Integrations and APIs for Service

Topic

    Julie F
    OSC-CREST-00028 You are forbidden to access this site. (Answered)
    Topic posted June 28, 2019 by Julie F (Bronze Trophy: 5,000+ Points), last edited June 28, 2019, tagged Connect PHP, REST
    95 Views, 10 Comments
    Title:
    OSC-CREST-00028 You are forbidden to access this site.
    Summary:
    API to update custom objects gives 403 Forbidden error
    Content:

    We have set these two configuration settings correctly for our domain:

    SEC_PAPI_INTEG_HOSTS_REST

    PAPI_CORS_DOMAIN_LIST

    We have given a user specifically set up permissions for our custom objects and have also tried with a full admin account.

    We keep getting a 403 Forbidden error, which shows OSC-CREST-00028 You are forbidden to access this site.

    Best Comment

    Julie F

    Against all advice, what worked for us in the end was un-setting SEC_PAPI_INTEG_HOSTS_REST and leaving it blank!

    Comment

     

    • Sebastiaan Draaisma

      Did you use a wildcard, *domain.com?
      With a wildcard you are able to catch http & https requests.

    • Sebastiaan Draaisma

      Also check the version you are using in your REST request to see if you are using 1.3 or 1.4

      rest/connect/v1.3

      The cause is the required header OSvC-CREST-Application-Context is not being used, which is mandatory in version 1.4. You can still use version 1.3 without using this header though.

      See: Unable to access version 1.4 of the REST API

    • Julie F

      Thanks for the suggestions. Tried v1.3 but still got the same problem.

      Before I put in the config settings I could do GETs successfully from Postman. We are only using https:

    • Sebastiaan Draaisma

      You could try the Audit log in the configuration settings to see which recent changes have been made to configurations. It may give a clue as to why it stopped working.
      Other than that... maybe an account setting? (locked, password change etc)

    • Julie F

      I also tried with v1.4 specifically because we already use the OSvC-CREST-Application-Context header which is effectively just a comment field that we use to show where it is coming from. Same 403 though.

    • Sebastiaan Draaisma

      Then I'm afraid I'm out of ideas... Hopefully someone else will be able to tell you what it could be.

    • Julie F

      Thanks. Will post solution when it starts working.

    • Vlad

      Is the user making the HTTP request through Postman, or from an external website?

    • Julie F

      Against all advice, what worked for us in the end was un-setting SEC_PAPI_INTEG_HOSTS_REST and leaving it blank!

    • Vlad

      That means the user was using a different IP address than what was defined in SEC_PAPI_INTEG_HOSTS_REST, or they were behind a proxy.

      You can find the user's IP address if you search for the HTTP request in the web log:
      Answer Link: Requesting a Web Log
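
The mismatch described in the last comment, as an added example that is not part of the thread and not Oracle's code: it compares the source address a server would observe against a host allowlist, so a request that arrives through a proxy can be seen to fall outside it. It assumes the allowlist is a comma-separated list of IP addresses, subnets and wildcard host names; the function names, the allowlist value and the sample addresses are constructed for illustration.

```python
import fnmatch
import ipaddress

def parse_allowlist(value):
    """Split a comma-separated allowlist into IP networks and host patterns."""
    networks, patterns = [], []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        try:
            # Accepts a single address, CIDR, or address/netmask form.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            patterns.append(entry.lower())  # treat as a wildcard host name
    return networks, patterns

def is_allowed(allowlist_value, client_ip, client_host=None):
    """Return (allowed, reason) for the source address the server observes."""
    networks, patterns = parse_allowlist(allowlist_value)
    if not networks and not patterns:
        # Assumption consistent with the thread: a blank setting stopped the
        # 403s, so blank is modelled here as "no host restriction".
        return True, "allowlist blank: no host restriction"
    ip = ipaddress.ip_address(client_ip)
    for net in networks:
        if ip.version == net.version and ip in net:
            return True, f"IP {ip} is inside {net}"
    host = (client_host or "").lower()
    for pat in patterns:
        if host and fnmatch.fnmatchcase(host, pat):
            return True, f"host {host} matches {pat}"
    return False, f"{ip} matches no entry: expect 403"

# Constructed sample data (documentation address ranges, not from the thread).
ALLOWLIST = "203.0.113.0/24, *.example.com"
REQUESTS = [
    ("direct from office", "203.0.113.10", None),
    ("same user via proxy", "198.51.100.7", None),
    ("integration server", "198.51.100.7", "api.example.com"),
]

def report(allowlist=ALLOWLIST, requests=REQUESTS):
    return [(label, *is_allowed(allowlist, ip, host)) for label, ip, host in requests]

if __name__ == "__main__":
    for label, ok, reason in report():
        print(f"{label:22} {'ALLOW' if ok else 'DENY '} {reason}")
```

Feeding it the client IP found in the web log shows whether the allowlist needs the proxy's egress address added, which keeps the restriction in place instead of leaving it blank.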