I am attempting to call the Business Central Admin Center API, but I keep receiving a 403 Forbidden error. It could be a misconfigured endpoint, or perhaps an alternative method is needed to obtain the required token.
I'm authorizing the same way I would if I were using OAuth2 to communicate with a BC API.
I have attempted the following Postman endpoints after successfully receiving an access token:
https://api.businesscentral.dynamics.com/admin/v2.11/applications/environments
https://api.businesscentral.dynamics.com/admin/v2.11/applications/businesscentral/environments
In both cases, however, I receive the 403 Forbidden error.
Calls to standard BC APIs appear to function as expected.
Does anyone know what I'm doing incorrectly or what I'm missing?
1st UPDATE
Now, the registered application uses delegated permissions and has access to all APIs within BC.
Similar to before, retrieving a token is successful, but the subsequent call results in a "Forbidden" error.
REQUEST (from Fiddler)
GET https://api.businesscentral.dynamics.com/admin/v2.11/applications/environments HTTP/1.1
Host: api.businesscentral.dynamics.com
Authorization: Bearer <my token>
Accept: application/json
RESPONSE (from Fiddler)
HTTP/1.1 403 Forbidden
Content-Length: 0
ms-correlation-x: 8d8d7e1c-cc1e-4866-9c1f-9708533dabd0
Access-Control-Allow-Headers: Origin, X-Requested-With, Authorization
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: ms-correlation-x
x-content-type-options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Thu, 07 Apr 2022 10:31:35 GMT
If I examine the token with jwt.io, I can't seem to find the part that describes which API the token gives access to, which could be the problem, or part of it?
UPDATE 2
I don't get it: regardless of what I try, the access_token I get doesn't include any info about what it grants access to.
I register an app and create delegated API permission for Business Central (user_impersonation and Financials.ReadWrite.All). Then I create a secret.
I use the following C# code to get a token:
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using System.Web; // HttpUtility.UrlEncode

var client_id = "<client_guid>";
var client_secret = "<client_secret>";
var tenant_id = "<tenant_guid>";
// v2.0 token endpoint of the tenant
var token_url = "https://login.microsoftonline.com/" + tenant_id + "/oauth2/v2.0/token";
var client = new HttpClient();
// client_credentials is the app-only flow; the .default scope asks for the
// permissions granted to the app registration itself (no signed-in user)
var content = new StringContent(
    "grant_type=client_credentials" +
    "&scope=https://api.businesscentral.dynamics.com/.default" +
    "&client_id=" + HttpUtility.UrlEncode(client_id) +
    "&client_secret=" + HttpUtility.UrlEncode(client_secret));
content.Headers.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded");
var response = await client.PostAsync(token_url, content);
var body = await response.Content.ReadAsStringAsync(); // JSON with the "access_token" attribute
Console.WriteLine(body);
The value in the "access_token" attribute I get from the response doesn't describe any of the permissions I created when I explore it with jwt.io. What am I doing wrong here?
My app permissions look like this:
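As an added example, not code from the original post: a small Python inspector that decodes a token's payload without verifying the signature (for reading claims while debugging, not for trusting them) and pulls out the `aud`, `roles` and `scp` claims, which is where a token states the API it was issued for and the permissions it carries. The two sample tokens are constructed here with placeholder GUIDs and a made-up role name; only the `aud` value and the two delegated scopes come from the post.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.
    The signature is NOT checked: this is for reading what a token
    asserts during debugging, never for deciding whether to trust it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def summarize_grants(claims: dict) -> dict:
    """Pull out the claims a resource checks before accepting the token:
    aud   - which API the token was issued for
    roles - application permissions (present in app-only tokens)
    scp   - delegated permissions (present in tokens obtained for a user)"""
    scp = claims.get("scp", "")
    return {
        "aud": claims.get("aud"),
        "roles": sorted(claims.get("roles", [])),
        "scp": sorted(scp.split()) if scp else [],
        "app_only": "scp" not in claims,
    }

def build_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned sample token for offline testing."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.signature-placeholder"

# Constructed samples; the GUID placeholders and the role name are made up, not real values.
BC_AUD = "https://api.businesscentral.dynamics.com"
SAMPLE_APP_ONLY = build_unsigned_token({
    "aud": BC_AUD, "appid": "<client_guid>", "roles": ["Sample.ReadWrite.All"]})
SAMPLE_DELEGATED = build_unsigned_token({
    "aud": BC_AUD, "appid": "<client_guid>",
    "scp": "Financials.ReadWrite.All user_impersonation", "upn": "user@example.com"})

if __name__ == "__main__":
    for name, tok in [("app-only", SAMPLE_APP_ONLY), ("delegated", SAMPLE_DELEGATED)]:
        print(name, json.dumps(summarize_grants(decode_jwt_claims(tok))))
```

Paste a real token in place of the samples to see which of `roles` or `scp` it actually carries; a token from the client_credentials flow has no `scp`, so delegated permissions granted to the registration never appear in it.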