POST https://api.freeagent.com/v2/token_endpoint and also POST FreeAgent : Login are both returning awsalb-generated 403 forbidden responses. No further info is returned to debug the reason for the error, so I suspect freeagent’s AWS WAF is being a bit overzealous here blocking traffic.
Thank you for reaching out with your query and also thank you to Mark for your response.
After speaking to our security team they have confirmed that our web application firewall was identifying these requests as malicious and blocking them. They have since confirmed that they have run a fix for this that should resolve your issues.
Would you be able to try authenticating your app again and let me know if this is working again for you?
Thanks to both Mark and James for the responses. I spent a few more hours digging into this and discovered it was actually an error in the response processing of my app.
```ruby
# initializers/oauth2/freeagent.rb
# frozen_string_literal: true
require 'omniauth-oauth2'

module OmniAuth
  module Strategies
    class FreeAgent < OmniAuth::Strategies::OAuth2
      # Give your strategy a name.
      option :name, "freeagent"

      # This is where you pass the options you would pass when
      # initializing your consumer from the OAuth gem.
      option :client_options, {
        site: ENV['RAILS_ENV'] == 'production' ? "https://api.freeagent.com" : "https://api.sandbox.freeagent.com",
        authorize_url: "/v2/approve_app",
        token_url: "/v2/token_endpoint"
      }

      # You may specify that your strategy should use PKCE by setting
      # the pkce option to true: https://tools.ietf.org/html/rfc7636
      # option :pkce, true

      # These are called after authentication has succeeded. If
      # possible, you should try to set the UID without making
      # additional calls (if the user id is returned with the token
      # or as a URI parameter). This may not be possible with all
      # providers.
      uid do
        raw_info["user"]["url"]
      end

      info do
        {
          name: raw_info["user"]["name"] || "#{raw_info['user']['first_name']} #{raw_info['user']['last_name']}",
          email: raw_info["user"]["email"],
          first_name: raw_info["user"]["first_name"],
          last_name: raw_info["user"]["last_name"],
        }
      end

      extra do
        {
          raw_info: raw_info,
        }
      end

      def raw_info
        @raw_info ||= access_token.get("/v2/users/me").parsed
      end

      def callback_url
        options[:redirect_uri] || full_host + script_name + callback_path
      end
    end
  end
end

OmniAuth.config.add_camelization "freeagent", "FreeAgent"
```
and the omniauth initializer
```ruby
# initializers/omniauth.rb
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :freeagent,
           Rails.application.credentials.dig(:freeagent, :api_key),
           Rails.application.credentials.dig(:freeagent, :api_secret)
end

OmniAuth.config.logger = Rails.logger if Rails.env.development?
```
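Added example (not code from this thread, the omniauth-oauth2 gem, or FreeAgent): a plain Net::HTTP token exchange against the endpoints the strategy above configures, plus a response classifier that separates an edge (ALB/WAF) 403 with no JSON body from a 403 or OAuth error returned by the API itself, which is the distinction that was missing when debugging this. The `awselb` Server header, the sample replies and all names here are assumptions for illustration.

```ruby
require 'net/http'
require 'uri'
require 'json'

# Same site selection as the strategy's client_options (assumed helper).
SITES = {
  'production' => 'https://api.freeagent.com',
  'sandbox'    => 'https://api.sandbox.freeagent.com'
}.freeze

# Build the authorization-code exchange as a form POST: credentials go in
# the body, never the query string, so they do not end up in proxy/WAF logs.
def build_token_request(env, code, redirect_uri, client_id, client_secret)
  uri = URI.join(SITES.fetch(env), '/v2/token_endpoint')
  req = Net::HTTP::Post.new(uri)
  req['Accept'] = 'application/json'
  req.set_form_data(
    'grant_type'    => 'authorization_code',
    'code'          => code,
    'redirect_uri'  => redirect_uri, # must match the registered redirect URI exactly
    'client_id'     => client_id,
    'client_secret' => client_secret
  )
  [uri, req]
end

# Classify a reply before parsing it. Assumption: an edge block is a 403 with
# no JSON body and a load-balancer Server header such as "awselb/2.0"; the
# API reports its own errors as JSON. Returns [kind, parsed_json_or_nil].
def classify_token_response(status, headers, body)
  h = headers.transform_keys { |k| k.to_s.downcase }
  json = (JSON.parse(body) rescue nil) if h['content-type'].to_s.start_with?('application/json')
  return [:edge_block, nil]    if status == 403 && json.nil? && h['server'].to_s.start_with?('awselb')
  return [:api_forbidden, json] if status == 403
  return [:oauth_error, json]   if [400, 401].include?(status) && json
  return [:ok, json]            if status == 200 && json && json['access_token']
  [:unexpected, json]
end

# Constructed sample replies (not real FreeAgent output) for offline use.
EDGE_BLOCK = [403, { 'Server' => 'awselb/2.0', 'Content-Type' => 'text/html' }, '<html>Forbidden</html>']
TOKEN_OK   = [200, { 'Content-Type' => 'application/json; charset=utf-8' },
              '{"access_token":"EXAMPLE_TOKEN","token_type":"bearer","expires_in":604800,"refresh_token":"EXAMPLE_REFRESH"}']

if __FILE__ == $0
  uri, _req = build_token_request('sandbox', 'CODE', 'https://example.test/auth/freeagent/callback', 'ID', 'SECRET')
  puts "POST #{uri}"
  puts classify_token_response(*EDGE_BLOCK).first   # edge_block
  puts classify_token_response(*TOKEN_OK).first     # ok
end
```

To use it against a live response, call `classify_token_response(res.code.to_i, res.to_hash.transform_values(&:first), res.body)` on the `Net::HTTPResponse`; an `:edge_block` result means the body will not explain anything and the request itself (headers, user agent, body shape) is what to inspect.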
Hey James, this is also happening on our live application.
Despite having the correct permissions these requests are coming back with 403: https://api.freeagent.com/v2/bank_accounts https://api.freeagent.com/v2/invoices?