XeroAPI / xoauth

A CLI tool for obtaining JWTs from OpenID Connect providers
MIT License

oidc Error: state parameters don't match #27

Open jacobg opened 3 years ago

jacobg commented 3 years ago

These are the saved settings:

Authority: "https://identity.xero.com"
Client id: "<REDACTED>"
Grant type: "authorization_code"
Scopes: "openid, offline_access, accounting.transactions, accounting.contacts"

When I run xoauth connect, the command line shows this error: oidc Error: state parameters don't match

And the browser window that opened says:

Sorry, something went wrong
Error code: 500
Error: unauthorized_client : Invalid redirect_uri

jacobg commented 3 years ago

Resolved:

👉 Remember: make sure you've added http://localhost:8080/callback as a redirect_uri in your identity provider's portal

igorclark commented 2 years ago

Hi there,

I'm trying to create a new Xero web app and use this tool to initially authorize it, which worked great in the past (i.e. a year or more ago).

Now I'm just getting this error. Most times it happens as soon as I run xoauth connect <app>: it prints Opening browser window, the login screen comes up, but it says oidc Error: state parameters don't match before the browser can even load the login page.

Sometimes it manages to open the browser without failing and then waits for 5 or even more seconds, but then just bombs out with that error, regardless of whether I've started trying to log in or not. It says nothing about invalid redirect_uri or anything else; it just dies.

[igor@igors-mac-mini ~ 59599]$ xoauth setup <app>
? What's the Authority? https://identity.xero.com
? What's your client_id? <client_id>
? Select Grant Type: authorization_code
? What's your client_secret? ************************************************
Enter scopes (type `d` to finish)
Scopes are [openid offline_access]
? Add scope (`d` when done) accounting.transactions
Scopes are [openid offline_access accounting.transactions]
? Add scope (`d` when done) accounting.contacts
Scopes are [openid offline_access accounting.transactions accounting.contacts]
? Add scope (`d` when done) accounting.settings
Scopes are [openid offline_access accounting.transactions accounting.contacts accounting.settings]
? Add scope (`d` when done) d
✅ Saved settings for "<app>"

Authority: "https://identity.xero.com"
Client id: "<client_id>"
Grant type: "authorization_code"
Scopes: "openid, offline_access, accounting.transactions, accounting.contacts, accounting.settings"

👉 Remember: make sure you've added http://localhost:8080/callback as a redirect_uri in your identity provider's portal

[igor@igors-mac-mini ~ 59600]$ xoauth connect <app>
Requesting OIDC metadata from https://identity.xero.com/.well-known/openid-configuration
Received OIDC metadata for authority: https://identity.xero.com
Opening browser window
oidc Error: state parameters don't match

[igor@igors-mac-mini ~ 59601]$ xoauth connect <app>
Requesting OIDC metadata from https://identity.xero.com/.well-known/openid-configuration
Received OIDC metadata for authority: https://identity.xero.com
Opening browser window
oidc Error: state parameters don't match

[igor@igors-mac-mini ~ 59602]$ time xoauth connect <app>
Requesting OIDC metadata from https://identity.xero.com/.well-known/openid-configuration
Received OIDC metadata for authority: https://identity.xero.com
Opening browser window
oidc Error: state parameters don't match

real    0m3.258s
user    0m0.110s
sys     0m0.117s
[igor@igors-mac-mini ~ 59603]$ time xoauth connect <app>
Requesting OIDC metadata from https://identity.xero.com/.well-known/openid-configuration
Received OIDC metadata for authority: https://identity.xero.com
Opening browser window
oidc Error: state parameters don't match

real    0m9.720s
user    0m0.110s
sys     0m0.118s

Any ideas what's happening, or any workarounds? I'm on macOS 10.15.7, still on Catalina, i.e. the same as I was on when it worked last year, apart from some security updates. I've tried deleting and re-creating the Xero app 4 times with no effect.

Kinda stuck without this! Thanks 👍
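The two failures reported in this thread are the two checks an authorization-code client makes around the redirect: the provider refuses an authorization request whose redirect_uri is not registered for the client (the browser-side unauthorized_client / Invalid redirect_uri), and the client refuses any hit on its callback whose state is absent or differs from the value it generated for this run (the CLI-side state parameters don't match). The Go program below is an added example written for this page, not xoauth's own code. It assumes a constant authorization endpoint (a real client reads authorization_endpoint from the discovery document the CLI fetches at /.well-known/openid-configuration) and a hypothetical <client_id>, and it listens on the same http://localhost:8080/callback the tool's reminder tells you to register.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/url"
	"strings"
)

// The callback the tool tells you to register; it must match byte for byte.
const redirectURI = "http://localhost:8080/callback"

// Assumed for the example: a real client takes this from the
// authorization_endpoint field of /.well-known/openid-configuration.
const authorizeEndpoint = "https://identity.xero.com/connect/authorize"

// ErrStateMismatch is the condition the CLI prints as
// "oidc Error: state parameters don't match".
var ErrStateMismatch = errors.New("oidc: state parameters don't match")

// NewState returns 32 random bytes, base64url-encoded: unguessable, single-use.
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthorizeURL builds the request the browser is sent to. If redirect_uri is not
// registered, the provider answers unauthorized_client / Invalid redirect_uri.
func AuthorizeURL(clientID, state string, scopes []string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	return authorizeEndpoint + "?" + q.Encode()
}

// CheckCallback validates the query string of a hit on /callback: provider errors
// are surfaced, and a missing or different state is rejected before the code is
// trusted (the binding that defeats CSRF and code injection).
func CheckCallback(expectedState string, q url.Values) (string, error) {
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("provider error %s: %s", e, q.Get("error_description"))
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", ErrStateMismatch
	}
	if q.Get("code") == "" {
		return "", errors.New("callback carried no authorization code")
	}
	return q.Get("code"), nil
}

type CallbackResult struct {
	Code string
	Err  error
}

// CallbackHandler is the localhost listener. A request whose state is absent or
// different (stale tab from an earlier run, anything else hitting the port)
// produces ErrStateMismatch; a result already waiting in the channel is kept.
func CallbackHandler(expectedState string, result chan<- CallbackResult) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		code, err := CheckCallback(expectedState, r.URL.Query())
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
		} else {
			fmt.Fprintln(w, "Login complete; you can close this window.")
		}
		select {
		case result <- CallbackResult{Code: code, Err: err}:
		default: // channel already holds a result: drop the extra hit
		}
	}
}

func main() {
	state, err := NewState()
	if err != nil {
		log.Fatal(err)
	}
	result := make(chan CallbackResult, 1)
	http.Handle("/callback", CallbackHandler(state, result))
	go func() { log.Fatal(http.ListenAndServe("localhost:8080", nil)) }()
	fmt.Println("Open in a browser:", AuthorizeURL("<client_id>", state, []string{"openid", "offline_access"}))
	if r := <-result; r.Err != nil {
		log.Fatal(r.Err)
	}
	fmt.Println("authorization code received; next is the token endpoint exchange")
}
```

Run it, open the printed URL, and the listener accepts exactly one callback carrying the state it generated; a hit with no state or a different one gets HTTP 400 and the same mismatch message the thread reports. The comparison is constant-time and the state is 256 bits from crypto/rand, so the only way to satisfy the check is to have been redirected by the provider from this run's own authorization request.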