Closed jgaehring closed 2 years ago
Maybe you already tried this, but I wonder if it's related to this change?
https://github.com/farmOS/farmOS/commit/a86166d
We explicitly set the redirect URI for the `farm_client` OAuth client to `https://farmOS.app` (not sure if the capital OS matters?)
I see in the error message it says (emphasis mine):
The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
Ah actually, that commit was July 22nd, but you opened this originally on June 30th, so maybe they are unrelated. Still... might want to check the redirect URI in Field Kit to make sure that's set up properly, otherwise it might lead to another issue anyway.
Hmm, I saw that message too and did wonder about the redirection URI. Although I don't think we send that URI from FK, with the password authorization flow we use.
I'll have to look into this further next week. Right now I'm wrapping up #454, which is a huge chunk towards finishing the alpha release! It will also allow me to commit my first (mostly) working version of FK in a while, so we can actually try to reproduce this on other machines, which seems key. :crossed_fingers:
Cross-linking this issue with farmOS/farmOS.js#35, since that issue is also concerned with OAuth, and will also require some of @paul121's counsel.
It will be interesting to see if this issue persists in the dev deployments (#468).
Also, going over old issues, but would it make sense to consider #435 along with the other OAuth stuff here?
So one potential issue here could be if we're trying to perform the `refresh_token` grant as the Drupal admin user (user id = 1). I've opened an issue for that: https://www.drupal.org/project/farm/issues/3241690 But after chatting a bit with @jgaehring it seems like this was happening for "normal" users as well.
So I pulled the latest farmOS-client 2.0.0-alpha.1 into my local and took a peek at all this in my debugger. What's interesting is that the server is not seeing any of the body payload for the `refresh_token` grant, so it defaults to the `implicit` grant type (which we have disabled). This logic here: https://git.drupalcode.org/project/simple_oauth/-/blob/5.x/src/Controller/Oauth2Token.php#L45.
The `password` grant goes through fine though. It seems like the difference is the `Content-Type` header.
The initial `password` grant is sent as a `Content-Type: 'application/www-form-urlencoded'`: https://github.com/farmOS/farmOS.js/blob/3f0a27a42e7d2f79eb542151cdea77b4133076f7/src/connect/oauth.js#L177
But the `refresh_token` grant is sent as `Content-Type: 'application/json'`: https://github.com/farmOS/farmOS.js/blob/3f0a27a42e7d2f79eb542151cdea77b4133076f7/src/connect/oauth.js#L62
Does it seem like this could be the issue? Have to run, but I think the next step would be to try manually crafting the `refresh_token` grant as a `www/form-urlencoded` from the browser and see if that works!
Oh this sounds very plausible!
The request to refresh the token is already setting the `Content-Type` explicitly, so I think it would be a cinch to change that in the header. The only other consideration then is the request body. We can't just send it as JSON, but it should be easy enough to send as an instance of `URLSearchParams`, which it seems, if I read the axios docs correctly, will automatically set the `Content-Type` for us. So instead of all those `refreshOpts` we're passing as the second argument to `axios()` currently, we just pass the params to `axios.post()` like such:
```js
import axios from 'axios';

// URLSearchParams serialises as application/x-www-form-urlencoded,
// and axios sets the matching Content-Type header for it.
const refreshParams = new URLSearchParams();
refreshParams.append('grant_type', 'refresh_token');
refreshParams.append('client_id', clientId);
refreshParams.append('refresh_token', token);
axios.post(accessTokenUri, refreshParams);
```
No headers required! Just need to test it out and make sure it works.
Just pushed a WIP commit with these changes, but still haven't tested: jgaehring/farmOS.js@5ef1f2e.
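The diagnosis in the comments above (a JSON-encoded `refresh_token` grant whose body the token endpoint never parses, so the grant type falls back to the disabled `implicit` grant) and the `URLSearchParams` fix can be reproduced offline without a farmOS server. The following is an added example, not farmOS.js or simple_oauth code: `buildRefreshBody` builds the request the way the fix does, `buildRefreshBodyJson` builds it the way it was sent before, and `tokenEndpoint` is a simplified stand-in (an assumption, not the real Drupal controller) that only reads form-encoded bodies and defaults a missing `grant_type` to `implicit`. The client id and token values are constructed sample data.

```javascript
// Added example: why a JSON body for the refresh_token grant is invisible to a
// token endpoint that only parses application/x-www-form-urlencoded bodies.
// Not farmOS.js or simple_oauth code; the server model below is a simplification.

// Request body as built by the fix in the thread: URLSearchParams serialises
// to application/x-www-form-urlencoded, which the endpoint can read.
function buildRefreshBody(clientId, refreshToken) {
  const params = new URLSearchParams();
  params.append('grant_type', 'refresh_token');
  params.append('client_id', clientId);
  params.append('refresh_token', refreshToken);
  return { contentType: 'application/x-www-form-urlencoded', body: params.toString() };
}

// Request body as farmOS.js sent it before the fix: the same fields, JSON-encoded.
function buildRefreshBodyJson(clientId, refreshToken) {
  return {
    contentType: 'application/json',
    body: JSON.stringify({
      grant_type: 'refresh_token',
      client_id: clientId,
      refresh_token: refreshToken,
    }),
  };
}

// Simplified token endpoint (assumption, modelled on the thread's description):
// only form-encoded bodies are decoded into parameters, and when grant_type is
// absent the grant defaults to 'implicit', which is not enabled.
const ENABLED_GRANTS = new Set(['password', 'refresh_token']);

function tokenEndpoint(request) {
  const params = {};
  if (request.contentType === 'application/x-www-form-urlencoded') {
    for (const [key, value] of new URLSearchParams(request.body)) {
      params[key] = value;
    }
  }
  // A JSON body leaves params empty, so grant_type is undefined here.
  const grantType = params.grant_type || 'implicit';
  if (!ENABLED_GRANTS.has(grantType)) {
    return { status: 400, error: 'unsupported_grant_type', grantType };
  }
  if (grantType === 'refresh_token' && !params.refresh_token) {
    return { status: 400, error: 'invalid_grant', grantType };
  }
  return { status: 200, grantType, refreshed: params.refresh_token };
}

// Constructed sample values, not real credentials.
const SAMPLE_CLIENT_ID = 'farm_client';
const SAMPLE_REFRESH_TOKEN = 'sample-refresh-token';

console.log('form-encoded:', tokenEndpoint(buildRefreshBody(SAMPLE_CLIENT_ID, SAMPLE_REFRESH_TOKEN)));
console.log('json:', tokenEndpoint(buildRefreshBodyJson(SAMPLE_CLIENT_ID, SAMPLE_REFRESH_TOKEN)));
```

Run with `node` and compare the two results: the form-encoded request is recognised as a `refresh_token` grant, while the JSON request is rejected as an `implicit` grant because none of its fields were ever decoded. The point for a client library is that the grant parameters and the `Content-Type` header must agree with what the token endpoint actually parses; matching the header alone, without changing the body encoding, would not have been enough.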
Resolved by jgaehring/farmOS.js@f63d062.
When the OAuth `access_token` expires and Field Kit (via farmOS.js) tries to refresh the token, it fails (full error response further below). I think this is probably a server issue, but I wanted to put some notes here for future reference and as a reminder to follow-up when we're closer to a beta for FK 2.x. @paul121 and I did a little troubleshooting today but couldn't zero in on the issue, in part because he couldn't reproduce the same error on his machine to debug. I've got a lot of unstaged changes still locally so we probably need to wait til those are committed before pursuing again.
Next Steps

- `develop` branch
- `farm_client` settings are the same

JSON Dump
Copy and pasting some JSON from requests/responses to and from `/oauth/token`: