Keycloak does not refresh the token - authentication

I'm trying to refresh a token but Keycloak returns a 400 Bad Request error with the following message:
{
"error": "invalid_grant",
"error_description": "Invalid refresh token"
}
I successfully get the refresh token in a request like this:
curl --location --request POST 'http://localhost:8080/auth/realms/my_realm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=my_user' \
--data-urlencode 'password=my_password' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=my_client_id' \
--data-urlencode 'client_secret=my_client_secret'
So I get a JWT response with access token and refresh token. Both of them appear to be valid as I load them in jwt.io.
But when I try to use the refresh token I get the previous error. The request is like this:
curl --location --request POST 'http://localhost:8080/auth/realms/my_realm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=my_client_id' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=my_refresh_token' \
--data-urlencode 'client_secret=my_client_secret'
In Keycloak's log there is no clue of what the problem is.
What could be the cause? Or at least, is there a way to get more info on the cause of the error from Keycloak's response or log?
EDIT:
I have implemented a User Storage Provider SPI so it does the authentication against an external DB, but it doesn't manage users in Keycloak. Is it necessary that the token owner user exists in Keycloak for refreshing the token to work?
Thanks.

Finally it was an issue in my User Storage Provider SPI. It was necessary to implement the following method, as Keycloak takes the user ID from the refresh token and looks for the user by that ID:
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.StorageId;
// Keycloak resolves the refresh token's "sub" claim through this lookup; for a
// federated user the id has the form f:<providerId>:<externalId>
@Override
public UserModel getUserById(String id, RealmModel realm) {
    StorageId storageId = new StorageId(id);
    String username = storageId.getExternalId(); // this provider stores the username as the external id
    return getUserByUsername(username, realm);
}
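As an added illustration (not from the original question or answer), the following Python script decodes a refresh token's claims the way one would when diagnosing this error, and mirrors the StorageId resolution the answer describes. The sample token, the in-memory "external database", the provider id ext-db and the list of checks are constructed here and only approximate what Keycloak does before it answers invalid_grant; the decoder does not verify the signature and is for diagnosis only.

```python
import base64
import json

# Constructed sample: an unsigned refresh-token payload shaped like Keycloak's
# (typ=Refresh, azp=client id, sub=user id). The provider id "ext-db" is an
# assumption for illustration; a real token is signed and verified by Keycloak.
NOW = 1_700_000_000
SAMPLE_PAYLOAD = {
    "typ": "Refresh",
    "azp": "my_client_id",
    "sub": "f:ext-db:my_user",
    "exp": NOW + 1800,
    "iss": "http://localhost:8080/auth/realms/my_realm",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(payload: dict) -> str:
    """Build an alg=none JWT for the offline demo (never accept such tokens server-side)."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}."

def decode_payload(token: str) -> dict:
    """Decode the claims WITHOUT verifying the signature (diagnostics only)."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def parse_storage_id(user_id: str):
    """Mirror Keycloak's StorageId: federated ids look like f:<providerId>:<externalId>."""
    if not user_id.startswith("f:"):
        return None, user_id                 # local Keycloak user, plain UUID
    sep = user_id.index(":", 2)              # external id may itself contain ':'
    return user_id[2:sep], user_id[sep + 1:]

# Constructed stand-in for the external user database the SPI authenticates against
EXTERNAL_DB = {"my_user": {"email": "my_user@example.com"}}

def get_user_by_id(user_id: str, provider_id: str = "ext-db"):
    """What the provider's getUserById must do: resolve the StorageId to an external user."""
    pid, external_id = parse_storage_id(user_id)
    if pid is None or pid != provider_id:
        return None                          # not one of ours -> Keycloak cannot refresh
    return EXTERNAL_DB.get(external_id)

def check_refresh_request(token: str, client_id: str, now: int = NOW) -> list:
    """Approximate the preconditions behind 'invalid_grant: Invalid refresh token'."""
    claims = decode_payload(token)
    problems = []
    if claims.get("typ") not in ("Refresh", "Offline"):
        problems.append(f"not a refresh token (typ={claims.get('typ')})")
    if claims.get("azp") != client_id:       # refresh tokens are bound to the issuing client
        problems.append(f"issued to client {claims.get('azp')!r}, not {client_id!r}")
    if claims.get("exp", 0) <= now:
        problems.append("refresh token expired")
    if get_user_by_id(claims.get("sub", "")) is None:
        problems.append(f"user {claims.get('sub')!r} cannot be resolved by the storage provider")
    return problems

if __name__ == "__main__":
    tok = make_unsigned_jwt(SAMPLE_PAYLOAD)
    print(check_refresh_request(tok, "my_client_id"))   # []
    print(check_refresh_request(tok, "other_client"))   # client mismatch
    ghost = make_unsigned_jwt({**SAMPLE_PAYLOAD, "sub": "f:ext-db:ghost"})
    print(check_refresh_request(ghost, "my_client_id")) # user not resolvable
```

The last case is the one from this thread: the token is well formed and unexpired, but the sub is a federated id that the provider cannot turn back into a user, so the only thing the server reports is invalid_grant.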

Related

Cognito Service Authentication returns valid JWT but subsequent JWT validations fail

I have a lambda that accepts a username and password and returns a JWT. The code (seen below) basically uses cognito adminInitiateAuth() to use the username and password to get the JWT.
const AWS = require('aws-sdk');

let USER_POOL_CLIENT_ID = "6adc4ziG7GCzYmMwhWWVnJySbP";
let USER_POOL_ID = "us-east-1_upxvqiJUP";
AWS.config.update({region: 'us-east-1'});
const cognito = new AWS.CognitoIdentityServiceProvider();

// Lambda handler: trades a username/password for Cognito tokens using the
// server-side admin auth flow; the app client must have this flow enabled
exports.handler = async (event) => {
    let params = {
        AuthFlow: "ADMIN_NO_SRP_AUTH",
        ClientId: USER_POOL_CLIENT_ID,
        UserPoolId: USER_POOL_ID,
        AuthParameters: {
            USERNAME: event.username,
            PASSWORD: event.password
        }
    };
    //console.log(`${JSON.stringify(params)}`); // would write the password to the log
    const jwtContainer = await cognito.adminInitiateAuth(params).promise();
    console.log(`jwtContainer = ${JSON.stringify(jwtContainer)}`); // note: this writes the tokens to CloudWatch Logs
    return jwtContainer.AuthenticationResult; // IdToken, AccessToken, RefreshToken, ExpiresIn
};
This seems to work and, in fact, does return a valid JWT with a kid decoded by jwt.io. Whenever I attempt to use the JWT on a different endpoint that is JWT protected (as seen below) I get an error:
curl -v https://myapi.execute-api.us-east-1.amazonaws.com/reset-service-auth-password \
-H 'Accept-Language: en-US,en;q=0.9' \
-X POST \
-d '{"password": "xyz123","confirmPassword": "22221"}' \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Origin: http://localhost:8080" \
-H 'Authorization: Bearer jwtdataxxxxxxxxxxxxxxxx'
But when I execute the above I get this error:
www-authenticate: Bearer scope="aws.cognito.signin.user.admin" error="invalid_token" error_description="unable to find an appropriate key in the JWKS. Ensure a "kid" is provided in the JWT, and that your JWKS has a supported cert available for this ID"
I checked my JWKS and the kid in the JWT is in fact in the JWKS. I am not sure what to do next or what is really wrong.
My authorizer expects the scope aws.cognito.signin.user.admin and my client does not require a secret. Please ask any clarification that you might need to help me with this issue.
I've had the same issue today. I hope you figured it out since then but, just in case, and for others...
I followed the same investigation steps that you did. I was convinced there was something wrong with AWS. There's not.
In my case, the token was generated against our production pool, but a development endpoint leaked in the config, and we were trying to authenticate on a wrong endpoint.
So my guess is that you got something similar: recheck your URLs, there's probably a mismatch between your pool ID and the API you request.
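Added example, not part of the question or the answer above: a small Python pre-flight check that decodes an access token (without verifying it) and compares its iss and kid against the pool an authorizer is configured for. The tokens, the JWKS documents and the second pool id us-east-1_DevPool0001 are constructed for the illustration; the issuer and JWKS URL formats are Cognito's documented ones. Run against a token from the production pool with the authorizer pointed at the other pool, it reproduces the two things that go wrong at once: the issuer does not match, and the kid is absent from the JWKS the authorizer actually fetched, which is exactly the "unable to find an appropriate key in the JWKS" message even though the kid is present in the production pool's JWKS.

```python
import base64
import json

REGION = "us-east-1"
PROD_POOL_ID = "us-east-1_upxvqiJUP"    # pool id from the question
DEV_POOL_ID = "us-east-1_DevPool0001"   # hypothetical second pool, for the mismatch case

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_unsigned_jwt(header: dict, payload: dict) -> str:
    """Build a demo token with an empty signature; real tokens are RS256-signed by the pool."""
    return f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}."

def issuer_for(region: str, pool_id: str) -> str:
    """Cognito user-pool tokens carry iss = https://cognito-idp.<region>.amazonaws.com/<pool id>."""
    return f"https://cognito-idp.{region}.amazonaws.com/{pool_id}"

def jwks_url_for(region: str, pool_id: str) -> str:
    """Where a validator for this pool fetches its signing keys from."""
    return issuer_for(region, pool_id) + "/.well-known/jwks.json"

# Constructed JWKS documents, one per pool (only the kid matters here; key material omitted)
JWKS_BY_POOL = {
    PROD_POOL_ID: {"keys": [{"kid": "prodKid1", "kty": "RSA", "alg": "RS256", "use": "sig"}]},
    DEV_POOL_ID:  {"keys": [{"kid": "devKid1",  "kty": "RSA", "alg": "RS256", "use": "sig"}]},
}

# Constructed access token as the production pool would issue it
PROD_ACCESS_TOKEN = make_unsigned_jwt(
    {"alg": "RS256", "kid": "prodKid1"},
    {"iss": issuer_for(REGION, PROD_POOL_ID), "token_use": "access",
     "scope": "aws.cognito.signin.user.admin", "client_id": "6adc4ziG7GCzYmMwhWWVnJySbP"},
)

def check_token_against_pool(token: str, region: str, pool_id: str, required_scope: str) -> list:
    """Pre-flight the checks an authorizer configured for `pool_id` applies, minus the signature."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    problems = []
    expected_iss = issuer_for(region, pool_id)
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} != authorizer's pool {expected_iss!r}")
    # In production this set comes from an HTTPS fetch of jwks_url_for(); here it is the constructed table
    kids = {k["kid"] for k in JWKS_BY_POOL[pool_id]["keys"]}
    if header.get("kid") not in kids:
        problems.append(f"kid {header.get('kid')!r} not in {jwks_url_for(region, pool_id)}")
    if required_scope not in claims.get("scope", "").split():
        problems.append(f"scope {required_scope!r} missing from token")
    return problems

if __name__ == "__main__":
    scope = "aws.cognito.signin.user.admin"
    print(check_token_against_pool(PROD_ACCESS_TOKEN, REGION, PROD_POOL_ID, scope))  # []
    print(check_token_against_pool(PROD_ACCESS_TOKEN, REGION, DEV_POOL_ID, scope))   # iss and kid problems
```

A validator that checks iss before looking up the kid gives the clearer error; one that only searches the JWKS reports a missing key, which is why the symptom in the question points at keys rather than at the configuration.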

Watson speech to text authentication

I am trying to get Transcribe from Microphone working on my server as a starting point.
The code is straightforward but I am having trouble with the token.
On IBM Cloud I created an IAM Service ID with Access Policies
Viewer, Reader 14 Speech to Text service in all resource groups
created an API key from that
created the token file:
curl -k -X POST --output token \
--header "Content-Type: application/x-www-form-urlencoded" \
--header "Accept: application/json" \
--data-urlencode "grant_type=urn:ibm:params:oauth:grant-type:apikey" \
--data-urlencode "apikey={apikey}" \
"https://iam.cloud.ibm.com/identity/token"
The response has 'access_token' but the JavaScript SDK 0.38.1 looks for 'accessToken'.
When I start the microphone I get a socket error on 'wss://stream.watsonplatform.net/speech-to-text/api/v1/recognize'.
I checked token expiration.
I confirmed it is an auth problem:
curl -X GET "https://stream.watsonplatform.net/speech-to-text/api/v1/models?access_token={accessToken}"
responds "unauthorized"
I have researched and am unsure what to do next. My best guess is I am generating the token improperly.
I would leave the token generation to the code. All the SDKs have an IAMAuthenticator component. The full documentation for Node.js is here. It has a very simple example where you pass in the API key:
import { IamAuthenticator } from 'ibm-cloud-sdk-core';
// The authenticator exchanges the API key for an IAM bearer token on first use
// and refreshes it before expiry, so the app never handles access_token itself
const authenticator = new IamAuthenticator({
  apikey: '{apikey}',
});
Thereafter, you instantiate the service, e.g., STT.

USER.SUBMIT_FORM_DATA: Event filter Fails for UPDATE Outgoing WebHook call

I can register events with USER.SUBMIT_FORM_DATA no problem, also I can Update (PUT) all the other event filters without errors. USER.SUBMIT_FORM_DATA fails when using PUT to update. Reproduced error in PowerShell, Curl and Postman. I also noticed Swagger does not have USER.SUBMIT_FORM_DATA available in the array. This is what's available:
CONVERSATION.CREATE
CONVERSATION.UPDATE
CONVERSATION.ADD_ITEM
CONVERSATION.UPDATE_ITEM
USER.USER_UPDATED
USER.USER_SETTING_UPDATED
Request:
curl -L -X PUT 'https://circuitsandbox.net/rest/v2/webhooks/IdHere' \
-H 'accept: application/json' \
-H 'authorization: Bearer Token' \
-H 'content-type: application/x-www-form-urlencoded' \
--data-urlencode 'url=https://webhook.site/IdHere' \
--data-urlencode 'filter=USER.SUBMIT_FORM_DATA'
Error:
{
"errorDescription": "the request contains invalid data",
"validationErrors": [
"The request array with name ::= [filter] and content value ::=[USER.SUBMIT_FORM_DATA]does not match the expression ::= [CONVERSATION.CREATE||CONVERSATION.UPDATE||CONVERSATION.ADD_ITEM||CONVERSATION.UPDATE_ITEM||USER.USER_UPDATED||USER.USER_SETTING_UPDATED]."
],
"errorCode": "400"
}
Sorry, that is a bug in the endpoint; I added a fix which will be available with the next release.

Getting "You don't have a required scope to access the endpoint" when inserting script

I'm developing an app, for store fronts and want to get some analytics in checkout. So I want to inject a script in that scope of checkout. When I try to insert it I'm getting "You don't have a required scope to access the endpoint" but I have updated the scopes to checkoutcontent to modify. Not sure what else is wrong
Trying to insert a script via an app, getting 403 even though I updated the OAuth scopes to include Checkout Content and Checkout:
curl --request POST \
--url https://api.bigcommerce.com/stores/{store_hash}/v3/content/scripts \
--header 'accept: application/json' \
--header 'content-type: application/json' \
--header 'x-auth-client: XXXXX' \
--header 'x-auth-token: XXXXX' \
--data '{"name":"Test Scripts Tag","description":"Test Scripts Tag","html":"<script src=\"https://Somedestination/Test.js\"></script>","src":"https://Somedestination/Test.js","auto_uninstall":true,"load_method":"default","location":"footer","visibility":"checkout","kind":"src"}'
Getting the error below, while expecting status 200:
status: 403,You don't have a required scope to access the endpoint
The html field shouldn't be included when using src, could you try removing it?
The only errors I was receiving in testing were due to malformed HTML in the html field with the error code 422. It may also be worth trying to create a new API account to rule out scoping causing this.

Uber API "POST /requests/estimate" response POST "code":"unauthorized"

I'm trying to get data with the following API call:
Uber API -- POST /requests/estimate
curl -X POST \
-H 'Authorization: Bearer JA.VUNmGAAAAAAAEgASAAAABwAIAAwAAAAAAAAAEgAAAAAAAAG8AAAAFAAAAAAADgAQAAQAAAAIAAwAAAAOAAAAkAAAABwAAAAEAAAAEAAAAHK_p1D73ZBrTyH5MuBCGAhsAAAA28z3l42QLSOiQE_6m1J30O4ZQjwpDR_rVf5o41ONOluUZohTYhXEhHNBCLkDO0mXJV39hE2RkcsIRm9ICi_UMVGESeHsQ_uRsX_yD1EDoUbcdHa0Yhf8XGOJkFz1-IB5x9Ivq6SxHpmREeExDAAAAGRcztTG8GDUTlDYpSQAAABiMGQ4NTgwMy0zOGEwLTQyYjMtODA2ZS03YTRjZjhlMTk2ZWU' \
-H 'Accept-Language: en_US' \
-H 'Content-Type: application/json' \
-d '{
  "start_latitude": 37.7752278,
  "start_longitude": -122.4197513,
  "end_latitude": 37.7773228,
  "end_longitude": -122.4272052
}' "https://api.uber.com/v1.2/requests/estimate?scope=request"
Response
{"code":"unauthorized","message":"This endpoint requires at least one of the following scopes: profile, request, request.delegate, request.delegate.tos_accept, surge_accept"}
While the APIs below are working fine:
/products
/estimates/price
/estimates/time
This is the old API. The new one looks like this:
GET /v1.2/estimates/price