[$60] [config] M2M token should be allowed to create v5 users #81

Closed
maxceem opened this issue Dec 23, 2020 · 48 comments

@maxceem
Contributor

maxceem commented Dec 23, 2020

When I used the M2M token for the DEV env locally: in situations when the user doesn't exist in V5, we create it by calling:

  • POST /v5/users
  • POST /v5/users/${userId}/externalProfiles

At the moment the first request returns Forbidden.

We have to make sure that the M2M config that we use on DEV and PROD allows creating users in V5.

@maxceem maxceem added the bug Something isn't working label Dec 23, 2020
@imcaizheng
Contributor

imcaizheng commented Dec 24, 2020

I think it is related to the AUTH0 audience being used to create the m2m token.

Initially AUTH0 audience configuration was

export AUTH0_AUDIENCE=https://u-bahn.topcoder.com
export AUTH0_AUDIENCE_FOR_BUS_API=https://m2m.topcoder-dev.com/

Recently it got changed to

export AUTH0_AUDIENCE=https://m2m.topcoder-dev.com/
export AUTH0_AUDIENCE_FOR_BUS_API=https://m2m.topcoder-dev.com/

To revert the configuration is a good way to go, but it would break some recent changes like in #73. We should fix them as well.

By the way I think it could be better to use some more meaningful names for the audience configuration. Like

export AUTH0_UBAHN_AUDIENCE=https://u-bahn.topcoder.com
export AUTH0_M2M_AUDIENCE=https://m2m.topcoder-dev.com/

@maxceem
Contributor Author

maxceem commented Dec 24, 2020

Thank you for your input @imcaizheng.

Agree on renaming.

So do you think we can fix this issue by using m2m token with https://u-bahn.topcoder.com audience when requesting m2m token for POST /v5/users and POST /v5/users/${userId}/externalProfiles endpoints?

@imcaizheng
Contributor

imcaizheng commented Dec 24, 2020

@maxceem
If using m2m token with https://u-bahn.topcoder.com audience to request m2m token,
I am able to make a successful request for POST /v5/users ONLY after I configure the AUTH0 credential from

export AUTH0_CLIENT_ID=gZ6jt50HYHLBf4vhxjUhXPZOR7Q5lk4k
export AUTH0_CLIENT_SECRET=xxxx

to

export AUTH0_CLIENT_ID=LEyCiuOrHc7UAFoY0EAAhMulWSX7SrQ5
export AUTH0_CLIENT_SECRET=xxxx

Otherwise I would get the following error:

(node:955658) UnhandledPromiseRejectionWarning: Error: Unknown Error
    at Request._callback (/home/caizheng/my_projects/topcoder-taas-apis-fix-permission-rules/taas-apis/node_modules/tc-core-library-js/lib/auth/m2m.js:70:24)
    at Request.self.callback (/home/caizheng/my_projects/topcoder-taas-apis-fix-permission-rules/taas-apis/node_modules/request/request.js:185:22)
    at Request.emit (events.js:314:20)
    at Request.EventEmitter.emit (domain.js:483:12)
    at Request.<anonymous> (/home/caizheng/my_projects/topcoder-taas-apis-fix-permission-rules/taas-apis/node_modules/request/request.js:1154:10)
    at Request.emit (events.js:314:20)
    at Request.EventEmitter.emit (domain.js:483:12)
    at IncomingMessage.<anonymous> (/home/caizheng/my_projects/topcoder-taas-apis-fix-permission-rules/taas-apis/node_modules/request/request.js:1076:12)
    at Object.onceWrapper (events.js:420:28)
    at IncomingMessage.emit (events.js:326:22)

Despite that, we can still carry out a solution by including both audiences with their corresponding credentials, like:

export AUTH0_M2M_AUDIENCE=https://m2m.topcoder-dev.com/
export AUTH0_M2M_CLIENT_ID=gZ6jt50HYHLBf4vhxjUhXPZOR7Q5lk4k
export AUTH0_M2M_CLIENT_SECRET=xxxx
export AUTH0_UBAHN_AUDIENCE=https://u-bahn.topcoder.com
export AUTH0_UBAHN_CLIENT_ID=LEyCiuOrHc7UAFoY0EAAhMulWSX7SrQ5
export AUTH0_UBAHN_CLIENT_SECRET=xxxx

It should work well.

EDIT I think a better solution is requesting TC support for a new AUTH0 credential that can work with both audiences.

@maxceem
Contributor Author

maxceem commented Dec 24, 2020

Thank you @imcaizheng. Let's ask for @nkumar-topcoder input for this.
I wonder if we can reuse a single M2M config for all the calls.

@maxceem maxceem added the question Further information is requested label Dec 25, 2020
@nkumar-topcoder
Contributor

@maxceem @imcaizheng I agree, the current Audience gZ6jt50HYHLBf4vhxjUhXPZOR7Q5lk4k is meant to serve u-bahn and bus api related role access. Not sure why this issue is occurring. The token can create/update v5/users. Is this specific to your local access? @imcaizheng

@imcaizheng
Contributor

Here are the steps with which I could reproduce the issue. @nkumar-topcoder Please try with the steps to examine if current auth0 configuration works for you.

Firstly, to help simplify the process, add the following code snippets to the end of src/common/helper.js file
so function getM2Mtoken can be called immediately after the app starts.

getM2Mtoken().then(result => {
  console.log(result)
})

  1. Start the app with AUTH0_AUDIENCE set to https://u-bahn.topcoder.com/. Here are the commands:

    export AUTH0_URL=https://topcoder-dev.auth0.com/oauth/token
    export AUTH0_AUDIENCE=https://u-bahn.topcoder.com/
    export TOKEN_CACHE_TIME=90
    export AUTH0_CLIENT_ID=gZ6jt50HYHLBf4vhxjUhXPZOR7Q5lk4k
    export AUTH0_CLIENT_SECRET=xxxx
    export AUTH0_PROXY_SERVER_URL=https://auth0proxy.topcoder-dev.com/token
    export AUTH0_AUDIENCE_FOR_BUS_API=https://m2m.topcoder-dev.com/
    npm start

    Output from the console is shown as

    [2020-12-26T08:49:39.103Z] app INFO : Express server listening on port 3000
    (node:1876968) UnhandledPromiseRejectionWarning: Error: Unknown Error
        at Request._callback (/home/caizheng/my_projects/topcoder-taas-apis-implement-event-handlers/taas-apis/node_modules/tc-core-library-js/lib/auth/m2m.js:70:24)
        at Request.self.callback (/home/caizheng/my_projects/topcoder-taas-apis-implement-event-handlers/taas-apis/node_modules/request/request.js:185:22)
        at Request.emit (events.js:314:20)
        at Request.EventEmitter.emit (domain.js:483:12)
        at Request.<anonymous> (/home/caizheng/my_projects/topcoder-taas-apis-implement-event-handlers/taas-apis/node_modules/request/request.js:1154:10)
        at Request.emit (events.js:314:20)
        at Request.EventEmitter.emit (domain.js:483:12)
        at IncomingMessage.<anonymous> (/home/caizheng/my_projects/topcoder-taas-apis-implement-event-handlers/taas-apis/node_modules/request/request.js:1076:12)
        at Object.onceWrapper (events.js:420:28)
        at IncomingMessage.emit (events.js:326:22)
    (node:1876968) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
    (node:1876968) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

    You could see it cannot even get the token from AUTH0 API.

  2. Start the app with AUTH0_AUDIENCE set to https://m2m.topcoder-dev.com/. Here are the commands:

    export AUTH0_AUDIENCE=https://m2m.topcoder-dev.com/
    export AUTH0_URL=https://topcoder-dev.auth0.com/oauth/token
    export AUTH0_AUDIENCE=https://m2m.topcoder-dev.com/
    export TOKEN_CACHE_TIME=90
    export AUTH0_CLIENT_ID=gZ6jt50HYHLBf4vhxjUhXPZOR7Q5lk4k
    export AUTH0_CLIENT_SECRET=xxxx
    export AUTH0_PROXY_SERVER_URL=https://auth0proxy.topcoder-dev.com/token
    export AUTH0_AUDIENCE_FOR_BUS_API=https://m2m.topcoder-dev.com/
    npm start

    Output from the console is shown as

    [2020-12-26T08:53:52.001Z] app INFO : Express server listening on port 3000
    eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik5VSkZORGd4UlRVME5EWTBOVVkzTlRkR05qTXlRamxETmpOQk5UYzVRVUV3UlRFeU56TTJRUSJ9.eyJpc3MiOiJodHRwczovL3RvcGNvZGVyLWRldi5hdXRoMC5jb20vIiwic3ViIjoiZ1o2anQ1MEhZSExCZjR2aHhqVWhYUFpPUjdRNWxrNGtAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vbTJtLnRvcGNvZGVyLWRldi5jb20vIiwiaWF0IjoxNjA4OTAyNDcxLCJleHAiOjE2MDg5ODg4NzEsImF6cCI6ImdaNmp0NTBIWUhMQmY0dmh4alVoWFBaT1I3UTVsazRrIiwic2NvcGUiOiJyZWFkOnVzZXJfaWRwX3Rva2VucyByZWFkOmNoYWxsZW5nZXMgYWxsOmdyb3VwcyB3cml0ZTpncm91cHMgcmVhZDpncm91cHMgcmVhZDpyZXZpZXdfdHlwZSByZWFkOnJldmlldyByZWFkOnByb2plY3QgcmVhZDpidXNfdG9waWNzIHdyaXRlOmJ1c19hcGkgcmVhZDplbWFpbF90ZW1wbGF0ZXMgcmVhZDp1c2VyX3Byb2ZpbGVzIHJlYWQ6cm9sZXMgcmVhZDpwcmVmZXJlbmNlcyByZWFkOnByb2plY3QtdXNlciByZWFkOnByb2plY3QtcGVybWlzc2lvbiByZWFkOmxvb2t1cHMgcmVhZDpyZXNvdXJjZXMgcmVhZDp0ZXJtcyByZWFkOnByb2plY3RzIHJlYWQ6cHJvamVjdC1tZW1iZXJzIHJlYWQ6YWNoaWV2ZW1lbnQgcmVhZDphY2hpZXZlbWVudHNQcm92aWRlciByZWFkOmF0dHJpYnV0ZSByZWFkOmF0dHJpYnV0ZUdyb3VwIGFsbDphdHRyaWJ1dGVHcm91cCBjcmVhdGU6YXR0cmlidXRlR3JvdXAgdXBkYXRlOmF0dHJpYnV0ZUdyb3VwIHJlYWQ6b3JnYW5pemF0aW9uIHJlYWQ6cm9sZSByZWFkOnNraWxsIHJlYWQ6c2tpbGxzUHJvdmlkZXIgcmVhZDp1c2VyQXR0cmlidXRlIHJlYWQ6dXNlcnNSb2xlIHJlYWQ6dXNlcnNTa2lsbCByZWFkOmdyb3VwIGFsbDpncm91cCB1cGRhdGU6Z3JvdXAgY3JlYXRlOmdyb3VwIHJlYWQ6dXNlciByZWFkOnRhYXMtdGVhbXMgcmVhZDp0YWFzLWpvYnMgYWxsOnRhYXMtam9icyByZWFkOnRhYXMtam9iQ2FuZGlkYXRlcyBhbGw6dGFhcy1qb2JDYW5kaWRhdGVzIGFsbDp0YWFzLXJlc291cmNlQm9va2luZ3MiLCJndHkiOiJjbGllbnQtY3JlZGVudGlhbHMifQ.bx6QnwsnQOZ1YYtmJtlR-n1ciKGwWPyBKSMTLNdhA8_jii12mMX41TPgEjgAz87SVrnclA-zP9aDYA2ch2YWT_kEJb-0KR-bkt0AyXz3CMoOII-HkqKdg9xEZS2zKEFTUaSFPNdRfz4lEiZUU-tx600Mx-vaY2ECNT6mbIj-TF1KoUZ1sw-NWw3FKPXL4b3bEI_CIzIkUvajZf_aZi9BCbTenZK_OhDWeVD1o9yiz2N9Ujw1XSh6OI4mMKZ6w1IBvXUoGfCwIxW4n63kfbuQq3lT6dLBFAaHAG3gh5LFCIZLHks-9a9OqmGDawLg57vQ1_4Zb4kSB11rSm4oV8dWhw

    The token is successfully generated.

  3. Start the app with AUTH0_AUDIENCE set to https://u-bahn.topcoder.com and with credential set to LEyCiuOrHc7UAFoY0EAAhMulWSX7SrQ5. Here are the commands:

    export AUTH0_URL=https://topcoder-dev.auth0.com/oauth/token
    export AUTH0_AUDIENCE=https://u-bahn.topcoder.com
    export TOKEN_CACHE_TIME=90
    export AUTH0_CLIENT_ID=LEyCiuOrHc7UAFoY0EAAhMulWSX7SrQ5
    export AUTH0_CLIENT_SECRET=xxxx
    export AUTH0_PROXY_SERVER_URL=https://auth0proxy.topcoder-dev.com/token
    export AUTH0_AUDIENCE_FOR_BUS_API=https://m2m.topcoder-dev.com/
    npm start

    Output from the console is shown as

    [2020-12-26T09:09:46.283Z] app INFO : Express server listening on port 3000
    <TOKEN>

    The token is successfully generated.

So we have two different tokens after step 2 and step 3.

Below is how the tokens were used to make requests to the v5/users api.

  • with token from step 2:

    curl -X POST "https://api.topcoder-dev.com/v5/users" -H authorization:'Bearer <token from step 2>' -i

    output:

    HTTP/2 403 
    date: Sat, 26 Dec 2020 09:16:34 GMT
    content-type: application/json; charset=utf-8
    content-length: 57
    access-control-allow-origin: *
    etag: W/"39-obB0Muk7aigo4Ln+Ga5fGeyh3+E"
    x-powered-by: Express
    x-ratelimit-limit: 0
    x-ratelimit-remaining: 0
    x-ratelimit-reset: 0
    
    {"message":"You are not allowed to perform this action!"}

    It means the token was rejected.

  • with token from step 3:

    curl -X POST "https://api.topcoder-dev.com/v5/users" -H authorization:'Bearer <token from step 3>' -i

    output:

    HTTP/2 400 
    date: Sat, 26 Dec 2020 09:15:59 GMT
    content-type: application/json; charset=utf-8
    content-length: 43
    access-control-allow-origin: *
    etag: W/"2b-+GGl6sDYVrZBiWeU1xxOJXmUbjM"
    x-powered-by: Express
    x-ratelimit-limit: 0
    x-ratelimit-remaining: 0
    x-ratelimit-reset: 0
    
    {"message":"\"entity.handle\" is required"}

    Though it got a 400 error, it indicates at least the token was approved.

@maxceem
Contributor Author

maxceem commented Dec 26, 2020

Thanks @imcaizheng.

I've checked out the scope of tokens 2 and 3:

Token 2

{
  "iss": "https://topcoder-dev.auth0.com/",
  "sub": "gZ6jt50HYHLBf4vhxjUhXPZOR7Q5lk4k@clients",
  "aud": "https://m2m.topcoder-dev.com/",
  "iat": 1608902471,
  "exp": 1608988871,
  "azp": "gZ6jt50HYHLBf4vhxjUhXPZOR7Q5lk4k",
  "scope": "read:user_idp_tokens read:challenges all:groups write:groups read:groups read:review_type read:review read:project read:bus_topics write:bus_api read:email_templates read:user_profiles read:roles read:preferences read:project-user read:project-permission read:lookups read:resources read:terms read:projects read:project-members read:achievement read:achievementsProvider read:attribute read:attributeGroup all:attributeGroup create:attributeGroup update:attributeGroup read:organization read:role read:skill read:skillsProvider read:userAttribute read:usersRole read:usersSkill read:group all:group update:group create:group read:user read:taas-teams read:taas-jobs all:taas-jobs read:taas-jobCandidates all:taas-jobCandidates all:taas-resourceBookings",
  "gty": "client-credentials"
}

Token 3

{
  "iss": "https://topcoder-dev.auth0.com/",
  "sub": "LEyCiuOrHc7UAFoY0EAAhMulWSX7SrQ5@clients",
  "aud": "https://u-bahn.topcoder.com",
  "iat": 1608973789,
  "exp": 1609060189,
  "azp": "LEyCiuOrHc7UAFoY0EAAhMulWSX7SrQ5",
  "scope": "read:user all:user create:user update:user delete:user all:achievement create:achievement update:achievement read:achievement delete:achievement read:achievementsProvider all:achievementsProvider update:achievementsProvider delete:achievementsProvider read:attribute all:attribute update:attribute delete:attribute read:attributeGroup all:attributeGroup create:attributeGroup update:attributeGroup delete:attributeGroup read:externalProfile all:externalProfile create:externalProfile delete:externalProfile read:organization all:organization create:organization delete:organization read:role all:role create:role update:role delete:role read:skill all:skill create:skill update:skill delete:skill read:skillsProvider all:skillsProvider create:skillsProvider update:skillsProvider delete:skillsProvider read:userAttribute all:userAttribute create:userAttribute update:userAttribute delete:userAttribute read:usersRole all:usersRole create:usersRole update:usersRole delete:usersRole read:usersSkill all:usersSkill create:usersSkill update:usersSkill delete:usersSkill read:group all:group update:group create:group delete:group update:externalProfile update:organization create:achievementsProvider create:upload update:upload all:upload create:template read:upload read:template all:template update:template delete:upload delete:template create:attribute",
  "gty": "client-credentials"
}

Token 3 has scopes like all:user create:user update:user delete:user; these scopes allow creating users in v5, see https://github.com/topcoder-platform/u-bahn-api/blob/develop/src/modules/user/route.js#L9-L28.

@nkumar-topcoder can we add these scopes to the m2m Auth config for AUTH0_CLIENT_ID=gZ6jt50HYHLBf4vhxjUhXPZOR7Q5lk4k.
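
The scope comparison done by hand in the comment above can be scripted; the following is an added example, not code from this thread or from the taas-apis / u-bahn-api repositories. The two sample tokens are constructed (shortened scope lists, placeholder client ids, fake signature), the helper names are hypothetical, and the accepted-scope entry for externalProfiles is an assumption modeled on the `create:user` / `all:user` rule.

```javascript
// Added example. Diagnostic use only: the payload is decoded WITHOUT verifying
// the signature, which is fine for explaining a 403 but never for authorization.

// Scopes that satisfy each call (any one is enough). The users entry follows the
// thread (create:user or all:user); the externalProfiles entry is an assumption.
const ACCEPTED_SCOPES = {
  'POST /v5/users': ['create:user', 'all:user'],
  'POST /v5/users/{userId}/externalProfiles': ['create:externalProfile', 'all:externalProfile']
};

// JWT segments are base64url without padding; map back to the base64 alphabet.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Return the claims object from the middle segment of a compact JWT.
function decodeClaims(jwt) {
  const parts = String(jwt).trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  let claims;
  try {
    claims = JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    throw new Error('payload is not base64url-encoded JSON');
  }
  if (claims === null || typeof claims !== 'object') {
    throw new Error('payload is not a JSON object');
  }
  return claims;
}

// The "scope" claim is a single space-delimited string.
function grantedScopes(claims) {
  const raw = typeof claims.scope === 'string' ? claims.scope : '';
  return new Set(raw.split(/\s+/).filter(Boolean));
}

// Would this token pass the scope check for the given endpoint, and for whom was it issued?
function checkEndpoint(jwt, endpoint) {
  const accepted = ACCEPTED_SCOPES[endpoint];
  if (!accepted) throw new Error('unknown endpoint: ' + endpoint);
  const claims = decodeClaims(jwt);
  const granted = grantedScopes(claims);
  const matched = accepted.filter((s) => granted.has(s));
  return {
    client: claims.azp,
    audience: claims.aud,
    allowed: matched.length > 0,
    matched,
    accepted
  };
}

// Endpoints from the table above that the token cannot call.
function deniedEndpoints(jwt) {
  return Object.keys(ACCEPTED_SCOPES).filter((ep) => !checkEndpoint(jwt, ep).allowed);
}

// Scopes present in the first token but absent from the second (sorted).
function scopesOnlyInFirst(jwtA, jwtB) {
  const b = grantedScopes(decodeClaims(jwtB));
  return [...grantedScopes(decodeClaims(jwtA))].filter((s) => !b.has(s)).sort();
}

// --- Constructed sample data (not real tokens) ---
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc(claims), 'constructed-signature'].join('.');
}

const SAMPLE_M2M_TOKEN = makeSampleToken({
  aud: 'https://m2m.topcoder-dev.com/',
  azp: 'SAMPLE_CLIENT_A',
  scope: 'read:user read:taas-jobs all:taas-jobs write:bus_api',
  gty: 'client-credentials'
});

const SAMPLE_UBAHN_TOKEN = makeSampleToken({
  aud: 'https://u-bahn.topcoder.com',
  azp: 'SAMPLE_CLIENT_B',
  scope: 'read:user all:user create:user create:externalProfile all:externalProfile',
  gty: 'client-credentials'
});

console.log('denied for m2m-audience token:', deniedEndpoints(SAMPLE_M2M_TOKEN));
console.log('only in u-bahn token:', scopesOnlyInFirst(SAMPLE_UBAHN_TOKEN, SAMPLE_M2M_TOKEN));
```

Running the same check against a freshly issued token after each Auth0 grant change shows whether the change reached the token, without calling the API.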

@nkumar-topcoder
Contributor

@imcaizheng @maxceem all and delete user were missing and it's given now. Pls try.

@imcaizheng
Contributor

imcaizheng commented Dec 26, 2020

@nkumar-topcoder Are we supposed to get a new client id and client secret? If so, please send the info to my email.

@nkumar-topcoder
Contributor

nkumar-topcoder commented Dec 27, 2020

@imcaizheng No, it's same gZ6jt50H...... client. Still not working ? Let me know if any scopes/roles are missing.

@imcaizheng
Contributor

imcaizheng commented Dec 27, 2020

@nkumar-topcoder I tried it, with the gZ6jt50HYHLBf4vhxjUhXPZOR7Q5lk4k client id, but it is still not working.

This time I got the following token

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik5VSkZORGd4UlRVME5EWTBOVVkzTlRkR05qTXlRamxETmpOQk5UYzVRVUV3UlRFeU56TTJRUSJ9.eyJpc3MiOiJodHRwczovL3RvcGNvZGVyLWRldi5hdXRoMC5jb20vIiwic3ViIjoiZ1o2anQ1MEhZSExCZjR2aHhqVWhYUFpPUjdRNWxrNGtAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vbTJtLnRvcGNvZGVyLWRldi5jb20vIiwiaWF0IjoxNjA4OTkyMTQ5LCJleHAiOjE2MDkwNzg1NDksImF6cCI6ImdaNmp0NTBIWUhMQmY0dmh4alVoWFBaT1I3UTVsazRrIiwic2NvcGUiOiJyZWFkOnVzZXJfaWRwX3Rva2VucyByZWFkOmNoYWxsZW5nZXMgYWxsOmdyb3VwcyB3cml0ZTpncm91cHMgcmVhZDpncm91cHMgcmVhZDpyZXZpZXdfdHlwZSByZWFkOnJldmlldyByZWFkOnByb2plY3QgcmVhZDpidXNfdG9waWNzIHdyaXRlOmJ1c19hcGkgcmVhZDplbWFpbF90ZW1wbGF0ZXMgcmVhZDp1c2VyX3Byb2ZpbGVzIHJlYWQ6cm9sZXMgcmVhZDpwcmVmZXJlbmNlcyByZWFkOnByb2plY3QtdXNlciByZWFkOnByb2plY3QtcGVybWlzc2lvbiByZWFkOmxvb2t1cHMgcmVhZDpyZXNvdXJjZXMgcmVhZDp0ZXJtcyByZWFkOnByb2plY3RzIHJlYWQ6cHJvamVjdC1tZW1iZXJzIHJlYWQ6YWNoaWV2ZW1lbnQgcmVhZDphY2hpZXZlbWVudHNQcm92aWRlciByZWFkOmF0dHJpYnV0ZSByZWFkOmF0dHJpYnV0ZUdyb3VwIGFsbDphdHRyaWJ1dGVHcm91cCBjcmVhdGU6YXR0cmlidXRlR3JvdXAgdXBkYXRlOmF0dHJpYnV0ZUdyb3VwIHJlYWQ6b3JnYW5pemF0aW9uIHJlYWQ6cm9sZSByZWFkOnNraWxsIHJlYWQ6c2tpbGxzUHJvdmlkZXIgcmVhZDp1c2VyQXR0cmlidXRlIHJlYWQ6dXNlcnNSb2xlIHJlYWQ6dXNlcnNTa2lsbCByZWFkOmdyb3VwIGFsbDpncm91cCB1cGRhdGU6Z3JvdXAgY3JlYXRlOmdyb3VwIHJlYWQ6dXNlciByZWFkOnRhYXMtdGVhbXMgcmVhZDp0YWFzLWpvYnMgYWxsOnRhYXMtam9icyByZWFkOnRhYXMtam9iQ2FuZGlkYXRlcyBhbGw6dGFhcy1qb2JDYW5kaWRhdGVzIGFsbDp0YWFzLXJlc291cmNlQm9va2luZ3MiLCJndHkiOiJjbGllbnQtY3JlZGVudGlhbHMifQ.QH-BvkLURCrtie1ymKibtq7buAPECPCY3BEWLVhcAJq698sqMrN4S1UiBX3x8nnZ7H82EIMlq-WHlgTc_6XOJUFBUecN47U_gTHlKC9LpN_hBMp2oywQZV9GY-Z0_ZhPWba2o7QbbiC3sEmXHW5yH1CxpRFeuPnWDWyKjlfBA4yuxx2Ul1EVVMVO_Gk7hmeq6NVfqCSez1CpqOldm5QP9aU55ADxi0CuXywJlSbUqUMySxz2s216Fg9URWcKYXYvBoMPJ0L1p2esyvb5QVEY9_dPuHrh0JngFPKPvbwZen9399VWgHgwBwQWw8w2wEdbd7NlpY8IhU5BDIdYMD_BJA

The scope inside the token are listed below:

read:user_idp_tokens
read:challenges
all:groups
write:groups
read:groups
read:review_type
read:review
read:project
read:bus_topics
write:bus_api
read:email_templates
read:user_profiles
read:roles
read:preferences
read:project-user
read:project-permission
read:lookups
read:resources
read:terms
read:projects
read:project-members
read:achievement
read:achievementsProvider
read:attribute
read:attributeGroup
all:attributeGroup
create:attributeGroup
update:attributeGroup
read:organization
read:role
read:skill
read:skillsProvider
read:userAttribute
read:usersRole
read:usersSkill
read:group
all:group
update:group
create:group
read:user
read:taas-teams
read:taas-jobs
all:taas-jobs
read:taas-jobCandidates
all:taas-jobCandidates
all:taas-resourceBookings

I compared the scopes of this new token to the scopes of the token generated before, and found they are the same. That said, there are no changes.

@nkumar-topcoder
Contributor

@imcaizheng I will connect with the team tomorrow for exact roles/scope access.
Meanwhile, I have given all scopes similar to the earlier LEyCiuOrHc7UAF.. token.
pls check now

@imcaizheng
Contributor

imcaizheng commented Dec 27, 2020

@nkumar-topcoder
Currently, compared to client LEyCiuOrHc7UAFoY0EAAhMulWSX7SrQ5, client gZ6jt50HYHLBf4vhxjUhXPZOR7Q5lk4k does not have scopes create:user and create:externalProfile.

We should at least add scopes create:user and create:externalProfile to the client gZ6jt50HYHLBf4vhxjUhXPZOR7Q5lk4k so that we can create v5/users and create the user's external profile.

@nkumar-topcoder
Contributor

@callmekatootie we have created taas app own m2m audience, it's same as u-bahn's scope wise. But we have issues creating v5/users. What are the prerequisite u-bahn scopes for creating v5/users?

@imcaizheng If I post a job which doesn't have v5/users it does create a v5/user, i tested this when m2m PR was merged. I will re-test this on monday.

cc: @maxceem

@callmekatootie
Collaborator

But we have issues creating v5/users

Can you let me know the error that you get

Could you also provide a sample m2m token that is being generated / used...

@nkumar-topcoder
Contributor

@maxceem
Contributor Author

maxceem commented Dec 28, 2020

@nkumar-topcoder I've checked M2M token which is generated by gZ6jt50HYHLBf4vhxjUhXPZOR7Q5lk4k. It still doesn't have scopes which we need for creating users in V5 create:user create:externalProfile.

Here is generated token:

<TOKEN>

List of scopes of this token:

read:user_idp_tokens 
read:challenges 
all:groups 
write:groups 
read:groups 
read:review_type 
read:review 
read:project 
read:bus_topics 
write:bus_api 
read:email_templates 
read:user_profiles 
read:roles 
read:preferences 
read:project-user 
read:project-permission 
read:lookups 
read:resources 
read:terms 
read:projects 
read:project-members 
read:achievement 
read:achievementsProvider 
read:attribute 
read:attributeGroup 
all:attributeGroup 
create:attributeGroup 
update:attributeGroup 
read:organization 
read:role 
read:skill 
read:skillsProvider 
read:userAttribute 
read:usersRole 
read:usersSkill 
read:group 
all:group 
update:group 
create:group 
read:user 
read:taas-teams 
read:taas-jobs 
all:taas-jobs 
read:taas-jobCandidates 
all:taas-jobCandidates 
all:taas-resourceBookings

@callmekatootie
Collaborator

Yep - I need to get back on this. Could not find time today - hope to get back asap before I call it a day today. Apologies for the delay

@maxceem
Contributor Author

maxceem commented Dec 28, 2020

No worries, this is not super urgent.

@callmekatootie
Collaborator

I am not sure I follow the entire thread but scope needed to create the user in u-bahn is create:user or all:user. Reference

According to this post it looks like, using Step 3, you were able to generate the token with that scope - and you got a 400 status code asking you to pass the handle of the user to create... So, if you have the token with the mentioned scope, then just pass the handle, along with the first name and last name parameters during user creation and you should succeed. Let me know if you need any more info from me

@imcaizheng
Contributor

@callmekatootie The fact is that we already knew the token from Step 3 can access v5/users and just want the token from Step 2 to be able to access v5/users as well.

What made us confused is that nkumar-topcoder said the token from Step 2 was already given scope create:user but actually it is not.

@callmekatootie
Collaborator

Gotcha... So the only bit to do is add either the create:user or all:user scope to that client id... @nkumar-topcoder

@nkumar-topcoder
Contributor

nkumar-topcoder commented Dec 29, 2020

@maxceem @imcaizheng

  • Option 1 - have given all permission. Pls try now.
  • Option 2 - If option-1 doesn't work then change the audience to https://u-bahn.topcoder.com with same clientId gZ6jt50HYHLB... and try. Please try this locally first. Once confirmed, we need to change the config environment variables + audience in the code for u-bahn related functions like users, skill, externalprofile.....
  • Note : https://m2m.topcoder-dev.com/ audience has taas scopes + tc-bus scopes (for ES search posting)

@maxceem
Contributor Author

maxceem commented Dec 29, 2020

@nkumar-topcoder here is the new token generated by gZ6jt50HYHLBf4vhxjUhXPZOR7Q5lk4k. It still doesn't have scopes we need. I guess somehow changes for scopes are not applied, maybe we need to reset something somewhere or something like that, so the scope changes are applied.

<TOKEN>

Scopes it has:

read:user_idp_tokens
read:challenges
all:groups
write:groups
read:groups
read:review_type
read:review
read:project
read:bus_topics
write:bus_api
read:email_templates
read:user_profiles
read:roles
read:preferences
read:project-user
read:project-permission
read:lookups
read:resources
read:terms
read:projects
read:project-members
read:achievement
read:achievementsProvider
read:attribute
read:attributeGroup
all:attributeGroup
create:attributeGroup
update:attributeGroup
read:organization
read:role
read:skill
read:skillsProvider
read:userAttribute
read:usersRole
read:usersSkill
read:group
all:group
update:group
create:group
read:user
read:taas-teams
read:taas-jobs
all:taas-jobs
read:taas-jobCandidates
all:taas-jobCandidates
all:taas-resourceBookings

@maxceem
Contributor Author

maxceem commented Dec 29, 2020

When changing the audience to https://u-bahn.topcoder.com for the same client, it cannot generate a token for me and returns Unknown Error.

@nkumar-topcoder
Contributor

@maxceem ok, I will check with team. Even though I have all access, somehow it's not picking the scopes.

@imcaizheng
Contributor

@nkumar-topcoder
I tested option 1 and option 2 locally and got same result like maxceem mentioned.

  1. With client gZ6jt50HYHLBf4vhxjUhXPZOR7Q5lk4k the generated token doesn't contain all:user or create:user.
  2. With audience https://u-bahn.topcoder.com it got error instead of token from AUTH0 api.

@nkumar-topcoder
Contributor

nkumar-topcoder commented Jan 4, 2021

@imcaizheng @maxceem
Please check the PR for m2m : #88
2 changes

  1. config AUTH0_AUDIENCE=https://u-bahn.topcoder.com
  2. helper.js line 320. Here project access should be pointing to m2m topcoder token.

And, client Id remain same : gZ6jt50HY....

This is merged and deployed to Dev branch but not verified. Request you to confirm post verification
thanks @sachin-maheshwari

@imcaizheng
Contributor

@maxceem

  1. Just double check, the result config would look like:

    export AUTH0_URL=https://topcoder-dev.auth0.com/oauth/token
    export AUTH0_AUDIENCE=https://m2m.topcoder-dev.com/
    export AUTH0_AUDIENCE_UBAHN=https://u-bahn.topcoder.com
    export TOKEN_CACHE_TIME=90
    export AUTH0_CLIENT_ID=gZ6jt50HYHLBf4vhxjUhXPZOR7Q5lk4k
    export AUTH0_CLIENT_SECRET=xxxx
    export AUTH0_PROXY_SERVER_URL=https://auth0proxy.topcoder-dev.com/token

  2. I think getM2Mtoken should be renamed to getM2MToken so it looks consistent with getM2MUbahnToken.

@maxceem
Contributor Author

maxceem commented Jan 4, 2021

Contest https://www.topcoder.com/challenges/30161163 has been updated - it has been assigned to aaron2017.

This is an automated message for maxceem via Topcoder X

@imcaizheng
Contributor

PR created #91

@nkumar-topcoder
Contributor

@maxceem
nkumar-topcoder could you, please, confirm, that we have to use PROD audience https://u-bahn.topcoder.com not a DEV one https://u-bahn.topcoder-dev.com
Here the u-bahn audience for dev is confusing. For dev and prod, the audience is the same, that is https://u-bahn.topcoder.com; there is no https://u-bahn.topcoder-dev.com

@maxceem
Contributor Author

maxceem commented Jan 4, 2021

@imcaizheng

  1. Yes. Config looks good to me.

  2. That's good, thanks for this.

@nkumar-topcoder
Contributor

@maxceem , @imcaizheng thanks for all your timely help.

@maxceem - I have updated dev config for AUTH0_AUDIENCE_UBAHN. Please merge.

@maxceem
Contributor Author

maxceem commented Jan 5, 2021

Fix looks good to me, though I cannot verify it locally.

When I'm trying to create a Job using a user that possibly doesn't exist in U-bahn, I get an error:

{
    "message": "Bad Request"
}

At the same time, in the log I see:

JobService createJob ERROR : cannot GET /v5/users?enrich=true&externalProfile.organizationId=36ed815b-3da1-49f1-a043-aaed0a4e81ad&externalProfile.externalId=88774206 (400)

If I try to call endpoint GET https://api.topcoder-dev.com/v5/users?enrich=true&externalProfile.organizationId=36ed815b-3da1-49f1-a043-aaed0a4e81ad&externalProfile.externalId=88774206 via user pshah_manger in Postman I get:

{
    "message": "\"query.externalProfile.organizationId\" is not allowed"
}

@nkumar-topcoder @imcaizheng Do you have any ideas about this?

@callmekatootie maybe you could help us with this, why such a request could return "\"query.externalProfile.organizationId\" is not allowed"? Here is a curl:

curl --location --request GET 'https://api.topcoder-dev.com/v5/users?enrich=true&externalProfile.organizationId=36ed815b-3da1-49f1-a043-aaed0a4e81ad&externalProfile.externalId=88774206' \
--header 'Authorization: Bearer <TOKEN>'

@maxceem
Contributor Author

maxceem commented Jan 5, 2021

@callmekatootie Looks like this issue happens for all users now, while it worked for them previously. For any user, such a request returns an error.

@callmekatootie
Collaborator

@maxceem Thank you for bringing this to my attention. We are currently migrating our code base from qldb to pgsql database and we realized now that we have not copied over the GET /users query params.

Logged it here - topcoder-archive/topcoder-platform-u-bahn-api#74. Will resolve this soon

@maxceem
Contributor Author

maxceem commented Jan 6, 2021

Hey, @callmekatootie do you know how soon it could be possibly fixed? Actually it's quite critical for us 😔, as we cannot test TaaS API now, while we have a scheduled release on Jan 15.

@callmekatootie
Collaborator

I'll get back to you with an update later today

@callmekatootie
Collaborator

@maxceem Can you try now. The issue is resolved

@imcaizheng
Contributor

@callmekatootie @maxceem I could verify the issue is resolved. All operations can be done without Bad Request errors like before.

@maxceem
Contributor Author

maxceem commented Jan 6, 2021

Great! Thank you, @callmekatootie.

And thank you for verifying it @imcaizheng.

@maxceem
Contributor Author

maxceem commented Jan 6, 2021

I've tested with using a user not in V5 and it works good, I can see that member maxceem20 is created in log:

[2021-01-06T17:26:42.334Z] helper createUbahnUser DEBUG : response body: {"id":"c74c9888-94be-4295-92e0-f816f125486a","handle":"maxceem20","firstName":"Max","lastName":"20","createdBy":"NaN","updated":"2021-01-06T17:26:42.140Z","created":"2021-01-06T17:26:42.140Z","updatedBy":null}
[2021-01-06T17:26:43.203Z] helper createUserExternalProfile DEBUG : response body: {"id":"0dd69d7d-4746-42d1-8c2f-d52f065cc4ef","organizationId":"36ed815b-3da1-49f1-a043-aaed0a4e81ad","externalId":"88774202","userId":"c74c9888-94be-4295-92e0-f816f125486a","isInactive":false,"createdBy":"NaN","updated":"2021-01-06T17:26:42.820Z","created":"2021-01-06T17:26:42.820Z","updatedBy":null,"uri":null}

Though, if after this we are trying to find this user, it's not found. Then next URL GET https://api.topcoder-dev.com/v5/users?enrich=true&externalProfile.organizationId=36ed815b-3da1-49f1-a043-aaed0a4e81ad&externalProfile.externalId=88774202 returns [].

But if we try to create the same user again, we get error 409:

{
    "message": "Conflict"
}

This is not connected with the current issue, and we would continue discussing this issue in #46.

@maxceem maxceem closed this as completed Jan 6, 2021
@maxceem
Contributor Author

maxceem commented Jan 6, 2021

This ticket was not processed for payment. If you would like to process it for payment, please reopen it, add the tcx_FixAccepted label, and then close it again

This is an automated message for maxceem via Topcoder X

@maxceem
Contributor Author

maxceem commented Jan 6, 2021

Payment task has been updated: https://software.topcoder.com/review/actions/ViewProjectDetails?pid=30161163

This is an automated message for maxceem via Topcoder X

@maxceem maxceem added this to the v1.0 - Initial Launch milestone Feb 24, 2021