When going through Epic's App Orchard Oauth flow , any misconfiguration of the app results in an error which says "INVALID_CLIENID".
One issue is that error text is confusing because it isn't the clientId that is incorrect for some other config parameters (could be an incorrect redirect_uri for example).
Another issue is that such error response comes back with status code 200 - indicating successful request.
Is there a way to get an error code indicating a failed request ? Some code in the 4xx range
For INVALID-CLIENT-ID, in the current version of the software you just need to check all of the different causes.
Common causes of the INVALID-CLIENT-ID error include:
Providing an actual invalid client ID.
Providing a redirect_uri that isn't associated with your client.
Performing a FHIR interaction (read/search) on a resource that isn't listed in the FHIR API Scope for your client.
Related
I have an error on KNIME. I am trying to scrape the tweets from twitter but I have this error:
<< ERROR Twitter Search 0:2 Execute failed: 400:The
request was invalid. An accompanying error message will explain why.
This is the status code will be returned during version 1.0 rate
limiting (https://dev.twitter.com/pages/rate-limiting). In API v1.1, a
request without authentication is considered invalid and you will get
this response. message - Bad Authentication data. code - 215>>
This errors is due to you are issuing your request without authentication, first you need to authenticate against twitter and after you're be able to issue the request properly.
I'm integrating to Google OpenID Connect as a relying party, using the authorization code flow. If I send in an invalid parameter in the AuthenticationRequest, e.g. an invalid value for scope, Google presents the error in a web page saying e.g. "Some requested scopes were invalid...".
The OpenID Connect spec (and the OAuth spec) clearly states that: "Unless the Redirection URI is invalid, the Authorization Server returns the Client to the Redirection URI specified in the Authorization Request with the appropriate error and state parameters."
Am I doing something wrong in my request, or am I misinterpreting the specification, or are Google just not conformant when it comes to sending error responses?
Sounds to me like Google is a little non-conformant here:
Step 10 of my blog post shows the standards based behaviour
As a developer of an OIDC client you need to accept that some invalid input will be displayed in the browser:
Invalid client_id / redirect_uri
I tend to use an invalid scope to test error responses - it is handy for that - and I guess you're doing the same.
Solutions from the big cloud vendors often have this type of annoyance - when all that we want as consumers is a standards based solution.
I've successfully implemented Discord's OAuth2 flow using the authorization code grant type into my application. The end user navigates to Discord's OAuth2 link for my bot, authorizes its access, and Discord redirects them back to my site with a code querystring. The bot then exchanges this code for an access token by querying Discord's API. Documentation on this process is available here for reference.
However, roughly every 50-100 requests to the exchange endpoint, I receive a 403 with the error invalid_grant and the description Invalid "code" in request. Frankly, I don't understand how the code just provided by Discord's system is instantly invalid. The same user can complete the process again and no error is returned the second time.
Out of desperation, I tried toggling on the option in the Developers Dashboard named Requires OAuth2 Code Grant seeing that it said "if your application requires multiple scopes," but it made no effect. I've also tried endless debugging, but the circumstances under each occurrence are apparently random. Oddly enough, I can't find anyone with the same issue online.
Below is the request I'm making in Node.js using the superagent library. It matches the documentation and works perfectly, other than the response randomly being the error described.
superagent.post('https://discordapp.com/api/v6/oauth2/token')
.type('x-www-form-urlencoded')
.set('Content-Type', 'application/x-www-form-urlencoded')
.send({
client_id: process.env.BOT_ID,
client_secret: process.env.BOT_SECRET,
grant_type: 'authorization_code',
code,
redirect_uri: process.env.OAUTH2_REDIRECT_URI,
scope: 'identify guilds.join',
});
I can confirm that all variables match their expected values. The value of redirect_uri matches that of redirect_uri in the original URL used. code is the value of the code querystring returned through the OAuth2 flow.
What (if anything) am I doing wrong that's causing the error?
Update 1:
Discord has directed me to the API GitHub repo, and I found the issue closed here. Commented and will update here if I receive any helpful info or resolve the issue completely (hopefully the case).
Ran into the same issue using nodejs. Leaving here notes for prosperity:
On Node, if there is no explicit app.head() handler, the .post() handler receives all head requests
Several Android phones, upon being redirected from discord, first send a head request to the endpoint
Meaning:
The user authenticates on discord, then through the redirect back, does a head request. This pulls discord with the code, BUT directly afterwards it also does a post request, which will fail (as you already used the code once), and possibly un-authenticates the user.
Solution for my specific issue was an explicit .head handler for all callback endpoints, which basically just returned the same headers (a redirect) as the post one did, but without calling discord.
Hope this helps.
did you use the OAuth2 link to invite your bot to your server - with the correct permissions? If so, in your main.js file did you define the token?
I.e. bot.login(“YOUR_TOKEN_HERE”)
I would recommend not toggling the ‘Requires OAuth2 Code Grant’ as it is a pain to do anything with in the beginning.
Please let me know of any progress :)
I have succesfully used the shared keyrock from filab to let my on web application to authentificate users, using oauth.
When I tried it with a second application, I get an error from FILAB web page: "Bad Request"
The error occurs after the users logs in.
Is there a way to get additional information, what was wrong with the request?
I'm guessing you are using the "authorization code grant" flow defined by the OAuth2 standard and supported by Keyrock. In that scenario, you need to provide three parameters when building the authentication URL:
response_type must be code (or token when using the "implicit grant" flow), otherwise IdM will return an unsupported_response_type error.
If the client_id exists, but the redirect_url doesn't match the one provided when creating the application, then a bad request error will be raised. This error can be raised if the client_id is wrong, if the redirect_url is wrong or if both are wrong. This is your case.
If the client_id app doesn't exist, the IdM will return a 404 error page.
If any of these parameters are missing in the request, the IdM will raise an invalid_request error.
Except for the error 404, Keyrock seems to follow the OAuth2 protocol.
When going through the Intuit technical review, Intuit has indicated that we need to check within our app to make sure the OAuth token is still valid.
So far I've found at least two different return codes that can happen when an OAuth token is invalid - are there more than just two? What other return codes should we be looking for?
Found so far:
HTTP 401 Unauthorized
HTTP 200 OK + a ErrorCode 3200
The only HTTP status that should be used is 401 Unauthorized. Any other response status is either a bug or a faulty implementation of the specification on Intuit's side.
It may be that the token is valid, just not for the resource that you are trying to access. In these cases it is good to be pragmatic and really specify for the API consumer WHY they get a 401. It is perhaps this scenario that Intuit covers with a 200 + error code. But this is just a guess.
Keith,
keep in mind you should not have to check to see if a token is invalid, you should always know. If the customer disconnects then they are sent to an OpenId endpoint with the realm where you can find them on your side and disconnect them.
Alternatively if you disconnect, then you know its invalid.
But yes this is a bug it should only be unauthorized. I just wanted to pointout that you should know the state before calling under normal use cases.
Jarred