getting OAuthSwiftError 11 with 400 and 401 status code with PKCE implementation #636
Wow, that's a lot to read through, but a fantastic amount of detail! Intermittent issues are such a pain. Let me see if I understand what's detailed above.
FIRST TRY
SECOND TRY
{
  "aud": "pw-passport-mobile-dev",
  "jti": "478602ce170cccb6f09b37a5e12a5ce217a72c71b35f8500b45ab7b8bef6b8f4601abba36aa1f804",
  "iat": 1606134314,
  "nbf": 1606134314,
  "exp": 1606145114,
  "sub": "128832165",
  "scopes": [
    "id",
    "email"
  ]
}

Does it always fail with a 400 on the first auth attempt after logout and cleaning Safari data? The error message lists a few things that could be causing the error.
If there was a problem with the authorization code, that would be an issue on the server that created it (unless there's some encoding error happening to the redirect URL). The refresh token isn't being passed in the token call so I'm not sure why it's mentioned. Your The last bit about something being issued to another client could be a clue that your IdP couldn't match up the Could you take a close look at the |
What product or IdP service are you using for your OAuth server? It looks a bit odd that several responses are setting the
This makes it look like OAuthSwift isn't returning cookies that are set by the server. If your server/service requires this cookie to be present on subsequent requests throughout the authorization code flow, then maybe this is why it isn't able to match up the |
Description:
OAuthSwiftError 11 with 400 and 401 status code in PKCE method
OAuth Provider? (custom server):
OAuth Version:
OS (Please fill the version) :
Installation method:
Library version:
Xcode version:
requestError :- Error Domain=OAuthSwiftError Code=401 "The refresh token is invalid." UserInfo={OAuthSwiftError.response.data={length = 41, bytes = 0x7b226572 726f7222 3a225468 65207265 ... 76616c69 642e227d }, NSLocalizedDescription=The refresh token is invalid., Response-Headers={
"Cache-Control" = "no-store, no-cache, must-revalidate";
Connection = close;
"Content-Type" = "application/json; charset=UTF-8";
Date = "Fri, 27 Nov 2020 11:17:15 GMT";
Expires = "Thu, 19 Nov 1981 08:52:00 GMT";
Pragma = "no-cache";
Server = nginx;
"Set-Cookie" = "PWRD=8f47b5160c4a380aabd4bd3f25ecc323; expires=Sat, 28-Nov-2020 12:17:15 GMT; Max-Age=90000; path=/; domain=.arcgames.com";
"X-Domain" = "oauth.arcgames.com";
"X-ServerID" = "scweb04.pwedc.local";
}, NSErrorFailingURLKey=https://oauth.arcgames.com/token, OAuthSwiftError.response=<NSHTTPURLResponse: 0x600001c8a6e0> { URL: https://oauth.arcgames.com/token } { Status Code: 401, Headers {
"Cache-Control" = (
"no-store, no-cache, must-revalidate"
);
Connection = (
close
);
"Content-Type" = (
"application/json; charset=UTF-8"
);
Date = (
"Fri, 27 Nov 2020 11:17:15 GMT"
);
Expires = (
"Thu, 19 Nov 1981 08:52:00 GMT"
);
Pragma = (
"no-cache"
);
Server = (
nginx
);
"Set-Cookie" = (
"PWRD=8f47b5160c4a380aabd4bd3f25ecc323; expires=Sat, 28-Nov-2020 12:17:15 GMT; Max-Age=90000; path=/; domain=.arcgames.com"
);
"X-Domain" = (
"oauth.arcgames.com"
);
"X-ServerID" = (
"scweb04.pwedc.local"
);
} }, Response-Body={"error":"The refresh token is invalid."}} https://oauth.arcgames.com/token
load url https://oauth.arcgames.com/authorize?client_id=***********&redirect_uri=pwe://oauth2redirect&response_type=code&scope=id%20email&state=721&code_challenge=7SpRIIXzmVQtQ5t0xBFHIs-lduzRy4d9A5nbKxd7CKU&code_challenge_method=S256&Device-Id=997A05E0-1C16-4B83-99B0-BBEC3925CED9&theme=passportmobile
844.0 390.0
url.scheme Optional("https")
url Optional(https://oauth.arcgames.com/authorize?client_id=********&redirect_uri=pwe://oauth2redirect&response_type=code&scope=id%20email&state=721&code_challenge=7SpRIIXzmVQtQ5t0xBFHIs-lduzRy4d9A5nbKxd7CKU&code_challenge_method=S256&Device-Id=997A05E0-1C16-4B83-99B0-BBEC3925CED9&theme=passportmobile)
url.scheme Optional("https")
url Optional(https://oauth.arcgames.com/authorize?client_id=*********&redirect_uri=pwe://oauth2redirect&response_type=code&scope=id%20email&state=721&code_challenge=7SpRIIXzmVQtQ5t0xBFHIs-lduzRy4d9A5nbKxd7CKU&code_challenge_method=S256&Device-Id=997A05E0-1C16-4B83-99B0-BBEC3925CED9&theme=passportmobile)
url Optional(pwe://oauth2redirect?code=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&state=721)
requestError :- Error Domain=OAuthSwiftError Code=400 "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client." UserInfo={OAuthSwiftError.response=<NSHTTPURLResponse: 0x600001c246e0> { URL: https://oauth.arcgames.com/token } { Status Code: 400, Headers {
"Cache-Control" = (
"no-store, no-cache, must-revalidate"
);
Connection = (
close
);
"Content-Type" = (
"application/json; charset=UTF-8"
);
Date = (
"Fri, 27 Nov 2020 11:17:38 GMT"
);
Expires = (
"Thu, 19 Nov 1981 08:52:00 GMT"
);
Pragma = (
"no-cache"
);
Server = (
nginx
);
"Set-Cookie" = (
"PWRD=6180f4f0a86770cf25c2c4e0db0ca263; expires=Sat, 28-Nov-2020 12:17:37 GMT; Max-Age=90000; path=/; domain=.arcgames.com"
);
"X-Domain" = (
"oauth.arcgames.com"
);
"X-ServerID" = (
"scweb16v.pwedc.local"
);
} }, NSErrorFailingURLKey=https://oauth.arcgames.com/token, OAuthSwiftError.response.data={length = 249, bytes = 0x7b226572 726f7222 3a225468 65207072 ... 6c69656e 742e227d }, Response-Body={"error":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}, NSLocalizedDescription=The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client., Response-Headers={
"Cache-Control" = "no-store, no-cache, must-revalidate";
Connection = close;
"Content-Type" = "application/json; charset=UTF-8";
Date = "Fri, 27 Nov 2020 11:17:38 GMT";
Expires = "Thu, 19 Nov 1981 08:52:00 GMT";
Pragma = "no-cache";
Server = nginx;
"Set-Cookie" = "PWRD=6180f4f0a86770cf25c2c4e0db0ca263; expires=Sat, 28-Nov-2020 12:17:37 GMT; Max-Age=90000; path=/; domain=.arcgames.com";
"X-Domain" = "oauth.arcgames.com";
"X-ServerID" = "scweb16v.pwedc.local";
}} https://oauth.arcgames.com/token
Sometimes getting response code 400.
When I log out from the app and clean the browser data, then try to log in again, I am getting the error below, so maybe it is related to PKCE. When I try again with the same email and password it works, so I am a little bit confused here, because sometimes it is working and sometimes it is not. Below are the details for the first try (failed) and the second try (success) response. Kindly review below and let us know if anything is wrong with the request.
FIRST TRY >>>
Auth request >>
https://oauth.arcgames.com/authorize?client_id=*********&redirect_uri=pwe://oauth2redirect&response_type=code&scope=id%20email&state=47&code_challenge_method=S256&code_challenge=Ey1y4uauuED6fc-kvTo8dtG9uHth6rq7sWebMOinyHw&theme=passportmobile&Device-Id=997A05E0-1C16-4B83-99B0-BBEC3925CED9
Authorization code >>
pwe://oauth2redirect?code=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&state=47
Error >>
Error Domain=OAuthSwiftError Code=400 "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client." UserInfo={Response-Headers={
"Cache-Control" = "no-store, no-cache, must-revalidate";
Connection = close;
"Content-Type" = "application/json; charset=UTF-8";
Date = "Mon, 23 Nov 2020 12:24:44 GMT";
Expires = "Thu, 19 Nov 1981 08:52:00 GMT";
Pragma = "no-cache";
Server = nginx;
"Set-Cookie" = "PWRD=d992e1b19a11c2e637d22b724e01c4ed; expires=Tue, 24-Nov-2020 13:24:43 GMT; Max-Age=90000; path=/; domain=.arcgames.com";
"X-Domain" = "oauth.arcgames.com";
"X-ServerID" = "scweb03.pwedc.local";
}, OAuthSwiftError.response=<NSHTTPURLResponse: 0x600000eec800> { URL: https://oauth.arcgames.com/token } { Status Code: 400, Headers {
"Cache-Control" = (
"no-store, no-cache, must-revalidate"
);
Connection = (
close
);
"Content-Type" = (
"application/json; charset=UTF-8"
);
Date = (
"Mon, 23 Nov 2020 12:24:44 GMT"
);
Expires = (
"Thu, 19 Nov 1981 08:52:00 GMT"
);
Pragma = (
"no-cache"
);
Server = (
nginx
);
"Set-Cookie" = (
"PWRD=d992e1b19a11c2e637d22b724e01c4ed; expires=Tue, 24-Nov-2020 13:24:43 GMT; Max-Age=90000; path=/; domain=.arcgames.com"
);
"X-Domain" = (
"oauth.arcgames.com"
);
"X-ServerID" = (
"scweb03.pwedc.local"
);
} }, OAuthSwiftError.response.data={length = 249, bytes = 0x7b226572 726f7222 3a225468 65207072 ... 6c69656e 742e227d }, NSLocalizedDescription=The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client., Response-Body={"error":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}, NSErrorFailingURLKey=https://oauth.arcgames.com/token} https://oauth.arcgames.com/token
The operation couldn’t be completed. (OAuthSwiftError error -11.)
SECOND TRY >>>>
Auth request >>
https://oauth.arcgames.com/authorize?client_id=*********&redirect_uri=pwe://oauth2redirect&response_type=code&scope=id%20email&state=735&code_challenge=maXTf5gPffSMMRdXPk-43DwQL1ptJRNDouIAjLkGbHY&Device-Id=997A05E0-1C16-4B83-99B0-BBEC3925CED9&code_challenge_method=S256&theme=passportmobile
Authorization code >>
pwe://oauth2redirect?code=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&state=735
Success Response
parameters:- [“refresh_token”: 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, “token_type”: Bearer, “expires_in”: 10800, “access_token”: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJwdy1wYXNzcG9ydC1tb2JpbGUtZGV2IiwianRpIjoiNDc4NjAyY2UxNzBjY2NiNmYwOWIzN2E1ZTEyYTVjZTIxN2E3MmM3MWIzNWY4NTAwYjQ1YWI3YjhiZWY2YjhmNDYwMWFiYmEzNmFhMWY4MDQiLCJpYXQiOjE2MDYxMzQzMTQsIm5iZiI6MTYwNjEzNDMxNCwiZXhwIjoxNjA2MTQ1MTE0LCJzdWIiOiIxMjg4MzIxNjUiLCJzY29wZXMiOlsiaWQiLCJlbWFpbCJdfQ.R6YQjYxv4xcStUU2WZ09VSVWb2OX_h-oJ9isdpBhVHz8RWcRCcxgMbYNh1I3Vjb2eQAccaWuIVUv3B6qoH0_sYQmh43RUjge2HkZJfRJVPvhKbV__3iA__EKiA8ypm_iY5v6VkKoVJ-s75AsaZOxXtAYKOLYxKbu9u0S7d3Z3RLdDA_J9bVS8rCXH4uvNGDZkCuiZr9M7mCVZSVSTbcJ4ns2CxG_uwnn9ERRwVCr_HweH-PQVJTCMFxmPPh1cCqCJwwHSHvv0PhCZDyG09DJq17w4_lOnqeT-R6jxnGsqEcbO49Q7q4ou9vEu0YPC4Q-kpuAkPOErTNNNPzAFNX8rA]
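A protocol-level illustration of the two points raised in this thread: the S256 check an authorization server runs on the `/token` call (which is where the "invalid, expired, revoked, does not match the redirection URI ... or was issued to another client" 400 above comes from) and whether the `PWRD` session cookie is being returned between requests. This is an added Python example, not OAuthSwift's code or the arcgames server's; the authorize URL and Set-Cookie values are copied from the logs above with the client_id masked as on the page, the function names are made up for the example, and the redirect_uri comparison is the standard RFC 6749 rule, not something observed on the server.

```python
import base64, hashlib, hmac, re, secrets
from urllib.parse import parse_qs, urlsplit

# Authorize URL from the issue's first (failing) try; the client_id is masked there too.
AUTHORIZE_URL = ("https://oauth.arcgames.com/authorize?client_id=MASKED&redirect_uri=pwe://oauth2redirect"
                 "&response_type=code&scope=id%20email&state=47&code_challenge_method=S256"
                 "&code_challenge=Ey1y4uauuED6fc-kvTo8dtG9uHth6rq7sWebMOinyHw")
# Set-Cookie values from the two failing /token responses in the issue (constructed list).
SET_COOKIES = [
    "PWRD=8f47b5160c4a380aabd4bd3f25ecc323; expires=Sat, 28-Nov-2020 12:17:15 GMT; Max-Age=90000; path=/; domain=.arcgames.com",
    "PWRD=6180f4f0a86770cf25c2c4e0db0ca263; expires=Sat, 28-Nov-2020 12:17:37 GMT; Max-Age=90000; path=/; domain=.arcgames.com",
]
VERIFIER_RE = re.compile(r"^[A-Za-z0-9._~-]{43,128}$")  # RFC 7636 section 4.1 alphabet and length

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    return b64url(secrets.token_bytes(32))  # 32 random bytes encode to 43 characters

def s256_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def parse_authorize_request(url: str) -> dict:  # what the AS stores next to the code it issues
    q = parse_qs(urlsplit(url).query)
    return {k: q[k][0] for k in ("code_challenge", "code_challenge_method", "redirect_uri")}

def token_request_check(stored: dict, code_verifier: str, redirect_uri: str) -> tuple:
    # AS-side check on the /token call. Every failing branch yields the same "invalid_grant" 400
    # quoted in the issue, so that text alone cannot tell a bad verifier from a redirect mismatch.
    if redirect_uri != stored["redirect_uri"]:
        return 400, "invalid_grant"
    if stored["code_challenge_method"] != "S256" or not VERIFIER_RE.match(code_verifier):
        return 400, "invalid_grant"
    if not hmac.compare_digest(s256_challenge(code_verifier), stored["code_challenge"]):
        return 400, "invalid_grant"
    return 200, "ok"

def session_cookie_values(set_cookie_headers, name="PWRD") -> list:
    vals = []  # value of the named cookie per Set-Cookie header, None if it sets another name
    for header in set_cookie_headers:
        key, _, value = header.split(";", 1)[0].strip().partition("=")
        vals.append(value if key == name else None)
    return vals

def fresh_session_each_time(set_cookie_headers, name="PWRD") -> bool:
    vals = session_cookie_values(set_cookie_headers, name)  # all distinct: cookie never sent back
    return None not in vals and len(set(vals)) == len(vals)
```

On the logged data `fresh_session_each_time(SET_COOKIES)` is true, which is consistent with the cookie-not-returned hypothesis but does not prove it, since the two responses came from different back-end servers 23 seconds apart.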