Getting the error "The security token included in the request is invalid" using aws-amplify in the following scenarios
Fully Authenticated app tested it for 30 min, kept idle for another 30 min, got the error.
Questions is: If the token expired, lib should be in a position to request the new token or throw a message to authenticate again.
Related
When I googled NotBeforeError JWT Error, it says that it is an error that occurs when you try to use the issued token while it has not yet been activated.
When you have an inactive token, you do not have permission to access a specific resource, so I thought it might be 403.
If the issued token has not been activated yet, it will not pass authentication, so I think that 400 or other codes may be more suitable than 403.
I would say it is a 401 error. I use 401 for situations where the request does not have a valid credential. In your case, there is no valid token. I reserve 403 for situations where there is a valid token in the request, but it doesn't have the required permissions.
The difference is in how the client should react to these errors:
When you get a 401 it is information to the client that the user needs to authenticate. The reason why is not relevant — maybe the token has expired, maybe there's no token, or maybe it violates nbf.
When you get a 403 it is information that the user needs to present stronger credentials. Usually in this case, reauthenticating won't help and the user needs other ways of fixing the problem.
Using the ADAL library with a government account, the authorization token request fails due to a server timeout. The token is needed to make EWS calls to the server. The authority being used is "https://logon.microsoftonline.us". The resource is "https://outlook.office.us".
There is no issue when retrieving a token from a public tenant (our company tenant) and our product. We receive the token using ""https://logon.microsoftonline.com". The resource is "https://outlook.office.com".
We can access the server with the same credentials at "https://owa.us.af.mil/f5-w-{REDACTED}/adfs/ls/?client-request-id={REDACTED}". But ADAL times out with "https://federation.us.af.mil/adfs/ls/?login_hint={REDACTED}.af.mil&client-request-id={REDACTED}&username={REDACTED}.af.mil&wa=wsignin1.0&wtrealm={REDACTED}"
Does the government server have the proper ADFS configuration? If so, what would be the probable solution?
Is our tenant setup correctly? Do we need a public tenant for public app access and a government tenant for government clients? Or can those be interchangeable?
We setup a public and a government AAD app to handle token requests. We thought that could have been the issue. No change. I also did several variations on the authority and resources used in the request. No change. I even tapped into ADAL and use our HTTPS protocol instead of the standard Apple HTTPS protocol.
Below is the context setup and token call method used.
let authContext = ADAuthenticationContext(authority: authority, validateAuthority: true, error: &error)
authContext?.credentialsType = AD_CREDENTIALS_EMBEDDED
authContext?.acquireToken(withResource: self.resource, clientId: self.clientId, redirectUri: self.redirectUri,
userId: self.userID!, completionBlock: { result in })
The token request will always timeout at this point:
ADAL 2.7.5 iOS Sim 12.1 [2018-12-12 17:14:38 - F06F784C-7F5B-4231-BE34-714AF8204357] -webAuthDidFailWithError: Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." UserInfo={NSUnderlyingError=0x600002fa5380 {Error Domain=kCFErrorDomainCFNetwork Code=-1001 "The request timed out." UserInfo={NSErrorFailingURLStringKey=https://federation.us.af.mil/adfs/ls/?login_hint={REDACTED}.af.mil&client-request-id={REDACTED}&username={REDACTED}.af.mil&wa=wsignin1.0&wtrealm={REDACTED}
The user experiences a pop up window with a blank screen. The window would normally show text asking for permission to use the app. A timeout message hits about 60 seconds later.
apologies for the delayed response on this. Instead of outlook.office365.us, the resource you should be using is either portal.apps.mil or outlook-dod.office365.us.
Does that help?
I've registered as a developer with eBay and created an app.
I generated an Oauth (not Auth'n'Auth)
Using Postman to generate a simple request (image) and recieving an error for token invalidity
Error: Invalid access token. Check the value of the Authorization HTTP request header.
What am I doing wrong here?
If your token is for "sandbox" environment, make sure you use sandbox API endpoints for your requests as well.
Instead of https://api.ebay.com/buy/browse/v1/...,
try https://api.sandbox.ebay.com/buy/browse/v1/....
One of the issues which might have happened is:
The access token might have expired
Use the refresh token to refresh the access token when it expires — you know when to do this when your call to the API returns a status code of 401 and the above body you saw in Postman.
I'm trying to acquire a 2 legged oauth2 access token for google's storage api through a service account.
The relevant documentation is contained here:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount
I first tried attempted to acquire the token through their HTTP/REST api. I eventually gave up being unable to get past a 400 response with the following details:
{ "error" : "invalid_grant" }
I then turned to the recommended method: using the java Google api client library (I'm using scala).
val credentialBuilder = new GoogleCredential.Builder()
.setTransport(GoogleNetHttpTransport.newTrustedTransport())
.setJsonFactory(JacksonFactory.getDefaultInstance())
.setServiceAccountId(Configuration.GoogleAPI.ServiceAccount.email)
.setServiceAccountPrivateKeyFromP12File(new File(Configuration.GoogleAPI.ServiceAccount.pkcs12))
.setServiceAccountScopes(Collections.singleton(StorageScopes.DEVSTORAGE_FULL_CONTROL))
def updateToken = {
val credential = credentialBuilder.build()
credential.refreshToken()
// ... do stuff here with token
}
Running the above, I get a TokenResponseException, with a payload identical to the error I was getting directly accessing the REST api. 400 Bad Request, invalid_grant error.
Doing some research (on both stackoverflow and elsewhere), I find that the most common reasons for this error message are:
1) The local clock is not synced with Google's servers. I suspected this even back when I was using the REST api because I've encountered this issue for other services before. I'm fairly sure its not a clock issue however, because I have repeatedly synced my clocks with an external ntp server:
sudo ntpdate -s ntp.ubuntu.com
2) The other common cause for this error is setting the service account client ID incorrectly. Most people set it to their service account client id (ending with "apps.googleusercontent.com") instead of their service account client email. Its pretty clear that this isn't the problem, since I'm correctly pointing to the email (the docs instructed this, so I followed the directions), ending with "#developer.gserviceaccount.com".
I'm stuck. I've checked the user documentation, the javadocs, various forums. The error message isn't very helpful (probably designed that way, since it's a security endpoint).
What other possible causes for this error exist? What can I do to get my service account access token?
If you are using OAuth2.0 to access a google analytics account then there could be one more reason of getting invalid_grant. As per developer docs:
If the application attempts to use an invalidated refresh token, an
invalid_grant error response is returned. The limit for each unique
pair of OAuth 2.0 client and Google Analytics account is 25 refresh
tokens (note that this limit is subject to change). If the application
continues to request refresh tokens for the same Client/Account pair,
once the 26th token is issued, the 1st refresh token that was
previously issued will become invalid. The 27th requested refresh
token would invalidate the 2nd previously issued token and so on.
INFO: com.google.api.client.auth.oauth2.TokenResponseException: 400 OK
{
"error" : "invalid_grant"
}
my code is
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(js)
.setServiceAccountId(emailId)
.setServiceAccountScopes(scopes)
.setServiceAccountPrivateKeyFromP12File(new File(privateKeyPath)).build();
System.out.println("SERVICE ACCOUNT SERVLET CALLED");
credential.refreshToken();
this method is running fine but suddenly it starts to give error.
Possible reasons:
1) I was having a similar problem caused by the time on my server being incorrect. Make sure your system clock is synchronized.
2) You should reuse the access token you get after the first successful authentication. You will get an invalid_grant error if your previous token has not expired yet. Cache it somewhere so you can reuse it.
3) Make sure that you pass the access token, and not refresh token as that fails. When you run, it turns the OAUth2 refresh token into an access token and passes that to the service. If you pass the raw refresh token, this is not acceptable for API access without turning it into a short-lived access token.
4) You might have reached the refresh token limit. Certain Google APIs have this, some explanation you can find here: https://developers.google.com/compute/docs/authentication
5) You also can revoke it. Go to your Google API Console ( https://code.google.com/apis/console/ ) and revoke your Client Secret under Client ID for installed applications. Be sure to also update your code with the new Client Secret