Outlook 365 OAuth login fails with Error in OAuth Server: temporarily_unavailable - oauth

My company develops a web app that requires 3rd party authentication with Outlook 365, to have access to mail, calendar and contacts.
We managed to get several users from various tenancies connected through OAuth using the normal OAuth flow and the endpoints:
https://login.microsoftonline.com/common/oauth2/authorize
https://login.microsoftonline.com/common/oauth2/token
But one user constantly fails at login with the error:
{
"line":"398",
"file":"oauth_server.js",
"message":"Error in OAuth Server: temporarily_unavailable",
"time":{"$date":1436988123251},
"level":"warn"
}
It only happens for his tenancy, and only on our production servers (he can successfully connect with our test servers).
All the settings are analogous for the production app and the test app in the AzureAd portal.
This error states that the Microsoft servers are unavailable, yet they manage to connect any other account, which tends to prove that this message is inaccurate...
Would anyone have a clue about this?
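To make the failure in the question concrete: the log line "Error in OAuth Server: temporarily_unavailable" is the standard OAuth 2.0 error code that the authorization server sends back on the redirect (as `error=temporarily_unavailable` in the callback query), so the relying party should surface it rather than treat it as a missing code. The following is an added example, not code from the question's app: the authorization-request and callback-handling pieces of the authorization-code flow against the two endpoints named above, with a `state` check against CSRF and explicit handling of the `error` response. The client id, redirect URI, `resource` value and callback URLs are constructed sample values, and the HTTP call to the token endpoint is left out so the code runs offline.

```python
"""Added example (not from the original post): authorization-code flow helpers
for the Azure AD v1 endpoints named in the question, with the two checks a
relying party should perform on the callback: verify the anti-CSRF `state`
value and surface the authorization server's `error` response.
All identifiers below are constructed sample values."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/authorize"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/token"

# Constructed sample values; real ones come from the Azure AD app registration.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example.com/oauth/callback"


def new_state() -> str:
    """Fresh unguessable state; store it server-side in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str, resource: str = "https://outlook.office.com/") -> str:
    """Authorization request. `resource` is the Azure AD v1 parameter naming the API
    the token is for; the Outlook REST resource used here is an assumption."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "state": state,
        "resource": resource,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> dict:
    """Inspect the redirect back from the authorization server.

    Returns {"ok": True, "code": ...} on success, otherwise {"ok": False,
    "error": <code>, "error_description": <text>}. Error codes such as
    access_denied, server_error and temporarily_unavailable are sent by the
    authorization server itself, which is what the question's log entry shows.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means this response was not started by us.
    if not hmac.compare_digest(state, expected_state):
        return {"ok": False, "error": "state_mismatch",
                "error_description": "state does not match the session"}
    if "error" in query:
        return {
            "ok": False,
            "error": query["error"][0],
            "error_description": query.get("error_description", [""])[0],
        }
    code = query.get("code", [None])[0]
    if not code:
        return {"ok": False, "error": "invalid_response",
                "error_description": "neither code nor error present"}
    return {"ok": True, "code": code}


def token_request_body(code: str, client_secret: str) -> dict:
    """Form body for the POST to TOKEN_URL (application/x-www-form-urlencoded).
    Returned as a dict; the HTTP request itself is omitted so this runs offline."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the one used in the authorize step
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }


if __name__ == "__main__":
    st = new_state()
    print(build_authorize_url(st))
    # Constructed callbacks: one success, one carrying the error from the question.
    print(parse_callback(f"{REDIRECT_URI}?code=sample-code&state={st}", st))
    print(parse_callback(f"{REDIRECT_URI}?error=temporarily_unavailable"
                         f"&error_description=try+again+later&state={st}", st))
```

Logging the `error` and `error_description` fields from the callback, rather than only the generic "Error in OAuth Server" line, is what lets a single failing tenancy be diagnosed from the production logs.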

This solved my problem:
I went to the AzureAd management portal,
went to the configuration page of my app,
changed the APP ID URI to something random
saved,
tried to connect with this account, successfully!
set back the APP ID URI to its original value.
Still works. I do not know why. Something must have been stuck in the pipe...

Related

DocuSign Power Apps Custom Connector not working

I am setting up the DocuSign REST connector in Power Apps. I have other APIs that are working well this same way.
I want to get this set up to sweep completed files on a schedule.
I started by going through this tutorial and tried the same setup. But when I try to test the connector I don't get prompted for credentials. We use SSO - so the window comes up and goes away without an error message.
https://www.docusign.com.au/blog/get-the-flow-sending-docusign-envelopes-microsoft-power-automate
I then tried to create a connection in Power Automate Data/Connections and get an error message after entering my dev credentials. The clientid (integration key) and the secret match.
OAuth2 authorization flow failed for service 'Generic Oauth 2'. OAuth 2 sign in failed to exchange code for access token. Client ID and secret sent in form body.. Response status code=NotFound. Response body: { "statusCode": 404, "message": "Resource not found" } Client ID and secret sent in Basic authorization header.. Response status code=NotFound. Response body: { "statusCode": 404, "message": "Resource not found" }
The setup looks correct. It seems like a reference problem, like the production account and the developer account are not in sync or something. I have the same email address for both production and developer accounts and we use SSO; maybe it's trying to reference production and not the developer account when it's logging in? Just guessing.
I have a ticket with them, but they have not been able to help so far, and they are on AEST time and I won't be able to get a response back from them for another couple of days :(
(I tried using the DocuSign Git repo API to create the connection as well; same problem)
Anyone have problems like this or know a solution? Anything else I can look at? This all seems straightforward, a standard OAuth setup.
Using this setup like in the article for the demo (dev) account.
DEMO:
IKey: Integration Key [captured earlier]
Secret Key: Secret Key [captured earlier]
Authorization URL (DEMO): https://account-d.docusign.com/oauth/auth
Token URL (DEMO): https://account-d.docusign.com/oauth/token
Refresh URL (DEMO): https://account-d.docusign.com/oauth/token
Scope: signature extended
This will connect to a single DocuSign user (like a "service account"). It will not prompt each user for their credentials. You will need 1 generic user set up within your DocuSign account, without SSO (you can set up an exception user in DocuSign admin. This is best practice when setting up SSO as a fallback in case SSO fails to log in as well).
The envelope will be sent from that generic user, not the actual user. This is common practice with some "system level" integrations.
Also, are you connecting a DocuSign "demo" or production account?
I ask because there are two connectors for Power Automate: "DocuSign" (for production) and "DocuSign Demo" (for demo). I would recommend doing it all in demo first, as the "client id" (aka "integration key") needs to go through a go-live process to be promoted from demo to prod (see the link in the guide).

Error message "You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure"

I am developing a web-based application that will allow my trusted staff to edit the titles, descriptions, tags, etc. of my YouTube channel. In attempting to "Opt In" to my own application, I was sent to the callback URI with an error message:
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure. You can let the app developer know that this app doesn't comply with one or more Google validation rules.
Some history - when I first attempted to obtain a code to exchange to an authorization token, it actually worked! However, as I was writing the code to harvest the code and exchange it for the authorization token, I repeated the "Opt In" process multiple times. Before I was ever able to perfect my code to exchange the code for an authorization token, I began getting the error message to the effect that the app is insecure and cannot be signed in to.
More history - after reading a Stack Overflow article describing something similar, I deleted the project, created a new project, generated a new Client ID and Client Secret, and then repeated the test with the same failure.
I am the only Test User of the app. I can't find any notification in my console alerting me to the nature of the security issue triggering the failures. I have reviewed the OAuth policies at
OAuth 2.0 Policies
and cannot find anything even remotely wrong.
What is wrong and how can I fix it?
I also had the same issue.
For me, it turned out that my redirect_uri was not valid. The redirect_uri that gave the error:
http://localhost:8000api/vi/oauth/google
What was wrong in my case:
I should have put a / before api.
vi is different from what I registered on GCP. It should be v1.
I would suggest you print out the redirect_uri when your app is performing the code exchange, and verify every single character carefully.
Additionally, check out the documentation of Redirect URI validation rules on Google to see if your redirect_uri complies with all the rules.
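The character-by-character comparison suggested in this answer is easy to automate, and the same check can apply a few of the redirect-URI rules before the app is ever registered. The block below is an added example, not code from the answer or from Google: `first_difference` reports where the URI the app sends diverges from the registered one (catching both the missing "/" and the "vi" vs "v1" typo above), and `rule_violations` applies a subset of Google's published redirect-URI validation rules as I recall them (HTTPS except for localhost, no fragment, no userinfo, no wildcard, no raw IP other than loopback, no path traversal); treat that list as an assumption and confirm it against the current documentation. The sample URIs are the ones from the answer plus constructed values.

```python
"""Added example (not from the answer above): locate the first mismatch between
the redirect_uri an app sends and the one registered in the console, and apply
a subset of Google's redirect-URI validation rules (recalled from the public
documentation; treat as an assumption, not an authoritative list)."""
import ipaddress
from urllib.parse import urlparse

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def first_difference(sent: str, registered: str):
    """Return (index, snippet) for the first differing character, or None if equal.
    The snippet shows both strings with a caret under the mismatch."""
    if sent == registered:
        return None
    n = min(len(sent), len(registered))
    idx = next((i for i in range(n) if sent[i] != registered[i]), n)
    snippet = (f"sent:       {sent}\n"
               f"registered: {registered}\n"
               f"            {' ' * idx}^")
    return idx, snippet


def rule_violations(uri: str) -> list:
    """List the rules `uri` breaks (empty list means none of the checked rules)."""
    p = urlparse(uri)
    problems = []
    if not p.scheme or not p.netloc:
        return ["must be an absolute URI with scheme and host"]
    host = p.hostname or ""
    is_loopback = host in LOOPBACK_HOSTS
    try:
        p.port  # raises ValueError for a non-numeric port such as "8000api"
    except ValueError:
        problems.append("port is not numeric (missing '/' after the port?)")
    if p.scheme != "https" and not is_loopback:
        problems.append("scheme must be https (localhost is exempt)")
    if p.fragment:
        problems.append("must not contain a fragment")
    if p.username or p.password:
        problems.append("must not contain userinfo")
    if "*" in uri:
        problems.append("must not contain wildcards")
    try:
        ipaddress.ip_address(host)
        if not is_loopback:
            problems.append("host must not be a raw IP address (loopback is exempt)")
    except ValueError:
        pass  # host is a name, not an IP literal
    if "/.." in p.path or "/./" in p.path or p.path.endswith("/."):
        problems.append("path must not contain traversal segments")
    return problems


if __name__ == "__main__":
    # The URI from the answer beside the (assumed) registered one.
    sent = "http://localhost:8000api/vi/oauth/google"
    registered = "http://localhost:8000/api/v1/oauth/google"
    idx, snippet = first_difference(sent, registered)
    print(f"first mismatch at index {idx}\n{snippet}")
    print("violations:", rule_violations(sent))
    # Constructed production-style values.
    print("violations:", rule_violations("http://app.example.com/oauth/google"))
    print("violations:", rule_violations("https://app.example.com/oauth/google"))
```

Run `first_difference` against the exact string the console shows, not a value retyped by hand; the whole point of the answer is that the mismatch can be a single character.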
You probably changed the port where the project is running or you did not define the address where the project is running in Google Cloud.
Google Cloud → APIs and Services → Credentials → OAuth 2 Client ID → change Authorized JavaScript origin to the port that your app runs on the local or shared host.
The URL may take time to define, so it may not work right away, so you can also create a new credential.
For me the redirect_uri was correct, but as a result of an error, the access code was requested for a different client ID.

ADFS, iOS, and certificates

I'm using the MSAL framework in an iOS app. It all works well when I authenticate against our inside ADFS server that only needs username/password. The public-facing server requires a client certificate. From the public Internet, when I hit the Graph API without a token, I get redirected to a page that says a certificate is required and to select one to use. There is nothing to select and I can't do anything other than exit at that point. I see the same behavior with macOS and Safari. Am I missing something, or should this work?

Error: deleted_client while logging with Google

I am getting the below error while login with google through Keycloak.
401. That’s an error.
Error: deleted_client
The OAuth client was deleted.
Request Details That’s all we know.
The application you are using has a client ID created via the Google developers console. The client ID in question was deleted; you're going to have to create a new client ID and recompile your application.
That is assuming this "Keycloak" is your own application. If not, then you should contact the developer of the application; they have a problem.

yammer oauth against external network?

With yammer OAuth, is it possible to register an app on an external yammer network and then authenticate users against this external network, rather than the primary network?
Update 9/30/2014 -- to clarify, my goal is to use Yammer OAuth as a gateway to my own (Python based) application, allowing only users of the external network in.
I've got this working on a non-SSO primary & external network combo. After the external network user successfully signs in via Yammer, and they are redirected to my callback URL, I make a call to /networks/current. I can then check to see if the target external network ID appears in their list, and if so let them in.
When I switch my application to use API credentials for an app registered on an SSO-enabled primary network & non-SSO external network, and try to log in with an external network user, things stop working. After the Yammer sign-in process completes (note: Yammer kicks them out to the SSO endpoint and sign-in is completed there), and the user is redirected back to my app, I get a 403 Forbidden error. The process never makes it to my call to get their networks... If I try logging in with a user of the primary (SSO-enabled) network, it works (my custom login fails them since they are not a member of the correct network).
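The gating step the question describes (call /networks/current after the callback and admit the user only if the target external network ID is in the list) is the authorization decision this whole flow exists for, so it is worth writing so that it fails closed. The following is an added example, not the question's own application: `allowed_by_network` makes the decision from the decoded response, and `gate_user` wraps a fetch function so the 403 the questioner hits on the SSO network is reported as a denial rather than an exception. The shape of the /networks/current response (a JSON list of objects with an `id` field) is an assumption, and the network IDs and sample responses are constructed.

```python
"""Added example (not from the original post): fail-closed membership check for
a Yammer-OAuth login gate. Assumes /networks/current returns a JSON list of
network objects each carrying an integer `id`; all ids and responses here are
constructed sample data."""
import json
from typing import Callable, Tuple

# Constructed: the external network this application is meant to admit.
TARGET_EXTERNAL_NETWORK_ID = 4242


def allowed_by_network(networks_json: str, target_id: int = TARGET_EXTERNAL_NETWORK_ID) -> Tuple[bool, str]:
    """Decide admission from the body of /networks/current.

    Returns (allowed, reason). Anything unexpected (unparseable body, wrong
    shape, missing ids) denies access rather than guessing.
    """
    try:
        networks = json.loads(networks_json)
    except ValueError:
        return False, "networks response is not valid JSON"
    if not isinstance(networks, list):
        return False, "networks response is not a list"
    member_ids = set()
    for net in networks:
        if isinstance(net, dict) and isinstance(net.get("id"), int):
            member_ids.add(net["id"])
    if target_id in member_ids:
        return True, f"member of network {target_id}"
    return False, f"network {target_id} not among {sorted(member_ids)}"


def gate_user(access_token: str,
              fetch_networks: Callable[[str], Tuple[int, str]]) -> Tuple[bool, str]:
    """Run the post-callback check. `fetch_networks(token)` performs the
    authenticated GET of /networks/current and returns (status_code, body);
    it is injected so the decision logic can be exercised offline."""
    status, body = fetch_networks(access_token)
    if status != 200:
        # This is where the questioner's SSO case lands: a 403 before any
        # membership data exists, so the user is denied and the status logged.
        return False, f"/networks/current returned HTTP {status}"
    return allowed_by_network(body)


# Constructed responses standing in for the real API.
MEMBER_BODY = json.dumps([{"id": 1001, "name": "Home network", "is_primary": True},
                          {"id": 4242, "name": "Partner network", "is_primary": False}])
NON_MEMBER_BODY = json.dumps([{"id": 1001, "name": "Home network", "is_primary": True}])


def fake_fetch_member(token: str) -> Tuple[int, str]:
    return 200, MEMBER_BODY


def fake_fetch_forbidden(token: str) -> Tuple[int, str]:
    return 403, "Forbidden"


if __name__ == "__main__":
    print(gate_user("constructed-token", fake_fetch_member))
    print(gate_user("constructed-token", fake_fetch_forbidden))
    print(allowed_by_network(NON_MEMBER_BODY))
```

In the real application `fetch_networks` is the HTTP client call with `Authorization: Bearer <token>`; keeping it injectable is what lets the denial paths (non-200, malformed body, wrong network) be tested without a Yammer account.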
You need to globalize your SSO App to get things working. For this you need to raise a request to the Yammer helpdesk.
I tried this same implementation recently and didn't work because the userID (of the authenticated user) that's associated with the external network's access token is the home network's UserID. I worked around it by:
Opening Chrome
Sign into the external network
Right-click -> Inspect Element
Click Network Tab
Refresh page
Double-click on any row containing ‘…./api/v1/…’
Click headers tab in side panel
Token is found in “Authorization: Bearer …”
You can then pass that bearer token in your REST request header
NOTE: Mine was an SSO enabled network so your mileage may differ :)