puppetlabs / vault-plugin-secrets-oauthapp

OAuth 2.0 secrets plugin for HashiCorp Vault supporting a variety of grant types
Apache License 2.0
94 stars 11 forks

`oauth2: server response missing access_token` for the GitHub provider #4

Closed grahamc closed 3 years ago

grahamc commented 4 years ago

Describe the Bug

Following the authorization flow and creating a permanent credential fails.

Steps to Reproduce

Steps to reproduce the behavior:

  1. vault write oauth2/github/config -provider=github client_id=your-client-id client_secret=your-client-secret
  2. vault write oauth2/github/config/auth_code_url state=$(uuidgen) scopes=repo,gist
  3. click the URL and allow: https://github.com/login/oauth/authorize?client_id=your-client-id&response_type=code&scope=repo+gist&state=f0c07f6e-0e6f-4e71-82dc-ce5684c617d0
  4. Copy the code from https://xxxxx/github-callback?code=my-code-here&state=f0c07f6e-0e6f-4e71-82dc-ce5684c617d0
  5. Register my account with vault: vault write oauth2/github/creds/grahamc-repo-gist code=my-code-here

then get:

Error writing data to oauth2/github/creds/grahamc-repo-gist: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/oauth2/github/creds/grahamc-repo-gist
Code: 500. Errors:

* 1 error occurred:
    * oauth2: server response missing access_token

Environment

Vault 1.3.2, oauthapp v1.1.1 on NixOS 20.03

Additional Context

Just following the initial readme steps.

impl commented 4 years ago

Hi there,

Sorry for not replying to this sooner! I don't think I have the watching on issues set up correctly on my side. :crying_cat_face:

One thing I noticed in your initial configuration that I'm not sure about:

$ vault write oauth2/github/config -provider=github client_id=your-client-id client_secret=your-client-secret

I notice you have a - before the provider here that shouldn't be present. In my testing this results in an error (missing provider), but if it's working for you, it might be configuring it in a way that prevents the plugin from accessing the GitHub API.

Another thought is that you may have a corporate proxy that's rewriting the response in a way the plugin can't consume. If that is the case, we may need to add explicit support for forward proxies. In any case, some additional clarity on your environment would be helpful.

If neither of those is the problem, we may need to work on getting a debugging mode enabled that spits out the entire API response from the provider. I'll try to fit that in the next week or two of work over here.

Thanks for your report!

impl commented 3 years ago

Hey @grahamc,

I've been unable to reproduce this, but I'm wondering if this error might be the same as https://github.com/argoproj/argo-cd/issues/3149? Are you potentially echoing the secret with a newline in it into the plugin configuration?

I'm going to go ahead and close this ticket, but feel free to reopen if you'd like to work through it with us further.

Thanks!
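To illustrate the two things discussed in this thread, here is an added Go example (not code from the plugin or from either commenter): GitHub's token endpoint reports failures such as bad client credentials inside the form-encoded body rather than only via the HTTP status, so a client that only looks for `access_token` surfaces the generic "server response missing access_token" message; parsing the `error` field makes the real cause visible, and a pre-flight check catches the trailing-newline secret suggested as the cause. The response bodies below are constructed sample inputs.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// TokenResult summarises the fields of a GitHub token-endpoint body.
type TokenResult struct {
	AccessToken string
	Err         string // value of the "error" field, if any
	ErrDesc     string // value of the "error_description" field, if any
}

// ParseGitHubTokenBody parses GitHub's form-encoded token response. When
// access_token is absent it prefers the provider's own error field over the
// generic "missing access_token" message, so a misconfigured secret is
// reported as what it is.
func ParseGitHubTokenBody(body string) (TokenResult, error) {
	vals, err := url.ParseQuery(body)
	if err != nil {
		return TokenResult{}, err
	}
	r := TokenResult{
		AccessToken: vals.Get("access_token"),
		Err:         vals.Get("error"),
		ErrDesc:     vals.Get("error_description"),
	}
	if r.AccessToken != "" {
		return r, nil
	}
	if r.Err != "" {
		return r, fmt.Errorf("oauth2: provider returned error %q: %s", r.Err, r.ErrDesc)
	}
	return r, errors.New("oauth2: server response missing access_token")
}

// CheckClientSecret rejects a secret carrying the stray newline (or other
// surrounding whitespace) that shell redirection like `echo` tends to add.
func CheckClientSecret(secret string) error {
	if secret == "" {
		return errors.New("client_secret is empty")
	}
	if strings.TrimSpace(secret) != secret {
		return errors.New("client_secret has leading/trailing whitespace or newline; use printf or echo -n")
	}
	return nil
}

func main() {
	// Constructed failure body: GitHub's response to wrong client credentials.
	_, err := ParseGitHubTokenBody("error=incorrect_client_credentials&error_description=The+client_id+and%2For+client_secret+passed+are+incorrect.")
	fmt.Println(err)
	fmt.Println(CheckClientSecret("example-secret\n"))
}
```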