Hello All,
It appears as though the OAuth2 accessCode flow client implementation for PowerApps is not to spec.
It appears as though in the request to the token endpoint to exchange a code for a token, the client is not authenticating itself.
The spec states that the client should use Basic HTTP auth ("Authorization: basic ===") using the clientID and client secret for the username and password. This is not happening, and as a result the code/token exchange doesn't work, with the error:
Failed to save claims: Failed to exchange code for token. Response code=BadRequest, Details: {"message":"{ \"error\": \"invalid_client\" }"}.
Is there a configuration option I can specify to change this behaviour?
Kind Regards,
Matt Dendle
Hi Matt, I work on the authentication backend for PowerApps. Can you clarify what exactly you are doing? If this is a custom API, with which service are you seeing this issue?
Thanks,
Dan
Hi Dan!
Thanks for your speedy reply.
I am attempting to create a PowerApps connection to my API. (using the UI at https://web.powerapps.com/connections)
Here is the swagger for the securityDefinitions:
"securityDefinitions": {
    "oauth2": {
        "type": "oauth2",
        "description": "OAuth2 Implicit Flow",
        "flow": "accessCode",
        "authorizationUrl": "https://dezrez-core-auth-dev.dezrez.com/Dezrez.Core.Api/oauth/authorize",
        "tokenUrl": "https://dezrez-core-auth-dev.dezrez.com/Dezrez.Core.Api/oauth/token",
        "scopes": {
            "impersonate_user": "Fully impersonate you"
        }
    }
}
I also type in the ClientID, ClientSecret, AuthorizeUrl, TokenURL and RefreshURL in the last step.
The connection gets created successfully.
I then attempt to use the connection by logging in.
The flow works great - I log in, I get the authorize screen, and from the logs I see that a code was issued - then PowerApps attempts to exchange this code for a token at the token endpoint.
At this stage, the client (i.e. PowerApps infrastructure) should use HTTP Basic Auth to identify itself to the Token endpoint (according to the spec), using the ClientId and ClientSecret as the username and password. As there are no credentials, the request to the token endpoint is refused, and the above error results.
Does this make sense?
Cheers,
Matt
FYI, this is the part of the spec I am alluding to in my post above:
https://tools.ietf.org/html/rfc6749#section-3.2.1
Cheers,
Matt
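A constructed illustration of the exchange Matt describes, added here and not code from the thread or from PowerApps: the client side builds the Basic credential the way RFC 6749 section 2.3.1 specifies, and a minimal token endpoint refuses the code-for-token exchange with invalid_client when that header is missing, which is the error quoted above. The client ids, secrets and authorization codes are placeholders.

```python
import base64
import hmac
import secrets
from urllib.parse import quote, unquote

# Constructed sample data (placeholders, not values from the thread): registered
# confidential clients, and issued authorization codes bound to their client_id.
CLIENTS = {"my-client-id": "my-client-secret"}
ISSUED_CODES = {"code-abc123": "my-client-id", "code-def456": "other-client"}

def build_basic_auth_header(client_id, client_secret):
    """Client side: the header RFC 6749 section 2.3.1 expects on the token
    request. Both values are form-urlencoded before being joined with ':'."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")

def authenticate_client(headers):
    """Server side: return the authenticated client_id, or None when the
    Authorization header is absent, malformed or carries bad credentials."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    raw_id, sep, raw_secret = decoded.partition(":")
    if not sep:
        return None
    client_id, secret = unquote(raw_id), unquote(raw_secret)
    expected = CLIENTS.get(client_id)
    # Constant-time compare so response timing does not leak partial matches.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return client_id

def token_endpoint(headers, form):
    """Code-for-token exchange. Client authentication runs before the code is
    examined, so an unauthenticated request fails with invalid_client (the
    error quoted in the thread) rather than invalid_grant."""
    client_id = authenticate_client(headers)
    if client_id is None:
        return 400, {"error": "invalid_client"}  # RFC 6749 section 5.2 also allows 401
    if form.get("grant_type") != "authorization_code" or "code" not in form:
        return 400, {"error": "invalid_request"}
    # The code must have been issued to this client; pop() makes it single-use.
    if ISSUED_CODES.pop(form["code"], None) != client_id:
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

Sending the exchange without the Authorization header reproduces the thread's failure; the same request with the header succeeds once, and a replay of the consumed code is refused with invalid_grant.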
You're right, we aren't adding the authorization header for the new "Oauth 2" provider when calling the token end point.
I'll fix this in our backend but it will unfortunately take a few weeks to reach production and there isn't a way for you to override this behavior.
Thanks for bringing this up and I apologize for the inconvenience.
Dan
Hi Dan,
Thank you for looking into this!
Is there any way to be notified of new builds? Just so that I can find the fix and know when it's out?
Cheers,
Matt
This is also a problem for me @danchart - should this be a problem or is there a way of achieving this?
Cheers,
Tom
Problem still exists with several connections including Basecamp. Any guides to help us troubleshoot this occurrence?