
I'm trying to use Azure's sample code for issuing and verifying Verifiable Credentials in Node.js. I've followed the tutorial and managed to set up a Verifiable Credential preview, as in the example. But when I run the run.sh script and scan the generated QR code in my Microsoft Authenticator app, I get the following exception in my app:

INFO/DID_SDK/: HttpError: 403 body: {"requestId":"myRequestId", "date":"currentDate", "mscv":"myMscv", "error":{"code":"Forbidden", "message":"Unable to access Keyvault resource with given credentials."}}

ksadjad

1 Answer


The error 403 Forbidden usually occurs if you don't have the required permissions to access the requested resource (in your case, Key Vault).

Please check whether you have set access policies for the Key Vault before setting up verifiable credentials. If not, set it like below:

Go to Azure portal -> Go to key vault settings -> Access policies -> Add access policies -> User -> Select account -> Add key permissions.


You should not modify the keys and secrets once created. Modifying keys and secrets will invalidate credentials. Check this Microsoft Article.

Make sure to set access policies in your key vault for both the administrator account of the Azure AD Verifiable Credentials service and for the Request Service API principal that you created.

There is also a possibility of getting this error if a firewall policy is enabled.

Turn on Azure Key Vault logging, which will give you the reason behind the error (access policy/firewall policy).

Based on the reason, you can troubleshoot by following the below reference:

HTTP 403: Troubleshooting - Azure Key Vault | Microsoft Docs

AZIdentity | Key Vault Firewall access by Azure App Services

Sridevi
  • I haven't modified any key or credential, also I have assigned all the "Key Permissions" that are available for me (plus all the "Secret Permissions" and "Certificate Permissions") to my own account and also my app (before your response it was just the way you described, after your response I increased hoping it will fix my issue), but that didn't help. Also I don't have any firewall. – ksadjad Jun 09 '22 at 12:41
  • Have you enabled Azure Key Vault logging and checked? – Sridevi Jun 09 '22 at 12:58
  • yeah, I'm getting this "resultDescription": "The user, group or application 'appid=3db474b9-6a0c-4840-96ac-1fceb342124f;oid=SOME_OID;iss=SOME_ISSUER' does not have keys sign permission on key vault 'KEY_VAULT;location=westeurope'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" The problem is the appId mentioned here, was in the microsoft sample code. I didn't change that. But if I do, and change it to my own appId, I can't generate the QR code anymore. – ksadjad Jun 09 '22 at 13:29
  • You have to replace the **`AppID`** provided in Microsoft code sample with your **own AppID**. As the provided **`AppID`** doesn't have **[Sign](https://i.imgur.com/5aXvJxr.png)** key permission, the error occurred. – Sridevi Jun 09 '22 at 14:10
  • If you modify it now, it will invalidate the credentials and you can't generate the QR code. – Sridevi Jun 09 '22 at 14:13
  • As I've mentioned earlier, if I change the `scopes` value to have my appId instead of the one provided by microsoft, I'll get `Failed to authenticate the request.` on generating QR code. And I've added the appId from my microsoft to my keyvault, so no problem in that area, but still no luck – ksadjad Jun 09 '22 at 14:17
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/245456/discussion-between-sridevimachavarapu-mt-and-ksadjad). – Sridevi Jun 09 '22 at 14:17
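
The Key Vault logging step from the answer, as an added example that is not part of the original thread or of Microsoft's sample code: a Node.js triage of exported diagnostic log records that separates access-policy denials from firewall denials and reports which principal is missing which permission. The record layout (`properties.httpStatusCode`, `resultDescription`), the firewall message wording, the `OWN_APP_ID` placeholder and the function names are assumptions; only the first `resultDescription` string is taken from the comments above.

```javascript
// Constructed sample records, assumed to follow the Key Vault AuditEvent log layout.
// The first resultDescription is the one quoted in the thread; the rest is placeholder data.
const sampleLogs = [
  { operationName: 'KeySign', properties: { httpStatusCode: 403 },
    resultDescription: "The user, group or application 'appid=3db474b9-6a0c-4840-96ac-1fceb342124f;oid=SOME_OID;iss=SOME_ISSUER' does not have keys sign permission on key vault 'KEY_VAULT;location=westeurope'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" },
  { operationName: 'KeySign', properties: { httpStatusCode: 403 },
    resultDescription: 'Client address is not authorized and caller is not a trusted service.' },
  { operationName: 'KeyGet', properties: { httpStatusCode: 200 }, resultDescription: '' },
];

// Matches the access-policy denial text shown in the thread.
const DENIED = /'appid=([^;']+);oid=([^;']+);iss=([^']+)' does not have (\w+) (\w+) permission on key vault '([^;']+)/;
// Assumed wording of a firewall denial; adjust to what your logs actually contain.
const FIREWALL = /Client address is not authorized/i;

// Returns null for non-403 records, otherwise the cause and any extracted details.
function classifyDenial(record) {
  const status = record.properties && record.properties.httpStatusCode;
  if (status !== 403) return null;
  const text = record.resultDescription || '';
  const m = DENIED.exec(text);
  if (m) {
    return { cause: 'access-policy', appId: m[1], objectId: m[2],
             permission: `${m[4]}/${m[5]}`, vault: m[6] };
  }
  if (FIREWALL.test(text)) return { cause: 'firewall' };
  return { cause: 'unknown', detail: text };
}

// Flags whether each denied principal is one of the app registrations you
// granted an access policy to, which shows when a request was signed in as
// some other application than the one you configured.
function triage(records, ownAppIds) {
  const own = new Set(ownAppIds.map((id) => id.toLowerCase()));
  return records.map(classifyDenial).filter(Boolean).map((f) =>
    f.cause === 'access-policy'
      ? { ...f, principalIsOurs: own.has(f.appId.toLowerCase()) }
      : f);
}

const OWN_APP_ID = '00000000-0000-0000-0000-000000000000'; // placeholder for your app registration
console.log(triage(sampleLogs, [OWN_APP_ID]));
```

A finding with `principalIsOurs: false` means the vault rejected a principal you never granted a policy to, so adding more permissions to your own account or app will not change the result.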