esi / esi-issues

Issue tracking and feature requests for ESI
https://esi.evetech.net/

Authorization failure when token is too long #1089

Open BitSec01 opened 5 years ago

BitSec01 commented 5 years ago

Bug

Make your application request an access token using all scopes currently available and then use that token on any endpoint.

Make sure you are logged in to https://login.eveonline.com beforehand.

Request

First authorize yourself using SSOv2 and ALL scopes available. Then make a request to any endpoint using the token you got.

Response

{ "error": "authentication failure" }

Workaround

Just don't request all scopes. It is highly unlikely that you would need them all.

Expected

The output of the endpoint you are sending your request to.


jowrjowr commented 5 years ago

SSO bug.

pls refile here: https://github.com/ccpgames/sso-issues

lukasni commented 5 years ago

Reopening since it seems to be an error specifically with using an SSO token on ESI.

Summarizing a discussion from Slack to add relevant info:

Simple and effective workaround: Don't request tokens with all scopes.

Blacksmoke16 commented 5 years ago

GESI requests all scopes and I haven't heard of anyone having this issue. Using the V2 SSO stuff tho.

lukasni commented 5 years ago

GESI requests all scopes and I haven't heard of anyone having this issue. Using the V2 SSO stuff tho.

@RamonRobben is also using V2, otherwise the scope list wouldn't affect the token length anyways. Is GESI requesting publicData and esi-corporations.read_outposts.v1, too? Guessing you might not be requesting those since they are pointless.

BitSec01 commented 5 years ago

Then the issue seems easy to fix. Just remove publicData and esi-corporations.read_outposts.v1 from the scope list.

P.S. By removing it from the scope list I mean whoever is developing this API should remove them from even being an option to select for your application.

Blacksmoke16 commented 5 years ago

I just looked. Yea, those are the only 2 it's not requesting since they're not used on any route. So that would prob be why this error doesn't happen.

But yea, prob can be removed from the dev app UI at this point.

lukasni commented 5 years ago

publicData does have a reason to exist and can't be removed. There's just no point in including it if you have any other scopes. It exists so people can get a refresh token for character verification without requesting any private scopes.

ghost commented 5 years ago

The outpost scope should def be gone though, that's an oversight. It doesn't solve the underlying problem with token length though.

GENiALi commented 5 years ago

I have the same problem. Everything works fine with fewer scopes, but not with all scopes. EVE SSO/ESI verify with Angular/TypeScript

lukasni commented 5 years ago

@GENiALi same recommendation for you until this gets fixed, don't request the publicData and esi-corporations.read_outposts.v1 scopes since they don't serve any purpose in your request.

ghost commented 5 years ago

I've hidden the read_outposts and write_structures scopes because they're no longer used. At some point in the future, probably about 9 months from now, I'll for-reals delete them.

I'll put a blog out about it in a few weeks once I've spoken to the SSO guys and know exactly what the plan is, but in the meantime if you guys wanna get out ahead of this, stop adding those scopes to your login URLs now and the transition should be seamless for you.

This doesn't solve the underlying problem of a token length limit, just a bit of cleanup.

akazakou commented 3 years ago

Confirming that this is still an issue.

CarbonAlabel commented 3 years ago

Updated list of useless scopes:

mateuszkrasucki commented 3 years ago

Internal issues: EO-13248, EO-13249

Blacksmoke16 commented 3 years ago

https://github.com/ccpgames/sso-issues/issues/63 might be related.

noxamos commented 2 years ago

The issue is still happening as of today. This post just saved me after hours of work trying to figure out what was wrong.

Rakdos8 commented 2 years ago

All of my tokens went invalid today with the error message: authentication failure. Starting at 2021-12-30 11:08:19 and continuing to 2021-12-30 11:47:15 (UTC), and probably beyond.

sergey-program commented 2 years ago

Confirming that this is still an issue.

clanofartisans commented 1 year ago

I'm running into this issue as well.

zboyet commented 1 year ago

Wasted a good chunk of time figuring out what was going on until I stumbled upon this.

antihax commented 1 year ago

For all running into this issue, see the workaround. You should only request the scopes you need and not everything and the kitchen sink. You can always expand later as you add features.

kwladyka commented 9 months ago

The bug still exists.

wfjsw commented 1 month ago

This happens again. Could CCP please stop putting more things into the token without fixing this issue? I'm getting close to the point where there is no spare scope for me to remove.

Dusty-Meg commented 1 month ago

Don't request all scopes in one token. A lot of the scopes are barely used and can just be split out to multiple tokens.

guiguilechat commented 1 month ago

Yeah, you should only request the scopes you are likely to use. Even when requesting all the usable scopes there is no problem AFAIK.

wfjsw commented 1 month ago

Yeah, you should only request the scopes you are likely to use.

I generally use all of them, in batches.

Even when requesting all the usable scopes there is no problem AFAIK.

I figured out it works in most cases, but not in the cases where the character length is excessively long.

I do agree it should be split into multiple tokens, but the current architecture limits me from doing so.

guiguilechat commented 1 month ago

I have several "dev keys" which are basically the same, but with different scopes. When a batch needs a key, it resolves the existing keys for that user with the required scope. This allows users to only provide the scopes they agree to.
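The thread's two practical recommendations, prune the scopes that serve no purpose (publicData alongside other scopes, and the retired esi-corporations.read_outposts.v1) and split a large scope set across several narrower tokens that are resolved per required scope, can be expressed as a small helper module. The code below is an added example written for this page, not code from any of the commenters or from the ESI/SSO projects. The scope names beyond the two the thread names are illustrative samples, the token identifiers are constructed placeholders, and the batch size is an assumed tuning parameter rather than any documented SSO limit.

```python
"""Scope pruning and per-token scope batching for EVE SSO tokens (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# From the thread: the outpost scope is retired, and publicData only matters
# when it is the *only* scope (used to obtain a refresh token for character
# verification without any private scopes).
RETIRED_SCOPES = frozenset({"esi-corporations.read_outposts.v1"})
VERIFY_ONLY_SCOPE = "publicData"


def prune_scopes(requested: Iterable[str]) -> List[str]:
    """Drop retired scopes, and drop publicData when any other scope is present."""
    # dict.fromkeys de-duplicates while preserving the caller's order
    wanted = [s for s in dict.fromkeys(requested) if s not in RETIRED_SCOPES]
    if len(wanted) > 1 and VERIFY_ONLY_SCOPE in wanted:
        wanted.remove(VERIFY_ONLY_SCOPE)
    return wanted


def partition_scopes(scopes: Iterable[str], max_per_token: int) -> List[List[str]]:
    """Split a scope set into batches so no single token carries more than max_per_token scopes.

    max_per_token is an assumed application-side cap; the thread reports no
    documented limit, only that very long tokens fail authentication.
    """
    if max_per_token < 1:
        raise ValueError("max_per_token must be >= 1")
    ordered = sorted(set(scopes))  # sorted so batches are deterministic across runs
    return [ordered[i:i + max_per_token] for i in range(0, len(ordered), max_per_token)]


@dataclass
class TokenRecord:
    token_id: str          # opaque handle to a stored refresh token (constructed placeholder)
    scopes: frozenset


@dataclass
class TokenStore:
    """Per-character registry of tokens, each granted a subset of the scopes."""
    _by_character: Dict[int, List[TokenRecord]] = field(default_factory=dict)

    def add(self, character_id: int, token_id: str, scopes: Iterable[str]) -> None:
        record = TokenRecord(token_id, frozenset(scopes))
        self._by_character.setdefault(character_id, []).append(record)

    def resolve(self, character_id: int, required: Iterable[str]) -> Optional[str]:
        """Return the id of a token covering every required scope, or None.

        Among matching tokens the one with the fewest scopes wins, so a call
        never uses a broader token than it needs (least privilege).
        """
        need = frozenset(required)
        candidates = [r for r in self._by_character.get(character_id, [])
                      if need <= r.scopes]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (len(r.scopes), r.token_id)).token_id


if __name__ == "__main__":
    # Illustrative scope list; the two names from the thread plus a few real ESI scopes.
    requested = [
        "publicData",
        "esi-corporations.read_outposts.v1",
        "esi-wallet.read_character_wallet.v1",
        "esi-assets.read_assets.v1",
        "esi-skills.read_skills.v1",
    ]
    pruned = prune_scopes(requested)
    print("pruned:", pruned)
    for batch in partition_scopes(pruned, max_per_token=2):
        print("batch:", batch)

    store = TokenStore()
    store.add(90000001, "tok-wallet-assets", pruned[:2])
    store.add(90000001, "tok-assets", pruned[1:2])
    print("resolved:", store.resolve(90000001, ["esi-assets.read_assets.v1"]))
```

Each batch from partition_scopes becomes its own authorization request and its own stored refresh token; TokenStore.resolve then picks the narrowest token that covers what a given ESI call actually needs, which is the "resolve the existing keys for that user with the required scope" step described in the comment above.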