Last updated on AUGUST 31, 2022
Applies to:
Oracle Fusion Payables Cloud Service - Version 11.13.19.01.0 and later
Information in this document applies to any platform.
Symptoms
On : 11.13.19.01.0 version, Manage Invoices
REST API access 403 forbidden error
Unable to invoke any REST endpoints part of 19a Oracle ERP Cloud
ERROR
-----------------------
403 Forbidden
STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Submit a request on the REST resource.
2. Receive a "403 Forbidden" HTTP status code.
BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Due to this issue, users cannot submit a request on the REST resource
Changes
Cause
I am using a new Application to get my Daily Extract files but the request is failing with 403 Forbidden error.
{
"type": "//www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4",
"title": "Forbidden",
"status": "403",
"detail": "Authentication was provided, but the authenticated user is not permitted to perform the requested operation."
}
Resolution:
The error indicates that you don't have authorization to perform the request. Follow the steps below to grant permission.
1. In OFS, navigate to Configuration > Applications and select the application you are using for this request.
2. Under API access, locate the API (in this example Core API). Click to edit and select 'Available entities'.
3. Locate the entity related to the request and update the permission from 'Hidden' to 'Read-Only' (for this Daily Extract example), or Read-write (if applicable to the request you are sending).
The HTTP 403 Forbidden error most commonly occurs when private DNS is enabled for an API Gateway interface VPC endpoint that's associated with a VPC. In this scenario, all requests from the VPC to API Gateway APIs resolve to that interface VPC endpoint. However, it's not possible to connect to public APIs using a VPC endpoint.
The private DNS name of a VPC endpoint is in the format *.execute-api.<region>.amazonaws.com. This format matches the API Gateway default invoke URL for public and private APIs. For example, the default invoke URL of a public API is https://abcd1234.execute-api.us-east-1.amazonaws.com, where abcd1234 is the API ID and us-east-1 is the AWS Region of the API.
When a private DNS is enabled on a VPC endpoint, the API's invoke URL is covered by the private DNS name *.execute-api.us-east-1.amazonaws.com where * is a placeholder for the API ID. When a DNS query is resolved for a public API from inside a VPC, the resolved DNS points to the private IP of the associated VPC endpoint instead of the public IP of the public API. The API call is then routed to the public API through the VPC endpoint instead of routing it through the internet. Because VPC endpoints can route traffic only to private APIs, the result is an HTTP 403 error.
If private DNS isn't enabled for your interface VPC endpoint, or there is no endpoint in your VPC, go to the Connect to public APIs when private DNS isn't enabled section.
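To tell from inside the VPC which of the two cases applies, the following added example (not AWS's code) classifies the addresses a default invoke hostname resolves to against the VPC's CIDR blocks. The CIDR 10.0.0.0/16 and all IP addresses are constructed sample values; abcd1234 and us-east-1 are the example names used above.

```python
import ipaddress
import re
import socket

# Default invoke hostname: <api-id>.execute-api.<region>.amazonaws.com
INVOKE_HOST = re.compile(r"^([a-z0-9]+)\.execute-api\.([a-z0-9-]+)\.amazonaws\.com$")


def resolve(hostname):
    """Live DNS lookup; only meaningful when run from a host inside the VPC."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def diagnose(hostname, addresses, vpc_cidrs):
    """Classify where an API Gateway invoke hostname resolves, relative to the VPC."""
    match = INVOKE_HOST.match(hostname.lower().rstrip("."))
    if not match:
        return {"verdict": "not-default-invoke-url"}
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    inside, outside = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        (inside if any(ip in n for n in nets) else outside).append(addr)
    if not addresses:
        verdict = "no-answer"
    elif inside and not outside:
        # All answers are VPC addresses: private DNS on an interface endpoint is
        # answering, so a call to a public API is expected to fail with 403.
        verdict = "resolves-to-vpc-endpoint"
    elif outside and not inside:
        verdict = "resolves-to-public-endpoint"
    else:
        verdict = "mixed"
    return {"verdict": verdict, "api_id": match.group(1),
            "region": match.group(2), "inside_vpc": inside, "outside_vpc": outside}


if __name__ == "__main__":
    host = "abcd1234.execute-api.us-east-1.amazonaws.com"  # example name from the text
    vpc = ["10.0.0.0/16"]  # constructed VPC CIDR (assumption)
    # Constructed answers: endpoint ENI addresses vs. a documentation-range address.
    print(diagnose(host, ["10.0.1.25", "10.0.2.40"], vpc))
    print(diagnose(host, ["203.0.113.10"], vpc))
    # Live check from inside the VPC: diagnose(host, resolve(host), vpc)
```

A "resolves-to-vpc-endpoint" verdict for a public API matches the 403 scenario described above; "resolves-to-public-endpoint" points to the case where private DNS isn't enabled.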
Resolution
Confirm that a private DNS is enabled for an interface VPC endpoint associated with your VPC
Connect to public APIs with private DNS enabled
Connect to public APIs when private DNS isn't enabled
If private DNS isn't enabled in the interface VPC endpoint, or there is no endpoint in your Amazon Virtual Private Cloud (Amazon VPC) configuration, confirm that the following is true:
When your VPC has permission to access your public APIs, use public DNS to connect to your public APIs. For more information, see Controlling and managing access to a REST API in API Gateway.
(Optional) Change the private DNS setting for an interface VPC endpoint
Users can change the private DNS setting for an interface VPC endpoint at any time. Changing this setting affects the resolution of an API's stage URL to the private IP of the interface VPC endpoint.
Note: Changing the private DNS setting affects how users can connect to private APIs and public APIs from a VPC.