Re: What values are you sending to OAuth servers

spruce-bruce · ‎12-25-2018

I'm using the simulator to set up an OAuth flow, and when the app redirects off to the auth service I'm getting this error `An internal server error occurred, could not process the request`

I'm assuming this is coming from the auth server and not from the app. I can authenticate with that server outside of the app using the same values that I'm using in my `OAuth` settings component. So my question is when I do this:

```

        <Oauth
          settingsKey="myOauth"
          title="My OAuth"
          label="MINE"
          status="Login"
          authorizeUrl="https://url.com/login"
          requestTokenUrl="https://url.com/token"
          clientId="SOMETOKEN"
          clientSecret="SOMESECRET"
          scope="some_scope"
          onAccessToken={async (data) => {
            console.log(data);
          }}
        />

```

What data does the authorization code url look like? What is the value of `response_type`? Are there any other values sent besides response_type, scope, return_uri, client_id and client_secret?

My current guess is some value is not supported or is incorrectly supported by the auth server that I'm using and I'm trying to find out what it is. I've seen in other threads that there is an undocumented `oAuthParams` prop, can I expect to override values using that prop? If I do

```

<OAuth

...

oAuthParams={{response_type="gobbledegook"}}

...

/>

```

Will that replace your `response_type`?

I've seen in another thread that there is an undocumented `onReturn` prop as well that can be used to hijack the process and handle the token exchange. Do you guys have some kind of pre-auth hook that will let me inspect/alter the auth url?

spruce-bruce · ‎12-25-2018

Fitbit adds a state param that's sort of unusual - It's a json string. I think state is documented to be a string, so I don't think a JSON string is technically incorrect, but my id provider fails to handle a string with braces and brackets and quotes and stuff.

If i use oAuthParams to overwrite state to be my own custom value it redirects me just fine, but on the way back I run into a new error: "Settings: Uncaught TypeError: Failed to construct 'URL': Invalid URL". I'm worried that this is a result of overwriting state, but I haven't ruled out other things yet.

spruce-bruce · ‎12-26-2018

I believe that the error I'm receiving (Uncaught TypeError: Failed to construct 'URL': Invalid URL) must be because I overwrote the state value in the auth url. I've filed a ticket with my ID provider so hopefully they'll fix it so they don't fail to handle the JSON string in state.

Meanwhile, unless somebody tells me I'm wrong about the url error, I think my only option is to make a middle man auth service. I'm going to set up a node server that takes login requests from fitbit and strips the state value off before sending it to my id provider. Once the user has authenticated I'll have them redirected back to my service where I will put the fitbit state value back onto the redirect_uri and then redirect back to fitbit.

ahunter8850 · ‎12-28-2018

I am getting the exact same error of: 'An internal server error occurred, could not process the request'.

Did you figure it out?

Here is my post

spruce-bruce · ‎01-07-2019

I don't have it working yet, but yeah I know how to deal with it. It's 100% dexcomm's fault. I mean it would be ideal if fitbit wasn't using a json string in their state value, but strictly speaking a json string is a string and therefore meets the rules spelled out in the OAuth spec.

I have an open ticket with dexcom which is moving slowly. I sent them what's going on and they responded in a way that is annoying so i've been procrastinating getting back to them.

The only way to get it to work as it is now will be what I posted above.

You have to set up a proxy service somewhere and do you auth requests through that. That service must strip the state value off the auth request and store it (you'll need to generate an id and send that on in the state). You'll then need to use your service as the redirect_uri as well and when the redirect comes back you'll want to take the new state value, look up the fitbit json from your store (database? file? redis? whatever) and tack it back onto the request and send it back.

State is supposed to be the same value coming back as you send, but that assumes dexcom is treating state correctly. If they aren't then we'd have to get more creative to make it work.

The REAL solution is that dexcom just implements OAuth correctly

ahunter8850 · ‎01-07-2019

Dexcom is useless when it comes to their API. I spoke to some other developers and I got it to work.

Here is how I do it within the Settings Page:

<Webconfig
          label="Dexcom Login"
          status={(props.settingsStorage.getItem("logged_in") === 'true' ? "Logged In" : "Login")}
          constructUrl={(returnUrl, callbackUrl) => {
            props.settingsStorage.setItem("callback", callbackUrl);
            let url = `https://api.dexcom.com/v2/oauth2/login?client_id=tV2Qrqtj2Ph...qjDZk9eReLbc8&redirect_uri=${callbackUrl}&response_type=code&scope=offline_access`;

            return url;
          }}
          onReturn={(query) => {
            let code = query.split('=');
            if (code[1] !== "access_denied") {
              props.settingsStorage.setItem("access_code", code[1]);
            } else {
              props.settingsStorage.setItem("logged_in", 'false');
            }
          }}
        />

spruce-bruce · ‎01-07-2019

Cool.

Fitbit's undocumented features are also a huge headache. If I knew about the constructUrl prop then I could have gotten past this.

Am i missing something here? I don't see onReturn or constructUrl in the reference for the OAuth component.

ahunter8850 · ‎01-07-2019

There is zero reference. I The OAuth component is built upon this.

spruce-bruce · ‎02-03-2019

Did you get around the cors stuff?
Looks like the dexcom api doesn't have cors headers enabled.

ahunter8850 · ‎02-03-2019

Are you working on dexcom? If so I can help you out.

wpk235 · ‎04-04-2019

Did anyone figure out the problem with the CORS headers and dexcom? I'm stuck with this error:

"Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."

I'd love to hear any solutions! Thanks.

qichuan · ‎04-22-2019

The Webconfig component works perfectly in Android, but no much luck with iOS. I am getting error

in the onReturn callback, can anyone help?

TypeError: r.props.onReturn is not a function. (In 'r.props.onReturn(a.search&&a.search.replace("?",""))', 'r.props.onReturn' is undefined)

handleLoadReason at https:/app-settings.fitbitdevelopercontent.com/static/js/companion-settings.207d3f65e7eb72a7e0f3ca9f35de7935.js:3,29452

o at https:/app-settings.fitbitdevelopercontent.com/static/js/companion-settings.207d3f65e7eb72a7e0f3ca9f35de7935.js:3,30994

setLoadReason at https:/app-settings.fitbitdevelopercontent.com/static/js/companion-settings.207d3f65e7eb72a7e0f3ca9f35de7935.js:3,31243

? at https:/app-settings.fitbitdevelopercontent.com/static/js/companion-settings.207d3f65e7eb72a7e0f3ca9f35de7935.js:6,11629

Join us on the Community Forums!

Community Guidelines

Learn the Basics

Join the Community!

Not finding your answer on the Community Forums?

Go to the Help Site

Contact Support

What values are you sending to OAuth servers

spruce-bruce

spruce-bruce

spruce-bruce

ahunter8850

spruce-bruce

ahunter8850

spruce-bruce

ahunter8850

spruce-bruce

ahunter8850

wpk235

qichuan