esi/esi-issues

403 forbidden for some endpoints and not others

kyle-mcknight opened this issue · 5 comments

Bug

When requesting assets for a character that my app has access to, I receive an unexpected 403 forbidden error with a message of "authentication failure".

Using the exact same token, I can make a request to the characters endpoint and get back the character info for the one that I also want to get assets for.

Request

Request URL: https://esi.evetech.net/v5/characters/<CHARACTER_ID>/assets/
Request Method: GET
Status Code: 403
Referrer Policy: strict-origin-when-cross-origin

Request headers:

:authority: esi.evetech.net
:method: GET
:path: /v5/characters/<CHARACTER_ID>/assets/
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en,en-US;q=0.9,ja-JP;q=0.8,ja;q=0.7
authorization: Bearer --ACCESS TOKEN FROM SSO LOGIN--
dnt: 1
origin: http://localhost:4200
referer: http://localhost:4200/
sec-ch-ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36

Response

{"error":"authentication failure"}

Response headers

access-control-allow-credentials: true
access-control-allow-headers: Content-Type,Authorization,If-None-Match,X-User-Agent
access-control-allow-methods: GET,HEAD,OPTIONS
access-control-allow-origin: *
access-control-expose-headers: Content-Type,Warning,ETag,X-Pages,X-ESI-Error-Limit-Remain,X-ESI-Error-Limit-Reset
access-control-max-age: 600
allow: GET,HEAD,OPTIONS
content-language: en-us
content-length: 34
content-type: application/json; charset=utf-8
date: Mon, 10 Apr 2023 18:28:33 GMT
strict-transport-security: max-age=31536000
vary: Accept-Language
x-esi-error-limit-remain: 96
x-esi-error-limit-reset: 27

Status Code

403

Date: Fri, 27 Apr 2018 07:22:48 GMT
Expires:
Last-Modified:
X-ESI-Request-ID: dcc736af-a73a-4c99-add5-8d66e197cec6
ETag:

Expected

Please provide either the expected return code, correct response body, header value, or some combination thereof. E.g.:

200

Checklist

Check all boxes that apply to this issue:

  • [x] Bug description is provided
  • [x] Request path is provided
  • [x] Response status code is provided
  • [x] Response headers are provided
  • [x] Response body is provided
  • [x] Expected response is provided

ESI tokens are scoped to a single character, pretty sure this is working as intended.
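The point made in the comment above (an ESI access token is bound to one character, and the scopes it carries only apply to that character) can be checked before a request is sent. The following is an added example, not code from the esi-issues thread or from CCP's ESI tooling: it decodes a token's payload claims and compares the character in the `sub` claim with the character ID in the request path, then checks that the required scope is present in `scp`. The claim layout (`sub` as `CHARACTER:EVE:<id>`, `scp` as a string or list) follows the publicly documented EVE SSO v2 token format; the tokens, character IDs and signature bytes in the block are constructed placeholders. The helper deliberately does not verify the signature, because it is a diagnostic for the 403 described in the issue, not an authorization decision; anything that trusts a token must verify it against the issuer's published keys.

```python
import base64
import json

# Scope the assets endpoint requires (public ESI scope name).
ASSETS_SCOPE = "esi-assets.read_assets.v1"

# Constructed character IDs used as placeholders in this example.
CHAR_A = 90000001
CHAR_B = 90000002


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying it.

    Diagnostic use only: the claims show which character the token was
    issued for and which scopes were granted. Code that relies on the token
    for authorization must verify the signature against the issuer's JWKS.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_request(token: str, character_id: int, scope: str) -> str:
    """Explain whether a token can be expected to authorize a per-character call.

    EVE SSO v2 tokens carry the character in ``sub`` as ``CHARACTER:EVE:<id>``
    and the granted scopes in ``scp`` (a string for one scope, a list for many).
    Returns "ok" or a short reason the call would be refused.
    """
    claims = decode_claims(token)
    sub = claims.get("sub", "")
    prefix = "CHARACTER:EVE:"
    if not sub.startswith(prefix):
        return f"unexpected subject {sub!r}"
    token_char = int(sub[len(prefix):])

    scopes = claims.get("scp", [])
    if isinstance(scopes, str):
        scopes = [scopes]

    # The character in the path must be the one the token was issued for;
    # a token for character A carries no rights over character B's data.
    if token_char != character_id:
        return (f"character mismatch: token is for {token_char}, "
                f"request is for {character_id}")
    if scope not in scopes:
        return f"missing scope: {scope} not in {scopes}"
    return "ok"


def make_constructed_token(character_id: int, scopes: list) -> str:
    """Build a constructed, unverifiable JWT for offline demonstration.

    The signature segment is a placeholder; decode_claims() never checks it.
    """
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-key-id"}
    claims = {
        "sub": f"CHARACTER:EVE:{character_id}",
        "scp": scopes,
        "iss": "https://login.eveonline.com",
        "name": "Constructed Pilot",
    }
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.not-a-real-signature"


# Constructed tokens: one with the assets scope, one without.
TOKEN_WITH_ASSETS = make_constructed_token(CHAR_A, [ASSETS_SCOPE, "publicData"])
TOKEN_NO_ASSETS = make_constructed_token(CHAR_A, ["publicData"])

if __name__ == "__main__":
    # A token for CHAR_A used against CHAR_A's assets path is fine...
    print(check_token_for_request(TOKEN_WITH_ASSETS, CHAR_A, ASSETS_SCOPE))
    # ...but the same token against CHAR_B's path is refused, even though the
    # scope is present: this is the situation reported in the issue.
    print(check_token_for_request(TOKEN_WITH_ASSETS, CHAR_B, ASSETS_SCOPE))
    print(check_token_for_request(TOKEN_NO_ASSETS, CHAR_A, ASSETS_SCOPE))
```

Running the block prints `ok`, then a character-mismatch message, then a missing-scope message. The distinction between the last two is what separates this issue from a genuine scope problem: the `/characters/{id}/` endpoint responds 403 whenever the path ID and the token's `sub` differ, regardless of which scopes were approved at login.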

@CarbonAlabel That token has the read assets scope though for that character that I'm attempting to read the assets for...

When I log in with the character to my app the first time, I approve all the scopes and those included the read assets. The decoded jwt shows the scopes.

[image: has-assets-permission]

@Blacksmoke16 please re-open...

@kyle-mcknight Sure it's not a duplicate of #1089?

@Blacksmoke16 I'll give that a shot tomorrow and then report back if need be. Thank you.

@Blacksmoke16 That was it, thank you very much.