Permalink
Cannot retrieve contributors at this time
POST /oauth/access_token
| Status | Response |
|---|---|
| 400 | {"error": "invalid_request", "error_description": "the connection was disabled"}The connection is not active or not enabled for your client_id |
| 400 | {"error": "invalid_request", "error_description": "the connection was not found"} |
| 400 | {"error": "invalid_request", "error_description": "missing client_id parameter"} |
| 400 | {"error": "invalid_request", "error_description": "missing access_token parameter"} |
| 401 | {"error": "invalid_request", "error_description": "invalid access_token: invalid_token"}The access_token is invalid or does not contain the scope you set |
| 403 | {"error": "unauthorized_client", "error_description": "invalid client"} |
Problem
When you run scheduled Airflow Databricks jobs, you get this error:
Invalid Access Token : 403 Forbidden Error
Cause
To run or schedule Databricks jobs through Airflow, you need to configure the Databricks connection using the Airflow web UI. Any of the following incorrect settings can cause the error:
- Set the host field to the Databricks workspace hostname.
- Set the login field to token.
- Set the password field to the Databricks-generated personal access token.
- Set the Extra field to a JSON string, where the key is token and the value is your personal access token.
The Databricks-generated personal access token is normally valid for 90 days. If the token expires, then this 403 Forbidden Error occurs.
Solution
Verify that the Extra field is correctly configured with the JSON string:
{"token": "<your personal access token>"}
- Verify that the token is mentioned in both the password field and the Extra field.
- Verify that the host, login, and password fields are configured correctly.
- Verify that the personal access token has not expired.
If necessary, generate a new token (AWS | Azure).
-
Created
March 13, 2017 -
Category
Troubleshooting -
Comments
31
When you schedule a posts on Pilot Poster, in some rare cases, the scheduled posts might hit a hard rock on the way due to some reasons, and among the common reasons for a scheduled post to stop running is the ‘Invalid Access Token‘ error.
How to Detect this Error
Pilot Poster comes with a Logging feature that stores all of the errors encountered during a scheduled post. And to locate the error log, you need to Navigate to Posts > Scheduled Posts > And Click the Folder Icon at the right-hand side of the displayed table.
In the Log page, you will see the reason why your scheduled posts stopped running and if the error message seen is Invalid Access Token as shown in the image above, then read below to see how to fix;
How to Fix Invalid Access Token Error
The invalid access token error simply means the token for the selected app used for posting is expired and needs to be re-authenticated.
And to fix, all you need to do is Re-authenticate the current app used for posting.
To Re-authenticate, Goto Settings > Facebook Apps > Deauthenticate the App. And then click the Authenticate button again.
When you click the Authenticate button again, you do NOT need to go through all of the procedures as you would when Authenticating for the first time. Rather, all you need to click is the Get App Authenticate Link (As shown in the image below).
Copy the displayed access token from the next window that displays and then paste in the Access Token Box. Click the Test Access Token to ensure the copied token is valid, then click the Set Access Token Button.
You have successfully re-authenticate your app. Now is time for you to resume the paused schedule or schedule a new post using your authenticated app.
Was this article helpful?
Here we list the most common errors encountered in Rabobank OAuth 2.0 flow on the client side. These use cases list reason for errors and how to troubleshoot them.
During the Authorization call to get the consent of the user, the TPP may encounter the following:
Invalid client id supplied
You receive an HTTP response of 401 Unauthorized with the message invalid client id or secret while invoking an Authorization flow.
This could be caused by one of the following:
- Invalid client id is supplied in the request.
- Your TPP application is not subscribed to an API using OAuth 2.0.
To solve this issue, your application should be subscribed to an API using OAuth 2.0 and provide a valid client ID.
Redirect URI mismatch
When registering an application, you should provide a redirect URI on the Rabobank developer portal.
If you have more than one redirect URLs listed in the developer portal, make sure to provide one of the redirect URI (as provided during registration) in the redirect_uri query parameter during an Authorization call. If the redirect URI from your request does not match with the one registered on the Rabobank developer portal, you get the following error:
Requesting access token
To access the requested resources, you should exchange the received authorization code for an access token. During the retrieval of the access token, you may encounter the following:
Invalid authorization code (grant type code flow)
The authorization code should be sent to the token endpoint to get the access token. Sending an invalid authorization code (expired, invalid, or already used) results in the below error:
Http status:400(Bad request){"error":"invalid_grant"}
To avoid this error, you should pass the correct authorization code before it expires (expiry: 5 minutes). Make sure to not call the token endpoint multiple times using the same authorization code.
Adding a slight delay of 1000ms before calling this endpoint ensures that the authorization code is in sync across our servers.
Invalid refresh token
Sending invalid Refresh token to get access token results in the below error:
Http status:401(Unauthorized){"error":"invalid_grant"}
The Refresh token is valid for 30 days and can be only used once. To avoid this error, you should pass a valid Refresh token and not use the same token multiple times.
Invalid authorization header
While making a call to the token endpoint, an Authorization header should be provided consisting of a client id and client secret. If an invalid combination is passed, it results in the below error:
Http status:401(Unauthorized){"error":"invalid_client"}
To avoid this error, you should use the correct client id and client secret and make sure that the Authorization header is prepared as specified in the OAuth documentation.
Grant type missing
While making a call to the token endpoint, the grant_type query parameter should be provided. The value of this query parameter is based on the type of authorization you are passing to the endpoint.
For example, if you are swapping an authorization code for an access token the value of the parameter should be the authorization_code.
An example of the error message returned is as below:
Http status:400(Bad request){"error":"invalid_request"}
To avoid this error, make sure to provide all the required parameters, including grant_type.
Requesting resources with an access token
Access token invalid
The Access token issued by the authorization server is valid for 60 minutes for PSD2 and 24 hrs for Premium after receiving. Passing an expired or invalid Access token while accessing the resource results in the following error.
{"httpCode":"401","httpMessage":"Unauthorized","moreInformation":"This server could not verify that you are authorized to access the URL"}
To avoid this error, you should always check the expiry time associated with the access token. If the token is expired, use a Refresh token to receive a new Access token.
If you are unable to get a new access token using the refresh token, it could be because the user consent is either expired or revoked. You can validate the consent using the Consent Details Service API.
If this is the case, you should renew the consent before proceeding.
How to check if the user consent is expired (or) revoked?
Using the information you received during the authorization flow, you can retrieve the consent by a specific Id as explained in the API Consent Details Service documentation.
If the consent status is one of the following, the consent is not valid and cannot be used to access the resources:
- expired
- revokedByPsu
- terminatedByTpp
- received
- rejected
Using an invalid consent results in the following error:
{"httpCode":"403","httpMessage":"Forbidden","moreInformation":"CONSENT_INVALID"}
To access the resource gain, you should follow the authorization flow again and ask the user permission(s) to the required resources.
Deactivated or Expired consent
The consent of the user may be expired or revoked by the user, while your access/refresh tokens are still active, this results in a 403 Forbidden CONSENT_INVALID error message.
You may also check the status of the consent by making a call to Consent Details Service API and re-initiate the consent flow if required.
Not having the required permission to access an API
{"httpCode":"403","httpMessage":"Forbidden","moreInformation":"FORBIDDEN"}
A 403 Forbidden FORBIDDEN error can be triggered if the Access token included in the request does not contain the correct scope for the API being used.
Example: You have an access token for the scope paymentRequest, but you are trying to access the Account information API, this API requires a different scope: ‘ais.balances.read’.
To avoid this error, follow the authorization flow with the correct scope required for your API.
I’m currently working on a simple Spring Boot application where I pass client_id and secret to get the access token which gets me a refresh and access token.
But then when I try to access resources(my REST API) using that token (with this URL: curl -H «Authorization: Bearer ead8ba5d-88ad-4531-a821-db08bf25e888» localhost:8081/my-end-point ), it doesn’t work for me and gives me following error-
{«error»:»invalid_token»,»error_description»:»Invalid access token: ead8ba5d-4531-db08bf2fe888″}
This is how my endpoint looks like-
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import java.security.Principal;
@RestController
@RequestMapping(path = "/my-end-point")
public class PrincipalResource {
@RequestMapping(method = RequestMethod.POST)
public Principal oauth(Principal principal) {
/*
* Translate the incoming request, which has an access token
* Spring security takes the incoming request and injects the Java Security Principal
* The converter inside Spring Security will handle the to json method which the Spring Security
* Oauth client will know how to read
*
* The @EnableResourceServer on the application entry point is what makes all this magic happen.
* If there is an incoming request token it will check the token validity and handle it accordingly
*
*
*/
return principal;
}
} `
asked Feb 13, 2018 at 7:34
2
make sure that in your AuthServerOAuth2Config
security.allowFormAuthenticationForClients().checkTokenAccess("permitAll()");
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.allowFormAuthenticationForClients().checkTokenAccess("permitAll()");
}
and start generating some tokens by making POST requests to your server at URL:localhost:yourport/oauth/token
for example:
http://localhost:8085/oauth/token?client_secret=secret&client_id=web&grant_type=password&username=kalaiselvan&password=kalaiselvan
it will return token
{
"access_token": "8b816685-b7da-4996-a3e2-ff18b4538a2b",
"token_type": "bearer",
"refresh_token": "f458c09b-f739-4488-be0f-2b0e3c5a62d1",
"expires_in": 637,
"scope": "read"
}
copy the access_token from the response data and make new POST request
http://localhost:8085/account
I hope it will be helpful to you
answered Feb 13, 2018 at 9:12
KalaiselvanKalaiselvan
2,0751 gold badge18 silver badges31 bronze badges
9