Where can I find logs for failed SASL XOAUTH2 authentications? - azure

I have a custom Go CLI app that I am currently successfully able to use to trigger authentication and get a valid OAUTH2 access token (it generates a URL for me to browse to, and starts a listener to act as the redirect URL to receive the resulting authentication code). I'm then creating the SASL XOAUTH2 encoded string that contains my username and the access token as a bearer token (see this for SASL XOAUTH2 token format) to use with mbsync's XOAUTH2 authentication mechanism.
However, authentication fails with the following message from mbsync:
IMAP command 'AUTHENTICATE XOAUTH2 <base64-encoded token>' returned an error: NO AUTHENTICATE failed.
I cannot figure out if authentication fails because my SASL XOAUTH2 token is formatted incorrectly, because I don't have the correct scopes defined, etc.
Can someone tell me where I might be able to find error logs for these failed authentication attempts? I see logs for my successful logins when generating the authentication code and access token that's part of the OAUTH2 flow, but I can't find any logs for failed SASL XOAUTH2 logins against IMAP.
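Added example (my own code, not the question's Go CLI and not part of mbsync): a Go builder and checker for the SASL XOAUTH2 initial client response. BuildXOAuth2 produces the base64 string mbsync sends after AUTHENTICATE XOAUTH2; InspectXOAuth2 decodes such a string and reports the first framing defect it finds (a literal "^A" instead of byte 0x01, lowercase "bearer", missing trailing separators, non-base64 input). Running it over the exact string handed to mbsync separates a malformed token from server-side scope or consent problems, which IMAP only reports as "NO AUTHENTICATE failed". The function names and the sample user and token values are mine.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// BuildXOAuth2 builds the SASL XOAUTH2 initial client response that mbsync
// sends after "AUTHENTICATE XOAUTH2". The wire format is
//   "user=" + user + 0x01 + "auth=Bearer " + accessToken + 0x01 + 0x01
// base64-encoded. The separators are literal control bytes (^A), not the
// two-character text "^A".
func BuildXOAuth2(user, accessToken string) string {
	raw := "user=" + user + "\x01auth=Bearer " + accessToken + "\x01\x01"
	return base64.StdEncoding.EncodeToString([]byte(raw))
}

// InspectXOAuth2 decodes a base64 XOAUTH2 blob and returns the user and bearer
// token it carries, or an error naming the first framing problem found.
func InspectXOAuth2(encoded string) (string, string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(encoded))
	if err != nil {
		return "", "", fmt.Errorf("not valid standard base64: %w", err)
	}
	s := string(raw)
	if !strings.HasSuffix(s, "\x01\x01") {
		return "", "", errors.New("missing the two trailing 0x01 separators")
	}
	fields := strings.Split(strings.TrimSuffix(s, "\x01\x01"), "\x01")
	if len(fields) != 2 {
		return "", "", fmt.Errorf("expected 2 fields separated by 0x01, got %d", len(fields))
	}
	if !strings.HasPrefix(fields[0], "user=") {
		return "", "", errors.New(`first field must start with "user="`)
	}
	if !strings.HasPrefix(fields[1], "auth=Bearer ") {
		return "", "", errors.New(`second field must start with "auth=Bearer " (case and the single space matter)`)
	}
	user := strings.TrimPrefix(fields[0], "user=")
	token := strings.TrimPrefix(fields[1], "auth=Bearer ")
	if user == "" || token == "" {
		return "", "", errors.New("empty user or empty access token")
	}
	return user, token, nil
}

func main() {
	// Constructed sample values; a real access token is far longer.
	enc := BuildXOAuth2("someone@example.com", "EwB-sample-access-token")
	fmt.Println("AUTHENTICATE XOAUTH2", enc)
	user, token, err := InspectXOAuth2(enc)
	fmt.Println(user, len(token), err)
}
```

The check only covers the client side of the exchange; once InspectXOAuth2 is happy, what remains is whether the token's audience and scopes match what the IMAP endpoint expects, which is the part the server does not explain in its NO response.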

Related

Unauthorised error from getProfile when using node-auth0

I am trying to migrate authentication via Auth0 from a JVM-based solution which uses the Auth0 REST API to a Node-based solution using node-auth0.
At present it's a 2-step process:
Get token via POST /oauth/token
Get user profile via /userInfo
In the Node application, I am constructing AuthenticationClient while providing clientId, clientSecret and domain as AuthenticationClientOptions, and I am able to get the token successfully using passwordGrant, but when I use the same authenticationClient object to call getProfile while providing the token obtained from passwordGrant, I get this error:
Request failed with status code 401
What’s confusing is that in Auth0 dashboard, this request is successful.
I am using node-auth0 SDK Version: 2.42.0 on Node 15.14.0
The token obtained via passwordGrant will be processed to respond for userInfo. Hence, the token must have in its audience claim <your-auth0-domain>/userInfo.

For IMAP.AccessAsUser.All Scope AADSTS65001: The user or administrator has not consented to use the application

In my Java web application I want to get access to a user's mailbox by using Jakarta Mail. For that purpose I followed https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth for the OAuth2 authorization code flow.
On the Azure portal I set up my app and added API permissions as below
Now the user is redirected to the authorize endpoint below:
https://login.microsoftonline.com/5426ee07-9b73-4a9e-8075-395ab439c6fa/oauth2/v2.0/authorize?client_id=b6067ad9-7195-430b-a35d-97b7aa7beb8f&response_type=code&redirect_uri=http://localhost:8080/callback/microsoft&response_mode=query&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2FIMAP.AccessAsUser.All%20https%3A%2F%2Fgraph.microsoft.com%2FSMTP.Send
After entering credentials and accepting the consent, redirect_uri gets hit with the auth code. Based on that auth code I formed the token endpoint URL and hit it from the server; the token endpoint is as follows:
URL: https://login.microsoftonline.com/5426ee07-9b73-4a9e-8075-395ab439c6fa/oauth2/v2.0/token
Form Data:
client_id=b6067ad9-7195-430b-a35d-97b7aa7beb8f
scope=offline_access%20https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All
redirect_uri=http://localhost:8080/callback/microsoft
grant_type=authorization_code
client_secret=QUs8Q~aboLBiopTezMTKwzQjIwWsFFXjc2kCRaRs (I know I have shared the secret)
code={code received from authorize end point}
Response to this post request comes as:
{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'b6067ad9-7195-430b-a35d-97b7aa7beb8f' named 'Email Connector'. Send an interactive authorization request for this user and resource.\r\nTrace ID: dc008ced-e23f-4919-bd45-b7ae7c68b000\r\nCorrelation ID: 9b6ede03-3c05-4a78-8975-036a3cb20773\r\nTimestamp: 2022-06-07 19:51:30Z","error_codes":[65001],"timestamp":"2022-06-07 19:51:30Z","trace_id":"dc008ced-e23f-4919-bd45-b7ae7c68b000","correlation_id":"9b6ede03-3c05-4a78-8975-036a3cb20773","suberror":"consent_required"}
Here, I don't understand why the error says the user or administrator has not consented to use the application; the user has accepted the consent after entering credentials on the authorize endpoint. Even more, if we look at the screenshot above the admin has already granted access to the directory.
I tried to reproduce the same scenario in my environment and got the same error as below:
To resolve the error, please check the authorize endpoint you are using to get the code.
Avoid using Microsoft graph API scopes while getting the code.
Replace it with the scope you are using to get access token like below:
https://login.microsoftonline.com/Your_TenantID/oauth2/v2.0/authorize?
client_id=Your_ClientID
&response_type=code
&redirect_uri=http://localhost:8080/callback/microsoft
&response_mode=query
&scope= offline_access https://outlook.office.com/IMAP.AccessAsUser.All
&state=12345
Get the code from the above authorization endpoint.
I got the access token successfully after modifying the endpoint like below:
To validate the access token decode it in jwt.io and check the aud and scp claims like below:
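Added example (my own Go code, not the asker's Java application): functions that build the /authorize URL and the /token form body from one shared scope list, plus a check that reports /token scopes that were never requested at /authorize. Fed the question's authorize URL (Graph-prefixed scopes) and its token form (an outlook.office.com scope), the check reports the mismatch behind AADSTS65001; with the answer's URL it reports nothing. The placeholders Your_TenantID and Your_ClientID follow the answer; <client-secret>, <code-from-redirect> and the function names are mine.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Placeholders: substitute your tenant ID, client ID and registered redirect URI.
const (
	tenantID    = "Your_TenantID"
	clientID    = "Your_ClientID"
	redirectURI = "http://localhost:8080/callback/microsoft"
)

// IMAPScopes are the resource-qualified scopes from the answer above. The same
// list must be used at /authorize (where consent is recorded) and at /token.
var IMAPScopes = []string{
	"offline_access",
	"https://outlook.office.com/IMAP.AccessAsUser.All",
}

// AuthorizeURL builds the v2.0 authorization-code request for the given scopes.
func AuthorizeURL(tenant, client, redirect, state string, scopes []string) string {
	q := url.Values{}
	q.Set("client_id", client)
	q.Set("response_type", "code")
	q.Set("redirect_uri", redirect)
	q.Set("response_mode", "query")
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	return "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/authorize?" + q.Encode()
}

// TokenForm builds the x-www-form-urlencoded body for redeeming the code at /token.
// The scope here must be the list (or a subset of the list) used at /authorize.
func TokenForm(client, secret, redirect, code string, scopes []string) url.Values {
	f := url.Values{}
	f.Set("client_id", client)
	f.Set("client_secret", secret)
	f.Set("grant_type", "authorization_code")
	f.Set("redirect_uri", redirect)
	f.Set("code", code)
	f.Set("scope", strings.Join(scopes, " "))
	return f
}

// ScopeMismatch returns the /token scopes that were never requested at /authorize.
// A non-empty result is the situation in the question: consent was collected for
// graph.microsoft.com scopes, then outlook.office.com scopes were redeemed.
// Scope names are compared case-insensitively as whole strings.
func ScopeMismatch(authorizeScopes, tokenScopes []string) []string {
	granted := map[string]bool{}
	for _, s := range authorizeScopes {
		granted[strings.ToLower(s)] = true
	}
	var missing []string
	for _, s := range tokenScopes {
		if !granted[strings.ToLower(s)] {
			missing = append(missing, s)
		}
	}
	return missing
}

// ScopesFromURL extracts and splits the scope parameter of an authorize URL, so
// an existing URL (such as the one in the question) can be checked against a form.
func ScopesFromURL(rawURL string) ([]string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	return strings.Fields(u.Query().Get("scope")), nil
}

func main() {
	auth := AuthorizeURL(tenantID, clientID, redirectURI, "12345", IMAPScopes)
	fmt.Println(auth)
	form := TokenForm(clientID, "<client-secret>", redirectURI, "<code-from-redirect>", IMAPScopes)
	fmt.Println(form.Encode())
	fmt.Println("mismatch:", ScopeMismatch(IMAPScopes, strings.Fields(form.Get("scope"))))
}
```

url.Values.Encode() writes spaces as "+" and the resource URLs percent-encoded, which the endpoint decodes the same way as the %20 form shown in the question.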

Apache Nifi - OpenID Connect - Unable to validate token

I am using OpenID connect authorization provider with Apache Nifi. The authorization is provided by Azure Active Directory.
The implicit grant flow is working fine and I am able to login to the Nifi UI.
However, when I generate a token using the client credentials flow through Azure AD and use it in Nifi, I get the following error:
Unable to validate the access token.
Looking further in the Nifi logs, the complete error log is this:
2020-03-23 11:33:07,408 ERROR [NiFi Web Server-30] o.a.nifi.web.security.jwt.JwtService Unable to validate the access token.
Caused by: The default resolveSigningKey(JwsHeader, Claims) implementation cannot be used for asymmetric key algorithms (RSA, Elliptic Curve). Override the resolveSigningKey(JwsHeader, Claims) method instead and return a Key instance appropriate for the RS256 algorithm.
2020-03-23 11:33:07,408 WARN [NiFi Web Server-30] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Unable to validate the access token.
From what I understand, RS256-signed tokens are not supported by Apache Nifi, or am I doing something wrong?
Here is the token that is working after implicit flow.
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI1ZjVlOTc0Zi04YzcxLTQ2NTctYTk1My1hODNhMjMzNGFkZTciLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vNWY1ZTk3NGYtOGM3MS00NjU3LWE5NTMtYTgzYTIzMzRhZGU3L3YyLjAiLCJhdWQiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vNWY1ZTk3NGYtOGM3MS00NjU3LWE5NTMtYTgzYTIzMzRhZGU3L3YyLjAiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiI1ZjVlOTc0Zi04YzcxLTQ2NTctYTk1My1hODNhMjMzNGFkZTciLCJraWQiOjIsImV4cCI6MTU4NDk5MDM1MywiaWF0IjoxNTg0OTg2NzU0fQ.j-n7HbniajEItWUMNWwoD9Ds17focVPD1Bng23KCCF8
Here is the token generated using client credentials flow that is not working :-
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IllNRUxIVDBndmIwbXhvU0RvWWZvbWpxZmpZVSIsImtpZCI6IllNRUxIVDBndmIwbXhvU0RvWWZvbWpxZmpZVSJ9.eyJhdWQiOiJhcGk6Ly9uaWZpIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvNWY1ZTk3NGYtOGM3MS00NjU3LWE5NTMtYTgzYTIzMzRhZGU3LyIsImlhdCI6MTU4NDc2NTE5NywibmJmIjoxNTg0NzY1MTk3LCJleHAiOjE1ODQ3NjkwOTcsImFpbyI6IjQyTmdZSGltZnRkQVBuQ24rWk5YbnRHUmo1VXZBZ0E9IiwiYXBwaWQiOiI3N2NmMmYxZC04MTlmLTQ0NDMtYjI1NS0wZjcyYmQyMjA1OTUiLCJhcHBpZGFjciI6IjEiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC81ZjVlOTc0Zi04YzcxLTQ2NTctYTk1My1hODNhMjMzNGFkZTcvIiwib2lkIjoiN2JjZTEwYzAtNWFhYy00ZjNhLWEyMjQtMWRkNmFmZDgwYWE3Iiwicm9sZXMiOlsiQ29uc3VtZXIiXSwic3ViIjoiN2JjZTEwYzAtNWFhYy00ZjNhLWEyMjQtMWRkNmFmZDgwYWE3IiwidGlkIjoiNWY1ZTk3NGYtOGM3MS00NjU3LWE5NTMtYTgzYTIzMzRhZGU3IiwidXRpIjoiZ290bWYyYm5QVWUyYzlzWFhyUURBQSIsInZlciI6IjEuMCJ9.GOVOxmNPT3p8aa8pRlcssfq-R4beflrG343BQM-MAtqHEIwAyHfDX0K3BmV5-SVSnNlt8BKBXicq-IgtiHtdo4HLWAEu7FGH2udH-SJwMbk4_kmH8RaE-zps_ZUjt_L04dZpwK5e-VfRmBkIFKh-KkxvXVabyvLfgJZCwPq4_d_mP0PK4Jmx0xibysYMIbyw0Le883-2GCXVACLZfxQAwblaZiS1LXe7cBkyp508Ij_GZCs4sTwZ7_p6uydx0MqdFUtQVyJOO5pCRo0fDLmKWfAme8uqz36gOa9g6chpALCQfbSBMsZbZxPT9eRSFCZaezuayuh03wFipO_tvzAyEA
And this is the openid discovery url :-
https://login.microsoftonline.com/5f5e974f-8c71-4657-a953-a83a2334ade7/v2.0/.well-known/openid-configuration
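Added example, not code from any of the posts above: a Go inspector that decodes a JWT's header and payload offline (what the answers mean by "decode it in jwt.io") without verifying the signature, so nothing it reports may be treated as authenticated. It serves three passages on this page: the node-auth0 answer's requirement that aud contain `<your-auth0-domain>/userinfo`, the AADSTS65001 answer's check of the aud and scp claims, and this Nifi question, where the header's alg tells you whether the token needs a public key (RS256) rather than the shared secret the default resolveSigningKey handles. Pass either of the two tokens in the Nifi post as the argument; the type and function names are mine.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// JWTParts is the decoded header and payload of a compact JWS. The signature is
// NOT checked here: this only reads what the token says about itself.
type JWTParts struct {
	Header map[string]any
	Claims map[string]any
}

// decodeSegment base64url-decodes one segment. JWT segments are unpadded, but
// some tools add '=' padding, so it is stripped first.
func decodeSegment(seg string) (map[string]any, error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(seg, "="))
	if err != nil {
		return nil, fmt.Errorf("segment is not base64url: %w", err)
	}
	var m map[string]any
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("segment is not a JSON object: %w", err)
	}
	return m, nil
}

// InspectJWT splits and decodes a token; a newline copied with it is trimmed.
func InspectJWT(token string) (*JWTParts, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 dot-separated segments, got %d", len(parts))
	}
	h, err := decodeSegment(parts[0])
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	c, err := decodeSegment(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	return &JWTParts{Header: h, Claims: c}, nil
}

// Alg returns the header's signing algorithm ("HS256", "RS256", ...).
func (p *JWTParts) Alg() string {
	s, _ := p.Header["alg"].(string)
	return s
}

// Asymmetric reports whether alg needs a public key (RSA or EC) rather than a
// shared secret, the case the NiFi error above says its default resolver cannot handle.
func (p *JWTParts) Asymmetric() bool {
	a := p.Alg()
	return strings.HasPrefix(a, "RS") || strings.HasPrefix(a, "PS") || strings.HasPrefix(a, "ES")
}

// Audiences returns aud as a list; RFC 7519 allows a single string or an array.
func (p *JWTParts) Audiences() []string {
	switch v := p.Claims["aud"].(type) {
	case string:
		return []string{v}
	case []any:
		out := make([]string, 0, len(v))
		for _, x := range v {
			if s, ok := x.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// HasAudience is the check behind "the token must have <domain>/userinfo in aud".
func (p *JWTParts) HasAudience(want string) bool {
	for _, a := range p.Audiences() {
		if a == want {
			return true
		}
	}
	return false
}

// Scopes splits the space-separated "scp" claim (Microsoft identity platform)
// or "scope" claim (Auth0 and others) into individual scope names.
func (p *JWTParts) Scopes() []string {
	for _, k := range []string{"scp", "scope"} {
		if s, ok := p.Claims[k].(string); ok {
			return strings.Fields(s)
		}
	}
	return nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Println("usage: inspectjwt <token>")
		return
	}
	p, err := InspectJWT(os.Args[1])
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("alg=%s asymmetric=%v kid=%v\n", p.Alg(), p.Asymmetric(), p.Header["kid"])
	fmt.Printf("iss=%v aud=%v scopes=%v roles=%v exp=%v\n",
		p.Claims["iss"], p.Audiences(), p.Scopes(), p.Claims["roles"], p.Claims["exp"])
}
```

Run as `go run inspectjwt.go '<token>'`. On the two tokens in the Nifi post it reports HS256 with no kid for the implicit-flow token and RS256 with a kid and aud api://nifi for the client-credentials token, which is exactly the difference the log line complains about.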

"Bad Request" message in JWT OAuth authentication flow

I've followed all the instructions in the doc for generating a JWT token, but only receive "Bad Request" as the response...
When I try to run eg-01-php-jwt the same occurs. I'm using the DocuSign demo environment and simulating requests using Postman and curl.
The steps I'm doing are:
generate the authorization URI as https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=c0c3e3b4-87ec-46e6-afad-9f8cf9dda84c&redirect_uri=http://example.com/api/docusign/obtain-consent/callback
fill in login and password for a different DocuSign sandbox account
at the redirected URI I get the code parameter and decode it at jwt.io, getting the kid value from the header
use the kid value as sub to generate a new JWT token
sign the JWT token with my private key
try to obtain an access token and receive "Bad Request" as the response message
my (updated) generated token is
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJjMGMzZTNiNC04N2VjLTQ2ZTYtYWZhZC05ZjhjZjlkZGE4NGMiLCJzdWIiOiI2ODE4NWZmMS00ZTUxLTRjZTktYWYxYy02ODk4MTIyMDMzMTciLCJpYXQiOjE1NTExMDA0MDksImV4cCI6MTU1MjEwMDQwOSwiYXVkIjoiYWNjb3VudC1kLmRvY3VzaWduLmNvbSIsInNjb3BlIjoic2lnbmF0dXJlIGltcGVyc29uYXRpb24ifQ.I1LhY77Rd0-op6UE3zUQvA5UxXIBzHUMyhhrwSN_TBv9ghiNAOr2aVz8Glf16bulkqSrE6A67h3DvL_VDm5NpNzcDQttjlf-CtlnBrjyt2w1niZkYnlmrUXW3SofDJkNHEj9-zQOa2XBrzTOLIhD6g2V0adBe45mwwGpMpOu0oPameUseDVEBeQ50mCZcyiMGYazEA0qeE9Ws9Rb7GxZxmOIZXaWirohmJhNfic5wHprJvA6tTwxai5-4xAwnhrjpsOWKoQRxXRkCKKcIIrKf8SEz4KOH2RCUBqMZRGys81CIDtowtLoDUeMCRKTaxnbrCFax4blJSZ8X3ptyneVpw
UPDATE # 2019-02-26:
To achieve what I want I needed to complete the authorization code flow, get the user account ID from step 4 (retrieve user data) and finally generate the JWT token with that info as sub in the payload!
That assertion previously only included the signature scope. JWT Authentication requires signature impersonation.
Now that that has been updated, there are a couple of other possible issues:
Invalid user ID. The JWT assertion requires an active User ID in the sub field. If the user is closed or the ID is incorrect this will fail.
Invalid signature. The JWT assertion must be signed with an RSA private key associated with the iss / Client ID in use. If there are any invalid/encoding characters or trailing spaces, the signature may not be valid.
I'd recommend opening a case with DocuSign Support. On your side, you'll only receive the error invalid_grant. Support-side logging will have a more specific error. To assist with resolution, when opening a case please provide the following:
Integrator key
Demo account ID
JWT Assertion
x-DocuSign-TraceToken header value
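Added example, my own Go code rather than DocuSign's or the eg-01-php-jwt sample: the JWT grant assertion with the checks from the answer built in. ValidateClaims rejects an empty sub or a scope without impersonation before anything is signed, SignAssertion signs with RS256, and VerifyAssertion lets you confirm locally that the private key you load is the one paired with the public key registered for the integration key (the "invalid signature" case) and that the pasted token carries no stray characters. The aud value account-d.docusign.com, the scope "signature impersonation" and the client ID in the test come from this thread; the one-hour lifetime, the placeholders and the function names are my assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AssertionClaims are the claims the JWT grant carries: iss is the integration
// key (client_id), sub is the API user's user ID (the GUID from the user-info
// step, not a kid from any header), aud is the auth host without scheme.
type AssertionClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
	Scope string `json:"scope"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ValidateClaims catches the mistakes the answer lists before anything is signed.
func ValidateClaims(c AssertionClaims) error {
	if c.Iss == "" || c.Sub == "" || c.Aud == "" {
		return errors.New("iss (integration key), sub (active user ID) and aud must all be set")
	}
	padded := " " + strings.Join(strings.Fields(c.Scope), " ") + " "
	if !strings.Contains(padded, " signature ") || !strings.Contains(padded, " impersonation ") {
		return errors.New(`scope must contain both "signature" and "impersonation"`)
	}
	if c.Exp <= c.Iat {
		return errors.New("exp must be later than iat")
	}
	return nil
}

// SignAssertion builds header.payload.signature with RS256 (RSASSA-PKCS1-v1_5 over SHA-256).
func SignAssertion(c AssertionClaims, key *rsa.PrivateKey) (string, error) {
	if err := ValidateClaims(c); err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyAssertion checks the signature with a public key and returns the claims.
// A wrong key, or a trailing space pasted along with the token, fails here with a
// specific message instead of as an opaque invalid_grant from the server.
func VerifyAssertion(token string, pub *rsa.PublicKey) (AssertionClaims, error) {
	var c AssertionClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, fmt.Errorf("signature segment is not clean base64url: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, fmt.Errorf("signature does not verify with this key: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	return c, nil
}

// NewClaims fills in an assertion for the demo environment with a one-hour lifetime (assumed).
func NewClaims(integrationKey, userID string, now time.Time) AssertionClaims {
	return AssertionClaims{Iss: integrationKey, Sub: userID, Aud: "account-d.docusign.com",
		Iat: now.Unix(), Exp: now.Add(time.Hour).Unix(), Scope: "signature impersonation"}
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key; use the one paired with your integration key
	tok, err := SignAssertion(NewClaims("<integration-key>", "<api-user-guid>", time.Now()), key)
	fmt.Println(tok, err)
	_, err = VerifyAssertion(tok, &key.PublicKey)
	fmt.Println("verify:", err)
}
```

To check a real key pair, load the private key with x509.ParsePKCS1PrivateKey (or ParsePKCS8PrivateKey) and verify against the public key you uploaded; if VerifyAssertion fails with the uploaded key, the server will report invalid_grant for the same reason.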

Azure AD B2C Refresh Token Revoked 403

Good morning everyone,
I have set up an App Service in Azure and added Authentication via Azure AD B2C. So far so good, everything works fine. After 1 hour though, when the token expires, I try to refresh it but then I get an error back that the refresh token has been revoked. What goes wrong here? I have set up the backend as explained in this post: and when logging in I pass the additional parameter like so:
user = await Manager.CurrentClient.LoginAsync(currentContext,MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,new Dictionary<string, string>() { { "response_type", "code id_token" } });
This is my refresh code :
user = await Manager.CurrentClient.RefreshUserAsync();
This is the error I am getting
{Microsoft.WindowsAzure.MobileServices.MobileServiceInvalidOperationException: Refresh failed with a 403 Forbidden error. The refresh token was revoked or expired. ---> Microsoft.WindowsAzure.MobileServices.MobileServiceInvalidOperationException: You do not have permission to view this directory or page. at Microsoft.WindowsAzure.MobileServices.MobileServiceHttpClient+d__24.MoveNext () [0x001ec] in :0
Am I missing something here?
Thank you
EDIT:
Here is a Screenshot of the Settings in the Portal
EDIT 2 :
Here is an error from the server logs when trying to refresh the token:
EDIT 3 :
And here is the Application Log from the web server for the given request:
2017-01-18T15:08:33 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/refresh
2017-01-18T15:08:33 PID[6344] Verbose JWT validation succeeded. Subject: 'sid:453a1ad2710466bc9873240e888d8b91', Issuer: 'https://api.near.lu/'.
2017-01-18T15:08:33 PID[6344] Warning The refresh request issued by sid:453a1ad2710466bc9873240e888d8b91 (SID: ac22f7309036f0c07a54b1299b9601ef) failed because no refresh tokens were found in the token store.
2017-01-18T15:08:33 PID[6344] Information Sending response: 403.80 Forbidden
2017-01-18T15:08:34 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/login/aad?response_type=code%20id_token
2017-01-18T15:08:34 PID[6344] Verbose Downloading OpenID configuration from https://login.microsoftonline.com/nearauth.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_Default
2017-01-18T15:08:36 PID[6344] Verbose Downloading OpenID issuer keys from https://login.microsoftonline.com/nearauth.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_default
2017-01-18T15:08:37 PID[6344] Information Redirecting: https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fapi.near.lu%2F.auth%2Flogin%2Faad%2Fcallback&client_id=c4c15bfb-eac4-4cdc-861f-eb01594e19d2&scope=openid+profile+email&response_mode=form_post&state=redir%3D%26b2cPolicy%3D&p=b2c_1_default&nonce=9e243549b62f49878cc370048c6effa9_20170118151334
2017-01-18T15:08:39 PID[6344] Verbose Received request: POST https://api.near.lu/.auth/login/aad/callback
2017-01-18T15:08:39 PID[6344] Error An error of type 'unauthorized_client' occurred during the login process: 'AADB2C90057: The provided application is not configured to allow the OAuth Implicit flow. Correlation ID: 8336662f-8847-4f8b-bb37-6925a5d3e264 Timestamp: 2017-01-18 15:08:38Z '
2017-01-18T15:08:39 PID[6344] Information Sending response: 401.73 Unauthorized
EDIT 4:
This is the log of a successful login:
2017-01-18T19:10:14 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/login/aad?response_type=code%20id_token
2017-01-18T19:10:14 PID[6344] Information Redirecting: https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fapi.near.lu%2F.auth%2Flogin%2Faad%2Fcallback&client_id=c4c15bfb-eac4-4cdc-861f-eb01594e19d2&scope=openid+profile+email&response_mode=form_post&state=redir%3D%26b2cPolicy%3D&p=b2c_1_default&nonce=817be561f67343688001637fa7808690_20170118191514
2017-01-18T19:10:30 PID[6344] Verbose Received request: POST https://api.near.lu/.auth/login/aad/callback
2017-01-18T19:10:30 PID[6344] Verbose JWT validation succeeded. Subject: '1eaf9f41-1562-4ac9-9538-b893c9123087', Issuer: 'https://login.microsoftonline.com/07407dc1-946a-4afc-9186-84e6023ba814/v2.0/'.
2017-01-18T19:10:30 PID[6344] Verbose Calling into external HTTP endpoint POST https://login.microsoftonline.com/nearauth.onmicrosoft.com/oauth2/v2.0/token.
2017-01-18T19:10:32 PID[6344] Information Login completed for 'aget'. Provider: 'aad'.
2017-01-18T19:10:32 PID[6344] Verbose Writing 'AppServiceAuthSession' cookie for site 'api.near.lu'. Length: 792.
2017-01-18T19:10:32 PID[6344] Information Redirecting: https://api.near.lu/.auth/login/done#token=%7B%22authenticationToken%22%3A%22ey--REMOVED PART OF THE TOKEN--%22%2C%22user%22%3A%7B%22userId%22%3A%22sid%3Aed01ed7507f147976aa1704783267861%22%7D%7D
2017-01-18T19:10:33 PID[6344] Verbose Received request: GET https://api.near.lu/.auth/login/done
2017-01-18T19:10:33 PID[6344] Information Sending response: 200.0 OK
This is the error log I get when I try to refresh immediately after logging in:
2017-01-23T10:55:06 PID[6344] Verbose Received request: POST https://api.near.lu/.auth/refresh
2017-01-23T10:55:06 PID[6344] Verbose JWT validation succeeded. Subject: 'sid:ed01ed7507f147976aa1704783267861', Issuer: 'https://api.near.lu/'.
2017-01-23T10:55:06 PID[6344] Warning The refresh request issued by sid:ed01ed7507f147976aa1704783267861 (SID: 9a6c2ee324a092937c5e2f953803e662) failed because no refresh tokens were found in the token store.
2017-01-23T10:55:06 PID[6344] Information Sending response: 403.80 Forbidden
Which is weird, as it can be seen in the above picture the token store is enabled...
The problem could be that your current App Service Authentication / Authorization setup is not configured to support token refresh. A simple way to confirm this would be to enable Application Logging and look at the warning messages in the application log stream when a refresh operation fails. More details on application logging can be found here: https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-enable-diagnostic-log
See the following blog post (which I wrote) to learn more about how to update your Authentication / Authorization settings to support token refresh: https://cgillum.tech/2016/08/10/app-service-auth-and-azure-ad-b2c-part-2/#refresh. The short version is that you need to:
create an app key in your B2C app registration and set that as the client secret in your Authentication / Authorization "Advanced" settings for AAD in the portal.
Request the offline_access scope when logging in. This ensures you get a refresh token from AAD B2C when the user logs in.
Your login code should look like the following:
user = await Manager.CurrentClient.LoginAsync(
currentContext,
MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,
new Dictionary<string, string>() { { "scope", "openid offline_access" } });
To use the refresh user, we have to store the refresh token to the app service token store.
You can check whether there are refresh token via using the request below:
Get:https://{yourMobileAppName}.azurewebsites.net/.auth/me
X-ZUMO-AUTH: {accessToken}
The access token you can get from user.MobileServiceAuthenticationToken.
If there is no refresh token returned, you can check whether following requirements are satisfied:
the token store is enabled
the response_type of the request contains code
developers don't revoke the access_token, refresh_token or user permission
If all settings are fine but the app still gets the 403 error, we should prompt the user to log in again (refer to Refreshing user logins in App Service Mobile Apps).
And to avoid misunderstanding, since you say you are using an Azure AD B2C tenant, would you mind sharing the detailed steps by which you protected the mobile service?
Update (able to reproduce this issue using a B2C app registered this way)