Token is Invalid or Invalid state token provided - node.js

So I'm running into a problem I suspect I shouldn't be having, and having tried several things I'm seemingly at an impasse.
I am trying to integrate LinkedIn login with Stormpath, and it seems the accounts get created and technically the user is logged in, but the application does return one of two errors:
"Token is invalid" or "Invalid state token provided."
I checked my ID and secret several times and the authorized callback URLs etc., but I'm not sure where else to actually check; some help would be appreciated.
To try further I did in fact clone https://github.com/stormpath/stormpath-express-react-example and ran it, and everything else works fine, but again LinkedIn login on this app doesn't work, so I suspect it's not my code (maybe; after years of coding I'm never really comfortable saying it's not my code, but there you have it).
I have attached the screenshot of things in case my now very tired eyes are missing something. Can someone point me to my mistake please?

For reference, Omar and I looked through this problem and realized that his server was not running ntp, and the clock was running fast.
This meant that the signed token request generated by Stormpath's Express integration was sent to Stormpath's REST API with a different valid time interval than expected, and thus failed validation.
We fixed it by installing ntp and syncing the server's time.

Related

How to fix oauth2client.client.HttpAccessTokenRefreshError in the Google Analytics Python API

When I call the Google Analytics REST API using Python, it returns the following error message:
oauth2client.client.HttpAccessTokenRefreshError: invalid_grant:
Invalid JWT: Token must be a short-lived token (60 minutes) and in a
reasonable timeframe. Check your iat and exp values in the JWT claim.
I also referred to this link: oauth2client.client.HttpAccessTokenRefreshError: invalid_grant: Invalid JWT
but the problem is not solved. Any solution?
I have found that this type of error can appear in at least a couple of situations: one most likely related to the clock (I suggest investigating this thoroughly, because it is usually the problem) and the other due to a generic message related to credentials (https://github.com/docker/for-mac/issues/2076):
The time of the machine that runs containers drifts from system time, and doesn't appear to reset itself properly. Stopping and restarting (i.e. Docker for Mac) should fix the issue; alternatively, try outputting your token information to detect any difference in time between it and that of your machine;
if you are using a credential file that was deleted (as happened on my project), just create another credential file.

What is causing 'FAILED_DOCUMENT_REQUEST. Lighthouse was unable to reliably load the page'

We are getting a desktop-only error for https://www.southwarkeba.org.uk as follows:
An error has occurred
Lighthouse returned error: FAILED_DOCUMENT_REQUEST. Lighthouse was unable to reliably load the page you requested. Make sure you are testing the correct URL and that the server is properly responding to all requests. (Details: net::ERR_TIMED_OUT)
I'm not getting this issue with other speed-checking tools that I use, such as PingDom or GTMetrix.
I got a very similar error while assigning a userId guid in a cookie to a variable that was never getting retrieved by PageSpeed Insights.
The process is that a user accesses our site; if they are authenticated, it grabs their authenticated userId, otherwise it creates an anonymous guid and assigns it to userId and then to a cookie. It then grabs the userId from the cookie.
PageSpeed Insights is of course the latter (anonymous) and is simply not retrieving the userId from the cookie (and probably not creating the cookie in the first place).
The only difference in the error is that our Details: net:: value is ERR_INVALID_RESPONSE.
Since your error is ERR_TIMED_OUT (and assuming it's not a genuine network failure), I would look at parts of your code that are not accessible by PageSpeed Insights (e.g. a subsequent resource that's actually down, a resource authenticated by user credentials, or authenticated by ip address, etc).
I realize I'm late to the party here, and the OP has probably found a solution already, but maybe this will help someone else down the road as googling my specific error returns zero results.

Error:"invalid_grant", Description:"Token has been revoked.", Uri:""

I have an MVC app, like explained here: https://developers.google.com/api-client-library/dotnet/guide/aaa_oauth#web-applications-aspnet-mvc
From JavaScript I make AJAX calls to some Action that uses the Google API to get messages from Gmail.
At first everything works fine, but after some time I keep receiving
Error:"invalid_grant", Description:"Token has been revoked.", Uri:""
Can someone explain to me what that means and why I am getting this error?
Cheers
Error:"invalid_grant", Description:"Token has been revoked.", Uri:""
This means just that the user has revoked your access to their data; you will need to request authentication again.
One thing you need to remember while testing: if you request access from yourself and grant it, you get a refresh token; do it again and you get another refresh token. They both will work. You can do this up to 26 times and have 26 technically live and active refresh tokens for an application. Once you do it the 27th time, the first one will stop working; normally you just get an invalid grant error.
Token has been revoked normally means that the user has revoked access in Google but it might be different with Gmail.
Update 2021:
Invalid grant means that the token you have no longer works. As of 2021 Google has made a change which will cause all refresh tokens to expire after seven days if the project that created them is still in the testing phase. The solution is to move your project to production, and then your refresh tokens will last longer than seven days.

authentication-flows email URL's do not work after web server reset

I have been playing around with authentication-flows and noticed that when I restart the web server the URLs no longer work; they are all invalid. I walked through debugging but I am still a bit lost as to exactly why, though I have a lot of good reasons why it should happen (and I am sure you do also).
I want to make a service which will be distributed to multiple containers, and when a request comes in any of them could serve it. As the solution stands right now, it looks like I will have to make modifications to make that possible.
What exactly is making the URL invalid, and what changes could I make to make my proposed solution possible?
Thank you in advance.
In response to Ohard's comment:
1. Why the URL is invalid
Let me tell you how I get the error. I deploy the war, submit forgot password, and receive the email to reset my password, then stop the war. When that happens my reset password page extracts the enc. I then stop and redeploy the war. After I send a REST request with the enc and a new password to the /rest/setNewPassword mapping, I receive:
09 Jan 2016 03:50:48,799 [http-nio-8082-exec-1] ERROR
web.rest.UserActionRestController - Failed to decrypt URL content
aX8uaOWkqAUQN2xOzlPAOHJjPZaxBwho7.yoMeUtMnJA
in ohadr\crypto\service\CryptoService.java there is an exception on line 261:
throw new CryptoException("Failed to decrypt URL content " +
based64EncryptedContent, e);
which I then use a breakpoint to find:
java aes javax.crypto.BadPaddingException: Given final block not
properly padded
I am sure if you try to reproduce this issue, you will find the same results...
Note: when I do this without the re-deploy everything works great!
2. How to make auth-flows work as SaaS
There are three use cases I want this service to fulfil:
Currently, if I host a service and it goes down without a fail-over, people who have URLs will be unable to use their links when it comes back up. I want them to be able to use the links regardless.
(untested, but will be soon) Similar to the second: if I host this service on multiple Docker containers, I believe that it will not be able to receive a link that did not originally come from its container; therefore containers could not share unsorted loads. It should be able to read any of the encs and process it.
EDIT:
1. Why the URL is invalid
An even easier way to test this is just to submit a forgotten password, get the email and then stop the war. Redeploy it, then click the link. I got this stack trace:
https://drive.google.com/file/d/0Bwa-JXbjFUDueXVMWWJibjY2Zm8/view?usp=sharing
Don't worry about csrf it is not enabled.
1. Why the URL is invalid
It looks like the ICryptoUtil instance is re-created after you redeploy the war.
CryptoService.java line 38:
return ContextLoader.getCurrentWebApplicationContext().getBean(ICryptoUtil.class);
I suggest for you to do a small test. Encrypt a string twice, now and after the redeploy and compare the results.
If you get 2 different results, then your crypto is not capable of decrypting a string encrypted by another crypto instance.
@EdiZ is right.
To be more accurate, every time your web-app loads, Spring loads all the beans. Among them are Crypto's library beans, such as CryptoUtil and CryptoProvider, and if you look carefully you will notice on DefaultCryptoProvider.loadMasterKeys() that a new key is generated.
I believe that explains the behavior you see.
Currently, If I host a service and it goes down without a fail-over,
people who have URL's will be unable to use their links when it comes
back up. I want them to be able to use the links regardless
It seems to be a duplication of your first question; I think that the first issue will have to be resolved in order to make it work as you wish. If the server reboots, all the links become invalid - the users will have to click again on "forget password" (for example) and get a new link - it is for you to decide how big this deal is.
If I host this service and I do have a failover I assume the failover
will not be able to read URL that is not from it originally. It should
be able to read any of the enc's and process it.
I assume that you have to develop some more persistence, so the server can decrypt URLs that were not generated by it...
Hope that helps.

Occasional OAuth exceptions - user hasn't authorized the app

I am fairly sure my application is handling most things properly as it works 88-92% of the time, but way too often I am getting the following error:
(OAuthException - #200) (#200) The user hasn't authorized the application to perform this action
I don't understand how this is possible. When the user is requested to authorize the app, I do not see any way for them accept a subset of the permissions required (it's all or nothing). If they proceed, and I get an auth token, doesn't that mean my app has the needed access? If not, how are users doing that, and how can I prevent or at least detect it?
In terms of background, my application is a kiosk application that takes the user's photo and allows them to post it (or, more precisely, a link to it) on their facebook timeline. The kiosk gets the user's authorization, then passes the token and all other data to a central web service that then communicates with Facebook. This has been working 88-92% of the time for the past week. Despite no code changes or application configuration changes, prior to the past week it had been working 93-96% of the time for the couple weeks prior to that, and about 98% earlier than that.
Is there any way I can provide some details (usernames and auth tokens) to facebook for more analysis? PLEASE HELP!