Response erroneously reporting that our marketplace app scopes have changed.

We require that users of our marketplace app have access to the NXT Extensibility role. At least two orgs have now reported that even though they are admin users they are getting a message from us telling them that they do not have the role.

We make a call to the NXT Data Integration API in order to determine if they have the NXT Extensibility role. In one case the API response was

{"title":"Forbidden","status":403,"detail":"This application has insufficient scope to perform the operation. This application's scopes configuration is either insufficient for the request, the organization's Blackbaud Marketplace admin hasn't yet approved the application's updated access configuration, or the scope can't be granted in this environment because the environment doesn't contain the product capability being requested. Learn more: https://developer.blackbaud.com/skyapi/docs/applications/scopes. Required scope access for this SKY API operation: 'rnxt.r'."}

When we asked them to check the marketplace there was no new scope (we also had not changed the scope).

I have created a case, 020843609. If anybody here from Blackbaud cares to weigh in, that would be great.

I appreciate that this is a difficult one as it is not generally repeatable (at least by us). I have the user's permission to supply their details in order to repeat the error.

Answers

  • Hey hey. Such a coincidence. I'm actually experiencing a very similar issue but with the Education Core endpoints. This just started for me as well. Haven't opened a ticket yet. I tried to update the scope as well but to no avail.

    {"title":"Forbidden","status":403,"detail":"This application has insufficient scope to perform the operation. This application's scopes configuration is either insufficient for the request, the organization's Blackbaud Marketplace admin hasn't yet approved the application's updated access configuration, or the scope can't be granted in this environment because the environment doesn't contain the product capability being requested. Learn more: https://developer.blackbaud.com/skyapi/docs/applications/scopes. Required scope access for this SKY API operation: 'eduk.w'. Current scope access: eduk.r."}

  • Chris Rodgers (Blackbaud Employee)

    Hey @David Zeidman, I've asked Support to forward the bug to our team. I didn't see an App ID in the support conversation I saw, but I did track down some 403s from two customers associated with one of the apps on your account.

    Responding here as it may help others running into this.

    1) For the customer seeing your scope error: the root cause is that this customer doesn't have Raiser's Edge NXT in this environment, so they are unable to grant the access your app is asking for. This is also why their Marketplace Manage page doesn't indicate that they have any scopes to approve—they can't. I have a feeling that this customer simply connected your application to the wrong environment.

    When this customer connected your application, they would have been presented with this message on their Connect screen.

    [Image: image.png]

    We can likely improve the user and developer experience here. We still allow the customer to connect an application in this state, which we might want to reconsider. I'll pass this along to the team.

    2) The second customer's issue does appear to be related to permissions. The authorizing user is a Legal Entity admin, but they are not a Product/Solution admin. Once I get the bug, I'll pass this along to the Raiser's Edge team to confirm.

    @Nick Marchese, make sure that the customer's Marketplace Admin visits the Marketplace's Manage page after you change your app's scopes. We require customers to be in the loop when an application requests changes to what they can access. If the customer doesn't see changes to approve (like in David's case), it might mean that they don't have BEM. Side note: While the API response does indicate which scopes the customer has granted, you can also confirm which Access/Scopes a customer has approved by looking at your application's [View Environments] page.

  • Hey there. My example is actually in a Developer Cohort account, so there is no place to approve the scope change. Can you confirm how to proceed?

  • Chris Rodgers (Blackbaud Employee)

    I see. You're right, scope changes immediately take effect in the SKY Developer Cohort. The only remaining piece is the access token itself. Scope access is tied to the access token issued to your application. You can see your token's issued scopes in the OAuth 2.0 Token endpoint response (scope property). If your access token was issued before your scope change, then your application will need to obtain a new access token to acquire updated access. Just to be clear, the user doesn't need to re-authorize your application. New access tokens issued by refresh token exchanges will also have updated access. If that's not what you're seeing, you'll need to file a ticket so we can investigate.
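Added example (not part of the thread and not Blackbaud code): a Python sketch that separates the application-scope 403 quoted above from a genuine "user lacks the role" result, then follows the order described in the answer above: compare the required scope with the token's `scope` property, refresh once, and only then look at the environment or Marketplace approval. The function names, the return labels, and the assumption that `scope` is a space-delimited string are illustrative.

```python
import json
import re

# Sample bodies abridged from the two 403 responses quoted in this thread.
RNXT_403 = json.dumps({"title": "Forbidden", "status": 403, "detail":
    "This application has insufficient scope to perform the operation. "
    "Required scope access for this SKY API operation: 'rnxt.r'."})
EDUK_403 = json.dumps({"title": "Forbidden", "status": 403, "detail":
    "This application has insufficient scope to perform the operation. "
    "Required scope access for this SKY API operation: 'eduk.w'. "
    "Current scope access: eduk.r."})

REQUIRED_RE = re.compile(r"Required scope access for this SKY API operation: '([^']+)'")
CURRENT_RE = re.compile(r"Current scope access:\s*(.*)$")


def parse_scope_error(body):
    """Return (required_scope, current_scopes), or None if the body is not
    the insufficient-scope 403 shown in this thread."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or doc.get("status") != 403:
        return None
    detail = doc.get("detail") or ""
    required = REQUIRED_RE.search(detail)
    if not required:
        return None
    current = CURRENT_RE.search(detail)
    # Assumption: multiple scopes would be space- or comma-separated.
    text = current.group(1).strip().rstrip(".") if current else ""
    return required.group(1), {s for s in re.split(r"[,\s]+", text) if s}


def diagnose(body, token_scope, token_refreshed):
    """Classify a failed call. token_scope is the `scope` property of the
    OAuth 2.0 token response (assumed space-delimited)."""
    parsed = parse_scope_error(body)
    if parsed is None:
        return "not-a-scope-error"          # handle as a normal API error
    required, _ = parsed
    if required in set(token_scope.split()):
        return "token-has-scope"            # unexpected: file a ticket
    if not token_refreshed:
        return "refresh-token"              # token may predate the scope change
    # Still missing after refresh: unapproved change or wrong environment.
    return "check-environment-or-approval"
```

None of the scope-related results says anything about the end user's roles, so none of them should be shown to the user as a missing NXT Extensibility role.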

  • Hey there. Understood. Thanks. I have obtained a new token, I believe, but the issue remains. I can't get through to support via Chat Central, so I'll email the SKY team and hope for the best!

  • @David Zeidman We resolved this error on my end because for some reason the application ID got mixed up, even though it was consistently working prior to that. Not sure if you resolved this or not, but wanted to circle back.

  • @Nick Marchese Thanks for the follow-up. We resolved it because our client has an education production which they somehow used to set up our app. I am really not sure how that happened, to be honest. There are no scopes for education set, so that is why it was out of scope. On the other hand, you would think that if there were no scopes set they would not be able to authenticate against it to start with…
