invalid_credentials in production environment about sso-devise-omniauth-provider HOT 11 CLOSED

It says 'Invalid credentials'. When you switched to production mode, I guess your database would have changed too. I dont see a log for the access token request in the provider log. That probably means that you have registered a client with the provider but not updated the secret in your client configuration.

Can you check?

After the authorize request /admin/auth/admin/authorize call, omniauth sends a token request. Something like this (taken from my log file)

Started POST "/oauth/token" for 127.0.0.1 at 2011-12-05 17:51:16 +0530
  Processing by AuthController#access_token as */*
  Parameters: {"grant_type"=>"authorization_code", "code"=>"a791438a832aacb118f2b78278adc231", "client_id"=>"YE0NYveQGoFsNLX220Dy5g", "client_secret"=>"aqpGBedDnHFyp5MmgT8KErr9D015ScmaY8r3vHg5C0", "redirect_uri"=>"http://localhost:3001/auth/joshid/callback"}

This means that the client_secret is not configured properly.

from sso-devise-omniauth-provider.

Thanks for the early reply!

As you say, it is missing the POST after the authorize request. The thing is that I already added the Client with the corresponding app id and secret to the provider DB, and do not find more differences between my local app and the one in the server (they are in the same git repo). I tested the my local client with the remote provider and had the same problem that the one in the server.

I will try to find why the provider is refusing the client credentials.

from sso-devise-omniauth-provider.

I also noticed that when you don't have registered the client in the provider app, the error message is:

In the provider:

Started GET "/auth/admin/authorize?response_type=code&client_id=testing&redirect_uri=http%3A%2F%2Flocalhost%3A3001%2Fauth%2Fadmin%2Fcallback" for 127.0.0.1 at 2012-04-26 11:16:38 -0300
  Processing by AuthController#authorize as HTML
  Parameters: {"response_type"=>"code", "client_id"=>"testing", "redirect_uri"=>"http://localhost:3001/auth/admin/callback"}
  User Load (0.8ms)  SELECT `users`.* FROM `users` WHERE `users`.`id` = 1 LIMIT 1
  SQL (0.7ms)  DELETE FROM `access_grants` WHERE (created_at < '2012-04-23 14:16:38')
  Client Load (0.5ms)  SELECT `clients`.* FROM `clients` WHERE `clients`.`app_id` = 'testing' LIMIT 1
   (0.2ms)  BEGIN
  SQL (0.6ms)  INSERT INTO `access_grants` (`access_token`, `access_token_expires_at`, `client_id`, `code`, `created_at`, `refresh_token`, `updated_at`, `user_id`) VALUES ('9a3ab6ee3a47f53545d8effc56a58f38', NULL, NULL, '8baa3cc9017af5cf17183dd5fb79c736', '2012-04-26 14:16:38', '5882cf35c804797ad3d021458b9897a5', '2012-04-26 14:16:38', 1)
   (87.1ms)  COMMIT
Redirected to http://localhost:3001/auth/admin/callback?code=8baa3cc9017af5cf17183dd5fb79c736&response_type=code
Completed 302 Found in 532ms


Started POST "/oauth/token" for 127.0.0.1 at 2012-04-26 11:16:38 -0300
  Processing by AuthController#access_token as */*
  Parameters: {"grant_type"=>"authorization_code", "code"=>"8baa3cc9017af5cf17183dd5fb79c736", "client_id"=>"testing", "client_secret"=>"testing", "redirect_uri"=>"http://localhost:3001/auth/admin/callback"}
  Client Load (0.6ms)  SELECT `clients`.* FROM `clients` WHERE (app_id = 'testing' AND app_secret = 'testing') LIMIT 1
Completed 200 OK in 16ms (Views: 6.5ms | ActiveRecord: 2.1ms)

And in the client:

Started GET "/auth/admin" for 127.0.0.1 at 2012-04-26 11:16:27 -0300
(admin) Callback phase initiated.
(admin) Authentication failure! invalid_credentials: OAuth2::Error, Could not find application: 
{"error":"Could not find application"}


Started GET "/auth/admin/callback?code=8baa3cc9017af5cf17183dd5fb79c736&response_type=code" for 127.0.0.1 at 2012-04-26 11:16:38 -0300

OAuth2::Error (Could not find application: 
{"error":"Could not find application"}):

So I think that provider app has another problem that is causing OAuth to miss the "POST" part.

from sso-devise-omniauth-provider.

Ok, I noticed that when my local app try to authenticate with the server provider it gets:

Authentication failure! invalid_credentials: OAuth2::Error

Seems like OAuth2 is having some problems, maybe like the one mentioned in https://groups.google.com/forum/#!msg/oauth2-dev/tRZoAC_9ZKY/m69MPzO3eJAJ ?

UPDATE: Forget this lead, the redirect was not working in the local app. I tried again using the server provider an server client and the problem persists after re-doing the apps.

from sso-devise-omniauth-provider.

Not sure if this is related, as this is during refresh tokens, not
authentication.

The most common mistake I have made when trying this again is registering
the client but not updating the configuration consumer secret :) Is it
possible to shared the code, so that I can test it out?

On Thu, Apr 26, 2012 at 8:26 PM, Rodrigo Fernandez <
[email protected]

wrote:

Ok, I noticed that when my local app try to authenticate with the server
provider it gets:

Authentication failure! invalid_credentials: OAuth2::Error

Seems like OAuth2 is having some problems, maybe like the one mentioned in
https://groups.google.com/forum/#!msg/oauth2-dev/tRZoAC_9ZKY/m69MPzO3eJAJ?

---

Reply to this email directly or view it on GitHub:

#12 (comment)

from sso-devise-omniauth-provider.

Sadly, I cannot share the code. I asked a teammate to test it by himself, and it worked locally for him too. We will have to check the production environment that we are deploying, and check what is happening there.
So, if the Omniauth gem is the one responsible of sending the Token, we just have to check it and see what is happening.

Thanks for everything! I will keep this in check for new updates.

from sso-devise-omniauth-provider.

It seems that I am not the only one, here are two more that used this implementation and had the same "invalid_credentials" problem:

http://groups.google.com/group/omniauth/browse_thread/thread/27d28e2f0c126314#

http://groups.google.com/group/omniauth/browse_thread/thread/b56ca34b65dfa8f4

I emailed Matt hoping that he has some other lead to follow.

Greetings,

from sso-devise-omniauth-provider.

Well, I cornered the problem to one line (in the oauth client):

in "build_access_token" in omniauth/strategies/oauth2.rb (omniauth-oauth2 gem):
client.auth_code.get_token(verifier, {:redirect_uri => callback_url}.merge(token_params.to_hash(:symbolize_keys => true)))

In the server that method triggers an ::OAuth2::Error exception.

And we can find that method in the oauth2 gem (lib/oauth2/client.rb):

116     # Initializes an AccessToken by making a request to the token endpoint
117     #
118     # @param [Hash] params a Hash of params for the token endpoint
119     # @param [Hash] access token options, to pass to the AccessToken object
120     # @return [AccessToken] the initalized AccessToken
121     def get_token(params, access_token_opts={})
122       opts = {:raise_errors => options[:raise_errors], :parse => params.delete(:parse)}
123       if options[:token_method] == :post
124         headers = params.delete(:headers)
125         opts[:body] = params
126         opts[:headers] =  {'Content-Type' => 'application/x-www-form-urlencoded'}
127         opts[:headers].merge!(headers) if headers
128       else
129         opts[:params] = params
130       end
131       response = request(options[:token_method], token_url, opts)
132       raise Error.new(response) if options[:raise_errors] && !(response.parsed.is_a?(Hash) && response.parsed['access_token'])
133       AccessToken.from_hash(self, response.parsed.merge(access_token_opts))
134     end

UPDATE: OAuth2 seems to give a 404 error:

OmniAuth Error (invalid_credentials): #<OAuth2::Error: <!DOCTYPE html>
<html>
<head>
  <title>The page you were looking for doesn't exist (404)</title>
  <style type="text/css">
    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
    div.dialog {
      width: 25em;
      padding: 0 4em;
      margin: 4em auto 0 auto;
      border: 1px solid #ccc;
      border-right-color: #999;
      border-bottom-color: #999;
    }
    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
  </style>
</head>

<body>
  <!-- This file lives in public/404.html -->
  <div class="dialog">
    <h1>The page you were looking for doesn't exist.</h1>
    <p>You may have mistyped the address or the page may have moved.</p>
  </div>
</body>
</html>

from sso-devise-omniauth-provider.

Ok, I figured it out the source of the problem.

The oauth provider app did not have his own domain, so it was placed in like "http://somepage.com/provider". In that case, some paths of the gems were not well defined, searching in "http://somepage.com/oauth/token" and similar urls.

We solved the problem creating a subdomain for the provider app.

Also, I managed to fix the missing Started POST "/oauth/token" adding all the paths that I found in the internet that could be configured for the oauth client:

In lib/provider.rb:

      option :client_options, {
        :site =>  ::CUSTOM_PROVIDER_URL,
        :authorize_url => "#{::CUSTOM_PROVIDER_URL}/auth/admin/authorize",
        :authorize_path     => '/auth/admin/authorize',
        :access_token_url => "#{::CUSTOM_PROVIDER_URL}/auth/admin/access_token",
        :access_token_path  => '/auth/admin/access_token',
        :request_token_url=> "#{::CUSTOM_PROVIDER_URL}/oauth/token",
        :request_token_path => '/oauth/token',
        :token_url=> "#{::CUSTOM_PROVIDER_URL}/oauth/token",
        :token_path => '/oauth/token',
        :ssl => {:ca_path => "/etc/ssl/certs"}
      }

But still got an 404 error from the OAuth2 gem =/.

Thanks for all the help!

from sso-devise-omniauth-provider.

Rodrigo,
Slick! This is a good catch. I think the request_token url is wrong.
Shouldn't it be

:request_token_url=> "#{::CUSTOM_PROVIDER_URL}/auth/admin/oauth/token",
:request_token_path => '/auth/admin/oauth/token',

Maybe thats why you are getting the 404? If I have mis-understood, do
update the ticket, so it helps others too!

On Tue, May 1, 2012 at 10:10 AM, Rodrigo Fernandez <
[email protected]

wrote:

Ok, I figured it out the source of the problem.

The oauth provider app did not have his own domain, so it was placed in
like "http://somepage.com/provider". In that case, some paths of the gems
were not well defined, searching in "http://somepage.com/oauth/token" and
similar urls.

We solved the problem creating a subdomain for the provider app.

Also, I managed to fix the missing Started POST "/oauth/token" adding all
the paths that I found in the internet that could be configured for the
oauth client:

In lib/provider.rb:

     option :client_options, {
       :site =>  ::CUSTOM_PROVIDER_URL,
       :authorize_url => "#{::CUSTOM_PROVIDER_URL}/auth/admin/authorize",
       :authorize_path     => '/auth/admin/authorize',
       :access_token_url =>
"#{::CUSTOM_PROVIDER_URL}/auth/admin/access_token",
       :access_token_path  => '/auth/admin/access_token',
       :request_token_url=> "#{::CUSTOM_PROVIDER_URL}/oauth/token",
       :request_token_path => '/oauth/token',
       :token_url=> "#{::CUSTOM_PROVIDER_URL}/oauth/token",
       :token_path => '/oauth/token',
       :ssl => {:ca_path => "/etc/ssl/certs"}
     }

But still got an 404 error from the OAuth2 gem =/.

Thanks for all the help!

---

Reply to this email directly or view it on GitHub:

#12 (comment)

from sso-devise-omniauth-provider.

Gautam, the request_token_url and request_token_path variables were fine. The whole system worked out-of-the-box when changing it to a subdomain instead of the subdirectory. Later I am gonna check if the solutions mentioned in 1 works to configure the project ENV correctly.

Greetings!

from sso-devise-omniauth-provider.