What's the difference between unauthorized_client and access_denied - oauth-2.0

I'm reading the OAuth2 specs and I'm confused by the unauthorized_client and access_denied error codes. They seem to express the same error condition, don't they? At first glance (by error code) I thought one was for authentication failure and the other for authorisation failure, but they are really both about authorisation failure, which would translate into an HTTP 403 status code.
unauthorized_client
The client is not authorized to request an access token using this method.
access_denied
The resource owner or authorization server denied the request.

unauthorized_client:
In a practical sense, this error might come:
If the client is requesting a scope which is not allowed
Suppose you are going for the refresh token flow but the client configuration on the server doesn't allow that.
Similar use cases where the client is trying to do something which is not allowed as per the client config on the authz server
Now, the above issue occurs with the fault being with the client.
access_denied
This might occur if your client is OK but
The resource owner cancelled the OAuth flow (for example, when some client hits Google, a consent page appears where the user can either allow or deny access)
If the resource server for some reason feels that this client should not be granted access
As you can see, access_denied is caused by either the resource owner or the server and not by the client.
I hope this helps

Related

se.curity.identityserver.util.AllowedFrameOriginUtils

I was trying out the Curity configuration for an authentication service and a token service for OAuth and OpenID Connect locally. After all the configuration, when I was trying to test it with the OAuth Assistant, I get an error:
Bad request
The request could not be processed
In the terminal, I can see these two INFO logs for particular
se.curity.identityserver.util.AllowedFrameOriginUtils - Requested origin is not allowed: 'http://localhost:...'
se.curity.identityserver.controllers.authorize.AuthorizeOAuthRequestModelProvider - Could not establish the redirect uri for request and client www. If this error occurs *after* being redirected to the authentication service and back, then this error has probably occurred because the original session cookie has been lost. Ensure that the cookie named 'sessionid' was sent to the authentication service. If not, check that the user's browser is not withholding it (for example by the cookie jar becoming full) and that a reverse proxy is not interfering with it.
There is no issue with sessionid. Does anyone know how to fix this issue?

How to request access token from Battle.net OAuth with authorization code?

I have a hobby project in mind to use battle.net login. I'm wondering how I can obtain the access token from the API after receiving the authorization code.
This is an OAuth flow question rather than a Battle.net question.
Currently I can successfully authorize the user for my app, which is registered in dev.battle.net, and then I try to use the authorization code returned from the Battle.net login to obtain the access token by sending a request to https://<region>.battle.net/oauth/token.
However I keep receiving this error:
{
"error": "unauthorized",
"error_description": "An Authentication object was not found in the SecurityContext"
}
I use the Postman extension to send POST requests to that URI. I authenticate my request with my client id and secret. I pass redirect_uri (https://localhost), granty_type (authorization_code), and code (the code returned from the previous authorization step). However, I keep getting the error above.
I couldn't find much about Battle.net online. There are other OAuth-related help articles but I couldn't really find my way.
Wondering if you can help me with this easy stuff. I'm just wondering what I'm skipping here.
Here is the documentation:
https://dev.battle.net/docs/read/oauth
https://localhost is added in my Mashery dev account's app settings.
Me again, I resolved this problem after trying almost every combination in the universe:)
Steps to apply:
Don't use the same authorization token for different access token trials; they are not valid
Always use https on every domain you test, including localhost; your redirect_uri must be https as well.
You must use "Basic authentication" in the header of your POST request while requesting the token from the authorization code you obtained in the previous step.
This is one of the most important ones: for requesting the token, pass redirect_uri, client key and secret as POST form parameters to the authenticated request. This is interesting because it's already an authenticated request; why would I need to pass my secret again? Anyway, that's how it works.
Here is the full text:
http://hakanu.net/oauth/2017/01/26/complete-guide-of-battle-net-oauth-api-and-login-button/
This is a working prototype:
https://owmatch.me
Thanks.
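As an added illustration (not code from the post, from Battle.net or from the linked guide), the following Python model of a token endpoint shows why each of the steps above matters from the server's side: client authentication via the Basic header (or, as RFC 6749 also allows, client_id and client_secret as form fields), single-use authorization codes bound to the client, and a redirect_uri that must match the one used in the authorization request. The client name, secret, code and redirect_uri are constructed placeholders.

```python
import base64
from urllib.parse import parse_qs

# Constructed data (placeholders, not real Battle.net values): registered client
# secrets, and authorization codes issued earlier together with the client they
# were issued to and the https redirect_uri used in the authorization request.
CLIENTS = {"hobby-app": "s3cret"}
ISSUED_CODES = {"abc123": {"client_id": "hobby-app",
                           "redirect_uri": "https://localhost/cb", "used": False}}

def basic_header(client_id, secret):
    """Header value the client sends for HTTP Basic client authentication."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def client_from_basic_header(headers):
    """Return (client_id, secret) from an 'Authorization: Basic ...' header, else None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None

def token_endpoint(headers, body):
    """Validate an authorization_code grant; returns (http_status, json_dict)."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    # Client authentication: the Basic header is preferred; RFC 6749 also allows
    # client_id/client_secret as form fields, which is what the answer above needed.
    creds = client_from_basic_header(headers) or (
        (form["client_id"], form["client_secret"])
        if "client_id" in form and "client_secret" in form else None)
    if creds is None or CLIENTS.get(creds[0]) != creds[1]:
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    record = ISSUED_CODES.get(form.get("code"))
    # The code must exist, be unused, belong to the authenticated client and have
    # been issued for the same redirect_uri; any mismatch is invalid_grant.
    if (record is None or record["used"] or record["client_id"] != creds[0]
            or form.get("redirect_uri") != record["redirect_uri"]):
        return 400, {"error": "invalid_grant"}
    record["used"] = True  # single use: retrying with the same code now fails
    return 200, {"access_token": "CONSTRUCTED_TOKEN", "token_type": "bearer"}
```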

What is the best HTTP status code for blocked user profile in rails api?

I wrote an API for a social app in Rails. This app is like Facebook: users can block other users. If user A blocks user B, user B can't view the profile page of user A. So what is the best HTTP status code I should return: 404, 403, 204 or 200 (render nothing)?
I much prefer to use 403 Forbidden
The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).
If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.
An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).
https://www.rfc-editor.org/rfc/rfc7231#section-6.5.3
A best practice for this is 403; however, doing so will expose the fact that the user has been blocked. If you don't want that, you can return 404. GitHub, as an example, always returns 404 for unauthorized access to private repos.

Access Protected Resource API gives “401 Unauthorized” error

I want to add authorization to my project based on this tutorial. I've got the part about retrieving an access token working. But when using the token to access a protected resource API, I get a 401 Unauthorized error.
The request has an Authorization header with scheme Bearer containing the access token. Like in the tutorial, the API is protected with the [Authorize] attribute. During startup I set up Bearer authentication with
UseOAuthBearerAuthentication(new Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationOptions())
It is not clear to me why the request is unauthorized. What can I check to find the cause of this problem?
After trying and checking many things, I noticed the authorization server and the resource server were using different versions of Owin and Owin.Security. After updating the older one, it worked. The tokens must have changed between the two versions.

How to debug keyrock

I have successfully used the shared Keyrock from FILAB to let my own web application authenticate users, using OAuth.
When I tried it with a second application, I got an error from the FILAB web page: "Bad Request"
The error occurs after the user logs in.
Is there a way to get additional information, what was wrong with the request?
I'm guessing you are using the "authorization code grant" flow defined by the OAuth2 standard and supported by Keyrock. In that scenario, you need to provide three parameters when building the authentication URL:
response_type must be code (or token when using the "implicit grant" flow), otherwise IdM will return an unsupported_response_type error.
If the client_id exists but the redirect_url doesn't match the one provided when creating the application, then a bad request error will be raised. This error can be raised if the client_id is wrong, if the redirect_url is wrong, or if both are wrong. This is your case.
If the client_id app doesn't exist, the IdM will return a 404 error page.
If any of these parameters are missing in the request, the IdM will raise an invalid_request error.
Except for the error 404, Keyrock seems to follow the OAuth2 protocol.
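To make both the unauthorized_client versus access_denied question at the top of the page and the Keyrock behaviour described here concrete, the following added Python model (not Keyrock's or any real server's code) walks through an authorization endpoint's checks in RFC 6749 order, separating errors that must be shown to the user directly from those returned to the client at its redirect_uri. The client registry and parameter values are constructed.

```python
from urllib.parse import urlencode

# Constructed client registry (not from any real server): what each client may do.
CLIENTS = {
    "www": {"redirect_uris": {"https://app.example/cb"},
            "response_types": {"code"},
            "scopes": {"openid", "profile"}},
}

def authorize(params, consent_granted):
    """Authorization endpoint checks in RFC 6749 order: ("direct", status, msg)
    when the error must be shown to the user and NOT sent to redirect_uri, or
    ("redirect", url) when the client gets a normal response at redirect_uri."""
    client = CLIENTS.get(params.get("client_id"))
    redirect_uri = params.get("redirect_uri")
    # Unknown client or unregistered redirect_uri: the server must not redirect
    # (the URI may be attacker-chosen), so the user sees an error page instead.
    # This is Keyrock's "Bad Request"; Keyrock uses a 404 page for an unknown client.
    if client is None:
        return ("direct", 404, "unknown client_id")
    if redirect_uri not in client["redirect_uris"]:
        return ("direct", 400, "redirect_uri does not match the registered value")

    def reply(**fields):
        # Echo state back unchanged so the client can correlate the response.
        if params.get("state") is not None:
            fields["state"] = params["state"]
        return ("redirect", f"{redirect_uri}?{urlencode(fields)}")

    response_type = params.get("response_type")
    if response_type is None:
        return reply(error="invalid_request", error_description="response_type missing")
    if response_type not in ("code", "token"):
        return reply(error="unsupported_response_type", error_description=response_type)
    # Client and redirect are fine, but the client's registration does not allow
    # this grant method: the fault is with the client, hence unauthorized_client.
    if response_type not in client["response_types"]:
        return reply(error="unauthorized_client",
                     error_description=f"client may not use response_type={response_type}")
    if not set(params.get("scope", "").split()) <= client["scopes"]:
        # RFC 6749 defines invalid_scope for this case; the first answer on this
        # page describes servers that report it as unauthorized_client instead.
        return reply(error="invalid_scope", error_description="scope not registered")
    # Nothing is wrong with the client; the resource owner (or server policy)
    # refuses anyway: access_denied.
    if not consent_granted:
        return reply(error="access_denied", error_description="resource owner denied")
    return reply(code="CONSTRUCTED_CODE")  # placeholder authorization code
```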
