting details and add our learnings here ?