How to handle RingCentral OAuth 2.0 "Invalid application" TokenInvalid error - oauth-2.0

When using a OAuth 2.0 Bearer token with the following cURL command and receiving the following error, what does the TokenInvalid "Invalid application" error mean and how to handle this error? The application is valid in the Developer Portal and the same token is working for other API calls in an running app.
cURL Request
curl -XGET https://platform.ringcentral.com/restapi/v1.0/account/~ \
-H 'Authorization: Bearer <my_token>'
Response
401 Unauthorized
{
"errorCode" : "TokenInvalid",
"message" : "Invalid application",
"errors" : [ {
"errorCode" : "OAU-127",
"message" : "Invalid application"
} ]
}

RingCentral operates different API environments that use different application definitions (client ids and secrets). A token and application that is valid in one environment may not be valid in another.
A common reason this error can occur is when a token or application is only valid in the sandbox environment is being used in the production environment. For example, this error will be encountered when making a request to the production environment (https://platform.ringcentral.com) with a token intended for the sandbox environment (https://platform.devtest.ringcentral.com).

Related

Webpush::Unauthorized: host: fcm.googleapis.com, #<Net::HTTPForbidden 403 Forbidden readbody=true>

I am trying to integrate Web Push Notification on the Web Application I am maintaining. I am using this github repo https://github.com/zaru/webpush as my guide.
After following what is included in that guide, and run this command at my terminal:
Webpush.payload_send(message: "Test", endpoint: n.endpoint, p256dh: n.p256dh_key, auth: n.auth_key, vapid: {private_key: "gAdLtJoNQHDXsd1iYxrvttW3YybuJX4GkN8LDMbSIuw=", public_key: "BHByXuCTQs7UuoqBN2MeLjL_gUHfsuhxKkV_QOdhm9mw9Ohl3giAoxdwtwuoXqYnIbaa7UaTC1BvwS8yv_pNOAU="} )
Suddenly, I encountered this error, does someone here encountered the same error as I did? How did you resolved it? Thank you in advance.
Webpush::Unauthorized: host: fcm.googleapis.com, #<Net::HTTPForbidden 403 Forbidden readbody=true>
body:
the key in the authorization header does not correspond to the sender ID used to subscribe this user. Please ensure you are using the correct sender ID and server Key from the Firebase console.

Keycloak token exchange fails with "invalid_token" error

I have two Keycloak instances running locally. They are connected via OIDC. Everything works so far - I can login via any of Keycloak instances.
Now I am trying to setup token exchage and it fails with "invalid_token" error. I want to do "external to internal" token exchange. There are following Keycloak logs showing that Keycloak sending HTTP GET request with the token I provided to another Keycloak instance to get user info:
08:14:36,523 DEBUG http-outgoing-19 >> "GET /auth/realms/master/protocol/openid-connect/userinfo HTTP/1.1[\r][\n]"
08:14:36,523 DEBUG http-outgoing-19 >> "Authorization: Bearer eyJhbGciOiJSU...[\r][\n]"
and the response is 401:
08:14:36,530 DEBUG http-outgoing-19 << "HTTP/1.1 401 Unauthorized[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "X-XSS-Protection: 1; mode=block[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "X-Frame-Options: SAMEORIGIN[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "Referrer-Policy: no-referrer[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "Date: Tue, 24 Nov 2020 08:14:36 GMT[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "Connection: keep-alive[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "WWW-Authenticate: Bearer realm="master", error="invalid_token", error_description="Token verification failed"[\r][\n]"
The weird part is this: when I am sending the same response with curl using the same token that does not work in Keycloak - it works:
curl -X GET 'http://localhost:8050/auth/realms/master/protocol/openid-connect/userinfo' \
-H 'Authorization: Bearer eyJhbGciOiJSUzI1N...'
{"name":"r o","sub":"fff41a6f-6910-4419-8d46-7630b57ed420","email_verified":true,"preferred_username":"ttt","given_name":"r","family_name":"o"}
All permissions for token exchange set up (otherwise it does not send the request at all and it fails with another error).
What am I missing here? Any help is highly appreciated.
I figured it out. It worked using curl, because I was using localhost, and it did not work in Keycloak, because Keycloak used local IP address (192.168.X.X). The core reason is in the token that has to be exchanged. Field iss must match the IP/Host that is sending the request. In other words, in the token that I used to test token exchange, iss was equal http://localhost..., and I also used localhost in curl request. After using token that's been issued from 192.168.XX, token exchange started to work.
Actually, from a security perspective it totally makes sense. Only issuer of the token should be able to use it to get user info.

Can't get header request Rails 5 API on production stage (AWS elasticbeanstalk)

I have rails 5 API. Tested on my local it running perfect. But after deploy to elastic beanstalk I have problem, I can't getting Authentication token which I put it on header, and this is how I set token when call API and get/ read on my app :
Set when call api :
curl -H "Content-Type: application/json" -X POST http://example.com/users -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGc"
And Read/ get :
auth_header = request.headers['Authorization'] and token = auth_header.split(' ').last
Any ideas what's going on?
I resolved by using dash("-") instead of underscore("_") in the
header.
example:
authentication-token
instead of
authentication_token
It will work 100%

WebSphere Docker OAuth

I need to implement OAuth against an IBM WebSphere server. For that purpose I built a docker environment https://github.com/hhoechtl/websphere-oauth according to http://www.ibm.com/developerworks/websphere/techjournal/1305_odonnell2/1305_odonnell2.html
But if I try to get a token
curl -X POST -H "Accept-Charset: UTF-8" -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=password&client_id=LibertyRocks&client_secret=AndMakesConfigurationEasy&username=admin&password=admin' "https://192.168.99.100:9443/oauth2/endpoint/DemoProvider/token"
I get the error
{
"error_description": "CWWKS1406E: The token request had an invalid client credential. The request URI was /oauth2/endpoint/DemoProvider/token.",
"error": "invalid_client"
}
But according to my server.xml that should be correct. What am I missing?
Would you be able to turn on and provide the server trace for that invocation? The message indicates that either credentials weren't found in the request, or credentials were found but were invalid for that client. It would be useful to know which is the case here.
You can enable trace by adding this snippet to your server.xml:
<logging traceSpecification="*=info=enabled:com.ibm.ws.security.*=all=enabled:com.ibm.oauth.*=all=enabled" />
The next day it just worked, no idea why.

401 unauthorized streaming spring xd

I'm trying to follow this tutorial https://github.com/spring-projects/spring-xd-samples/tree/master/analytics-dashboard
I did the configuration on modules.yml
twitter:
consumerKey: {your-consumer-key}
consumerSecret: {your-consumer-secret}
accessToken: {your-access-token}
accessTokenSecret: {your-access-token-secret}
with my own keys and then when i run
stream create tweets --definition "twitterstream | log" --deploy
this error appear
2016-05-24T12:48:07-0500 1.3.1.RELEASE ERROR twitterSource-1-1 twitter.TwitterStreamChannelAdapter - Twitter authentication failed: 401 Authorization Required
401 error means "Authentication credentials were missing or incorrect". Make sure the credentials is correct. see https://dev.twitter.com/overview/api/response-codes

Resources