search

Daniel-Krzyczkowski / Cars-Island-On-Azure

Cars Island is a fake car rental company which used Microsoft Azure cloud services to implement the system for managing car renting.
MIT License
290 stars 147 forks source link

Help - Getting Error 500 when I include the access token #3

Open lawrenceong001 opened 3 years ago

lawrenceong001 commented 3 years ago

hello Daniel,

Tks for providing this example -- it has been very educational so far!

I have managed to replicate the api and had been trying to use it. so far, using the swagger interface, I'm able to execute cars get all without using any authorization (since it allowed anonymous).

To execute the post car reservation, I first generated a token using this link: https://<tenantname>.b2clogin.com/<tenantname>.onmicrosoft.com/oauth2/v2.0/authorize?p=<userflowname>&client_id=<clientid>&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=https://<tenantname>.onmicrosoft.com/<clientid>/<scopename>&response_type=code&prompt=login. From there, I get a JWT, which I then fed into a post command: https://<tenantname>.b2clogin.com/<tenantname>.onmicrosoft.com/{{policy-name}}/oauth2/v2.0/token, with a body that contained: grant_type=authorization_code &client_id=<application-ID> &scope=https://<tenant-name>.onmicrosoft.com/api/read &code=<jwt from previous call>.. &redirect_uri=https://jwt.ms &client_secret=<generatedsecretforapi>

This then returned an access token, which when I fed it into jwt.ms I do see the "access_as_user" scope. image

I then proceeded to enter "Bearer " with the access token using the Authorize button on top.

However, when I try to post the car reservation, I get the 500 error : 

{
  "Id": "5b5aeb9f-eaec-4f5b-b056-4dd8d34e9be2",
  "Status": 500,
  "Code": null,
  "Links": null,
  "Title": "Some kind of error occurred in the API.  Please use the id and contact our support team if the problem persists.",
  "Detail": null
}

the command shown was: 

curl -X POST "https://localhost:44375/api/CarReservation" -H  "accept: */*" -H  "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrNHh5b2pORnVtMWtsMll0djhkbE5QNC1jNTdkTzZRR1RWQndhTmsifQ.eyJpc3MiOiJodHRwczovL291dHNpZGU3MjU2MjIxLmIyY2xvZ2luLmNvbS8zYTFlNzYyOS05OGUzLTRmMjEtODc4OC04NzI1MGNlNzQ3OTEvdjIuMC8iLCJleHAiOjE2MTQ5NzI3MDgsIm5iZik2OTEwOCwiYXVkIjoiZjVlYTdiYjUtODE4OS00MTgyLWJmZTQtNmZjZGZhMzNiNTRiIiwiaWRwX2FjY2Vzc190b2tlbiI6InlhMjkuYTBBZkg2U01CaEh1UjRoVDFUbzdnTWZLb3FxWTVnRUtVMlNsV1lxcTM0SHdqcVNYLVEzOTlMUGpUVmhjWEYtYUl2aGVZVGxRbW8wTkhjcUs2a0tiR0lwMFFTWkJia1lqd1BYb1FaVmNjQ3I1cDhNbUdjbXVkX0xLeGdmOWtDT3RmMG82OUQxY2E1YVdoWEtLS0RyTUlZeVl2SFFuU3JrZyIsImdpdmVuX25hbWUiOiJMYXdyZW5jZSAobGF3cmVuY2VvbmcuZGV2KSIsImZhbWlseV9uYW1lIjoiT25nIiwibmFtZSI6Ikxhd3JlbmNlIE9uZyIsImlkcCI6Imdvb2dsZS5jb20iLCJvaWQiOiJkZWJjwN2VhNTA3MTA4MDUiLCJjaXR5Ijoib3R0YXdhIiwic3RhdGUiOiJPTiIsImVtYWlscyI6WyJsYX9uZy5kZXZAZ21haWwuY29tIl0sInRmcCI6IkIyQ18xX3NpZ251cF9zaWduaW4iLCJub25jZSI6ImRlZmF1bHROb25jZSIsInNjcCI6ImFjY2Vzc19hc191c2VyIiwiYXpwIjoiZjVlYTdiYjUtODE4OS00MTgyLWJmZTQtNmZjZGZhMzNiNTRiIiwidmVyIjoiMS4wIiwiaWF0IjoxNjE0OTY5MTA4I6MTYxNDfQ.U9ux_gPjjf5gv6KLyKDQ9VwONLcwL0WLB3mssg5kQfpyEjjqjQ3qwMtJwBwuaOyhnFqwvoynJxWOK6rRBFOEnk2qn6hzmYmvz4c1DA_sj1JqHQoL9WriuhVKvwijsjvZTU2YS03YzJjLTRjZjgtYWU2Ny0wN2VhNTA3MTA4MDUiLCJzdWdyZW5jZWIiOiJkZWJjZTU2YS03YzJjLTRjZjgtYWU2Ny070NTlucEk87SGbDXYl2bVFF8pbk6C8qWxF_p1AlAyZbfqqZI_ryw4oEn3Bh8TYWEHuaTEcvHvgXp_yVzz9KpK5IYkdwHEtUDlGT2orLsOcIfutqz1-0cvp5Se2NfOF7ASvJ0ZSTCr_3Xo_prwDfUtXYk7uLDJnxyTKHkCVkEjhKTPTzDKVL66ic6CErraaQTHqe9ugKx2YJAcbt-iqkit-w" -H  "Content-Type: application/json" -d "{\"carId\":\"5b5aeb9f-eaec-4f5b-b056-4dd8d34e9be2\",\"rentFrom\":\"2021-03-05T19:29:00.915Z\",\"rentTo\":\"2021-03-06T19:29:00.915Z\"}"

interestingly, the cars get all will also fail now when I include the token -- the swagger interface will include the header as well even though it doesn't seem like it's needed.

would you have any suggestions on what I can do to alleviate this issue?

thanks again Lawrence

Daniel-Krzyczkowski commented 3 years ago

Hello Lawrence,

Thank you for a kind words, I am happy that you like this project. It is hard for me to say what is exactly wrong with your configuration but I have a suggestion. Please put debug breakpoint in this line:

https://github.com/Daniel-Krzyczkowski/Cars-Island-On-Azure/blob/4810a70b5e1a4d3951fe39a2a7ccdfcbe1a5a206/src/web-api/CarsIsland.API/Middleware/ApiExceptionMiddleware.cs#L36

This is exception middleware and you should catch the exception details. Could you please try to check what is the exception's message?

lawrenceong001 commented 3 years ago

Hi Daniel,

curiously, the 500 error seem to have gone away by itself, as the application doesn't throw that error anymore. it does, still however, return an unauthorized error when I try to post, following the same process above.

is there a way we can decode the [Authorize] process to see where the error is occurring? or do you have some suggestions on how to resolve it?

thanks Lawrence

lawrenceong001 commented 3 years ago

Hi again Daniel,

I was able to replicate the error -- it seems that when I add the word Bearer to the access token it would then throw this error. if I skipped the Bearer I would simply get the Unauthorized error.

the error I get when I include Bearer and the access token during POST is: "Session has not been configured for this application or request"

image

thoughts?

tks Lawrence

Daniel-Krzyczkowski commented 3 years ago

Hi Lawrence, How do you send the token to the API? Do you follow below convention? httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", <<token>>);

lawrenceong001 commented 3 years ago

Hi Lawrence, How do you send the token to the API? Do you follow below convention? httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", <<token>>);

Hi Daniel,

I simply used the swagger interface to test the API. here are the steps I followed:

  1. logged in to MS using: https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/oauth2/v2.0/authorize?p=<policy-name>&client_id=<client-id>&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=https://<tenant-name>.onmicrosoft.com/<client-id>/access_as_user&response_type=code&prompt=login
  2. when I get the id token, then used Postman to get the access token using this POST Url: https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/{{policy-name}}/oauth2/v2.0/token, with the payload: grant_type=authorization_code&client_id=<client-id>&scope=https://<tenant-name>.onmicrosoft.com/<client-id>/access_as_user&code=<id-token>&redirect_uri=https://jwt.ms&client_secret=<client-secret>
  3. I check using jwt.ms that the access token received did contain the scp
  4. I then used the Swagger interface to put in the access token I received in this format Bearer <access-token>

and I then performed the steps in Swagger using "try this out" for both get(all) cars and Post carReservation.

does this help?

tks Lawrence

rrer-art commented 1 year ago

hello guys. sorry for distrurbing. did you managed to solve this? i faced with the same..