- My goal: Use OAuth2 to connect to an API.
- Issue: If the authentication is configured to use Client Credentials, there is never a prompt to log in and the resulting token is bad. If authentication is configured to use Authorization Code Grant, the user is prompted to log in, but a self-signed certificate error occurs when redirected back to Retool despite using the "Use self-signed certificates" checkbox.
- Retool version & hosting setup (Docker, K8s, cloud provider, etc.): Self-hosted on Kubernetes.
- Error message(s) or screenshots:
(a) When using Client Credentials, there is not a prompt to login, nor can I see a request to the OAuth server in the browser's Developer Tools. The request to the API endpoint uses this as the Authentication Header:
Authentication: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Invalid JWT serialization: Missing dot delimiter(s)", error_uri="RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage"
(b) When using Authorization Code Grant I do get prompted to log in using the OAuth server. It then seems to forward back to Retool, but I get this:
This last one contains the error, and comes from the Retool callback URL:
retool.ec2-blah-blah-blah-blah.compute-1.amazonaws.com/oauth/user/oauthcallback?state=<guid>&session_state=<guid>&iss=https%3A%2F%2Fec2-blah-blah-blah-blah.compute-1.amazonaws.com%2Fauth%2Frealms%2F<my realm>&code=<code>
- What I’ve tried so far:
I am aware of the "Use self-signed certificates" option when configuring the REST API:
The same error occurs no matter the configuration I put there - turn the option off, add none / any / all of the cert/key values, choose any of the verification modes...
Trying to use the Client Credentials
My OAuth server is configured to accept both of the login methods. I usually use the Client Credentials workflow when connecting to the API through code. In this case I can't see any evidence that a request for the codes actually happens.
There are various options for prompting login, skipping prompts, prompt for permissions, etc... but they all work the same.
There is an option for an auth verification endpoint. I chose one that requires the authorization header, and returns 401 when it is not correct. I have tested this endpoint independently and it works. When I hit the test it will ALWAYS come back green (and again I see no evidence the endpoint is actually called) with the message status: "Auth modal will not appear (you are already authenticated)", information: "A 2xx response was received from your endpoint which indicates that you are already authenticated", even when I intentionally put in a bad token, or put in a URL that does not exist.
Trying to use Authorization Code Grant
I usually don't use this mechanism, but tried it since the Client Credentials weren't working. In this case, it looks like the login prompts work in that I get my expected login screen, and I have to log in correctly. After logging in, I get forwarded back to the Retool callback endpoint (which is provided by Retool) but I get the above error:
{
"error": "{\"code\":\"SELF_SIGNED_CERT_IN_CHAIN\"}",
"request": {
"url": "ec2-blah-blah-blah-blah.compute-1.amazonaws.com/auth/realms/<my realm>/protocol/openid-connect/token",
"method": "POST",
"headers": {
"Content-Type": "application/x-www-form-urlencoded",
"Host": "ec2-blah-blah-blah-blah.compute-1.amazonaws.com",
"User-Agent": "Node-oauth",
"Content-Length": 324
},
"body": {
"grant_type": "authorization_code",
"redirect_uri": "http://retool.ec2-blah-blah-blah-blah.compute-1.amazonaws.com/oauth/user/oauthcallback",
"client_id": "<my client>",
"client_secret": "---sanitized---",
"code": "---sanitized---"
}
}
}
How do I work with self signed certificates?
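An added example, not part of the original post and not Retool's own code, to show what the SELF_SIGNED_CERT_IN_CHAIN error in the token exchange above means and how to fix it without turning TLS verification off. The failing request is the server-side POST to the Keycloak token endpoint (User-Agent: Node-oauth), so it is the Retool backend's Node process doing the verification, which is why the per-resource "Use self-signed certificates" checkbox has no effect on it (that is an inference from the error, not a documented Retool statement). The script builds a throwaway CA and a server certificate with openssl, shows that verification fails when the CA is only present in the server's chain (OpenSSL error 19, the condition Node reports as SELF_SIGNED_CERT_IN_CHAIN), and succeeds once the CA is supplied as a trust anchor. Assumptions: openssl is on PATH; the host name is the placeholder from the post; that Retool's backend honours Node's NODE_EXTRA_CA_CERTS variable is an assumption to confirm against the Retool docs for your version.

```shell
#!/bin/sh
# Added example (not from the original post or from Retool): reproduce the
# chain-verification failure behind SELF_SIGNED_CERT_IN_CHAIN with a throwaway
# CA, then show the fix (trust the CA) rather than disabling verification.
# Assumptions: openssl is on PATH; HOST is the post's placeholder host name;
# everything under $WORK is scratch material created by this script.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="ec2-blah-blah-blah-blah.compute-1.amazonaws.com"

# Constructed test PKI: a self-signed CA and a server certificate it signs.
# A SAN is added because Node matches host names against the SAN, not the CN;
# a CN-only server cert fails with a different (altname) error, not this one.
make_test_pki() {
  (
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj "/CN=test-ca" -keyout ca.key -out ca.crt >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=$HOST" -keyout server.key -out server.csr >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$HOST" > san.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 1 -sha256 -extfile san.ext -out server.crt >/dev/null 2>&1
  )
}

# What the Node client sees: the server sends its leaf plus the CA, but the CA
# is not a trust anchor on the client. Passing the CA only as -untrusted models
# exactly that; OpenSSL stops with error 19 ("self-signed certificate in
# certificate chain"), which Node surfaces as SELF_SIGNED_CERT_IN_CHAIN.
verify_with_chain_only() {
  if openssl verify -untrusted "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# The fix: make the CA a trust anchor for the process doing the token exchange.
# For a Node process that is NODE_EXTRA_CA_CERTS=/path/to/ca.crt (assumption:
# the Retool backend honours it; check the Retool docs for your version).
# Do NOT use NODE_TLS_REJECT_UNAUTHORIZED=0: that disables verification for
# every outbound connection, including the one carrying the client secret.
verify_with_trust_anchor() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Against the real Keycloak host, dump what it actually sends so you can see
# whether the CA is in the chain and which certificate to export as ca.crt:
#   openssl s_client -connect "$HOST:443" -servername "$HOST" -showcerts </dev/null
# (Not run here; this script only exercises the constructed PKI.)

make_test_pki
echo "CA only in the server's chain (what Node sees now): $(verify_with_chain_only)"
echo "CA installed as trust anchor (NODE_EXTRA_CA_CERTS): $(verify_with_trust_anchor)"
```

Two things worth checking while you are at it: the redirect_uri in the failing request body is plain http://, so the authorization code travels in the clear on the way back to Retool, and the token POST carries client_secret, which is exactly the exchange you do not want to protect by switching verification off.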