cli-microsoft365: Bug report: 403 Forbidden on Flow Export as ZIP, the client certificate C5F9D3ED02E06B0148CD8D82B131AB1A88C74414 is not allowed
Description
Attempting to export a flow as a JSON file is successful
Attempting to export a flow as a ZIP file returns:-
Error: The client certificate 'C5F9D3ED02E06B0148CD8D82B131AB1A88C74414' is not allowed.
Running the command with the --debug parameter shows the response returned as
Request error:
{
"status": 403,
"statusText": "Forbidden",
"headers": {
"cache-control": "no-store, no-cache",
"pragma": "no-cache",
"content-length": "134",
"content-type": "application/json; charset=utf-8",
"expires": "-1",
"strict-transport-security": "max-age=31536000; includeSubDomains",
"x-ms-request-id": "uksouth:4a8ce614-110a-4ae3-bdf2-f7a5922de3e9",
"x-ms-correlation-request-id": "ec968658-55d8-41a2-bc16-801ace9c3d24",
"x-ms-ratelimit-remaining-tenant-writes": "1199",
"x-ms-routing-request-id": "UKSOUTH:20220107T170630Z:ec968658-55d8-41a2-bc16-801ace9c3d24",
"x-content-type-options": "nosniff",
"date": "Fri, 07 Jan 2022 17:06:29 GMT",
"connection": "close"
},
"error": {
"error": {
"code": "AuthorizationFailed",
"message": "The client certificate 'C5F9D3ED02E06B0148CD8D82B131AB1A88C74414' is not allowed."
}
}
}
Reference: Bug report: 403 forbidden on Flow Export #2091
Steps to reproduce
Login to M365 using the devicecode method
Get environment list succeeds
m365 flow environment list --output json | ConvertFrom-Json
Get the flow to export succeeds
$flowToExport = m365 flow list --environment $environmentName --query "[?displayName=='$flowNameToExport']" --output json | ConvertFrom-Json
Export the flow as a ZIP file fails with Error: The client certificate 'C5F9D3ED02E06B0148CD8D82B131AB1A88C74414' is not allowed.
m365 flow export --id $flowToExport.name --environment $environmentName --packageDisplayName "" --packageDescription "" --packageCreatedBy "" --packageSourceEnvironment "" --format zip --path $packageZipPathName --debug
Expected results
The flow should be exported as the named ZIP file
Actual results
Attempting to export a flow as a ZIP file returns:-
Error: The client certificate 'C5F9D3ED02E06B0148CD8D82B131AB1A88C74414' is not allowed.
But, exporting a flow as a JSON file succeeds
Diagnostics
Executing command flow export with options {"options":{"id":"6c6f8790-13a0-4b04-8d81-86bf7b315d93","environment":"Default-9b4f4fcf-59ca-4fb5-878f-4dea4046b5c6","packageDisplayName":"EEL_PAS_Core_EventOrchestration_DEV","packageDescription":"Orchestrates and controls the onward distribution of change requests submitted by users","packageCreatedBy":"Phillip Allan-Harding","packageSourceEnvironment":"Default-9b4f4fcf-59ca-4fb5-878f-4dea4046b5c6","format":"zip","path":"./EEL_PAS_Core_EventOrchestration_DEV.zip","debug":true}}
Retrieving package resources for Microsoft Flow 6c6f8790-13a0-4b04-8d81-86bf7b315d93...
Existing access token <<sanitized>> still valid. Returning...
Request:
{
"headers": {
"common": {
"Accept": "application/json, text/plain, */*"
},
"delete": {},
"get": {},
"head": {},
"post": {
"Content-Type": "application/x-www-form-urlencoded"
},
"put": {
"Content-Type": "application/x-www-form-urlencoded"
},
"patch": {
"Content-Type": "application/x-www-form-urlencoded"
},
"user-agent": "NONISV|SharePointPnP|CLIMicrosoft365/4.2.0",
"accept-encoding": "gzip, deflate",
"accept": "application/json",
"authorization": "Bearer <<sanitized>>"
},
"decompress": true,
"responseType": "json",
"url": "https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/environments/Default-9b4f4fcf-59ca-4fb5-878f-4dea4046b5c6/listPackageResources?api-version=2016-11-01",
"data": {
"baseResourceIds": [
"/providers/Microsoft.Flow/flows/6c6f8790-13a0-4b04-8d81-86bf7b315d93"
]
},
"method": "post"
}
Response:
{
"status": 200,
"statusText": "OK",
"headers": {
"cache-control": "no-cache, no-store",
"pragma": "no-cache",
"content-type": "application/json; charset=utf-8",
"expires": "-1",
"vary": "Accept-Encoding",
"strict-transport-security": "max-age=31536000; includeSubDomains",
"x-ms-request-id": "uksouth:25b086a2-57aa-4f95-ba61-ba51b74bbd75",
"x-ms-correlation-request-id": "25b086a2-57aa-4f95-ba61-ba51b74bbd75",
"date": "Fri, 07 Jan 2022 18:08:46 GMT",
"connection": "close",
"content-length": "1202"
},
"data": {
"status": "Succeeded",
"baseResourceIds": [
"/providers/Microsoft.Flow/flows/6c6f8790-13a0-4b04-8d81-86bf7b315d93"
],
"resources": {
"L1BST1ZJREVSUy9NSUNST1NPRlQuRkxPVy9GTE9XUy82QzZGODc5MC0xM0EwLTRCMDQtOEQ4MS04NkJGN0IzMTVEOTM=": {
"id": "/providers/Microsoft.Flow/flows/6c6f8790-13a0-4b04-8d81-86bf7b315d93",
"name": "6c6f8790-13a0-4b04-8d81-86bf7b315d93",
"type": "Microsoft.Flow/flows",
"creationType": "Existing, New, Update",
"details": {
"displayName": "EEL_PAS_Core_EventOrchestration_DEV"
},
"configurableBy": "User",
"hierarchy": "Root",
"dependsOn": [
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX1NIQVJFUE9JTlRPTkxJTkU=",
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX1NIQVJFUE9JTlRPTkxJTkUvQ09OTkVDVElPTlMvMkIwNTgzRTFDRTAxMjU3Q0NBRkJBRUU4RTk2QjRCMzU=",
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX09GRklDRTM2NQ==",
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX09GRklDRTM2NS9DT05ORUNUSU9OUy9TSEFSRUQtT0ZGSUNFMzY1LUYyRjg2QTJDLTcxOTktNDA2RC04MDlFLUEwNDEtQjBGN0U1RjQ="
]
},
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX1NIQVJFUE9JTlRPTkxJTkU=": {
"id": "/providers/Microsoft.PowerApps/apis/shared_sharepointonline",
"name": "shared_sharepointonline",
"type": "Microsoft.PowerApps/apis",
"details": {
"displayName": "SharePoint",
"iconUri": "https://connectoricons-prod.azureedge.net/releases/v1.0.1539/1.0.1539.2620/sharepointonline/icon.png"
},
"configurableBy": "System",
"hierarchy": "Child",
"dependsOn": []
},
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX09GRklDRTM2NQ==": {
"id": "/providers/Microsoft.PowerApps/apis/shared_office365",
"name": "shared_office365",
"type": "Microsoft.PowerApps/apis",
"details": {
"displayName": "Office 365 Outlook",
"iconUri": "https://connectoricons-prod.azureedge.net/releases/v1.0.1538/1.0.1538.2621/office365/icon.png"
},
"configurableBy": "System",
"hierarchy": "Child",
"dependsOn": []
},
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX1NIQVJFUE9JTlRPTkxJTkUvQ09OTkVDVElPTlMvMkIwNTgzRTFDRTAxMjU3Q0NBRkJBRUU4RTk2QjRCMzU=": {
"id": "/providers/Microsoft.PowerApps/apis/shared_sharepointonline/connections/2b0583e1ce01257ccafbaee8e96b4b35",
"name": "2b0583e1ce01257ccafbaee8e96b4b35",
"type": "Microsoft.PowerApps/apis/connections",
"creationType": "Existing",
"details": {
"displayName": "p.harding@pah365.com",
"iconUri": "https://az818438.vo.msecnd.net/icons/sharepointonline.png"
},
"configurableBy": "User",
"hierarchy": "Child",
"dependsOn": [
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX1NIQVJFUE9JTlRPTkxJTkU="
]
},
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX09GRklDRTM2NS9DT05ORUNUSU9OUy9TSEFSRUQtT0ZGSUNFMzY1LUYyRjg2QTJDLTcxOTktNDA2RC04MDlFLUEwNDEtQjBGN0U1RjQ=": {
"id": "/providers/Microsoft.PowerApps/apis/shared_office365/connections/shared-office365-f2f86a2c-7199-406d-809e-a041-b0f7e5f4",
"name": "shared-office365-f2f86a2c-7199-406d-809e-a041-b0f7e5f4",
"type": "Microsoft.PowerApps/apis/connections",
"creationType": "Existing",
"details": {
"displayName": "cloudadmin@pah365.com",
"iconUri": "https://connectoricons-prod.azureedge.net/releases/v1.0.1535/1.0.1535.2607/office365/icon.png"
},
"configurableBy": "User",
"hierarchy": "Child",
"dependsOn": [
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX09GRklDRTM2NQ=="
]
}
}
}
}
Initiating package export for Microsoft Flow 6c6f8790-13a0-4b04-8d81-86bf7b315d93...
Existing access token <<sanitized>> still valid. Returning...
Request:
{
"headers": {
"common": {
"Accept": "application/json, text/plain, */*"
},
"delete": {},
"get": {},
"head": {},
"post": {
"Content-Type": "application/x-www-form-urlencoded"
},
"put": {
"Content-Type": "application/x-www-form-urlencoded"
},
"patch": {
"Content-Type": "application/x-www-form-urlencoded"
},
"user-agent": "NONISV|SharePointPnP|CLIMicrosoft365/4.2.0",
"accept-encoding": "gzip, deflate",
"accept": "application/json",
"authorization": "Bearer <<sanitized>>"
},
"decompress": true,
"responseType": "json",
"url": "https://management.azure.com/providers/Microsoft.BusinessAppPlatform/environments/Default-9b4f4fcf-59ca-4fb5-878f-4dea4046b5c6/exportPackage?api-version=2016-11-01",
"data": {
"includedResourceIds": [
"/providers/Microsoft.Flow/flows/6c6f8790-13a0-4b04-8d81-86bf7b315d93"
],
"details": {
"displayName": "EEL_PAS_Core_EventOrchestration_DEV",
"description": "Orchestrates and controls the onward distribution of change requests submitted by users",
"creator": "Phillip Allan-Harding",
"sourceEnvironment": "Default-9b4f4fcf-59ca-4fb5-878f-4dea4046b5c6"
},
"resources": {
"L1BST1ZJREVSUy9NSUNST1NPRlQuRkxPVy9GTE9XUy82QzZGODc5MC0xM0EwLTRCMDQtOEQ4MS04NkJGN0IzMTVEOTM=": {
"id": "/providers/Microsoft.Flow/flows/6c6f8790-13a0-4b04-8d81-86bf7b315d93",
"name": "6c6f8790-13a0-4b04-8d81-86bf7b315d93",
"type": "Microsoft.Flow/flows",
"creationType": "Existing, New, Update",
"details": {
"displayName": "EEL_PAS_Core_EventOrchestration_DEV"
},
"configurableBy": "User",
"hierarchy": "Root",
"dependsOn": [
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX1NIQVJFUE9JTlRPTkxJTkU=",
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX1NIQVJFUE9JTlRPTkxJTkUvQ09OTkVDVElPTlMvMkIwNTgzRTFDRTAxMjU3Q0NBRkJBRUU4RTk2QjRCMzU=",
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX09GRklDRTM2NQ==",
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX09GRklDRTM2NS9DT05ORUNUSU9OUy9TSEFSRUQtT0ZGSUNFMzY1LUYyRjg2QTJDLTcxOTktNDA2RC04MDlFLUEwNDEtQjBGN0U1RjQ="
],
"suggestedCreationType": "Update"
},
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX1NIQVJFUE9JTlRPTkxJTkU=": {
"id": "/providers/Microsoft.PowerApps/apis/shared_sharepointonline",
"name": "shared_sharepointonline",
"type": "Microsoft.PowerApps/apis",
"details": {
"displayName": "SharePoint",
"iconUri": "https://connectoricons-prod.azureedge.net/releases/v1.0.1539/1.0.1539.2620/sharepointonline/icon.png"
},
"configurableBy": "System",
"hierarchy": "Child",
"dependsOn": [],
"suggestedCreationType": "Existing"
},
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX09GRklDRTM2NQ==": {
"id": "/providers/Microsoft.PowerApps/apis/shared_office365",
"name": "shared_office365",
"type": "Microsoft.PowerApps/apis",
"details": {
"displayName": "Office 365 Outlook",
"iconUri": "https://connectoricons-prod.azureedge.net/releases/v1.0.1538/1.0.1538.2621/office365/icon.png"
},
"configurableBy": "System",
"hierarchy": "Child",
"dependsOn": [],
"suggestedCreationType": "Existing"
},
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX1NIQVJFUE9JTlRPTkxJTkUvQ09OTkVDVElPTlMvMkIwNTgzRTFDRTAxMjU3Q0NBRkJBRUU4RTk2QjRCMzU=": {
"id": "/providers/Microsoft.PowerApps/apis/shared_sharepointonline/connections/2b0583e1ce01257ccafbaee8e96b4b35",
"name": "2b0583e1ce01257ccafbaee8e96b4b35",
"type": "Microsoft.PowerApps/apis/connections",
"creationType": "Existing",
"details": {
"displayName": "p.harding@pah365.com",
"iconUri": "https://az818438.vo.msecnd.net/icons/sharepointonline.png"
},
"configurableBy": "User",
"hierarchy": "Child",
"dependsOn": [
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX1NIQVJFUE9JTlRPTkxJTkU="
],
"suggestedCreationType": "Existing"
},
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX09GRklDRTM2NS9DT05ORUNUSU9OUy9TSEFSRUQtT0ZGSUNFMzY1LUYyRjg2QTJDLTcxOTktNDA2RC04MDlFLUEwNDEtQjBGN0U1RjQ=": {
"id": "/providers/Microsoft.PowerApps/apis/shared_office365/connections/shared-office365-f2f86a2c-7199-406d-809e-a041-b0f7e5f4",
"name": "shared-office365-f2f86a2c-7199-406d-809e-a041-b0f7e5f4",
"type": "Microsoft.PowerApps/apis/connections",
"creationType": "Existing",
"details": {
"displayName": "cloudadmin@pah365.com",
"iconUri": "https://connectoricons-prod.azureedge.net/releases/v1.0.1535/1.0.1535.2607/office365/icon.png"
},
"configurableBy": "User",
"hierarchy": "Child",
"dependsOn": [
"L1BST1ZJREVSUy9NSUNST1NPRlQuUE9XRVJBUFBTL0FQSVMvU0hBUkVEX09GRklDRTM2NQ=="
],
"suggestedCreationType": "Existing"
}
}
},
"method": "post"
}
Request error:
{
"status": 403,
"statusText": "Forbidden",
"headers": {
"cache-control": "no-store, no-cache",
"pragma": "no-cache",
"content-length": "134",
"content-type": "application/json; charset=utf-8",
"expires": "-1",
"strict-transport-security": "max-age=31536000; includeSubDomains",
"x-ms-request-id": "uksouth:f41bc1ab-975b-4e4d-a60b-5d90366a1629",
"x-ms-correlation-request-id": "1d869409-5f4e-4c6d-9a7f-6b5fd0a61512",
"x-ms-ratelimit-remaining-tenant-writes": "1199",
"x-ms-routing-request-id": "UKSOUTH:20220107T180847Z:1d869409-5f4e-4c6d-9a7f-6b5fd0a61512",
"x-content-type-options": "nosniff",
"date": "Fri, 07 Jan 2022 18:08:46 GMT",
"connection": "close"
},
"error": {
"error": {
"code": "AuthorizationFailed",
"message": "The client certificate 'C5F9D3ED02E06B0148CD8D82B131AB1A88C74414' is not allowed."
}
}
}
CLI for Microsoft 365 version
Tested on 3.11.0, 3.13.0, 4.1.0, 4.2.0
nodejs version
14.17.6
Operating system (environment)
macOS
Shell
PowerShell
cli doctor
{
"os": {
"platform": "darwin",
"version": "Darwin Kernel Version 20.6.0: Mon Aug 30 06:12:21 PDT 2021; root:xnu-7195.141.6~3/RELEASE_X86_64",
"release": "20.6.0"
},
"cliVersion": "4.2.0",
"nodeVersion": "v14.17.6",
"cliAadAppId": "31359c7f-bd7e-475c-86db-fdb8c937548e",
"cliAadAppTenant": "common",
"authMode": "DeviceCode",
"cliEnvironment": "",
"roles": [],
"scopes": [
"AllSites.FullControl",
"AppCatalog.ReadWrite.All",
"ChannelMember.ReadWrite.All",
"ChannelMessage.Read.All",
"ChannelMessage.Send",
"ChannelSettings.ReadWrite.All",
"Chat.Read",
"Directory.AccessAsUser.All",
"Directory.ReadWrite.All",
"Group.ReadWrite.All",
"IdentityProvider.ReadWrite.All",
"Mail.ReadWrite",
"Mail.Send",
"Policy.Read.All",
"Reports.Read.All",
"ServiceMessage.Read.All",
"Tasks.ReadWrite",
"Team.Create",
"TeamMember.ReadWrite.All",
"TeamsApp.ReadWrite.All",
"TeamsAppInstallation.ReadWriteForUser",
"TeamSettings.ReadWrite.All",
"TeamsTab.ReadWrite.All",
"TermStore.ReadWrite.All",
"User.Invite.All",
"User.ReadWrite.All",
"profile",
"openid",
"email",
"user_impersonation",
"user_impersonation"
]
}
Additional Info
Last known to be working correctly on 20/12/2021
About this issue
- State: closed
- Created 2 years ago
- Reactions: 1
- Comments: 21 (19 by maintainers)
Commits related to this issue
- Changed to graph url. Solves #2923 — committed to appieschot/cli-microsoft365 by appieschot 2 years ago
Bit more detective work (sorry) 😉
The listPackages request is sent to api.bap.microsoft.com with an access token whose audience is https://management.azure.com/
The exportPackage request is sent to management.azure.com with an access token whose audience is https://management.azure.com – no trailing backslash
Both access tokens are identical except for the audience
Using Postman if I send the exportPackage request to api.bap.microsoft.com using the access token with audience = https://management.azure.com/ – with trailing backslash – it succeeds with response
great find @phillipharding ! We should totally fix the trailing backslash but once #2914 is implemented we should be able to tackle it as well
Just a heads up that I ran into exactly this today as well. I think last week this still worked.
(The client certificate C5F9D3ED02E06B0148CD8D82B131AB1A88C74414 led me here…)
Don’t worry, I’ll try and carve out some time for further testing from my side 🦾
Thanks @appieschot would love to test that but don’t really have capacity right now, I have repeated my tests described in https://github.com/pnp/cli-microsoft365/issues/2923#issuecomment-1009036088 and that still works
Will have a look upcoming days
There should not be a region for that URL; however there is a difference between GOV tenants etc.
It doesn’t seem like the region is expressed in the URL so we should be said. That said, we can implement the necessary change in a beta and check with our users across the globe to help us confirm that it works as intended for everyone.
Let’s wait for @appieschot to respond, as I believe he might have some useful input here.
Doing some investigation in the Power Automate UI;
The listPackages request URL is https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/environments/Default-9b4f4fcf-59ca-4fb5-878f-4dea4046b5c6/listPackageResources?api-version=2016-11-01 in the Power Automate UI which matches the CLI
The exportPackage request URL is https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/environments/Default-9b4f4fcf-59ca-4fb5-878f-4dea4046b5c6/exportPackage?api-version=2016-11-01 in the Power Automate UI but the CLI request URL for exportPackage is https://management.azure.com/providers/Microsoft.BusinessAppPlatform/environments/Default-9b4f4fcf-59ca-4fb5-878f-4dea4046b5c6/exportPackage?api-version=2016-11-01
That’s a productive few lines of code @Jwaegebaert…
Closing this one as fixed as a side effect of #3393.
Sure yes, this is also fixed, thanks again
Hmm, looks like this might be simpler than initially thought; changing the URL to api.bap solves the issue on my side. @pstrindlund or @phillipharding any chance you can validate my findings? You can find the code here: https://github.com/appieschot/cli-microsoft365/tree/feature/issue-2923 (oh and sanity check this current version does not allow to export json; only the zip file) if this works I’ll implement properly 😉)
@waldekmastykarz. I can confirm that this bug remains in US West region (commercial tenants) this week. Any estimates on when next release will be that will include the fix?
@phillipharding, based on your research, if I understand it correctly, all we need to do is to replace the host in the exportPackage request from management.azure.com to api.bap.microsoft.com, correct?
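Added example (not from the issue thread or from the CLI's code base): a small Node.js helper for the comparison made in the comments above, reading the `aud` claim of each request's bearer token and the host the request is sent to. The tokens are constructed, unsigned samples, the environment id is a placeholder, and all function names are hypothetical.

```javascript
// Diagnostic only: reads claims from a bearer token WITHOUT verifying its signature.
function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWT (expected three dot-separated parts)');
  }
  // Convert base64url to plain base64 before decoding the payload segment.
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Summarise where a request goes and which audience its token was issued for.
function describeRequest(label, url, token) {
  const aud = String(decodeJwtClaims(token).aud);
  return {
    label,
    requestHost: new URL(url).host,
    aud,
    audTrailingSlash: aud.endsWith('/'),
  };
}

// List the properties that differ between two described requests.
function diffRequests(a, b) {
  return ['requestHost', 'aud', 'audTrailingSlash'].filter((k) => a[k] !== b[k]);
}

// Constructed sample token (placeholder signature, never verified) for offline use.
function makeSampleToken(aud) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc({ aud })}.placeholder-signature`;
}

const ENV = 'Default-00000000-0000-0000-0000-000000000000'; // placeholder environment id
const base = `/providers/Microsoft.BusinessAppPlatform/environments/${ENV}`;

// The two calls as the thread describes them: host and audience per request.
const listCall = describeRequest('listPackageResources',
  `https://api.bap.microsoft.com${base}/listPackageResources?api-version=2016-11-01`,
  makeSampleToken('https://management.azure.com/'));
const exportCall = describeRequest('exportPackage',
  `https://management.azure.com${base}/exportPackage?api-version=2016-11-01`,
  makeSampleToken('https://management.azure.com'));

console.log(listCall, exportCall, diffRequests(listCall, exportCall));
```

With real `--debug` output the bearer token is sanitized, so the token has to be captured separately before it can be passed to `describeRequest`.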