
Known Issue: 403 Forbidden error when registering or refreshing an instance of the REST Service Type


Symptoms

When you register or refresh an instance of the REST Service Type, you receive an error like "Unhandled Exception while describing service (Inner: The remote server returned an error: (403) Forbidden)". This error occurs when you use OAuth as the authentication mode for the Service Instance.

Cause

K2 uses the Authentication Mode specified for the Service Instance to retrieve the Swagger descriptor file at registration/refresh time, as well as at runtime to interact with the targeted system. If you use OAuth authentication, the Auth Headers for the specified OAuth resource are sent with the request that retrieves the descriptor file. If the descriptor file is located in a storage location that does not recognize those auth headers, you will receive the 403 Forbidden error: the system hosting the descriptor file does not accept the authentication headers used by the system that the REST service will connect to at runtime.

Example

Suppose you created a Swagger descriptor file to interact with Salesforce APIs. You host the descriptor file as an anonymous file in Azure Blob Storage, and configure OAuth as the Authentication Mode for the Service Instance, using values for the Salesforce instance you will be connecting to at runtime. When you attempt to complete the service instance registration procedure, you receive the 403 Forbidden error. This is because Azure does not accept the OAuth authentication headers that are used to connect to Salesforce.

Workarounds

Two workarounds are currently known for this issue: 

  • Host the Swagger file in the same system that the REST Service Instance will connect to. For the Salesforce example described above, you should host the Swagger descriptor file directly in Salesforce so that the same OAuth Authentication Headers are used to retrieve the Swagger file and to authenticate with the system that the Swagger file exposes. If your Swagger descriptor file exposes the MS Graph API, which requires OAuth, you should host the Swagger descriptor file in an O365 location that uses the same authentication.
  • Host the Swagger file in a system that will ignore the authentication header (the header is still sent with the request), such as Google Firebase or GitHub's Raw file URL feature.
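
To check in advance how a descriptor host treats an unexpected Authorization header, the following added example (not K2 code) fetches a URL once anonymously and once with a placeholder bearer token, then classifies the result. The function names, the `StubHost` local server and its `/strict` and `/lenient` paths are constructed for illustration; it assumes the host treats the placeholder like any other token it does not recognize.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PLACEHOLDER_TOKEN = "constructed-placeholder"  # never probe a third-party host with a real token

def fetch_status(url, token=None):
    """GET url, optionally with an OAuth-style bearer header; return the HTTP status."""
    req = urllib.request.Request(url)
    if token is not None:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def diagnose(url):
    """Compare an anonymous fetch with one that carries a bearer header."""
    anonymous, with_header = fetch_status(url), fetch_status(url, PLACEHOLDER_TOKEN)
    if anonymous == 200 and with_header == 200:
        return "ignores-auth-header"          # the second workaround applies
    if anonymous == 200 and with_header in (400, 401, 403):
        return "rejects-foreign-auth-header"  # the cause described on this page
    if anonymous in (401, 403):
        return "requires-auth"                # host must accept the runtime system's OAuth headers
    return "other"

class StubHost(BaseHTTPRequestHandler):
    """Constructed stand-in for a descriptor host; /strict refuses any Authorization header."""
    def do_GET(self):
        refuse = self.path.startswith("/strict") and self.headers.get("Authorization")
        code = 403 if refuse else 200
        body = b'{"swagger": "2.0"}' if code == 200 else b""
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), StubHost)  # port 0: pick any free local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    result = (diagnose(base + "/strict/swagger.json"), diagnose(base + "/lenient/swagger.json"))
    server.shutdown()
    return result

if __name__ == "__main__":
    print(run_demo())
```

To test a real location, call `diagnose()` with the descriptor URL you plan to register; a result of `rejects-foreign-auth-header` predicts the 403 Forbidden error at registration or refresh.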