Overview

Error Source: Debug Log (Runtime) / Console 

As part of OpenFin's API security strategy requires specific OpenFin API methods to be declared in the Application Manifest. These are security-sensitive API's that will operate outside the confines of the security sandbox. Please see Secured APIs for a list of the API's that are restricted.

If an application needs to use one of the secured API's it needs to be declared in the manifest file. Read Declaring APIs in an Application Manifest File how to add a secure API to the manifest. Application designers need to have entries added to the manifest file to enable the APIs that the application needs.

Desktop owners have the ability to overrule the permission for an API to be used in an application. The way the desktop own authorizes applications has changed with version 20.* of the runtime.

• Version 19.* and before of the OpenFin runtime required desktop owners explicitly need to block (opt-out) access to certain APIs for particular applications. By default all APIs are allowed unless blocked in the desktop owners file.
• Version 20.* and above employ an opt-in system where the desktop owner has to allow (opt-in) to the use of the API's. All APIs are blocked unless allowed by the desktop owner.
  • While developing on localhost the desktop owner authentication will work in the same way as version 19.*. See Development Exception for details.
  • When running on a non local host and the API is not authorized in the desktop owners file the authorization is delegated to the desktop owner via a popup at runtime. See Delegating Control for details.

Read Configuring Desktop Owners Settings to find out how to write a desktop owners file.

Potential Causes

• An API Method covered by our API security policy has been invoked that is not declared in the application manifest.
• An API Method covered by our API security policy has been blocked by the desktop owner.

Troubleshooting steps:

1. The Application Developer will need to confirm the API method that has been invoked
2. The Application Developer should check the API method has been added to the Application Manifest file (See our Declaring APIs in an application manifest file documentation or more information).
   1. if this is an OpenFin application then make sure the API is listed in the permissions entry in the startup_app section of the manifest file. 
   2. if this is a platform application is running in a view check that the API is listed in the permissions for the defaultViewOptions, the defaultWindowOtions and the Platform sections of the manifest file.
3. Once it has been verified the API is listed in the Application Configuration file, you should start checking the Desktop Owners settings.
   1. Check with the Desktop Owner that they are allowed to use the API on the desktop. 
   2. Runtime version 19.* and before
      1.  Find the Desktop owners file. found in the windows registry settings Key: HKEY_CURRENT_USER\Software\OpenFin\RVM\Settings\DesktopOwnerSettings. Will be mentioned in the RVM log file. See Desktop Owners Settings for details.
      2. Check if there is an entry in the Desktop Owners File for the application manifest 
   3. Runtime versions 20.* and above
      • If the user has clicked on "Don't Allow" on the "Review Security Permissions" popup the API will be denied until the OpenFin applicaiton has been relaunched.
      • Find the Desktop owners file. found in the windows registry settings Key: HKEY_CURRENT_USER\Software\OpenFin\RVM\Settings\DesktopOwnerSettings. Will be mentioned in the RVM log file. See Desktop Owners Settings for details.
      • Check that the desktop owners file has an entry for the applications manifest file in the applicationsSettings section and that it has the relevant API listed. See Example desktop owner settings for details.