Open klaaskox opened 1 month ago
Hi, this could be a permission issue on the authenticated user. Check whether your authenticated user has enough grants for the relevant endpoint.
On Mon, 30 Sep 2024 at 14:17, klaaskox @.***> wrote:
Hi,
We have been using this client for years (it's the best 🥇), but today we are not able to communicate with EO anymore. When reading or creating data we get "Application Scope Violated" errors. We did not change anything in our code. Has anyone experienced this before? What could cause this all of a sudden?
Thanks!
— Reply to this email directly or view it on GitHub: https://github.com/picqer/exact-php-client/issues/659
Authentication is done with a client ID / secret. Is it possible to check specific grants?
We are seeing the same thing happening:
Picqer\Financials\Exact\ApiException
Error 403: Forbidden - Application Scope Violated. Cannot read 'organization.administration' scope. (Reason: > AppScopeViolated: Application Scope Violated. Cannot read 'organization.administration' scope.)
Nothing changed in our code; it started happening out of the blue. There are also no apparent issues with the API endpoint, for that matter.
Our problem was caused by a change on the ExactOnline side. App scopes have recently become mandatory for security reasons. For some reason we missed that announcement. You will have to do a data & security review in the exact online app store. Since we only use the app internally (and therefore not in the app store), you can also use an app under a developer's licence. In that case, the review is not necessary.
No idea if your problem has the same cause, but maybe this will help you.
Thanks for your quick answer. Do you happen to have a reference to this announcement or change? I need to investigate how to deal with this.
No, I searched for the announcement but could not find it. I found out about it by asking a question via the support section. They told me about it.
I can send you the complete response they sent me (in Dutch).
That would be great (I'm Dutch too, so that's fine).
Subject: 403 - Forbidden - Application Scope Violated
Description
Since today we have been receiving "403 - Forbidden - Application Scope Violated" errors on all requests we make to the API. The integration we use has worked without problems for years. Nothing has changed in the settings / users either. What could be causing this?
Solution
In September last year it was announced that all app scopes would become mandatory for security reasons. You also received an email about this last month. We are now in the period in which the scopes are being enforced.
Compare the app against the reference documentation and check which APIs and endpoints the app uses. The reference documentation shows which scopes belong to which endpoints. If you only make "GET" requests for a specific endpoint, you can set the scopes to "read" ("lezen"). If you also send data via "POST", "PUT" or "DELETE", the scope must be set to "manage" ("beheren").
Follow these steps to go through the data & security review in the app store:
1) Go to the app store via [partners > exact online app store > log in > exact online app store: log in].
2) Click on your app and select the "Laten beoordelen" (submit for review) tab.
3) Edit step 1: "Data & Security Review".
4) Adjust the scopes as needed.
5) Click "Verstuur" (send) at the top of the page.
The review will then be done shortly. Contact the supplier of the integration if the app is not registered under your own licence.
I hope this has informed you sufficiently.
Have a nice day!
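As an added example (not code from the original thread or from picqer/exact-php-client), the scope audit the support answer describes, written as a stand-alone Python script rather than PHP so it runs without the client library: given the HTTP calls your integration makes, it derives the read/manage level each scope needs using the support rule (GET only means "read", any POST/PUT/DELETE means "manage"), compares that against what the app currently has granted, and recognises the AppScopeViolated 403 message quoted earlier in the thread so a log line tells you which scope is missing. The endpoint-to-scope table and every scope name other than 'organization.administration' are assumptions; replace them with the mapping from Exact's reference documentation.

```python
"""Added example for this issue thread; not part of picqer/exact-php-client.
Derive required Exact Online app scopes from the calls an integration makes
and recognise the AppScopeViolated 403 quoted in the thread."""
import re

READ = "read"
MANAGE = "manage"
_RANK = {READ: 1, MANAGE: 2}

# Constructed placeholder mapping of API paths to the scope that governs
# them.  Only 'organization.administration' appears on the page; the other
# scope names are assumed and must be checked against the reference docs.
ENDPOINT_SCOPES = {
    "/api/v1/{division}/system/Divisions": "organization.administration",
    "/api/v1/{division}/crm/Accounts": "crm.accounts",                  # assumed
    "/api/v1/{division}/salesinvoice/SalesInvoices": "sales.invoices",  # assumed
}

WRITE_METHODS = {"POST", "PUT", "DELETE"}

# Matches the "Cannot read '<scope>' scope" part of the 403 body quoted in
# this thread; the verb is captured rather than assumed.
SCOPE_VIOLATION = re.compile(
    r"AppScopeViolated: Application Scope Violated\. "
    r"Cannot (?P<verb>\w+) '(?P<scope>[^']+)' scope"
)


def required_scopes(calls):
    """calls: iterable of (method, endpoint) the integration performs.
    Returns {scope: "read"|"manage"}.  A single write call on a scope
    upgrades it to "manage" no matter how many reads it also has."""
    levels = {}
    for method, endpoint in calls:
        method = method.upper()
        if method != "GET" and method not in WRITE_METHODS:
            raise ValueError(f"unexpected HTTP method {method!r}")
        scope = ENDPOINT_SCOPES.get(endpoint)
        if scope is None:
            raise KeyError(f"no scope known for {endpoint}; check the reference docs")
        level = MANAGE if method in WRITE_METHODS else READ
        if _RANK[level] > _RANK.get(levels.get(scope), 0):
            levels[scope] = level
    return levels


def parse_scope_violation(message):
    """Return {"scope": ..., "level": ...} for an AppScopeViolated message,
    or None when the error is something else (so the caller re-raises)."""
    m = SCOPE_VIOLATION.search(message)
    if not m:
        return None
    return {"scope": m.group("scope"), "level": m.group("verb")}


def missing_grants(required, granted):
    """Scopes whose granted level (absent counts as none) is below the
    level the integration needs."""
    return {
        scope: level
        for scope, level in required.items()
        if _RANK.get(granted.get(scope), 0) < _RANK[level]
    }


# The 403 body quoted in this thread, reused here as a constructed sample.
SAMPLE_ERROR = (
    "Error 403: Forbidden - Application Scope Violated. Cannot read "
    "'organization.administration' scope. (Reason: > AppScopeViolated: "
    "Application Scope Violated. Cannot read 'organization.administration' scope.)"
)

if __name__ == "__main__":
    # Constructed list of what a typical integration calls.
    calls = [
        ("GET", "/api/v1/{division}/system/Divisions"),
        ("GET", "/api/v1/{division}/crm/Accounts"),
        ("POST", "/api/v1/{division}/salesinvoice/SalesInvoices"),
    ]
    need = required_scopes(calls)
    granted = {"sales.invoices": MANAGE}  # assumed current grants on the app
    print("required :", need)
    print("missing  :", missing_grants(need, granted))
    print("violation:", parse_scope_violation(SAMPLE_ERROR))
```

Feed `required_scopes` the real method/endpoint pairs from your client's request log (or from a grep of the client calls your code makes) and compare the result with the scopes configured on the OAuth2 app in the app store; the output of `missing_grants` is the list to fix in the "Data & Security Review" step. In the exception handler around your API calls, run `parse_scope_violation` on the `ApiException` message and log the scope it returns, so a scope enforcement change like the one in this thread is diagnosed from the first failed request.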
Just to circle back here, it is indeed a matter of making sure the OAuth2 application that is configured in your account (the one you use to interact with the API) has access to the scopes you use.
In our case we no longer had access to this application, so we simply created a new one. Also, depending on how you use it, you don't need to put it up for review with Exact.
@klaaskox can you confirm the answer of @Koenstell was sufficient and helped you resolve the scope issue?
@remkobrenters, yes, @Koenstell used the same solution as I did:
Our problem was caused by a change on the ExactOnline side. App scopes have recently become mandatory for security reasons. For some reason we missed that announcement. You will have to do a data & security review in the exact online app store. Since we only use the app internally (and therefore not in the app store), you can also use an app under a developer's licence. In that case, the review is not necessary.
No idea if your problem has the same cause, but maybe this will help you.