Trying to use PATCH with Microsoft HTTP

Carol Grant

I've been trying to get a HTTP request using the Microsoft connector to work for a while now and I've been having problems with the Authorization and Subscription Key. I have read the Tutorial a dozen times and it has some confusing parts when you are using it in Power Automate. I am NEW to this token stuff.

I got a token from Postman which I know expires after 60 minutes, I'll deal with refreshing the token after I figure this out.

In the Authorization line after Bearer is my token from Postman. Nothing added to it although I did read that maybe I needed to add this: The value must have the format: Basic <base 64-encoded Application ID:Application secret> I tried adding that and still didn't work.

Then in my Bb-Api-Subscription-Key Compose is my key from my application. It's not encoded.

I'm currently getting the error “Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription.”

Alex Wong

@Carol Grant
This is my HTTP PATCH:

this is what authorization token should look like: (i changed out some of the alphanumeric so this isn't real, but want you to see what the token looks like)

eyJhbGciOiJnYWxlbnRpdHluYW1lIjoEVjZzVkxIM0FtU1JTbUZqMk04Wm5wWHU3WSIsInR5cCI6IkpXVCJ9.eyJhcHBsaWNhdGlvbmlkIjoiZDNjZThlYzQtYTk2Ny00Mjk5LTljMmMtNzI4MWNlZWU3NmZlIiwiZW52aXJvbm1lbnRpZCI6InAtaHpwbVA2dGFrVXIiwiZW52aXJvbm1lbnRpZCI6InAtaZW50bmFtZSI6IkZJREYgTlhUIFByb2R1Y3Rpb24gRW52aXJvbm1lbnQiLCJsZWdhbGVudGl0eWlkIjoicC1mUVFsWV9nMHIwR2MwXzRvM1J4dWFnIiwibGVnYWxlbnRpdHluYW1lIjoiRnJpZW5kcyBvZiB0aGUgSXNyYWVsIERlZmVuc2UgRm9yY2VzIC0gTmV3IFlvcmsiLCJtb2RlIjoiRnVsbCIsInpvbmUiOiJwLXVzYTAxIiwibmFtZWlkIjoiMDUwZTliMGMtYTA2Ni00NDAzLWExZjItMjg2ODExODExM2ZmIiwianRpIjoiMGJjYzAxODctN2UxZi00YWU2LTgyNWMtN2JhYTkxM2JiYmE4IiwiZXhwIjoxNzIwMDE1NDQyLCJpIiwiZW52aXJvbm1lbnRpZCI6InAtah0dHBzOi8vb2F1dGgyLnNreS5ibGFja2JhdWQuY29tLyIsImF1ZCI6ImJsYWNrYmF1ZCJ9.Rp4uj8_3N1uE5amxpp7j4sA--X9Yc4ISntLOBjdTHmnxf0WPrd9HE_NUru8ogBof5UVn7hf4MwNat7_jlMdTtB6h-aN32LNA1UOeiVbpNxQcbfUGtXyAUTVzFLvmF-5hqJbIiKF2s4S3sNF7z-_Ea1iP8URTyosn6iuqV9s-q3-91IPsrx4bo7QRr-CzMTWxjdQyI787Uej_gU5HPUYs_sIiwiZW52aXJvbm1lbnRpZCI6InAtamWNlALQHWE0GjL3sOORAZmcubxPmfpMLSxWwtnVM2hOJ5HtYRGLirjpyGHXw0CsaTV7FIiwiZW52aXJvbm1lbnRpZCI6InAtaOA

Ben Lambert

@Carol Grant

The “Basic <base 64-encoded Application ID:Application secret>” is what is known as “Basic authorization” (essentially, it's the “username + password” of your SKY application). It is the authorization protocol used when calling the OAuth /token endpoint (to acquire an access token from an authorization code, or to refresh an expired access token). It's not the authorization protocol used when calling the SKY API (that's the OAuth “Bearer” protocol).

As Alex's post shows, if you have an access token from Postman you can provide it in the Authorization header as “Bearer YOURACCESSTOKEN”.

That said, from the error message you report I think the problem is with your API key not the access token?

(and all of this hassle is because of the issue using PATCH endpoints with the SKY Add-ins connector, which is a bug on the Microsoft side that I know Blackbaud is still pushing them to fix)

Alex Wong

@Ben Lambert
There shouldn't be colon after “Bearer”, if you use the SKY API Console, and look at the header:

You can see the colon is to separate the field/value pair in the header, which is Authroization:

Ben Lambert

@Alex Wong
Argh! You're right Alex, my mistake I was totally thinking about something else (need more coffee this morning). I removed that comment from my post.

Sorry for the confusion Carol!

Carol Grant

@Ben Lambert @Alex Wong - thank you both!

I don't see anything wrong with the way I'm calling it. My token does look like Alex's, begins with “eyJhbGciOiJSUzI1NiIsImt….”, it's pasted in from Postman.

Maybe it's my application. I created an application called “Postman” for testing purposes. Added it to the Environment. I'm using that Client ID and the application secret from that to get my token in Postman.

Then in the flow, I'm putting the same application secret into the Bb-Api-Subscription-Key. Is that correct or should I be using a different client secret?

Alex Wong

@Carol Grant
Then Ben is spot on, your issue is with the Subscription Key, which is not the application secret.

You find subscription key under developer account > My subscription

Carol Grant

@Alex Wong now I'm getting “Encountered internal server error. The tracking Id is 'c1684193-0514-4811-94b1-5694fe46a153'.”

I tried a different assignment ID and same error. I looked at Common Issues and it said to look at the Blackbaud Status page. LOL- I don't think the server is down.

Alex Wong

@Carol Grant
your auth token expired, get a new one from postman for now and try again

Carol Grant

@Alex Wong- I finally figured out that I did not give my application the SCOPE for Limited or Full Data Access. That's something I didn't need to do before. It was on No Data Access so my token wasn't working. I recreated the token after authorizing the change in scope for the application.

Rookie mistake but it WORKS now! Thank you and @Ben Lambert for chiming in.

Carol Grant

@Alex Wong - Hi Alex, I figured I would continue on this post about the token refresh. I'm having issues refreshing the token I use for this PATCH http request. I'm searched this forum for any answers, read the tutorial and I did come across your Refresh token http call. This worked for me once but the token I got back did not work.

I get my token from Postman which is good for 60 minutes. Works great. Then a little before the 60 minutes is over I go to this flow with this call. I'm putting the refresh token from Postman into the refresh_token=Output. It's a shorter code- only one line. Is this correct or do I put in my original token?

Or do I even need this if I have the Postman refresh token button clicked. It will refresh the token after expiration, then I can use that one. Such a newbie with this!

Alex Wong

@Carol Grant
I think best to automate and forget.

So use postman to get 60-min auth-token and 365-day refresh-token.

create a SharePoint list (or anywhere else you like that's secure and no one unauthorized have access) and save these 2 token to it.

create a flow that runs every 59 minutes (you can always refresh the auth-token using refresh-token in each flow before you need to use PATCH, BUT creating this 59min recurring flow will allow you to just get the auth-token in SP list and use right away without worrying about refreshing first, there is pro/con of this, you can gauge yourselves).

The refresh HTTP action is like this:

use a Parse JSON on the body of the HTTP dynamic content

{

"type": "object",

"properties": {

"access_token": {

"type": "string"

},

"token_type": {

"type": "string"

},

"expires_in": {

"type": "integer"

},

"refresh_token": {

"type": "string"

},

"environment_id": {

"type": "string"

},

"environment_name": {

"type": "string"

},

"legal_entity_id": {

"type": "string"

},

"legal_entity_name": {

"type": "string"

},

"user_id": {

"type": "string"

},

"email": {

"type": "string"

},

"family_name": {

"type": "string"

},

"given_name": {

"type": "string"

},

"refresh_token_expires_in": {

"type": "integer"

}

}

}

Use the above JSON schema.

Then your auth-token is @{body('Parse_JSON_of_Refresh_Auth_Body')?['access_token']}

and your new refresh-token is @{body('Parse_JSON_of_Refresh_Auth_Body')?['refresh_token']}

which you can save/overwrite the auth-token and refresh-token in your SP list.

Carol Grant

@Alex Wong- thank you! Is the refresh token from Postman shorter than a regular access token? I want to make sure I'm putting the right token into the POST refresh token area.

Alex Wong

@Carol Grant
yes a lot shorter. 32 alphanumeric characters to be exact