I’m working on a project that involves integrating Bentley iTwin private iModels into a CesiumJS application. I’ve made progress with authentication using the client_credentials grant type and can successfully retrieve an access token. However, when I attempt to create a 3D Tileset from the iModelId, I’m getting a 403: InsufficientPermissions.
Is there an example or best practice for integrating iModels that require authentication with CesiumJS?
Hi @gabrielschettino, thanks for the interest in the new integration! Glad to see it’s getting use so fast!
Right now authentication is up to you/the application wrapping CesiumJS, all we need is the access token which I assume you have already seen from the example.
Authorization with the iTwin Platform can currently be done in 3 different ways. Two of these ways, Web app and Native/SPA, rely on User login and will use that user’s access for iTwins and iModels. The third way, Service apps (which I’m guessing is what you’re trying to use), relies on the “Service user” for access.
In order for a Service App to have access to an iTwin, and thus its iModels, you need to add that “Service User” to the iTwins you want it to have access to using the Access Control API.
When you create or view your service app you should see a Client email. This is the email you need to use to add that “Service User” to the iTwins you want it to have access to. Once the service user is added through the API you can manage its roles and permissions the same as you would any other user’s.
Given that the integration is so new I’m not sure I can recommend or refer to a specific “best practice” yet but I hope that helps give some more guidance. If you have any more questions please do ask! We want to make this as easy as possible for devs to use and get started with.
It turns out my Service App wasn’t added as the “Service User”.
However, whenever I try to add the Service App to the iTwin using the Access Control API, I still get the 403 Error: InsufficientPermissions.
I tried with a different account, and it turns out I can’t even see the user management page, for an unknown reason.
Any ideas on what might be happening? Anyhow, thank you so much for clarifying all the information you provided.
@gabrielschettino
First, can you check the actual network request that’s failing in DevTools? When I was testing I sometimes saw some more details for the reason requests fail in the response that we are not propagating in the error that’s thrown in the console.
Second, can you confirm you’re creating the access token you’re requesting with the itwin_platform scope? If not, I think all requests will fail.
Third, are you trying to use the service app’s auth token to add the service app itself to an iTwin? That won’t work because that service user won’t have access yet. You will need to use a different token, like your own user token. I found an easy way is to just open the docs and use the “Try it out” button on the request you want.
Alternatively you can go through the UI on Connect. Click Manage for the Team Members. Then Add and enter the client email, assign a role and Add the user. This is the same thing the API would call without you needing to do the actual API calls.
As a side note, the role you give the service user can (and maybe should) be fairly restrictive. As an example, these are all that’s needed for the sandcastle examples.
Hopefully that helps and you’re able to get started. Ideally I believe we plan to publish some formal tutorials around this process so you asking questions is super helpful. It’s good to know what we need to provide more information on.
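The first two checks above (inspect the failing request, confirm the token carries the itwin_platform scope) can be done before the token ever reaches CesiumJS. The following is an added example, not code from this thread, Cesium or Bentley: it decodes the access token locally and reports why it is likely to be rejected. It assumes the token is a JWT whose payload carries a `scope` claim (string or array) and an `exp` claim; the sample token is constructed here with a dummy signature.

```javascript
// Decode the payload segment of a JWT without verifying the signature.
// This is a local diagnostic only; the iTwin Platform still verifies the token.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT (expected header.payload.signature)");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(padded));
}

// Normalise the scope claim to an array of scope names (assumed claim name "scope").
function tokenScopes(token) {
  const scope = decodeJwtPayload(token).scope;
  if (Array.isArray(scope)) return scope;
  if (typeof scope === "string") return scope.split(/\s+/).filter(Boolean);
  return [];
}

function hasItwinPlatformScope(token) {
  return tokenScopes(token).includes("itwin_platform");
}

// Returns a list of problems; an empty list means the token is worth trying
// against the platform (a 403 after this points at iTwin role/membership instead).
function checkTokenBeforeUse(token, now = Date.now()) {
  const payload = decodeJwtPayload(token);
  const problems = [];
  if (!hasItwinPlatformScope(token)) problems.push("missing itwin_platform scope");
  if (typeof payload.exp === "number" && payload.exp * 1000 < now) problems.push("token expired");
  return problems;
}

// Constructed sample token for offline use: real tokens come from the iTwin
// Platform token endpoint; the signature here is a placeholder.
function makeSampleToken(payload) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.placeholder-signature`;
}

// Typical use in the app wrapping CesiumJS: only hand over a token that passes.
function acceptToken(token) {
  const problems = checkTokenBeforeUse(token);
  if (problems.length) throw new Error(`refusing token: ${problems.join("; ")}`);
  return token; // assign to Cesium's iTwin access token setting (see Cesium docs)
}
```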
Turns out that I forgot to mention that I was trying to create the 3D Tiles from a Bentley Sample generated at the iTwin Test, at developer.bentley.com, the Coffs Harbor example to be more exact.
All the iModels you create at that page are set up by some workflow, and the project owner when you check on Connect is someone other than you. So that’s why I wasn’t able to set roles and add users by their e-mails. As shown here: