MattDendle
Advocate I

OAuth2 Token exchange - Client not authenticating itself to token endpoint.

Hello All,

 

It appears as though the OAuth2 accessCode flow client implementation for PowerApps is not to spec.

 

It appears as though in the request to the token endpoint to exchange a code for a token, the client is not authenticating itself.

The spec states that the client should use Basic HTTP auth ("Authorization: basic ===") using the clientID and client secret for the username and password.  This is not happening, and as a result the code/token exchange doesn't work with the error:

 

Failed to save claims: Failed to exchange code for token. Response code=BadRequest, Details: {"message":"{ \"error\": \"invalid_client\" }"}.

 

Is there a configuration option I can specify to change this behaviour?

 

Kind Regards,

Matt Dendle

 

1 ACCEPTED SOLUTION

You're right, we aren't adding the authorization header for the new "Oauth 2" provider when calling the token end point.

 

I'll fix this in our backend but it will unfortunately take a few weeks to reach production and there isn't a way for you to override this behavior.

 

Thanks for bringing this up and I apologize for the inconvenience.

 

Dan


8 REPLIES
danchart
Power Apps

Hi Matt, I work on the authentication backend for PowerApps. Can you clarify what exactly you are doing? If this is a custom API, with which service are you seeing this issue? 

 

Thanks,

 

Dan

Hi Dan!

 

Thanks for your speedy reply.

 

I am attempting to create a PowerApps connection to my API. (using the UI at https://web.powerapps.com/connections)

 

Here is the swagger for the securityDefinitions:

"securityDefinitions": {
  "oauth2": {
    "type": "oauth2",
    "description": "OAuth2 Implicit Flow",
    "flow": "accessCode",
    "authorizationUrl": "https://dezrez-core-auth-dev.dezrez.com/Dezrez.Core.Api/oauth/authorize",
    "tokenUrl": "https://dezrez-core-auth-dev.dezrez.com/Dezrez.Core.Api/oauth/token",
    "scopes": {
      "impersonate_user": "Fully impersonate you"
    }
  }
}

 

I also type in the ClientID, ClientSecret, AuthorizeUrl, TokenURL and RefreshURL in the last step.

 

The connection gets created successfully.

 

I then attempt to use the connection by logging in.

 

The flow works great - I log in, I get the authorize screen, and from the logs I see that a code was issued - then PowerApps attempts to exchange this code for a token at the token endpoint.

 

At this stage, the client (i.e. PowerApps infrastructure) should use HTTP Basic Auth to identify itself to the Token endpoint (according to the spec), using the ClientId and ClientSecret as the username and password.  As there are no credentials, the request to the token endpoint is refused, and the above error results.

 

Does this make sense?

 

Cheers,

Matt

FYI, this is the part of the spec I am alluding to in my post above:

 

https://tools.ietf.org/html/rfc6749#section-3.2.1

 

Cheers,

Matt
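
The client authentication step discussed in this thread (RFC 6749 section 2.3.1, applied to the token request of section 3.2.1), as an added example that is not part of the original posts and is not PowerApps or Dezrez code. The function names and the sample client registration are constructed, and the token endpoint is assumed to accept HTTP Basic only.

```python
import base64
import hmac
from urllib.parse import quote_plus, unquote_plus, urlencode

# Constructed sample registration; not values from the thread.
REGISTERED = {"sample-client": "s3cr3t:with/odd chars"}

def basic_client_auth(client_id, client_secret):
    """RFC 6749 2.3.1: form-encode each part, join with ':', base64 the pair."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

def build_token_request(code, redirect_uri, client_id, client_secret=None):
    """Code-for-token exchange; omitting client_secret reproduces the reported bug."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        headers["Authorization"] = basic_client_auth(client_id, client_secret)
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return headers, body

def authenticate_client(headers, registered=REGISTERED):
    """Token-endpoint side: return (http_status, error_or_None, client_id_or_None)."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        # No Basic credentials at all: RFC 6749 5.2 allows a plain 400.
        return 400, "invalid_client", None
    try:
        user, sep, pw = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:
        return 401, "invalid_client", None
    client_id, secret = unquote_plus(user), unquote_plus(pw)
    expected = registered.get(client_id)
    # Constant-time comparison; unknown clients get the same answer as bad secrets.
    ok = expected is not None and hmac.compare_digest(secret.encode(), expected.encode())
    if not (sep and ok):
        # Credentials were attempted: 5.2 requires 401 plus WWW-Authenticate: Basic.
        return 401, "invalid_client", None
    return 200, None, client_id
```

Calling `build_token_request` without a secret yields a request with no `Authorization` header, which `authenticate_client` answers with 400 and `invalid_client`, the same pairing as the error quoted in the first post.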

 


Hi Dan,

 

Thank you for looking into this!

 

Is there any way to be notified of new builds? Just so that I can find the fix and know when it's out?

 

Cheers,

Matt

Marun
New Member

Hello, I seem to be having a similar problem. I need to use the Client_Credentials for Grant_Type but have no way to do so. I tried via Postman V1 collections and via a Swagger JSON definition but both return an error. Thanks
Anonymous
Not applicable

This is also a problem for me @danchart - should this be a problem or is there a way of achieving this?

 

Cheers,

Tom

LenobleLumber
Regular Visitor

Problem still exists with several connections including Basecamp. Any guides to help us troubleshoot this occurrence?
