LIfeTimeServices call returns "Insufficient permissions"

We are using LifeTimeServices to get list of users and roles.
We are autheticating with admin account. AuthenticationService.Authentication_GetToken returns some token, than we fill WebServiceSimpleAuthentication structure with username, password and that token, and pass it to UserManagementService.User_List.

That call returns empty data and this error info: 
Failed to perform WS call.
Insufficient permissions to perform WS call.

Can anyone advise what can be the problem?

Same question here.

Hi Igor, hi Grigory,

Sorry for the late reply.

AuthenticationService.Authentication_GetToken(username, password) will return you an authentication token, which is valid for 5 minutes.

Once you have that token, you can just call UserManagementService.User_List() with the token, i.e., the Authentication field only carries the token, and both the username and password are empty. For additional security, you can pass the username as well, which the platform will validate to ensure that the token was issued for that user.

The behaviour described above is the expected one. However, we have detected an implementation issue affecting that additional layer of security mechanism, which caused that "Failed to perform WS call" error to occur, i.e., the error occurred when the API would be used with a username and a token.

This issue was detected in and it affects other versions as well.

We have already fixed the issue in versions and 9.1.400.0 of the platform, so please ask your OutSystems Platform Administrator to update your LifeTime environment to one of these versions. 

Keep in mind that LifeTime is fully backwards compatible, so it will work just as well even if you don't (or can't) upgrade your (Dev, QA, Production) environments at the same time.

If you really can't upgrade your LifeTime installation at this time, you may try to workaround your problem by including just the token in the Authentication field, or by entering a valid username/password combination.

Thanks, Ricardo! 

User_List() works fine if I only use token keeping username/password field empty.