When I googled NotBeforeError JWT Error, it says that it is an error that occurs when you try to use the issued token while it has not yet been activated.
When you have an inactive token, you do not have permission to access a specific resource, so I thought it might be 403.
If the issued token has not been activated yet, it will not pass authentication, so I think that 400 or other codes may be more suitable than 403.
I would say it is a 401 error. I use 401 for situations where the request does not have a valid credential. In your case, there is no valid token. I reserve 403 for situations where there is a valid token in the request, but it doesn't have the required permissions.
The difference is in how the client should react to these errors:
When you get a 401 it is information to the client that the user needs to authenticate. The reason why is not relevant — maybe the token has expired, maybe there's no token, or maybe it violates nbf.
When you get a 403 it is information that the user needs to present stronger credentials. Usually in this case, reauthenticating won't help and the user needs other ways of fixing the problem.
Related
I have some code that looks at "Basic Authorization" requests from many different sites.
I want to know if I can make the following assumptions:
A successful response (credentials are correct) will always have response code 200 OK
A failed response (incorrect credentials) will always have response code 401 Unauthorized
Are the above fair assumptions, or is the success/fail conditions configurable per site?
No, there are other possible response codes.
According to the official spec, there can also be the error code 407.
Also, on MDN:
If a (proxy) server receives invalid credentials, it should respond with a 401 Unauthorized or with a 407 Proxy Authentication Required, and the user may send a new request or replace the Authorization header field.
If a (proxy) server receives valid credentials that are inadequate to access a given resource, the server should respond with the 403 Forbidden status code. Unlike 401 Unauthorized or 407 Proxy Authentication Required, authentication is impossible for this user and browsers will not propose a new attempt.
In all cases, the server may prefer returning a 404 Not Found status code, to hide the existence of the page to a user without adequate privileges or not correctly authenticated.
Besides that, I'm quite sure that an actual successful attempt will result in status code 200.
The response of Authentication grand code for the request which i pass is 200 Ok. But am getting an html response in that. i couldn't find any code. Can You please help me.?
https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature&client_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXfeeb89&redirect_uri=https://localhost:44330/callback
This is the request which i send. But not receiving the authentication code. But It shows 200 OK.
In the admin tool, check that your integration key is set to use Authorization Code grant, not Implicit grant.
Also check that you've authorized your exact callback URI for your integration key.
If you're not getting any errors from DocuSign, then authenticate yourself and the your browser will then be redirected to your redirect uri, in this case https://localhost:44330/callback
I am trying to get access token for granting my sageone api request but before that I need to get the authorization code. But when I am trying to get one I got an error on my callback url that "email is already in use"
here is the request url
`https://www.sageone.com/oauth2/auth/central?filter=apiv3.1&client_id={{MY_CLIENT_ID}}&response_type=code&redirect_uri=http://localhost:85/test.php&scope=full_access&state=1234`
After visit above link I prompted to login to my sage account when I logged in then I redirected to the callback url which I provided in the above request and got below errors in parameters
http://localhost:85/test.php?error=Invalid+request&reason=Email+already+in+use&state=1234
any can body can suggest anything here
Email already in use usually happens in a situation, where you have logged into the Sage One/Accounting application in the browser for a different country in the past. There is a valid cookie for the user, but the application looks for the user in the wrong country.
Use this URL to reset the cookie: https://www.sageone.com/?clear. Call it before you go to https://www.sageone.com/oauth2/auth/central and this should be fixed.
Note: for more documentation about this behaviour, check out the FAQs: https://developer.sage.com/api/accounting/guides/faq/.
I always have this error when I follow ryan's tutorial to how to use Doorkeeper to protect rest API:
OAuth2::Error: invalid_grant: The provided authorization grant is
invalid, expired, revoked, does not match the redirection URI used in
the authorization request, or was issued to another client.
{"error":"invalid_grant","error_description":"The provided
authorization grant is invalid, expired, revoked, does not match the
redirection URI used in the authorization request, or was issued to
another client."}
when I'm in the phase of parsing token. What is the problem and how I can fix this ?
I have an habit of adjusting my time 20 minutes ahead and it's the source of this problem. Change back the time by synchronizing, now everything works :)
I'm writing a REST-ish API service the provides the ability to interact with the end user's data in other 3rd party services (themselves REST APIs) via OAuth. A common example might be publishing data from my service to a third-party service such as Facebook or Twitter.
Suppose, for example, I perform an OAuth dance with the end user and Facebook, resulting in some short-term access token that my service can use to interact with the user's Facebook account. If that access token expires and the user attempts to use my service to publish to Facebook, what sort of error do I return to the user?
401 doesn't seem quite right to me; it seems that 401 would apply to the user's auth state with MY service. 403 seems much more appropriate, but also quite generic.
401 is the way to go. Two excerpts from the RFC2616 which defines the HTTP protocol:
Section 10.4.2 (about 401):
If the request already included Authorization credentials, then the 401
response indicates that authorization has been refused for those
credentials.
This seems to be appropriate for expired tokens. There are authentication credentials, but they're refused, so the user agent must re-authenticate.
Section 10.4.4 (about 403):
The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated.
This should be used when the resource can't be accessed despite the user credentials. Could be a website/API that works only on US being hit by a asian IP or a webpage that has been declared harmful and was deactivated (so the content WAS found, but the server is denying serving it).
On OAuth2, the recommended workflow depends on how the token is being passed. If passed by the Authorization header, the server may return a 401. When passed via query string parameter, the most appropriate response is a 400 Bad Request (unfortunately, the most generic one HTTP has). This is defined by section 5.2 of the OAuth2 spec https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-26
There's nothing wrong with being generic, and it sounds like a 403 status would be relevant - there is nothing stopping you from providing a more human readable version that elaborates in a bit more detail why.
I think the following is a comprehensive list if you have some level of ambition when it comes to error responses.
400 Bad Request
For requests that are malformed, for example if a parameter requires an int between 0-9 and 11 has been sent. You can return this, and in the response body specify parameter x requires a value between 0 and 9
401 Unauthorized
Used only for authorization issues. The signature may be wrong, the nonce may have been used before, the timestamp that was sent is not within an acceptable time window, again, use the response body to specify more exactly why you respond with this. For the sake of clarify use this only for OAuth related errors.
403 Forbidden
Expressly to signify that an operation that is well formed, and authorized, is not possible at all (either right now, or ever). Take for example if a resource has been locked for editing by another user: use the response body to say something along the lines of Another person is editing this right now, you'll have to wait mmkay?.
403 Forbidden can also have to do with trying to reach resources. Say for example that a user has access to a resource /resource/101212/properties.json but not to /resource/999/properties.json, then you can simply state: Forbidden due to access rights in the response body.
404 Not Found
The requested resource does not exist. Or the URL simply does not successfully map to an API in your service. Specify in response body.
405 Method Not Allowed
This is to represent that the API can not be called with for example GET but another method must be used. When this is returned also you MUST return the extra response header Allow: POST, PUT, etc.