I am getting 500 internal server error while trying to configure google sign in with my Cognito user pool, steps followed are from here.
There is no error message in response to the requested API.
I'm finding it very difficult to troubleshoot the issue. Only thing observed from response headers is
x-cache: Error from CloudFront
The error is from token endpoint URL: oAuth2/token
Request URL: https://mydomainurl/oauth2/token
Request Method : POST
Headers:
Content-Type: application/x-www-form-urlencoded
Form body:
grant_type: authorization_code
client_id: cognito_app_client_id_here
code: AUTH_CODE
redirect_uri: https://redirect-url
Received response headers:
access-control-allow-credentials: true
access-control-allow-origin: https://mydomainurl
cache-control: no-cache, no-store, max-age=0, must-revalidate
content-type: application/json;charset=UTF-8
date: Fri, 08 Nov 2019 08:10:28 GMT
expires: 0
pragma: no-cache
server: Server
status: 500
strict-transport-security: max-age=31536000 ; includeSubDomains
vary: Origin
via: 1.1 1111111222333.cloudfront.net (CloudFront)
x-amz-cf-id: DirdxkYdQojw7EE8fw-_Kta_nHfBIQBN9VpT2qTg3WGoj2a_8yh3RA==
x-amz-cf-pop: BLR50-C3
x-amz-cognito-request-id: 97468dc9-8957-4a35-8780-1a7f5d9e3c56
x-cache: Error from cloudfront
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
Does anyone know how to resolve the above error?
Where to view any error logs if generated by CloudFront distribution or by
CloudWatch for the above request?
I had a similar problem with a web app hosted on S3, distributed by CloudFront, with OAuth2 user authentication via Cognito.
In my case, the web app was a single-page application with routing. The app was hosted at https://example.com but my callback URL was at https://example.com/login. Since the login process involved navigating away from the app then redirecting back, it resulted in a 404 Not Found on the S3 side since there was no resource at s3://example.com/login, subsequently causing the x-cache: Error from cloudfront as seen in the response headers of the original question.
The fix was to edit the CloudFront distribution and add a custom error response, mapping 404 Not Found to a response path of /index.html and response code 200 Ok.
Related
I'm trying to collect and download my lifelog user data. The first step into doing this is getting a user-access token. I am encountering problems while requesting authorization.
From the sony developer authenticization page I am told to input the following code into my API explorer:
https://platform.lifelog.sonymobile.com/oauth/2/authorize?client_id=YOUR_CLIENT_ID&scope=lifelog.profile.read+lifelog.activities.read+lifelog.locations.read
I am supposed to receive the authorization code as such:
https://YOUR_CALLBACK_URL?code=abcdef
However, this is what the current situation is actually like:
I have replaced my actual client ID below with MY_CLIENT_ID for security reasons
INPUT:
GET /oauth/2/authorize?client_id=MY_CLIENT_ID&scope=lifelog.profile.read%2Blifelog.activities.read%2Blifelog.locations.read HTTP/1.1
Authorization:
Bearer kN2Kj5BThn5ZvBnAAPM-8JU0TlU
Host:
platform.lifelog.sonymobile.com
X-Target-URI:
https://platform.lifelog.sonymobile.com
Connection:
Keep-Alive
RESPONSE:
HTTP/1.1 302 Found
Content-Length:
196
Location:
https://auth.lifelog.sonymobile.com/oauth/2/authorize?scope=lifelog.profile.read+lifelog.activities.read+lifelog.locations.read&client_id=MY_CLIENT_ID
Access-Control-Max-Age:
3628800
X-Amz-Cf-Id:
HILH9w3eOm-6ebs_74ghegYQyWS4xyqA1l0gXPRJuuubsoZ6eiiS3g==
Access-Control-Allow-Methods:
GET, PUT, POST, DELETE
X-Request-Id:
76caccfc976d40259ef30415d10980e9
Connection:
keep-alive
Server:
Apigee Router
X-Cache:
Miss from cloudfront
X-Powered-By:
Express
Access-Control-Allow-Headers:
origin, x-requested-with, accept
Date:
Sun, 22 Jan 2017 03:00:42 GMT
Access-Control-Allow-Origin:
*
Vary:
Accept
Via:
1.1 dc698cd00b7ec82887573cfaba9ecca6.cloudfront.net (CloudFront)
Content-Type:
text/plain; charset=utf-8
Found. Redirecting to https://auth.lifelog.sonymobile.com/oauth/2/authorize?scope=lifelog.profile.read+lifelog.activities.read+lifelog.locations.read&client_id=MY_CLIENT_ID
Nowhere can I see the authorization code in the above code. I even tried copying and pasting the URL (on the last line) into my browser, it says "localhost.com took too long to respond"
This is where I input my request
I am not sure whether it is an issue with the callback URL. I don't have an actual website or app made, I just used the default localhost
I am a beginner in this and would really appreciate all help.
I've build a web api service with basic authentication and using a global DelegatingHandler implementation which I hook up to the web API GlobalConfiguration, in order to extract the username:password credentials from the request and hook an IPrincipal to the HttpContext if the credentials map to a valid user.
I've tested my api thoroughly on localhost and it's working fine, but not quite when hosted on IIS on a VPS.
I've hooked up remote debugging on the VPS in order to inspect whats going on and it turns out that whenever I include the authorization header to my request, the breakpoints I have set on the message handler are not getting hit, meaning that the request does not reach the handler. If I remove the Authorization header from the request, the breakpoint is getting hit and the handler is able to process it.
Since the message handlers are the first that will process the request in the pipeline (from what I know of, correct me if I'm wrong) I guess there must be an IIS or setup issue that I'm not aware of that messes the authentication process.
Fiddler Request Headers
GET http://myip/api/v1/route/parameter HTTP/1.1
Content-Type: application/json; charset=utf-8
Authorization: Basic ZHJpdmVyOjEwMTAyMDAz
Host: myip
Fiddler Response Headers
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
WWW-Authenticate: Basic realm="myip"
X-Powered-By: ASP.NET
Date: Mon, 22 Aug 2016 15:04:15 GMT
Content-Length: 61
{"Message":"Authorization has been denied for this request."}
What could be possibly be wrong, where should I look at for a solution?
EDIT
Had to disable Basic Authentication from the Authentication menu on the right pane setting for the IIS application.
I'm attempting to create a bridge between another service (as a data source) and Microsoft Power BI. However, I can't get the REST API to work properly.
So far I've succeeded in creating a web application in Azure AD, getting the Client ID and secret, receiving an access token for the API, but after this all I get is 403 Forbidden with no error message. However, if I try to access the API with an expired token, I get an error message telling me that the token is expired.
I've read some posts on the subject, but they all suggest that the REST API cannot be accessed without having a user log in and access Power BI first, which isn't possible in a service-to-service application.
How do I properly access the service without any user interaction?
Here are the requests and responses, censored a little bit.
Request 1:
POST /[our domain].com/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: flight-uxoptin=true; stsservicecookie=ests; x-ms-gateway-slice=productiona; stsservicecookie=ests
Host: login.microsoftonline.com
Connection: close
User-Agent: Paw/2.3 (Macintosh; OS X/10.11.3) GCDHTTPRequest
Content-Length: 203
grant_type=client_credentials&client_id=[client id]&client_secret=[client secret]&resource=https%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi
Response 1:
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
x-ms-request-id: 52d6713c-d50b-4073-b030-aa10e33fdf27
client-request-id: 3aef4765-d602-46a6-a8ce-4b7792f678e5
x-ms-gateway-service-instanceid: ESTSFE_IN_209
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: x-ms-gateway-slice=productiona; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/
X-Powered-By: ASP.NET
Date: Wed, 24 Feb 2016 08:24:29 GMT
Connection: close
Content-Length: 1243
{"token_type":"Bearer","expires_in":"3599","expires_on":"1456305870","not_before":"1456301970","resource":"https://analysis.windows.net/powerbi/api","access_token":"[access token]"}
Request 2:
GET /v1.0/myorg/datasets HTTP/1.1
Authorization: Bearer [access token]
Content-Length: 0
Host: api.powerbi.com
Connection: close
User-Agent: Paw/2.3 (Macintosh; OS X/10.11.3) GCDHTTPRequest
Response 2:
HTTP/1.1 403 Forbidden
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: deny
X-Content-Type-Options: nosniff
RequestId: 803cc0cb-c65d-4212-9ab8-aed4ffa9862a
Date: Wed, 24 Feb 2016 08:25:13 GMT
Connection: close
The APIs you're using require a user's access token. They access content in a user's account. So if you don't have the access token, you'll keep getting forbidden. So what you need to do is get the access token with the user the first time. Then store the refresh token. Then use the refresh token to get new access tokens as needed. If the refresh token expires, you need to ask the user to sign in again.
I am trying to get the installed app to work with Oauth2 on Reddit's api. I am using Windows runtime api's httpclient to make requests, and webauthenticationbroker to get the code to do the GET request to receive the token. I requested a token by using this:
https://www.reddit.com/api/v1/authorize?client_id=" + client_id + "&response_type=code&state=" + "testing" + "&redirect_uri=http://abcd.com&duration=" + "permanent" + "&scope=" + "vote,identity"
And got a code back, so I used POST on this (with the content type being: application/x-www-form-urlencoded):
https://www.reddit.com/api/v1/access_token
with the body being this:
grant_type=https://oauth.reddit.com/grants/installed_client&\
device_id="+id + "&code=" + code
(code and id is the code received in the first step and id is a generated UUID)
Then I got something like this back:
{"access_token": "--5e65dP1dI_1vgLbqvi7zRB6cnU", "token_type": "bearer", "expires_in": 3600, "scope": "*"}
So I extracted the token and got this:
--5e65dP1dI_1vgLbqvi7zRB6cnU
Then I tried to do a GET request on https://oauth.reddit.com/api/v1/me with these headers:
{
User-Agent: (testUWP client by /u/bored_reddit_user)
Authorization: bearer --5e65dP1dI_1vgLbqvi7zRB6cnU
}
I got these headers back with status code 403 reason phrase forbidden:
{
Connection: keep-alive
Server: cloudflare-nginx
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
Transfer-Encoding: chunked
cache-control: max-age=0, must-revalidate
x-ua-compatible: IE=edge
CF-RAY: 23f5127a6a2911a1-SJC
Date: Tue, 03 Nov 2015 03:42:58 GMT
x-frame-options: SAMEORIGIN
access-control-allow-origin: *
X-Moose: majestic
x-reddit-tracking: https://pixel.redditmedia.com/pixel/of_destiny.png?v=BZoi0ikdGrSYn9U9xM6GWeYcRRb0W50fSQuGYb1Q8Oe7E5WVB6qTA4hRqlx9vDfpLOKzpE3Z5Wo%3D
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
access-control-expose-headers: X-Reddit-Tracking, X-Moose
}{
Content-Type: application/json; charset=UTF-8
}
and this content:
{"explanation": "Please log in to do that.", "reason": "USER_REQUIRED"}
I am at a loss as to what I'm doing wrong, can anyone help me out?
This wiki page on the reddit github gives a pretty good overview of reddit's implementation of OAuth2 and the different grant_types and what circumstances they are appropriate for. This page has some more information. I'm suspecting that reddit doesn't want you storing the client secret in an app that you install on a user's device since you can't keep it secure, and a user could figure out your CLIENT_ID.
I'm glad my comment could point you in the right direction, if you could accept this answer, I'd appreciate the rep.
I've a DotnetOpenAuth authorization server which works great on my localhost. However after publishing it my refresh access token request is blocked.
The request for a accesstoken, with success
POST https://myurl/identity/oauth/token HTTP/1.1
Authorization: Basic dsjSDLFJKSKLJesww
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: DotNetOpenAuth.Core/4.2.1.13026
Host: myhost
Cache-Control: no-store,no-cache
Pragma: no-cache
Content-Length: 86
Expect: 100-continue
Connection: Keep-Alive
username=theusername&password=fancypassword&scope=somescope&grant_type=password
The refresh request:
POST https://myurl/identity/oauth/token HTTP/1.1
Authorization: Basic dsjSDLFJKSKLJesww
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: DotNetOpenAuth.Core/4.2.1.13026
Host: myhost
Cache-Control: no-store,no-cache
Pragma: no-cache
Content-Length: 272
Expect: 100-continue
refresh_token=_ttH%21IAAAAGiYhlufAaXURH5P2oDOnPYgJx7YhoR33isvZkPPvlyUgQAAAAHoBYyDMLhq1qwGHHH2uGrLoHZli77XHbCnSFJSKLFJ3kl2j3klj2kljKFSJKLSJKL#$k3ljfsklfjl2
And the response:
Technical Information (for support personnel)
Error Code: 403 Forbidden. The server denied the specified Uniform
Resource Locator (URL). Contact the server administrator. (12202)
Any help, guidelines, pointers in any direction, would be very much appriciated!
I changed the url/username/password/scope/base64/refreshtoken for this example.
Their seems to be a setting in the TMG Forefront - Authentication Delegation which blocked the request.
Method used by Forefront TMG to authenticate to the published Web
server:
No delegation, and the client cannot authenticate directly
No delegation, but client may authenticate directly
It was set to option 1 after changing it to 2 the request is no longer blocked!