403 forbidden for some endpoints and not others
kyle-mcknight opened this issue · 5 comments
Bug
When requesting assets for a character that my app has access to, I receive an unexpected 403 forbidden error with a message of "authentication failure".
Using the exact same token, I can make a request to the characters endpoint and get back the character info for the one that I also want to get assets for.
Request
Request URL: https://esi.evetech.net/v5/characters/<CHARACTER_ID>/assets/
Request Method: GET
Status Code: 403
Referrer Policy: strict-origin-when-cross-origin
Request headers:
:authority: esi.evetech.net
:method: GET
:path: /v5/characters/<CHARACTER_ID>/assets/
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en,en-US;q=0.9,ja-JP;q=0.8,ja;q=0.7
authorization: Bearer --ACCESS TOKEN FROM SSO LOGIN--
dnt: 1
origin: http://localhost:4200
referer: http://localhost:4200/
sec-ch-ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Response
```json
{"error":"authentication failure"}
```
Response headers
access-control-allow-credentials: true
access-control-allow-headers: Content-Type,Authorization,If-None-Match,X-User-Agent
access-control-allow-methods: GET,HEAD,OPTIONS
access-control-allow-origin: *
access-control-expose-headers: Content-Type,Warning,ETag,X-Pages,X-ESI-Error-Limit-Remain,X-ESI-Error-Limit-Reset
access-control-max-age: 600
allow: GET,HEAD,OPTIONS
content-language: en-us
content-length: 34
content-type: application/json; charset=utf-8
date: Mon, 10 Apr 2023 18:28:33 GMT
strict-transport-security: max-age=31536000
vary: Accept-Language
x-esi-error-limit-remain: 96
x-esi-error-limit-reset: 27
Status Code
403
Date: Fri, 27 Apr 2018 07:22:48 GMT
Expires:
Last-Modified:
X-ESI-Request-ID: dcc736af-a73a-4c99-add5-8d66e197cec6
ETag:
Expected
Please provide either the expected return code, correct response body, header value, or some combination thereof. E.g.:
200
Checklist
Check all boxes that apply to this issue:
- [x] Bug description is provided
- [x] Request path is provided
- [x] Response status code is provided
- [x] Response headers are provided
- [x] Response body is provided
- [x] Expected response is provided
ESI tokens are scoped to a single character, pretty sure this is working as intended.
@CarbonAlabel That token has the read assets scope though for that character that I'm attempting to read the assets for...
When I log in with the character to my app the first time, I approve all the scopes and those included the read assets. The decoded jwt shows the scopes.
@Blacksmoke16 please re-open...
@kyle-mcknight Sure it's not a duplicate of #1089?
@Blacksmoke16 I'll give that a shot tomorrow and then report back if need be. Thank you.
@Blacksmoke16 That was it, thank you very much.
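The two checks raised in this thread (the token belongs to the character in the request path, and it carries the asset-read scope) can be run against a decoded token before looking elsewhere for the cause of a 403. This is an added example for Node.js, not code from the thread or from ESI; the claim names `sub`, `scp` and `exp`, the `CHARACTER:EVE:<id>` subject format and the scope name `esi-assets.read_assets.v1` are assumptions about the SSO token layout, and the sample token and character IDs are constructed.

```javascript
// Client-side diagnostic only: the signature is NOT verified here; the API does that.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a three-part JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Returns the reasons the token's claims cannot authorize `path`.
// An empty list means the claims look right and the 403 has another cause.
function explainForbidden(token, path, requiredScope, nowSeconds) {
  const claims = decodeJwtPayload(token);
  const problems = [];
  const m = /\/characters\/(\d+)\//.exec(path);
  // Assumed subject layout: "CHARACTER:EVE:<id>"
  const tokenChar = String(claims.sub || "").split(":").pop();
  if (!m) problems.push("path has no character id");
  else if (m[1] !== tokenChar)
    problems.push(`token is for character ${tokenChar}, path asks for ${m[1]}`);
  // scp may be a single string or an array of strings
  const scopes = [].concat(claims.scp || []);
  if (!scopes.includes(requiredScope)) problems.push(`missing scope ${requiredScope}`);
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds)
    problems.push("token expired");
  return problems;
}

// Builds a constructed sample token with a placeholder signature (not a real credential).
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}

const ASSETS_SCOPE = "esi-assets.read_assets.v1"; // assumed scope name
const NOW = 1700000000;                           // fixed clock for the example
const sample = makeSampleToken({
  sub: "CHARACTER:EVE:90000001",                  // constructed character id
  scp: ["esi-skills.read_skills.v1", ASSETS_SCOPE],
  exp: 2000000000,
});
console.log(explainForbidden(sample, "/v5/characters/90000001/assets/", ASSETS_SCOPE, NOW));
console.log(explainForbidden(sample, "/v5/characters/90000002/assets/", ASSETS_SCOPE, NOW));
```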