webapi admin authentication

[jaykobi]

Preconditions

magento 2.4-develop

The devdocs clearly state that authenticated admin users can access the rest api.

http://devdocs.magento.com/guides/v2.0/get-started/authentication/gs-authentication.html

Resources for which administrators or integrators are authorized. For example, if administrators are authorized for the Magento_Customer::group resource, they can make a GET /V1/customerGroups/:id call.

But this does not work.

Steps to reproduce

1. Install magento 2.1.5 from composer archive
2. Log into you new admin account
3. Open domain.com/rest/V1/customers/1 in the same browser in a new tab.

Expected result

A response saying that this customer does not exist.

Actual result

A response saying me I have no acccess rights.

<response> <message>Consumer is not authorized to access %resources</message> <parameters> <resources>Magento_Customer::customer</resources> </parameters> </response>

[amansrivastava]

You need to provide header value to call rest API.
Try this on Postman or other tool with header value and it will work for you.

[jaykobi]

Header value in the form of an Integration (Bearer XXXX, which is what I already can do) or header value in the form of an admin user authentication?
I need information about the current logged in user in the api.

[jaykobi]

Ok, I see, It simply does not wotk like this. I need to use a token.

[jaykobi]

No, wait. It should be possible to just use the admin session. It is also clearly stated on the link I posted above

JavaScript widget on the Magento storefront or Magento Admin :
Registered users use session-based authentication to log in to the Magento storefront or Magento Admin.

[amansrivastava]

Customers can access resources that are configured with anonymous or self permission in the webapi.xml configuration file.

Admins can access resources that are assigned to their Magento Admin profile.

Try {domain.com}/rest/V1/customers/me after login to your magento portal.

[jaykobi]

Admins can access resources that are assigned to their Magento Admin profile.

This is exactly what I say does not work. In the example above, in a freshly installed magento 2.1.5 the admin user created on install with role "Administrators" ist not allowed to access {domain.com}/rest/V1/customers/1.

Can you please verify in your installation that you can

1. Log into magento as admin user with role "Administrators"
2. Access rest api resources in another tab, session based

[rafaelstz]

@skymeissner I guess that these samples will help you:
https://gist.github.com/rafaelstz/ecab668b80fece4d9acdb9c5358b3173

[DrewKolstad]

@skymeissner, were you ever able to figure this out?

I am having the same issues. I also see where the documentation clearly indicates that session-based authentication works to access admin resources.

[jaykobi]

Hi @DrewK289 ,

I did not get this to work, and I don't think it's possible at the moment. I switched to token based authentication, which works fine but I don't have info about logged-in admin user.