Widen / cloudfront-auth

An AWS CloudFront Lambda@Edge function to authenticate requests using Google Apps, Microsoft, Auth0, OKTA, and GitHub login
ISC License

No code or state found. #13

Closed Vad1mo closed 6 years ago

Vad1mo commented 6 years ago

Thank you for the library.

I have a problem: I receive a 401 error with "No code or state found." I also don't see anything in the logs except the test that I execute on the lambda.

The website was already set up and working with CloudFront. I have the feeling that the lambda isn't triggered, or there aren't any logs. Do you have an idea what that could be?

Vad1mo commented 6 years ago

I finally found the logs, as they were located in the edge region where the requests come from and not where the lambda function is.

However, I have now inspected the logs and receive bad_verification_code back from GitHub, which is strange. I verified that the ID and Secret are both correctly transmitted to GitHub.

data: 'error=bad_verification_code&error_description=The+code+passed+is+incorrect+or+expired.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-oauth-app-access-token-request-errors%2F%23bad-verification-code'

What might be the problem?

payton commented 6 years ago

Just to make sure I understand this correctly, the library was working as expected earlier, but you are now receiving a bad verification code error?

Issue 11 had a "no code found" error. It may be helpful to read my response there, although this issue isn't exactly the same. I would suggest trying out the debugger so we can verify which steps are occurring as expected and where it falls apart: https://github.com/Widen/cloudfront-auth/wiki/Debug-&-Test.

Vad1mo commented 6 years ago

I had a static website (just an index.html) that is working correctly without auth. So far I couldn't make the edge auth part work, because I see "No code or state found." and because I am not redirected to GitHub to log in.

I have a naked domain, let's call it sandbox.com, that contains a static website. Now I want to put the whole website behind GitHub login.

{
    "AUTH_REQUEST": {
        "client_id": "8ef9551f809d9c4cf65a",
        "redirect_uri": "https://sandbox.com/_callback",
        "scope": "read:org user:email"
    },
    "TOKEN_REQUEST": {
        "client_id": "8ef9551f809d9c4cfxxx",
        "client_secret": "xxxxx",
        "redirect_uri": "https://sandbox.com/_callback"
    },
    "DISTRIBUTION": "E1MCTRP3Z03ANB",
    "AUTHN": "GITHUB",
    "PRIVATE_KEY": "-----BEGIN RSA PRIVATE KEY-----OMITTED-----END RSA PRIVATE KEY-----\n",
    "PUBLIC_KEY": "-----BEGIN PUBLIC KEY-----OMITTED-----END PUBLIC KEY-----\n",
    "SESSION_DURATION": 36000,
    "CALLBACK_PATH": "/",
    "ORGANIZATION": "a-team",
    "AUTHORIZATION_ENDPOINT": "https://github.com/login/oauth/authorize",
    "TOKEN_ENDPOINT": "https://github.com/login/oauth/access_token"
}

GitHub is configured to redirect to https://sandbox.com/_callback as well.

These are the logs:

15:01:40 START RequestId: 434a4a98-af8a-11e8-9667-51404dd513da Version: 15

15:01:40 2018-09-03T15:01:40.417Z   434a4a98-af8a-11e8-9667-51404dd513da    Starting Authorization Process

15:01:40 2018-09-03T15:01:40.452Z   434a4a98-af8a-11e8-9667-51404dd513da    Callback from GitHub received:

15:01:40 2018-09-03T15:01:40.471Z   434a4a98-af8a-11e8-9667-51404dd513da    Requesting access token.

15:01:40 2018-09-03T15:01:40.805Z   434a4a98-af8a-11e8-9667-51404dd513da    { status: 200, statusText: 'OK', headers: { server: 'GitHub.com', date: 'Mon, 03 Sep 2018 15:01:40 GMT', 'content-type': 'application/x-www-form-urlencoded; charset=utf-8', 'transfer-encoding': 'chunked', connection: 'close', status: '200 OK', 'cache-control': 'no-cache', vary: 'X-PJAX', '

15:01:40 END RequestId: 434a4a98-af8a-11e8-9667-51404dd513da

15:01:40 REPORT RequestId: 434a4a98-af8a-11e8-9667-51404dd513da Duration: 435.39 ms Billed Duration: 450 ms Memory Size: 128 MB Max Memory Used: 28 MB

This is the full request and response from GitHub.

{
    status: 200,
    statusText: 'OK',
    headers: {
        server: 'GitHub.com',
        date: 'Mon, 03 Sep 2018 15:01:40 GMT',
        'content-type': 'application/x-www-form-urlencoded; charset=utf-8',
        'transfer-encoding': 'chunked',
        connection: 'close',
        status: '200 OK',
        'cache-control': 'no-cache',
        vary: 'X-PJAX',
        'set-cookie': ['has_recent_activity=1; path=/; expires=Mon, 03 Sep 2018 16:01:40 -0000',
            'ignored_unsupported_browser_notice=false; path=/'
        ],
        'x-request-id': 'f757a913-0291-4ffb-88ce-9fd90eebd465',
        'x-runtime': '0.014039',
        'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
        'x-frame-options': 'deny',
        'x-content-type-options': 'nosniff',
        'x-xss-protection': '1; mode=block',
        'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
        'expect-ct': 'max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"',
        'content-security-policy': 'default-src \'none\'; base-uri \'self\'; block-all-mixed-content; connect-src \'self\' uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form-action \'self\' github.com gist.github.com; frame-ancestors \'none\'; frame-src render.githubusercontent.com; img-src \'self\' data: assets-cdn.github.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src \'self\'; media-src \'none\'; script-src assets-cdn.github.com; style-src \'unsafe-inline\' assets-cdn.github.com',
        'x-runtime-rack': '0.021058',
        'x-github-request-id': 'BCB2:5E22:1573B36:28FF82C:5B8D4CD4'
    },
    config: {
        adapter: [Function: httpAdapter],
        transformRequest: {
            '0': [Function: transformRequest]
        },
        transformResponse: {
            '0': [Function: transformResponse]
        },
        timeout: 0,
        xsrfCookieName: 'XSRF-TOKEN',
        xsrfHeaderName: 'X-XSRF-TOKEN',
        maxContentLength: -1,
        validateStatus: [Function: validateStatus],
        headers: {
            Accept: 'application/json, text/plain, */*',
            'Content-Type': 'application/x-www-form-urlencoded',
            'User-Agent': 'axios/0.17.1',
            'Content-Length': 156
        },
        method: 'post',
        url: 'https://github.com/login/oauth/access_token',
        data: 'client_id=8ef9551f809d9c4cfXXX&client_secret=XXXX&redirect_uri=https%3A%2F%2Fsandbox.com%2F_callback&code=&state='
    },
    request: ClientRequest {
        domain: null,
        _events: {
            socket: [Object],
            abort: [Function],
            aborted: [Function],
            error: [Function],
            timeout: [Function],
            prefinish: [Function: requestOnPrefinish]
        },
        _eventsCount: 6,
        _maxListeners: undefined,
        output: [],
        outputEncodings: [],
        outputCallbacks: [],
        outputSize: 0,
        writable: true,
        _last: true,
        upgrading: false,
        chunkedEncoding: false,
        shouldKeepAlive: false,
        useChunkedEncodingByDefault: true,
        sendDate: false,
        _removedHeader: {
            'content-length': false
        },
        _contentLength: null,
        _hasBody: true,
        _trailer: '',
        finished: true,
        _headerSent: true,
        socket: TLSSocket {
            _tlsOptions: [Object],
            _secureEstablished: true,
            _securePending: false,
            _newSessionPending: false,
            _controlReleased: true,
            _SNICallback: null,
            servername: null,
            npnProtocol: undefined,
            alpnProtocol: false,
            authorized: true,
            authorizationError: null,
            encrypted: true,
            _events: [Object],
            _eventsCount: 9,
            connecting: false,
            _hadError: false,
            _handle: null,
            _parent: null,
            _host: 'github.com',
            _readableState: [Object],
            readable: false,
            domain: null,
            _maxListeners: undefined,
            _writableState: [Object],
            writable: false,
            allowHalfOpen: false,
            destroyed: true,
            _bytesDispatched: 375,
            _sockname: null,
            _pendingData: null,
            _pendingEncoding: '',
            server: undefined,
            _server: null,
            ssl: null,
            _requestCert: true,
            _rejectUnauthorized: true,
            parser: null,
            _httpMessage: [Circular],
            read: [Function],
            _consuming: true,
            _idleNext: null,
            _idlePrev: null,
            _idleTimeout: -1
        },
        connection: TLSSocket {
            _tlsOptions: [Object],
            _secureEstablished: true,
            _securePending: false,
            _newSessionPending: false,
            _controlReleased: true,
            _SNICallback: null,
            servername: null,
            npnProtocol: undefined,
            alpnProtocol: false,
            authorized: true,
            authorizationError: null,
            encrypted: true,
            _events: [Object],
            _eventsCount: 9,
            connecting: false,
            _hadError: false,
            _handle: null,
            _parent: null,
            _host: 'github.com',
            _readableState: [Object],
            readable: false,
            domain: null,
            _maxListeners: undefined,
            _writableState: [Object],
            writable: false,
            allowHalfOpen: false,
            destroyed: true,
            _bytesDispatched: 375,
            _sockname: null,
            _pendingData: null,
            _pendingEncoding: '',
            server: undefined,
            _server: null,
            ssl: null,
            _requestCert: true,
            _rejectUnauthorized: true,
            parser: null,
            _httpMessage: [Circular],
            read: [Function],
            _consuming: true,
            _idleNext: null,
            _idlePrev: null,
            _idleTimeout: -1
        },
        _header: 'POST /login/oauth/access_token HTTP/1.1\r\nAccept: application/json, text/plain, */*\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: axios/0.17.1\r\nContent-Length: 156\r\nHost: github.com\r\nConnection: close\r\n\r\n',
        _headers: {
            accept: 'application/json, text/plain, */*',
            'content-type': 'application/x-www-form-urlencoded',
            'user-agent': 'axios/0.17.1',
            'content-length': 156,
            host: 'github.com'
        },
        _headerNames: {
            accept: 'Accept',
            'content-type': 'Content-Type',
            'user-agent': 'User-Agent',
            'content-length': 'Content-Length',
            host: 'Host'
        },
        _onPendingData: null,
        agent: Agent {
            domain: null,
            _events: [Object],
            _eventsCount: 1,
            _maxListeners: undefined,
            defaultPort: 443,
            protocol: 'https:',
            options: [Object],
            requests: {},
            sockets: [Object],
            freeSockets: {},
            keepAliveMsecs: 1000,
            keepAlive: false,
            maxSockets: Infinity,
            maxFreeSockets: 256,
            maxCachedSessions: 100,
            _sessionCache: [Object]
        },
        socketPath: undefined,
        timeout: undefined,
        method: 'POST',
        path: '/login/oauth/access_token',
        _ended: true,
        _redirectable: Writable {
            _writableState: [Object],
            writable: true,
            domain: null,
            _events: [Object],
            _eventsCount: 2,
            _maxListeners: undefined,
            _options: [Object],
            _redirectCount: 0,
            _requestBodyLength: 156,
            _requestBodyBuffers: [],
            _onNativeResponse: [Function],
            _currentRequest: [Circular],
            _currentUrl: 'https://github.com/login/oauth/access_token'
        },
        parser: null,
        res: IncomingMessage {
            _readableState: [Object],
            readable: false,
            domain: null,
            _events: [Object],
            _eventsCount: 3,
            _maxListeners: undefined,
            socket: [Object],
            connection: [Object],
            httpVersionMajor: 1,
            httpVersionMinor: 1,
            httpVersion: '1.1',
            complete: true,
            headers: [Object],
            rawHeaders: [Object],
            trailers: {},
            rawTrailers: [],
            upgrade: false,
            url: '',
            method: null,
            statusCode: 200,
            statusMessage: 'OK',
            client: [Object],
            _consuming: true,
            _dumped: false,
            req: [Circular],
            responseUrl: 'https://github.com/login/oauth/access_token',
            read: [Function]
        }
    },
    data: 'error=bad_verification_code&error_description=The+code+passed+is+incorrect+or+expired.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-oauth-app-access-token-request-errors%2F%23bad-verification-code'
}

Vad1mo commented 6 years ago

The CALLBACK_PATH was not set to match the redirect. It's kind of confusing, all the redundant settings in the config.json. However, it works now.

payton commented 6 years ago

Thank you for the feedback! I'm glad you were able to get it working.