Error: request_unauthorized on access token introspection

Having obtained my access_token, I would like to verify its status from within my resource provider. I am running into errors:

msg=An error occurred while handling a request code=401 debug= details=map[] error=request_unauthorized reason=Check that you provided valid credentials in the right format.

My client has "token_endpoint_auth_method": "none" so my assumption is that I do not need to supply header information. If I do, what should be the format of the same?

I am using an Elixir client to perform these calls, not cURL or a direct HTTP call to the service.

Thank you for contributing to this repository by creating an issue!

Unfortunately, your issue lacks vital information, such as log files, the error message, the software version, your configuration or other pieces of the puzzle.

Please also ensure that your issue is appropriately formatted. If you do not know how to write markdown, you can find help here.

Helping you with your problem is only possible if you share this information, and it will save a lot of back and forth on your end as well as ours!

The log simply shows this:

time=2020-08-14T09:12:45Z level=info msg=started handling request http_request=map[headers:map[accept:application/x-www-form-urlencoded accept-encoding:gzip authorization:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". user-agent:hackney/1.16.0 x-forwarded-for:10.0.0.2 x-forwarded-proto:https] host:auth.myapp.com method:POST path:/oauth2/introspect query:<nil> remote:10.0.1.8:38474 scheme:http]
time=2020-08-14T09:12:45Z level=error msg=An error occurred audience=application error=map[message:request_unauthorized reason:Check that you provided valid credentials in the right format. status:Unauthorized status_code:401] service_name= service_version=

Well, how are you calling the introspection endpoint? Give me a reproducible case or at least some details to work with.

I am making the call using an OAuth2 client.

%OAuth2.Client{
  authorize_url: "https://auth.myapp.com/public/oauth2/auth",
  client_id: "7DFA3C17A46FA",
  client_secret: "GfdnUngQVyBVkxvx0hOTU+8jR5zTVUR4LLx97/xJghvH7fwdyCrWzom3Lg35Fp4J",
  headers: [
    {"authorization",
     "Basic N0RGQTNDMTdBNDZGQTpHZmRuVW5nUVZ5QlZreHZ4MGhPVFUrOGpSNXpUVlVSNExMeDk3L3hKZ2h2SDdmd2R5Q3JXem9tM0xnMzVGcDRK"}
  ],
  params: %{},
  redirect_uri: "http://localhost:4000/auth/callback",
  ref: nil,
  request_opts: [],
  serializers: %{"application/json" => Jason},
  site: "https://auth.myapp.com/public/",
  strategy: Auth.Strategy,
  token: nil,
  token_method: :post,
  token_url: "https://auth.myapp.com/public/oauth2/token"
}

That is then piped into a function that makes the post request.

The public part allows me to match the routes in traefik and allows me to push to either 4444 | 4445 based on that.

Is there a way to enable the logs to provide more info so I can show you exactly what comes in and which format it’s in?

@hackerman any input on this?

@churcho maybe post the raw request, instead of forcing recipients to guess how it's gonna look.

From the first look, your base64-encoded basic authorisation does not seem right,
so the error message is on point telling you it can't do with the credentials given.
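As an added example (not from this thread and not Hydra's or the Elixir client's code), the Python below builds a client_secret_basic Authorization header the way RFC 6749 section 2.3.1 specifies (form-url-encode the id and secret, then base64 the "id:secret" pair) and decodes a header the same way, using the client id, secret and header value posted above. It assumes the server applies that form-url-decoding step, so a raw "+" in the secret is read as a space.

```python
import base64
from urllib.parse import quote, unquote_plus

# Values posted in the thread above: client id, client secret and the Authorization header sent.
CLIENT_ID = "7DFA3C17A46FA"
CLIENT_SECRET = "GfdnUngQVyBVkxvx0hOTU+8jR5zTVUR4LLx97/xJghvH7fwdyCrWzom3Lg35Fp4J"
POSTED_HEADER = ("Basic N0RGQTNDMTdBNDZGQTpHZmRuVW5nUVZ5QlZreHZ4MGhPVFUrOGpSNXpUVlVSNExMeDk3"
                 "L3hKZ2h2SDdmd2R5Q3JXem9tM0xnMzVGcDRK")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build a client_secret_basic header as RFC 6749 section 2.3.1 requires:
    form-url-encode id and secret first, then base64 the "id:secret" pair."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def decode_basic_header(header: str) -> tuple[str, str]:
    """Decode a Basic header the way an RFC 6749 server does: base64-decode, split on
    the first ':', then form-url-decode both halves ('+' -> ' ', '%2B' -> '+')."""
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic" or not b64:
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    client_id, sep, secret = raw.partition(":")
    if not sep:
        raise ValueError("decoded credentials lack the 'id:secret' separator")
    return unquote_plus(client_id), unquote_plus(secret)


def header_matches(header: str, client_id: str, client_secret: str) -> bool:
    """True if the header, decoded per RFC 6749, yields exactly these credentials."""
    try:
        return decode_basic_header(header) == (client_id, client_secret)
    except ValueError:
        return False


if __name__ == "__main__":
    # The posted header base64-encodes the raw secret, so its "+" decodes to a space.
    print("posted header matches:", header_matches(POSTED_HEADER, CLIENT_ID, CLIENT_SECRET))
    print("RFC-encoded header matches:",
          header_matches(basic_auth_header(CLIENT_ID, CLIENT_SECRET), CLIENT_ID, CLIENT_SECRET))
```

The posted header is a valid base64 of the raw "id:secret" string, so the only difference an RFC 6749 decoder sees is the unencoded "+" in the secret.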
