I see these messege in the UCP logs:
<3>2018-08-24T13:11:05Z ucp-controller-10.3.11.70 /bin/controller[1]: {"level":"error","msg":"unable to authenticate user with refresh token on auth provider: invalid_grant: no such account for refresh token: keyid:0bfd4f0d330d0385e56f1eb59a8d86f9a85f4fe380de53fe89f77b932f9a08b3","time":"2018-08-24T13:11:05Z"}
What is the cause and how to fix it.
thanks
Related
I'm using spring boot with keycloak adapter. I enabled policy enforcement and it works correct. But the problem is the server is returning 403 for expired token and for not providing token also while it should return 401.I need server to return 401 when no token provided or when it's expired. The reason is the adapter when found no token or token expired it creates client-criendentials call with the client I'd and secret of the server to get token then revalidate it for policies which of course return 403. And this should be stopped. Any help
I am able to login with Facebook into my SpringBoot application only if I disable the "Require App Secret" option in the Facebook Developer application configuration.
When the extra (recommended) security check is enabled I get an error
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_user_info_response]
An error occurred while attempting to retrieve the UserInfo Resource: Error details: [UserInfo Uri:
https://graph.facebook.com/me?fields=id,name,email, Error Code: {message=API calls from the server
require an appsecret_proof argument, type=GraphMethodException, code=100, fbtrace_id=xxxx}]
It is evident that Spring Security tries to access Facebook (calling https://graph.facebook.com/me?fields=id,name,email) to retrieve the authenticated user but it fails to pass the extra parameter appsecret_proof.
It is not immediately clear (after digging into SpringSecurity documentation and forums) how I can let Spring add the extra token.
I had a very similar situation - I could not log in to my application using the facebook user account.
First make sure that the given client id and secret id are correct (sometimes it can be confused with your other project). If you are sure that the entered data is okay, I would start by checking the available permits. So open the facebook login plugin panel (you should have a tab on the right side of the screen).
For my case, the following configuration was sufficient:
What's more, check the available permission and features:
public_profile access is required to extract basic information of a user who wants to log in to your website. In addition, it is also worth adding an email request.
Also check the configuration for the facebook client, which allows you to get the user token:
spring:
security:
oauth2:
client:
registration:
facebook:
clientId: your-client-id
clientSecret: your-client-secret
redirectUri: "{baseUrl}/api/oauth2/callback/{registrationId}" # Note that facebook now mandates the use of https redirect URIs, so make sure your app supports https in production
scope:
- email
- public_profile
provider:
facebook:
authorizationUri: https://www.facebook.com/v3.0/dialog/oauth
tokenUri: https://graph.facebook.com/v3.0/oauth/access_token
userInfoUri: https://graph.facebook.com/v3.0/me?fields=id,first_name,middle_name,last_name,name,email
In my case, the above configuration was enough for the user to authorize himself on an external website.
I am learning Oauth grant types.I have observed that refresh token is applicable only for
authorization Code and Resource Owner Password Credential Grant .
My question is why it is applicable only for authorization Code and Resource Owner Password Credential Grant and not for Implicit and client credentials Grant?
Refresh tokens should only be issued to clients that can authenticate themselves when using it.
The authorization code grant is intended to be used by confidential clients (client that can keep a secret). And the use of the refresh token should be authenticated using client credentials.
The resource owner password credentials flow issues a refresh token, so that the client does not have to keep the user's username and password around. It can use the refresh token to get a new access token.
The implicit grant was intended to be used by public clients (who cannot keep a secret). Since they cannot keep a secret, there's no way for these clients to have client credentials used with the refresh grant.
And finally, the client credential flow does not need a refresh token, as it can just use the client credentials to get a new access token when the old one expired.
if you are using v5 you can use https://docs.spring.io/spring/docs/5.0.0.M5_to_5.0.0.RC1/Spring%20Framework%205.0.0.RC1/org/springframework/web/cors/CorsConfiguration.html
CorsConfiguration#applyPermitDefaultValues
or you can use
#RestController
#CrossOrigin(origins = "*", methods= {RequestMethod.GET,RequestMethod.POST})
public class HelloRESTController {
I have a Jhipster application that uses JWT as authentication method.
Lately my server started to print repeatdely this error message:
com.company.security.jwt.JWTFilter: Security exception for user xxxxxx - JWT expired at 2018-05-03T23:47:49+0000. Current time: 2018-05-04T17:18:28+0000
Always with the same user. Usually when a token expires and the user checked the option remember me the token is refreshed.
What could be happening? This specific user is not able to refresh the token and keep sending requests with the expired token?
I have an access token with the necessary scope. I also successful access the resource server. The error occur when the resource server try to fetch the user Principal from the Authorization server. I really hope i can get some hints or help about how i can solve this
The access Token:
{"access_token":"65ce0f1a-192f-4ad2-b7bb-cb9c7cbf0be9","token_type":"bearer","refresh_token":"f1e2a49d-5b24-4e9c-b9da-567eb47d6ab7","expires_in":149,"scope":"read write trust"}
The resource server call:
curl -H "Authorization:Bearer 65ce0f1a-192f-4ad2-b7bb-cb9c7cbf0be9" http://localhost:9001/resource/hello
Resource server output after the call:
2016-10-10 10:10:06.144 INFO 411 --- [nio-9001-exec-5] o.s.b.a.s.o.r.UserInfoTokenServices : Getting user info from: http://localhost:9000/auth/user
The endpoint (localhost:9000/auth/user) get executed but i always get the following response to my curl request:
{"error":"insufficient_scope","error_description":"Insufficient scope for this resource","scope":"read"}
I resolved this by removing the user info uri from the resource server properties. Since I use a jdbc token store, the resource server can verify the authenticity of the token from the database and not relying on the auth server anymore.