403, 'ConsentRequired', 'Missing required data_access consent'

[OUCyf]

Greeting,
I'm new using Globus, and there is problem when I run Minimal File Transfer Script from https://globus-sdk-python.readthedocs.io/en/stable/examples/minimal_transfer_script.html.

Error:

TransferAPIError: ('POST', 'https://transfer.api.globus.org/v0.10/transfer', 'Bearer', 403, 'ConsentRequired', 'Missing required data_access consent', 'WZ7g3pFrU')

I set our lab's source_endpoint_id, and move data to my Mac. Maybe the problem is the consent for my lab, and the following is the consent：

But when I use command-line to transfer data, everything is ok！

Best,
Fu

[sirosen]

Hi there, thanks for reporting this! I believe that you're seeing normal behavior, but for a specific case which the example script doesn't explain.
I need to think more about what we do to improve the docs...

That error is thrown when a collection requires explicit consent for operations to run against it.
There's some utility in the SDK for parsing these errors and making them actionable, but there are still significant parts which you would need to fill in.

First, here's the section on parsing ConsentRequired errors. You can identify them like so:

try:
    # do some operations
except globus_sdk.TransferAPIError as err:
    if err.info.consent_required:
        print(
            "Got a ConsentRequired error with scopes:",
            err.info.consent_required.required_scopes,
        )
    else:
        raise

That is, once you have caught an API error, check if err.info.consent_required to see if it's the right type, and if it is, you'll have useful data in required_scopes.

So far, this is maybe non-obvious but it's "easy enough", but the next step can be difficult for some applications.
You need the user (in this case, you) to do a new login flow with the required_scopes from above, and then you need to start using the Transfer API token from that login flow.

If your initial login flow was done with a native app like the SDK tutorial shows, you'll probably have a line like so:

auth_client.oauth2_start_flow()

The correct modification is just

# where `required_scopes` is the value we got from exception handling earlier on a
# ConsentRequired error
auth_client.oauth2_start_flow(requested_scopes=required_scopes)

In the globus-cli, the way we've solved this is that tokens are stored using globus_sdk.tokenstorage, and we have a dedicated command (globus session consent) which updates the tokens which are in storage.
In effect, the globus-cli error handler looks like this:

try:
    # do some operations
except globus_sdk.TransferAPIError as err:
    if err.info.consent_required:
        print("Error: ConsentRequired during Transfer operation")
        print("Please run the following command and then try again:")
        print()
        print(f"    globus session consent '{err.info.consent_required.required_scopes}'")
        print()
    else:
        raise

Depending on the exact nature of your code (a script, an application, etc), this may or may not be easy for you to handle in a similar way.

I would recommend that if you are not already using it that you start using globus_sdk.tokenstorage -- it will probably make it easier for you to follow the pattern we've established with the globus-cli. This example shows some pretty complete usage, so it might be a good jumping-off point for you.

---

I'm keeping this open because I think we should do something on that example page to document what I've written here. Possibly we should add a second larger example to the same page to handle this case.

[sirosen]

We have detailed handling examples going out in our next release, and currently visible here:
https://globus-sdk-python.readthedocs.io/en/latest/examples/minimal_transfer_script/index.html

As such, I think we're able to close this as resolved.