github deployment works with manual deploy only about auth0-deploy-extensions HOT 7 CLOSED

Hi!
The error does look like Auth0 API error. It seems, the extension is getting all the files from the repo, but cannot authorize to Auth0 API to update the records.
Did you change the auth0-github-deploy generic client in some way?
Could you please re-install the extension and see if that helps?

from auth0-deploy-extensions.

hi @zxan1285 !

no we didn't make any changes in the extension itself, we installed it on the extensions tab a while ago. the only change we made recently is updating it from 2.6 to 2.8. i'm going to reinstall it and i'll let you know if it helps.

edit: it's not related to the upgrade, it happens on a tenant with 2.6 as well.

from auth0-deploy-extensions.

so, we reinstalled the the extension, updated the webhook with the new secret and created a pull request in the repository. after we merged it the webhook delivered it to the extension but the extension couldn't update the tenant. the error is the same:

{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Invalid token",
  "attributes": {
    "error": "Invalid token"
  }
}

clicking on the re-deploy button in the row of failed deployment and clicking on the deploy button above the deployments were successful.

from auth0-deploy-extensions.

Thanks for trying @gex
and sorry for the inconvenience.

I wasn't able to reproduce the exact error so far.
Would you mind answering a few question, that could help me to investigate this?
Do you use auth0 cloud or PSaaS?
What's the region of the webtask (au, eu, us)?

Also, if you could check access_token for the extension's client, that would help alot.
To get the access_token, you need to send POST request to https://{your_domain}/oauth/token with payload

{
  "audience": "https://{your_domain}/api/v2/",
  "client_id": "auth0-github-deploy client_id",
  "client_secret": "auth0-github-deploy client_secret",
  "grant_type": "client_credentials"
}

then use that access_token to get something from API2:
GET https://{your_domain}/api/v2/clients with Authorization: Bearer {access_token} header.

from auth0-deploy-extensions.

Do you use auth0 cloud or PSaaS?

we use auth0 cloud, all 3 tenants are in the developer pro tier.

What's the region of the webtask (au, eu, us)?

the 3 tenants are in the same region (US (Prod)) and the domains of the extension are *.us8.webtask.io so i guess it's us. but that's not something we could set or can change now.

Also, if you could check access_token for the extension's client, that would help alot.

the response of the /api/v2/clients request:

{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Invalid token",
  "attributes": {
    "error": "Invalid token"
  }
}

so i checked the content of the token (redacted the sensitive parts):

{
  "https://<our_domain>/email": "<our_email_address>",
  "iss": "https://<tenant_name>.auth0.com/",
  "sub": "<auth0-github-deploy client_id>@clients",
  "aud": "https://<tenant_name>.auth0.com/api/v2/",
  "iat": 1559146050,
  "exp": 1559232450,
  "azp": "<auth0-github-deploy client_id>",
  "gty": "client-credentials"
}

and the first line (the email) reminded me that we created a hook because we're also using the authorization extension and to add permissions to machine to machine application tokens we cannot use rules.

is it possible that we broke the auth0-github-deploy by addig a custom hook?

the template for creating new hooks is like:

module.exports = function(client, scope, audience, context, cb) {
  var access_token = {};
  access_token.scope = scope;

  // Modify scopes or add extra claims
  // access_token['https://example.com/claim'] = 'bar';
  // access_token.scope.push('extra');

  cb(null, access_token);
};

so anything created before this hook is lost because we start with an empty access token.

from auth0-deploy-extensions.

Yep, the scope is missing.
Adding

if (client.id === <auth0-github-deploy client_id>) {
    return cb(null, { scope });
  }

should fix the issue.

from auth0-deploy-extensions.

thank you @zxan1285 it solved the issue!

from auth0-deploy-extensions.