I'm using OAuth2.0 User-Agent Authentication flow to get the access & refresh tokens so that I can use the Foce.com REST API over remote access. Now, the problem is that I'm able to authorize successfully and recieve the tokens, but while using those tokens just after authorizing my client application, I'm recieving a java.net.ConnectException: Connection refused error.
Following Steps I'm doing
Redirecting to
https://login.salesforce.com/services/oauth2/authorize?response_type=token&client_id={my_client_id}&redirect_uri={my_redirect_uri}&state=myState
Authorizing the app in salesforce and then receiving back the access token and refresh tokens in the hash of the redirect_uri as
{my_redirect_uri}#access_token={my_access_token}&refresh_token={my_refresh_token}&instance_url=https%3A%2F%2Fap1.salesforce.com&id=https%3A%2F%2Flogin.salesforce.com%2Fid%2F00D90000000gscOEAQ%2F00590000000sdtJAAQ&issued_at=1351151192815&signature={my_signature_value}&state=myState
&scope=id+api+refresh_token
Now I'm using the REST API using the same access token by doing a POST to
https://ap1.salesforce.com/services/data/v20.0/sobjects/Lead/
with request headers:
Content-Type: application/json
Authorization: OAuth {my_access_token}
I have not escaped the access token while sending the post as it needs to be done when using CURL. Is that needed when using HttpClient Java API also?
The response that I'm getting is "java.net.ConnectException: Connection refused error."
Can someone please let me know what I'm doing wrong or how I can debug it further ?? Is there any way to see whats happening at Salesforce end? Some logs may be ?
I'm getting the exact same connection refused error if I try OAuth Refresh Token Process also.
Sorry for the noise.
I was getting "invalid_grant" with "expired access/refresh token" while validating the customer secret using the Refresh Token Procedure but since it was secured transmission so all I was getting in Java was "Connection Refused" with no detailed error message.
I got to know the detailed error by Setting up SSL Proxy in Charles as described here. After that I was able to see the request parameters and response send to https://ap1.salesforce.com which was earlier not readable.
Related
I added additional API to the Duende IdentityServer 6.2 as described here. Then I tried to access it from a sample App, using typed httpClient using their own library called AccessTokenManagement (aka Identity.Model) pretty much following their simple example. I use Authorization Code flow, everything pretty much simple and default.
It works well until both server and client are on the same dev machine under localhost. As soon as I publish IdentityServer to IIS, the API stops to work, while the rest still works well (I can be authenticated, and I see in the Fiddler that token exchanges work normally).
The call to API consists from two calls:
Calling to /connect/token using refresh token. Server returns access token.
Calling my endpoint using this new access token.
The flow fails on the step 1. Call to /connect/token is already unauthorized and I can't understand why. The "good" and "bad" calls looks the same, I cannot see any differences. Previous call moment ago to /connect/userinfo consists of the same two steps and it works. Logs on both server and client give no clues.
No reverse proxies, just good plain simple URI. Automatic key management is enabled and the keys are in the SQL table, common for dev and published server. Asp.Net Core Data Protection is enabled and keys are also common.
Relevant parts of logs are below. I noticed that "No endpoint entry found for request path" is specific to IdentityServer and it doesn't actually mean that endpoint was not found. It was found but not processed. I also noticed reacher response headers from bad request and log entry about "Cookie signed-in" in good request but not sure what does it mean and whether it's relevant.
I'm running out of ideas.
Bad response from IIS while trying to get new Access Token:
Proper response while developing:
///////Relevant part of log for BAD request
|Duende.AccessTokenManagement.OpenIdConnect.UserAccessAccessTokenManagementService|Token for user test#test.com needs refreshing.
|Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler|AuthenticationScheme: cookie was successfully authenticated.
|Duende.AccessTokenManagement.OpenIdConnect.UserTokenEndpointService|refresh token request to: https://auth.mysite.org/connect/token
|Duende.AccessTokenManagement.OpenIdConnect.UserAccessAccessTokenManagementService|Error refreshing access token. Error = Unauthorized
|System.Net.Http.HttpClient.IdsService.ClientHandler|Sending HTTP request POST https://auth.mysite.org/mycontroller/myaction
|System.Net.Http.HttpClient.IdsService.ClientHandler|Received HTTP response headers after 117.7278ms - 401
///////Same part of GOOD request
|Duende.AccessTokenManagement.OpenIdConnect.UserAccessAccessTokenManagementService|Token for user test#test.com needs refreshing.
|Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler|AuthenticationScheme: Cookies was successfully authenticated.
|Duende.AccessTokenManagement.OpenIdConnect.UserTokenEndpointService|refresh token request to: https://localhost:5001/connect/token
|Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler|AuthenticationScheme: Cookies signed in.
|System.Net.Http.HttpClient.IdsService.ClientHandler|Sending HTTP request POST https://localhost:5001/mycontroller/myaction
|System.Net.Http.HttpClient.IdsService.ClientHandler|Received HTTP response headers after 1994.9611ms - 200
///////Server log during BAD request
Duende.IdentityServer.Hosting.EndpointRouter No endpoint entry found for request path: "/mycontroller/myaction"
Duende.IdentityServer.Hosting.LocalApiAuthentication.LocalApiAuthenticationHandler HandleAuthenticateAsync called
Duende.IdentityServer.Hosting.LocalApiAuthentication.LocalApiAuthenticationHandler AuthenticationScheme: "IdentityServerAccessToken" was not authenticated.
Duende.IdentityServer.Hosting.LocalApiAuthentication.LocalApiAuthenticationHandler AuthenticationScheme: "IdentityServerAccessToken" was challenged.
Okay, found it. Thankfully, looked at Fiddler's WebView and had seen familiar picture!
Then, found this topic. The solution was disabling Basic authentication in IIS settings. Access token request has basic authentication header and it seems like IIS intercepts it. Still a bit unclear why other parts of flow worked.
I am trying to get access token from api https://api.amazon.com/auth/o2/token
POST /auth/o2/token HTTP/l.l
Host: api.amazon.com
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
grant_type=refresh_token
&refresh_token=Aztr|...
&client_id=foodev
&client_secret=Y76SDl2F
But after POST request I get 500 server error.
Is it because my app is in draft status? or I am missing something while making request?
If it because of draft status then when the status will get change? any thoughts on this.
Thank you for your help in advance.
The documentation is wrong. I was getting the same exact error and came across this comment on a github issue which mentioned that the data has to be passed into the body of the request, not as query string parameters. Sure enough, this worked for me and I was able to get an access token. So just to clarify: grant_type, refresh_token, client_id, and client_secret should be passed into the body of the POST request to https://api.amazon.com/auth/o2/token and NOT as query string parameters.
Draft status will not keep you from requesting and receiving the access token.
Here are a few things to check as not much can be derived from the example post request from the documentation:
Did you configure AWS IAM role / policy / user properly
Did you use the correct IAM ARN when registering the application
Are you using the correct LWA credentials (I am assuming you're not passing foodev and Y76SDl2F as those are example parameters)
Have you self authorized the application (are you using the refresh token generated
for the authorized application)
Are you 'assuming the role' before the token exchange -- this is a very important step
and is very different in comparison to how access was handled with MWS -- if
you have not, the server will reject the token exchange regardless if the refresh
token is correct. More on that here
This is a non-exhaustive list, just some common issues I have seen other developers have with getting the access token during development, if these don't work you'll need to work with support as they can see the requests hitting the token endpoint.
We have a basic IdentityServer implementation using ClientCredentials. When a token is requested with an invalid secret, we're receiving an invalid_client error with a 400 BadRequest status. What is the best way to override this response and return a 401 unauthorized? We have a remote device accessing our api which expects a 401 for authentication errors.
One option is to work with another project that works as a facade in the middle, connects to the /connect/token methods and then gives a different response having 401. Here are some links:
https://microservices.io/patterns/apigateway.html
How to setup a Web API Facade pattern
Background
I have a simple NodeJS server hosted on localhost/Heroku which handles JWT authentication for adding data to the registered user amongst other (unrelated) things.
Here's the GitHub: https://github.com/mlee93dev/pw-keychain-server
I also have a simple Angular2 client on localhost/Heroku for this server:
https://github.com/mlee93dev/pw-keychain-app
Currently, I have my JWT access tokens configured to last only 5 seconds in my server for development purposes.
I have my CORS stuff configured to the best of my knowledge as shown below in server.js:
CORS configuration pic
The Problem
On Postman I test the POST request and I get the expected response - a JWT expiration error:
Postman POST pic
However I don't get the same response on my client - rather, I get a 'JWT must be provided' error:
Client POST pic
As you can see in the pic above, I know I'm actually attaching a token as I console.log it. Here's a pic of the code:
Client POST code pic
So what's confusing me more is that my DELETE request (for logging out) also implements the same x-auth token to request code, and it works in both Postman + client, as seen here:
DELETE error response
DELETE code
So yeah, I'm pretty confused. My guess is I have to configure my CORS some more to allow x-auth header on POST requests specifically somehow? Even though I think it should do that already with my current configuration.
You are providing the body in post request instead of headers.
Angular POST request
So in your post request just do the following
this.http.post(yoururl, {},{headers:new Headers({'x-auth':token})})...
And it should work.
So in my google cloud project I generated a Web Client ID, and follow the steps in
https://developers.google.com/adwords/api/docs/guides/oauth_playground
to get the authentication token.
In my #endpoints.api(allowed_client_ids=) I've put the client id inside it. Then in OAuth2 playground I sent a http request using the authentication token which I have acquired (e.g: Bearer ya29.bwL-f-hz-wcxFq_i-IlEQaJDiinwIP7ad7CaZoRkJRdGrsxxs4Wc9ZeNOgVlhD69zOQk) to the API.
But the problem is, it did not recognize the token, and said it is an invalid token. To compare with, I put endpoints.API_EXPLORER_CLIENT_ID together inside the allowed_clients_ids=, and when I tested it using API Explorer it just works. So am I doing something wrong?
You have specify your own client id and client secret. see this
screenshot