I had a node app hosted as an azure web app on Linux environment. The node service handles events requests as a GET method. The application was working fine and all of a sudden since last 2 days it started throwing 431 error.
there was another similar question posted link but this is not the case here. I do not have AAD enabled
have also verified below areas
no change in the node app
no change on the client side sending the get request
no explicit headers are sent. this was verified by making simple postman calls as well
what could have gone wrong here? any help?
Is it only happening for certain users? When I've seen this in the past, it was because we kept user role & state in the token (which generally does get passed in a header) and for some "test" users that had access to absolutely everything, that token was too large and we had a 431. For pretty much any other user things were fine.
Our fix was to use a key-value store (could be SQL, CosmosDB, etc.) and the user token was now an ID that mapped to the value in the data store, and the role & state info was moved there.
Related
I've built an API-based integration with DocuSign (using their PHP SDK), and am now at the point of deploying to the production server. I have reconfigured everything with the production integration key, public/private key pair, user and account IDs, endpoint URL, etc. replacing the demo ones. The OAuth portion of the conversation is working fine, and I get a valid token back. When I then try to send an envelope, I hit a USER_LACKS_MEMBERSHIP error, and cannot figure out why. As far as I can see, everything about the API user is the same between the demo and production systems.
I've authorized the application and made sure that it's in the list of "Applications with Access to DocuSign".
I have enabled logging, but the only things that are showing up in there appear to be from my own navigation in the site, nothing related to the API calls at all.
Most of the documentation that I can find on this simply repeats the generic error text: "The UserID does not have a valid membership in this Account." If I go to the account admin and look at the list of users, the one I'm expecting is right there, with DS Admin permission; not sure what else might be done to give them "membership". One mentioned not using SendOnBehalfOf, but I'm not, so I can't really remove that.
All the code is identical, just configuration that's changed. Not sure where else to look. Anybody have any suggestions for what to try?
FURTHER INFORMATION
I've tried the getUserInfo call in the SDK, passing the same access token I use for the other call. It returns successfully, showing that it is for the user I'm expecting, in the one group we have, on the production server. And yet, when I enable logging again, as this same user, there is still zero record in the resulting logs of any of this API activity.
Attempts to do things like list templates with the SDK fail with the same USER_LACKS_MEMBERSHIP error.
Using the Diagnostics API (again, through the SDK) to check logging status shows that it is NOT enabled (despite my enabling it in the UI), but can be enabled with a separate call. Subsequently attempting to use listRequestLogs in the SDK generates a 404 error, though the URL matches what's listed in the API documentation (/v2/diagnostics/request_logs). Not sure whether these findings confirm that I'm somehow logging onto the API and the UI with different users (even though the user name and internal ID match), or that there's some problem with the logging facility in DocuSign.
The problem turns out to be the URL I was using for API calls. I switched from demo.docusign.net in testing to www.docusign.net in live, but being in Canada we need to use ca.docusign.net. For those who find this later, you can get the correct base path to use from the oauth/userinfo endpoint, or the getUserInfo() call through the SDK (PHP SDK, at least; don't know what the analogous call would be in others).
There are 3 things to consider:
API calls are made to an endpoint (URL) that contains the account # (either GUID or short form) in the url. Take a note of that number in the url.
Auth Token is a token for a specific user in a specific account.
UserId for the specific call. That is a specific user in the account.
If the user is not in the account, or there's a mismatch between #1 and #2 - you'll get this error. You must work with a single account and have it in all places as well as the user must be a member of this account.
Re:
I have enabled logging, but the only things that are showing up in there appear to be from my own navigation in the site, nothing related to the API calls at all.
Since the request logging is not showing your API activity, the problem is that the person you've logged in as on the web tool is not the same as the person (user id) that you've logged in as on your application.
Solution for OAuth Authorization Code authentication: double check that when your app is logging into DocuSign, you're using the account.docusign.com authentication server, not the account-d.docusign.com auth server. (Look at the URL in your browser during the login sequence.)
Solution for OAuth JWT authentication: re-check that the impersonated user id is from the production system and you're using the right authentication server
I have created three B2C applications:
TestWebApp
TestApiOne
TestApiTwo
Both API applications were created the exact same way. Web API access is enabled, reply URLs have been specified, an App ID URL has been assigned, and keys have been generated. Both APIs have an additional read and write scope.
In TestWebApp API access, I am able to add TestApiOne with all three scopes without an issue.
When trying to add TestApiTwo to the TestWebApp API access list, the operation fails with the following error.
Failed to add the API access. Reason: The B2C service has an internal
error. If you created this B2C directory just now, please try again
after couple of minutes. If the problem persists, please contact
Support
(https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-support/).
If you do not have a B2C directory you can refer
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-get-started/
I thought maybe there is a limit of one API per application. To test, I created a temporary application "TempApp". I received the same error displayed above while trying to add API access for both TestApiOne and TestApiTwo.
Has anyone else experienced this issue?
There's not a limit of one API per application. I have done research and it works fine by my side.
Please have a look at the guide and check your steps.
I have tried to replicate the issues that you are facing by putting diff redirect reply url domains and also by making one application to be native and one normal web app but it doesn't help.
Could you try to delete all the webapps and try making 1 and then adding another to it.
Then create the 3rd one.
Please check this or if you can share some screen shots. That would be helpful.
You can definitely add multiple web apps to api access of one web app.
Last night I created a new Azure CosmosDB instance. I created a new database and collection and went home without writing any data to it.
This morning I went back to the Azure portal and found my brand-new, empty database racked up 11,820 requests overnight! Where are these requests coming from?! Is this normal? Should I expect to see ~354,600 phantom requests each month even if I never use the database?
I'm not even sure what to search for on SO or Google. I tried things like 'Azure CosmosDB shows requests I didn't send', 'CosmosDB phantom requests', etc but didn't find anything related to this problem. Can anyone explain what's going on?
There is currently a bug that causes this chart to show unrelated internal service traffic. The fix is under way.
Sorry for any confusion it might have caused and please use Metrics tab for any usage information.
I don't have any active Cosmos DBs running now, but about four months ago I was using it and never saw anything like that.
Notice the color-key on the graph -- they're all HTTP 403 which is "Forbidden". According to the docs these events result in a 403 response:
The authorization token expired.
403 is also returned during a POST to create a resource when the resource quota has been reached. An example of this is when trying to add documents to a collection that has reached its provisioned storage.
403 can also be returned when a stored procedure, trigger, or UDF has been flagged for high resource usage and blocked from execution.
Microsoft being who they are, there are other docs which also say this about a 403 response:
Returned when you pass an invalid api-key.
Just a guess: The new service you created matches the name of a service someone previously created then deleted, and you're picking up zombie traffic from something that used to hit that service.
Their docs about diagnostics don't list HTTP 403 as logged traffic, but I'd probably go to the Activity tab on the portal and take a look anyway. (It does say HTTP 401 "Unauthorized" are recorded, I wouldn't be surprised if it was just an oversight that 403 isn't mentioned.)
If that doesn't reveal anything useful, I'd open a ticket.
I am trying out the Azure AD-B2C. The user signup/sign in is fine when the MFA is turned off. But when I turn it on, and the user tries to sign in and provides the phone number, and requests a text message by clicking "send code", I get the Http 400 error: size of request headers is too long. Anybody else have this issue?
The error HTTP 400: Size of header request is too long generally happens because there's too many cookies.
Azure AD B2C's login goes through login.microsoftonline.com, as does almost every Microsoft service (O365, Azure, etc). So if you've got several accounts that you've signed in to across these services, you're accumulating cookies that will cause this problem.
Clearing the cookies should resolve this problem. If this is happening on a recurring basis, you should edit your question to include details about the request and cookies in order to best figure out what's bloating the request and how to reduce it.
Short answer: The file with the custom UI was not found by Microsoft login service. After getting shipped around it resulted in the error.
I had the same error with AAD B2C but "cookies" was not the problem. In my case I got the error while testing in the Azure B2C portal checking the policies and the custom UI pages. We use Azure Blob storage to hold custom login setup, its fast and it scales without our attention. The problem was found by using my test website using the B2C service. I put a stop/break on the Account controller's "public Task OnRemoteFailure(RemoteFailureContext context)" method. The debugger message gave me the full context of the error, an http 404 error and it gave the file name it was trying to find. Blob storage is case sensitive. The setup configuration used to configure B2C has camelCase names. The group who created the actual UI customization uses all lower case names. It took someone with access to all the assets to find the simple case name issue. Errors in distributed systems can be difficult.
We're building a mobile application that uses Facebook login and attempts to show users their friends that are also using the application.
We generate an access token as part of the login process and pass this up to our server hosted in Azure.
When we request the users friends using:
https://graph.facebook.com/me/friends?access_token=[access_token]&fields=id%2Cname&limit=5
We get the following response on our Azure servers:
{"data":[]}
However requesting the URL directly from my local browser returns a number of records - regardless of whether I'm logged into Facebook or not.
The Facebook App that the user logged in via is published to live (otherwise they wouldn't be able to log in at all).
The only users that return results when called from within Azure are users configured as testers or developers in the Facebook app - is there a setting I've missed?
Looks like the "Country Restricted" setting was causing the problem - we'd limited this to users in the UK which meant requests from the Azure servers in Dublin where returning empty.
Removing this restriction (or possibly increasing to include Ireland) resolved the issue.
Note that this restriction doesn't impact test users, developers or administrators, all of whom work throughout testing and into release.