OAuth2::Error HTTP Basic: Access denied


I am having issues authenticating my app using OAuth2. I am able to log in to the sandbox and authorise the app but then I get the error below.


gem "omniauth-oauth2", "~> 1.8"
gem "omniauth-rails_csrf_protection", "~> 1.0"

I can share more details about the strategies I created if required.

Looks related - Temporary 403 responses despite required permissions

POST https://api.freeagent.com/v2/token_endpoint and also POST FreeAgent : Login are both returning awsalb-generated 403 Forbidden responses. No further info is returned to debug the reason for the error, so I suspect FreeAgent’s AWS WAF is being a bit overzealous here blocking traffic.

Hello Neil,

Thank you for reaching out with your query and also thank you to Mark for your response.

After speaking to our security team they have confirmed that our web application firewall was identifying these requests as malicious and blocking them. They have since confirmed that they have run a fix for this that should resolve your issues.

Would you be able to try authenticating your app again and let me know if this is working again for you?

Many thanks,

Thanks to both Mark and James for the responses. I spent a few more hours digging into this and discovered it was actually an error in the response processing of my app.

It appears that the omniauth-freeagent-oauth2 gem (omniauth-freeagent-oauth2 on RubyGems.org) has been removed from GitHub but I was able to download it and inspect it locally. I used this as a basis for updating my own strategy.

Here it is in case anyone else needs it.

# initializers/oauth2/freeagent.rb
# frozen_string_literal: true

require 'omniauth-oauth2'

module OmniAuth
  module Strategies
    class FreeAgent < OmniAuth::Strategies::OAuth2
      # Give your strategy a name.
      option :name, "freeagent"

      # This is where you pass the options you would pass when
      # initializing your consumer from the OAuth gem.
      option :client_options, {
        site: ENV['RAILS_ENV'] == 'production' ? "https://api.freeagent.com" : "https://api.sandbox.freeagent.com",
        authorize_url: "/v2/approve_app",
        token_url: "/v2/token_endpoint"
      }

      # You may specify that your strategy should use PKCE by setting
      # the pkce option to true: https://tools.ietf.org/html/rfc7636
      # option :pkce, true

      # These are called after authentication has succeeded. If
      # possible, you should try to set the UID without making
      # additional calls (if the user id is returned with the token
      # or as a URI parameter). This may not be possible with all
      # providers.
      uid do
        # The body of this block is missing from the post. Return a
        # stable per-user identifier taken from raw_info here.
      end

      # Profile fields exposed to the app as auth.info.
      info do
        {
          name: raw_info["user"]["name"] || "#{raw_info['user']['first_name']} #{raw_info['user']['last_name']}",
          email: raw_info["user"]["email"],
          first_name: raw_info["user"]["first_name"],
          last_name: raw_info["user"]["last_name"]
        }
      end

      # The full provider response, exposed as auth.extra.
      extra do
        {
          raw_info: raw_info
        }
      end

      # Fetch the current user once with the access token and memoize it.
      def raw_info
        @raw_info ||= access_token.get("/v2/users/me").parsed
      end

      # Use an explicit redirect_uri option if one is set; otherwise build
      # host + script name + callback path, with no query string appended.
      def callback_url
        options[:redirect_uri] || full_host + script_name + callback_path
      end
    end
  end
end

OmniAuth.config.add_camelization "freeagent", "FreeAgent"

and the omniauth initializer

# initializers/omniauth.rb
Rails.application.config.middleware.use OmniAuth::Builder do
  # Client id and secret are read from Rails encrypted credentials.
  provider :freeagent,
           Rails.application.credentials.dig(:freeagent, :api_key),
           Rails.application.credentials.dig(:freeagent, :api_secret)
end

OmniAuth.config.logger = Rails.logger if Rails.env.development?
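
The thread describes three different failures at the token endpoint: a load-balancer 403 with no detail, the "HTTP Basic: Access denied" body from the title, and an ordinary OAuth error. The following is an added example, not code from any post in this thread or from FreeAgent, showing one way to tell them apart before deciding whether the problem is in your strategy or upstream. The function name, the sample responses, and the assumption that ALB-generated responses carry a `Server` header beginning with `awselb` are mine.

```ruby
require 'json'

# Classify a failed token-endpoint response. Takes plain values so it works
# with any HTTP client: status (Integer), headers (Hash), body (String).
# Returns [category, detail].
def classify_token_failure(status, headers, body)
  h      = headers.transform_keys { |k| k.to_s.downcase }
  server = h['server'].to_s
  ctype  = h['content-type'].to_s
  text   = body.to_s

  # RFC 6749 section 5.2: the authorization server reports token errors
  # as a JSON object with an "error" member (invalid_client, invalid_grant, ...).
  if ctype.include?('json')
    begin
      doc = JSON.parse(text)
      return [:oauth_error, doc['error']] if doc.is_a?(Hash) && doc['error']
    rescue JSON::ParserError
      # Not valid JSON after all; keep checking the other cases.
    end
  end

  # Assumption: a 403 produced by the load balancer itself (for example a
  # WAF block) has "Server: awselb/..." and never reached the application,
  # so the fix is on the provider side or in the request shape.
  return [:edge_block, server] if status == 403 && server.start_with?('awselb')

  # The plain-text body from this thread's title: the application rejected
  # the HTTP Basic client credentials sent with the token request.
  return [:client_auth_rejected, nil] if text.start_with?('HTTP Basic: Access denied')

  [:unknown, nil]
end

# Constructed sample responses (not captured from FreeAgent).
SAMPLES = [
  [403, { 'Server' => 'awselb/2.0', 'Content-Type' => 'text/html' },
   '<html><head><title>403 Forbidden</title></head></html>'],
  [401, { 'Content-Type' => 'text/html; charset=utf-8' }, "HTTP Basic: Access denied.\n"],
  [400, { 'Content-Type' => 'application/json' }, '{"error":"invalid_grant"}']
].freeze

SAMPLES.each { |s| puts classify_token_failure(*s).inspect } if __FILE__ == $PROGRAM_NAME
```

In an OmniAuth app, the status, headers and body are available on the `response` of the rescued `OAuth2::Error`.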