I managed to get Auth0 somewhat working for my Vue.js app. The Quickstart Guide was straight forward.
So what happened is that I managed to use the login functionality and was prompted with the Auth0 Login dialog. I used my google account to do a quick-login. That also worked. My google account was now visible as a new user in my Auth0 Dashboard.
However after the login I was returned to my Vue.js app but the authorization was not successful it seems.
The network tab tells me the following:
{"error":"access_denied","error_description":"Unauthorized"}
I was wondering if I have to give the user some roles or permissions before he is considered as 'authorized'? My impression was that this will be true by default and only restricted if I start defining roles in the Auth0 Dashboard.
Please enlighten me!
PS: I am using the non-implict login dialog provided by Auth0 while I am working on a SPA. I read that might cause troubles?
PS 2:
And the Raw Data of the 'Failed Exchange' Log:
{
"date": "2020-08-24T10:43:52.005Z",
"type": "feacft",
"description": "Unauthorized",
"connection_id": "",
"client_id": "<Client_ID>",
"client_name": null,
"ip": "85.197.56.111",
"user_agent": "Chrome 83.0.4103 / Linux 0.0.0",
"details": {
"code": "*************T8a"
},
"hostname": "alemanni-game.eu.auth0.com",
"user_id": "",
"user_name": "",
"log_id": "90020200824104353383000015217913666506642073534760747026",
"_id": "90020200824104353383000015217913666506642073534760747026",
"isMobile": false
}
I had this issue and was finally able to find out the cause of this issue. I came across this question while I was searching for the solution to this problem but it hadn't been answered. As I was able to solve the problem, so I decided to answer this question.
In my case, the problem was that the token endpoint was returning the status code of 401 with unauthorized/access denied error and this seems to be the problem in your case too.
Problem was because of the incorrect value of "Token Endpoint Authentication Method" in the application settings.
In the case of single page applications, its value should be "None" but it was incorrectly set to "POST".
It seems that we cannot change its value, so I just created a new application and selected "Single Page Web Applications" as the application type. This solved the issue.
Related
I've been at this for days and the documentation just isn't clear to me, maybe I'm just not reading it correctly.
I have a blazor WASM app (https://localhost:5001) that pulls data from an api. The api needs to be authenticated so I want to just pass the access token inside the header.
Inside the OneLogin admin dashboard I've created an OIDC app called "testApp", the Token Endpoint is None (PKCE).
Setting up oidcauthentication on blazor was super simple. I originall just used the
builder.Services.AddOidcAuthentication(options =>
{
builder.Configuration.Bind("OneLogin", options.ProviderOptions);
})
However I quickly realized I had no way to add an audience. So I followed this guide ..
auth0 oidc for blazor
and this github for the actual code I modified to create a custom provideroptions that has an audience string
github repo
And I also had no issues setting it up. However, where I get stuck is how seemingly complicated OneLogin's side of the setup is.
Reading their docs onelogin api auth docs, there are no modern examples of setting it up past the postman import. Downloading the import file offers a fairly organized set of apis however I can't figure out what needs to go where.
First I created an Api Auth Server
{
"description": "API",
"configuration": {
"access_token_expiration_minutes": 20,
"refresh_token_expiration_minutes": 20,
"resource_identifier": "https://localhost:5005",
"audiences": [
"https://localhost:5005/worker",
"https://localhost:5005/user"
]
},
"name": "API"
}
then I created a scope
{ "value": "custom:scope",
"description": "A custom scope" }
then I added api auth server client. I went to the admin panel and grabbed the app id from the url. https://{domain}.onelogin.com/apps/{appId}/edit/#configuration
and added an api auth server
which gave me this back from the postman api
[
{
"name": "TestApp",
"app_id": 1111111,
"scopes": [
{
"id": 172,
"description": "A custom scope",
"value": "custom:scope"
}
],
"api_auth_id": 1246001
}]
So from this point it looks like I have everything I need? Except I still can't get it to create an access token. I go back to my application and use the modified service and add my audience to my appsettings.json
"OneLogin": {
"Authority": "https://{domain}.onelogin.com/oidc/2/",
"ClientId": "{clientId from onelogin}",
"ResponseType": "code",
"DefaultScopes": "openid profile groups",
"Audience": "https://localhost:5005"
Except it still doesn't add the extra audience to the access token causing my api calls to fail when I add the access token inside the header. If anyone can figure out where I've gone wrong I'd be incredibly grateful.
woot. Figured it out myself. I had everything right but I had the audience wrong. In their docs they discuss having multiple audiences like example.com/blah and example.com/bleh but having the audience as just example.com and then having different scopes PER web service actually is working fine.
So when I create example2.com and add it to the audience both my api's will be able to be accessed.
I have a project in Google Cloud Platform that uses OAuth 2.0 and a few scopes from Google. All was working well until recently when I noticed my users were seeing "App is not verified" when logging in with Google.
Visiting the OAuth consent form at https://console.cloud.google.com/apis/credentials/consent, I could see that it wanted me to enter new privacy and terms & conditions URLs, which I did. But clicking on Submit For Verification and going through the subsequent popup resulted in no feedback.
Looking in devtools, I could see that the call to the submitReview endpoint was resulting in this:
{
"error": {
"code": 400,
"message": "Request contains an invalid argument.",
"status": "INVALID_ARGUMENT"
}
}
The request body sent by the Google form was:
{"brandId":"XXXXXXXXXXXXXX","scopeRationale":"My rationale was here","additionalInfo":"","contactEmail":"email#domain.com","pendingScopes":[]}
Note that pendingScopes was actually empty (I'm not requesting any new scopes).
Any ideas?
If you've never been to the new OAuth consent screen configuration before, you need to add all the scopes your app is requesting: https://support.google.com/cloud/answer/6158849?hl=en#userconsent
I recently started using the foursquare API, but suddenly I get "Consumer disabled" error responses.
So far, the only API call I've been doing is one to browse some venues:
https://api.foursquare.com/v2/venues/search?ll=51.222816,3.224778&query=Friet&radius=200&limit=10&categoryId=4d4b7105d754a06374d81259&client_id=app_id&client_secret=app_secret&v=20161116
These are the parameters I am sending:
ll:51.222816,3.224778
query:Friet
radius:200
limit:10
categoryId:4d4b7105d754a06374d81259
client_id:app_id
client_secret:app_secret
v:20161116
At first everything went well, then I started working on some other part and now I'm back to foursquare and getting the following response (with 403 http status code):
{
"meta": {
"code": 403,
"errorType": "not_authorized",
"errorDetail": "Consumer disabled."
},
"response": {}
}
I've searched my emails, but I didn't recieve any warnings or notifications on why this might be happening. Anyone had any experience with this?
One thing that may be of importance: Since I'm in development and there is no site for the project yet I can not provide a privacy policy url in the app settings. Because there is none, yet.
Edit: this is my client ID: 1VXNUT53J2OMMTMKA4E3UBKYLQQCI1GC3CRCCBPSQK1BWQFG
try resetting your API secret at (https://foursquare.com/developers/app/CLIENT_ID/reset)
That error could happen if there's suspicious behavior on an API key - but you would've gotten an email first.
Update: I see this key flagged as disabled. I re-enabled so should be working now. I'll run through the logs and try to figure out how/why this happened.
I'm playing with the interactive web sdk at https://ucwa.skype.com/websdk. I'm signed in successfully with a Azure AD login. With the F12 Tool I can see, that I have got a valid oauth token.
Now I take this token and trying to get a person object via a GET request like this: _https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications/113782897528/me
This is the result:
{
"uri": "sip:xxx#yyy.de",
"name": "john doe",
"_links": {
"self": {
"href": "/ucwa/oauth/v1/applications/111364079681/me"
}
},
"rel": "me"
}
What I expect are more information about me like this:
{
"uri": "sip:xxx#yyy.de",
"name": "john doe",
"emailAddresses": [
"xxx"
],
"company": "my company name",
"workPhoneNumber": "tel:+123456789",
"endpointUri": "sip:xxx;opaque=user:epid:4JNzkgeuabct-CSuIgYV8gAA;gruu",
"_links": {
"self": {
"href": "/ucwa/oauth/v1/applications/113782897528/me"
},
"note": {
"href": "/ucwa/oauth/v1/applications/113782897528/me/note"
},
"presence": {
"href": "/ucwa/oauth/v1/applications/113782897528/me/presence"
},
"location": {
"href": "/ucwa/oauth/v1/applications/113782897528/me/location"
},
"reportMyActivity": {
"href": "/ucwa/oauth/v1/applications/113782897528/me/reportMyActivity"
},
"photo": {
"href": "/ucwa/oauth/v1/applications/113782897528/photos/xxxx"
}
},
"rel": "me"
}
I found out that the result depends on the application id. If I open the Office365 web portal (_https://outlook.office.com/owa) and search for an valid application id with the F12 tool, then I get the expected result. Even with the OAuth token that I got from the interactive web sdk example. So this can not be an security or permission issue??
I grant access to all permissions in the azure management portal.
Also very strange is that I get different status codes with the same oauth token for this two very similar request
_https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications/113782897528/me/presence
-> 200 OK
_https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications/112861033140/me/presence
-> 403 Forbidden
{
"code": "Forbidden",
"message": "The requested operation isn't allowed."
}
So why is there a difference between both applications and what is required to get the same results? Is anything missing in the azure configuration?
Thanks for help
UCWA and to a larger extent Skype for Business Online are in a preview phase which may help explain why you are seeing a different result set between the two applications. When logging into the O365 portal as your user you are most likely getting supplemental information from Exchange or the portal is able to receive more information from UCWA using internal APIs (and permissions) not publicly exposed.
If I remember correctly and your request example above is a follows:
/ucwa/oauth/v1/applications/113782897528/me/presence - O365 Portal
/ucwa/oauth/v1/applications/112861033140/me/presence - Non-Portal
What you are seeing is that Presence is not currently enabled (a better term might be the API is not publicly exposed) for UCWA when using Online clients.
Access to presence is available in preview mode through the "Read/write Skype user information (preview)" Delegated Permission. You might not have access to it, but here's a picture of what it looks like in Azure AD if you do:
I created a UCWA-based native app that connects to SfB Online and allows you to set your presence:
https://github.com/tamhinsf/ucwa-sfbo-console
Just follow the README to register your own app and plug in your settings into my code. I output the result of each API call onto the console so you can see what's going on.
I've also made fork of the Interactive Web SDK Samples you've been using that consolidates the Azure AD settings into a single file. You might want a local copy to more closely inspect and modify the calls:
https://github.com/tamhinsf/skype-web-sdk-samples
Sharing the token like that between applications seems like a security violation. The token is provided for a specific resource and the server likely validates that the token you are providing matches the scopes that the application was created with.
What scenario are you trying to perform by sharing the token?
I've set up a Google Compute Engine Instance and I want to be able to turn it on and off using a script on my home computer. I see that there's an API that lets me do that by sending a POST request like this:
curl --data '' https://www.googleapis.com/compute/v1/projects/my-project/zones/asia-east1-a/instances/my-instance/stop
but the response I get from that is this:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
}
}
So I'm trying to see how I can allow my script authorisation to use the API on the compute engine without having user interaction. How do I do this?
It looks like Google requires OAuth 2.0 authentication, but it seems really complex.
The closest thing I can find in Google's docs is this page but I can't work out how to make it a bunch of curl statements.
This SO thread gets closer, but glancing over the scripts there - it looks like they need user interaction.
I think you need Application Default Credentials. Have you seen this page?
https://developers.google.com/identity/protocols/application-default-credentials