App token session request flow: SERVICE_FORBIDDEN

Hello, I’m unable to get the app token request flow described on https://developer.kaltura.com/api-docs/VPaaS-API-Getting-Started/Authorizing-With-Application-Token.html to work.

According to the documentation, it appears that I should be requesting an app token session based on a widget session, but I’m getting a “KalturaException: The access to service [appToken->startSession] is forbidden (SERVICE_FORBIDDEN)”. I’m not sure if that’s because of the widgetSession itself, the particular hash I’ve built, the roles associated with the user/app token, or what exactly. Any help would be appreciated, even simply examples of how to get this to work in other languages.

Python code:

kaltura_session = client.session.startWidgetSession(widget_id)
token_session_hash = hashlib.sha1(kaltura_session.ks + app_token.token).hexdigest()
priveleged_kaltura_session = client.appToken.startSession(app_token.id, token_session_hash)

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File ".../lib/python2.7/site-packages/KalturaClient/Plugins/Core.py", line 57471, in startSession
    resultNode = self.client.doQueue()
  File ".../lib/python2.7/site-packages/KalturaClient/Client.py", line 357, in doQueue
    resultNode = self.parsePostResult(postResult)
  File ".../lib/python2.7/site-packages/KalturaClient/Client.py", line 317, in parsePostResult
    self.throwExceptionIfError(resultNode)
  File ".../lib/python2.7/site-packages/KalturaClient/Client.py", line 385, in throwExceptionIfError
    raise exceptionObj
KalturaException: The access to service [appToken->startSession] is forbidden (SERVICE_FORBIDDEN)
The access to service [appToken->startSession] is forbidden (SERVICE_FORBIDDEN)

Hi @elliottyates,

If you already have an existing token and you need to generate a session using it then you only need:

from KalturaClient import *
from KalturaClient.Plugins.Core import *
import hashlib

partner_id=YOUR_PARTNER_ID
config = KalturaConfiguration(partner_id)
config.serviceUrl = "https://www.kaltura.com/"
client = KalturaClient(config)

id="YOUR_TOKEN_ID"
token="YOUR_TOKEN_HASH"
userId="user@example.com"

# generate a widget session in order to use the app token
widgetId = "_"+str(partner_id)
expiry = 86400

result = client.session.startWidgetSession(widgetId, expiry);
client.setKs(result.ks)
tokenHash = hashlib.sha256(result.ks.encode('ascii')+token.encode('ascii')).hexdigest()
type = KalturaSessionType.ADMIN 

# start an app token session
result = client.appToken.startSession(id, tokenHash, userId, type, expiry);
print(result.ks)

Below is a full code sample for creating an app token and then using it to start a session.

from KalturaClient import *
from KalturaClient.Plugins.Core import *
import hashlib

# generate a session in order to create the app token
partner_id=00000001
admin_secret="YOUR_ADMIN_SECRET"
userId = "user@example.com"
config = KalturaConfiguration(partner_id)
config.serviceUrl = "https://www.kaltura.com/"
client = KalturaClient(config)
ks = client.session.start(
            admin_secret,
            userId,
            KalturaSessionType.ADMIN,
            partner_id)
client.setKs(ks)

# create the app token
appToken = KalturaAppToken()
appToken.hashType = KalturaAppTokenHashType.SHA256

result = client.appToken.add(appToken);
id=result.id;
token=result.token;

# generate a widget session in order to use the app token
widgetId = "_"+str(partner_id)
expiry = 86400

result = client.session.startWidgetSession(widgetId, expiry);
client.setKs(result.ks)
tokenHash = hashlib.sha256(result.ks.encode('ascii')+token.encode('ascii')).hexdigest()
type = KalturaSessionType.ADMIN 

# start an app token session
result = client.appToken.startSession(id, tokenHash, userId, type, expiry);
print(result.ks)

Cheers,

Thank you @jess, that’s exactly what I needed. I forget the client.setKs, constantly. Seeing that many of the arguments to create the app token are optional is helpful, also.

Much appreciated.