OAuth2::Error HTTP Basic: Access denied

Hi,

I am having issues authenticating my app using OAuth2. I am able to login to the sandbox and authorise the app but then I get the error below.

Gemfile

gem "omniauth-oauth2", "~> 1.8"
gem "omniauth-rails_csrf_protection", "~> 1.0"

I can share more details about the strategies I created if required.
Thanks,
Neil

Looks related - Temporary 403 responses despite required permissions

POST https://api.freeagent.com/v2/token_endpoint and also POST FreeAgent : Login are both returning awsalb-generated 403 forbidden responses. No further info is returned to debug the reason for the error, so I suspect FreeAgent's AWS WAF is being a bit overzealous here blocking traffic.

Hello Neil,

Thank you for reaching out with your query and also thank you to Mark for your response.

After speaking to our security team they have confirmed that our web application firewall was identifying these requests as malicious and blocking them. They have since confirmed that they have run a fix for this that should resolve your issues.

Would you be able to try authenticating your app again and let me know if this is working again for you?

Many thanks,
James

Thanks to both Mark and James for the responses. I spent a few more hours digging into this and discovered it was actually an error in the response processing of my app.

It appears that the omniauth-freeagent-oauth2 gem (omniauth-freeagent-oauth2 on RubyGems.org) has been removed from GitHub but I was able to download it and inspect it locally. I used this as a basis for updating my own strategy.

Here it is in case anyone else needs it.

# initializers/oauth2/freeagent.rb
# frozen_string_literal: true

require 'omniauth-oauth2'

module OmniAuth
  module Strategies
    class FreeAgent < OmniAuth::Strategies::OAuth2
      # Give your strategy a name.
      option :name, "freeagent"

      # This is where you pass the options you would pass when
      # initializing your consumer from the OAuth gem.
      option :client_options, {
        site: ENV['RAILS_ENV'] == 'production' ? "https://api.freeagent.com" : "https://api.sandbox.freeagent.com",
        authorize_url: "/v2/approve_app",
        token_url: "/v2/token_endpoint"
      }

      # You may specify that your strategy should use PKCE by setting
      # the pkce option to true: https://tools.ietf.org/html/rfc7636
      # option :pkce, true

      # These are called after authentication has succeeded. If
      # possible, you should try to set the UID without making
      # additional calls (if the user id is returned with the token
      # or as a URI parameter). This may not be possible with all
      # providers.
      uid do
        raw_info["user"]["url"]
      end

      info do
        {
          name: raw_info["user"]["name"] || "#{raw_info['user']['first_name']} #{raw_info['user']['last_name']}",
          email: raw_info["user"]["email"],
          first_name: raw_info["user"]["first_name"],
          last_name: raw_info["user"]["last_name"],
        }
      end

      extra do
        {
          raw_info: raw_info,
        }
      end

      def raw_info
        @raw_info ||= access_token.get("/v2/users/me").parsed
      end

      def callback_url
        options[:redirect_uri] || full_host + script_name + callback_path
      end
    end
  end
end

OmniAuth.config.add_camelization "freeagent", "FreeAgent"

and the omniauth initializer

# initializers/omniauth.rb
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :freeagent,
           Rails.application.credentials.dig(:freeagent, :api_key),
           Rails.application.credentials.dig(:freeagent, :api_secret)
end

OmniAuth.config.logger = Rails.logger if Rails.env.development?
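A small triage helper, added here and not part of any post in this thread or of the FreeAgent gem: it classifies a token-endpoint response the way the OAuth2 gem's client sees it, separating the bare 403 Mark describes (no OAuth2 payload to debug) from the "HTTP Basic: Access denied" rejection in the thread title and from a normal RFC 6749 error payload. The sample responses are constructed, and only the Ruby standard library is used.

```ruby
require 'json'

# A token-endpoint response as the OAuth2 gem would receive it:
# an HTTP status and the raw body.  Returns { kind:, detail: }.
def classify_token_response(status:, body:)
  body = body.to_s
  payload = begin
    JSON.parse(body)
  rescue JSON::ParserError
    nil
  end

  if status == 200 && payload.is_a?(Hash) && payload.key?('access_token')
    { kind: :success, detail: "token_type=#{payload['token_type']}" }
  elsif payload.is_a?(Hash) && payload.key?('error')
    # RFC 6749 section 5.2 error payload: the endpoint processed the request
    # and told us why it failed, so the fix is in the request parameters.
    { kind: :oauth_error, detail: "#{payload['error']}: #{payload['error_description']}" }
  elsif status == 401 && body =~ /HTTP Basic: Access denied/i
    # The endpoint rejected the client's HTTP Basic credentials; this is the
    # text the thread's OAuth2::Error carried.  Check client id/secret and
    # how the gem sends them before suspecting the network path.
    { kind: :client_auth_rejected, detail: body.strip }
  elsif status == 403 && payload.nil?
    # A 403 with no OAuth2 JSON payload is what an edge/WAF block looks like
    # from the client: nothing in the body to debug, as Mark noted.
    { kind: :edge_block, detail: "non-JSON 403 (#{body.bytesize} bytes)" }
  else
    { kind: :unknown, detail: "status=#{status}" }
  end
end

# Constructed sample responses (not captured from FreeAgent).
SAMPLES = {
  waf:   { status: 403, body: '<html><head><title>403 Forbidden</title></head></html>' },
  basic: { status: 401, body: "HTTP Basic: Access denied.\n" },
  oauth: { status: 400, body: '{"error":"invalid_grant","error_description":"code expired"}' },
  ok:    { status: 200, body: '{"access_token":"constructed","token_type":"bearer","expires_in":604800}' }
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each { |name, r| puts "#{name}: #{classify_token_response(**r)}" }
end
```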