Authorized with Failure #121

Open
neilberkman opened this issue May 25, 2020 · 10 comments
@neilberkman

neilberkman commented May 25, 2020

OTP 23.0.1
Phoenix 1.5.3
Elixir 1.10.3

Receiving both the data requested and also error struct at the same time using both Github and Google providers.

Github error:

%Plug.Conn{
  adapter: {Plug.Cowboy.Conn, :...},
  assigns: %{
    ueberauth_auth: %Ueberauth.Auth{
      credentials: %Ueberauth.Auth.Credentials{
        expires: false,
        expires_at: nil,
        other: %{},
        refresh_token: nil,
        scopes: ["user"],
        secret: nil,
        token: "***",
        token_type: "Bearer"
      },
      extra: %Ueberauth.Auth.Extra{
        raw_info: %{
          token: %OAuth2.AccessToken{
            access_token: "XX",
            expires_at: nil,
            other_params: %{"scope" => "user"},
            refresh_token: nil,
            token_type: "Bearer"
          },
          user: %{
            "collaborators" => 99,
            "two_factor_authentication" => true,
            "company" => nil,
            "bio" => nil,
            "following" => 99,
            "followers_url" => "https://api.github.com/users/X/followers",
            "public_gists" => 1,
            "id" => X,
            "avatar_url" => "https://avatars3.githubusercontent.com/u/X?v=4",
            "events_url" => "https://api.github.com/users/X/events{/privacy}",
            "starred_url" => "https://api.github.com/users/X/starred{/owner}{/repo}",
            "emails" => [
              %{
                "email" => "XX@XX.com",
                "primary" => false,
                "verified" => true,
                "visibility" => nil
              }
            ],            
          }
        }
      },
      info: %Ueberauth.Auth.Info{
      [...]
      },
      provider: :github,
      strategy: Ueberauth.Strategy.Github,
      uid: XX
    },
    ueberauth_failure: %Ueberauth.Failure{
      errors: [
        %Ueberauth.Failure.Error{
          message: "The code passed is incorrect or expired.",
          message_key: "bad_verification_code"
        }
      ],
      provider: :github,
      strategy: Ueberauth.Strategy.Github
    }
  }

Google error:

%Plug.Conn{
  adapter: {Plug.Cowboy.Conn, :...},
  assigns: %{
    ueberauth_auth: %Ueberauth.Auth{
      credentials: %Ueberauth.Auth.Credentials{
        expires: true,
        expires_at: 1590385396,
        other: %{},
        refresh_token: "XXX",
        scopes: ["openid https://www.googleapis.com/auth/userinfo.email"],
        secret: nil,
        token: "XXX",
        token_type: "Bearer"
      },
      extra: %Ueberauth.Auth.Extra{
        raw_info: %{
          token: %OAuth2.AccessToken{
            access_token: "XXX",
            expires_at: 1590385396,
            other_params: %{
              "id_token" => "XXX",
              "scope" => "openid https://www.googleapis.com/auth/userinfo.email"
            },
            refresh_token: "XXX",
            token_type: "Bearer"
          },
          user: %{
            "email" => "X@X.com",
            "email_verified" => true,
            "hd" => "X.com",
            "picture" => "https://lh3.googleusercontent.com/-XXX/photo.jpg",
            "sub" => "XX"
          }
        }
      },
      info: %Ueberauth.Auth.Info{
        [...]
      },
      provider: :google,
      strategy: Ueberauth.Strategy.Google,
      uid: "XXX"
    },
    ueberauth_failure: %Ueberauth.Failure{
      errors: [
        %Ueberauth.Failure.Error{
          message: "Bad Request",
          message_key: "invalid_grant"
        }
      ],
      provider: :google,
      strategy: Ueberauth.Strategy.Google
    }
  }
@rlb3

rlb3 commented Oct 13, 2020

I have the same error with github.

Hex: 0.20.5
Elixir: 1.11.0
OTP: 23.1.1

@Hanspagh
Contributor

Hi @neilberkman & @rlb3
Sorry for the delay on this. I have tried to investigate this; the only reason I can find for this is if the full callback phase is run multiple times per request. In this case the conn would already have either of the two responses and the 2nd call would add the other one.

Do you by any chance have a more elaborate example of this (Repo or code)?

@doomspork
Copy link
Member

doomspork commented Dec 22, 2020

@neilberkman / @rlb3 / @Hanspagh is this consistently happening with every request?

There's a couple of reasons off the top of my head where this could potentially originate:

  • Expired tokens. This could occur if a user delays in authorization.
  • Mismatched callback URI. Are you setting one in the developer settings of the provider and then providing one via Ueberauth?
  • A permission is denied (or not requested) and the subsequent Ueberauth call for their profile fails.

For the record: I have seen similar errors in some logs at work but currently we're not using Ueberauth for these logins. We will be moving to that shortly and I hope to be able to track this down with reproducible steps 🤞

@Hanspagh
Contributor

@doomspork
I think all those are valid reasons to fail; I just cannot wrap my head around why we would end up with both a ueberauth_failure and a ueberauth_auth in the same conn. For me, this only seems to be possible if we run the pipeline twice.

@djschilling

I have the same problem using the github provider.

What does the error message exactly mean?

%Ueberauth.Failure.Error{
        message: "The code passed is incorrect or expired.",
        message_key: "bad_verification_code"
      }

Which code is referred to here? Is it the client_id, client_secret or none of those two?

@kuroski

kuroski commented Apr 17, 2021

I was facing the same problem and in my case, I was following a tutorial in a blog regarding authentication with Phoenix...

I was instructed to set up the plug Ueberauth in my router :browser pipeline.

Then by reading the docs here and checking the ueberauth_example
I managed to solve this problem just by removing the plug Ueberauth in my router.ex file.
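
An added example, not code from Ueberauth or from anyone in this thread: a dependency-free Elixir model of the double-run explanation discussed above, showing how a second callback run on the same request leaves both ueberauth_auth and ueberauth_failure on the conn, and why a handler should match the failure clause first. It assumes the provider accepts an authorization code only once and that the plug is mounted in both the router pipeline and the controller; DoubleCallbackModel and its functions are hypothetical names.

```elixir
# Dependency-free model of this issue's symptom, not Ueberauth's code. Module
# and function names are hypothetical; the assign keys come from the thread.
defmodule DoubleCallbackModel do
  # Stand-in for the provider's token endpoint: a code is redeemable once.
  def start_provider(codes), do: Agent.start_link(fn -> MapSet.new(codes) end)

  defp redeem(provider, code) do
    Agent.get_and_update(provider, fn valid ->
      if MapSet.member?(valid, code),
        do: {{:ok, "token-for-" <> code}, MapSet.delete(valid, code)},
        else: {{:error, "bad_verification_code"}, valid}
    end)
  end

  # One run of the callback phase: adds an assign and never clears what an
  # earlier run left on the conn.
  def callback_phase(conn, provider) do
    case redeem(provider, conn.params["code"]) do
      {:ok, token} -> put_in(conn, [:assigns, :ueberauth_auth], %{token: token})
      {:error, key} -> put_in(conn, [:assigns, :ueberauth_failure], %{message_key: key})
    end
  end

  # Fail-closed handler: the failure clause is first, so a conn carrying both
  # assigns is never treated as a successful login.
  def handle(%{assigns: %{ueberauth_failure: f}}), do: {:error, f.message_key}
  def handle(%{assigns: %{ueberauth_auth: a}}), do: {:ok, a.token}
  def handle(_conn), do: {:error, "no_result"}
end

{:ok, provider} = DoubleCallbackModel.start_provider(["constructed-code-1", "constructed-code-2"])
new_conn = fn code -> %{params: %{"code" => code}, assigns: %{}} end

# Callback phase run once (plug mounted in one place): only ueberauth_auth is set.
once = DoubleCallbackModel.callback_phase(new_conn.("constructed-code-1"), provider)
IO.inspect(Map.keys(once.assigns), label: "run once")

# Run twice on the same request (plug mounted in router pipeline and
# controller): the second redemption of the code fails, leaving both assigns.
twice =
  new_conn.("constructed-code-2")
  |> DoubleCallbackModel.callback_phase(provider)
  |> DoubleCallbackModel.callback_phase(provider)

IO.inspect(Map.keys(twice.assigns), label: "run twice")
IO.inspect(DoubleCallbackModel.handle(twice), label: "handler decision")
```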

@doomspork
Member

@kuroski do you recall which blog post?

@kuroski

kuroski commented Apr 21, 2021

> @kuroski do you recall which blog post?

I'm really sorry, but I'm currently not finding that 😞 and I don't recall where I read it through.

@doomspork
Member

No worries. If you recall later just let us know. I'd like to follow-up and get it updated 😁

Hopefully I will get around to updating the Guardian / Ueberauth content on Elixir School this year after we roll out the new site 🤞

@hamza-debug

config :ueberauth, Ueberauth,
  providers: [
    github: {Ueberauth.Strategy.Github, [default_scope: "user,public_repo,notifications"]}
  ]

Add this in the config.ex file.
