Kaltura API: Use of appToken gives "access to service [schedule_scheduleevent->list] is forbidden"

Hello. We’ve been using Kaltura API (Python) successfully for about a year, authenticating with:

   config = KalturaConfiguration()
   self.client = KalturaClient(config)
   ks = self.client.session.start(
       app.config['KALTURA_ADMIN_SECRET'],
       app.config['KALTURA_UNIQUE_USER_ID'],
       KalturaSessionType.ADMIN,
       app.config['KALTURA_PARTNER_ID'],
       app.config['KALTURA_EXPIRY'],
       'appId:appName-appDomain',
   )
   self.client.setKs(ks)

I now want to use an appToken to authenticate. The code above was replaced with:

   config = KalturaConfiguration()
   self.client = KalturaClient(config)
   result = self.client.session.startWidgetSession(
       expiry=app.config['KALTURA_EXPIRY'],
       widgetId=f"_{app.config['KALTURA_PARTNER_ID']}",
   )
   self.client.setKs(result.ks)
   token_hash = hashlib.sha256((result.ks + app.config['KALTURA_APP_TOKEN']).encode('ascii')).hexdigest()
   result = self.client.appToken.startSession(
       id=app.config['KALTURA_APP_TOKEN_ID'],
       tokenHash=token_hash,
       userId=app.config['KALTURA_APP_TOKEN_USER_ID'],
       type=KalturaSessionType.ADMIN,
       expiry=app.config['KALTURA_EXPIRY'],
       sessionPrivileges='list:*',
   )

The session starts successfully but, when making an API call, I get:

The access to service [schedule_scheduleevent->list] is forbidden (SERVICE_FORBIDDEN)

I verified the “sessionPrivileges” and “type” of the appToken and all looks right. What am I missing?

Thank you!

Figure this out yet? I am having the exact same problem.

Hi @eberfinn,

Below is a full example. This code will:

  • Create an appToken of type 2 (ADMIN)
  • Generate a session using said appToken and set the returned KS on the client
  • Call schedule.scheduleEvent.list()

See inline comment about restricting the API actions allowed with the token.

from KalturaClient import *
from KalturaClient.Plugins.Core import *
from KalturaClient.Plugins.Schedule import *
import hashlib

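partner_id = 000000  # placeholder: your partner ID
admin_secret = ""  # placeholder: your admin secret
userId = "user@example.com"
config = KalturaConfiguration(partner_id)
config.serviceUrl = "https://www.kaltura.com/"
client = KalturaClient(config)
# start an ADMIN session with the admin secret; it is used below to create the app token
ks = client.session.start(
    admin_secret,
    userId,
    KalturaSessionType.ADMIN,
    partner_id)
client.setKs(ks)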

# create the app token
appToken = KalturaAppToken()
appToken.hashType = KalturaAppTokenHashType.SHA256

# If you wish to restrict privileges so that only the `scheduleEvent` service actions can be used with this token, you can create a role by calling userRole.add() with:
# userRole:permissionNames=SCHEDULE_EVENT_BASE,SCHEDULE_EVENT_MANAGE,SCHEDULE_RESOURCE_MANAGE,SCHEDULE_RESOURCE_BASE
# userRole:name=NAME, e.g. MY_SCHEDULE_ROLE
# userRole:systemName=NAME, e.g. MY_SCHEDULE_ROLE
# This would allow all event scheduling operations; naturally, you could refine this further to only allow read-only operations.
# See https://developer.kaltura.com/api-docs/VPaaS-API-Getting-Started/application-tokens.html#set-a-user-role for more details.

# appToken.sessionPrivileges = 'setrole:MY_SCHEDULE_ROLE'

result = client.appToken.add(appToken)
app_token_id = result.id
token = result.token

# generate a widget session in order to use the app token
widgetId = "_" + str(partner_id)
expiry = 86400

result = client.session.startWidgetSession(widgetId, expiry)
client.setKs(result.ks)
# hash the widget KS concatenated with the token, using the token's hashType (SHA256)
tokenHash = hashlib.sha256(result.ks.encode('ascii') + token.encode('ascii')).hexdigest()
session_type = KalturaSessionType.ADMIN

# start an app token session
result = client.appToken.startSession(app_token_id, tokenHash, userId, session_type, expiry)
# set the resulting KS on the client
client.setKs(result.ks)

event_filter = KalturaScheduleEventFilter()
pager = KalturaFilterPager()

result = client.schedule.scheduleEvent.list(event_filter, pager)
# if you set sessionPrivileges as described above when calling appToken.add(), the below call will fail
# result = client.media.list(event_filter, pager)

print(result)

Cheers,
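
The handshake the answer's code performs, modelled offline as an added example (not part of the original posts and not Kaltura's code): `ModelServer` is a constructed stand-in for the server side, and the token id and KS strings are constructed sample values. It shows that the tokenHash only verifies when it is computed with the token's hashType over the same widget KS the client sends with `appToken.startSession`.

```python
import hashlib
import hmac
import secrets


def token_hash(widget_ks, token, hash_type="SHA256"):
    """Client side: hash of the widget KS concatenated with the appToken value."""
    # hash_type mirrors the KalturaAppTokenHashType names (MD5, SHA1, SHA256, SHA512).
    return hashlib.new(hash_type.lower(), (widget_ks + token).encode("ascii")).hexdigest()


class ModelServer:
    """Constructed stand-in for the server side; not Kaltura's implementation."""

    def __init__(self, token_id, token, hash_type):
        self.tokens = {token_id: (token, hash_type)}

    def start_widget_session(self):
        return "widget-" + secrets.token_hex(16)  # unprivileged, random per session

    def start_app_token_session(self, current_ks, token_id, supplied_hash):
        token, hash_type = self.tokens[token_id]
        expected = token_hash(current_ks, token, hash_type)  # KS sent with the request
        # Constant-time comparison; the token itself never crosses the wire.
        if not hmac.compare_digest(expected, supplied_hash):
            raise PermissionError("tokenHash does not match")
        return "privileged-" + secrets.token_hex(16)


def demo():
    token = secrets.token_hex(16)  # constructed sample secret
    server = ModelServer("0_sampleid", token, "SHA256")
    ks = server.start_widget_session()  # the KS the client holds for the request
    attempts = {
        "good": token_hash(ks, token),
        "wrong_alg": token_hash(ks, token, "SHA1"),  # differs from the token's hashType
        "stale_ks": token_hash(server.start_widget_session(), token),  # other widget KS
    }
    results = {}
    for name, supplied in attempts.items():
        try:
            server.start_app_token_session(ks, "0_sampleid", supplied)
            results[name] = True
        except PermissionError:
            results[name] = False
    return results


if __name__ == "__main__":
    print(demo())
```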