Issues calling script using REST api

Hey everyone,
I am trying to run a PowerShell script which calls a customer One Identity Script leveraging the REST api. One Identity V7.1.2 is used. At the variable $newUri the PowerShell script throws out an Authorization Issue:

Code:
# Setting authentication
$authdata = @{AuthString="Module=DialogUser;User=<user>;Password=<password>."}
$authJSON = ConvertTo-JSON $authdata -Depth 2

# Login against the Application server
Invoke-RestMethod -Uri "https://<servername>/d1imappserver/auth/apphost" -Body $authJSON.ToString() -Method Post -UseDefaultCredentials -Headers @{Accept="application/json"} -SessionVariable $wsession

# --> Issue starts here
$newURI = (Invoke-RestMethod -Uri "https://<servername>/D1IMAppServer/api/script/CCC_xxxx_REST_FinalizeServiceRequest" -WebSession $wsession -Method Post -ContentType application/json).uri

# Logout
Invoke-RestMethod -Uri "https://<servername>/d1imappserver/auth/logout" -WebSession $wsession -Method Post

ErrorMessage:
Invoke-RestMethod : Snapshot of ExecuteScriptRequest generated by ServiceStack on 05.12.2017 10:44:46
view json datasource from original url: https://<servername>/D1IMAppServer/api/script/CCC_xxxx_REST_FinalizeServiceRequest? in other
formats: json xml csv jsv
This reports json data source
Close Window
Response Status
Error Code: Unauthorized
Message: Not authorized
At line:2 char:12
+ $newURI = (Invoke-RestMethod -Uri "https://<servername> ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand


Can anyone support in this case?

 

Thanks in advance,

Niko

  • When you take a look at the RestAPI documentation https://support.oneidentity.com/technical-documents/identity-manager/8.0/rest-api-reference-guide/14#TOPIC-863120 you will find that two things are wrong here.

    First, you have to use the HTTP method PUT and not POST like you do. Secondly, the result of a script call does not contain a property uri. You can use result instead.

  • In reply to Markus Weiss-Ehlers:

    Hello Markus,
    thanks for the fast reply. I changed the HTTP method to PUT and at the $newURI variable I changed it to .result.

    $body = @{parameters = "[3c93f2b9-5524-4b24-9477-5ce0d5510e32]"} | ConvertTo-Json

    $newURI = (Invoke-RestMethod -Uri "https://<servername>/D1IMAppServer/api/script/CCC_helpLine_REST_FinalizeServiceRequest" -WebSession $wsession -Method Put -ContentType application/json).result

    Unfortunately the error message still appears.

    Is the structure of the $body and $newURI correct or do I have to change the order of the parameters?



    Thanks,
    Niko
  • In reply to nikola.stijak:

    If you test your body in PowerShell (always the easiest way to confirm that your body is well-formed according to the specification) you will find the resulting JSON is wrong.

    Your incorrect body 

    $body = @{parameters = "[3c93f2b9-5524-4b24-9477-5ce0d5510e32]"} | ConvertTo-Json

    is delivering the following JSON.

    {
        "parameters":  "[3c93f2b9-5524-4b24-9477-5ce0d5510e32]"
    }

    The correct body would be

    $body = @{parameters = @("3c93f2b9-5524-4b24-9477-5ce0d5510e32")} | ConvertTo-Json

    and delivers the following JSON.

    {
        "parameters":  [
                           "3c93f2b9-5524-4b24-9477-5ce0d5510e32"
                       ]
    }

    Furthermore, I think you are seeing an access error when trying to call the script.  Please take a look at the following post.

    https://www.quest.com/community/products/one-identity/f/identity-manager/21567/calling-scripts-via-application-server-restful-api-using-common_startscripts-permission-not-working

  • In reply to Markus Weiss-Ehlers:

    Hello Markus,

    thanks again for the fast reply. I have corrected the body.

    I have also assigned the program function "Common_StartScripts" for the customer script, but unfortunately no success. I have double checked, if our custom system user has the program function assigned.

    Still no success.


    Thanks,
    Niko
  • In reply to nikola.stijak:

    Have you also assigned the same program function to the script?
  • In reply to Markus Weiss-Ehlers:

    Yes, I have also assigned it to the script.

    When I test the REST call in the web interface of the application server with the value mentioned in the $body, I receive the result "true".

  • In reply to nikola.stijak:

    I had to trace your code by testing it line by line in PowerShell.

    The reason for the access denied lies in the fact that you wrongly specified the SessionVariable in the initial connect. You specified the session variable with a starting $, which is wrong.

    Your login call:

    Invoke-RestMethod -Uri "https://<servername>/d1imappserver/auth/apphost" -Body $authJSON.ToString() -Method Post -UseDefaultCredentials -Headers @{Accept="application/json"} -SessionVariable $wsession

    Correct login call:

    Invoke-RestMethod -Uri "https://<servername>/d1imappserver/auth/apphost" -Body $authJSON.ToString() -Method Post -UseDefaultCredentials -Headers @{Accept="application/json"} -SessionVariable wsession
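
The corrections from this thread combined into one script, as an added example that is not code posted by either participant: the session variable is passed by name, the script is called with PUT and an array-valued `parameters` body, and the value is read from `result`. The `Get-Credential` prompt, the session type check and the `try`/`finally` logout are additions that the thread does not discuss; `<servername>`, the script name and the GUID are the thread's own placeholders.

```powershell
$ErrorActionPreference = 'Stop'

# Placeholders taken from the thread; replace with real values.
$base       = 'https://<servername>/D1IMAppServer'
$scriptName = 'CCC_xxxx_REST_FinalizeServiceRequest'

# Addition: prompt for the system user instead of storing the password in the file.
$cred       = Get-Credential -Message 'One Identity system user'
$authString = 'Module=DialogUser;User={0};Password={1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
$authJSON   = @{ AuthString = $authString } | ConvertTo-Json

# -SessionVariable expects the variable NAME. Writing "$wsession" here passes the
# (empty) value of that variable, so no session is stored for the later calls.
Invoke-RestMethod -Uri "$base/auth/apphost" -Method Post -Body $authJSON `
    -UseDefaultCredentials -Headers @{ Accept = 'application/json' } `
    -SessionVariable wsession | Out-Null

# Addition: fail early if the login did not leave a session object behind.
if ($wsession -isnot [Microsoft.PowerShell.Commands.WebRequestSession]) {
    throw 'Login did not create a web session; check the -SessionVariable argument.'
}

try {
    # "parameters" must serialize to a JSON array, hence @( ... ).
    $body = @{ parameters = @('3c93f2b9-5524-4b24-9477-5ce0d5510e32') } | ConvertTo-Json

    # Script calls use PUT; the return value is in the "result" property.
    $response = Invoke-RestMethod -Uri "$base/api/script/$scriptName" -WebSession $wsession `
        -Method Put -Body $body -ContentType 'application/json'
    $response.result
}
finally {
    # Always end the application server session, even if the script call failed.
    Invoke-RestMethod -Uri "$base/auth/logout" -WebSession $wsession -Method Post | Out-Null
}
```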

  • In reply to Markus Weiss-Ehlers:

    Hello Markus,

    thank you so much! This was the last issue. Now it works.


    Cheers,
    Niko