1

I'm attempting to use the Brightspace API, but I'm getting a 403 (Forbidden) response.

I've registered my application using the Manage Extensability (/d2l/lp/extensibility/home) page, I've generated a user ID and key from the API Test Tool.

Using all of this, I've installed the D2L.Extensibility.AuthSdk NuGet package in my project. Then, in the relevant class, I've created a property for a UserContext and am initializing it in the constructor like this:

_d2LUserContext = new D2LAppContextFactory()
    .Create(OrionConfiguration.D2LApplicationId, OrionConfiguration.D2LApiKey)
    .CreateUserContext(
        "censored user id",
        "censored user key",
        new HostSpec("https", OrionConfiguration.D2LUrl.Substring(8), 443)
    );

Notes:

  1. The .Substring(8) is because D2LUrl includes the URL scheme
  2. The user id and key were generated this morning, so they have not expired yet

Then, I am trying to call the API. The code for this is split up in a few methods.

private string AuthParam(string path, string method)
{
    return _d2LUserContext
        .CreateAuthenticatedTokens($"/d2l/api/lp/1.2{path}", method)
        .Select(tuple => $"{tuple.Item1}={tuple.Item2}")
        .Aggregate((acc, p) => $"{acc}&{p}");
}

public Task<UserResponse> CreateUser(UserRequest userRequest)
{
    const string path = "/users";
    return _httpUtils.Post<UserResponse>($"{path}/?{AuthParam(path, "POST")}", userRequest);
}

UserRequest is a POC#O (Plain Old C# Object) version of the model the API expects.

Here is the relevant method in the HttpUtils class - this is a wrapper around the HttpClient I wrote to get rid of some of the boilerplate in other classes.

internal async Task<T> Post<T>(string route, dynamic body)
{
    var response = await _httpClient.PostAsync(
        _baseUrl + route, 
        new StringContent(JsonConvert.SerializeObject(body), Encoding.UTF8, "application/json")
    );

    _logger.LogInformation($"POST request to {route}");
    _logger.LogInformation(await response.Content.ReadAsStringAsync());
    return JsonConvert.DeserializeObject<T>(await response.Content.ReadAsStringAsync());
}

Now, putting it all together, when I try to debug these methods getting called, I set a breakpoint the line after my POST request, and we can see I get a 403 403 error in debugger

I'm wondering why this is happening. The user that the key and id were generated from is a super administrator, so this is not a permissions issue.

piticent123
  • 193
  • 1
  • 7
  • When you created the app registration via `Manage Extensibility` you would have gotten an App ID/Key pair. When you went through the three-legged workflow to get a _User_ ID/Key pair, did you do so using your own registered App ID/Key? (I ask because the user credentials are different for each registered app that participates in that three-legged workflow with a user...) – Viktor Haag Mar 11 '20 at 18:02
  • Good question. I should've put that in the original question. Yes, I used my app's id/key to get the user id/key – piticent123 Mar 11 '20 at 18:33
  • Wait, try this -- the actual _API route_ in question has a trailing slash and the trailing slash thus needs putting in to the method you have that generates the auth token; it looks to me like what you're doing is passing a `path` that does _not_ have this trailing slash, and then putting it into the request as a side effect of when you tack on the query parameters... – Viktor Haag Mar 24 '20 at 15:34
  • That worked! Thank you so much for that. What a small detail! I'd be happy to mark your answer as accepted if you want to put that as an answer. – piticent123 Mar 24 '20 at 18:41
  • 1
    Sure -- will do -- also, please note that you really want to be using a more modern version for your API route than `1.2`... note that there are some API routes [you can use to find what versions the backend supports](https://docs.valence.desire2learn.com/res/apiprop.html#id3). Currently the [oldest fully supported API contract](https://docs.valence.desire2learn.com/about.html#api-deprecation-and-obsolescence) for the LP part of Brightspace is 1.23. – Viktor Haag Mar 24 '20 at 19:45

1 Answers1

1

The actual API route in question has a trailing slash and the trailing slash thus needs putting into the method you have that generates the authentication token/signature. It looks to me like what you're doing is passing a path that does not have this trailing slash, and then putting it into the request as a side effect of when you tack on the query parameters, so you're generating an authentication signature for one API route and then using another in the call.

Brightspace API routes are quite sensitive to that trailing slash, and unfortunately they're not always applied cleanly or consistently in routes.

Viktor Haag
  • 3,363
  • 1
  • 18
  • 21