OAuth login with google fails and always returns "Try signing in with a different account", however it works pretty fine in development.
I have created credentials for my OAuth service
Added the development and production domains:
http://localhost:3000
https://affiliatenetwork.help
Authorized redirect URIs
http://localhost:3000/api/auth/callback/google
https://affiliatenetwork.help/api/auth/callback/google
Set the app to production mode
OAuth consent screen
Scopes
but login only works in a development environment
When I used debug mode "checks.state argument is missing" Error has been raised
[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error checks.state argument is missing {
error: TypeError: checks.state argument is missing
at Client.callback (/home/emadu/arab-deals/node_modules/openid-client/lib/client.js:387:13)
at oAuthCallback (/home/emadu/arab-deals/node_modules/next-auth/core/lib/oauth/callback.js:127:29)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Object.callback (/home/emadu/arab-deals/node_modules/next-auth/core/routes/callback.js:52:11)
at async AuthHandlerInternal (/home/emadu/arab-deals/node_modules/next-auth/core/index.js:167:28)
at async AuthHandler (/home/emadu/arab-deals/node_modules/next-auth/core/index.js:309:28)
at async NextAuthHandler (/home/emadu/arab-deals/node_modules/next-auth/next/index.js:24:20)
at async /home/emadu/arab-deals/node_modules/next-auth/next/index.js:50:32
at async Object.apiResolver (/home/emadu/arab-deals/node_modules/next/dist/server/api-utils/node.js:363:9)
at async DevServer.runApi (/home/emadu/arab-deals/node_modules/next/dist/server/next-server.js:474:9) {
name: 'OAuthCallbackError',
code: undefined
},
providerId: 'google',
message: 'checks.state argument is missing'
}
Related
I'm trying to authenticate to my Auth0 tenant via the Swagger UI (auto-generated by Swashbuckle.AspNetCore) using client credentials.
I'm getting the following error:
Auth ErrorError, error: access_denied, description: Non-global clients
are not allowed access to APIv1
Here's a screen shot:
Open API spec looks like this:
"securitySchemes": {
"auth0": {
"type": "oauth2",
"flows": {
"clientCredentials": {
"tokenUrl": "https://example.auth0.com/oauth/token"
},
"authorizationCode": {
"authorizationUrl": "https://example.auth0.com/authorize?audience=test",
"tokenUrl": "https://example.auth0.com/oauth/token",
"scopes": { }
}
}
}
}
I suspect this has something to do with the audience not being specified. I was having a similar issue with authorization code flow, but manged to get this working by appending the audience as a query-string param to the authorizationUrl (as shown above). Unfortunately the same trick doesn't work with client credential flow (i.e. attempting to append the audience to the tokenUrl). I need to support client credential flow, as one or more of the routes need to be locked down to M2M tokens only.
Interestingly, it works if I use the global client ID / secret (found under the advanced settings of the tenant), but I'm not sure if we should use this...
Anyone else ran into this issue and if so, any luck with finding a solution?
I am trying to get an OAuth token using an hardcoded approach in NodeJs. I have retrieved the AUTHORIZATION_CODE from the https://developers.google.com/oauthplayground/ by following the instruction of the following article: https://medium.com/#nickroach_50526/sending-emails-with-node-js-using-smtp-gmail-and-oauth2-316fe9c790a1.
The OAuth's playground returns me so far a HTTP 500 when I am trying to exchange the authorization code against the access and refresh tokens. So I have tried an another approach consisting of create a program destined to log my tokens. Hence I could use them in other applications.
Here my snippet:
const {google} = require('googleapis');
const app= require("express")();
const oauth2Client = new google.auth.OAuth2(
"CLIENT_ID",
"CLIENT_SECRET",
"REDIRECT_URI"
);
app.get("/getToken", async (req,res)=>{
const tokens = await oauth2Client.getToken(
"AUTHORIZATION_CODE"
)
console.log("tokens: ", tokens)
oauth2Client.setCredentials(tokens);
res.send(tokens, oauth2Client)
})
When I launch the program, my console returns me: " UnhandledPromiseRejectionWarning: Error: redirect_uri_mismatch
at Gaxios._request".
I can't understand why since my redirect's UI is effectively entered in my https://console.developers.google.com/apis/credentials/oauthclient/Id.com?project=Project_Name's page.
What I am missing to retrieve a token in an hardcoded way?
I was facing the same issue here. By trial & error, i found that here you need to provide the same uri provided to generateAuthUrl() method, if you are generating it using this.
I tried to create a react native app with OAuth login in my rails app.
I have this react native setup
const config = {
issuer: 'http://app.domain.tld',
clientId: '85bb84b9cb0528b1f64b7c77586507b3ca5e69b11abe36ae1e54e88a6150c21e',
clientSecret: '0d3c0713437e0028a121a0c2294cc9a72f4eb5609416935a2860e20f176c7855',
redirectUrl: 'com.domain://com.domain',
responseType: 'code',
scopes: [],
dangerouslyAllowInsecureHttpRequests: __DEV__,
// clientAuthMethod: 'post',
serviceConfiguration: {
authorizationEndpoint: 'http://app.domain.tld/oauth/authorize',
tokenEndpoint: 'http://app.domain.tld/oauth/token',
// revocationEndpoint: 'http://app.domain.tld/oauth/revoke'
},
additionalParameters: {
approval_prompt: 'force'
}
}
// use the client to make the auth request and receive the authState
try {
const result = await authorize(config)
// result includes accessToken, accessTokenExpirationDate and refreshToken
console.log('result', result)
} catch (error) {
console.log('error', error.message)
}
the oaut app looks like this:
When I press the button to login in my app, I get a browser window where I can login in my rails app and got redirected to the authorize page for the oauth app. After I authorize my app, I got redirected to the app with the message "Network error". With that message I can't find out whats wrong, maybe anyone can help me.
In the server logs I can see this:
Redirected to com.domain://com.domain?code=54f3b4c03ea3724522f9a7983e2ea1b9037336076cd52cb875f9654d5d79784a&state=8xmiicVcPKN980ZDZUwBnw
in the debugger-ui i get this error log:
error Error: Network error
at createErrorFromErrorData (ReactNativeART.js:10)
at ActivityIndicator.js:72
at MessageQueue.__invokeCallback (ReactNativeART.js:472)
at blob:http://localhost:8081/1fccf34b-97b0-4c42-81fa-f0e1391a3ad3:2358
at MessageQueue.__guard (ReactNativeART.js:373)
at MessageQueue.invokeCallbackAndReturnFlushedQueue (blob:http://localhost:8081/1fccf34b-97b0-4c42-81fa-f0e1391a3ad3:2357)
at debuggerWorker.js:80
so i think there is something wrong. The app didn't make any further request to the server to obtain the access_token. Whats wrong?
Use this in config:
dangerouslyAllowInsecureHttpRequests: true,
Question
How would we test a Doorkeeper oauth2 implementation for a Zapier cli app?
Background
I have a Rails 3 app. I am trying to create a Zapier client for the application and I decided to use OAuth. Thus I configured doorkeeper to generate a JWT. All looks good, I am able to authorize and get token using the redirects.
I am not sure how to test the app purely through the console. Wouldn't it require some way to authorize using username/password?
I got an app generated from the template with some minor differences.
it('can fetch an access token', (done) => {
const bundle = {
inputData: {
// In production, Zapier passes along whatever code your API set in the query params when it redirects
// the user's browser to the `redirect_uri`
code: 'one_time_code',
subdomain: 'ducks'
},
environment: {
CLIENT_ID: process.env.CLIENT_ID,
CLIENT_SECRET: process.env.CLIENT_SECRET
}
};
appTester(App.authentication.oauth2Config.getAccessToken, bundle)
.then((result) => {
result.access_token.should.eql('a_token');
result.refresh_token.should.eql('a_refresh_token');
done();
})
.catch(done);
});
results in something like this:
1) oauth2 app can fetch an access token:
Got 401 calling POST https://ducks.<domain>.com/oauth/token, triggering auth refresh.
What happened:
Starting POST request to https://ducks.<domain>.com/oauth/token
Received 401 code from https://ducks.<domain>.com/oauth/token after 1425ms
Received content "{"error":"invalid_request","error_description":"The request is missing a required parameter, include"
Got 401 calling POST https://ducks.<domain>.com/oauth/token, triggering auth refresh.
Which should be because the user is not logged in the request made in the test console...
How can I make the user login? Or should the tests be changed?
I have setup my facebook auth per passportjs docs:
var passport = require('passport')
, FacebookStrategy = require('passport-facebook').Strategy;
passport.use(new FacebookStrategy({
clientID: FACEBOOK_APP_ID,
clientSecret: FACEBOOK_APP_SECRET,
callbackURL: "http://www.example.com/facebook/callback"
},
function(accessToken, refreshToken, profile, done) { ... });
}
));
app.get('/login/facebook', passport.authenticate('facebook'))
.get('/facebook/callback', passport.authenticate('facebook', {successRedirect: '/', failureRedirect: '/login'}));
All this works fine. However, there are cases (such as token expiration) when I want to automatically redirect the user to the page that the user was on before initiating the login request. So I tried to plumb a query string param through the login request (from client to server to facebook and back). But I cant see a way to specify that in the callbackURL.
Furthermore, when I tried hard-coding some context param to the config callbackURL (eg: "http://www.example.com/facebook/callback?redir=lastUserPage") I get an OAuth parse error. Interestingly enough, Facebook does respond correctly with the access code as well as the redir param, but it fails with OAUTH exception:
FacebookTokenError: Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request
at Strategy.parseErrorResponse (C:\Sources\node_modules\passport-facebook\lib\strategy.js:198:12)
at Strategy.OAuth2Strategy._createOAuthError (C:\Sources\node_modules\passport-facebook\node_modules\passport-oauth2\lib\strategy.js:345:16)
at C:\Sources\node_modules\passport-facebook\node_modules\passport-oauth2\lib\strategy.js:171:43
at C:\Sources\node_modules\passport-facebook\node_modules\passport-oauth2\node_modules\oauth\lib\oauth2.js:177:18
at passBackControl (C:\Sources\node_modules\passport-facebook\node_modules\passport-oauth2\node_modules\oauth\lib\oauth2.js:124:9)
at IncomingMessage.<anonymous> (C:\Sources\node_modules\passport-facebook\node_modules\passport-oauth2\node_modules\oauth\lib\oauth2.js:143:7)
at IncomingMessage.emit (events.js:117:20)
at _stream_readable.js:943:16
at process._tickCallback (node.js:419:13)
Note that I had this working using WIF before. I don't see any security concerns with passing additional query string parameters through the OAuth process..
Any idea how I can get past this?
I'm not sure how to do what you're asking, but for your desired end goal you could:
Save a cookie before authenticating
Authenticate the user
on the resulting callback page, check for the cookie and redirect if present.
Wouldn't this work just as easily?