I created an app that requires Google scopes, and it was working until now. I get this error:
Error
ERROR:Scope has changed from "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile https://mail.google.com" to "https://mail.google.com/ https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile".
BEFORE:
"https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
https://mail.google.com"
AFTER:
"https://mail.google.com/
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile"
As far as I can see the scope did NOT change. There are 3 scopes before and after, but only the order has changed.
The python code for this is here:
try:
    # Exchange the authorization code in the callback URL for tokens
    credentials = oauth.fetch_token('https://accounts.google.com/o/oauth2/token',
                                    authorization_response=full_authorization_response_url,
                                    client_secret=client_secret)
except Exception as e:
    import traceback
    print(traceback.format_exc())
    credentials = 'ERROR:' + str(e)
if type(credentials) in (str, unicode):
    return "Error<br>" + credentials
It's that last line that seems to be relevant. So Google is saying the scope changed, but I can't see why, or how to fix it, since it hasn't changed.
I found that relaxing the token scope on the server solved this problem. It apparently expects the same scopes in the same order, unless you add this line:
os.environ['OAUTHLIB_RELAX_TOKEN_SCOPE'] = '1'
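Worth noticing in the error text quoted above: besides the reordering, the third scope is not byte-identical. The request carried `https://mail.google.com` and the token response carried `https://mail.google.com/` (trailing slash), so even an order-insensitive set comparison reports a difference. The following is an added example, not the asker's code and not oauthlib's source: it is a small stand-alone model of the client-side check that produces the "Scope has changed" error (oauthlib raises a `Warning` with that message unless `OAUTHLIB_RELAX_TOKEN_SCOPE` is set), using the two scope strings from the post. The `canonical_scope` helper assumes Google reports origin-only scopes with a trailing slash; that assumption is this example's, not something the post confirms.

```python
import os
from urllib.parse import urlsplit, urlunsplit

# The two scope strings from the error message above (copied from the post, not fetched).
REQUESTED = ("https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/userinfo.profile "
             "https://mail.google.com")
GRANTED = ("https://mail.google.com/ "
           "https://www.googleapis.com/auth/userinfo.email "
           "https://www.googleapis.com/auth/userinfo.profile")


def scope_differences(requested, granted):
    """Compare two space-separated scope strings as sets, so ordering never matters.

    Returns (missing, extra): scopes requested but not granted, and scopes granted
    but never requested. Both empty means the grant matches the request.
    """
    req, got = set(requested.split()), set(granted.split())
    return sorted(req - got), sorted(got - req)


def canonical_scope(scope):
    """Give an origin-only scope such as https://mail.google.com a trailing slash.

    Assumption in this example: Google reports that scope as https://mail.google.com/,
    so requesting the slash form up front makes request and grant agree.
    """
    parts = urlsplit(scope)
    if parts.scheme and parts.netloc and not parts.path:
        parts = parts._replace(path="/")
    return urlunsplit(parts)


def canonical_scopes(scope_string):
    return " ".join(canonical_scope(s) for s in scope_string.split())


def scope_check_outcome(requested, granted, relax=None):
    """Model of the client-side check: 'unchanged', 'relaxed' or 'rejected'.

    'rejected' is the case where oauthlib raises Warning("Scope has changed from ...").
    With OAUTHLIB_RELAX_TOKEN_SCOPE set (or relax=True) the token is accepted as-is,
    which is what the accepted answer does.
    """
    if relax is None:
        relax = bool(os.environ.get("OAUTHLIB_RELAX_TOKEN_SCOPE"))
    missing, extra = scope_differences(requested, granted)
    if not missing and not extra:
        return "unchanged"
    return "relaxed" if relax else "rejected"


if __name__ == "__main__":
    print(scope_differences(REQUESTED, GRANTED))
    print(scope_check_outcome(REQUESTED, GRANTED, relax=False))
    print(scope_check_outcome(canonical_scopes(REQUESTED), GRANTED, relax=False))
```

The relax flag silences a check whose job is to tell you that the token you got back does not cover what you asked for (or covers more). Requesting the canonical scope string instead keeps that check active and makes the comparison pass without an environment override.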
I developed a chrome extension using Rally's WSAPI v2.0, and it basically does the following things:
get user and project, and store them
get current iteration everytime
send a post request to create a workitem
For the THIRD step, I sometimes get error ["Not authorized to perform action: Invalid key"] since end of last month.
[updated] Error can be reproduced every time if I log in to the Rally website via SSO before using the extension to send requests via apikey.
What's the best practice to send subsequent requests via apikey in my extension since I can't control end users' habits?
I did see some similar posts but none of them is helpful... and in case it helps:
I'm adding ZSESSIONID:apikey in my request header, instead of user / password to authenticate, so I believe no security token is needed (https://comm.support.ca.com/kb/api-key-and-oauth-client-faq/kb000011568)
url starts with https://rally1.rallydev.com/slm/webservice/v2.0/
issue is fixed after clearing cookies for https://rally1.rallydev.com/, but somehow it appears again some time later
I checked the cookie when the issue was reproduced, and found one with name of ZSESSIONID and its value became something else rather than the apikey. Not sure if that matters though...
code for request:
function initXHR(method, url, apikey, cbFunc) {
    let httpRequest = new XMLHttpRequest();
    ...
    httpRequest.open(method, url);
    // header values without the stray leading space
    httpRequest.setRequestHeader('Content-Type', 'application/json');
    httpRequest.setRequestHeader('Accept', 'application/json');
    // API-key authentication: the key goes in the ZSESSIONID header
    httpRequest.setRequestHeader('ZSESSIONID', apikey);
    httpRequest.onreadystatechange = function() {
        ...
    };
    return httpRequest;
}
...
usReq = initXHR('POST', baseURL + 'hierarchicalrequirement/create', apikey, function() {...});
Does anyone have any idea / suggestion? Thanks a million!
I've seen this error when the API key had both read-only and full-access grants configured. I would start by making sure your key only has the full-access grant.
I'm attempting an implementation of aurelia-authentication with an OIDC provider (IdentityServer4) and seem to be running into an issue with logging a user out.
The short of it is I'm not able to logout users successfully using the authService.logout function mentioned in the OIDC configuration section (https://aurelia-authentication.spoonx.org/oidc.html).
In looking into it a bit further I've tracked it down to a promise rejection in the logout function which provides the message: "OAuth2 response state value differs"
if (logoutResponse.state !== stateValue) {
    return Promise.reject('OAuth2 response state value differs');
}
logoutResponse seems to be the culprit as it's coming through as an object with the state property named incorrectly {/login?state: "qAIxYwKqLHYJtyar2PfdvaROWT1O56P7"}.
I can actually change the if statement to:
if (logoutResponse['/login?state'] !== stateValue) {
    return Promise.reject('OAuth2 response state value differs');
}
which seems to be working fine, but requires us to modify the aurelia-authentication source directly.
Any thoughts from anyone as to why the "state" property is coming through as a relative path instead of just "state"?
So after spending more time on this I was able to track the issue down and find a solution.
The solution was to change the aurelia-authentication authConfig postLogoutRedirectUri value to just the root page (http://localhost:8080). Additionally, I needed to define that URI under the PostLogoutRedirectUris within my IdentityServer4 Client definition.
logoutResponse was then coming through correctly with a property named state that holds the correct value and permits the redirect successfully.
case in Laravel5.
When I get the message "token expired", how can I refresh and get a new token?
I have been using JWTAuth::refresh($oldToken) but it doesn't work.
What is the best way?
When was the last time you updated/installed the package? Version 0.5.2 was released a few days ago that fixed the issue with tokens not refreshing properly. Try running a composer update and see if that fixes your issue.
I found that this was an issue with the package. I submitted a pull request to fix it.
The token was being validated and an error is thrown before it got a chance to refresh the token.
Maybe this code can help to get a new token:
public function refreshToken(Request $request)
{
    $oldToken = $request->input('token');
    if (!$oldToken) {
        return response()->json(null);
    }
    // Issue a fresh token from the old (possibly expired) one
    $token = JWTAuth::refresh($oldToken);
    return response()->json(compact('token'));
}
I was trying to create a driver for OpenStack using Apache Libcloud. It doesn't raise any error even if the user credentials are wrong. So when I checked the FAQ I found an answer as given in the link
Apache libcloud FAQ
But it doesn't seem to be effective, since querying each time to check whether the user is authenticated will reduce performance if the query returns a bulk of data.
When I checked the response I got from the API, there is a field called driver.connection.auth_user_info and I found that the field is empty if the user is not authenticated. So can I use this method as a standard? Any help is appreciated
An OpenStack driver for libcloud is already available:
from libcloud.compute.types import Provider
from libcloud.compute.providers import get_driver

# named OpenStack rather than os so the stdlib os module is not shadowed
OpenStack = get_driver(Provider.OPENSTACK)
params = {'key': 'username', 'secret': 'password',
          'ex_force_auth_url': 'http://127.0.0.1:5000',
          'ex_force_auth_version': '2.0_password',
          'ex_force_service_region': 'regionOne',
          'ex_force_service_name': 'nova',
          'ex_force_service_type': 'compute',
          'ex_tenant_name': 'tenant'}
driver = OpenStack(**params)
But libcloud does not check the credentials by just creating the driver object. Instead, the creds will be validated only when a request is sent. If the internal exception InvalidCredsError is thrown the credentials are invalid, and a variable of your own could be set:
from libcloud.common.types import InvalidCredsError

validcreds = False
try:
    # any request that needs authentication triggers the login
    nodes = driver.list_nodes()
    validcreds = True  # the request went through, so the credentials were accepted
except InvalidCredsError:
    print("Invalid credentials")
except Exception as e:
    print(str(e))
I would not rely on the internal variable auth_user_info because it could change over time.
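The pattern in the answer, checking once with a request that needs authentication, can also be made to answer the asker's performance concern: probe once with a cheap call, remember the verdict, and only re-probe when the result was a transport error rather than a definite rejection. The following is an added example and not libcloud's own API: `CredentialCheck` and `demo` are this example's names, the constructed probes in `demo` stand in for real driver calls so the block runs offline, and the stand-in `InvalidCredsError` class is only used when libcloud is not installed. The `list_sizes()` call in the `__main__` block is an assumption about which request is cheap enough to use as the probe.

```python
import time

try:
    from libcloud.common.types import InvalidCredsError
except ImportError:
    # libcloud is not installed here; a stand-in with the same name keeps the example runnable.
    class InvalidCredsError(Exception):
        pass


class CredentialCheck:
    """Run one authenticated probe, cache the verdict for `ttl` seconds.

    Verdicts: 'valid'   - the probe succeeded, so the credentials were accepted
              'invalid' - libcloud raised InvalidCredsError (definite rejection, cached)
              'error'   - anything else (network, service down); not cached, so the
                          next call probes again instead of treating it as a rejection
    """

    def __init__(self, probe, ttl=300.0, clock=time.monotonic):
        self._probe = probe          # zero-argument callable that performs a cheap authenticated request
        self._ttl = ttl
        self._clock = clock
        self._verdict = None
        self._checked_at = None

    def _run_probe(self):
        try:
            self._probe()
        except InvalidCredsError:
            return "invalid"
        except Exception:
            return "error"
        return "valid"

    def verdict(self):
        now = self._clock()
        stale = self._verdict is None or now - self._checked_at > self._ttl
        if stale or self._verdict == "error":
            self._verdict = self._run_probe()
            self._checked_at = now
        return self._verdict

    def is_valid(self):
        # fail closed: only a successful probe counts as valid
        return self.verdict() == "valid"


def demo():
    """Offline demonstration with constructed probes; no cloud is contacted."""
    calls = {"bad": 0, "good": 0, "flaky": 0}

    def bad():                       # wrong password: Keystone answers 401
        calls["bad"] += 1
        raise InvalidCredsError("401 Unauthorized")

    def good():                      # accepted credentials
        calls["good"] += 1
        return ["flavor-1"]

    def flaky():                     # endpoint unreachable: not a verdict on the credentials
        calls["flaky"] += 1
        raise OSError("connection refused")

    bad_check, good_check, flaky_check = CredentialCheck(bad), CredentialCheck(good), CredentialCheck(flaky)
    results = {
        "bad": [bad_check.is_valid(), bad_check.is_valid()],
        "good": [good_check.is_valid(), good_check.is_valid()],
        "flaky": [flaky_check.verdict(), flaky_check.verdict()],
    }
    results["probe_calls"] = dict(calls)   # bad/good probed once, flaky probed twice
    return results


if __name__ == "__main__":
    print(demo())
    # With a real driver (assumed cheap probe; list_sizes() needs an authenticated session):
    # check = CredentialCheck(lambda: driver.list_sizes())
    # print(check.is_valid())
```

Keying the verdict on the exception type rather than on `auth_user_info` follows the answer's advice: `InvalidCredsError` is the documented signal, while the contents of `driver.connection` are implementation detail.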
I set up speedy_c2dm to send "push" messages to android devices.
The gem was working fine, but now I get this NoMethodError message when I call
SpeedyC2DM::API.send_notification(options)
the options parameter is good, I have verified this.
From the ruby-doc I got the following code from the gem:
def get_auth_token(email, password)
  data = "accountType=HOSTED_OR_GOOGLE&Email=#{email}&Passwd=#{password}&service=ac2dm"
  headers = { "Content-type" => "application/x-www-form-urlencoded",
              "Content-length" => "#{data.length}" }
  uri = URI.parse(AUTH_URL)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  # as shipped in the gem: this disables TLS certificate verification
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  response, body = http.post(uri.path, data, headers)
  # expects a three-line ClientLogin body (SID, LSID, Auth); if the response has
  # fewer lines, body.split("\n")[2] is nil and .gsub raises NoMethodError
  return body.split("\n")[2].gsub("Auth=", "")
end
You can see that the last line uses gsub, so I believe the problem is in the authentication method.
I have changed the password of the account since I created this, I updated the file with the password, initializers/speedy_c2dm.rb:
C2DM_API_EMAIL = "myemail@gmail.com"
C2DM_API_PASSWORD = "mynewpassword"
SpeedyC2DM::API.set_account(C2DM_API_EMAIL, C2DM_API_PASSWORD)
Can this be causing the error? That I changed the password even though I updated this file?
(Google doesn't let me to go back to the old password, I have to create a new one different from the old ones if I change it again)
It's the only thing I can think of since I didn't modify the gem's code.
How can I fix it? C2DM is deprecated now, but it's supposed to keep working for old users. I don't want to migrate to GCM if I don't need to; everything is set up to work with C2DM.
Any other ideas to fix it are welcome.
The problem was fixed after I removed the "two step verification" for logging in to my email.
This change can be made in the account configuration of gmail.