Closed rfernand closed 11 years ago
It says 'Invalid credentials'. When you switched to production mode, I guess your database would have changed too. I don't see a log for the access token request in the provider log. That probably means that you have registered a client with the provider but not updated the secret in your client configuration.
Can you check?
After the authorize request /admin/auth/admin/authorize call, omniauth sends a token request. Something like this (taken from my log file)
Started POST "/oauth/token" for 127.0.0.1 at 2011-12-05 17:51:16 +0530
Processing by AuthController#access_token as */*
Parameters: {"grant_type"=>"authorization_code", "code"=>"a791438a832aacb118f2b78278adc231", "client_id"=>"YE0NYveQGoFsNLX220Dy5g", "client_secret"=>"aqpGBedDnHFyp5MmgT8KErr9D015ScmaY8r3vHg5C0", "redirect_uri"=>"http://localhost:3001/auth/joshid/callback"}
This means that the client_secret is not configured properly.
Thanks for the early reply!
As you say, it is missing the POST after the authorize request. The thing is that I already added the Client with the corresponding app id and secret to the provider DB, and do not find more differences between my local app and the one on the server (they are in the same git repo). I tested my local client with the remote provider and had the same problem as the one on the server.
I will try to find why the provider is refusing the client credentials.
I also noticed that when you have not registered the client in the provider app, the error message is:
In the provider:
Started GET "/auth/admin/authorize?response_type=code&client_id=testing&redirect_uri=http%3A%2F%2Flocalhost%3A3001%2Fauth%2Fadmin%2Fcallback" for 127.0.0.1 at 2012-04-26 11:16:38 -0300
Processing by AuthController#authorize as HTML
Parameters: {"response_type"=>"code", "client_id"=>"testing", "redirect_uri"=>"http://localhost:3001/auth/admin/callback"}
User Load (0.8ms) SELECT `users`.* FROM `users` WHERE `users`.`id` = 1 LIMIT 1
SQL (0.7ms) DELETE FROM `access_grants` WHERE (created_at < '2012-04-23 14:16:38')
Client Load (0.5ms) SELECT `clients`.* FROM `clients` WHERE `clients`.`app_id` = 'testing' LIMIT 1
(0.2ms) BEGIN
SQL (0.6ms) INSERT INTO `access_grants` (`access_token`, `access_token_expires_at`, `client_id`, `code`, `created_at`, `refresh_token`, `updated_at`, `user_id`) VALUES ('9a3ab6ee3a47f53545d8effc56a58f38', NULL, NULL, '8baa3cc9017af5cf17183dd5fb79c736', '2012-04-26 14:16:38', '5882cf35c804797ad3d021458b9897a5', '2012-04-26 14:16:38', 1)
(87.1ms) COMMIT
Redirected to http://localhost:3001/auth/admin/callback?code=8baa3cc9017af5cf17183dd5fb79c736&response_type=code
Completed 302 Found in 532ms
Started POST "/oauth/token" for 127.0.0.1 at 2012-04-26 11:16:38 -0300
Processing by AuthController#access_token as */*
Parameters: {"grant_type"=>"authorization_code", "code"=>"8baa3cc9017af5cf17183dd5fb79c736", "client_id"=>"testing", "client_secret"=>"testing", "redirect_uri"=>"http://localhost:3001/auth/admin/callback"}
Client Load (0.6ms) SELECT `clients`.* FROM `clients` WHERE (app_id = 'testing' AND app_secret = 'testing') LIMIT 1
Completed 200 OK in 16ms (Views: 6.5ms | ActiveRecord: 2.1ms)
And in the client:
Started GET "/auth/admin" for 127.0.0.1 at 2012-04-26 11:16:27 -0300
(admin) Callback phase initiated.
(admin) Authentication failure! invalid_credentials: OAuth2::Error, Could not find application:
{"error":"Could not find application"}
Started GET "/auth/admin/callback?code=8baa3cc9017af5cf17183dd5fb79c736&response_type=code" for 127.0.0.1 at 2012-04-26 11:16:38 -0300
OAuth2::Error (Could not find application:
{"error":"Could not find application"}):
So I think that provider app has another problem that is causing OAuth to miss the "POST" part.
Ok, I noticed that when my local app tries to authenticate with the server provider it gets:
Authentication failure! invalid_credentials: OAuth2::Error
Seems like OAuth2 is having some problems, maybe like the one mentioned in https://groups.google.com/forum/#!msg/oauth2-dev/tRZoAC_9ZKY/m69MPzO3eJAJ ?
UPDATE: Forget this lead, the redirect was not working in the local app. I tried again using the server provider and server client and the problem persists after re-doing the apps.
Not sure if this is related, as this is during refresh tokens, not authentication.
The most common mistake I have made when trying this again is registering the client but not updating the configuration consumer secret :) Is it possible to share the code, so that I can test it out?
Sadly, I cannot share the code. I asked a teammate to test it by himself, and it worked locally for him too. We will have to check the production environment that we are deploying, and check what is happening there. So, if the Omniauth gem is the one responsible for sending the Token, we just have to check it and see what is happening.
Thanks for everything! I will keep this in check for new updates.
It seems that I am not the only one, here are two more that used this implementation and had the same "invalid_credentials" problem:
http://groups.google.com/group/omniauth/browse_thread/thread/27d28e2f0c126314#
http://groups.google.com/group/omniauth/browse_thread/thread/b56ca34b65dfa8f4
I emailed Matt hoping that he has some other lead to follow.
Greetings,
Well, I cornered the problem to one line (in the oauth client):
in "build_access_token" in omniauth/strategies/oauth2.rb (omniauth-oauth2 gem):
client.auth_code.get_token(verifier, {:redirect_uri => callback_url}.merge(token_params.to_hash(:symbolize_keys => true)))
In the server that method triggers an ::OAuth2::Error exception.
And we can find that method in the oauth2 gem (lib/oauth2/client.rb):
    # Initializes an AccessToken by making a request to the token endpoint
    #
    # @param [Hash] params a Hash of params for the token endpoint
    # @param [Hash] access token options, to pass to the AccessToken object
    # @return [AccessToken] the initialized AccessToken
    def get_token(params, access_token_opts={})
      opts = {:raise_errors => options[:raise_errors], :parse => params.delete(:parse)}
      if options[:token_method] == :post
        headers = params.delete(:headers)
        opts[:body] = params
        opts[:headers] = {'Content-Type' => 'application/x-www-form-urlencoded'}
        opts[:headers].merge!(headers) if headers
      else
        opts[:params] = params
      end
      response = request(options[:token_method], token_url, opts)
      raise Error.new(response) if options[:raise_errors] && !(response.parsed.is_a?(Hash) && response.parsed['access_token'])
      AccessToken.from_hash(self, response.parsed.merge(access_token_opts))
    end
UPDATE: OAuth2 seems to give a 404 error:
OmniAuth Error (invalid_credentials): #<OAuth2::Error: <!DOCTYPE html>
<html>
<head>
<title>The page you were looking for doesn't exist (404)</title>
<style type="text/css">
body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
div.dialog {
width: 25em;
padding: 0 4em;
margin: 4em auto 0 auto;
border: 1px solid #ccc;
border-right-color: #999;
border-bottom-color: #999;
}
h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
</style>
</head>
<body>
<!-- This file lives in public/404.html -->
<div class="dialog">
<h1>The page you were looking for doesn't exist.</h1>
<p>You may have mistyped the address or the page may have moved.</p>
</div>
</body>
</html>
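Added example, not part of the original thread and not code from omniauth or oauth2: the logs above show the same `invalid_credentials` label for a JSON error from the provider and for an HTML 404 page, so this sketch separates those cases from the raw token-endpoint response. The helper name and the sample responses are constructed for illustration.

```ruby
require 'json'

# Hypothetical triage helper (not part of omniauth or oauth2). Input is the
# raw token-endpoint response: HTTP status, Content-Type header and body.
def classify_token_response(status, content_type, body)
  parsed = begin
    JSON.parse(body)
  rescue JSON::ParserError
    nil # HTML error pages and empty bodies are not JSON
  end

  if parsed.is_a?(Hash) && parsed['access_token']
    [:token_issued, 'provider returned an access token']
  elsif parsed.is_a?(Hash) && parsed['error']
    # The provider was reached and refused the request, for example an
    # unregistered client or a client_secret that does not match.
    [:provider_rejected, "provider answered: #{parsed['error']}"]
  elsif status == 404 || content_type.to_s.include?('text/html')
    # No OAuth code ran at all: the request hit a URL the provider app
    # does not serve, so look at the token URL, not the credentials.
    [:wrong_endpoint, "HTTP #{status} with a non-JSON body; check the token URL"]
  else
    [:unknown, "HTTP #{status} with an unparseable body"]
  end
end

# Constructed sample responses modelled on the ones quoted in this thread.
SAMPLE_RESPONSES = [
  [200, 'application/json', '{"access_token":"constructed-token"}'],
  [200, 'application/json', '{"error":"Could not find application"}'],
  [404, 'text/html', "<!DOCTYPE html><html><head><title>The page you were " \
                     "looking for doesn't exist (404)</title></head></html>"]
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_RESPONSES.each do |status, type, body|
    kind, detail = classify_token_response(status, type, body)
    puts "#{kind}: #{detail}"
  end
end
```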
Ok, I figured out the source of the problem.
The oauth provider app did not have its own domain, so it was placed in like "http://somepage.com/provider". In that case, some paths of the gems were not well defined, searching in "http://somepage.com/oauth/token" and similar urls.
We solved the problem by creating a subdomain for the provider app.
Also, I managed to fix the missing Started POST "/oauth/token" by adding all the paths that I found on the internet that could be configured for the oauth client:
In lib/provider.rb:
    option :client_options, {
      :site => ::CUSTOM_PROVIDER_URL,
      :authorize_url => "#{::CUSTOM_PROVIDER_URL}/auth/admin/authorize",
      :authorize_path => '/auth/admin/authorize',
      :access_token_url => "#{::CUSTOM_PROVIDER_URL}/auth/admin/access_token",
      :access_token_path => '/auth/admin/access_token',
      :request_token_url => "#{::CUSTOM_PROVIDER_URL}/oauth/token",
      :request_token_path => '/oauth/token',
      :token_url => "#{::CUSTOM_PROVIDER_URL}/oauth/token",
      :token_path => '/oauth/token',
      :ssl => {:ca_path => "/etc/ssl/certs"}
    }
But still got a 404 error from the OAuth2 gem =/.
Thanks for all the help!
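Added example, not part of the original thread and not code from omniauth or oauth2: it uses Ruby's standard `URI` reference resolution to show how a token path with a leading "/" drops the "/provider" mount prefix and lands on "http://somepage.com/oauth/token", the URL reported above. The helper names and the host provider.somepage.com are assumptions made for illustration.

```ruby
require 'uri'

# Hypothetical helper (not part of omniauth or oauth2): resolve a configured
# endpoint against the provider's base URL with RFC 3986 reference
# resolution. A leading "/" replaces the whole path of the base URL.
def resolve_endpoint(site, endpoint)
  base = URI.parse(site)
  # Treat the site as a directory so relative references are appended to it.
  base.path = "#{base.path}/" unless base.path.end_with?('/')
  URI.join(base.to_s, endpoint).to_s
end

# Returns a warning string when the resolved endpoint falls outside the
# provider's mount prefix, or nil when there is no prefix or it is kept.
def prefix_warning(site, endpoint)
  prefix = URI.parse(site).path.chomp('/')
  return nil if prefix.empty?

  resolved = URI.parse(resolve_endpoint(site, endpoint))
  return nil if resolved.path.start_with?("#{prefix}/")

  "#{endpoint.inspect} resolves to #{resolved} and loses #{prefix.inspect}"
end

# Constructed sample configurations: sub-directory deployment with an
# absolute path, the same with a relative path, and a sub-domain deployment.
SAMPLE_SITES = [
  ['http://somepage.com/provider', '/oauth/token'],
  ['http://somepage.com/provider', 'oauth/token'],
  ['http://provider.somepage.com', '/oauth/token']
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_SITES.each do |site, endpoint|
    puts "#{site} + #{endpoint} -> #{resolve_endpoint(site, endpoint)}"
    warning = prefix_warning(site, endpoint)
    puts "  WARNING: #{warning}" if warning
  end
end
```

Running such a check against the deployed `:site` value before going to production catches the sub-directory case without waiting for the 404.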
Rodrigo, Slick! This is a good catch. I think the request_token url is wrong. Shouldn't it be
:request_token_url=> "#{::CUSTOM_PROVIDER_URL}/auth/admin/oauth/token",
:request_token_path => '/auth/admin/oauth/token',
Maybe that's why you are getting the 404? If I have misunderstood, do update the ticket, so it helps others too!
Gautam, the request_token_url and request_token_path variables were fine. The whole system worked out-of-the-box when changing it to a subdomain instead of the subdirectory. Later I am gonna check if the solutions mentioned in 1 works to configure the project ENV correctly.
Greetings!
I implemented a little project configured with localhost in development mode with any problem. But when I tried in production mode on a private server (using, for example, http://somepage.com/admin as provider and http://somepage.com/app as client) it refused to work. It was the same code, just changed the url paths and the environment from development to production (I have Apache + Passenger so it has to be done like that).
The only output that I got in the client app was:
And in the provider: