POST OAuth/GetGrants

Returns all grants for a specified user, optionally filtered by application.

Requirements

  • Roles: Admin, Grant Admin, Auditor, Application Owner. See OAuth roles for more information.
  • Token scope: Admin

Headers

  • Content type: Content-Type:application/json.

  • Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.

Parameters

Input parameters

  • GranteePrefixedUniversal (string): (Required) The prefixed universal ID of the user (grantee) whose grants are being looked up. The prefixed universal ID can be found from the identity value returned from POST Authorize/OAuth or the PrefixedUniversal value returned from POST Identity/Browse.

  • ApplicationId (string): ID of the application to filter the results by.

Returns

Response description

HTTP 200

See OAuth result codes.

A Grants object is returned with the following values:

  • AccessIssuedOn: The time that the grant was issued. Appears in the .NET JavaScriptSerializer or JSON format.
  • AccessIssuedOnISO8601: The corresponding issuance time of the grant. Appears in Coordinated Universal Time (UTC) format, including time zone.
  • AccessIssuedOnUnixTime: The corresponding issuance time of the access token. Appears in the Epoch format.
  • Application: Name of the API integration the grant applies to.
  • Expires: The grant expiration time in the .NET JavaScriptSerializer or JSON format. After this time, you can no longer refresh the token.
  • ExpiresISO8601: The corresponding grant expiration time. Appears in Coordinated Universal Time (UTC) format, including time zone.
  • ExpiresUnixTime: The corresponding grant expiration time. Appears in the Epoch format: the number of seconds since January 1st, 1970 at UTC.
  • GrantIssuedOn: The grant authorization time. Appears in the .NET JavaScriptSerializer or JSON format.
  • GrantIssuedOnISO8601: The corresponding grant authorization time. Appears in Coordinated Universal Time (UTC) format, including time zone.
  • GrantIssuedOnUnixTime: The grant authorization time stamp. Appears in the Epoch format.
  • Scope: The access token scope that is the authorized range of resources that GranteePrefixedUniversal can use.
  • ValidFor: The number of seconds for which VedAuth issued this token. For example, 7776000 is 90 days. The value matches expires_in from an Authorize response, such as POST Authorize/OAuth.

HTTP 400

For invalid requests, this call returns HTTP 400 Bad Request and the following data in the message body:

  • Error

    • invalid_request: The request is missing a required parameter or is otherwise malformed.

  • error_description: If available, additional information about how to retry the request.

HTTP 401

For authentication errors, this call returns HTTP 401 Unauthorized and the following data in the message body:

  • Error

    • invalid_token: The access token is missing, or the provided token is expired, revoked, malformed, or invalid for other reasons.

    • insufficient_rights: The underlying user account does not have sufficient permissions for this request.

  • error_description: If available, additional information about how to retry the request.

HTTP 403

If the response is HTTP 403 Forbidden, the requester's token does not include the admin scope. Call POST Authorize/OAuth with the correct scope and restriction. Update the header with the new token and retry.

  • Error

    • insufficient_scope: The request requires a greater scope than provided by the access token.

  • error_description: If available, additional information about how to retry the request.

Example

Request

POST /vedsdk/oauth/getgrants HTTP/1.1
Host: tpp-server-url
Content-Type: application/json
Accept: application/json
Authorization: Bearer 4MyGeneratedBearerTknz==

{
  "GranteePrefixedUniversal": "local:{5a32c46e-e7d8-404d-9987-2e68c0928219}"
}

Response

{
  "Grants": [
    {
      "AccessIssuedOn": "/Date(1668623132853)/",
      "AccessIssuedOnISO8601": "2022-11-16T18:25:32Z",
      "AccessIssuedOnUnixTime": 1668623133,
      "Application": "VenafiMMCCodeSigning",
      "Expires": "/Date(1697394332853)/",
      "ExpiresISO8601": "2023-10-15T18:25:32Z",
      "ExpiresUnixTime": 1697394333,
      "GrantIssuedOn": "/Date(1668623132853)/",
      "GrantIssuedOnISO8601": "2022-11-16T18:25:32Z",
      "GrantIssuedOnUnixTime": 1668623133,
      "GranteePrefixedUniversal": "local:{5a32c46e-e7d8-404d-9987-2e68c0928219}",
      "Scope": {
        "ScopeList": [
          {
            "RestrictionList": [
              "admin",
              "approve",
              "delete",
              "manage"
            ],
            "Scope": "codesign"
          },
          {
            "RestrictionList": [
              "delete",
              "manage"
            ],
            "Scope": "configuration"
          },
          {
            "RestrictionList": [
              "manage"
            ],
            "Scope": "security"
          }
        ]
      },
      "ValidFor": 7776000
    }
  ],
  "Result": 0,
  "Success": true
}
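
Added example (not part of the original reference and not Venafi code): a grant review over the response body above, showing that the access token lifetime (ValidFor) and the grant's refresh window (Expires) are separate clocks, and which scopes carry high-impact restrictions. The function names, the choice of "admin" and "delete" as risky restrictions, and the rule that the token lapses at AccessIssuedOnUnixTime + ValidFor are assumptions made for this example.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# The example response from this page, compacted to the fields used below.
SAMPLE = json.loads("""
{"Grants": [{"AccessIssuedOnUnixTime": 1668623133,
  "Application": "VenafiMMCCodeSigning",
  "Expires": "/Date(1697394332853)/", "ExpiresUnixTime": 1697394333,
  "GrantIssuedOnUnixTime": 1668623133,
  "GranteePrefixedUniversal": "local:{5a32c46e-e7d8-404d-9987-2e68c0928219}",
  "Scope": {"ScopeList": [
    {"RestrictionList": ["admin", "approve", "delete", "manage"], "Scope": "codesign"},
    {"RestrictionList": ["delete", "manage"], "Scope": "configuration"},
    {"RestrictionList": ["manage"], "Scope": "security"}]},
  "ValidFor": 7776000}], "Result": 0, "Success": true}
""")

def parse_dotnet_date(value):
    """Convert a JavaScriptSerializer '/Date(ms)/' string to an aware UTC datetime."""
    match = re.fullmatch(r"/Date\((-?\d+)\)/", value)
    if not match:
        raise ValueError(f"not a /Date(ms)/ value: {value!r}")
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(milliseconds=int(match.group(1)))

def review_grant(grant, now, risky=("admin", "delete")):
    """Summarize one grant. `now` is Unix seconds; `risky` is a local policy choice."""
    # Assumption: the access token lapses ValidFor seconds after it was issued.
    token_expires = grant["AccessIssuedOnUnixTime"] + grant["ValidFor"]
    hits = {s["Scope"]: sorted(set(s.get("RestrictionList", [])) & set(risky))
            for s in grant["Scope"]["ScopeList"]}
    return {
        "grantee": grant["GranteePrefixedUniversal"],
        "application": grant["Application"],
        "token_expired": now >= token_expires,
        "refreshable": now < grant["ExpiresUnixTime"],  # grant itself still live
        "grant_days": (grant["ExpiresUnixTime"] - grant["GrantIssuedOnUnixTime"]) // 86400,
        "risky": {scope: found for scope, found in hits.items() if found},
        # The /Date(ms)/ and Unix encodings of one instant should agree within a second.
        "consistent": abs(parse_dotnet_date(grant["Expires"]).timestamp()
                          - grant["ExpiresUnixTime"]) < 1,
    }

def review_response(response, now):
    """Review every grant in a GetGrants body; refuse a body that reports failure."""
    if not response.get("Success"):
        raise ValueError(f"GetGrants failed, Result={response.get('Result')}")
    return [review_grant(grant, now) for grant in response.get("Grants", [])]
```

Calling review_response(SAMPLE, now=1677628800) reviews the grant as of 2023-03-01T00:00:00Z, a constructed review time at which the 90-day token has lapsed but the grant can still be refreshed.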